Lab Notes: 2025-11-19

Overview

A key day studying Responder errors, TCP server binding conflicts, and which services Responder attempts to emulate. Clarified terminology used in professional cyber-security communications and continued senior pentester planning.

Cybersecurity Topics Covered

  • Responder’s role in LLMNR/NBT-NS/MDNS poisoning.
  • Why Responder throws TCP server errors when ports are already in use.
  • Which ports matter for SMB credential harvesting (SMB 445/139).
  • Determining whether Responder is still listening even when HTTP/LDAP/RDP bindings fail.
  • Learned YARA basics: pattern-matching rules for malware classification and detection.

Troubleshooting Steps Practiced

# Identify conflicting services (anchor each port so :80 does not also match :8080)
sudo ss -tulpn | grep -E ':(80|53|389|3389)\b'

# Stop services bound to ports Responder wants (HTTP, RDP, LDAP, DNS)
sudo systemctl stop apache2
sudo systemctl stop xrdp
sudo systemctl stop slapd
# Caveat: this also removes the 127.0.0.53 stub resolver, so name resolution
# on the attack box may stop working until systemd-resolved is started again
sudo systemctl stop systemd-resolved

# Start Responder manually (ens5 is the interface used in this lab)
sudo responder -I ens5
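The steps above are usually run by eye. The script below is an added example (not from these notes and not part of the Responder project) that automates the check: it parses `ss -tulpn`-style output, separates the ports Responder needs for SMB capture (445/139) from the ones whose bind failures it tolerates (80/53/389/3389), names the process holding each busy port, and, after Responder is started, confirms the SMB listeners are actually up. The `ss` output embedded in it is constructed sample text, not captured from a real host; the process names, PIDs and the `--demo` flag are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example: triage Responder port conflicts from `ss -tulpn` output.

# Ports Responder binds for the capture chain discussed in the notes.
CRITICAL_PORTS="445 139"          # SMB: required for NTLM credential capture
OPTIONAL_PORTS="80 53 389 3389"   # HTTP, DNS, LDAP, RDP: bind errors here are survivable

# Constructed sample of `ss -tulpn` BEFORE starting Responder (not real host data).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53  0.0.0.0:*  users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*  users:(("apache2",pid=901,fd=4))
tcp   LISTEN 0      128    0.0.0.0:3389      0.0.0.0:*  users:(("xrdp",pid=950,fd=11))
tcp   LISTEN 0      128    0.0.0.0:8080      0.0.0.0:*  users:(("python3",pid=1200,fd=3))'

# Constructed sample AFTER Responder (a Python process) has started; apache2 still holds 80.
SAMPLE_AFTER='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      1      0.0.0.0:445       0.0.0.0:*  users:(("python3",pid=2100,fd=9))
tcp   LISTEN 0      1      0.0.0.0:139       0.0.0.0:*  users:(("python3",pid=2100,fd=10))
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*  users:(("apache2",pid=901,fd=4))'

# busy_ports SS_OUTPUT -> space-separated, deduplicated list of bound port numbers.
# The port is the last ':'-separated field of column 5 (works for 127.0.0.53%lo:53 and [::]:445).
busy_ports() {
  printf '%s\n' "$1" | awk 'NR > 1 { n = split($5, a, ":"); print a[n] }' | sort -un | xargs
}

# owner_of PORT SS_OUTPUT -> process name holding PORT, or empty if PORT is free
# (also empty when ss was run without root and shows no process column).
owner_of() {
  printf '%s\n' "$2" \
    | awk -v p="$1" 'NR > 1 { n = split($5, a, ":"); if (a[n] == p) { print $NF; exit } }' \
    | sed -n 's/.*(("\([^"]*\)".*/\1/p'
}

# conflict_report SS_OUTPUT -> one line per busy Responder port; returns 1 only if an
# SMB port is taken (run BEFORE starting Responder).
conflict_report() {
  local ss_out="$1" busy rc=0 port owner
  busy=" $(busy_ports "$ss_out") "          # pad so " 80 " never matches " 8080 "
  for port in $CRITICAL_PORTS; do
    case "$busy" in *" $port "*)
      owner=$(owner_of "$port" "$ss_out")
      echo "CRITICAL: port $port held by ${owner:-unknown}; SMB capture will not work"
      rc=1 ;;
    esac
  done
  for port in $OPTIONAL_PORTS; do
    case "$busy" in *" $port "*)
      owner=$(owner_of "$port" "$ss_out")
      echo "optional: port $port held by ${owner:-unknown}; Responder logs a bind error but keeps running" ;;
    esac
  done
  return $rc
}

# smb_listening SS_OUTPUT -> 0 if both 445 and 139 are bound, 1 otherwise
# (run AFTER starting Responder; bind errors for 80/389/3389 do not matter if this passes).
smb_listening() {
  local busy port
  busy=" $(busy_ports "$1") "
  for port in $CRITICAL_PORTS; do
    case "$busy" in *" $port "*) ;; *) return 1 ;; esac
  done
  return 0
}

# Live usage (needs root for the process column):
#   conflict_report "$(sudo ss -tulpn)"                        # before: what to stop
#   smb_listening "$(sudo ss -tulpn)" && echo "SMB listeners up" # after: is capture possible
if [ "${1:-}" = "--demo" ]; then
  conflict_report "$SAMPLE_SS"
  smb_listening "$SAMPLE_AFTER" && echo "SMB listeners up"
fi
```

Run with `--demo` to see the report on the constructed samples; replace the samples with `"$(sudo ss -tulpn)"` for a real check. The port list is padded with spaces and matched as whole tokens on purpose, so that a service on 8080 does not trigger the check for port 80, which is the same false positive an unanchored `grep ':80'` would produce.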

Professional Terminology Learned

  • “YARA” = rule-based pattern-matching framework for identifying and classifying malware samples.

Notes

  • Even with bind errors on ports such as 80/389/3389, Responder keeps poisoning and capturing SMB credentials as long as 445/139 are free.
  • This aligns with THM workflows in CVE-2024-21413 labs.