
SpiderLabs Responder Updates

Responder is a penetration-testing tool in active development. We update it regularly to add new features and functionality based on user feedback (and we're one of those users). In this post we cover some of the most recent changes to Responder and how it has grown into a feature-rich exploitation tool. If you are unfamiliar with Responder, read more here or here.

New Functionalities in Responder:

  • Customizable default configuration file

    • A number of CLI switches have been moved to this configuration file to streamline functionality.

    • More below.

  • Bound listening on a specific network interface.

  • Scoping improvements to only answer requests from target IP addresses.

  • New options to serve files to target systems: Serve-Always and Serve-Exe.

  • Custom Proxy Auto-Configuration (PAC) script.

  • User-specified HTML to target systems post "authentication".


How to use the configuration file:

The new "Responder.conf" file provides configuration for a number of Responder options including a number of new features. In this file you will be able to specify:

  • Rogue authentication servers status

  • Log file name

  • NTLM challenge string

  • IP address on the local system to which Responder should be bound

  • A white list of target IP addresses—useful when you have a test that is limited in scope, and you need to poison a specific list of targets.

The configuration file also contains a 'HTTP Server' section where you will find some new options:

  • Serve-Exe: When Responder sees a .exe extension in a requested URL, the target system is served a specified .exe, by default our custom SpiderLabs bind shell executable, FixInternet.exe.

  • Serve-Always: If you are using WPAD (-w On), a specified file is served to all your targets.

  • Filename: Used with the Serve-Always option to specify the file to be served to target systems

  • ExecFilename: Used with the Serve-Always option to specify a .exe to be served to target systems.

  • WPADScript: Used to specify your custom PAC script

  • HTMLToServe: Used to specify an HTML page to be served to the target after the HTTP/HTTPS rogue server completes an NTLM authentication. By default, we provide a redirection to an SMB server with an LM hash downgrade.

More Information on the New Responder Wushu:

With this release, Responder now provides an option in the configuration file, Serve-Always, to always send a specific file to a victim after successful authentication (Basic and NTLM) via HTTP/HTTPS. These new features are used in conjunction with the established "-w On" WPAD MiTM and "-r On" options.

Included in this release is an example Denied.html file. Specified by the "Filename" option in the configuration file, this HTML file will display a custom webpage when served to target systems. The following picture reflects this scenario:

  • Responder is launched this way: python Responder.py -i Attacker_IP -r On -w On
  • The victim runs a fully updated Windows 2003/XP/2008r2/7/8/2012 system with default settings, whether or not it is part of a domain, and even with the network profile set to Public. The only user interaction is opening Internet Explorer.


When a victim clicks on the "Proxy Client" link, Responder will serve the default "FixInternet.exe" bind shell backdoor. The bind shell will listen on TCP port 140 of the target's IP address. If you wish to serve a different executable, you can specify a different file using the "ExecFilename" option in the configuration file. Whatever file you serve, it will always be displayed to the victim as "ProxyClient.exe".


In this specific example, we're trying to persuade the user to run our malicious executable by convincing them that they must do so to restore their Internet access.

These new "Serve-Always" and "Serve-Exe" options, when combined with the "-w On" WPAD MiTM and "-r On" WREDIR options, will result in Responder serving the specified file/page to all your targets for each web request.
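Seen from the defender's side, the behaviour described above leaves three traces that can be correlated per workstation: a wpad.dat fetched from a host that is not the sanctioned proxy-configuration server, a download presented as ProxyClient.exe (or the default FixInternet.exe), and a new listener on TCP port 140. The following triage sketch is an added example, not part of the original post or of Responder; the JSON-lines event schema, the sample events and the authorized WPAD server address are constructed assumptions.

```python
import json

# Indicators taken from the post: the served file is always shown to the
# victim as ProxyClient.exe, the default payload is FixInternet.exe, and the
# default bind shell listens on TCP port 140.
PAYLOAD_NAMES = {"proxyclient.exe", "fixinternet.exe"}
BIND_SHELL_PORT = 140

# Assumption: the only host allowed to serve wpad.dat on this network.
AUTHORIZED_WPAD_SERVERS = {"10.0.0.5"}

# Constructed sample telemetry (hypothetical JSON-lines schema).
SAMPLE_EVENTS = """\
{"type": "http", "client": "10.0.0.21", "server": "10.0.0.5", "path": "/wpad.dat", "filename": ""}
{"type": "http", "client": "10.0.0.22", "server": "10.0.0.66", "path": "/wpad.dat", "filename": ""}
{"type": "http", "client": "10.0.0.22", "server": "10.0.0.66", "path": "/setup.exe", "filename": "ProxyClient.exe"}
{"type": "listen", "host": "10.0.0.22", "port": 140}
{"type": "http", "client": "10.0.0.23", "server": "10.0.0.66", "path": "/wpad.dat", "filename": ""}
{"type": "listen", "host": "10.0.0.24", "port": 445}
"""

def triage(lines):
    """Return {workstation: sorted list of findings} for the events given."""
    findings = {}
    rogue_wpad = {}  # client -> unauthorized servers that handed it a PAC file
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["type"] == "http":
            host, server = ev["client"], ev["server"]
            path = ev["path"].lower()
            name = (ev.get("filename") or path.rsplit("/", 1)[-1]).lower()
            if path.endswith("/wpad.dat") and server not in AUTHORIZED_WPAD_SERVERS:
                rogue_wpad.setdefault(host, set()).add(server)
                findings.setdefault(host, set()).add("wpad-from-unauthorized-server")
            if name in PAYLOAD_NAMES:
                findings.setdefault(host, set()).add("payload-download")
                # Same server supplied both the PAC file and the executable.
                if server in rogue_wpad.get(host, ()):
                    findings[host].add("wpad-then-payload")
        elif ev["type"] == "listen" and ev["port"] == BIND_SHELL_PORT:
            findings.setdefault(ev["host"], set()).add("listener-on-tcp-140")
    return {h: sorted(f) for h, f in findings.items()}

if __name__ == "__main__":
    for host, hits in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, ", ".join(hits))
```

Because the payload can be swapped through "ExecFilename" while the displayed name stays fixed, the file name and the unauthorized wpad.dat source are the more durable signals; the port 140 listener only covers the default bind shell.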

I would like to thank my colleagues here at SpiderLabs for their feedback regarding Responder. Their input helped me in developing this in-house pentest tool into a fun application that can now help penetration testers gain control of workstations and Domain Controllers within minutes.
