Secorizon (@secorizon) 's Twitter Profile
Secorizon

@secorizon

Home of Responder, Pcredz, and other tools we maintain.
We do red team ops & offensive pentests.
Contact: [email protected]

ID: 1855056649482125312

Link: https://secorizon.com/
Date: 09-11-2024 01:15:58

0 Tweet

0 Followers

19 Following


Responder now supports many more LDAP authentications; the LDAP rogue server has been rewritten to support SASL mechanisms.

You'll see a lot of these on your screens :)

Let's start 2026 with a major Responder update!
It now supports:
- CLDAP ping pong to SMB auth.
- SNMPv3 authentication and hashes.
- New rogue Kerberos server forcing AS-REQ when receiving TGS-REQ + support for Kerberos type 17/18 hashes.
- IMAP support for NTLM authentication.

Today Secorizon released MSFinger, a standalone tool that scans subnets and fingerprints Windows workstations.
The tool allows you to see if SMB, LDAP, LDAPS signing is required, if MSSQL, RDP services are running, SMBv1 disabled, etc.
Everything is logged in a sqlite db.
 
This

Responder 3.2.0.0 is out!
All new year updates +
- IMAP and SMTP StartTLS
- IMAPS TLS server on port 993
- DHCPv6 poisoning (pure python) using Dirk-jan mitm6 attacks
- Kerberos, DNS server updates
- Etc.

github.com/lgandx/Respond…

Don't want to capture Kerberos auth?
No problem, Responder now allows you to downgrade to NTLM :)
New setting in Responder.conf: 
KerberosMode -> FORCE_NTLM or CAPTURE

I spent the past 15 years fuzzing network protocols, something I truly enjoy. I build my libraries for what I'm targeting to make sure I understand what I'm doing and ensure the best coverage. Soon I will be releasing some of my work and will be training students. Stay tuned!


Soon you will understand how it was possible to find that kind of bug: github.com/lgandx/PoC/blo… on the most fuzzed authentication protocol ever.


Today Secorizon is releasing OffByWon, an advanced network protocol fuzzing framework.
This tool allows you to bring chaos to drivers, servers, parsers.

A minimal demo client performing a complete fuzzable LDAP NTLM authentication is included.

Several advanced functionalities

Just noticed previous Responder versions were answering any DNS SRV records with TCP port set to 445 😑 Now adding proper mapping service -> TCP port ...


IPv6: Responder used to try to find a globally routable IPv6 (using a socket connect trick) first and only fall back to link-local on exception. Works great on the internet but this is backwards for internal pentesting scenarios. Now forcing bind on Local Link addresses, can be


Our DNSSL attack still works flawlessly when you're on the same subnet as a DC; instant pwn by injecting a DNS suffix on the DC. All unresolved requests by the DC DNS server -> to your VPS, respond and provide your local IP address. All details are here: g-laurent.blogspot.com/2021/12


RA Guard is disabled by default on all major vendor switches, it has to be configured. When configured, the primary and default action across major vendors is to silently drop the packet. Many networks don't even support IPv6, but workstations have IPv6 enabled by default and