Merge pull request #163 from Hackndo/master

Add ESS downgrade parameter
2025-08-21 22:03:30 -07:00 · 2021-05-17 21:33:16 -03:00 · 2021-05-17 21:33:16 -03:00 · 3fe574683b
commit 3fe574683b
parent ae1c2be51c dcb80d992e
5 changed files with 8 additions and 4 deletions
--- a/README.md
+++ b/README.md
@ -16,7 +16,7 @@ The concept behind this is to target our answers, and be stealthier on the netwo

 - Built-in SMB Auth server.
 	
-Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2022, Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM hashing downgrade when the --lm option is set. SMBv2 has also been implemented and is supported by default.
+Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2022, Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM hashing downgrade when the --lm option is set. If --disable-ess is set, extended session security will be disabled for NTLMv1 authentication. SMBv2 has also been implemented and is supported by default.

 - Built-in MSSQL Auth server.

@ -163,6 +163,7 @@ Options:
                                with -r. Default: Off
 	  --lm                  Force LM hashing downgrade for Windows XP/2003 and
 	                        earlier. Default: Off
+	  --disable-ess         Force ESS downgrade. Default: Off
 	  -v, --verbose         Increase verbosity.
 	

--- a/Responder.py
+++ b/Responder.py
@ -43,6 +43,7 @@ parser.add_option('-F','--ForceWpadAuth',  action="store_true", help="Force NTLM
 parser.add_option('-P','--ProxyAuth',       action="store_true", help="Force NTLM (transparently)/Basic (prompt) authentication for the proxy. WPAD doesn't need to be ON. This option is highly effective when combined with -r. Default: False", dest="ProxyAuth_On_Off", default=False)

 parser.add_option('--lm',                  action="store_true", help="Force LM hashing downgrade for Windows XP/2003 and earlier. Default: False", dest="LM_On_Off", default=False)
+parser.add_option('--disable-ess',         action="store_true", help="Force ESS downgrade. Default: False", dest="NOESS_On_Off", default=False)
 parser.add_option('-v','--verbose',        action="store_true", help="Increase verbosity.", dest="Verbose")
 options, args = parser.parse_args()

--- a/packets.py
+++ b/packets.py
@ -791,7 +791,7 @@ class LDAPNTLMChallenge(Packet):
 		("NTLMSSPNtWorkstationLen",                   "\x1e\x00"),
 		("NTLMSSPNtWorkstationMaxLen",                "\x1e\x00"),
 		("NTLMSSPNtWorkstationBuffOffset",            "\x38\x00\x00\x00"),
-		("NTLMSSPNtNegotiateFlags",                   "\x15\x82\x89\xe2"),
+		("NTLMSSPNtNegotiateFlags",                   "\x15\x82\x81\xe2" if settings.Config.NOESS_On_Off else "\x15\x82\x89\xe2"),
 		("NTLMSSPNtServerChallenge",                  "\x81\x22\x33\x34\x55\x46\xe7\x88"),
 		("NTLMSSPNtReserved",                         "\x00\x00\x00\x00\x00\x00\x00\x00"),
 		("NTLMSSPNtTargetInfoLen",                    "\x94\x00"),
@ -1331,7 +1331,7 @@ class SMBSession1Data(Packet):
 		("NTLMSSPNtWorkstationLen","\x1e\x00"),
 		("NTLMSSPNtWorkstationMaxLen","\x1e\x00"),
 		("NTLMSSPNtWorkstationBuffOffset","\x38\x00\x00\x00"),
-		("NTLMSSPNtNegotiateFlags","\x15\x82\x89\xe2"),
+		("NTLMSSPNtNegotiateFlags","\x15\x82\x81\xe2" if settings.Config.NOESS_On_Off else "\x15\x82\x89\xe2"),
 		("NTLMSSPNtServerChallenge","\x81\x22\x33\x34\x55\x46\xe7\x88"),
 		("NTLMSSPNtReserved","\x00\x00\x00\x00\x00\x00\x00\x00"),
 		("NTLMSSPNtTargetInfoLen","\x94\x00"),
@ -1651,7 +1651,7 @@ class SMB2Session1Data(Packet):
 		("NTLMSSPNtWorkstationLen","\x1e\x00"),
 		("NTLMSSPNtWorkstationMaxLen","\x1e\x00"),
 		("NTLMSSPNtWorkstationBuffOffset","\x38\x00\x00\x00"),
-		("NTLMSSPNtNegotiateFlags","\x15\x82\x89\xe2"),
+		("NTLMSSPNtNegotiateFlags","\x15\x82\x81\xe2" if settings.Config.NOESS_On_Off else "\x15\x82\x89\xe2"),
 		("NTLMSSPNtServerChallenge","\x81\x22\x33\x34\x55\x46\xe7\x88"),
 		("NTLMSSPNtReserved","\x00\x00\x00\x00\x00\x00\x00\x00"),
 		("NTLMSSPNtTargetInfoLen","\x94\x00"),
--- a/settings.py
+++ b/settings.py
@ -176,6 +176,7 @@ class Settings:
 		# CLI options
 		self.ExternalIP         = options.ExternalIP
 		self.LM_On_Off          = options.LM_On_Off
+		self.NOESS_On_Off       = options.NOESS_On_Off
 		self.WPAD_On_Off        = options.WPAD_On_Off
 		self.Wredirect          = options.Wredirect
 		self.NBTNSDomain        = options.NBTNSDomain
--- a/utils.py
+++ b/utils.py
@ -403,6 +403,7 @@ def StartupMessage():
 	print('    %-27s' % "Force WPAD auth" + (enabled if settings.Config.Force_WPAD_Auth else disabled))
 	print('    %-27s' % "Force Basic Auth" + (enabled if settings.Config.Basic else disabled))
 	print('    %-27s' % "Force LM downgrade" + (enabled if settings.Config.LM_On_Off == True else disabled))
+	print('    %-27s' % "Force ESS downgrade" + (enabled if settings.Config.NOESS_On_Off == True or settings.Config.LM_On_Off == True else disabled))
 	print('    %-27s' % "Fingerprint hosts" + (enabled if settings.Config.Finger_On_Off == True else disabled))
 	print('')