Added: FindSMB2UPTime script. Find when is the last time a >= 2008 server was updated.

CHANGELOG

@@ -1,4 +1,10 @@
-ChangeLog Responder 2.0.8:
+ChangeLog Responder 2.1.4:
+- Added: FindSMB2UPTime.py
+- Added: FindSQLSrv.py
+- Added: DontRespondTo and DontRespondToName options in Responder.conf
+- Added: Lanman module
+- Added: Analyze mode
+- Added: SMBRelay
 - Removed: Old style options (On/Off). Just use -r instead of -r On. 
 - Added [DHCP.py]: in-scope target, windows >= Vista support (-R) and unicast answers only.
 - Added: In-scope llmnr/nbt-ns name option

FindSMB2UPTime.py

@@ -0,0 +1,116 @@
+#! /usr/bin/env python
+# NBT-NS/LLMNR Responder
+# Created by Laurent Gaffie
+# Copyright (C) 2014 Trustwave Holdings, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import datetime, struct
+import sys,socket,struct
+from socket import *
+from odict import OrderedDict
+
+class Packet():
+    fields = OrderedDict([
+        ("", ""),
+    ])
+    def __init__(self, **kw):
+        self.fields = OrderedDict(self.__class__.fields)
+        for k,v in kw.items():
+            if callable(v):
+                self.fields[k] = v(self.fields[k])
+            else:
+                self.fields[k] = v
+    def __str__(self):
+        return "".join(map(str, self.fields.values()))
+
+def GetBootTime(data):
+    Filetime = int(struct.unpack('<q',data)[0])
+    t = divmod(Filetime - 116444736000000000, 10000000)
+    time = datetime.datetime.fromtimestamp(t[0])
+    return time, time.strftime('%Y-%m-%d %H:%M:%S')
+
+
+def IsDCVuln(t):
+    Date = datetime.datetime(2014, 11, 17, 0, 30)
+    if t[0] < Date:
+       print "DC is up since:", t[1]
+       print "This DC is vulnerable to MS14-068"
+    else:
+       print "DC is up since:", t[1]
+
+def NbtLen(data):
+    Len = struct.pack(">i", len(data))
+    return Len
+
+class SMBHeader(Packet):
+    fields = OrderedDict([
+        ("Proto", "\xff\x53\x4d\x42"),
+        ("Cmd", "\x72"),
+        ("Error-Code", "\x00\x00\x00\x00" ),
+        ("Flag1", "\x10"),
+        ("Flag2", "\x00\x00"),
+        ("Pidhigh", "\x00\x00"),
+        ("Signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("Reserved", "\x00\x00"),
+        ("TID", "\x00\x00"),
+        ("PID", "\xff\xfe"),
+        ("UID", "\x00\x00"),
+        ("MID", "\x00\x00"),
+    ])
+
+class SMBNego(Packet):
+    fields = OrderedDict([
+        ("Wordcount", "\x00"),
+        ("Bcc", "\x62\x00"),
+        ("Data", "")
+    ])
+    
+    def calculate(self):
+        self.fields["Bcc"] = struct.pack("<H",len(str(self.fields["Data"])))
+
+class SMBNegoData(Packet):
+    fields = OrderedDict([
+        ("StrType","\x02" ),
+        ("dialect", "NT LM 0.12\x00"),
+        ("StrType1","\x02"),
+        ("dialect1", "SMB 2.002\x00"),
+        ("StrType2","\x02"),
+        ("dialect2", "SMB 2.???\x00"),
+    ])
+
+def run(host):
+    s = socket(AF_INET, SOCK_STREAM)
+    s.connect(host)  
+    s.settimeout(0.1) 
+    h = SMBHeader(Cmd="\x72",Flag1="\x18",Flag2="\x53\xc8")
+    n = SMBNego(Data = SMBNegoData())
+    n.calculate()
+    packet0 = str(h)+str(n)
+    buffer0 = NbtLen(packet0)+packet0
+    s.send(buffer0)
+    try:
+        data = s.recv(1024)
+        if data[4:5] == "\xff":
+           print "This host doesn't support SMBv2" 
+        if data[4:5] == "\xfe":
+           IsDCVuln(GetBootTime(data[116:124]))
+    except Exception:
+        s.close()
+        raise
+
+if __name__ == "__main__":
+    if len(sys.argv)<=1:
+        sys.exit('Usage: python '+sys.argv[0]+' DC-IP-address')
+    host = sys.argv[1],445
+    run(host)

Responder.conf

@@ -27,6 +27,11 @@ RespondTo =
 ;RespondTo = WPAD,DEV,PROD,SQLINT
 RespondToName = 
 ;
+;DontRespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
+DontRespondTo = 
+;Set this option with specific NBT-NS/LLMNR names not to respond to (default = None). Example: DontRespondTo = NAC, IPS, IDS
+DontRespondToName =
+;
 [HTTP Server]
 ;;
 ;Set this to On if you want to always serve a specific file to the victim.

Responder.py

@@ -23,7 +23,8 @@ from odict import OrderedDict
 from socket import inet_aton
 from random import randrange
 
-parser = optparse.OptionParser(usage='python %prog -i 10.20.30.40 -w -r -f\nor:\npython %prog -i 10.20.30.40 -wrf',
+VERSION = 'Responder 2.1.2'
+parser = optparse.OptionParser(usage='python %prog -i 10.20.30.40 -w -r -f\nor:\npython %prog -i 10.20.30.40 -wrf', version = VERSION,
                                prog=sys.argv[0],
                                )
 parser.add_option('-A','--analyze', action="store_true", help="Analyze mode. This option allows you to see NBT-NS, BROWSER, LLMNR requests from which workstation to which workstation without poisoning anything.", dest="Analyse")
@@ -84,6 +85,10 @@ RespondTo = config.get('Responder Core', 'RespondTo').strip()
 RespondTo.split(",")
 RespondToName = config.get('Responder Core', 'RespondToName').strip()
 RespondToName.split(",")
+DontRespondTo = config.get('Responder Core', 'DontRespondTo').strip()
+DontRespondTo.split(",")
+DontRespondToName = config.get('Responder Core', 'DontRespondToName').strip()
+DontRespondToName.split(",")
 #Cli options.
 OURIP = options.OURIP
 LM_On_Off = options.LM_On_Off
@@ -260,7 +265,30 @@ def RespondToNameScope(RespondToName, Name):
     else:
         return False
 
+##Dont Respond to these hosts/names.
+def DontRespondToSpecificHost(DontRespondTo):
+    if len(DontRespondTo)>=1 and DontRespondTo != ['']:
+        return True
+    else:
+        return False
 
+def DontRespondToSpecificName(DontRespondToName):
+    if len(DontRespondToName)>=1 and DontRespondToName != ['']:
+        return True
+    else:
+        return False
+
+def DontRespondToIPScope(DontRespondTo, ClientIp):
+    if ClientIp in DontRespondTo:
+        return True
+    else:
+        return False
+
+def DontRespondToNameScope(DontRespondToName, Name):
+    if Name in DontRespondToName:
+        return True
+    else:
+        return False
 ##################################################################################
 #NBT NS Stuff
 ##################################################################################
@@ -343,6 +371,13 @@ class NB(BaseRequestHandler):
         data, socket = self.request
         Name = Decode_Name(data[13:45])
 
+        if DontRespondToSpecificHost(DontRespondTo):
+            if RespondToIPScope(DontRespondTo, self.client_address[0]):
+                return None
+
+        if DontRespondToSpecificName(DontRespondToName) and DontRespondToNameScope(DontRespondToName.upper(), Name.upper()):
+            return None 
+
         if Analyze(AnalyzeMode):
             if data[2:4] == "\x01\x10":
                 if Is_Finger_On(Finger_On_Off):
@@ -646,7 +681,6 @@ def Is_Anonymous(data):
     if SecBlobLen > 260:
         SSPIStart = data[79:]
         LMhashLen = struct.unpack('<H',data[93:95])[0]
-        print 'LMHASHLEN:',struct.unpack('<H',data[89:91])[0]
         if LMhashLen == 0 or LMhashLen == 1:
             return True
         else:
@@ -1238,6 +1272,8 @@ def IsICMPRedirectPlausible(IP):
     dnsip = []
     for line in file('/etc/resolv.conf', 'r'):
         ip = line.split()
+        if len(ip) < 2:
+           continue
         if ip[0] == 'nameserver':
             dnsip.extend(ip[1:])
     for x in dnsip:
@@ -1266,10 +1302,10 @@ class LLMNR(BaseRequestHandler):
     def handle(self):
         data, soc = self.request
         try:
-            if Analyze(AnalyzeMode):
             if data[2:4] == "\x00\x00":
                 if Parse_IPV6_Addr(data):
                     Name = Parse_LLMNR_Name(data)
+                    if Analyze(AnalyzeMode):
                         if Is_Finger_On(Finger_On_Off):
                             try:
                                 Finger = RunSmbFinger((self.client_address[0],445))
@@ -1286,12 +1322,16 @@ class LLMNR(BaseRequestHandler):
                                 print Message
                                 logger3.warning(Message)
 
+                    if DontRespondToSpecificHost(DontRespondTo):
+                        if RespondToIPScope(DontRespondTo, self.client_address[0]):
+                            return None
+
+                    if DontRespondToSpecificName(DontRespondToName) and DontRespondToNameScope(DontRespondToName.upper(), Name.upper()):
+                        return None 
+
                     if RespondToSpecificHost(RespondTo):
                         if Analyze(AnalyzeMode) == False:
                             if RespondToIPScope(RespondTo, self.client_address[0]):
-                        if data[2:4] == "\x00\x00":
-                            if Parse_IPV6_Addr(data):
-                                Name = Parse_LLMNR_Name(data)
                                 if RespondToSpecificName(RespondToName) == False:
                                     buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name)
                                     buff.calculate()
@@ -1333,13 +1373,8 @@ class LLMNR(BaseRequestHandler):
                                             except Exception:
                                                 logging.warning('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
                                                 pass
-                        else:
-                            pass
 
                     if Analyze(AnalyzeMode) == False and RespondToSpecificHost(RespondTo) == False:
-                if data[2:4] == "\x00\x00":
-                    if Parse_IPV6_Addr(data):
-                        Name = Parse_LLMNR_Name(data)
                         if RespondToSpecificName(RespondToName) and RespondToNameScope(RespondToName.upper(), Name.upper()):
                             buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name)
                             buff.calculate()
@@ -2540,5 +2575,3 @@ if __name__ == '__main__':
         main()
     except:
         raise
-
-