Config dumped independently. Responder-Session.log is now a clean file.

Added new option in Responder.conf. Capture multiple hashes from the same client. Default is On.
2025-12-06 04:31:30 +00:00 · 2016-09-11 23:03:50 -03:00 · 2016-09-11 22:33:00 -03:00
3 changed files with 24 additions and 13 deletions
--- a/Responder.conf
+++ b/Responder.conf
@@ -49,7 +49,7 @@ DontRespondTo =
 DontRespondToName = ISATAP

 ; If set to On, we will stop answering further requests from a host
-; if a hash hash been previously captured for this host.
+; if a hash has been previously captured for this host.
 AutoIgnoreAfterSuccess = Off

 ; If set to On, we will send ACCOUNT_DISABLED when the client tries
@@ -57,6 +57,11 @@ AutoIgnoreAfterSuccess = Off
 ; This may break file serving and is useful only for hash capture
 CaptureMultipleCredentials = On

+; If set to On, we will write to file all hashes captured from the same host. 
+; In this case, Responder will log from 172.16.0.12 all user hashes: domain\toto, 
+; domain\popo, domain\zozo. Recommended value: On, capture everything.
+CaptureMultipleHashFromSameHost = On
+
 [HTTP Server]

 ; Set to On to always serve the custom EXE
--- a/settings.py
+++ b/settings.py
@@ -20,7 +20,7 @@ import subprocess

 from utils import *

-__version__ = 'Responder 2.3.2'
+__version__ = 'Responder 2.3.2.3'

 class Settings:
 	
@@ -147,9 +147,10 @@ class Settings:
 		self.DontRespondToName = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondToName').strip().split(',')])

 		# Auto Ignore List
-		self.AutoIgnore                 = self.toBool(config.get('Responder Core', 'AutoIgnoreAfterSuccess'))
-		self.CaptureMultipleCredentials = self.toBool(config.get('Responder Core', 'CaptureMultipleCredentials'))
-		self.AutoIgnoreList             = []
+		self.AutoIgnore                       = self.toBool(config.get('Responder Core', 'AutoIgnoreAfterSuccess'))
+		self.CaptureMultipleCredentials       = self.toBool(config.get('Responder Core', 'CaptureMultipleCredentials'))
+                self.CaptureMultipleHashFromSameHost  = self.toBool(config.get('Responder Core', 'CaptureMultipleHashFromSameHost'))
+		self.AutoIgnoreList                   = []

 		# CLI options
                self.ExternalIP         = options.ExternalIP
@@ -194,18 +195,13 @@ class Settings:
 		logging.warning('Responder Started: %s' % self.CommandLine)

 		Formatter = logging.Formatter('%(asctime)s - %(message)s')
-                CLog_Handler = logging.FileHandler(self.ResponderConfigDump, 'a')
 		PLog_Handler = logging.FileHandler(self.PoisonersLogFile, 'w')
 		ALog_Handler = logging.FileHandler(self.AnalyzeLogFile, 'a')
-                CLog_Handler.setLevel(logging.INFO)
 		PLog_Handler.setLevel(logging.INFO)
 		ALog_Handler.setLevel(logging.INFO)
 		PLog_Handler.setFormatter(Formatter)
 		ALog_Handler.setFormatter(Formatter)

-		self.ResponderConfigLogger = logging.getLogger('Config Dump Log')
-		self.ResponderConfigLogger.addHandler(CLog_Handler)
-
 		self.PoisonersLogger = logging.getLogger('Poisoners Log')
 		self.PoisonersLogger.addHandler(PLog_Handler)

@@ -216,8 +212,8 @@ class Settings:
                DNS = subprocess.check_output(["cat", "/etc/resolv.conf"])
                RoutingInfo = subprocess.check_output(["netstat", "-rn"])
                Message = "Current environment is:\nNetwork Config:\n%s\nDNS Settings:\n%s\nRouting info:\n%s\n\n"%(NetworkCard,DNS,RoutingInfo)
-                self.ResponderConfigLogger.warning(Message)
-                self.ResponderConfigLogger.warning(str(self))
+                utils.DumpConfig(self.ResponderConfigDump, Message)
+                utils.DumpConfig(self.ResponderConfigDump,str(self))

 def init():
 	global Config
--- a/utils.py
+++ b/utils.py
@@ -130,6 +130,10 @@ def WriteData(outfile, data, user):
 	with open(outfile,"a") as outf2:
 		outf2.write(data + '\n')

+# Function used to write debug config and network info.
+def DumpConfig(outfile, data):
+	with open(outfile,"a") as dump:
+		dump.write(data + '\n')

 def SaveToDb(result):
 	# Creating the DB if it doesn't exist
@@ -157,7 +161,7 @@ def SaveToDb(result):
 	cursor.text_factory = sqlite3.Binary  # We add a text factory to support different charsets
 	res = cursor.execute("SELECT COUNT(*) AS count FROM responder WHERE module=? AND type=? AND client=? AND LOWER(user)=LOWER(?)", (result['module'], result['type'], result['client'], result['user']))
 	(count,) = res.fetchone()
-
+        
 	if not count:
 		with open(logfile,"a") as outf:
 			if len(result['cleartext']):  # If we obtained cleartext credentials, write them to file
@@ -168,6 +172,12 @@ def SaveToDb(result):
 		cursor.execute("INSERT INTO responder VALUES(datetime('now'), ?, ?, ?, ?, ?, ?, ?, ?)", (result['module'], result['type'], result['client'], result['hostname'], result['user'], result['cleartext'], result['hash'], result['fullhash']))
 		cursor.commit()

+        if settings.Config.CaptureMultipleHashFromSameHost:
+		with open(logfile,"a") as outf:
+			if len(result['cleartext']):  # If we obtained cleartext credentials, write them to file
+				outf.write('%s:%s\n' % (result['user'].encode('utf8', 'replace'), result['cleartext'].encode('utf8', 'replace')))
+			else:  # Otherwise, write JtR-style hash string to file
+				outf.write(result['fullhash'].encode('utf8', 'replace') + '\n')

 	if not count or settings.Config.Verbose:  # Print output
 		if len(result['client']):
Author	SHA1	Message	Date
lgandx	92c9191bda	Config dumped independently. Responder-Session.log is now a clean file.	2016-09-11 23:03:50 -03:00
lgandx	35d933d596	Added new option in Responder.conf. Capture multiple hashes from the same client. Default is On.	2016-09-11 22:33:00 -03:00