This tool is first an LLMNR, NBT-NS and MDNS responder, it will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answers to File Server Service request, which is for SMB. The concept behind this, is to target our answers, and be stealthier on the network. This also helps to ensure that we don’t break legitimate NBT-NS behavior. You can set the -r option via command line if you want this tool to answer to the Workstation Service request name suffix.
MultiRelay has also been ported to this Windows version, allowing a pentest to pivot across compromises.
* Experimental Windows Version.
* Goal of this version is to be able to propagate compromises across subnets and domains from any compromised Windows machine. This tool can also be used compromise a domain from an external penetration test.
* This version will disable netbios on all interfaces and the current firewall profile on the target host.
* Default values will be turned back On when killing Responder (CRTL-C).
* LLMNR and Netbios works out of the box on any Windows XP-2003 and apparently on Windows 2012/2016.
* Netbios support works on all versions.
* Best way to collect hashes with this Windows version: Responder.exe -i IP_Addr -rPv
Latest change Responder v1.2 10/11/2016:
* Added: use wmic instead of .bat files and %compsec%
Usage and download from source:
git clone https://github.com/lgandx/Responder-Windows && cd Responder-Windows