Here's an example of how an attacker could use Responder to carry out a credential theft attack:

  1. The attacker sets up a fake wireless access point (AP) with the same name as a legitimate AP in the area.
  2. The victim connects to the attacker's fake AP and tries to access a network resource, such as a file server.
  3. The victim's computer sends an LLMNR or NBT-NS broadcast asking for the IP address of the file server.
  4. Responder intercepts the broadcast and sends a response pretending to be the file server.
  5. The victim's computer sends its authentication credentials to Responder, thinking it's communicating with the legitimate file server.
  6. Responder logs the victim's credentials and saves them to a file on the attacker's machine.

LLMNR:

LLMNR (Link-Local Multicast Name Resolution) is a protocol used in Windows networks to resolve hostnames to IP addresses on the local network.


What is LLMNR poisoning?

LLMNR poisoning is a type of cyberattack that involves intercepting and altering LLMNR network traffic to redirect network requests to a malicious server.

Example of how it is done:

Man-in-the-middle attack

The attacker intercepts the network traffic between two devices and alters it to their advantage. Let's say you're at work and you try to connect to a network printer. Your computer sends an LLMNR broadcast asking for the IP address of the printer. An attacker intercepts this request and sends a response pretending to be the printer. Your computer then sends all print jobs to the attacker's server, allowing the attacker to view or manipulate the data being printed.


How it's done with the Responder tool. But first: what is Responder?

Responder is a tool for intercepting LLMNR traffic and carrying out LLMNR poisoning attacks. The tool works by sending specially crafted LLMNR and NBT-NS (NetBIOS Name Service) packets to the victim's computer, tricking it into sending its authentication credentials to the attacker's machine.
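
Seen from the defending side, the spoofed answers described above are visible on the wire, because a host normally answers LLMNR only for its own name. The following is an added example (not part of the original page and not Responder code) that parses constructed LLMNR payloads (UDP port 5355) and flags any source that answers a canary name no real host owns, or more than one distinct name. The canary name, the `max_names` threshold, the function names and the sample addresses are assumptions.

```python
import struct
from collections import defaultdict

def build_llmnr(txid, name, answer_ip=None):
    """Build a constructed LLMNR message (DNS wire format) for the sample capture."""
    qname = bytes([len(name)]) + name.encode("ascii") + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)              # QTYPE=A, QCLASS=IN
    if answer_ip is None:                                    # query: QR bit clear
        return struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0) + question
    rdata = bytes(int(octet) for octet in answer_ip.split("."))
    answer = qname + struct.pack("!HHIH", 1, 1, 30, 4) + rdata
    return struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0) + question + answer

def parse_llmnr(payload):
    """Return (is_response, queried_name) for one LLMNR UDP payload."""
    if len(payload) < 13:
        raise ValueError("short message")
    flags = struct.unpack("!H", payload[2:4])[0]
    labels, pos = [], 12
    while payload[pos]:
        length = payload[pos]
        end = pos + 1 + length
        if length > 63 or end >= len(payload):               # pointer or truncated name
            raise ValueError("bad label")
        labels.append(payload[pos + 1:end].decode("ascii", "replace"))
        pos = end
    return bool(flags & 0x8000), ".".join(labels).lower()

def find_poisoners(packets, canaries, max_names=1):
    """Flag sources that answer a canary name or more than max_names distinct names."""
    canaries = {c.lower() for c in canaries}
    answered = defaultdict(set)
    for src, payload in packets:
        try:
            is_response, name = parse_llmnr(payload)
        except ValueError:
            continue                                         # ignore malformed traffic
        if is_response:
            answered[src].add(name)
    return {src: sorted(names) for src, names in answered.items()
            if names & canaries or len(names) > max_names}

SAMPLE = [  # constructed capture: (source IP, LLMNR payload); all values are made up
    ("10.0.0.21", build_llmnr(1, "fileserver")),
    ("10.0.0.5",  build_llmnr(1, "fileserver", "10.0.0.5")),       # genuine owner
    ("10.0.0.21", build_llmnr(2, "prnter01")),                     # mistyped name
    ("10.0.0.66", build_llmnr(2, "prnter01", "10.0.0.66")),        # spoofed answer
    ("10.0.0.30", build_llmnr(3, "zz-canary-7f3a")),               # defender's canary query
    ("10.0.0.66", build_llmnr(3, "zz-canary-7f3a", "10.0.0.66")),  # spoofed answer
]
```

Calling `find_poisoners(SAMPLE, {"zz-canary-7f3a"})` reports only 10.0.0.66; the host that answered solely for its own name is left alone.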