
8 Commits

lgandx
a1a4f46c7b fix: Bind to interface bug. 2014-03-20 22:37:10 -04:00
lgandx
81b1f8f2c1 minor fix 2014-03-19 22:17:58 -04:00
lgandx
d0fc37fa42 minor change 2014-02-19 19:35:35 -05:00
lgandx
f5b21d992a Merge branch 'master' of https://github.com/SpiderLabs/Responder
merged with latest version
2014-02-19 19:29:29 -05:00
lgandx
2fdc74a089 minor fixes 2014-02-19 19:29:19 -05:00
lgandx
68eefb1e05 Reflected recent changes 2014-02-19 19:27:28 -05:00
lgandx
cff67bd4ba Merge pull request #27 from mubix/patch-1
Case-insensitive content-type check
2014-02-10 16:58:02 -05:00
Rob Fuller
094824bfd3 Case-insensitive content-type check
Was noticing that injection wasn't happening when the header was "Content-type" instead of the "Content-Type" that was being checked for. Headers could probably be lowercased with .lower() from the beginning, but then again there might be header content that would break because of it.
2014-02-10 16:55:11 -05:00
2 changed files with 50 additions and 24 deletions


@@ -86,6 +86,8 @@ FEATURES
- WPAD rogue transparent proxy server. This module will capture all HTTP requests from anyone launching Internet Explorer on the network. This module is higly effective. You can now send your custom Pac script to a victim and inject HTML into the server's responses. See Responder.conf. This module is now enabled by default.
- Analyze mode: This module allows you to see NBT-NS, BROWSER, LLMNR requests from which workstation to which workstation without poisoning any requests. Also, you can map domains, MSSQL servers, workstations passively, see if ICMP Redirects attacks are plausible on your subnet.
- Responder is now using a configuration file. See Responder.conf.
- Built-in POP3 auth server. This module will collect POP3 plaintext credentials
@@ -120,7 +122,7 @@ Running this tool:
Usage Example:
python Responder.py -i 10.20.30.40 -r On -I eth0
python Responder.py -i 10.20.30.40 -r On -F On -w On
Options List:
@@ -145,7 +147,7 @@ Options List:
host that issued an NBT-NS or LLMNR query.
-w On, --wpad=On Set this to On or Off to start/stop the WPAD rogue
proxy server. Default value is On
proxy server. Default value is Off
--lm=Off Set this to On if you want to force LM hashing
downgrade for Windows XP/2003 and earlier. Default value is Off
@@ -154,6 +156,12 @@ Options List:
wpad.dat file retrieval. This might cause a login prompt in
some specific cases. Default value is Off
-A, --analyze Analyze mode. This option allows you to see NBT-NS,BROWSER,
LLMNR requests from which workstation to which workstation
without poisoning any requests. Also, you can map domains,
MSSQL servers, workstations passively.
-v More verbose
@@ -162,6 +170,7 @@ For more information read these posts:
http://blog.spiderlabs.com/2012/10/introducing-responder-10.html
http://blog.spiderlabs.com/2013/01/owning-windows-networks-with-responder-17.html
http://blog.spiderlabs.com/2013/02/owning-windows-network-with-responder-part-2.html
http://blog.spiderlabs.com/2014/02/responder-20-owning-windows-networks-part-3.html
Follow our latest updates on twitter:
https://twitter.com/PythonResponder


@@ -134,7 +134,7 @@ logger2.addHandler(logging.FileHandler(Log2Filename,'w'))
AnalyzeFilename = str(os.path.join(ResponderPATH,"Analyze-LLMNR-NBT-NS.log"))
logger3 = logging.getLogger('Analyze LLMNR/NBT-NS')
logger3.addHandler(logging.FileHandler(AnalyzeFilename,'w'))
logger3.addHandler(logging.FileHandler(AnalyzeFilename,'a'))
def Show_Help(ExtraHelpData):
help = "NBT Name Service/LLMNR Responder 2.0.\nPlease send bugs/comments to: lgaffie@trustwave.com\nTo kill this script hit CRTL-C\n\n"
@@ -444,7 +444,7 @@ def RAPThisDomain(Client,Domain):
l.append(' -'+x)
WKST = RapFinger(Client,Domain,"\xff\xff\xff\xff")
if WKST is not None:
l.append('[!]Workstation Server detected on Domain %s:'%(Domain))
l.append('[!]Workstations/Servers detected on Domain %s:'%(Domain))
for x in WKST:
l.append(' -'+x)
else:
@@ -484,7 +484,7 @@ def RapFinger(Host,Domain, Type):
buffer1 = longueur(packet1)+packet1
s.send(buffer1)
data = s.recv(1024)
##Rap ServerEnum, domain forests and PDC
##Rap ServerEnum.
if data[8:10] == "\x75\x00":
head = SMBHeader(cmd="\x25",flag1="\x08", flag2="\x01\xc8",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x04\x00")
t = SMBTransRAPData(Data=RAPNetServerEnum3Data(ServerType=Type,DetailLevel="\x01\x00",TargetDomain=Domain))
@@ -492,8 +492,8 @@ def RapFinger(Host,Domain, Type):
packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1
s.send(buffer1)
data = s.recv(1024)
##Rap ServerEnum, SQL servers
data = s.recv(64736)
##Rap ServerEnum, Get answer and return what we're looking for.
if data[8:10] == "\x25\x00":
s.close()
return ParsePacket(data)
@@ -858,8 +858,8 @@ class SMB1LM(BaseRequestHandler):
data = self.request.recv(1024)
except Exception:
pass #no need to print errors..
self.request.close()
pass #no need to print errors..
##################################################################################
#SQL Stuff
@@ -1498,7 +1498,7 @@ def InjectData(data):
return Gzip
else:
return data
if "Content-Type: text/html" in Headers:
if "content-type: text/html" in Headers.lower():
Len = ''.join(re.findall('(?<=Content-Length: )[^\r\n]*', Headers))
HasHTML = re.findall('(?<=<html)[^<]*', Content)
if HasHTML :
@@ -2108,25 +2108,40 @@ ThreadingTCPServer.allow_reuse_address = 1
def serve_thread_udp(host, port, handler):
try:
server = ThreadingUDPServer((host, port), handler)
server.serve_forever()
except:
print "Error starting UDP server on port " + str(port) + ". Check that you have the necessary permissions (i.e. root), no other servers are running and the correct network interface is set in Responder.conf."
try:
if OsInterfaceIsSupported(INTERFACE):
IP = FindLocalIP(BIND_TO_Interface)
server = ThreadingUDPServer((IP, port), handler)
server.serve_forever()
else:
server = ThreadingUDPServer((host, port), handler)
server.serve_forever()
except:
print "Error starting UDP server on port " + str(port) + ". Check that you have the necessary permissions (i.e. root), no other servers are running and the correct network interface is set in Responder.conf."
def serve_thread_tcp(host, port, handler):
try:
server = ThreadingTCPServer((host, port), handler)
server.serve_forever()
except:
print "Error starting TCP server on port " + str(port) + ". Check that you have the necessary permissions (i.e. root), no other servers are running and the correct network interface is set in Responder.conf."
try:
if OsInterfaceIsSupported(INTERFACE):
IP = FindLocalIP(BIND_TO_Interface)
server = ThreadingTCPServer((IP, port), handler)
server.serve_forever()
else:
server = ThreadingTCPServer((host, port), handler)
server.serve_forever()
except:
print "Error starting TCP server on port " + str(port) + ". Check that you have the necessary permissions (i.e. root), no other servers are running and the correct network interface is set in Responder.conf."
def serve_thread_SSL(host, port, handler):
try:
server = SSlSock((host, port), handler)
server.serve_forever()
except:
print "Error starting TCP server on port " + str(port) + ". Check that you have the necessary permissions (i.e. root), no other servers are running and the correct network interface is set in Responder.conf."
try:
if OsInterfaceIsSupported(INTERFACE):
IP = FindLocalIP(BIND_TO_Interface)
server = SSlSock((IP, port), handler)
server.serve_forever()
else:
server = SSlSock((host, port), handler)
server.serve_forever()
except:
print "Error starting TCP server on port " + str(port) + ". Check that you have the necessary permissions (i.e. root), no other servers are running and the correct network interface is set in Responder.conf."
def main():
try:
@@ -2159,3 +2174,5 @@ if __name__ == '__main__':