[Responder Core]

; Poisoners to start
MDNS  = On
LLMNR = On
NBTNS = On

; IPv6 conf:
DHCPv6 = Off

; Servers to start
SQL      = On
SMB      = On
QUIC     = On
RDP      = On
Kerberos = On
FTP      = On
POP      = On
SMTP     = On
IMAP     = On
HTTP     = On
HTTPS    = On
DNS      = On
LDAP     = On
DCERPC   = On
WINRM    = On
SNMP     = On
MQTT     = On
MYSQL    = On

; Custom challenge.
; Use "Random" for generating a random challenge for each request (Default)
Challenge = Random

; SQLite Database file
; Delete this file to re-capture previously captured hashes
Database = Responder.db

; Default log file
SessionLog = Responder-Session.log

; Poisoners log
PoisonersLog = Poisoners-Session.log

; Analyze mode log
AnalyzeLog = Analyzer-Session.log

; Dump Responder Config log:
ResponderConfigDump = Config-Responder.log

; Specific IP Addresses to respond to (default = All)
; Example: RespondTo = 10.20.1.100-150, 10.20.3.10, fe80::e059:5c8f:a486:a4ea-a4ef, 2001:db8::8a2e:370:7334
RespondTo =

; Specific NBT-NS/LLMNR names to respond to (default = All)
; Example: RespondToName = WPAD, DEV, PROD, SQLINT
;RespondToName = WPAD, DEV, PROD, SQLINT
RespondToName =

; Specific IP Addresses not to respond to (default = None)
; Hosts with IPv4 and IPv6 addresses must have both addresses included to prevent responding.
; Example: DontRespondTo = 10.20.1.100-150, 10.20.3.10, fe80::e059:5c8f:a486:a4ea-a4ef, 2001:db8::8a2e:370:7334
DontRespondTo =

; Specific NBT-NS/LLMNR names not to respond to (default = None)
; Example: DontRespondToName = NAC, IPS, IDS
DontRespondToName = ISATAP

; MDNS TLD not to respond to (default = _dosvc). Do not add the ".", only the TLD.
; Example: DontRespondToTLD = _dosvc, _blasvc, etc
DontRespondToTLD = _dosvc

; If set to On, we will stop answering further requests from a host
; if a hash has been previously captured for this host.
AutoIgnoreAfterSuccess = Off

; If set to On, we will send ACCOUNT_DISABLED when the client tries
; to authenticate for the first time to try to get different credentials.
; This may break file serving and is useful only for hash capture
CaptureMultipleCredentials = On

; If set to On, we will write to file all hashes captured from the same host.
; In this case, Responder will log from 172.16.0.12 all user hashes: domain\toto,
; domain\popo, domain\zozo. Recommended value: On, capture everything.
CaptureMultipleHashFromSameHost = On

; IPv6 section
[DHCPv6 Server]

; Domain to filter DNS and DHCPv6 poisoning responses
; Only respond to clients in this domain
; Leave empty to poison all domains (NOT RECOMMENDED - causes network disruption)
; Example: corp.local
DHCPv6_Domain =

; Send Router Advertisements to speed up IPv6 configuration
; Only needed on networks without RA Guard protection
; Default: Off (more stealthy, waits for natural DHCPv6 SOLICIT)
; WARNING: Sending RA can be more detectable
SendRA = Off

; Specific IPv6 address to bind to and advertise as DNS server
; Leave empty to auto-detect link-local address (recommended)
; Example: fe80::1
; Example: 2001:db8::1
BindToIPv6 =

[Kerberos]
; ======================================================
; Kerberos Operation Mode (NEW FEATURE)
; ======================================================
;
; CAPTURE (default) - Capture Kerberos AS-REP hashes
;   - Responds with KDC_ERR_PREAUTH_REQUIRED
;   - Client sends encrypted timestamp
;   - Responder captures AS-REP hash
;   - Crack with: hashcat -m 7500
;   - Good for: Stealthy operation, unique Kerberos hashes
;
; FORCE_NTLM - Force client to fall back to NTLM
;   - Responds with KDC_ERR_ETYPE_NOSUPP
;   - Client abandons Kerberos, tries NTLM
;   - Responder's SMB/HTTP captures NetNTLMv2
;   - Crack with: hashcat -m 5600
;   - Good for: Relay attacks, faster cracking
;
; Choose based on engagement needs:
;   - Use CAPTURE for stealth and Kerberos-specific hashes
;   - Use FORCE_NTLM for relay attacks or faster cracking
;
; Default: CAPTURE (if not specified)
; ======================================================
KerberosMode = CAPTURE

; Alternative: Force NTLM fallback
;KerberosMode = FORCE_NTLM

[HTTP Server]

; Set to On to always serve the custom EXE
Serve-Always = Off

; Set to On to replace any requested .exe with the custom EXE
Serve-Exe = Off

; Set to On to serve the custom HTML if the URL does not contain .exe
; Set to Off to inject the 'HTMLToInject' in web pages instead
Serve-Html = Off

; Custom HTML to serve
HtmlFilename = files/AccessDenied.html

; Custom EXE File to serve
ExeFilename = ;files/filetoserve.exe

; Name of the downloaded .exe that the client will see
ExeDownloadName = ProxyClient.exe

; Custom WPAD Script
; Only set one if you really know what you're doing. Responder takes care of that and injects the right one, with your current IP address.
WPADScript =

; HTML answer to inject in HTTP responses (before </body> tag).
; Leave empty if you want to use the default one (redirect to SMB on your IP address).
HTMLToInject =

[HTTPS Server]

; Configure SSL Certificates to use
SSLCert = certs/responder.crt
SSLKey = certs/responder.key