Initial support for LLMNR #339
Conversation
Anything I can do to help move this along?
@jayjb any luck in getting this included?
Hi @defensivedepth, @theidiotyouyellat, Sorry for the delay with this. We like the idea, we don't love the dependency on Scapy though (it's quite a heavy dependency for what we're using it for). I'm trying to figure a way we can craft those Queries without it. If not, I'll likely accept this for now while we improve it.
@jayjb Thanks for the feedback. The Scapy dep is not new - the SNMP module already requires it. What specifically is the concern?
hey @defensivedepth and @theidiotyouyellat, taking a look. hit you back shortly
Thanks @defensivedepth, the code looks great! Sorry about the delay here getting our feedback. We'd love to have this in. I've just left a request for a small change to how we handle the import and we should be good to go!
I resolved the change request, thanks!
awesome, thanks @defensivedepth! merged
Now it's merged ;)
Proposed changes
Adds support for Canary LLMNR. Uses Scapy to broadcast an LLMNR query for the canary hostname. If it receives an LLMNR response, it confirms that it was for the canary hostname and then logs the event. The following is configurable:
Sample log output, generated by using Responder to poison the LLMNR request:
{"dst_host": "0.0.0.0", "dst_port": 5355, "local_time": "2024-01-20 21:41:58.716469", "local_time_adjusted": "2024-01-20 21:41:58.716499", "logdata": {"query_hostname": "DC03", "response": "DNS Ans \"10.0.0.22\" "}, "logtype": 19001, "node_id": "opencanary-1", "src_host": "192.168.16.27", "src_port": 5355, "utc_time": "2024-01-20 21:41:58.716495"}
Discussion: #335
Types of changes
Checklist
I will add docs once it's confirmed that this PR will be accepted.
pre-commit in the repo)
Further comments
N/A
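The query-and-confirm flow from the PR description, written with only the Python standard library since the thread raises crafting the queries without Scapy. This is an added example, not code from the PR or the project; the function names, the transaction ID and the sample reply are constructed for illustration, and a caller would send the query to the LLMNR multicast address 224.0.0.252 on UDP port 5355 (RFC 4795).

```python
import socket
import struct

def encode_name(hostname):
    """Encode a hostname as length-prefixed DNS labels ending in a zero byte."""
    labels = [part.encode("ascii") for part in hostname.rstrip(".").split(".")]
    if any(not 0 < len(raw) < 64 for raw in labels):
        raise ValueError("each label must be 1-63 bytes")
    return b"".join(bytes([len(raw)]) + raw for raw in labels) + b"\x00"

def build_query(hostname, txid):
    """12-byte header (flags 0, QDCOUNT 1) followed by one A/IN question."""
    return struct.pack("!6H", txid, 0, 1, 0, 0, 0) + encode_name(hostname) + struct.pack("!2H", 1, 1)

def read_name(pkt, off):
    """Decode labels at off; return (name, offset just past the name)."""
    labels = []
    while True:
        n = pkt[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:  # compression pointer ends a name; not followed here
            return ".".join(labels), off + 2
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def parse_response(pkt, txid, canary):
    """Return the answered IPv4 addresses if pkt answers our canary query, else None."""
    try:
        rid, flags, qdcount, ancount = struct.unpack("!4H", pkt[:8])
        qname, off = read_name(pkt, 12)
        if rid != txid or not flags & 0x8000 or qdcount != 1 or qname.lower() != canary.lower():
            return None
        off += 4  # skip QTYPE and QCLASS
        addrs = []
        for _ in range(ancount):
            _, off = read_name(pkt, off)  # owner name, possibly a pointer to the question
            rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10
            if rtype == 1 and rdlen == 4:  # A record
                addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
            off += rdlen
        return addrs or None
    except (IndexError, struct.error, ValueError, OSError):
        return None  # truncated or malformed packet: not a usable reply

# Constructed sample: a reply claiming DC03 is at 10.0.0.22, as in the log line above
SAMPLE_REPLY = (struct.pack("!6H", 0x1234, 0x8000, 1, 1, 0, 0) + encode_name("DC03") + struct.pack("!2H", 1, 1)
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton("10.0.0.22"))
```

Any non-None result from `parse_response` for a hostname that does not exist on the network is the event worth logging, together with the UDP source address of the reply.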