respounder: detects presence of responder in the network


  • A tool that detects the presence of a Responder in the network
  • Identifies compromised machines before hackers run away with the loot (hashes)

It sends LLMNR name resolution requests for made-up hostnames that do not exist. In a normal non-adversarial network we do not expect such names to resolve. However, a responder, if present in the network, will resolve such queries and therefore will be forced to reveal itself.



Running respounder is as simple as invoking it on the command line. Example invocation:


$ ./respounder [-json] [-debug] [-hostname testhostname | -rhostname]

        Prints a JSON to STDOUT if a responder is detected on
        the network. Other text is sent to STDERR
        Creates a debug.log file with a trace of the program
  -interface string
        Interface where responder will be searched (eg. eth0).
        Not specifying this flag will search on all interfaces.
  -hostname string
        Hostname to search for (default "aweirdcomputername")
        Searches for a hostname comprised of random string instead
        of the default hostname ("aweirdcomputername")


Typical usage scenario


Detect rogue hosts running responder on public Wi-Fi networks e.g. like airports, cafés and avoid joining such networks (especially if you are running Windows OS)


Detect network compromises as soon as they happen by running respounder in a loop

For eg., the following run crontab respounder every minute and log a JSON file to syslog whenever a responder is detected.

* * * * * /path/to/respounder -json | /usr/bin/logger -t responder-detected

Example syslog entry:


Respounder in action