Initial commit

2025-08-21 05:43:35 -07:00 · 2013-02-12 03:00:12 -05:00 · 2013-02-12 03:00:12 -05:00 · 77040f8ea0
commit 77040f8ea0
parent 9f1c3bcba3
1 changed files with 177 additions and 0 deletions
--- a/README.txt
+++ b/README.txt
@ -0,0 +1,177 @@
+NBT-NS/LLMNR Responder
+Laurent Gaffie <lgaffie@trustwave.com>
+http://www.spiderlabs.com
+
+INTRODUCTION
+============
+
+This tool is first an LLMNR and NBT-NS responder, it will answer to 
+*specific* NBT-NS (NetBIOS Name Service) queries based on their name 
+suffix (see: http://support.microsoft.com/kb/163409). By default, the
+tool will only answers to File Server Service request, which is for SMB.
+The concept behind this, is to target our answers, and be stealthier on
+the network. This also helps to ensure that we don't break legitimate
+NBT-NS behavior.
+You can set the -r option to 1 via command line if you want this tool to
+answer to the Workstation Service request name suffix.
+
+FEATURES
+========
+
+- Built-in SMB Auth server.
+  Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP. Successfully tested from NT4
+  to Server 2012 RC, Samba and Mac OSX Lion. Clear text password is supported for NT4.
+  This functionality is enabled by default when the tool is launched.
+
+- Built-in MSSQL Auth server.
+  In order to redirect SQL Authentication to this tool, you will need to
+  set the option -r to 1(NBT-NS queries for SQL Server lookup are
+  using the Workstation Service name suffix) for systems older than
+  windows Vista (LLMNR will be used for Vista and higher). This server
+  supports NTLMv1, LMv2 hashes. This functionality was successfully tested
+  on Windows SQL Server 2005 & 2008.
+
+- Built-in HTTP Auth server.
+  In order to redirect HTTP Authentication to this tool, you will need
+  to set the option -r to 1 for Windows version older than Vista (NBT-NS
+  queries for HTTP server lookup are sent using the Workstation Service
+  name suffix). For Vista and higher, LLMNR will be used. This server 
+  supports NTLMv1, NTLMv2 hashes *and* Basic Authentication. This server
+  was successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari.
+  Note: This module also works for WebDav NTLM authentication issued from
+  Windows WebDav clients (WebClient).
+
+- Built-in LDAP Auth server.
+  In order to redirect LDAP Authentication to this tool, you will need
+  to set the option -r to 1 for Windows version older than Vista (NBT-NS
+  queries for HTTP server lookup are sent using the Workstation Service
+  name suffix). For Vista and higher, LLMNR will be used. This server 
+  supports NTLMSSP hashes and Simple Authentication (clear text authentication). This server
+  was successfully tested on Windows Support tool "ldp" and LdapAdmin.
+
+- Built-in FTP Auth server.
+  This module will collect FTP clear text credentials.
+
+- Built-in small DNS server. This server will answer type A queries. This
+  is really handy when it's combined with ARP spoofing. 
+
+- All hashes are printed to stdout and dumped in an unique file John
+  Jumbo compliant, using this format:
+  (SMB or MSSQL or HTTP)-(ntlm-v1 or v2 or clear-text)-Client_IP.txt
+  The file will be located in the current folder.
+
+- Responder will logs all its activity to a file Responder-Session.log.
+
+- When the option -f is set to "On", Responder will fingerprint every host who issued an LLMNR/NBT-NS query.
+  All capture modules still work while in fingerprint mode. 
+
+- Browser Listener finds the PDC in stealth mode.
+
+- Icmp Redirect for MITM on Windows =< 5.2 Domain members. This attack combined with the DNS module is pretty effective.
+
+- WPAD rogue transparent proxy server. This module will *silently* grab the encrypted credentials of anyone launching Internet Explorer on the network. It will also grab the cookie of the requested page. This module is higly effective.
+
+CONSIDERATIONS
+==============
+
+- This tool listen on several port: UDP 137, UDP 138, UDP 53, TCP 1433, TCP 389,
+  TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141 Multicast UDP 5553.
+  If you run Samba on your system, stop smbd and nmbd and all other 
+  services listening on these ports.
+  For Ubuntu users: 
+  Edit this file /etc/NetworkManager/NetworkManager.conf and comment the line : "dns=dnsmasq".
+  Then kill dnsmasq with this command (as root): killall dnsmasq -9
+
+- Any rogue server can be turn off via command line, see USAGE section.
+
+- This tool will *not* work on Windows by default.
+
+
+USAGE
+=====
+
+Running this tool:
+
+- python Responder.py [options]
+
+Usage Example:
+
+python Responder.py -i 10.20.30.40 -b 1 -r 0 -f On
+
+Options List:
+
+-h, --help                           show this help message and exit.
+
+-i 10.20.30.40, --ip=10.20.30.40     The ip address to redirect the traffic to.
+                                     (usually yours)
+
+-b 0, --basic=0                      Set this to 1 if you want to return a 
+                                     Basic HTTP authentication. 0 will return 
+                                     an NTLM authentication.
+
+-s Off, --http=Off                   Set this to On or Off to start/stop the
+                                     HTTP server. Default value is On.
+
+-S Off, --smb=Off                    Set this to On or Off to start/stop the
+                                     SMB server. Default value is On.
+
+-q Off, --sql=Off                    Set this to On or Off to start/stop the
+                                     SQL server. Default value is On.
+
+-r 0, --wredir=0                     Set this to enable answers for netbios 
+                                     wredir suffix queries. Answering to wredir
+                                     will likely break stuff on the network 
+                                     (like classics 'nbns spoofer' will).
+                                     Default value is therefore set to Off (0).
+
+-c 1122334455667788, --challenge=    The server challenge to set for NTLM
+                                     authentication. If not set, then defaults
+                                     to 1122334455667788, the most common
+                                     challenge for existing Rainbow Tables.
+
+-l file.log, --logfile=filename.log  Log file to use for Responder session.
+
+-f Off, --fingerprint=Off            This option allows you to fingerprint a 
+                                     host that issued an NBT-NS or LLMNR query.
+
+-F On, --ftp=On                      Set this to On or Off to start/stop the FTP server.
+                                     Default value is On
+
+-L On, --ldap=On                     Set this to On or Off to start/stop the LDAP server.
+                                     Default value is On
+
+-D On, --dns=On                      Set this to On or Off to start/stop the DNS server.
+                                     Default value is On
+
+-w On, --wpad=On                     Set this to On or Off to start/stop the WPAD rogue
+                                     proxy server. Default value is On
+
+
+
+
+For more information read these posts: 
+http://blog.spiderlabs.com/2012/10/introducing-responder-10.html
+http://blog.spiderlabs.com/2013/01/owning-windows-networks-with-responder-17.html
+
+Follow our latest updates on twitter:
+https://twitter.com/PythonResponder
+
+COPYRIGHT
+=========
+
+NBT-NS/LLMNR Responder
+Created by Laurent Gaffie
+Copyright (C) 2013 Trustwave Holdings, Inc.
+ 
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+ 
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>