run smbv1 scan in runfinger

klemou 2022-10-01 09:26:32 +02:00
commit 4321919c9f


@ -32,6 +32,7 @@ parser = optparse.OptionParser(usage='python %prog -i 10.10.10.224\nor:\npython
parser.add_option('-i','--ip', action="store", help="Target IP address or class C", dest="TARGET", metavar="10.10.10.224", default=None) parser.add_option('-i','--ip', action="store", help="Target IP address or class C", dest="TARGET", metavar="10.10.10.224", default=None)
parser.add_option('-f','--filename', action="store", help="Target file", dest="Filename", metavar="ips.txt", default=None) parser.add_option('-f','--filename', action="store", help="Target file", dest="Filename", metavar="ips.txt", default=None)
parser.add_option('-o','--outfile', action="store", help="Output file", dest="OutFilename", metavar="output.txt", default=None)
parser.add_option('-t','--timeout', action="store", help="Timeout for all connections. Use this option to fine tune Runfinger.", dest="Timeout", type="float", metavar="0.9", default=2) parser.add_option('-t','--timeout', action="store", help="Timeout for all connections. Use this option to fine tune Runfinger.", dest="Timeout", type="float", metavar="0.9", default=2)
options, args = parser.parse_args() options, args = parser.parse_args()
@ -44,6 +45,7 @@ if options.TARGET == None and options.Filename == None:
Timeout = options.Timeout Timeout = options.Timeout
Host = options.TARGET Host = options.TARGET
Filename = options.Filename Filename = options.Filename
Outputfile = None if options.OutFilename==None else open(options.OutFilename,"w")
SMB1 = "True" SMB1 = "True"
SMB2signing = "False" SMB2signing = "False"
DB = os.path.abspath(os.path.join(os.path.dirname(__file__)))+"/RunFinger.db" DB = os.path.abspath(os.path.join(os.path.dirname(__file__)))+"/RunFinger.db"
@ -162,7 +164,10 @@ def ParseSMBNTLM2Exchange(data, host, bootime, signing): #Parse SMB NTLMSSP Res
DomainGrab((host, 445)) DomainGrab((host, 445))
RDP = IsServiceOn((host,3389)) RDP = IsServiceOn((host,3389))
SQL = IsServiceOn((host,1433)) SQL = IsServiceOn((host,1433))
print(("[SMB2]:['{}', Os:'{}', Build:'{}', Domain:'{}', Bootime: '{}', Signing:'{}', RDP:'{}', SMB1:'{}', MSSQL:'{}']".format(host, WindowsVers, str(WindowsBuildVers), Domain, Bootime, signing, RDP,SMB1, SQL))) outstr = (f"[SMB2]:['{host}', Os:'{WindowsVers}', Build:'{str(WindowsBuildVers)}', Domain:'{Domain}', Bootime: '{Bootime}', Signing:'{signing}', RDP:'{RDP}', SMB1:'{SMB1}', MSSQL:'{SQL}']")
print(outstr)
if Outputfile != None:
Outputfile.write(outstr+"\n") # save result in file
SaveRunFingerToDb({ SaveRunFingerToDb({
'Protocol': '[SMB2]', 'Protocol': '[SMB2]',
'Host': host, 'Host': host,
@ -328,11 +333,20 @@ def check_smb_null_session(host):
s.send(NetworkSendBufferPython2or3(buffer0)) s.send(NetworkSendBufferPython2or3(buffer0))
data = s.recv(2048) data = s.recv(2048)
if data[8:10] == b'\x75\x00': if data[8:10] == b'\x75\x00':
return 'True' h = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",uid=data[32:34].decode('latin-1'),tid=data[28:30].decode('latin-1'),mid="\xc0\x00")
n = SMBTransRAPData()
n.calculate()
packet0 = str(h)+str(n)
buffer0 = longueur(packet0)+packet0
s.send(NetworkSendBufferPython2or3(buffer0))
data = s.recv(2048)
if data[9:13] == b"\x05\x02\x00\xc0":
return ('True', 'True')
return ('True', 'False')
else: else:
return 'False' return ('False', 'False')
except Exception: except Exception as e:
return False print(f"Test on null session and ms17 fail on {host[0]} Error: {e}", file=sys.stderr)
################## ##################
#SMB2 part: #SMB2 part:
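Review bot: The new `except Exception as e:` branch at the end of this hunk prints the error and then falls off the end of check_smb_null_session, so it returns None, while both non-error paths now return a two-tuple; the caller in ShowSmallResults unpacks `NullSess, ms17_10_ready = check_smb_null_session((Host, 445))`, so a timeout or reset on the MS17-010 probe becomes a TypeError at the call site instead of a result. Add an explicit return after the print, e.g. `return ('Unknown', 'Unknown')`, and make sure the DB writer accepts that value; returning `('False', 'False')` would be simpler but would report a host as not null-session-capable and not MS17-010-affected when the probe never completed, which is misleading for a scanner. The `data[9:13] == b"\x05\x02\x00\xc0"` match (status 0xC0000205, STATUS_INSUFF_SERVER_RESOURCES) is presumably the same heuristic the public MS17-010 checkers use; it indicates an unpatched SMBv1 transaction path, not that exploitation will succeed, so a comment such as `# 0xC0000205 on a Trans request is the MS17-010 unpatched-host signature (detection only)` would help the next reader. The start of check_smb_null_session, including where `s` is created and whether it is closed, lies outside the hunk.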
@ -390,14 +404,18 @@ def handle(data, host):
################## ##################
def ShowSmallResults(Host): def ShowSmallResults(Host):
if ConnectAndChoseSMB((Host,445)) == False: ConnectAndChoseSMB((Host,445))
if SMB1 == "True":
try: try:
Hostname, DomainJoined = DomainGrab((Host, 445)) Hostname, DomainJoined = DomainGrab((Host, 445))
Signing, OsVer, LanManClient = SmbFinger((Host, 445)) Signing, OsVer, LanManClient = SmbFinger((Host, 445))
NullSess = check_smb_null_session((Host, 445)) NullSess, ms17_10_ready = check_smb_null_session((Host, 445))
RDP = IsServiceOn((Host,3389)) RDP = IsServiceOn((Host,3389))
SQL = IsServiceOn((Host,1433)) SQL = IsServiceOn((Host,1433))
print(("[SMB1]:['{}', Os:'{}', Domain:'{}', Signing:'{}', Null Session: '{}', RDP:'{}', MSSQL:'{}']".format(Host, OsVer, DomainJoined, Signing, NullSess,RDP, SQL))) outstr = f"[SMB1]:['{Host}', Hostname:'{Hostname}', Os:'{OsVer}', Domain:'{DomainJoined}', Null Session: '{NullSess}', Vulnerable to MS17-010: '{ms17_10_ready}', Lanman Client: '{LanManClient}', RDP:'{RDP}', MSSQL:'{SQL}']"
print(outstr)
if Outputfile != None:
Outputfile.write(outstr+"\n") # save result in file
SaveRunFingerToDb({ SaveRunFingerToDb({
'Protocol': '[SMB1]', 'Protocol': '[SMB1]',
'Host': Host, 'Host': Host,