Skip to content

S0174 Responder

Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. 1

Item Value
ID S0174
Version 1.1
Created 16 January 2018
Last Modified 06 April 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1557 Adversary-in-the-Middle -
enterprise T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay Responder is used to poison name services to gather hashes and credentials from systems within a local network.1
enterprise T1040 Network Sniffing Responder captures hashes and credentials that are sent to the system after the name services have been poisoned.1

Groups That Use This Software

ID Name References
G0007 APT28 23
G0032 Lazarus Group 4


Back to top