From d294178b9c23165c3e3af825fea25cef5b1d363e Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Sat, 19 Sep 2015 10:09:34 -0400 Subject: [PATCH 01/33] New module responder Responder is an LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. The program itself can be viewed here: https://github.com/SpiderLabs/Responder I have created a module that can use this program and save the logs to sshfs or tmp. --- modules/responder | 114 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 114 insertions(+) create mode 100644 modules/responder diff --git a/modules/responder b/modules/responder new file mode 100644 index 0000000..af30907 --- /dev/null +++ b/modules/responder 
@@ -0,0 +1,114 @@ +#!/bin/bash /usr/lib/turtle/turtle_module +VERSION="1.0" +DESCRIPTION="Responder - LLMNR, NBT-NS and MDNS poisoner" +CONF=/tmp/responder.form +AUTHOR=IMcPwn + +: ${DIALOG_OK=0} +: ${DIALOG_CANCEL=1} +: ${DIALOG_HELP=2} +: ${DIALOG_EXTRA=3} +: ${DIALOG_ESC=255} + +function start { + if [ ! -s /usr/bin/git ]; then + opkg update && opkg install git + fi + + if [[ ! -d /etc/turtle/Responder || ! -s /etc/turtle/Responder/Responder.py ]]; then + rm -r /etc/turtle/Responder + git clone git://github.com/SpiderLabs/Responder /etc/turtle/Responder + fi + +if [ -s /etc/config/responder ]; + then + responder_log=$(uci get responder.log) + case $responder_log in + sshfs) + if pgrep sshfs > /dev/null; then + echo "SSHFS Running" + if [[ ! -L /etc/turtle/Responder/logs || ! -L /sshfs/Responder/logs ]]; then + rm -r /etc/turtle/Responder/logs + mkdir -p /sshfs/Responder/logs + ln -s /sshfs/Responder/logs /etc/turtle/Responder/logs + echo "python /etc/turtle/Responder/Responder.py -I br-lan" | at now + echo responder started and logs are being saved to /sshfs + fi + else + echo "SSHFS not running" + fi + ;; + tmp) + if [[ ! -L /etc/turtle/Responder/logs || ! -L /tmp/Responder/logs ]]; then + rm -r /etc/turtle/Responder/logs + mkdir -p /tmp/Responder/logs + ln -s /tmp/Responder/logs /etc/turtle/Responder/logs + echo "python /etc/turtle/Responder/Responder.py -I br-lan" | at now + echo responder started and logs are being saved to /tmp + fi + ;; + esac + else + echo "Responder not configured." 
+ fi +} + +function stop { + kill $(ps | grep -w [/]etc/turtle/Responder/Responder.py | awk {'print $1'}) +} + +function status { + if ps | grep -w -q [/]etc/turtle/Responder/Responder.py; then echo "1"; else echo "0"; fi +} + +function configure { + if [ -s /etc/config/responder ] + then + responder_log=$(uci get responder.log) + else + touch /etc/config/responder + fi + + dialog --ok-label "Submit" \ + --help-button \ + --title "Responder Configuration" \ + --radiolist "\n\ +Responder is an LLMNR, NBT-NS and MDNS poisoner.\n\nNOTICE: The first time you run this module it may take a long time to load. Please let it finish.\n\nThe log files can be saved to SSHFS or /tmp.\n" 16 60 3\ + 1 "Save log to SSHFS if available." off\ + 2 "Save log to /tmp/" off\ + 2>$CONF + + return=$? + + case $return in + $DIALOG_OK) + LOG=$(cat $CONF) + case $LOG in + 1) + uci set responder.log="sshfs" + uci commit responder + ;; + 2) + uci set responder.log="tmp" + uci commit responder + ;; + esac + ;; + $DIALOG_CANCEL) + rm $CONF + clear + exit;; + $DIALOG_HELP) + dialog --title "Help" \ + --msgbox "\ +Responder an LLMNR, NBT-NS and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409).\n\ +By default, the tool will only answer to File Server Service request, which is for SMB.\n\n\ +The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior.\n\n\ +For more information, see: https://github.com/SpiderLabs/Responder\n\ +" 20 60 + configure + ;; + $DIALOG_ESC) + clear;; + esac +} From bb113af0d96f1fcc9a79b704636e9a504792663f Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Sat, 19 Sep 2015 10:22:10 -0400 Subject: [PATCH 02/33] Add dependency installer and fix formatting --- modules/responder | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) 
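Review bot: The `git clone git://github.com/SpiderLabs/Responder /etc/turtle/Responder` line in `start` fetches code over the unauthenticated git:// transport and later runs it with `python`, so anything able to tamper with that connection decides what executes on the device. Cloning from `https://github.com/SpiderLabs/Responder` and then checking out a pinned revision (`git -C /etc/turtle/Responder checkout PINNED_COMMIT_PLACEHOLDER`) gives transport integrity and a reviewable version. The clone's exit status is also not checked, and `rm -r /etc/turtle/Responder` has already removed the previous copy, so a failed download still reaches the `at now` launch with nothing to run. Separately, `CONF=/tmp/responder.form` is a fixed, predictable name under /tmp that `configure` writes through `2>$CONF`; a `mktemp` path, quoted as `2>"$CONF"`, avoids writing through a pre-planted symlink.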
diff --git a/modules/responder b/modules/responder index af30907..784332a 100644 --- a/modules/responder +++ b/modules/responder @@ -14,6 +14,10 @@ function start { if [ ! -s /usr/bin/git ]; then opkg update && opkg install git fi + + if [ ! -s /usr/lib/python2.7/sqlite3/dbapi2.py ]; then + opkg update && opkg install python-sqlite3 + fi if [[ ! -d /etc/turtle/Responder || ! -s /etc/turtle/Responder/Responder.py ]]; then rm -r /etc/turtle/Responder @@ -28,11 +32,11 @@ if [ -s /etc/config/responder ]; if pgrep sshfs > /dev/null; then echo "SSHFS Running" if [[ ! -L /etc/turtle/Responder/logs || ! -L /sshfs/Responder/logs ]]; then - rm -r /etc/turtle/Responder/logs - mkdir -p /sshfs/Responder/logs - ln -s /sshfs/Responder/logs /etc/turtle/Responder/logs - echo "python /etc/turtle/Responder/Responder.py -I br-lan" | at now - echo responder started and logs are being saved to /sshfs + rm -r /etc/turtle/Responder/logs + mkdir -p /sshfs/Responder/logs + ln -s /sshfs/Responder/logs /etc/turtle/Responder/logs + echo "python /etc/turtle/Responder/Responder.py -I br-lan" | at now + echo responder started and logs are being saved to /sshfs fi else echo "SSHFS not running" @@ -40,11 +44,11 @@ if [ -s /etc/config/responder ]; ;; tmp) if [[ ! -L /etc/turtle/Responder/logs || ! -L /tmp/Responder/logs ]]; then - rm -r /etc/turtle/Responder/logs - mkdir -p /tmp/Responder/logs - ln -s /tmp/Responder/logs /etc/turtle/Responder/logs - echo "python /etc/turtle/Responder/Responder.py -I br-lan" | at now - echo responder started and logs are being saved to /tmp + rm -r /etc/turtle/Responder/logs + mkdir -p /tmp/Responder/logs + ln -s /tmp/Responder/logs /etc/turtle/Responder/logs + echo "python /etc/turtle/Responder/Responder.py -I br-lan" | at now + echo responder started and logs are being saved to /tmp fi ;; esac From 936873414c5d4d4aff979bbeea4c264fb845b896 Mon Sep 17 00:00:00 2001 
From: IMcPwn Date: Sat, 19 Sep 2015 10:44:26 -0400 Subject: [PATCH 03/33] Improve help menu --- modules/responder | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/modules/responder b/modules/responder index 784332a..ad1f5d2 100644 --- a/modules/responder +++ b/modules/responder @@ -77,7 +77,7 @@ function configure { --help-button \ --title "Responder Configuration" \ --radiolist "\n\ -Responder is an LLMNR, NBT-NS and MDNS poisoner.\n\nNOTICE: The first time you run this module it may take a long time to load. Please let it finish.\n\nThe log files can be saved to SSHFS or /tmp.\n" 16 60 3\ +For information on the different log files, see "Help"\n\nNOTICE: The first time you run this module it may take a long time to load because of dependencies. Please let it finish.\n\nThe log files can be saved to SSHFS or /tmp.\n" 16 60 3\ 1 "Save log to SSHFS if available." off\ 2 "Save log to /tmp/" off\ 2>$CONF 
@@ -105,11 +105,16 @@ Responder is an LLMNR, NBT-NS and MDNS poisoner.\n\nNOTICE: The first time you r $DIALOG_HELP) dialog --title "Help" \ --msgbox "\ -Responder an LLMNR, NBT-NS and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409).\n\ +Responder is an LLMNR, NBT-NS and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409).\n\ By default, the tool will only answer to File Server Service request, which is for SMB.\n\n\ The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior.\n\n\ +All activity will be logged to Responder-Session.log\n\ +Analyze mode will be logged to Analyze-Session.log\n\ +Poisoning will be logged to Poisoners-Session.log\n\n\ +All hashes are dumped an unique file John Jumbo compliant, using this format:\n\ +(MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt\n\n\ For more information, see: https://github.com/SpiderLabs/Responder\n\ -" 20 60 +" 25 60 configure ;; $DIALOG_ESC) From 157e2463896ac625660020673f1e6aff2c7bd25e Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Sat, 19 Sep 2015 10:52:31 -0400 Subject: [PATCH 04/33] Remove extra quotes --- modules/responder | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/responder b/modules/responder index ad1f5d2..f36547e 100644 --- a/modules/responder +++ b/modules/responder 
@@ -77,7 +77,7 @@ function configure { --help-button \ --title "Responder Configuration" \ --radiolist "\n\ -For information on the different log files, see "Help"\n\nNOTICE: The first time you run this module it may take a long time to load because of dependencies. Please let it finish.\n\nThe log files can be saved to SSHFS or /tmp.\n" 16 60 3\ +For information on the different log files, see Help\n\nNOTICE: The first time you run this module it may take a long time to load because of dependencies. Please let it finish.\n\nThe log files can be saved to SSHFS or /tmp.\n" 16 60 3\ 1 "Save log to SSHFS if available." off\ 2 "Save log to /tmp/" off\ 2>$CONF From 6e4e079af5665859f26befba7f2f157a80f19c9d Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Sat, 19 Sep 2015 10:54:12 -0400 Subject: [PATCH 05/33] Be more specific on log locations --- modules/responder | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/responder b/modules/responder index f36547e..76c2ff7 100644 --- a/modules/responder +++ b/modules/responder @@ -36,7 +36,7 @@ if [ -s /etc/config/responder ]; mkdir -p /sshfs/Responder/logs ln -s /sshfs/Responder/logs /etc/turtle/Responder/logs echo "python /etc/turtle/Responder/Responder.py -I br-lan" | at now - echo responder started and logs are being saved to /sshfs + echo responder started and logs are being saved to /sshfs/Responder/logs fi else echo "SSHFS not running" @@ -48,7 +48,7 @@ if [ -s /etc/config/responder ]; mkdir -p /tmp/Responder/logs ln -s /tmp/Responder/logs /etc/turtle/Responder/logs echo "python /etc/turtle/Responder/Responder.py -I br-lan" | at now - echo responder started and logs are being saved to /tmp + echo responder started and logs are being saved to /tmp/Responder/logs fi ;; esac From daeb20b6c617e082f84da96239fe2ec80248c856 Mon Sep 17 00:00:00 2001 
From: IMcPwn Date: Sat, 19 Sep 2015 12:48:48 -0400 Subject: [PATCH 06/33] Fix missing semicolon --- modules/responder | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/responder b/modules/responder index 76c2ff7..93d446f 100644 --- a/modules/responder +++ b/modules/responder @@ -66,7 +66,7 @@ function status { } function configure { - if [ -s /etc/config/responder ] + if [ -s /etc/config/responder ]; then responder_log=$(uci get responder.log) else From 4e052dd2a7ca61ba09e5797f6066be0be2942aa3 Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Sat, 19 Sep 2015 13:16:14 -0400 Subject: [PATCH 07/33] Remove unnecessary if/else --- modules/responder | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/modules/responder b/modules/responder index 93d446f..0ae9421 100644 --- a/modules/responder +++ b/modules/responder 
@@ -31,25 +31,21 @@ if [ -s /etc/config/responder ]; sshfs) if pgrep sshfs > /dev/null; then echo "SSHFS Running" - if [[ ! -L /etc/turtle/Responder/logs || ! -L /sshfs/Responder/logs ]]; then - rm -r /etc/turtle/Responder/logs - mkdir -p /sshfs/Responder/logs - ln -s /sshfs/Responder/logs /etc/turtle/Responder/logs - echo "python /etc/turtle/Responder/Responder.py -I br-lan" | at now - echo responder started and logs are being saved to /sshfs/Responder/logs - fi + rm -r /etc/turtle/Responder/logs + mkdir -p /sshfs/Responder/logs + ln -s /sshfs/Responder/logs /etc/turtle/Responder/logs + echo "python /etc/turtle/Responder/Responder.py -I br-lan" | at now + echo responder started and logs are being saved to /sshfs/Responder/logs else echo "SSHFS not running" fi ;; tmp) - if [[ ! -L /etc/turtle/Responder/logs || ! -L /tmp/Responder/logs ]]; then - rm -r /etc/turtle/Responder/logs - mkdir -p /tmp/Responder/logs - ln -s /tmp/Responder/logs /etc/turtle/Responder/logs - echo "python /etc/turtle/Responder/Responder.py -I br-lan" | at now - echo responder started and logs are being saved to /tmp/Responder/logs - fi + rm -r /etc/turtle/Responder/logs + mkdir -p /tmp/Responder/logs + ln -s /tmp/Responder/logs /etc/turtle/Responder/logs + echo "python /etc/turtle/Responder/Responder.py -I br-lan" | at now + echo responder started and logs are being saved to /tmp/Responder/logs ;; esac else From a715920e5a4369aebc213debab6c75b9b4792a6a Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Sat, 19 Sep 2015 18:21:56 -0400 Subject: [PATCH 08/33] Minor fixes and upgrades Remove Responder Database. Add check for previous logs. --- modules/responder | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/modules/responder b/modules/responder index 0ae9421..fd53a51 100644 --- a/modules/responder +++ b/modules/responder 
@@ -12,7 +12,7 @@ AUTHOR=IMcPwn function start { if [ ! -s /usr/bin/git ]; then - opkg update && opkg install git + opkg update && opkg install git fi if [ ! -s /usr/lib/python2.7/sqlite3/dbapi2.py ]; then @@ -30,10 +30,14 @@ if [ -s /etc/config/responder ]; case $responder_log in sshfs) if pgrep sshfs > /dev/null; then - echo "SSHFS Running" - rm -r /etc/turtle/Responder/logs - mkdir -p /sshfs/Responder/logs - ln -s /sshfs/Responder/logs /etc/turtle/Responder/logs + if [ -s /etc/turtle/Responder/Responder.db ]; then + rm -r /etc/turtle/Responder/Responder.db + fi + if [ $(readlink /etc/turtle/Responder/logs) != "/sshfs/Responder/logs" ]; then + rm -r /etc/turtle/Responder/logs + mkdir -p /sshfs/Responder/logs + ln -s /sshfs/Responder/logs /etc/turtle/Responder/logs + fi echo "python /etc/turtle/Responder/Responder.py -I br-lan" | at now echo responder started and logs are being saved to /sshfs/Responder/logs else @@ -41,11 +45,16 @@ if [ -s /etc/config/responder ]; fi ;; tmp) - rm -r /etc/turtle/Responder/logs - mkdir -p /tmp/Responder/logs - ln -s /tmp/Responder/logs /etc/turtle/Responder/logs - echo "python /etc/turtle/Responder/Responder.py -I br-lan" | at now - echo responder started and logs are being saved to /tmp/Responder/logs + if [ -s /etc/turtle/Responder/Responder.db ]; then + rm -r /etc/turtle/Responder/Responder.db + fi + if [ $(readlink /etc/turtle/Responder/logs) != "/tmp/Responder/logs" ]; then + rm -r /etc/turtle/Responder/logs + mkdir -p /tmp/Responder/logs + ln -s /tmp/Responder/logs /etc/turtle/Responder/logs + fi + echo "python /etc/turtle/Responder/Responder.py -I br-lan" | at now + echo responder started and logs are being saved to /tmp/Responder/logs ;; esac else From 0c8471f8aa3ba6e9f59d3b51436fbcda2ac2a867 Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Sat, 19 Sep 2015 18:23:50 -0400 Subject: [PATCH 09/33] Fix formatting of start --- modules/responder | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) 
diff --git a/modules/responder b/modules/responder index fd53a51..6ce74a5 100644 --- a/modules/responder +++ b/modules/responder @@ -31,13 +31,13 @@ if [ -s /etc/config/responder ]; sshfs) if pgrep sshfs > /dev/null; then if [ -s /etc/turtle/Responder/Responder.db ]; then - rm -r /etc/turtle/Responder/Responder.db - fi - if [ $(readlink /etc/turtle/Responder/logs) != "/sshfs/Responder/logs" ]; then + rm -r /etc/turtle/Responder/Responder.db + fi + if [ $(readlink /etc/turtle/Responder/logs) != "/sshfs/Responder/logs" ]; then rm -r /etc/turtle/Responder/logs mkdir -p /sshfs/Responder/logs - ln -s /sshfs/Responder/logs /etc/turtle/Responder/logs - fi + ln -s /sshfs/Responder/logs /etc/turtle/Responder/logs + fi echo "python /etc/turtle/Responder/Responder.py -I br-lan" | at now echo responder started and logs are being saved to /sshfs/Responder/logs else @@ -45,14 +45,14 @@ if [ -s /etc/config/responder ]; fi ;; tmp) - if [ -s /etc/turtle/Responder/Responder.db ]; then - rm -r /etc/turtle/Responder/Responder.db - fi - if [ $(readlink /etc/turtle/Responder/logs) != "/tmp/Responder/logs" ]; then + if [ -s /etc/turtle/Responder/Responder.db ]; then + rm -r /etc/turtle/Responder/Responder.db + fi + if [ $(readlink /etc/turtle/Responder/logs) != "/tmp/Responder/logs" ]; then rm -r /etc/turtle/Responder/logs mkdir -p /tmp/Responder/logs - ln -s /tmp/Responder/logs /etc/turtle/Responder/logs - fi + ln -s /tmp/Responder/logs /etc/turtle/Responder/logs + fi echo "python /etc/turtle/Responder/Responder.py -I br-lan" | at now echo responder started and logs are being saved to /tmp/Responder/logs ;; From 424065c57c68e74b9a059adb112a1fbf55c2fa19 Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Sat, 19 Sep 2015 18:28:24 -0400 Subject: [PATCH 10/33] Fix wrong use of equality operators --- modules/responder | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/responder b/modules/responder index 6ce74a5..9a4fddb 100644 --- a/modules/responder 
+++ b/modules/responder @@ -33,7 +33,7 @@ if [ -s /etc/config/responder ]; if [ -s /etc/turtle/Responder/Responder.db ]; then rm -r /etc/turtle/Responder/Responder.db fi - if [ $(readlink /etc/turtle/Responder/logs) != "/sshfs/Responder/logs" ]; then + if [ $(readlink /etc/turtle/Responder/logs) ! == "/sshfs/Responder/logs" ]; then rm -r /etc/turtle/Responder/logs mkdir -p /sshfs/Responder/logs ln -s /sshfs/Responder/logs /etc/turtle/Responder/logs @@ -48,7 +48,7 @@ if [ -s /etc/config/responder ]; if [ -s /etc/turtle/Responder/Responder.db ]; then rm -r /etc/turtle/Responder/Responder.db fi - if [ $(readlink /etc/turtle/Responder/logs) != "/tmp/Responder/logs" ]; then + if [ $(readlink /etc/turtle/Responder/logs) ! == "/tmp/Responder/logs" ]; then rm -r /etc/turtle/Responder/logs mkdir -p /tmp/Responder/logs ln -s /tmp/Responder/logs /etc/turtle/Responder/logs From 9b7a442a72aba17b9b6b09e5bc888ac736ac06dc Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Sat, 19 Sep 2015 18:39:23 -0400 Subject: [PATCH 11/33] Minor fix --- modules/responder | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/responder b/modules/responder index 9a4fddb..6ce74a5 100644 --- a/modules/responder +++ b/modules/responder @@ -33,7 +33,7 @@ if [ -s /etc/config/responder ]; if [ -s /etc/turtle/Responder/Responder.db ]; then rm -r /etc/turtle/Responder/Responder.db fi - if [ $(readlink /etc/turtle/Responder/logs) ! == "/sshfs/Responder/logs" ]; then + if [ $(readlink /etc/turtle/Responder/logs) != "/sshfs/Responder/logs" ]; then rm -r /etc/turtle/Responder/logs mkdir -p /sshfs/Responder/logs ln -s /sshfs/Responder/logs /etc/turtle/Responder/logs 
@@ -48,7 +48,7 @@ if [ -s /etc/config/responder ]; if [ -s /etc/turtle/Responder/Responder.db ]; then rm -r /etc/turtle/Responder/Responder.db fi - if [ $(readlink /etc/turtle/Responder/logs) ! == "/tmp/Responder/logs" ]; then + if [ $(readlink /etc/turtle/Responder/logs) != "/tmp/Responder/logs" ]; then rm -r /etc/turtle/Responder/logs mkdir -p /tmp/Responder/logs ln -s /tmp/Responder/logs /etc/turtle/Responder/logs From 83d71d279d32176a07219675354d67617eb39ce1 Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Sat, 19 Sep 2015 18:45:33 -0400 Subject: [PATCH 12/33] Fix comparing log symlinks --- modules/responder | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/responder b/modules/responder index 6ce74a5..5a3fdc3 100644 --- a/modules/responder +++ b/modules/responder @@ -33,7 +33,7 @@ if [ -s /etc/config/responder ]; if [ -s /etc/turtle/Responder/Responder.db ]; then rm -r /etc/turtle/Responder/Responder.db fi - if [ $(readlink /etc/turtle/Responder/logs) != "/sshfs/Responder/logs" ]; then + if [[ $(readlink /etc/turtle/Responder/logs) != "/sshfs/Responder/logs" ]]; then rm -r /etc/turtle/Responder/logs mkdir -p /sshfs/Responder/logs ln -s /sshfs/Responder/logs /etc/turtle/Responder/logs @@ -48,7 +48,7 @@ if [ -s /etc/config/responder ]; if [ -s /etc/turtle/Responder/Responder.db ]; then rm -r /etc/turtle/Responder/Responder.db fi - if [ $(readlink /etc/turtle/Responder/logs) != "/tmp/Responder/logs" ]; then + if [[ $(readlink /etc/turtle/Responder/logs) != "/tmp/Responder/logs" ]]; then rm -r /etc/turtle/Responder/logs mkdir -p /tmp/Responder/logs ln -s /tmp/Responder/logs /etc/turtle/Responder/logs From 75284201f3f6d333deb07827d94417599fff2080 Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Sat, 19 Sep 2015 19:03:29 -0400 Subject: [PATCH 13/33] Add quotes around start message --- modules/responder | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/responder b/modules/responder index 5a3fdc3..11f2e18 100644 
--- a/modules/responder +++ b/modules/responder @@ -39,7 +39,7 @@ if [ -s /etc/config/responder ]; ln -s /sshfs/Responder/logs /etc/turtle/Responder/logs fi echo "python /etc/turtle/Responder/Responder.py -I br-lan" | at now - echo responder started and logs are being saved to /sshfs/Responder/logs + echo "Responder started and logs are being saved to /sshfs/Responder/logs" else echo "SSHFS not running" fi @@ -54,7 +54,7 @@ if [ -s /etc/config/responder ]; ln -s /tmp/Responder/logs /etc/turtle/Responder/logs fi echo "python /etc/turtle/Responder/Responder.py -I br-lan" | at now - echo responder started and logs are being saved to /tmp/Responder/logs + echo "Responder started and logs are being saved to /tmp/Responder/logs" ;; esac else From 20717783bac2bdc8e98d4778c76e217335a7dbae Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Sat, 26 Sep 2015 20:26:51 -0400 Subject: [PATCH 14/33] More specific log change check --- modules/responder | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/responder b/modules/responder index 11f2e18..9b8d03e 100644 --- a/modules/responder +++ b/modules/responder @@ -33,7 +33,7 @@ if [ -s /etc/config/responder ]; if [ -s /etc/turtle/Responder/Responder.db ]; then rm -r /etc/turtle/Responder/Responder.db fi - if [[ $(readlink /etc/turtle/Responder/logs) != "/sshfs/Responder/logs" ]]; then + if [[ $(readlink /etc/turtle/Responder/logs) != "/sshfs/Responder/logs" || ! -d /sshfs/Responder/logs ]]; then rm -r /etc/turtle/Responder/logs mkdir -p /sshfs/Responder/logs ln -s /sshfs/Responder/logs /etc/turtle/Responder/logs 
@@ -48,7 +48,7 @@ if [ -s /etc/config/responder ]; if [ -s /etc/turtle/Responder/Responder.db ]; then rm -r /etc/turtle/Responder/Responder.db fi - if [[ $(readlink /etc/turtle/Responder/logs) != "/tmp/Responder/logs" ]]; then + if [[ $(readlink /etc/turtle/Responder/logs) != "/tmp/Responder/logs" || ! -d /tmp/Responder/logs ]]; then rm -r /etc/turtle/Responder/logs mkdir -p /tmp/Responder/logs ln -s /tmp/Responder/logs /etc/turtle/Responder/logs From 4b2ceea9f3e0bb996cf14b867cff0609d2102ce1 Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Sat, 26 Sep 2015 21:04:14 -0400 Subject: [PATCH 15/33] Improve dependency installer check --- modules/responder | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/responder b/modules/responder index 9b8d03e..689b129 100644 --- a/modules/responder +++ b/modules/responder @@ -11,11 +11,11 @@ AUTHOR=IMcPwn : ${DIALOG_ESC=255} function start { - if [ ! -s /usr/bin/git ]; then + if [[ ! $(opkg list-installed | grep git) ]]; then opkg update && opkg install git fi - if [ ! -s /usr/lib/python2.7/sqlite3/dbapi2.py ]; then + if [[ ! $(opkg list-installed | grep python-sqlite3) ]]; then opkg update && opkg install python-sqlite3 fi From cb2ad0bf63f70c6619cc985343be165d0122f6e6 Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Sat, 26 Sep 2015 21:46:31 -0400 Subject: [PATCH 16/33] Minor updates --- modules/responder | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/modules/responder b/modules/responder index 689b129..b6b4f54 100644 --- a/modules/responder +++ b/modules/responder 
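Review bot: The new dependency test `[[ ! $(opkg list-installed | grep git) ]]` in `start` matches any installed package whose name or version string merely contains `git`, so git itself can be missing while the check treats it as present; the `python-sqlite3` test has the same substring problem. Anchoring on the package name and using grep's status directly, e.g. `if ! opkg list-installed | grep -q '^git '; then`, avoids the false positive. The result of `opkg update && opkg install git` is still not checked, so a failed install falls through to the clone and launch steps; appending `|| { echo "git install failed" >&2; exit 1; }` would stop there. `start` continues outside this hunk.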
@@ -11,21 +11,21 @@ AUTHOR=IMcPwn : ${DIALOG_ESC=255} function start { - if [[ ! $(opkg list-installed | grep git) ]]; then - opkg update && opkg install git - fi - - if [[ ! $(opkg list-installed | grep python-sqlite3) ]]; then - opkg update && opkg install python-sqlite3 - fi - - if [[ ! -d /etc/turtle/Responder || ! -s /etc/turtle/Responder/Responder.py ]]; then - rm -r /etc/turtle/Responder - git clone git://github.com/SpiderLabs/Responder /etc/turtle/Responder - fi - -if [ -s /etc/config/responder ]; + if [ -s /etc/config/responder ]; then + if [[ ! $(opkg list-installed | grep git) ]]; then + opkg update && opkg install git + fi + + if [[ ! $(opkg list-installed | grep python-sqlite3) ]]; then + opkg update && opkg install python-sqlite3 + fi + + if [[ ! -d /etc/turtle/Responder || ! -s /etc/turtle/Responder/Responder.py ]]; then + rm -r /etc/turtle/Responder + git clone git://github.com/SpiderLabs/Responder /etc/turtle/Responder + fi + responder_log=$(uci get responder.log) case $responder_log in sshfs) @@ -82,7 +82,7 @@ function configure { --help-button \ --title "Responder Configuration" \ --radiolist "\n\ -For information on the different log files, see Help\n\nNOTICE: The first time you run this module it may take a long time to load because of dependencies. Please let it finish.\n\nThe log files can be saved to SSHFS or /tmp.\n" 16 60 3\ +Responder will listen on a variety of ports to gather credentials. See Help for more information.\n\nNote: the first time you run this module it may take a long time to load because of dependencies.\n\nThe log files can be saved to SSHFS or tmp.\n" 16 60 3\ 1 "Save log to SSHFS if available." off\ 2 "Save log to /tmp/" off\ 2>$CONF 
@@ -118,7 +118,7 @@ Analyze mode will be logged to Analyze-Session.log\n\ Poisoning will be logged to Poisoners-Session.log\n\n\ All hashes are dumped an unique file John Jumbo compliant, using this format:\n\ (MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt\n\n\ -For more information, see: https://github.com/SpiderLabs/Responder\n\ +For even more information, see: https://github.com/SpiderLabs/Responder\n\ " 25 60 configure ;; From e6bf7791a9c0fefb2e9f87de1e9960e991b9cb92 Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Sun, 27 Sep 2015 18:03:14 -0400 Subject: [PATCH 17/33] Responder V2 Add support for targeting the LAN interface. Add different Responder modes. Add menu for editing Responder.conf --- modules/responder | 393 ++++++++++++++++++++++++++++++++++++---------- 1 file changed, 310 insertions(+), 83 deletions(-) diff --git a/modules/responder b/modules/responder index b6b4f54..5f14fb5 100644 --- a/modules/responder +++ b/modules/responder @@ -1,5 +1,5 @@ #!/bin/bash /usr/lib/turtle/turtle_module -VERSION="1.0" +VERSION="2.0" DESCRIPTION="Responder - LLMNR, NBT-NS and MDNS poisoner" CONF=/tmp/responder.form AUTHOR=IMcPwn 
@@ -11,84 +11,183 @@ AUTHOR=IMcPwn : ${DIALOG_ESC=255} function start { - if [ -s /etc/config/responder ]; - then - if [[ ! $(opkg list-installed | grep git) ]]; then - opkg update && opkg install git - fi - - if [[ ! $(opkg list-installed | grep python-sqlite3) ]]; then - opkg update && opkg install python-sqlite3 - fi - - if [[ ! -d /etc/turtle/Responder || ! -s /etc/turtle/Responder/Responder.py ]]; then - rm -r /etc/turtle/Responder - git clone git://github.com/SpiderLabs/Responder /etc/turtle/Responder - fi - - responder_log=$(uci get responder.log) - case $responder_log in - sshfs) - if pgrep sshfs > /dev/null; then - if [ -s /etc/turtle/Responder/Responder.db ]; then - rm -r /etc/turtle/Responder/Responder.db - fi - if [[ $(readlink /etc/turtle/Responder/logs) != "/sshfs/Responder/logs" || ! -d /sshfs/Responder/logs ]]; then - rm -r /etc/turtle/Responder/logs - mkdir -p /sshfs/Responder/logs - ln -s /sshfs/Responder/logs /etc/turtle/Responder/logs - fi - echo "python /etc/turtle/Responder/Responder.py -I br-lan" | at now - echo "Responder started and logs are being saved to /sshfs/Responder/logs" - else - echo "SSHFS not running" - fi - ;; - tmp) - if [ -s /etc/turtle/Responder/Responder.db ]; then - rm -r /etc/turtle/Responder/Responder.db - fi - if [[ $(readlink /etc/turtle/Responder/logs) != "/tmp/Responder/logs" || ! -d /tmp/Responder/logs ]]; then - rm -r /etc/turtle/Responder/logs - mkdir -p /tmp/Responder/logs - ln -s /tmp/Responder/logs /etc/turtle/Responder/logs - fi - echo "python /etc/turtle/Responder/Responder.py -I br-lan" | at now - echo "Responder started and logs are being saved to /tmp/Responder/logs" - ;; - esac - else - echo "Responder not configured." - fi + if [ -s /etc/config/responder ]; + then + responder_interface=$(uci get responder.interface) + responder_log=$(uci get responder.log) + responder_mode=$(uci get responder.mode) + + if [[ $responder_interface == "" ]]; + then + echo "Responder interface not configured." 
+ exit 1 + fi + + if [[ $responder_log == "" ]]; + then + echo "Responder log location not configured." + exit 1 + fi + + if [[ $responder_mode == "" ]]; + then + echo "Responder mode not configured." + exit 1 + fi + + if [[ ! $(opkg list-installed | grep git) ]]; + then + echo "Git not installed. Installing..." + opkg update && opkg install git + fi + + if [[ ! $(opkg list-installed | grep python-sqlite3) ]]; + then + echo "Python-sqlite3 not installed. Installing..." + opkg update && opkg install python-sqlite3 + fi + + if [[ ! -d /etc/turtle/Responder || ! -s /etc/turtle/Responder/Responder.py || ! -s /etc/turtle/Responder/Responder.conf ]]; + then + rm -r /etc/turtle/Responder + echo "Responder not downloaded. Downloading..." + git clone git://github.com/SpiderLabs/Responder /etc/turtle/Responder + fi + + case $responder_mode in + 1) mode="";; + 2) mode="-A";; + 3) mode="-w";; + 4) mode="-r";; + 5) mode="-F";; + 6) mode="-f";; + 7) mode="-v";; + 8) mode="-r -F";; + 9) mode="-r -F -f";; + esac + + case $responder_log in + sshfs) + if pgrep sshfs > /dev/null; + then + if [[ $responder_interface == "eth1" ]]; + then + iptables -t filter -I INPUT 1 -i eth1 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p udp --dport 53 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p udp --dport 137 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p udp --dport 138 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p udp --dport 389 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p udp --dport 5553 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 21 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 25 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 80 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 110 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 139 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 389 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 445 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 1433 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 3141 
-j ACCEPT + fi + + if [ -s /etc/turtle/Responder/Responder.db ]; + then + rm -r /etc/turtle/Responder/Responder.db + fi + + if [[ $(readlink /etc/turtle/Responder/logs) != "/sshfs/Responder/logs" || ! -d /sshfs/Responder/logs ]]; + then + rm -r /etc/turtle/Responder/logs + mkdir -p /sshfs/Responder/logs + ln -s /sshfs/Responder/logs /etc/turtle/Responder/logs + fi + + echo "python /etc/turtle/Responder/Responder.py $mode -I $responder_interface" | at now + echo "Responder started and logs are being saved to /sshfs/Responder" + else + echo "SSHFS not running" + fi + ;; + tmp) + if [[ $responder_interface == "eth1" ]]; + then + iptables -t filter -I INPUT 1 -i eth1 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p udp --dport 53 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p udp --dport 137 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p udp --dport 138 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p udp --dport 389 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p udp --dport 5553 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 21 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 25 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 80 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 110 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 139 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 389 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 445 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 1433 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 3141 -j ACCEPT + fi + + if [ -s /etc/turtle/Responder/Responder.db ]; + then + rm -r /etc/turtle/Responder/Responder.db + fi + + if [[ $(readlink /etc/turtle/Responder/logs) != "/tmp/Responder/logs" || ! 
-d /tmp/Responder/logs ]]; then + rm -r /etc/turtle/Responder/logs + mkdir -p /tmp/Responder/logs + ln -s /tmp/Responder/logs /etc/turtle/Responder/logs + fi + + echo "python /etc/turtle/Responder/Responder.py $mode -I $responder_interface" | at now + echo "Responder started and logs are being saved to /tmp/Responder" + ;; + esac + else + echo "Responder not configured." + exit 1 +fi } function stop { - kill $(ps | grep -w [/]etc/turtle/Responder/Responder.py | awk {'print $1'}) + responder_interface=$(uci get responder.interface) + if [[ $responder_interface == "eth1" ]]; + then + #iptables -t filter -I INPUT 1 -i eth1 -j ACCEPT + iptables -t filter -D INPUT -i eth1 -j ACCEPT + iptables -D INPUT -i eth1 -p udp --dport 53 -j ACCEPT + iptables -D INPUT -i eth1 -p udp --dport 137 -j ACCEPT + iptables -D INPUT -i eth1 -p udp --dport 138 -j ACCEPT + iptables -D INPUT -i eth1 -p udp --dport 389 -j ACCEPT + iptables -D INPUT -i eth1 -p udp --dport 5553 -j ACCEPT + iptables -D INPUT -i eth1 -p tcp --dport 21 -j ACCEPT + iptables -D INPUT -i eth1 -p tcp --dport 25 -j ACCEPT + iptables -D INPUT -i eth1 -p tcp --dport 80 -j ACCEPT + iptables -D INPUT -i eth1 -p tcp --dport 110 -j ACCEPT + iptables -D INPUT -i eth1 -p tcp --dport 139 -j ACCEPT + iptables -D INPUT -i eth1 -p tcp --dport 389 -j ACCEPT + iptables -D INPUT -i eth1 -p tcp --dport 445 -j ACCEPT + iptables -D INPUT -i eth1 -p tcp --dport 1433 -j ACCEPT + iptables -D INPUT -i eth1 -p tcp --dport 3141 -j ACCEPT + fi + + kill $(ps | grep -w [/]etc/turtle/Responder/Responder.py | awk {'print $1'}) } function status { - if ps | grep -w -q [/]etc/turtle/Responder/Responder.py; then echo "1"; else echo "0"; fi + if ps | grep -w -q [/]etc/turtle/Responder/Responder.py; then echo "1"; else echo "0"; fi } -function configure { - if [ -s /etc/config/responder ]; - then - responder_log=$(uci get responder.log) - else - touch /etc/config/responder - fi - dialog --ok-label "Submit" \ - --help-button \ - --title "Responder 
Configuration" \ +function log { +dialog --ok-label "Submit" \ + --title "Responder Log Configuration" \ + --help-button \ --radiolist "\n\ -Responder will listen on a variety of ports to gather credentials. See Help for more information.\n\nNote: the first time you run this module it may take a long time to load because of dependencies.\n\nThe log files can be saved to SSHFS or tmp.\n" 16 60 3\ +The log files can be saved to SSHFS or tmp.\n" 16 60 3\ 1 "Save log to SSHFS if available." off\ - 2 "Save log to /tmp/" off\ + 2 "Save log to /tmp" off\ 2>$CONF - return=$? - case $return in $DIALOG_OK) LOG=$(cat $CONF) 
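Review bot: The first rule added for eth1 in `start`, `iptables -t filter -I INPUT 1 -i eth1 -j ACCEPT`, accepts all inbound traffic on that interface, which makes the fourteen per-port rules after it redundant and exposes every listening service on the device, not only the listed ports, to the LAN. If the per-port list is the intent, drop the blanket rule in both the `sshfs` and `tmp` branches and its matching `-D` line in `stop`. The rules are also inserted on every `start` without checking whether they already exist, while `stop` deletes one copy of each and only when `responder.interface` still reads `eth1`, so a second start or a config change in between leaves ACCEPT rules behind; guarding each insert with `iptables -C INPUT -i eth1 -p tcp --dport 445 -j ACCEPT 2>/dev/null || iptables -I INPUT 1 -i eth1 -p tcp --dport 445 -j ACCEPT` (and likewise per port) and removing the rules unconditionally in `stop` keeps the firewall state recoverable. The rule list is duplicated verbatim in the two branches and would be easier to audit as a single helper function called from both. The `log` function that starts at the end of this hunk continues in the next hunk.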
@@ -101,28 +200,156 @@ Responder will listen on a variety of ports to gather credentials. See Help for uci set responder.log="tmp" uci commit responder ;; - esac + esac + configure ;; - $DIALOG_CANCEL) - rm $CONF - clear - exit;; - $DIALOG_HELP) - dialog --title "Help" \ - --msgbox "\ -Responder is an LLMNR, NBT-NS and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409).\n\ -By default, the tool will only answer to File Server Service request, which is for SMB.\n\n\ -The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior.\n\n\ + $DIALOG_CANCEL) + configure;; + $DIALOG_ESC) + configure;; + $DIALOG_HELP) + dialog --title "Help" --msgbox "\n\ All activity will be logged to Responder-Session.log\n\ Analyze mode will be logged to Analyze-Session.log\n\ Poisoning will be logged to Poisoners-Session.log\n\n\ All hashes are dumped an unique file John Jumbo compliant, using this format:\n\ (MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt\n\n\ -For even more information, see: https://github.com/SpiderLabs/Responder\n\ -" 25 60 - configure - ;; - $DIALOG_ESC) - clear;; +" 18 72 +configure esac } + +function interface { +dialog --ok-label "Submit" \ + --title "Responder Interface Configuration" \ + --radiolist "\n\ +Responder can target the Host machine (The computer the LAN Turtle is plugged in to) or the LAN (The network the LAN Turtle is connected to).\n" 16 60 3\ + 1 "Target just the Host machine (br-lan)." off\ + 2 "Target the entire LAN (eth1)." off\ + 2>$CONF + return=$? 
+ case $return in + $DIALOG_OK) + INTERFACE=$(cat $CONF) + case $INTERFACE in + 1) + uci set responder.interface="br-lan" + uci commit responder + ;; + 2) + uci set responder.interface="eth1" + uci commit responder + ;; + esac + configure + ;; + $DIALOG_CANCEL) + configure;; + $DIALOG_ESC) + configure;; + esac +} + +function mode { + dialog --ok-label "Submit" \ + --title "Responder Mode" \ + --help-button \ + --radiolist "Choose mode\n \n" 20 60 10\ + 1 "Default mode" on\ + 2 "Analyze mode" off\ + 3 "Start WPAD rouge proxy server" off\ + 4 "Enable answers for netbios suffix queries" off\ + 5 "Force NTLM/Basic Authentication" off\ + 6 "Fingerprint hosts" off\ + 7 "Enable verbose" off\ + 8 "Options 4 and 5" off\ + 9 "Options 4, 5, and 6" off\ + 2>$CONF + return=$? + case $return in + $DIALOG_OK) + mode=$(cat $CONF) + case $mode in + 1) + uci set responder.mode="1" + uci commit responder;; + 2) + uci set responder.mode="2" + uci commit responder;; + 3) + uci set responder.mode="3" + uci commit responder;; + 4) + uci set responder.mode="4" + uci commit responder;; + 5) + uci set responder.mode="5" + uci commit responder;; + 6) + uci set responder.mode="6" + uci commit responder;; + 7) + uci set responder.mode="7" + uci commit responder;; + 8) + uci set responder.mode="8" + uci commit responder;; + 8) + uci set responder.mode="9" + uci commit responder;; + esac + configure + ;; + $DIALOG_CANCEL) + configure;; + $DIALOG_ESC) + configure;; + $DIALOG_HELP) + dialog --title "Help" --msgbox "\n\ +Responder is an LLMNR, NBT-NS and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409).\n\ +By default, the tool will only answer to File Server Service request, which is for SMB.\n\n\ +The concept behind this is to target our answers, and be stealthier on the network. 
This also helps to ensure that we don't break legitimate NBT-NS behavior.\n\n\ +For more information, see: https://github.com/SpiderLabs/Responder\n\ +" 18 72 +configure + esac +} + +function responderconf { +dialog \ + --title "Editing: /etc/turtle/Responder/Responder.conf" \ + --editbox /etc/turtle/Responder/Responder.conf 18 72\ + --help-button \ + 2>$CONF + return=$? + case $return in + $DIALOG_OK) + cat $CONF | { + cat $CONF > /etc/turtle/Responder/Responder.conf + rm $CONF + };; + esac + configure +} + +function configure { + if [[ ! -s /etc/config/responder ]]; + then + touch /etc/config/responder + fi + + dialog --title "" --menu "" 15 60 5 \ + "log" "Specify log location" \ + "interface" "Specify interface to target" \ + "mode" "Specify Responder mode" \ + "responderconf" "Edit Responder.conf" \ + "back" "Return to previous menu" 2> $CONF + result=$(cat $CONF && rm $CONF &>/dev/null) + case $result in + "log") log;; + "interface") interface;; + "mode") mode;; + "responderconf") responderconf;; + "back") exit;; +esac +} From 0781049db5b2c736a8c2fdeac30e7978a0d5df6f Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Sun, 27 Sep 2015 20:19:12 -0400 Subject: [PATCH 18/33] Improve formatting --- modules/responder | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/responder b/modules/responder index 5f14fb5..0a3580f 100644 --- a/modules/responder +++ b/modules/responder @@ -215,7 +215,7 @@ Poisoning will be logged to Poisoners-Session.log\n\n\ All hashes are dumped an unique file John Jumbo compliant, using this format:\n\ (MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt\n\n\ " 18 72 -configure +log esac } 
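Review bot: Every dialog in the `@@ -101,28 +200,156 @@` hunk writes its answer with `2>$CONF`, and `responderconf` then copies that file over `/etc/turtle/Responder/Responder.conf`, so one fixed, unquoted path under /tmp feeds both `uci set` and the tool's configuration. `CONF` is assigned at the top of the module, outside this hunk, as `/tmp/responder.form`; creating it with `CONF=$(mktemp /tmp/responder.XXXXXX)` and quoting every use would keep another process on the device from pre-creating or swapping the file. In `responderconf` the outer `cat $CONF |` feeds a brace group that never reads its stdin, so `cat "$CONF" > /etc/turtle/Responder/Responder.conf && rm -f "$CONF"` does the same work without the pipe.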
@@ -311,7 +311,7 @@ By default, the tool will only answer to File Server Service request, which is f The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior.\n\n\ For more information, see: https://github.com/SpiderLabs/Responder\n\ " 18 72 -configure +log esac } @@ -339,11 +339,11 @@ function configure { fi dialog --title "" --menu "" 15 60 5 \ - "log" "Specify log location" \ - "interface" "Specify interface to target" \ - "mode" "Specify Responder mode" \ + "log" "Specify log location" \ + "interface" "Specify interface to target" \ + "mode" "Specify Responder mode" \ "responderconf" "Edit Responder.conf" \ - "back" "Return to previous menu" 2> $CONF + "back" "Return to previous menu" 2> $CONF result=$(cat $CONF && rm $CONF &>/dev/null) case $result in "log") log;; From fdc22f04c8c1b61483155ee9b7ab0b88133b069d Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Mon, 28 Sep 2015 17:21:46 -0400 Subject: [PATCH 19/33] Fix typo --- modules/responder | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/responder b/modules/responder index 0a3580f..4c22cfd 100644 --- a/modules/responder +++ b/modules/responder @@ -294,7 +294,7 @@ function mode { 8) uci set responder.mode="8" uci commit responder;; - 8) + 9) uci set responder.mode="9" uci commit responder;; esac From 66b03bb074996149ff510d534cef6ce08bd09202 Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Mon, 28 Sep 2015 17:30:05 -0400 Subject: [PATCH 20/33] Formatting fix --- modules/responder | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/modules/responder b/modules/responder index 4c22cfd..bc2efd7 100644 --- a/modules/responder +++ b/modules/responder 
@@ -192,11 +192,11 @@ The log files can be saved to SSHFS or tmp.\n" 16 60 3\ $DIALOG_OK) LOG=$(cat $CONF) case $LOG in - 1) + 1) uci set responder.log="sshfs" uci commit responder ;; - 2) + 2) uci set responder.log="tmp" uci commit responder ;; @@ -232,11 +232,11 @@ Responder can target the Host machine (The computer the LAN Turtle is plugged in $DIALOG_OK) INTERFACE=$(cat $CONF) case $INTERFACE in - 1) + 1) uci set responder.interface="br-lan" uci commit responder ;; - 2) + 2) uci set responder.interface="eth1" uci commit responder ;; @@ -255,7 +255,7 @@ function mode { --title "Responder Mode" \ --help-button \ --radiolist "Choose mode\n \n" 20 60 10\ - 1 "Default mode" on\ + 1 "Default mode" on\ 2 "Analyze mode" off\ 3 "Start WPAD rouge proxy server" off\ 4 "Enable answers for netbios suffix queries" off\ @@ -270,28 +270,28 @@ function mode { $DIALOG_OK) mode=$(cat $CONF) case $mode in - 1) + 1) uci set responder.mode="1" uci commit responder;; - 2) + 2) uci set responder.mode="2" uci commit responder;; - 3) + 3) uci set responder.mode="3" uci commit responder;; - 4) + 4) uci set responder.mode="4" uci commit responder;; - 5) + 5) uci set responder.mode="5" uci commit responder;; - 6) + 6) uci set responder.mode="6" uci commit responder;; - 7) + 7) uci set responder.mode="7" uci commit responder;; - 8) + 8) uci set responder.mode="8" uci commit responder;; 9) @@ -333,10 +333,10 @@ dialog \ } function configure { - if [[ ! -s /etc/config/responder ]]; - then - touch /etc/config/responder - fi +if [[ ! -s /etc/config/responder ]]; +then + touch /etc/config/responder +fi dialog --title "" --menu "" 15 60 5 \ "log" "Specify log location" \ From ed5a49100cc1fd5d5f6761061394d117e307a049 Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Wed, 30 Sep 2015 17:15:33 -0400 Subject: [PATCH 21/33] Return to correct page after help --- modules/responder | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/responder b/modules/responder index bc2efd7..c32fcd3 100644 --- a/modules/responder +++ b/modules/responder @@ -311,7 +311,7 @@ By default, the tool will only answer to File Server Service request, which is f The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior.\n\n\ For more information, see: https://github.com/SpiderLabs/Responder\n\ " 18 72 -log +mode esac } From 7d4be6e25f874b8145d648db5d0b0d81a1bf4780 Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Wed, 30 Sep 2015 17:33:46 -0400 Subject: [PATCH 22/33] Fix Responderconf function --- modules/responder | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/modules/responder b/modules/responder index c32fcd3..a55f931 100644 --- a/modules/responder +++ b/modules/responder @@ -203,7 +203,7 @@ The log files can be saved to SSHFS or tmp.\n" 16 60 3\ esac configure ;; - $DIALOG_CANCEL) + $DIALOG_CANCEL) configure;; $DIALOG_ESC) configure;; @@ -243,7 +243,7 @@ Responder can target the Host machine (The computer the LAN Turtle is plugged in esac configure ;; - $DIALOG_CANCEL) + $DIALOG_CANCEL) configure;; $DIALOG_ESC) configure;; @@ -317,9 +317,9 @@ mode function responderconf { dialog \ + --help-button \ --title "Editing: /etc/turtle/Responder/Responder.conf" \ --editbox /etc/turtle/Responder/Responder.conf 18 72\ - --help-button \ 2>$CONF return=$? case $return in @@ -327,9 +327,22 @@ dialog \ cat $CONF | { cat $CONF > /etc/turtle/Responder/Responder.conf rm $CONF + configure };; - esac - configure + $DIALOG_HELP) + dialog --title "Help" \ + --msgbox "For information on this configuration, see: https://github.com/SpiderLabs/Responder" 20 60 + responderconf + ;; + $DIALOG_CANCEL) + rm $CONF + configure + ;; + $DIALOG_ESC) + rm $CONF + configure + ;; + esac } function configure { From a3cf7d9566d3bc06e6a670f5c773181f52c585a5 Mon Sep 17 00:00:00 2001 
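Review bot: In the `$DIALOG_OK` arm of `responderconf` (hunk `@@ -327,9 +327,22 @@`), `configure` is now called inside the `cat $CONF | { … }` group, which bash runs as a pipeline subshell unless `lastpipe` is in effect. The whole menu then runs with the pipe as its stdin, and the `exit` behind the "back" entry only leaves that subshell rather than ending the module. The brace group never reads the pipe, so the arm can be three plain statements: `cat "$CONF" > /etc/turtle/Responder/Responder.conf`, `rm -f "$CONF"`, `configure`. The Cancel and ESC arms are identical and could share one pattern, `$DIALOG_CANCEL|$DIALOG_ESC)`.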
From: IMcPwn Date: Sat, 3 Oct 2015 12:50:08 -0400 Subject: [PATCH 23/33] Responder V2.2 Add tailing of log option Add fix if responder configuration is invalid --- modules/responder | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/modules/responder b/modules/responder index a55f931..bf1d17b 100644 --- a/modules/responder +++ b/modules/responder @@ -1,5 +1,5 @@ #!/bin/bash /usr/lib/turtle/turtle_module -VERSION="2.0" +VERSION="2.1" DESCRIPTION="Responder - LLMNR, NBT-NS and MDNS poisoner" CONF=/tmp/responder.form AUTHOR=IMcPwn @@ -141,6 +141,10 @@ function start { echo "python /etc/turtle/Responder/Responder.py $mode -I $responder_interface" | at now echo "Responder started and logs are being saved to /tmp/Responder" ;; + *) + echo "Responder configuration not valid. Please re-configure then try again." + rm -r /etc/config/responder + exit 1 esac else echo "Responder not configured." @@ -181,6 +185,8 @@ function status { function log { dialog --ok-label "Submit" \ --title "Responder Log Configuration" \ + --extra-button \ + --extra-label "View log" \ --help-button \ --radiolist "\n\ The log files can be saved to SSHFS or tmp.\n" 16 60 3\ @@ -207,6 +213,20 @@ The log files can be saved to SSHFS or tmp.\n" 16 60 3\ configure;; $DIALOG_ESC) configure;; + $DIALOG_EXTRA) + responder_log=$(uci get responder.log) + case $responder_log in + sshfs) + dialog --title "/sshfs/Responder/logs/Responder-Session.log" --clear --tailbox "/sshfs/Responder/logs/Responder-Session.log" 18 72 + ;; + tmp) + dialog --title "/tmp/Responder/logs/Responder-Session.log" --clear --tailbox "/tmp/Responder/logs/Responder-Session.log" 18 72 + ;; + *) + echo "Responder log location not configured." + log;; + esac + log;; $DIALOG_HELP) dialog --title "Help" --msgbox "\n\ All activity will be logged to Responder-Session.log\n\ From c3401c6727acd56b0d4965665662f64d5fae71ff Mon Sep 17 00:00:00 2001 
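Review bot: The new `*)` arm in `start` (hunk `@@ -141,6 +141,10 @@`) removes the whole of `/etc/config/responder` when only `responder.log` holds an unexpected value, which also discards the saved interface and mode. Clearing just the bad option keeps the rest: `uci delete responder.log && uci commit responder`. The same whole-file delete is repeated in the `@@ -64,6 +64,12 @@` and `@@ -142,9 +148,11 @@` hunks of the later "Fix rm's and add more validity checks" patch on this page. `start` begins and ends outside this hunk.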
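Review bot: The `$DIALOG_EXTRA` arm of `log` (hunk `@@ -207,6 +213,20 @@`) opens `--tailbox` on `Responder-Session.log` without checking that the file is there, which is presumably the case until Responder has run once with that log location. The `sshfs` and `tmp` arms differ only in the directory, so one guarded call covers both: set `logfile="/$responder_log/Responder/logs/Responder-Session.log"` once the value is known to be `sshfs` or `tmp`, then `[[ -r $logfile ]] && dialog --title "$logfile" --clear --tailbox "$logfile" 18 72`. The `echo` in the `*)` arm is followed at once by another `log` call, so the message is probably repainted before it can be read; a `dialog --msgbox` would stay on screen.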
From: IMcPwn Date: Sat, 3 Oct 2015 12:52:36 -0400 Subject: [PATCH 24/33] Remove extra function call --- modules/responder | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/responder b/modules/responder index bf1d17b..ad83247 100644 --- a/modules/responder +++ b/modules/responder @@ -224,7 +224,7 @@ The log files can be saved to SSHFS or tmp.\n" 16 60 3\ ;; *) echo "Responder log location not configured." - log;; + ;; esac log;; $DIALOG_HELP) From fbb0181f9c488018091f3d13e05da16aa026b30a Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Sat, 3 Oct 2015 13:15:07 -0400 Subject: [PATCH 25/33] Fix rm's and add more validity checks --- modules/responder | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/modules/responder b/modules/responder index ad83247..f2a1d3b 100644 --- a/modules/responder +++ b/modules/responder @@ -1,5 +1,5 @@ #!/bin/bash /usr/lib/turtle/turtle_module -VERSION="2.1" +VERSION="2.2" DESCRIPTION="Responder - LLMNR, NBT-NS and MDNS poisoner" CONF=/tmp/responder.form AUTHOR=IMcPwn @@ -49,8 +49,8 @@ function start { if [[ ! -d /etc/turtle/Responder || ! -s /etc/turtle/Responder/Responder.py || ! -s /etc/turtle/Responder/Responder.conf ]]; then - rm -r /etc/turtle/Responder - echo "Responder not downloaded. Downloading..." + rm -rf /etc/turtle/Responder + echo "Responder not downloaded or corrupted. Downloading..." git clone git://github.com/SpiderLabs/Responder /etc/turtle/Responder fi @@ -64,6 +64,12 @@ function start { 7) mode="-v";; 8) mode="-r -F";; 9) mode="-r -F -f";; + *) + echo "Responder configuration not valid." + echo "Please re-configure then try again." + rm -f /etc/config/responder + exit 1 + ;; esac case $responder_log in 
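Review bot: The re-download path in `start` (hunk `@@ -49,8 +49,8 @@`) deletes `/etc/turtle/Responder` and then trusts whatever `git clone git://github.com/SpiderLabs/Responder` returns, with no check that the clone succeeded and no pinned revision, and the result is later run with `python`. `git://` is unauthenticated and unencrypted, so the fetched code can be altered in transit. An `https://` URL plus a checkout of a reviewed commit closes that: `git clone https://github.com/SpiderLabs/Responder /etc/turtle/Responder || exit 1`, then `git -C /etc/turtle/Responder checkout <REVIEWED_COMMIT>` (placeholder). Whether the device's git package has HTTPS support is an assumption to confirm. `start` continues outside the hunk.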
@@ -91,12 +97,12 @@ function start { if [ -s /etc/turtle/Responder/Responder.db ]; then - rm -r /etc/turtle/Responder/Responder.db + rm -f /etc/turtle/Responder/Responder.db fi if [[ $(readlink /etc/turtle/Responder/logs) != "/sshfs/Responder/logs" || ! -d /sshfs/Responder/logs ]]; then - rm -r /etc/turtle/Responder/logs + rm -rf /etc/turtle/Responder/logs mkdir -p /sshfs/Responder/logs ln -s /sshfs/Responder/logs /etc/turtle/Responder/logs fi @@ -129,11 +135,11 @@ function start { if [ -s /etc/turtle/Responder/Responder.db ]; then - rm -r /etc/turtle/Responder/Responder.db + rm -f /etc/turtle/Responder/Responder.db fi if [[ $(readlink /etc/turtle/Responder/logs) != "/tmp/Responder/logs" || ! -d /tmp/Responder/logs ]]; then - rm -r /etc/turtle/Responder/logs + rm -rf /etc/turtle/Responder/logs mkdir -p /tmp/Responder/logs ln -s /tmp/Responder/logs /etc/turtle/Responder/logs fi @@ -142,9 +148,11 @@ function start { echo "Responder started and logs are being saved to /tmp/Responder" ;; *) - echo "Responder configuration not valid. Please re-configure then try again." - rm -r /etc/config/responder + echo "Responder configuration not valid." + echo "Please re-configure then try again." + rm -f /etc/config/responder exit 1 + ;; esac else echo "Responder not configured." From cc3f65609d5ae1f0f741742c00210dc9e123cd0e Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Sun, 4 Oct 2015 13:20:25 -0400 Subject: [PATCH 26/33] Improve formatting and add internet check --- modules/responder | 431 ++++++++++++++++++++++++---------------------- 1 file changed, 221 insertions(+), 210 deletions(-) diff --git a/modules/responder b/modules/responder index f2a1d3b..9d3dd9f 100644 --- a/modules/responder +++ b/modules/responder @@ -1,5 +1,5 @@ #!/bin/bash /usr/lib/turtle/turtle_module -VERSION="2.2" +VERSION="2.3" DESCRIPTION="Responder - LLMNR, NBT-NS and MDNS poisoner" CONF=/tmp/responder.form AUTHOR=IMcPwn 
@@ -11,191 +11,202 @@ AUTHOR=IMcPwn : ${DIALOG_ESC=255} function start { - if [ -s /etc/config/responder ]; - then - responder_interface=$(uci get responder.interface) - responder_log=$(uci get responder.log) - responder_mode=$(uci get responder.mode) - - if [[ $responder_interface == "" ]]; - then - echo "Responder interface not configured." - exit 1 - fi - - if [[ $responder_log == "" ]]; - then - echo "Responder log location not configured." - exit 1 - fi - - if [[ $responder_mode == "" ]]; - then - echo "Responder mode not configured." - exit 1 - fi - - if [[ ! $(opkg list-installed | grep git) ]]; - then - echo "Git not installed. Installing..." - opkg update && opkg install git - fi - - if [[ ! $(opkg list-installed | grep python-sqlite3) ]]; - then - echo "Python-sqlite3 not installed. Installing..." - opkg update && opkg install python-sqlite3 - fi - - if [[ ! -d /etc/turtle/Responder || ! -s /etc/turtle/Responder/Responder.py || ! -s /etc/turtle/Responder/Responder.conf ]]; - then - rm -rf /etc/turtle/Responder - echo "Responder not downloaded or corrupted. Downloading..." - git clone git://github.com/SpiderLabs/Responder /etc/turtle/Responder - fi - - case $responder_mode in - 1) mode="";; - 2) mode="-A";; - 3) mode="-w";; - 4) mode="-r";; - 5) mode="-F";; - 6) mode="-f";; - 7) mode="-v";; - 8) mode="-r -F";; - 9) mode="-r -F -f";; - *) - echo "Responder configuration not valid." - echo "Please re-configure then try again." 
- rm -f /etc/config/responder - exit 1 - ;; - esac - - case $responder_log in - sshfs) - if pgrep sshfs > /dev/null; - then - if [[ $responder_interface == "eth1" ]]; - then - iptables -t filter -I INPUT 1 -i eth1 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p udp --dport 53 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p udp --dport 137 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p udp --dport 138 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p udp --dport 389 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p udp --dport 5553 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p tcp --dport 21 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p tcp --dport 25 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p tcp --dport 80 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p tcp --dport 110 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p tcp --dport 139 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p tcp --dport 389 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p tcp --dport 445 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p tcp --dport 1433 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p tcp --dport 3141 -j ACCEPT - fi - - if [ -s /etc/turtle/Responder/Responder.db ]; - then - rm -f /etc/turtle/Responder/Responder.db - fi - - if [[ $(readlink /etc/turtle/Responder/logs) != "/sshfs/Responder/logs" || ! 
-d /sshfs/Responder/logs ]]; - then - rm -rf /etc/turtle/Responder/logs - mkdir -p /sshfs/Responder/logs - ln -s /sshfs/Responder/logs /etc/turtle/Responder/logs - fi - - echo "python /etc/turtle/Responder/Responder.py $mode -I $responder_interface" | at now - echo "Responder started and logs are being saved to /sshfs/Responder" - else - echo "SSHFS not running" - fi - ;; - tmp) - if [[ $responder_interface == "eth1" ]]; - then - iptables -t filter -I INPUT 1 -i eth1 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p udp --dport 53 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p udp --dport 137 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p udp --dport 138 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p udp --dport 389 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p udp --dport 5553 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p tcp --dport 21 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p tcp --dport 25 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p tcp --dport 80 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p tcp --dport 110 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p tcp --dport 139 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p tcp --dport 389 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p tcp --dport 445 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p tcp --dport 1433 -j ACCEPT - iptables -I INPUT 1 -i eth1 -p tcp --dport 3141 -j ACCEPT - fi - - if [ -s /etc/turtle/Responder/Responder.db ]; - then - rm -f /etc/turtle/Responder/Responder.db - fi - - if [[ $(readlink /etc/turtle/Responder/logs) != "/tmp/Responder/logs" || ! -d /tmp/Responder/logs ]]; then - rm -rf /etc/turtle/Responder/logs - mkdir -p /tmp/Responder/logs - ln -s /tmp/Responder/logs /etc/turtle/Responder/logs - fi - - echo "python /etc/turtle/Responder/Responder.py $mode -I $responder_interface" | at now - echo "Responder started and logs are being saved to /tmp/Responder" - ;; - *) - echo "Responder configuration not valid." - echo "Please re-configure then try again." 
- rm -f /etc/config/responder - exit 1 - ;; - esac - else - echo "Responder not configured." - exit 1 + if [ -s /etc/config/responder ]; + then + responder_interface=$(uci get responder.interface) + responder_log=$(uci get responder.log) + responder_mode=$(uci get responder.mode) + + if [[ $responder_interface == "" ]]; + then + echo "Responder interface not configured." + exit 1 + fi + + if [[ $responder_log == "" ]]; + then + echo "Responder log location not configured." + exit 1 + fi + + if [[ $responder_mode == "" ]]; + then + echo "Responder mode not configured." + exit 1 + fi + + if [[ ! $(opkg list-installed | grep git) ]]; + then + check_internet + echo "Git not installed. Installing..." + opkg update && opkg install git + fi + + if [[ ! $(opkg list-installed | grep python-sqlite3) ]]; + then + check_internet + echo "Python-sqlite3 not installed. Installing..." + opkg update && opkg install python-sqlite3 + fi + + if [[ ! -d /etc/turtle/Responder || ! -s /etc/turtle/Responder/Responder.py || ! -s /etc/turtle/Responder/Responder.conf ]]; + then + check_internet + rm -rf /etc/turtle/Responder + echo "Responder not downloaded or corrupted. Downloading..." + git clone git://github.com/SpiderLabs/Responder /etc/turtle/Responder + fi + + case $responder_mode in + 1) mode="";; + 2) mode="-A";; + 3) mode="-w";; + 4) mode="-r";; + 5) mode="-F";; + 6) mode="-f";; + 7) mode="-v";; + 8) mode="-r -F";; + 9) mode="-r -F -f";; + *) + echo "Responder configuration not valid." + echo "Please re-configure then try again." 
+ rm -f /etc/config/responder + exit 1 + ;; + esac + + case $responder_log in + sshfs) + if pgrep sshfs > /dev/null; + then + if [[ $responder_interface == "eth1" ]]; + then + iptables -t filter -I INPUT 1 -i eth1 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p udp --dport 53 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p udp --dport 137 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p udp --dport 138 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p udp --dport 389 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p udp --dport 5553 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 21 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 25 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 80 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 110 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 139 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 389 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 445 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 1433 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 3141 -j ACCEPT + fi + + if [ -s /etc/turtle/Responder/Responder.db ]; + then + rm -f /etc/turtle/Responder/Responder.db + fi + + if [[ $(readlink /etc/turtle/Responder/logs) != "/sshfs/Responder/logs" || ! 
-d /sshfs/Responder/logs ]]; + then + rm -rf /etc/turtle/Responder/logs + mkdir -p /sshfs/Responder/logs + ln -s /sshfs/Responder/logs /etc/turtle/Responder/logs + fi + + echo "python /etc/turtle/Responder/Responder.py $mode -I $responder_interface" | at now + echo "Responder started and logs are being saved to /sshfs/Responder" + else + echo "SSHFS not running" + fi + ;; + tmp) + if [[ $responder_interface == "eth1" ]]; + then + iptables -t filter -I INPUT 1 -i eth1 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p udp --dport 53 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p udp --dport 137 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p udp --dport 138 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p udp --dport 389 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p udp --dport 5553 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 21 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 25 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 80 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 110 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 139 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 389 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 445 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 1433 -j ACCEPT + iptables -I INPUT 1 -i eth1 -p tcp --dport 3141 -j ACCEPT + fi + + if [ -s /etc/turtle/Responder/Responder.db ]; + then + rm -f /etc/turtle/Responder/Responder.db + fi + + if [[ $(readlink /etc/turtle/Responder/logs) != "/tmp/Responder/logs" || ! -d /tmp/Responder/logs ]]; then + rm -rf /etc/turtle/Responder/logs + mkdir -p /tmp/Responder/logs + ln -s /tmp/Responder/logs /etc/turtle/Responder/logs + fi + + echo "python /etc/turtle/Responder/Responder.py $mode -I $responder_interface" | at now + echo "Responder started and logs are being saved to /tmp/Responder" + ;; + *) + echo "Responder configuration not valid." + echo "Please re-configure then try again." 
+ rm -f /etc/config/responder + exit 1 + ;; + esac + else + echo "Responder not configured." + exit 1 fi } function stop { - responder_interface=$(uci get responder.interface) - if [[ $responder_interface == "eth1" ]]; - then - #iptables -t filter -I INPUT 1 -i eth1 -j ACCEPT - iptables -t filter -D INPUT -i eth1 -j ACCEPT - iptables -D INPUT -i eth1 -p udp --dport 53 -j ACCEPT - iptables -D INPUT -i eth1 -p udp --dport 137 -j ACCEPT - iptables -D INPUT -i eth1 -p udp --dport 138 -j ACCEPT - iptables -D INPUT -i eth1 -p udp --dport 389 -j ACCEPT - iptables -D INPUT -i eth1 -p udp --dport 5553 -j ACCEPT - iptables -D INPUT -i eth1 -p tcp --dport 21 -j ACCEPT - iptables -D INPUT -i eth1 -p tcp --dport 25 -j ACCEPT - iptables -D INPUT -i eth1 -p tcp --dport 80 -j ACCEPT - iptables -D INPUT -i eth1 -p tcp --dport 110 -j ACCEPT - iptables -D INPUT -i eth1 -p tcp --dport 139 -j ACCEPT - iptables -D INPUT -i eth1 -p tcp --dport 389 -j ACCEPT - iptables -D INPUT -i eth1 -p tcp --dport 445 -j ACCEPT - iptables -D INPUT -i eth1 -p tcp --dport 1433 -j ACCEPT - iptables -D INPUT -i eth1 -p tcp --dport 3141 -j ACCEPT - fi - - kill $(ps | grep -w [/]etc/turtle/Responder/Responder.py | awk {'print $1'}) + responder_interface=$(uci get responder.interface) + if [[ $responder_interface == "eth1" ]]; + then + #iptables -t filter -I INPUT 1 -i eth1 -j ACCEPT + iptables -t filter -D INPUT -i eth1 -j ACCEPT + iptables -D INPUT -i eth1 -p udp --dport 53 -j ACCEPT + iptables -D INPUT -i eth1 -p udp --dport 137 -j ACCEPT + iptables -D INPUT -i eth1 -p udp --dport 138 -j ACCEPT + iptables -D INPUT -i eth1 -p udp --dport 389 -j ACCEPT + iptables -D INPUT -i eth1 -p udp --dport 5553 -j ACCEPT + iptables -D INPUT -i eth1 -p tcp --dport 21 -j ACCEPT + iptables -D INPUT -i eth1 -p tcp --dport 25 -j ACCEPT + iptables -D INPUT -i eth1 -p tcp --dport 80 -j ACCEPT + iptables -D INPUT -i eth1 -p tcp --dport 110 -j ACCEPT + iptables -D INPUT -i eth1 -p tcp --dport 139 -j ACCEPT + iptables -D INPUT -i 
eth1 -p tcp --dport 389 -j ACCEPT + iptables -D INPUT -i eth1 -p tcp --dport 445 -j ACCEPT + iptables -D INPUT -i eth1 -p tcp --dport 1433 -j ACCEPT + iptables -D INPUT -i eth1 -p tcp --dport 3141 -j ACCEPT + fi + + kill $(ps | grep -w [/]etc/turtle/Responder/Responder.py | awk {'print $1'}) } function status { - if ps | grep -w -q [/]etc/turtle/Responder/Responder.py; then echo "1"; else echo "0"; fi + if ps | grep -w -q [/]etc/turtle/Responder/Responder.py; then echo "1"; else echo "0"; fi } +function check_internet { + ping -q -w 5 -c 1 lanturtle.com &> /dev/null && { + : + } || { + echo -e "The LAN Turtle is currently offline. Responder requires\nan internet connection to install dependencies." + exit 1 + } +} function log { dialog --ok-label "Submit" \ --title "Responder Log Configuration" \ - --extra-button \ - --extra-label "View log" \ - --help-button \ + --extra-button \ + --extra-label "View log" \ + --help-button \ --radiolist "\n\ The log files can be saved to SSHFS or tmp.\n" 16 60 3\ 1 "Save log to SSHFS if available." off\ 
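Review bot: In the re-indented `start` (hunk `@@ -11,191 +11,202 @@`), the first rule `iptables -t filter -I INPUT 1 -i eth1 -j ACCEPT` accepts every packet arriving on eth1, so the per-port rules after it never decide anything and the INPUT chain stops filtering that interface for as long as the module runs. If only the listed ports are meant to be opened, the blanket rule should be dropped from both `start` branches and from `stop`. The same rule list appears three times in this hunk (sshfs branch, tmp branch, `stop`), which is how a fix lands in one copy and is missed in another; a single helper that takes `-I` or `-D` keeps them in step. `start`, `stop`, `status` and the new `check_internet` are complete in the hunk, while `log` continues past its end.

```shell
# Add (-I) or remove (-D) the eth1 accept rules for the ports the module opens.
function responder_rules {
    local action=$1 port
    for port in 53 137 138 389 5553; do
        iptables "$action" INPUT -i eth1 -p udp --dport "$port" -j ACCEPT
    done
    for port in 21 25 80 110 139 389 445 1433 3141; do
        iptables "$action" INPUT -i eth1 -p tcp --dport "$port" -j ACCEPT
    done
}
# … unchanged: start and stop, each calling responder_rules -I / responder_rules -D inside the eth1 check …
```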
@@ -206,37 +217,37 @@ The log files can be saved to SSHFS or tmp.\n" 16 60 3\ $DIALOG_OK) LOG=$(cat $CONF) case $LOG in - 1) + 1) uci set responder.log="sshfs" uci commit responder ;; - 2) + 2) uci set responder.log="tmp" uci commit responder ;; esac configure - ;; + ;; $DIALOG_CANCEL) configure;; $DIALOG_ESC) configure;; - $DIALOG_EXTRA) - responder_log=$(uci get responder.log) - case $responder_log in - sshfs) - dialog --title "/sshfs/Responder/logs/Responder-Session.log" --clear --tailbox "/sshfs/Responder/logs/Responder-Session.log" 18 72 - ;; - tmp) - dialog --title "/tmp/Responder/logs/Responder-Session.log" --clear --tailbox "/tmp/Responder/logs/Responder-Session.log" 18 72 - ;; - *) - echo "Responder log location not configured." - ;; - esac - log;; - $DIALOG_HELP) - dialog --title "Help" --msgbox "\n\ + $DIALOG_EXTRA) + responder_log=$(uci get responder.log) + case $responder_log in + sshfs) + dialog --title "/sshfs/Responder/logs/Responder-Session.log" --clear --tailbox "/sshfs/Responder/logs/Responder-Session.log" 18 72 + ;; + tmp) + dialog --title "/tmp/Responder/logs/Responder-Session.log" --clear --tailbox "/tmp/Responder/logs/Responder-Session.log" 18 72 + ;; + *) + echo "Responder log location not configured." + ;; + esac + log;; + $DIALOG_HELP) + dialog --title "Help" --msgbox "\n\ All activity will be logged to Responder-Session.log\n\ Analyze mode will be logged to Analyze-Session.log\n\ Poisoning will be logged to Poisoners-Session.log\n\n\ @@ -260,16 +271,16 @@ Responder can target the Host machine (The computer the LAN Turtle is plugged in $DIALOG_OK) INTERFACE=$(cat $CONF) case $INTERFACE in - 1) + 1) uci set responder.interface="br-lan" uci commit responder ;; - 2) + 2) uci set responder.interface="eth1" uci commit responder ;; esac - configure + configure ;; $DIALOG_CANCEL) configure;; 
@@ -281,7 +292,7 @@ Responder can target the Host machine (The computer the LAN Turtle is plugged in function mode { dialog --ok-label "Submit" \ --title "Responder Mode" \ - --help-button \ + --help-button \ --radiolist "Choose mode\n \n" 20 60 10\ 1 "Default mode" on\ 2 "Analyze mode" off\ @@ -298,42 +309,42 @@ function mode { $DIALOG_OK) mode=$(cat $CONF) case $mode in - 1) + 1) uci set responder.mode="1" uci commit responder;; - 2) + 2) uci set responder.mode="2" uci commit responder;; - 3) + 3) uci set responder.mode="3" uci commit responder;; - 4) + 4) uci set responder.mode="4" uci commit responder;; - 5) + 5) uci set responder.mode="5" uci commit responder;; - 6) + 6) uci set responder.mode="6" uci commit responder;; - 7) + 7) uci set responder.mode="7" uci commit responder;; - 8) + 8) uci set responder.mode="8" uci commit responder;; - 9) + 9) uci set responder.mode="9" uci commit responder;; esac configure - ;; + ;; $DIALOG_CANCEL) configure;; $DIALOG_ESC) configure;; - $DIALOG_HELP) - dialog --title "Help" --msgbox "\n\ + $DIALOG_HELP) + dialog --title "Help" --msgbox "\n\ Responder is an LLMNR, NBT-NS and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409).\n\ By default, the tool will only answer to File Server Service request, which is for SMB.\n\n\ The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior.\n\n\ @@ -376,11 +387,11 @@ dialog \ function configure { if [[ ! -s /etc/config/responder ]]; then - touch /etc/config/responder + touch /etc/config/responder fi dialog --title "" --menu "" 15 60 5 \ - "log" "Specify log location" \ + "log" "Specify log location" \ "interface" "Specify interface to target" \ "mode" "Specify Responder mode" \ "responderconf" "Edit Responder.conf" \ From 4168ba060714d65dc51c6169aa187dfe9d030ae0 Mon Sep 17 00:00:00 2001 
From: IMcPwn Date: Sun, 4 Oct 2015 13:34:31 -0400 Subject: [PATCH 27/33] Minor formatting fixes --- modules/responder | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/responder b/modules/responder index 9d3dd9f..a2227e9 100644 --- a/modules/responder +++ b/modules/responder @@ -114,6 +114,7 @@ function start { echo "Responder started and logs are being saved to /sshfs/Responder" else echo "SSHFS not running" + exit 1 fi ;; tmp) @@ -203,11 +204,11 @@ function check_internet { function log { dialog --ok-label "Submit" \ - --title "Responder Log Configuration" \ + --title "Responder Log Configuration" \ --extra-button \ --extra-label "View log" \ --help-button \ - --radiolist "\n\ + --radiolist "\n\ The log files can be saved to SSHFS or tmp.\n" 16 60 3\ 1 "Save log to SSHFS if available." off\ 2 "Save log to /tmp" off\ From c8fe3bf94917e887894e6d34bfd65bd009d5fcea Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Sun, 4 Oct 2015 20:33:41 -0400 Subject: [PATCH 28/33] More formatting fixes! --- modules/responder | 26 ++++++++++---------------- 1 file changed, 10 insertions(+), 16 deletions(-) diff --git a/modules/responder b/modules/responder index a2227e9..62a2d37 100644 --- a/modules/responder +++ b/modules/responder @@ -53,7 +53,7 @@ function start { then check_internet rm -rf /etc/turtle/Responder - echo "Responder not downloaded or corrupted. Downloading..." + echo "Responder files are not valid. Downloading..." git clone git://github.com/SpiderLabs/Responder /etc/turtle/Responder fi @@ -227,13 +227,12 @@ The log files can be saved to SSHFS or tmp.\n" 16 60 3\ uci commit responder ;; esac - configure - ;; + configure;; $DIALOG_CANCEL) configure;; $DIALOG_ESC) configure;; - $DIALOG_EXTRA) + $DIALOG_EXTRA) responder_log=$(uci get responder.log) case $responder_log in sshfs) 
@@ -281,8 +280,7 @@ Responder can target the Host machine (The computer the LAN Turtle is plugged in uci commit responder ;; esac - configure - ;; + configure;; $DIALOG_CANCEL) configure;; $DIALOG_ESC) @@ -338,13 +336,12 @@ function mode { uci set responder.mode="9" uci commit responder;; esac - configure - ;; + configure;; $DIALOG_CANCEL) configure;; $DIALOG_ESC) configure;; - $DIALOG_HELP) + $DIALOG_HELP) dialog --title "Help" --msgbox "\n\ Responder is an LLMNR, NBT-NS and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409).\n\ By default, the tool will only answer to File Server Service request, which is for SMB.\n\n\ @@ -372,16 +369,13 @@ dialog \ $DIALOG_HELP) dialog --title "Help" \ --msgbox "For information on this configuration, see: https://github.com/SpiderLabs/Responder" 20 60 - responderconf - ;; + responderconf;; $DIALOG_CANCEL) rm $CONF - configure - ;; + configure;; $DIALOG_ESC) rm $CONF - configure - ;; + configure;; esac } @@ -404,5 +398,5 @@ fi "mode") mode;; "responderconf") responderconf;; "back") exit;; -esac + esac } From 4d1fa206d14b9aba2adfd02c2b2d66625bd81b6b Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Mon, 5 Oct 2015 18:29:18 -0400 Subject: [PATCH 29/33] Improve internet check formatting --- modules/responder | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/responder b/modules/responder index 62a2d37..3f19a3c 100644 --- a/modules/responder +++ b/modules/responder 
@@ -37,23 +37,23 @@ function start { if [[ ! $(opkg list-installed | grep git) ]]; then - check_internet echo "Git not installed. Installing..." + check_internet opkg update && opkg install git fi if [[ ! $(opkg list-installed | grep python-sqlite3) ]]; then - check_internet echo "Python-sqlite3 not installed. Installing..." + check_internet opkg update && opkg install python-sqlite3 fi if [[ ! -d /etc/turtle/Responder || ! -s /etc/turtle/Responder/Responder.py || ! -s /etc/turtle/Responder/Responder.conf ]]; then + echo "Responder files are not valid. Downloading..." check_internet rm -rf /etc/turtle/Responder - echo "Responder files are not valid. Downloading..." git clone git://github.com/SpiderLabs/Responder /etc/turtle/Responder fi @@ -197,7 +197,7 @@ function check_internet { ping -q -w 5 -c 1 lanturtle.com &> /dev/null && { : } || { - echo -e "The LAN Turtle is currently offline. Responder requires\nan internet connection to install dependencies." + echo -e "\nThe LAN Turtle is currently offline. The previous\noperation requires an internet connection." exit 1 } } From c0fb3ea73e5b8ca56fb07c62fa56fe6a0f0529ca Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Mon, 12 Oct 2015 09:02:47 -0400 Subject: [PATCH 30/33] Improve start messages --- modules/responder | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/responder b/modules/responder index 3f19a3c..e65d577 100644 --- a/modules/responder +++ b/modules/responder @@ -111,7 +111,7 @@ function start { fi echo "python /etc/turtle/Responder/Responder.py $mode -I $responder_interface" | at now - echo "Responder started and logs are being saved to /sshfs/Responder" + echo -e "Responder started in mode $responder_mode against interface $responder_interface\nand logs are being saved to /sshfs/Responder" else echo "SSHFS not running" exit 1 
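Review bot: The two dependency tests at the top of the `@@ -37,23 +37,23 @@` hunk use `opkg list-installed | grep git` and `grep python-sqlite3`, which are substring matches, so any installed package whose name merely contains `git` makes the first test pass and the install is skipped. The later clone then fails only after `rm -rf /etc/turtle/Responder` has already run. Anchor the match to the package name, for example `if ! opkg list-installed | grep -q '^git '; then` and `if ! opkg list-installed | grep -q '^python-sqlite3 '; then`. The same two tests reappear in the `@@ -37,24 +37,24 @@` hunk of PATCH 32, and `start` begins and continues outside both hunks.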
@@ -149,7 +149,7 @@ function start { fi echo "python /etc/turtle/Responder/Responder.py $mode -I $responder_interface" | at now - echo "Responder started and logs are being saved to /tmp/Responder" + echo -e "Responder started in mode $responder_mode against interface $responder_interface\nand logs are being saved to /tmp/Responder" ;; *) echo "Responder configuration not valid." From 6a1ce2283211e77069aa97750a139c5e9fc58389 Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Mon, 12 Oct 2015 10:31:54 -0400 Subject: [PATCH 31/33] Minor formatting improvement --- modules/responder | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/responder b/modules/responder index e65d577..8155e4b 100644 --- a/modules/responder +++ b/modules/responder @@ -197,7 +197,7 @@ function check_internet { ping -q -w 5 -c 1 lanturtle.com &> /dev/null && { : } || { - echo -e "\nThe LAN Turtle is currently offline. The previous\noperation requires an internet connection." + echo -e "\nThe LAN Turtle is currently offline. The previous\noperation requires an internet connection." exit 1 } } @@ -293,7 +293,7 @@ function mode { --title "Responder Mode" \ --help-button \ --radiolist "Choose mode\n \n" 20 60 10\ - 1 "Default mode" on\ + 1 "Default mode" off\ 2 "Analyze mode" off\ 3 "Start WPAD rouge proxy server" off\ 4 "Enable answers for netbios suffix queries" off\ From 0e36c49ab13c179c6f02c73b720fc707851e6800 Mon Sep 17 00:00:00 2001 From: IMcPwn Date: Sat, 24 Oct 2015 15:25:33 -0400 Subject: [PATCH 32/33] Make first time download look nicer Pipe opkg updating to /dev/null Make git quiet Notify user how to view log in real time --- modules/responder | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/modules/responder b/modules/responder index 8155e4b..a9f10ac 100644 --- a/modules/responder +++ b/modules/responder 
@@ -37,24 +37,24 @@ function start { if [[ ! $(opkg list-installed | grep git) ]]; then - echo "Git not installed. Installing..." + echo "Dependency git not installed. Installing..." check_internet - opkg update && opkg install git + opkg update > /dev/null && opkg install git fi if [[ ! $(opkg list-installed | grep python-sqlite3) ]]; then - echo "Python-sqlite3 not installed. Installing..." + echo "Dependency python-sqlite3 not installed. Installing..." check_internet - opkg update && opkg install python-sqlite3 + opkg update > /dev/null && opkg install python-sqlite3 fi if [[ ! -d /etc/turtle/Responder || ! -s /etc/turtle/Responder/Responder.py || ! -s /etc/turtle/Responder/Responder.conf ]]; then - echo "Responder files are not valid. Downloading..." + echo "Required Responder files not found. Downloading..." check_internet rm -rf /etc/turtle/Responder - git clone git://github.com/SpiderLabs/Responder /etc/turtle/Responder + git clone git://github.com/SpiderLabs/Responder /etc/turtle/Responder -q fi case $responder_mode in @@ -112,6 +112,7 @@ function start { echo "python /etc/turtle/Responder/Responder.py $mode -I $responder_interface" | at now echo -e "Responder started in mode $responder_mode against interface $responder_interface\nand logs are being saved to /sshfs/Responder" + echo "Logs can be viewed at Configure > log > View log" else echo "SSHFS not running" exit 1 @@ -150,6 +151,7 @@ function start { echo "python /etc/turtle/Responder/Responder.py $mode -I $responder_interface" | at now echo -e "Responder started in mode $responder_mode against interface $responder_interface\nand logs are being saved to /tmp/Responder" + echo "Logs can be viewed at Configure > log > View log" ;; *) echo "Responder configuration not valid." From 2f2e644a8086b01175d77c347cb0f7ff0933daa1 Mon Sep 17 00:00:00 2001 
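Review bot: The clone line touched in the `@@ -37,24 +37,24 @@` hunk still fetches over `git://`, a transport with no encryption and no server authentication, and the fetched tree is what `start` later runs with `python /etc/turtle/Responder/Responder.py`. Anything on the path between the device and GitHub can therefore substitute the code that gets executed, and no commit is pinned, so each fresh install runs whatever the default branch holds at that moment. Prefer `git clone -q https://github.com/SpiderLabs/Responder /etc/turtle/Responder || exit 1` followed by `git -C /etc/turtle/Responder checkout -q <pinned-commit>`, where the placeholder is a commit that has been reviewed; this may require git's HTTP transport to be installed on the device. The `|| exit 1` matters because the preceding `rm -rf` has already removed the old copy and the clone's exit status is otherwise ignored. `start` begins and continues outside this hunk.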
From: IMcPwn Date: Sun, 22 Nov 2015 12:32:13 -0500 Subject: [PATCH 33/33] Change stop methods and show PID --- modules/responder | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/modules/responder b/modules/responder index a9f10ac..07f260a 100644 --- a/modules/responder +++ b/modules/responder @@ -1,5 +1,9 @@ #!/bin/bash /usr/lib/turtle/turtle_module -VERSION="2.3" + +# responder by IMcPwn +# http://imcpwn.com + +VERSION="2.4" DESCRIPTION="Responder - LLMNR, NBT-NS and MDNS poisoner" CONF=/tmp/responder.form AUTHOR=IMcPwn @@ -149,9 +153,10 @@ function start { ln -s /tmp/Responder/logs /etc/turtle/Responder/logs fi - echo "python /etc/turtle/Responder/Responder.py $mode -I $responder_interface" | at now + echo "python /etc/turtle/Responder/Responder.py $mode -I $responder_interface &" | at now echo -e "Responder started in mode $responder_mode against interface $responder_interface\nand logs are being saved to /tmp/Responder" - echo "Logs can be viewed at Configure > log > View log" + echo "Responder started with pid" + pgrep -f Responder.py ;; *) echo "Responder configuration not valid." @@ -187,8 +192,8 @@ function stop { iptables -D INPUT -i eth1 -p tcp --dport 1433 -j ACCEPT iptables -D INPUT -i eth1 -p tcp --dport 3141 -j ACCEPT fi - - kill $(ps | grep -w [/]etc/turtle/Responder/Responder.py | awk {'print $1'}) + if pgrep -f Responder.py > /dev/null; then kill $(pgrep -f Responder.py); fi + echo "Responder stopped" } function status {
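Review bot: In the `@@ -149,9 +153,10 @@` hunk, `pgrep -f Responder.py` runs immediately after the command is queued with `at now`, so the job may not have started yet and the line after "Responder started with pid" can come out empty (inferred; it depends on how quickly the queued job is picked up). The pattern also matches any command line containing that string rather than the one script; `pgrep -f /etc/turtle/Responder/Responder.py` is tighter. Going by the diffstat (10 insertions, 5 deletions over three hunks), only the `tmp)` branch is changed, so the `sshfs)` branch presumably keeps the old command without `&` and without PID output, and the "Logs can be viewed at Configure > log > View log" hint is now dropped from `tmp)` only. The enclosing `start` function begins and ends outside the hunk.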
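Review bot: In the `@@ -187,8 +192,8 @@` hunk, `stop` prints "Responder stopped" unconditionally, even when nothing matched or `kill` failed, so an operator can believe the poisoner is off while it is still answering on the network. The new `pgrep -f Responder.py` match is also broader than the removed `[/]etc/turtle/Responder/Responder.py` pattern, and it is evaluated twice with an unquoted `$(...)` in between, which leaves a window for the process list to change. Suggest `if pkill -f /etc/turtle/Responder/Responder.py; then echo "Responder stopped"; else echo "Responder was not running"; fi`, assuming `pkill` is available alongside `pgrep` on this firmware. `stop` begins outside the hunk.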