Responder

Responder is an in-built Kali Linux tool for Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) that responds to specific NetBIOS queries based on the file server request. This tool can be launched by running responder -I eth0 (ethernet adapter name of your network that you want to) -h in the Terminal, as shown in the following screenshot:

Responder has the ability to do the following:

  • Check for a local host file that includes any specific DNS entries
  • Automatically perform a DNS query on the selected network
  • Use LLMNR/NBT-NS to send out broadcast messages to the selected network

Attackers on the same network can fire up Responder, as shown in the following screenshot. Responder can set up multiple server types by itself:

In this example, let's say we poison the victim at 192.168.1.125 while they are trying to access the file server at \\METASPLOITABLE3\. The victim, however, will see an error message, as shown in the following screenshot:

Now the attackers use Responder to capture the results, including the NTLM username and the hash, as shown in the following screenshot:

Another easy password-grabbing attack can be performed using Responder by running responder -I eth0 -wrFb in the Terminal. In this scenario, the user will get an NTLM popup to enter their username and password. All the log files will be available in /usr/share/responder/logs/, and the log filename will be SMBv2-NTLMv2-SSP-<IP>.txt. This can then be passed directly to John the Ripper by running john SMBv2-NTLMv2-SSP-<IP>.txt for offline cracking of the NTLM hash that was captured. As shown in the following screenshot, the output of john can be verified with the --show option. The first variable represents the username, the second represents the plaintext password, and the third represents the hostname; this is all followed by the hashes:
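From the defender's side, the poisoning described above is visible because one host answers LLMNR/NBT-NS queries for names it does not own. The following is an added example, not code from the book or from Responder: it flags such hosts in a list of observed name-resolution answers. The record layout, the canary name, the threshold and all sample addresses are constructed assumptions.

```python
# Added example: flag hosts that answer LLMNR/NBT-NS queries they should not.
from collections import defaultdict

# Constructed sample data: (protocol, queried name, IP that answered).
# In practice these would come from a sensor or packet capture (assumption).
SAMPLE_RESPONSES = [
    ("LLMNR", "METASPLOITABLE3", "192.168.1.50"),
    ("LLMNR", "canary-7f3a", "192.168.1.66"),
    ("NBT-NS", "FILESRV01", "192.168.1.66"),
    ("LLMNR", "PRINTER-2", "192.168.1.66"),
    ("LLMNR", "wpad", "192.168.1.66"),
    ("NBT-NS", "WORKSTATION9", "192.168.1.90"),
]

# Names the defender queries on purpose and that exist nowhere on the network.
CANARY_NAMES = {"canary-7f3a"}


def find_poisoners(responses, canaries, max_names=2):
    """Return {ip: [reasons]} for hosts whose answers look like poisoning."""
    canaries = {c.lower() for c in canaries}
    names_by_ip = defaultdict(set)
    for _proto, name, ip in responses:
        names_by_ip[ip].add(name.lower())

    findings = {}
    for ip, names in names_by_ip.items():
        reasons = []
        hit = sorted(names & canaries)
        if hit:
            # Nobody legitimately owns a canary name, so any answer is suspect.
            reasons.append("answered canary name(s): " + ", ".join(hit))
        if len(names) > max_names:
            # A normal host answers only for its own name(s).
            reasons.append(f"answered for {len(names)} distinct names")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in find_poisoners(SAMPLE_RESPONSES, CANARY_NAMES).items():
        print(ip, "->", "; ".join(reasons))
```

Hosts flagged this way are candidates for isolation and investigation; disabling LLMNR and NBT-NS on clients removes the fallback that makes the poisoning possible.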
