Skip to main content
Layer 2 tools run as persistent background processes until explicitly stopped. Each tool has four operations:
  • Start — launch the process with sudo, log it to scan history, begin output monitoring.
  • Stop — terminate the process with pkill, update scan history.
  • Output — read the output file at a given byte offset for incremental polling (avoids re-reading from the start).
  • Status — check whether the process is running and which interface it is bound to.
All three tools require a sudo password at start time because they bind to raw network interfaces.

Responder

Responder poisons LLMNR/NBT-NS/mDNS queries and captures NTLM hashes and cleartext credentials. Captured credentials are automatically parsed and stored in the credentials database.

POST /api/responder/start

Starts Responder with the given interface and options. 
curl -X POST http://localhost:8000/api/responder/start \
  -H "Content-Type: application/json" \
  -d '{
    "interface": "tun0",
    "options": ["-wrf"],
    "sudo_password": "kali"
  }'
interface
string
required
Network interface name to bind Responder to (e.g. tun0, eth0).
options
array
Array of additional Responder flags (e.g. ["-wrf"] for WPAD + fingerprinting). Each flag is a separate string element.
sudo_password
string
required
Sudo password for privilege escalation.
Response:
status
string
"success" on launch.
process_id
integer
OS PID of the Responder process.
output_file
string
Basename of the output log file in recon/ (e.g. responder_20240115_143200.txt).
command
string
The full sudo command executed.
{
  "status": "success",
  "process_id": 12345,
  "output_file": "responder_20240115_143200.txt",
  "command": "sudo responder -I tun0 -wrf"
}

POST /api/responder/stop

Terminates the Responder process.
process_id
integer
required
PID returned by /api/responder/start.
sudo_password
string
required
Sudo password for the pkill command.
Response: {"status": "success", "message": "Responder stopped"}

GET /api/responder/output

Returns output from the Responder log file starting at a byte offset. Call repeatedly with increasing offsets to implement live streaming. 
curl "http://localhost:8000/api/responder/output?file=responder_20240115_143200.txt&offset=0"
file
string
required
Filename in recon/ (basename only, as returned by the start endpoint).
offset
integer
Byte offset to start reading from. Defaults to 0. Use the file_size from the previous response as the next offset.
Response:
status
string
"success".
content
string
New output since the last offset. Empty string if no new data.
file_size
integer
Current total file size in bytes. Use as the next offset value.

GET /api/responder/status

Returns the list of currently running Responder processes. 
curl http://localhost:8000/api/responder/status
Response:
status
string
"success".
running
boolean
true if at least one Responder process is active.
processes
array
Array of process info objects.

GET /api/responder/config

Reads and parses the Responder configuration file (typically /usr/share/responder/Responder.conf). 
curl "http://localhost:8000/api/responder/config?path=/usr/share/responder/Responder.conf"
path
string
required
Absolute path to Responder.conf.
Response:
status
string
"success".
config
object
Parsed config as a nested object: {"SectionName": {"Key": "Value", ...}}. Mirrors the INI-style structure of Responder.conf with sections like Responder Core, Servers, HTTP Options, etc.
path
string
The config file path that was read.
{
  "status": "success",
  "config": {
    "Responder Core": { "Responder": "On", "NBTNS": "On", "LLMNR": "On" },
    "HTTP Options": { "HTTP": "On" },
    "SMB Options": { "SMB": "On" }
  },
  "path": "/usr/share/responder/Responder.conf"
}

POST /api/responder/config

Writes an updated Responder configuration. Uses sudo to overwrite the config file. 
curl -X POST http://localhost:8000/api/responder/config \
  -H "Content-Type: application/json" \
  -d '{
    "path": "/usr/share/responder/Responder.conf",
    "config": {"Responder Core": {"LLMNR": "On", "NBTNS": "Off"}},
    "sudo_password": "kali"
  }'
path
string
required
Absolute path to Responder.conf.
config
object
required
Full config as a nested object matching the structure returned by GET /api/responder/config.
sudo_password
string
required
Sudo password for writing to the system config file.
Response: {"status": "success"}

mitm6

mitm6 performs IPv6 DHCPv6 spoofing to intercept DNS queries and relay credentials to LDAP/SMBv2.

POST /api/mitm6/start

Starts mitm6 on the given interface. 
curl -X POST http://localhost:8000/api/mitm6/start \
  -H "Content-Type: application/json" \
  -d '{
    "interface": "eth0",
    "options": ["-d", "corp.local"],
    "sudo_password": "kali"
  }'
interface
string
required
Network interface (e.g. eth0).
options
array
Additional mitm6 flags (e.g. ["-d", "corp.local"] to restrict to a specific domain).
sudo_password
string
required
Sudo password.
Response:
status
string
"success".
process_id
integer
OS PID.
output_file
string
Log file basename in recon/.
command
string
Command executed.

POST /api/mitm6/stop

Terminates the mitm6 process.
process_id
integer
required
PID returned by /api/mitm6/start.
sudo_password
string
required
Sudo password for pkill.
Response: {"status": "success", "message": "mitm6 stopped"}

GET /api/mitm6/output

Returns mitm6 log output starting at a byte offset. Same incremental polling pattern as Responder. 
curl "http://localhost:8000/api/mitm6/output?file=mitm6_20240115_143200.txt&offset=0"
file
string
required
Log file basename.
offset
integer
Byte offset. Defaults to 0.
Response:
status
string
"success".
content
string
New output since the offset.
file_size
integer
Current file size in bytes.

GET /api/mitm6/status

Returns currently running mitm6 processes. 
curl http://localhost:8000/api/mitm6/status
Response:
running
boolean
true if any mitm6 process is active.
processes
array
Array of process info objects.

ASRepCatcher

ASRepCatcher intercepts Kerberos AS-REQ/AS-REP exchanges. Supports two modes:
  • relay — relay AS-REP hashes to capture and forward authentication.
  • listen — passive mode, capture AS-REP hashes from network traffic.

POST /api/asrepcatcher/start

Starts ASRepCatcher in the specified mode. 
curl -X POST http://localhost:8000/api/asrepcatcher/start \
  -H "Content-Type: application/json" \
  -d '{
    "interface": "eth0",
    "mode": "relay",
    "sudo_password": "kali"
  }'
interface
string
Network interface. Optional; defaults to the system’s primary interface.
mode
string
Operation mode: "relay" (default) or "listen".
options
array
Additional ASRepCatcher flags as an array of strings.
sudo_password
string
required
Sudo password. ASRepCatcher requires root to bind to the network.
Response:
status
string
"success" on launch.
process_id
integer
OS PID.
output_file
string
Log file basename in recon/.
command
string
Command executed.
{
  "status": "success",
  "process_id": 13579,
  "output_file": "asrepcatcher_20240115_143200.txt",
  "command": "sudo /home/kali/etherreaper/ASRepCatcher/ASRepCatcher-venv/bin/ASRepCatcher relay"
}

POST /api/asrepcatcher/stop

Terminates the ASRepCatcher process.
process_id
integer
required
PID returned by /api/asrepcatcher/start.
sudo_password
string
required
Sudo password for pkill.
Response: {"status": "success", "message": "ASRepCatcher stopped"}

GET /api/asrepcatcher/output

Returns ASRepCatcher log output from the given byte offset. 
curl "http://localhost:8000/api/asrepcatcher/output?file=asrepcatcher_20240115_143200.txt&offset=0"
file
string
required
Log file basename in recon/.
offset
integer
Byte offset. Defaults to 0.
Response:
status
string
"success".
content
string
New output since the offset.
file_size
integer
Current file size in bytes.

GET /api/asrepcatcher/status

Returns currently running ASRepCatcher processes. 
curl http://localhost:8000/api/asrepcatcher/status
Response:
running
boolean
true if any ASRepCatcher process is active.
processes
array
Array of process info objects.

Build docs developers (and LLMs) love

Get started for freeTalk to us