minor changes

README.md

@@ -5,7 +5,7 @@ LLMNR/NBT-NS/mDNS Poisoner
 (Original work by Laurent Gaffie <lgaffie@trustwave.com> http://www.spiderlabs.com)
 
 
-
+
 ## Intro ##
 
 Responder an LLMNR, NBT-NS and MDNS poisoner. It will answer to *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answer to File Server Service request, which is for SMB.
@@ -14,21 +14,21 @@ The concept behind this is to target our answers, and be stealthier on the netwo
 
 ## Features ##
 
-- Built-in SMB Auth server.
+- Built-in SMB Auth server.
 	
 Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2012 RC, Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM hashing downgrade when the --lm option is set. This functionality is enabled by default when the tool is launched.
 
-- Built-in MSSQL Auth server.
+- Built-in MSSQL Auth server.
 
 In order to redirect SQL Authentication to this tool, you will need to set the option -r (NBT-NS queries for SQL Server lookup are using the Workstation Service name suffix) for systems older than windows Vista (LLMNR will be used for Vista and higher). This server supports NTLMv1, LMv2 hashes. This functionality was successfully tested on Windows SQL Server 2005 & 2008.
 
-- Built-in HTTP Auth server.
+- Built-in HTTP Auth server.
 
 In order to redirect HTTP Authentication to this tool, you will need to set the option -r for Windows version older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMv1, NTLMv2 hashes *and* Basic Authentication. This server was successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari.
 
 Note: This module also works for WebDav NTLM authentication issued from Windows WebDav clients (WebClient). You can now send your custom files to a victim.
 
-- Built-in HTTPS Auth server.
+- Built-in HTTPS Auth server.
 
 Same as above. The folder certs/ containa 2 default keys, including a dummy private key. This is *intentional*, the purpose is to have Responder working out of the box. A script was added in case you need to generate your own self signed key pair.
 
@@ -40,48 +40,48 @@ In order to redirect LDAP Authentication to this tool, you will need to set the
 
 This modules will collect clear text credentials.
 
-- Built-in DNS server.
+- Built-in DNS server.
 
 This server will answer type A queries. This is really handy when it's combined with ARP spoofing. 
 
-- Built-in WPAD Proxy Server.
+- Built-in WPAD Proxy Server.
 
 This module will capture all HTTP requests from anyone launching Internet Explorer on the network if they have "Auto-detect settings" enabled. This module is higly effective. You can configure your custom PAC script in Responder.conf and inject HTML into the server's responses. See Responder.conf.
 
-- Browser Listener
+- Browser Listener
 
 This module allows to find the PDC in stealth mode.
 
-- Fingerprinting
+- Fingerprinting
 
 When the option -f is used, Responder will fingerprint every host who issued an LLMNR/NBT-NS query. All capture modules still work while in fingerprint mode. 
 
-- Icmp Redirect
+- Icmp Redirect
 
     python tools/Icmp-Redirect.py
 
 For MITM on Windows XP/2003 and earlier Domain members. This attack combined with the DNS module is pretty effective.
 
-- Rogue DHCP
+- Rogue DHCP
 
     python tools/DHCP.py
 
 DHCP Inform Spoofing. Allows you to let the real DHCP Server issue IP addresses, and then send a DHCP Inform answer to set your IP address as a primary DNS server, and your own WPAD URL.
 
-- Analyze mode.
+- Analyze mode.
 
 This module allows you to see NBT-NS, BROWSER, LLMNR, DNS requests on the network without poisoning any responses. Also, you can map domains, MSSQL servers, workstations passively, see if ICMP Redirects attacks are plausible on your subnet. 
 
 ## Hashes ##
 
 All hashes are printed to stdout and dumped in an unique file John Jumbo compliant, using this format:
-
+
     (MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt
 
 Log files are located in the "logs/" folder. Hashes will be logged and printed only once per user per hash type, unless you are using the Verbose mode (-v).
 
-- Responder will logs all its activity to Responder-Session.log
+- Responder will logs all its activity to Responder-Session.log
-- Analyze mode will be logged to Analyze-Session.log
+- Analyze mode will be logged to Analyze-Session.log
 - Poisoning will be logged to Poisoners-Session.log
 
 Additionally, all captured hashed are logged into an SQLite database which you can configure in Responder.conf
@@ -89,7 +89,7 @@ Additionally, all captured hashed are logged into an SQLite database which you c
 
 ## Considerations ##
 
-- This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587 and Multicast UDP 5553.
+- This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587 and Multicast UDP 5553.
 
 - If you run Samba on your system, stop smbd and nmbd and all other services listening on these ports.
 
@@ -101,6 +101,16 @@ Edit this file /etc/NetworkManager/NetworkManager.conf and comment the line: `dn
 
 - This tool is not meant to work on Windows.
 
+- For OSX, please note: Responder must be launched with an IP address for the -i flag (e.g. -i YOUR_IP_ADDR). There is no native support in OSX for custom interface binding. Using -i en1 will not work. Also to run Responder with the best experience, run the following as root:
+
+    launchcl unload /System/Library/LaunchDaemons/com.apple.Kerberos.kdc.plist
+
+    launchcl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
+
+    launchcl unload /System/Library/LaunchDaemons/com.apple.smbd.plist
+
+    launchcl unload /System/Library/LaunchDaemons/com.apple.netbiosd.plist
+
 ## Usage ##
 
 First of all, please take a look at Responder.conf and tweak it for your needs.
@@ -145,7 +155,7 @@ Options:
 
 
 
-
+
 ## Copyright ##
 
 NBT-NS/LLMNR Responder

Responder.py

@@ -29,6 +29,7 @@ banner()
 parser = optparse.OptionParser(usage='python %prog -I eth0 -w -r -f\nor:\npython %prog -I eth0 -wrf', version=settings.__version__, prog=sys.argv[0])
 parser.add_option('-A','--analyze',        action="store_true", help="Analyze mode. This option allows you to see NBT-NS, BROWSER, LLMNR requests without responding.", dest="Analyze", default=False)
 parser.add_option('-I','--interface',      action="store",      help="Network interface to use", dest="Interface", metavar="eth0", default=None)
+parser.add_option('-i','--ip',      action="store",      help="Local IP to use \033[1m\033[31m(only for OSX)\033[0m", dest="OURIP", metavar="10.0.0.21", default=None)
 parser.add_option('-b', '--basic',         action="store_true", help="Return a Basic HTTP authentication. Default: NTLM", dest="Basic", default=False)
 parser.add_option('-r', '--wredir',        action="store_true", help="Enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network. Default: False", dest="Wredirect", default=False)
 parser.add_option('-d', '--NBTNSdomain',   action="store_true", help="Enable answers for netbios domain suffix queries. Answering to domain suffixes will likely break stuff on the network. Default: False", dest="NBTNSDomain", default=False)
@@ -44,6 +45,11 @@ if not os.geteuid() == 0:
     print color("[!] Responder must be run as root.")
     sys.exit(-1)
 
+if options.OURIP is None and IsOsX() is True:
+    print "\n\033[1m\033[31mOSX detected, -i mandatory option is missing\033[0m\n"
+    parser.print_help()
+    exit(-1)
+
 settings.init()
 settings.Config.populate(options)
 

servers/HTTP_Proxy.py

@@ -65,12 +65,12 @@ def InjectData(data, client, req_uri):
 					print text("[PROXY] Injecting into HTTP Response: %s" % color(settings.Config.HtmlToInject, 3, 1))
 
 				Content = Content.replace(HasBody[0], '%s\n%s' % (HasBody[0], settings.Config.HtmlToInject))
-				Headers = Headers.replace("Content-Length: "+Len, "Content-Length: "+ str(len(Content)))
 
 		if "content-encoding: gzip" in Headers.lower():
 			Content = zlib.compress(Content)
 
-		data = Headers +'\r\n'+ Content
+		Headers = Headers.replace("Content-Length: "+Len, "Content-Length: "+ str(len(Content)))
+		data = Headers +'\r\n\r\n'+ Content
 
 	else:
 		if settings.Config.Verbose:

settings.py

@@ -21,7 +21,9 @@ import utils
 import logging
 import ConfigParser
 
-__version__ = 'Responder 2.2'
+from utils import IsOsX
+
+__version__ = 'Responder 2.3'
 
 class Settings:
 	
@@ -66,7 +68,7 @@ class Settings:
 
 	def populate(self, options):
 
-		if options.Interface is None:
+		if options.Interface is None and IsOsX() is False:
 			print utils.color("Error: -I <if> mandatory option is missing", 1)
 			sys.exit(-1)
 
@@ -154,6 +156,7 @@ class Settings:
 		self.Basic           = options.Basic
 		self.Finger_On_Off   = options.Finger
 		self.Interface       = options.Interface
+                self.OURIP           = options.OURIP
 		self.Force_WPAD_Auth = options.Force_WPAD_Auth
 		self.Upstream_Proxy  = options.Upstream_Proxy
 		self.AnalyzeMode     = options.Analyze
@@ -163,7 +166,7 @@ class Settings:
 		if self.HtmlToInject == None:
 			self.HtmlToInject = ''
 
-		self.Bind_To = utils.FindLocalIP(self.Interface)
+		self.Bind_To = utils.FindLocalIP(self.Interface, self.OURIP)
 
 		self.IP_aton         = socket.inet_aton(self.Bind_To)
 		self.Os_version      = sys.platform

utils.py

@@ -87,20 +87,31 @@ def OsInterfaceIsSupported():
 	else:
 		return False
 
-def FindLocalIP(Iface):
+def IsOsX():
+    Os_version = sys.platform
+    if Os_version == "darwin":
+        return True
+    else:
+        return False
+
+
+def FindLocalIP(Iface, OURIP):
 
 	if Iface == 'ALL':
 		return '0.0.0.0'
 
 	try:
-		s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+            
-		s.setsockopt(socket.SOL_SOCKET, 25, Iface+'\0')
+               if IsOsX():
-		s.connect(("127.0.0.1",9))#RFC 863
+	           return OURIP
-		ret = s.getsockname()[0]
+               else:
-		s.close()
+	           s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-
+	           s.setsockopt(socket.SOL_SOCKET, 25, Iface+'\0')
-		return ret
+	           s.connect(("127.0.0.1",9))#RFC 863
-
+	           ret = s.getsockname()[0]
+	           s.close()
+	           return ret
+                    
 	except socket.error:
 		print color("[!] Error: %s: Interface not found" % Iface, 1)
 		sys.exit(-1)
@@ -251,7 +262,7 @@ def banner():
 	print banner
 	print "\n           \033[1;33mNBT-NS, LLMNR & MDNS %s\033[0m" % settings.__version__
 	print ""
-	print "  Original work by Laurent Gaffie (lgaffie@trustwave.com)"
+	print "  Original work by Laurent Gaffie (lgaffie@trustwave.com) and supported by Laurent Gaffie"
 	print "  To kill this script hit CRTL-C"
 	print ""