S0174 Responder
Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with a built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. [1]
| Item | Value | 
|---|---|
| ID | S0174 | 
| Associated Names | |
| Type | TOOL | 
| Version | 1.2 | 
| Created | 16 January 2018 | 
| Last Modified | 17 March 2023 | 
Techniques Used
| Domain | ID | Name | Use | 
|---|---|---|---|
| enterprise | T1557 | Adversary-in-the-Middle | - | 
| enterprise | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Responder is used to poison name services to gather hashes and credentials from systems within a local network. [1] | 
| enterprise | T1040 | Network Sniffing | Responder captures hashes and credentials that are sent to the system after the name services have been poisoned. [1] | 
Groups That Use This Software
| ID | Name | References | 
|---|---|---|
| G0032 | Lazarus Group | [2] [7] [5] [6] | 
| G0007 | APT28 | [3] [4] | 
References
1. Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017.
2. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
3. Smith, L. and Read, B. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017.
4. Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.
5. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
6. Breitenbacher, D. and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
7. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.