Improvements around Browser listener

poisoners/NBTNS.py

@@ -16,29 +16,12 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import socket
 import settings
-import string
 import fingerprint
 
 from packets import NBT_Ans
 from SocketServer import BaseRequestHandler
 from utils import *
 
-def NBT_NS_Role(data):
-	Role = {
-		"\x41\x41\x00":"Workstation/Redirector",
-		"\x42\x4c\x00":"Domain Master Browser",
-		"\x42\x4d\x00":"Domain Controller",
-		"\x42\x4e\x00":"Local Master Browser",
-		"\x42\x4f\x00":"Browser Election",
-		"\x43\x41\x00":"File Server",
-		"\x41\x42\x00":"Browser",
-	}
-
-	if data in Role:
-		return Role[data]
-	else:
-		return "Service not known."
-
 # Define what are we answering to.
 def Validate_NBT_NS(data):
 	if settings.Config.AnalyzeMode:
@@ -58,19 +41,6 @@ def Validate_NBT_NS(data):
 	else:
 		return False
 
-def Decode_Name(nbname):
-	#From http://code.google.com/p/dpkt/ with author's permission.
-	try:
-		if len(nbname) != 32:
-			return nbname
-		l = []
-		for i in range(0, 32, 2):
-			l.append(chr(((ord(nbname[i]) - 0x41) << 4) |
-					   ((ord(nbname[i+1]) - 0x41) & 0xf)))
-		return filter(lambda x: x in string.printable, ''.join(l).split('\x00', 1)[0].replace(' ', ''))
-	except:
-		return "Illegal NetBIOS name"
-
 # NBT_NS Server class.
 class NBTNS(BaseRequestHandler):
 

servers/Browser.py

@@ -34,7 +34,7 @@ def WorkstationFingerPrint(data):
 		"\x06\x01"    :"Windows 7/Server 2008R2",
 	}
 
-	return Role[data] if data in Role else False
+	return Role[data] if data in Role else "Unknown"
 
 def RequestType(data):
 	Type = {
@@ -50,63 +50,52 @@ def RequestType(data):
 		"\x0f": 'Local Master Announcement',
 	}
 
-	return Type[data] if data in Type else False
+	return Type[data] if data in Type else "Unknown"
 
 def PrintServerName(data, entries):
-	if entries == 0:
-		pass
+	if entries > 0:
 
-	else:
 		entrieslen = 26*entries
 		chunks, chunk_size = len(data[:entrieslen]), entrieslen/entries
-		ServerName = [data[i:i+chunk_size] for i in range(0, chunks, chunk_size) ]
+		ServerName = [data[i:i+chunk_size] for i in range(0, chunks, chunk_size)]
+
 		l = []
 		for x in ServerName:
-			if WorkstationFingerPrint(x[16:18]):
-				l.append(x[:16].replace('\x00', '') + '\n       [-] Os version is: %s'%(WorkstationFingerPrint(x[16:18])))
+			FP   = WorkstationFingerPrint(x[16:18])
+			Name = x[:16].replace('\x00', '')
+
+			if FP:
+				l.append(Name + ' (%s)' % FP)
 			else:
-				l.append(x[:16].replace('\x00', ''))
+				l.append(Name)
 
 		return l
 
+	return None
+
 def ParsePacket(Payload):
 	PayloadOffset = struct.unpack('<H',Payload[51:53])[0]
 	StatusCode = Payload[PayloadOffset-4:PayloadOffset-2]
 
 	if StatusCode == "\x00\x00":
 		EntriesNum = struct.unpack('<H',Payload[PayloadOffset:PayloadOffset+2])[0]
-		ParsedNames = PrintServerName(Payload[PayloadOffset+4:], EntriesNum)
-		return ParsedNames
+		return PrintServerName(Payload[PayloadOffset+4:], EntriesNum)
 
 	else:
 		return None
 
 def RAPThisDomain(Client,Domain):		
-	try:
-		l = []
-		for x in range(1):
 	PDC = RapFinger(Client,Domain,"\x00\x00\x00\x80")
 	if PDC is not None:
-				l.append('[Analyze mode LANMAN] ')
-				l.append('[*] Domain detected on this network:')
-				for x in PDC:
-					l.append('   - '+x)
+		print text("[LANMAN] Detected Domains: %s" % ', '.join(PDC))
+	
 	SQL = RapFinger(Client,Domain,"\x04\x00\x00\x00")
 	if SQL is not None:
-				l.append('[*] SQL Server detected on Domain %s:'%(Domain))
-				for x in SQL:
-					l.append('   - '+x)
-			WKST = RapFinger(Client,Domain,"\xff\xff\xff\xff")
+		print text("[LANMAN] Detected SQL Servers on domain %s: %s" % (Domain, ', '.join(SQL)))
 
+	WKST = RapFinger(Client,Domain,"\xff\xff\xff\xff")
 	if WKST is not None:
-				l.append('[*] Workstations/Servers detected on Domain %s:'%(Domain))
-				for x in WKST:
-					l.append('   - '+x)
-			else:
-				pass
-			return text('\n'.join(l))
-	except:
-		pass
+		print text("[LANMAN] Detected Workstations/Servers on domain %s: %s" % (Domain, ', '.join(WKST)))
 
 def RapFinger(Host, Domain, Type):
 	try:
@@ -165,7 +154,7 @@ def RapFinger(Host, Domain, Type):
 						s.close()
 						return ParsePacket(data)
 	except:
-		return None
+		pass
 
 def BecomeBackup(data,Client):
 	try:
@@ -194,9 +183,8 @@ def ParseDatagramNBTNames(data,Client):
 		Role2  = NBT_NS_Role(data[79:82])
 
 	
-		if Role2 == "Domain controller service. This name is a domain controller." or Role2 == "Browser Election Service." or Role2 == "Local Master Browser.":
-			if settings.Config.AnalyzeMode:
-				print text('[Analyze mode: Browser] Datagram Request from IP: %s hostname: %s via the: %s to: %s. Service: %s'%(Client, Name, Role1, Domain, Role2))
+		if Role2 == "Domain Controller" or Role2 == "Browser Election" or Role2 == "Local Master Browser" and settings.Config.AnalyzeMode:
+			print text('[Analyze mode: Browser] Datagram Request from IP: %s hostname: %s via the: %s to: %s. Service: %s' % (Client, Name, Role1, Domain, Role2))
 			print RAPThisDomain(Client, Domain)
 	except:
 		pass

tools/BrowserListener.py

@@ -0,0 +1,158 @@
+#!/usr/bin/env python
+# This file is part of Responder
+# Original work by Laurent Gaffie - Trustwave Holdings
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import sys, os
+import socket
+import thread
+import struct
+import time
+
+BASEDIR = os.path.realpath(os.path.join(os.path.dirname(__file__), '..'))
+sys.path.insert(0, BASEDIR)
+
+from servers.Browser import WorkstationFingerPrint, RequestType, RAPThisDomain, RapFinger
+from SocketServer import UDPServer, ThreadingMixIn, BaseRequestHandler
+from threading import Lock
+from utils import *
+
+def ParseRoles(data):
+
+	if len(data) != 4:
+		return ''
+
+	AllRoles = {
+		'Workstation':           (ord(data[0]) >> 0) & 1,
+		'Server':                (ord(data[0]) >> 1) & 1,
+		'SQL':                   (ord(data[0]) >> 2) & 1,
+		'Domain Controller':     (ord(data[0]) >> 3) & 1,
+		'Backup Controller':     (ord(data[0]) >> 4) & 1,
+		'Time Source':           (ord(data[0]) >> 5) & 1,
+		'Apple':                 (ord(data[0]) >> 6) & 1,
+		'Novell':                (ord(data[0]) >> 7) & 1,
+		'Member':                (ord(data[1]) >> 0) & 1,
+		'Print':                 (ord(data[1]) >> 1) & 1,
+		'Dialin':                (ord(data[1]) >> 2) & 1,
+		'Xenix':                 (ord(data[1]) >> 3) & 1,
+		'NT Workstation':        (ord(data[1]) >> 4) & 1,
+		'WfW':                   (ord(data[1]) >> 5) & 1,
+		'Unused':                (ord(data[1]) >> 6) & 1,
+		'NT Server':             (ord(data[1]) >> 7) & 1,
+		'Potential Browser':     (ord(data[2]) >> 0) & 1,
+		'Backup Browser':        (ord(data[2]) >> 1) & 1,
+		'Master Browser':        (ord(data[2]) >> 2) & 1,
+		'Domain Master Browser': (ord(data[2]) >> 3) & 1,
+		'OSF':                   (ord(data[2]) >> 4) & 1,
+		'VMS':                   (ord(data[2]) >> 5) & 1,
+		'Windows 95+':           (ord(data[2]) >> 6) & 1,
+		'DFS':                   (ord(data[2]) >> 7) & 1,
+		'Local':                 (ord(data[3]) >> 6) & 1,
+		'Domain Enum':           (ord(data[3]) >> 7) & 1,
+	}
+
+	#print 'Workstation :              ',  AllRoles['Workstation']
+	#print 'Server :                   ',  AllRoles['Server']
+	#print 'SQL :                      ',  AllRoles['SQL']
+	#print 'Domain Controller :        ',  AllRoles['Domain Controller']
+	#print 'Backup Controller :        ',  AllRoles['Backup Controller']
+	#print 'Time Source :              ',  AllRoles['Time Source']
+	#print 'Apple :                    ',  AllRoles['Apple']
+	#print 'Novell :                   ',  AllRoles['Novell']
+	#print 'Member :                   ',  AllRoles['Member']
+	#print 'Print :                    ',  AllRoles['Print']
+	#print 'Dialin :                   ',  AllRoles['Dialin']
+	#print 'Xenix :                    ',  AllRoles['Xenix']
+	#print 'NT Workstation :           ',  AllRoles['NT Workstation']
+	#print 'WfW :                      ',  AllRoles['WfW']
+	#print 'Unused :                   ',  AllRoles['Unused']
+	#print 'NT Server :                ',  AllRoles['NT Server']
+	#print 'Potential Browser :        ',  AllRoles['Potential Browser']
+	#print 'Backup Browser :           ',  AllRoles['Backup Browser']
+	#print 'Master Browser :           ',  AllRoles['Master Browser']
+	#print 'Domain Master Browser :    ',  AllRoles['Domain Master Browser']
+	#print 'OSF :                      ',  AllRoles['OSF']
+	#print 'VMS :                      ',  AllRoles['VMS']
+	#print 'Windows 95+ :              ',  AllRoles['Windows 95+']
+	#print 'DFS :                      ',  AllRoles['DFS']
+	#print 'Local :                    ',  AllRoles['Local']
+	#print 'Domain Enum :              ',  AllRoles['Domain Enum']
+
+	Roles = []
+	for k,v in AllRoles.iteritems():
+		if v == 1:
+			Roles.append(k)
+
+	return ', '.join(Roles)
+
+class BrowserListener(BaseRequestHandler):
+
+	def handle(self):
+		#try:
+			data, socket = self.request
+
+			lock = Lock()
+			lock.acquire()
+
+			DataOffset    = struct.unpack('<H',data[139:141])[0]
+			BrowserPacket = data[82+DataOffset:]
+			ReqType       = RequestType(BrowserPacket[0])
+
+			Domain = Decode_Name(data[49:81])
+			Name   = Decode_Name(data[15:47])
+			Role1  = NBT_NS_Role(data[45:48])
+			Role2  = NBT_NS_Role(data[79:82])
+			Fprint = WorkstationFingerPrint(data[190:192])
+			Roles  = ParseRoles(data[192:196])
+
+			print text("[BROWSER] Request Type : %s" % ReqType)
+			print text("[BROWSER] Address      : %s" % self.client_address[0])
+			print text("[BROWSER] Domain       : %s" % Domain)
+			print text("[BROWSER] Name         : %s" % Name)
+			print text("[BROWSER] Main Role    : %s" % Role1)
+			print text("[BROWSER] 2nd Role     : %s" % Role2)
+			print text("[BROWSER] Fingerprint  : %s" % Fprint)
+			print text("[BROWSER] Role List    : %s" % Roles)
+
+			RAPThisDomain(self.client_address[0], Domain)
+
+			lock.release()
+
+		#except Exception:
+		#	pass
+
+
+class ThreadingUDPServer(ThreadingMixIn, UDPServer):
+	def server_bind(self):
+		self.allow_reuse_address = 1
+		#self.socket.setsockopt(socket.SOL_SOCKET, 25, 'eth0\0')
+		UDPServer.server_bind(self)
+
+def serve_thread_udp_broadcast(host, port, handler):
+	try:
+		server = ThreadingUDPServer(('', port), handler)
+		server.serve_forever()
+	except:
+		print "Error starting UDP server on port " + str(port) + ", check permissions or other servers running."
+
+if __name__ == "__main__":
+	try:
+		print "Listening for BROWSER datagrams..."
+		thread.start_new(serve_thread_udp_broadcast,('', 138,  BrowserListener))
+
+		while True:
+			time.sleep(1)
+
+	except KeyboardInterrupt:
+		sys.exit("\r Exiting...")

utils.py

@@ -36,10 +36,18 @@ def color(txt, code = 1, modifier = 0):
 	elif 'Analyze' in txt:
 		settings.Config.AnalyzeLogger.warning(txt)
 
+	# No colors for windows...
+	if os.name == 'nt':
+		return txt
+
 	return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
 
 def text(txt):
 	logging.info(txt)
+
+	if os.name == 'nt':
+		return txt
+
 	return '\r'+re.sub(r'\[([^]]*)\]', "\033[1;34m[\\1]\033[0m", txt)
 
 def RespondToThisIP(ClientIp):
@@ -195,6 +203,36 @@ def Parse_IPV6_Addr(data):
 	else:
 		return False
 
+def Decode_Name(nbname):
+	#From http://code.google.com/p/dpkt/ with author's permission.
+	try:
+		from string import printable
+
+		if len(nbname) != 32:
+			return nbname
+		
+		l = []
+		for i in range(0, 32, 2):
+			l.append(chr(((ord(nbname[i]) - 0x41) << 4) | ((ord(nbname[i+1]) - 0x41) & 0xf)))
+		
+		return filter(lambda x: x in printable, ''.join(l).split('\x00', 1)[0].replace(' ', ''))
+	
+	except:
+		return "Illegal NetBIOS name"
+
+def NBT_NS_Role(data):
+	Role = {
+		"\x41\x41\x00":"Workstation/Redirector",
+		"\x42\x4c\x00":"Domain Master Browser",
+		"\x42\x4d\x00":"Domain Controller",
+		"\x42\x4e\x00":"Local Master Browser",
+		"\x42\x4f\x00":"Browser Election",
+		"\x43\x41\x00":"File Server",
+		"\x41\x42\x00":"Browser",
+	}
+
+	return Role[data] if data in Role else "Service not known"
+
 def banner():
 
 	banner = "\n".join([