Respounder detects presence of responder in the network.

res·pound·er

/rɪˈspaʊnd dər/ noun

  • A tool that detects presence of a Responder in the network
  • Identifies compromised machines before hackers run away with the loot (hashes)

Respounder sends LLMNR name resolution requests for made-up hostnames that do not exist. In a normal non-adversarial network we do not expect such names to resolve. However, a responder, if present in the network, will resolve such queries and therefore will be forced to reveal itself.
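The probe described above, sketched as an added Go example (not code from respounder.go): it encodes an LLMNR question for a made-up name in the RFC 4795 wire format, which a prober would send over UDP to 224.0.0.252:5355, and checks whether a datagram is a positive answer to it. The function names `buildQuery` and `answersProbe`, the transaction ID and the reply bytes are assumptions constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// buildQuery encodes an LLMNR (RFC 4795) A-record question for host.
// The wire format is the DNS one: 12-byte header, then QNAME/QTYPE/QCLASS.
func buildQuery(txid uint16, host string) ([]byte, error) {
	pkt := make([]byte, 12, 64)
	binary.BigEndian.PutUint16(pkt[0:], txid) // transaction ID
	binary.BigEndian.PutUint16(pkt[4:], 1)    // QDCOUNT = 1, flags stay 0 (query)
	for _, label := range strings.Split(host, ".") {
		if len(label) == 0 || len(label) > 63 {
			return nil, errors.New("label must be 1-63 bytes")
		}
		pkt = append(pkt, byte(len(label)))
		pkt = append(pkt, label...)
	}
	return append(pkt, 0, 0, 1, 0, 1), nil // root label, QTYPE=A, QCLASS=IN
}

// answersProbe reports whether pkt is a positive response to our probe:
// same ID, QR bit set, RCODE 0 and at least one answer record.
func answersProbe(txid uint16, pkt []byte) bool {
	if len(pkt) < 12 || binary.BigEndian.Uint16(pkt[0:]) != txid {
		return false
	}
	flags := binary.BigEndian.Uint16(pkt[2:])
	return flags&0x8000 != 0 && flags&0x000f == 0 && binary.BigEndian.Uint16(pkt[6:]) > 0
}

func main() {
	q, _ := buildQuery(0x1337, "aweirdcomputername")
	// Constructed reply: the query echoed with QR set and ANCOUNT=1,
	// followed by one A record pointing at 172.16.55.128.
	reply := append([]byte{}, q...)
	reply[2], reply[7] = 0x80, 1
	reply = append(reply, 0xc0, 0x0c, 0, 1, 0, 1, 0, 0, 0, 30, 0, 4, 172, 16, 55, 128)
	fmt.Printf("query: %x\nresponder answered: %v\n", q, answersProbe(0x1337, reply))
}
```

Because the probed name is invented, any datagram for which `answersProbe` returns true is itself the finding, and its source address is the host to investigate.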

Download

Latest Releases

Respounder is available for 32-bit and 64-bit Linux, OS X and Windows systems. The latest versions can be downloaded from the Release tab above.

Build from source

This is a Go project with no dependencies. Assuming you have the Go compiler installed, the following will build the binary from scratch:

$ git clone https://github.com/codeexpress/respounder
$ cd respounder
$ go build -o respounder respounder.go

Usage

Running respounder is as simple as invoking it on the command line. Example invocation:

$ ./respounder


     .´/
    / (           .----------------.
    [ ]░░░░░░░░░░░|// RESPOUNDER //|
    ) (           '----------------'
    '-'

[wlan0]    Sending probe from 192.168.0.19...   responder not detected
[vmnet1]   Sending probe from 172.16.211.1...   responder not detected
[vmnet8]   Sending probe from 172.16.55.1...    responder detected at 172.16.55.128

Flags

$ ./respounder [-json] [-debug] [-interface iface] [-hostname testhostname | -rhostname]

Flags:
  -json
        Prints a JSON to STDOUT if a responder is detected on
        the network. Other text is sent to STDERR
  -debug
        Creates a debug.log file with a trace of the program
  -interface string
        Interface where responder will be searched (eg. eth0).
        Not specifying this flag will search on all interfaces.
  -hostname string
        Hostname to search for (default "aweirdcomputername")
  -rhostname
        Searches for a hostname comprised of random string instead
        of the default hostname ("aweirdcomputername")

Typical usage scenario

Personal

Detect rogue hosts running Responder on public Wi-Fi networks (e.g. airports, cafés) and avoid joining such networks, especially if you are running Windows.

Corporate

Detect network compromises as soon as they happen by running respounder in a loop.

For example, the following crontab entry runs respounder every minute and logs its JSON output to syslog whenever a responder is detected.

* * * * * /path/to/respounder -json | /usr/bin/logger -t responder-detected

Example syslog entry:

code@express:~/$ sudo tail -f /var/log/syslog
Feb  9 03:44:07 responder-detected: [{"interface":"vmnet8","responderIP":"172.16.55.128","sourceIP":"172.16.55.1"}]

Demo

Respounder in action

Coming Up Next: Android App

There are plans to port this tool to an Android app so that adversarial Wi-Fi networks (e.g. WiFi Pineapple or WiFi Pumpkin running Responder) can be detected right from a mobile phone.
