github/Responder
1
0
Fork 0
mirror of https://github.com/lgandx/Responder.git synced 2025-08-20 05:13:34 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Added proper changes to RunFinger (and is not checking for MS17-010 straight away)

Browse source
This commit is contained in:
Paul A 2018-11-18 12:41:15 +01:00
commit 105502edd4
1 changed files with 105 additions and 127 deletions
Download patch file Download diff file Expand all files Collapse all files

232
tools/RunFinger.py
View file

@ -1,3 +1,7 @@
if options.grep_output:
func = ShowSmallResults
else:
func = ShowResults
#!/usr/bin/env python #!/usr/bin/env python
# This file is part of Responder, a network take-over set of tools # This file is part of Responder, a network take-over set of tools
# created and maintained by Laurent Gaffie. # created and maintained by Laurent Gaffie.
@ -22,22 +26,22 @@ from odict import OrderedDict
import optparse import optparse
from RunFingerPackets import * from RunFingerPackets import *
__version__ = "0.7" __version__ = "0.8"
parser = optparse.OptionParser(usage='python %prog -i 10.10.10.224\nor:\npython %prog -i 10.10.10.0/24', version=__version__, prog=sys.argv[0]) parser = optparse.OptionParser(usage='python %prog -i 10.10.10.224\nor:\npython %prog -i 10.10.10.0/24', version=__version__, prog=sys.argv[0])
parser.add_option('-i','--ip', action="store", help="Target IP address or class C", dest="TARGET", metavar="10.10.10.224", default=None) parser.add_option('-i','--ip', action="store", help="Target IP address or class C", dest="TARGET", metavar="10.10.10.224", default=None)
parser.add_option('-g','--grep', action="store_true", dest="Grep", default=False, help="Output in grepable format") parser.add_option('-a','--all', action="store_true", help="Performs all checks (including MS17-010)", dest="all", default=False)
parser.add_option('-g','--grep', action="store_true", dest="grep_output", default=False, help="Output in grepable format")
options, args = parser.parse_args() options, args = parser.parse_args()
if options.TARGET is None: if options.TARGET is None:
print "\n-i Mandatory option is missing, please provide a target or target range.\n" print("\n-i Mandatory option is missing, please provide a target or target range.\n")
parser.print_help() parser.print_help()
exit(-1) exit(-1)
Timeout = 2 Timeout = 2
Host = options.TARGET Host = options.TARGET
Grep = options.Grep
class Packet(): class Packet():
fields = OrderedDict([ fields = OrderedDict([
@ -78,27 +82,27 @@ def dtoa(d):
return inet_ntoa(struct.pack("!L", d)) return inet_ntoa(struct.pack("!L", d))
def OsNameClientVersion(data): def OsNameClientVersion(data):
try: try:
length = struct.unpack('<H',data[43:45])[0] length = struct.unpack('<H',data[43:45])[0]
if length > 255: if length > 255:
OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[48+length:].split('\x00\x00\x00')[:2]]) OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[48+length:].split('\x00\x00\x00')[:2]])
return OsVersion, ClientVersion return OsVersion, ClientVersion
if length <= 255: if length <= 255:
OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[47+length:].split('\x00\x00\x00')[:2]]) OsVersion, ClientVersion = tuple([e.replace('\x00','') for e in data[47+length:].split('\x00\x00\x00')[:2]])
return OsVersion, ClientVersion return OsVersion, ClientVersion
except: except:
return "Could not fingerprint Os version.", "Could not fingerprint LanManager Client version" return "Could not fingerprint Os version.", "Could not fingerprint LanManager Client version"
def GetHostnameAndDomainName(data): def GetHostnameAndDomainName(data):
try: try:
DomainJoined, Hostname = tuple([e.replace('\x00','') for e in data[81:].split('\x00\x00\x00')[:2]]) DomainJoined, Hostname = tuple([e.replace('\x00','') for e in data[81:].split('\x00\x00\x00')[:2]])
Time = GetBootTime(data[60:68]) Time = GetBootTime(data[60:68])
#If max length domain name, there won't be a \x00\x00\x00 delineator to split on #If max length domain name, there won't be a \x00\x00\x00 delineator to split on
if Hostname == '': if Hostname == '':
DomainJoined = data[81:110].replace('\x00','') DomainJoined = data[81:110].replace('\x00','')
Hostname = data[113:].replace('\x00','') Hostname = data[113:].replace('\x00','')
return Hostname, DomainJoined, Time return Hostname, DomainJoined, Time
except: except:
return "Could not get Hostname.", "Could not get Domain joined" return "Could not get Hostname.", "Could not get Domain joined"
def DomainGrab(Host): def DomainGrab(Host):
s = socket(AF_INET, SOCK_STREAM) s = socket(AF_INET, SOCK_STREAM)
@ -150,73 +154,54 @@ def SmbFinger(Host):
pass pass
def SmbNullSession(Host): def check_ms17_010(host):
s = socket(AF_INET, SOCK_STREAM) s = socket(AF_INET, SOCK_STREAM)
try: try:
s.settimeout(Timeout) s.settimeout(Timeout)
s.connect(Host) s.connect(Host)
except: h = SMBHeader(cmd="\x72",flag1="\x18", flag2="\x53\xc8")
pass n = SMBNego(Data = SMBNegoData())
n.calculate()
packet0 = str(h)+str(n)
buffer0 = longueur(packet0)+packet0
s.send(buffer0)
data = s.recv(2048)
if data[8:10] == "\x75\x00":
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",uid=data[32:34],tid=data[28:30],mid="\xc0\x00")
t = SMBTransRAPData()
t.calculate()
packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1
s.send(buffer1)
data = s.recv(2048)
if data[9:13] == "\x05\x02\x00\xc0":
return True
else:
return False
else:
return False
except Exception as err:
return False
try:
h = SMBHeader(cmd="\x72",flag1="\x18", flag2="\x53\xc8")
n = SMBNego(Data = SMBNegoData())
n.calculate()
packet0 = str(h)+str(n)
buffer0 = longueur(packet0)+packet0
s.send(buffer0)
data = s.recv(2048)
try:
if data[8:10] == "\x72\x00":
head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x53\xc8")
t = SMBSessionData()
t.calculate()
final = t
packet1 = str(head)+str(final)
buffer1 = longueur(packet1)+packet1
s.send(buffer1)
data = s.recv(2048)
if data[8:10] == "\x73\x16": def check_smb_null_session(host):
head = SMBHeader(cmd="\x73",flag1="\x18", flag2="\x17\xc8",uid=data[32:34],mid="\x80\x00") s = socket(AF_INET, SOCK_STREAM)
t = SMBSession2() try:
t.calculate() s.settimeout(Timeout)
final = t s.connect(host)
packet1 = str(head)+str(final) h = SMBHeader(cmd="\x72",flag1="\x18", flag2="\x53\xc8")
buffer1 = longueur(packet1)+packet1 n = SMBNego(Data = SMBNegoData())
s.send(buffer1) n.calculate()
data = s.recv(2048) packet0 = str(h)+str(n)
buffer0 = longueur(packet0)+packet0
if data[8:10] == "\x73\x00": s.send(buffer0)
head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",uid=data[32:34],mid="\xc0\x00") data = s.recv(2048)
t = SMBTreeConnectData(Path="\\\\"+Host[0]+"\\IPC$") if data[8:10] == "\x75\x00":
t.calculate() return True
packet1 = str(head)+str(t) else:
buffer1 = longueur(packet1)+packet1 return False
s.send(buffer1) except Exception:
data = s.recv(2048) return False
if data[8:10] == "\x75\x00":
global Guest
Guest = True
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",uid=data[32:34],tid=data[28:30],mid="\xc0\x00")
t = SMBTransRAPData()
t.calculate()
packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1
s.send(buffer1)
data = s.recv(2048)
if data[9:13] == "\x05\x02\x00\xc0":
return Guest, True
else:
return Guest, False
else:
return False, False
except Exception:
pass
except:
pass
################## ##################
#run it #run it
@ -224,14 +209,15 @@ def ShowResults(Host):
try: try:
Hostname, DomainJoined, Time = DomainGrab(Host) Hostname, DomainJoined, Time = DomainGrab(Host)
Signing, OsVer, LanManClient = SmbFinger(Host) Signing, OsVer, LanManClient = SmbFinger(Host)
NullSess, Ms17010 = SmbNullSession(Host) NullSess = check_smb_null_session(Host)
print "Retrieving information for %s..."%Host[0] Ms17010 = check_ms17_010(Host)
print "SMB signing:", Signing print ("Retrieving information for %s..."%Host[0])
print "Null Sessions Allowed:", NullSess print ("SMB signing:", Signing)
print "Vulnerable to MS17-010:", Ms17010 print ("Null Sessions Allowed:", NullSess)
print "Server Time:", Time[1] print ("Vulnerable to MS17-010:", Ms17010)
print "OS version: '%s'\nLanman Client: '%s'"%(OsVer, LanManClient) print ("Server Time:", Time[1])
print "Machine Hostname: '%s'\nThis machine is part of the '%s' domain\n"%(Hostname, DomainJoined) print ("OS version: '%s'\nLanman Client: '%s'"%(OsVer, LanManClient))
print ("Machine Hostname: '%s'\nThis machine is part of the '%s' domain\n"%(Hostname, DomainJoined))
except: except:
pass pass
@ -246,40 +232,32 @@ def ShowSmallResults(Host):
try: try:
Hostname, DomainJoined, Time = DomainGrab(Host) Hostname, DomainJoined, Time = DomainGrab(Host)
Signing, OsVer, LanManClient = SmbFinger(Host) Signing, OsVer, LanManClient = SmbFinger(Host)
NullSess, Ms17010 = SmbNullSession(Host) NullSess = check_smb_null_session(Host)
Message = "['%s', Os:'%s', Domain:'%s', Signing:'%s', Time:'%s', Null Session: %s, MS17-010: %s]"%(Host[0], OsVer, DomainJoined, Signing, Time[1],NullSess, Ms17010) Ms17010 = check_ms17_010(Host)
print Message message_ms17010 = ", MS17-010: {}".format(Ms17010)
except: print("['{}', Os:'{}', Domain:'{}', Signing:'{}', Time:'{}', Null Session: {} {}".format(Host[0], OsVer, DomainJoined, Signing, Time[1],NullSess, message_ms17010))
raise except Exception as err:
pass pass
def IsGrepable():
if options.Grep:
return True
else:
return False
def RunFinger(Host): def RunFinger(Host):
m = re.search("/", str(Host)) m = re.search("/", str(Host))
if m : if m:
net,_,mask = Host.partition('/') net,_,mask = Host.partition('/')
mask = int(mask) mask = int(mask)
net = atod(net) net = atod(net)
threads = [] threads = []
for host in (dtoa(net+n) for n in range(0, 1<<32-mask)): if options.grep_output:
if IsGrepable(): func = ShowSmallResults
p = multiprocessing.Process(target=ShowSmallResults, args=((host,445),)) else:
threads.append(p) func = ShowResults
p.start() for host in (dtoa(net+n) for n in range(0, 1<<32-mask)):
else: p = multiprocessing.Process(target=func, args=((host,445),))
p = multiprocessing.Process(target=ShowResults, args=((host,445),)) threads.append(p)
threads.append(p) p.start()
p.start()
else: else:
if IsGrepable(): if options.grep_output:
ShowSmallResults((Host,445)) ShowSmallResults((Host,445))
else: else:
ShowResults((Host,445)) ShowResults((Host,445))
RunFinger(Host)
RunFinger(Host)