respounder: detects presence of responder in the network

by do son · Published · Updated

respounder

respounder

  • A tool that detects the presence of a Responder in the network
  • Identifies compromised machines before hackers run away with the loot (hashes)

It sends LLMNR name resolution requests for made-up hostnames that do not exist. In a normal non-adversarial network we do not expect such names to resolve. However, a responder, if present in the network, will resolve such queries and therefore will be forced to reveal itself.

Download

Usage

Running respounder is as simple as invoking it on the command line. Example invocation:

Flags

$ ./respounder [-json] [-debug] [-hostname testhostname | -rhostname]



Flags:

  -json

        Prints a JSON to STDOUT if a responder is detected on

        the network. Other text is sent to STDERR

  -debug

        Creates a debug.log file with a trace of the program

  -interface string

        Interface where responder will be searched (eg. eth0).

        Not specifying this flag will search on all interfaces.

  -hostname string

        Hostname to search for (default "aweirdcomputername")

  -rhostname

        Searches for a hostname comprised of random string instead

        of the default hostname ("aweirdcomputername")

 

Typical usage scenario

Personal

Detect rogue hosts running responder on public Wi-Fi networks e.g. like airports, cafés and avoid joining such networks (especially if you are running Windows OS)

Corporate

Detect network compromises as soon as they happen by running respounder in a loop

For eg., the following run crontab respounder every minute and log a JSON file to syslog whenever a responder is detected.

* * * * * /path/to/respounder -json | /usr/bin/logger -t responder-detected

Example syslog entry:

Demo

Respounder in action

Source: https://github.com/codeexpress/

Tags: respounder