#!/usr/bin/env python3
import argparse
from copy import deepcopy
from datetime import datetime, timedelta
from ipaddress import ip_network
import json
import logging
import logging.config
import logging.handlers
from multiprocessing import Process, Lock
from pathlib import Path
import random
import socket
import sys
from time import sleep

from scapy.all import *
from scapy.layers.dns import DNS, DNSQR
from scapy.layers.inet import IP, UDP
from scapy.layers.llmnr import LLMNRQuery, LLMNRResponse
from scapy.layers.netbios import NBNSQueryRequest, NBNSQueryResponse, NBNSHeader

from utils.discord import send_discord_message
from utils.errors import WebhookException
from utils.slack import send_slack_message
from utils.teams import send_teams_message
# ASCII banner printed once at startup by the __main__ block (raw string, so
# the backslashes in the art are kept literally).
respotter_ascii_logo = r"""
____ __ __
/ __ \___ _________ ____ / /_/ /____ _____
/ /_/ / _ \/ ___/ __ \/ __ \/ __/ __/ _ \/ ___/
/ _, _/ __(__ ) /_/ / /_/ / /_/ /_/ __/ /
/_/ |_|\___/____/ .___/\____/\__/\__/\___/_/
/_/
"""
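class Respotter:
    """Honeypot that detects Responder-style LLMNR/mDNS/NBT-NS poisoners.

    Two activities run as separate processes in daemon mode:

    * ``responder_scan`` periodically sends name-resolution queries for a
      hostname that should not exist on the network; any host that answers
      is reported as a poisoner (``webhook_responder_alert``).
    * ``vuln_sniff`` passively watches for LLMNR/mDNS/NBT-NS queries from
      other hosts and reports them as potential victims together with
      remediation advice (``webhook_remediation_alert``).

    Alerts go to the configured Teams/Slack/Discord webhooks and are
    rate-limited per IP; the timestamps live in a JSON state file so the
    limit survives restarts.  The scanner process only writes the
    ``responder_alerts`` table and the sniffer process only writes the
    ``remediation_alerts`` table; the file is the shared view of both.
    """

    # Minimum interval between two webhook alerts for the same IP.
    ALERT_COOLDOWN = timedelta(hours=1)
    # Webhook services in the order alerts are attempted.
    WEBHOOK_SERVICES = ("teams", "discord", "slack")
    # Half-open range (seconds) for the random pause between scan rounds.
    SCAN_INTERVAL = (30, 90)
    # Netbios names are at most 15 characters; see the scapy workaround below.
    NBNS_NAME_MAX = 15

    def __init__(self,
                 discord_webhook="",
                 excluded_protocols=None,
                 hostname="Loremipsumdolorsitamet",
                 slack_webhook="",
                 state_file="state/state.json",
                 subnet="",
                 syslog_address="",
                 teams_webhook="",
                 test_webhooks=False,
                 verbosity=2,
                 ):
        """Configure logging, alert state, broadcast address and webhooks.

        Args:
            discord_webhook, slack_webhook, teams_webhook: webhook URLs;
                empty string disables that service.
            excluded_protocols: iterable of "llmnr"/"mdns"/"nbns" to skip.
                Copied, so the caller's list is never mutated (the previous
                default of ``[]`` was shared between instances and appended to).
            hostname: name the active scanner queries for; should be one that
                does not exist, so only a poisoner answers.
            state_file: JSON file holding per-IP alert timestamps.
            subnet: IPv4 CIDR used to derive the NBT-NS broadcast address.
                Missing or unparsable disables "nbns".
            syslog_address: host to also send logs to (UDP 514) when set.
            test_webhooks: send a test message to each webhook at startup.
            verbosity: 0-5, mapped to log level CRITICAL..NOTSET.
        """
        self._setup_logging(verbosity, syslog_address)
        # Fresh list per instance; see the excluded_protocols note above.
        self.excluded_protocols = list(excluded_protocols) if excluded_protocols else []
        self.hostname = hostname
        if self.hostname == "Loremipsumdolorsitamet":
            self.log.warning("[-] WARNING: using default hostname 'Loremipsumdolorsitamet' - set a more believable hostname for better OPSEC")
        self.is_daemon = False
        self.verbosity = verbosity
        # state persistence
        self.state_file = state_file
        # Created before daemon() forks, so both child processes share it.
        self.state_lock = Lock()
        self._load_state()
        # get broadcast IP for Netbios (None when unavailable)
        self.broadcast_ip = None
        self._configure_broadcast(subnet)
        # setup webhooks
        self.webhooks = {}
        configured = {"teams": teams_webhook, "slack": slack_webhook, "discord": discord_webhook}
        for service, url in configured.items():
            if url:
                self.webhooks[service] = url
            else:
                self.log.warning(f"[-] WARNING: {service} webhook URL not set")
        if test_webhooks:
            self.webhook_test()

    def _setup_logging(self, verbosity, syslog_address):
        """Attach a bare-message console handler and, optionally, a syslog handler."""
        self.log = logging.getLogger('respotter')
        # An empty format string makes logging fall back to its default
        # "%(message)s", so the console shows just the message text.
        console = logging.StreamHandler()
        console.setFormatter(logging.Formatter(''))
        self.log.addHandler(console)
        # verbosity 0 -> 50 (CRITICAL) ... 5 -> 0 (NOTSET)
        self.log.setLevel((5 - verbosity) * 10)
        if syslog_address:
            syslog = logging.handlers.SysLogHandler(address=(syslog_address, 514))
            syslog.setFormatter(logging.Formatter('Respotter {processName}[{process}]: {message}', style='{'))
            self.log.addHandler(syslog)

    def _load_state(self):
        """Restore the per-IP alert timestamps from ``self.state_file``.

        A missing file starts empty silently; an unreadable or malformed one
        is reported and then reset, since the rate-limit history is lost.
        """
        try:
            with open(self.state_file, "r", encoding="utf-8") as fh:
                previous = json.load(fh)
            self.responder_alerts = {
                ip: datetime.fromisoformat(ts) for ip, ts in previous["responder_alerts"].items()
            }
            self.remediation_alerts = {
                ip: datetime.fromisoformat(ts) for ip, ts in previous["remediation_alerts"].items()
            }
        except FileNotFoundError:
            self._reset_state()
        except (json.JSONDecodeError, KeyError, TypeError, ValueError, AttributeError):
            self.log.warning(f"[-] WARNING: state file '{self.state_file}' is unreadable - starting with empty alert history")
            self._reset_state()

    def _reset_state(self):
        """Empty both alert tables and write a blank state file (creating its directory)."""
        self.responder_alerts = {}
        self.remediation_alerts = {}
        # Create the directory of the configured path, not a hard-coded "state/".
        Path(self.state_file).parent.mkdir(parents=True, exist_ok=True)
        with open(self.state_file, "w", encoding="utf-8") as fh:
            json.dump({"responder_alerts": {}, "remediation_alerts": {}}, fh)

    def _configure_broadcast(self, subnet):
        """Derive the NBT-NS broadcast address from ``subnet`` or disable "nbns"."""
        if subnet:
            try:
                # strict=False accepts a host address inside the subnet
                # ("192.168.1.7/24"); the broadcast address is the same.
                network = ip_network(subnet, strict=False)
                if network.version != 4:
                    raise ValueError("NBT-NS needs an IPv4 subnet")
                self.broadcast_ip = str(network.broadcast_address)
                return
            except ValueError:
                self.log.error("[!] ERROR: could not parse subnet CIDR. Netbios protocol will be disabled.")
        elif "nbns" not in self.excluded_protocols:
            self.log.error("[!] ERROR: subnet CIDR not configured. Netbios protocol will be disabled.")
        if "nbns" not in self.excluded_protocols:
            self.excluded_protocols.append("nbns")

    def _send_webhook(self, service, title, details):
        """Deliver one message to ``service``; lets WebhookException propagate.

        The sender is looked up in a dict (the original built the function
        name with eval()).
        """
        senders = {
            "teams": send_teams_message,
            "discord": send_discord_message,
            "slack": send_slack_message,
        }
        senders[service](self.webhooks[service], title=title, details=details)

    def webhook_test(self):
        """Send a start-up test message to every configured webhook and log the outcome."""
        title = "Test message"
        details = "Respotter is starting up... This is a test message."
        for service in self.WEBHOOK_SERVICES:
            if service not in self.webhooks:
                continue
            try:
                self._send_webhook(service, title, details)
            except WebhookException as e:
                self.log.error(f"[!] {service.capitalize()} webhook test failed: {e}")
            else:
                self.log.info(f"[+] {service.capitalize()} webhook test successful")

    def _alert(self, table, state_key, ip, title, details, label):
        """Rate-limited fan-out of one alert to all webhooks, then persist the timestamp.

        Args:
            table: ``self.responder_alerts`` or ``self.remediation_alerts``.
            state_key: the matching key in the state file.
            ip: the IP the alert is about; also the rate-limit key.
            title, details: message content.
            label: wording for the success log line ("Alert", "Remediation alert").
        """
        with self.state_lock:
            last = table.get(ip)
            if last is not None and last > datetime.now() - self.ALERT_COOLDOWN:
                return
            for service in self.WEBHOOK_SERVICES:
                if service not in self.webhooks:
                    continue
                try:
                    self._send_webhook(service, title, details)
                    self.log.info(f"[+] {label} sent to {service.capitalize()} for {ip}")
                except WebhookException as e:
                    self.log.error(f"[!] {service.capitalize()} webhook failed: {e}")
            table[ip] = datetime.now()
            self._persist_alerts(state_key, table)

    def _persist_alerts(self, state_key, table):
        """Replace ``state_key`` in the state file with ``table`` (ISO timestamps).

        Caller must hold ``self.state_lock``. Only this key is rewritten so the
        other process's table, read from the same file, is preserved.
        """
        with open(self.state_file, "r+", encoding="utf-8") as fh:
            state = json.load(fh)
            state[state_key] = {ip: ts.isoformat() for ip, ts in table.items()}
            fh.seek(0)
            json.dump(state, fh)
            # Without truncate() a shorter document leaves the old tail in the
            # file and the next json.load() fails on it.
            fh.truncate()

    def webhook_responder_alert(self, responder_ip):
        """Alert that a poisoner answered at ``responder_ip`` (at most once per cooldown)."""
        self._alert(self.responder_alerts, "responder_alerts", responder_ip,
                    "Responder detected!", f"Responder instance found at {responder_ip}", "Alert")

    def webhook_remediation_alert(self, requester_ip, message):
        """Alert that ``requester_ip`` is misconfigured, with ``message`` as the advice."""
        self._alert(self.remediation_alerts, "remediation_alerts", requester_ip,
                    "Configuration issue detected!", message, "Remediation alert")

    @staticmethod
    def _llmnr_query(hostname):
        # LLMNR uses the multicast IP 224.0.0.252 and UDP port 5355
        return IP(dst="224.0.0.252")/UDP(dport=5355)/LLMNRQuery(qd=DNSQR(qname=hostname))

    @staticmethod
    def _mdns_query(hostname):
        # mDNS uses the multicast IP 224.0.0.251 and UDP port 5353
        return IP(dst="224.0.0.251")/UDP(dport=5353)/DNS(rd=1, qd=DNSQR(qname=hostname))

    def _nbns_query(self, hostname):
        # WORKAROUND: Scapy not matching long req to resp (secdev/scapy PR #4446)
        name = hostname[:self.NBNS_NAME_MAX]
        # Netbios uses the broadcast IP and UDP port 137
        return IP(dst=self.broadcast_ip)/UDP(sport=137, dport=137)/NBNSHeader(OPCODE=0x0, NM_FLAGS=0x11, QDCOUNT=1)/NBNSQueryRequest(SUFFIX="file server service", QUESTION_NAME=name, QUESTION_TYPE="NB")

    def _report_responder(self, protocol, responder_ip, hostname):
        """Log a detected poisoner and, in daemon mode, raise a webhook alert."""
        self.log.critical(f"[!] [{protocol}] Responder detected at: {responder_ip} - responded to name '{hostname}'")
        if self.is_daemon:
            self.webhook_responder_alert(responder_ip)

    def send_llmnr_request(self, hostname=""):
        """Query ``hostname`` (default: self.hostname) over LLMNR and report any A-record answer."""
        hostname = hostname or self.hostname
        response = sr1(self._llmnr_query(hostname), timeout=1, verbose=0)
        if not response:
            self.log.debug(f"[*] [LLMNR] No response for '{hostname}'")
            return
        self.log.debug(response)
        if response.haslayer(LLMNRResponse):
            # `or []` guards a response whose answer section is absent/None.
            for answer in response[LLMNRResponse].an or []:
                if answer.type == 1:  # Type 1 is A record, which contains the IP address
                    self._report_responder("LLMNR", answer.rdata, hostname)

    def send_mdns_request(self, hostname=""):
        """Query ``hostname`` (default: self.hostname) over mDNS and report any A-record answer."""
        hostname = hostname or self.hostname
        response = sr1(self._mdns_query(hostname), timeout=1, verbose=0)
        if not response:
            self.log.debug(f"[*] [MDNS] No response for '{hostname}'")
            return
        self.log.debug(response)
        if response.haslayer(DNS):
            for answer in response[DNS].an or []:
                if answer.type == 1:  # A record
                    self._report_responder("MDNS", answer.rdata, hostname)

    def send_nbns_request(self, hostname=""):
        """Broadcast an NBT-NS name query for ``hostname`` and report any address entry."""
        if not self.broadcast_ip:
            self.log.error("[!] ERROR: broadcast IP not set. Skipping Netbios request.")
            return
        # Truncated here too so the log lines show the name actually queried.
        hostname = (hostname or self.hostname)[:self.NBNS_NAME_MAX]
        response = sr1(self._nbns_query(hostname), timeout=1, verbose=0)
        if not response:
            # Was a plain string in the original, so the name never appeared.
            self.log.debug(f"[*] [NBT-NS] No response for '{hostname}'")
            return
        self.log.debug(response)
        if response.haslayer(NBNSQueryResponse):
            for answer in response[NBNSQueryResponse].ADDR_ENTRY or []:
                self._report_responder("NBT-NS", answer.NB_ADDRESS, hostname)

    def daemon(self):
        """Run the active scanner and the passive sniffer as child processes and wait on both."""
        self.is_daemon = True
        workers = [Process(target=self.responder_scan), Process(target=self.vuln_sniff)]
        for worker in workers:
            worker.start()
        for worker in workers:
            worker.join()

    def responder_scan(self):
        """Probe forever with every non-excluded protocol, pausing a random interval between rounds."""
        self.log.info("[*] Responder scans started")
        # Scapy setting -- multicast/broadcast responses won't come from dst IP
        conf.checkIPaddr = False
        probes = (
            ("llmnr", self.send_llmnr_request),
            ("mdns", self.send_mdns_request),
            ("nbns", self.send_nbns_request),
        )
        while True:
            for protocol, probe in probes:
                if protocol not in self.excluded_protocols:
                    probe()
            # Randomised pause, presumably so the probes have no fixed cadence.
            sleep(random.randrange(*self.SCAN_INTERVAL))

    def vuln_sniff(self):
        """
        This sniffer will NOT poison responses; it will only listen for queries.
        Poisoning responses isn't opsec-safe for the honeypot, and may cause issues with
        the client. Use Responder to identify accounts that are vulnerable to poisoning
        once a vulnerable host has been discovered by Respotter.

        Three AsyncSniffers (LLMNR, mDNS, NBT-NS) run in the background; this
        method then idles forever so the process stays alive.
        """
        def from_other_host(pkt, layer):
            # Only IPv4 queries from other hosts: our own probes leave from the
            # default interface and are skipped, and packets without an IP
            # layer (e.g. IPv6 LLMNR) are dropped here because the callbacks
            # read pkt[IP] -- previously they raised inside the filter.
            return pkt.haslayer(IP) and pkt.haslayer(layer) and pkt[IP].src != conf.iface.ip

        llmnr_sniffer = AsyncSniffer(
            filter="udp port 5355",
            lfilter=lambda pkt: from_other_host(pkt, LLMNRQuery),  # TODO: should this be DNSQR?
            started_callback=self.sniffer_startup,
            prn=self.llmnr_found,
            store=0
        )
        mdns_sniffer = AsyncSniffer(
            filter="udp port 5353",
            lfilter=lambda pkt: from_other_host(pkt, DNS),  # TODO: should this be DNSQR?
            started_callback=self.sniffer_startup,
            prn=self.mdns_found,
            store=0
        )
        nbns_sniffer = AsyncSniffer(
            filter="udp port 137",
            lfilter=lambda pkt: from_other_host(pkt, NBNSQueryRequest),
            started_callback=self.sniffer_startup,
            prn=self.nbns_found,
            store=0
        )
        for sniffer in (llmnr_sniffer, mdns_sniffer, nbns_sniffer):
            sniffer.start()
        while True:
            sleep(1)

    def sniffer_startup(self):
        """started_callback for each AsyncSniffer."""
        self.log.info("[*] Sniffer started")

    @staticmethod
    def _decode_name(raw):
        """Decode a name taken off the wire for logging and lookups.

        Undecodable bytes are replaced instead of raising, so a malformed
        packet cannot kill the sniffer callback, and non-printable characters
        are dropped so a crafted name cannot inject line breaks or control
        sequences into the console/syslog output.
        """
        text = raw.decode(errors="replace")
        return "".join(ch for ch in text if ch.isprintable())

    def _report_query(self, protocol, label, requester_ip, requested_hostname):
        """Log a sniffed query as a potential victim and, in daemon mode, work out remediation."""
        self.log.critical(f"[!] [{protocol}] {label} query for '{requested_hostname}' from {requester_ip} - potentially vulnerable to Responder")
        if self.is_daemon:
            self.get_remediation_advice(protocol, requester_ip, requested_hostname)

    def llmnr_found(self, packet):
        """Sniffer callback: report every question in an LLMNR query."""
        requester_ip = packet[IP].src
        for question in packet[LLMNRQuery].qd or []:
            self._report_query("LLMNR", "LLMNR", requester_ip, self._decode_name(question.qname))

    def mdns_found(self, packet):
        """Sniffer callback: report every question in an mDNS packet."""
        requester_ip = packet[IP].src
        for question in packet[DNS].qd or []:
            self._report_query("MDNS", "mDNS", requester_ip, self._decode_name(question.qname))

    def nbns_found(self, packet):
        """Sniffer callback: report the name in an NBT-NS query."""
        requester_ip = packet[IP].src
        requested_hostname = self._decode_name(packet[NBNSQueryRequest].QUESTION_NAME)
        self._report_query("NBT-NS", "NBT-NS", requester_ip, requested_hostname)

    def get_remediation_advice(self, protocol, requester_ip, requested_hostname):
        """Decide why ``requester_ip`` fell back to ``protocol`` and alert with advice.

        Resolves the name in DNS first: a host looking for itself, or NBT-NS
        (often tried before DNS), is ignored; a name DNS knows means the
        requester uses the wrong DNS server; a name DNS does not know but a
        device answers for means the DNS record is missing.
        """
        resolved = self.dns_lookup(requested_hostname)
        if resolved:
            if resolved == requester_ip:
                # Host looking for itself
                self.log.debug(f"[*] [{protocol}] {requester_ip} is looking for itself")
                return None
            if protocol == "NBT-NS":
                # Netbios sometimes is used before doing a DNS lookup
                return None
            # Host looking for another device
            self.log.info(f"[*] [{protocol}] {requester_ip} has incorrect DNS server for {requested_hostname}")
            advice = f"{requester_ip} unable to find host '{requested_hostname}' in DNS so it used {protocol}. Update the DNS settings on {requester_ip} to point to the correct DNS server"
            self.webhook_remediation_alert(requester_ip, advice)
            return None
        if self.device_exists(requested_hostname):
            # We got a response -- DNS server is missing a record for the host
            self.log.info(f"[*] [{protocol}] DNS record missing for '{requested_hostname}' - add record to DNS server")
            advice = f"{requester_ip} unable to find host '{requested_hostname}' in DNS so it used {protocol}. Add a DNS record for '{requested_hostname}' to the DNS server"
            self.webhook_remediation_alert(requester_ip, advice)
        else:
            # We got no response -- the device doesn't exist
            self.log.debug(f"[*] [{protocol}] {requester_ip} is looking for non-existent device {requested_hostname}")
        return None

    def dns_lookup(self, hostname):
        """Return the IPv4 address DNS gives for ``hostname``, or None if it does not resolve."""
        try:
            return socket.gethostbyname(hostname)
        except (OSError, UnicodeError, ValueError):
            # gaierror/herror are OSError subclasses; UnicodeError/ValueError
            # cover malformed names from untrusted packets. Narrower than the
            # original bare except, which also swallowed KeyboardInterrupt.
            return None

    def device_exists(self, hostname):
        """Return True if any host answers for ``hostname`` over LLMNR, mDNS or NBT-NS.

        NOTE(review): a poisoner on the segment answers every name, so this
        can report True for a host that does not exist.
        """
        if sr1(self._llmnr_query(hostname), timeout=1, verbose=0):
            return True
        if sr1(self._mdns_query(hostname), timeout=1, verbose=0):
            return True
        if not self.broadcast_ip:
            return False
        return bool(sr1(self._nbns_query(hostname), timeout=1, verbose=0))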
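def parse_options():
    """Parse the command line, layered over an optional JSON config file.

    Precedence: built-in defaults < config file (-c/--config) < CLI flags.

    Returns:
        The argparse Namespace. ``verbosity`` is an int when given on the
        command line; values coming from the config file keep their JSON type.
    """
    # add_help=False so it doesn't parse -h yet
    config_parser = argparse.ArgumentParser(add_help=False)
    config_parser.add_argument("-c", "--config", help="Specify config file", metavar="FILE")
    args, remaining_argv = config_parser.parse_known_args()
    # Precedence: defaults < config file < cli arguments
    defaults = {
        "discord_webhook": "",
        "exclude": "",
        "hostname": "Loremipsumdolorsitamet",
        "slack_webhook": "",
        "state_file": "state/state.json",
        "subnet": "",
        "syslog_address": "",
        "teams_webhook": "",
        "test_webhooks": False,
        "verbosity": 2,
    }
    # parse config and override defaults
    if args.config:
        with open(args.config, "r", encoding="utf-8") as config_file:
            defaults.update(json.load(config_file))
    # parse args and override config
    parser = argparse.ArgumentParser(parents=[config_parser])
    parser.set_defaults(**defaults)
    parser.add_argument("-s", "--subnet", help="Subnet in CIDR format to calculate broadcast IP for Netbios")
    # type=int rejects non-numeric values at parse time instead of failing later in int().
    parser.add_argument("-v", "--verbosity", type=int, help="Verbosity level (0-5)")
    parser.add_argument("-n", "--hostname", help="Hostname to scan for")
    parser.add_argument("-x", "--exclude", help="Protocols to exclude from scanning (e.g. 'llmnr,nbns')")
    parser.add_argument("-l", "--syslog-address", help="Syslog server address")
    parser.add_argument("--test-webhooks", action="store_true", help="Test configured webhooks")
    parser.add_argument("--state-file", help="Path to state file")
    args = parser.parse_args(remaining_argv)
    if int(args.verbosity) > 4:
        # Webhook URLs are bearer credentials for the chat services; keep
        # them out of the console even at debug verbosity.
        shown = {
            key: ("<redacted>" if key.endswith("_webhook") and value else value)
            for key, value in vars(args).items()
        }
        print(f"Final config: {shown}\n")
    return args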
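if __name__ == "__main__":
    print(respotter_ascii_logo)
    print("\nScanning for Responder...\n")
    options = parse_options()
    # Accept "llmnr, NBNS" as well as "llmnr,nbns"; an empty value means no exclusions.
    excluded_protocols = [
        protocol.strip().lower() for protocol in options.exclude.split(",") if protocol.strip()
    ]
    unknown = [protocol for protocol in excluded_protocols if protocol not in ("llmnr", "mdns", "nbns")]
    if unknown:
        print("[!] Error - exclusions must be a comma separated list of the following options: llmnr,mdns,nbns")
        # sys.exit rather than the site-provided exit() builtin, which may be absent.
        sys.exit(1)
    respotter = Respotter(discord_webhook=options.discord_webhook,
                          excluded_protocols=excluded_protocols,
                          hostname=options.hostname,
                          slack_webhook=options.slack_webhook,
                          state_file=options.state_file,
                          subnet=options.subnet,
                          syslog_address=options.syslog_address,
                          teams_webhook=options.teams_webhook,
                          test_webhooks=options.test_webhooks,
                          verbosity=int(options.verbosity)
                          )
    respotter.daemon()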