def search(self):
if self.packet.getlayer(IPv6) and self.packet.getlayer(DHCP6_Solicit):
mac = self.packet[Ether].src
fqdn = self.packet[DHCP6_Solicit].fqdn
hostname = fqdn.split('.')[0]
ipv6 = self.packet[IPv6].src
ipv4 = None
domain = '.'.join(fqdn.split('.')[1:]).rstrip('.').upper()
dns = None
router = None
segment = None
os = None
notes = None
enterprisenum = self.packet[DHCP6_Solicit].enterprisenum
protocol = 'DHCPv6'
attack = None
description = None
if str(enterprisenum) == '311':
enterprise = 'Microsoft'
os = 'Microsoft Windows'
if protocol not in self.keys['protocols']:
self.keys['protocols'].append(protocol)
if domain not in self.keys['domains'] and domain != None and '__MSBROWSE__' not in domain:
self.keys['domains'].append(domain)
if router not in self.keys['routers'] and router != None:
self.keys['routers'].append(router)
if dns not in self.keys['dns'] and dns != None:
self.keys['dns'].append(dns)
if hostname not in self.keys['hosts'].keys() and hostname != None:
self.keys['hosts'].update({hostname: {'mac': mac, 'ipv4': ipv4, 'domain': domain, 'ipv6': ipv6, 'enterprisenum': enterprisenum, 'enterprise': enterprise, 'os': os, 'protocol': protocol, 'notes': notes, 'attacks': attack}})
if attack not in self.keys['attacks'].keys() and attack != None:
self.keys['attacks'].update({attack: description})
else:
if self.keys['hosts'][hostname]['os'] == None or self.keys['hosts'][hostname]['os'] == 'Unknown':
engine.UpdateReconKeys(self.keys, hostname, os=os).operating_system()
if self.keys['hosts'][hostname]['ipv6'] == None or self.keys['hosts'][hostname]['ipv6'] == 'Unknown':
engine.UpdateReconKeys(self.keys, hostname, ipv6=ipv6).ip_v6()
return self.keys
def search(self):
if self.packet.getlayer(Ether) and self.packet.getlayer(LLMNRResponse):
mac = self.packet[Ether].src
ipv4 = None
ipv6 = None
domain = None
dns = None
router = None
notes = None
hostname = None
os = None
sport = self.packet[UDP].sport
dport = self.packet[UDP].dport
sid_keys = {}
protocol = 'LLMNR'
attack = None
description = None
qname = self.packet[LLMNRResponse].qd.qname
qtype = self.packet[LLMNRResponse].qd.qtype
qclass = self.packet[LLMNRResponse].qd.qclass
rrname = str(self.packet[LLMNRResponse].an.rrname).strip('.')
rtype = self.packet[LLMNRResponse].an.type
rclass = self.packet[LLMNRResponse].an.rclass
rdata = self.packet[LLMNRResponse].an.rdata
r_ns = self.packet[LLMNRResponse].ns
r_ar = self.packet[LLMNRResponse].ar
if protocol not in self.keys['protocols']:
self.keys['protocols'].append(protocol)
if domain not in self.keys['domains'] and domain not in self.keys['hosts'].keys():
self.keys['domains'].append(domain)
if rrname not in self.keys['hosts'].keys() and rrname != None:
self.keys['hosts'].update({rrname: {'ipv4': rdata, 'mac': mac, 'domain': 'Unknown', 'ipv6': ipv6, 'os': os, 'protocol': protocol, 'server_keys': sid_keys, 'attacks': attack}})
if attack not in self.keys['attacks'].keys() and attack != None:
self.keys['attacks'].update({attack: description})
else:
if self.keys['hosts'][rrname]['os'] == None or self.keys['hosts'][rrname]['os'] == 'Unknown':
engine.UpdateReconKeys(self.keys, rrname, os=os).operating_system()
return self.keys
def search(self):
username = None
username_host = None
broadcast = None
if self.packet.getlayer(IP):
broadcast = '{}.255'.format('.'.join(
self.packet[IP].src.split('.')[0:3]))
if broadcast and self.packet.getlayer(
UDP) and self.packet[IP].dst == broadcast and self.packet[
UDP].sport == 138 and self.packet[UDP].dport == 138:
raw_packet = list(str(self.packet[Raw]))
if '\x12' in raw_packet:
logon_index = raw_packet.index('\x12')
check_logon = raw_packet[logon_index + 1]
if check_logon == '\x00':
username = ''.join(
raw_packet[logon_index + 4 + 10:logon_index + 4 + 10 +
26]).replace('\x00', '')
username_host = ''.join(raw_packet[(logon_index +
4):(logon_index + 4 +
10)]).replace(
'\x00', '')
if self.packet.getlayer(UDP) and self.packet.getlayer(
NBTDatagram
) and self.packet[UDP].sport == 138 and self.packet[UDP].dport == 138:
mac = self.packet[Ether].src
ipv4 = self.packet[IP].src
segment = '{}.0/24'.format('.'.join(ipv4.split('.')[0:3]))
ipv6 = None
domain = None
domain_controller = False
os = None
sport = self.packet[IP].sport
dport = self.packet[IP].dport
dns = None
router = None
raw_packet = list(str(self.packet[Raw]))
browser_cmd = raw_packet[85:87]
notes = None
attack = None
protocol = 'Windows Browser Datagram'
host_comment = None
server_type = ''.join(list(raw_packet[110:114])).encode('hex')
little_endian_server_type = ''.join(
list(raw_packet[110:114])[::-1]).encode('hex')
if browser_cmd[1] == '\x01':
announcement = "Host Announcement"
host_comment = ''.join(raw_packet[(86 + 32):]).strip()
elif browser_cmd[1] == '\x02':
announcement = "Request Announcement"
elif browser_cmd[1] == '\x0b':
announcement = "Become Backup Browser"
elif browser_cmd[1] == '\x0c':
announcement = "Domain/Workgroup Announcement"
elif browser_cmd[1] == '\x0f':
announcement = "Local Master Announcement"
host_comment = ''.join(raw_packet[(86 + 32):]).strip()
else:
announcement = None
if announcement != "Request Announcement" and announcement != "Become Backup Browser" and len(
list(raw_packet)) > 108:
if list(raw_packet[108:110])[0] == '\x0a' and list(
raw_packet[108:110])[1] == '\x00':
os = 'Win 10 / Server 2016 (NT 10.0)'
elif list(raw_packet[108:110])[0] == '\x06' and list(
raw_packet[108:110])[1] == '\x00':
os = 'Win Vista / Server 2008 (NT 6.0)'
elif list(raw_packet[108:110])[0] == '\x06' and list(
raw_packet[108:110])[1] == '\x01':
os = 'Win 7 / Server 2008 R2 (NT 6.1)'
attack = 'EternalBlue SMB Remote Code Execution'
description = '''
1 or more hosts were found running outdated versions of the Windows operating system.
Hosts running Windows 7 or Server 2008 R2 may be affected by an SMBv1
vulnerability which results in arbitrary remote code execution in the privilege
context of SYSTEM.
This vulnerability can be confirmed using the MS17_010 SMB RCE Detection module
found within the Metasploit Framework and following the below steps:
~ MSF Example ~
- use auxiliary/scanner/smb/smb_ms17_010
- set RHOSTS <target_hosts>
- set SMBDomain <target_domain_name> (optional)
- set SMBUser <username> (optional)
- set SMBPass <password> (optional)
- run
'''
elif list(raw_packet[108:110])[0] == '\x06' and list(
raw_packet[108:110])[1] == '\x02':
os = 'Win 8 / Server 2012 (NT 6.2)'
elif list(raw_packet[108:110])[0] == '\x06' and list(
raw_packet[108:110])[1] == '\x03':
os = 'Win 8.1 / Server 2012 R2 (NT 6.3)'
elif list(raw_packet[108:110])[0] == '\x05' and list(
raw_packet[108:110])[1] == '\x00':
os = 'Win 2000 (NT 5.0)'
elif list(raw_packet[108:110])[0] == '\x05' and list(
raw_packet[108:110])[1] == '\x01':
os = 'Win XP (NT 5.1)'
elif list(raw_packet[108:110])[0] == '\x05' and list(
raw_packet[108:110])[1] == '\x02':
os = 'Win XP Pro x64 / Server 2003 / Server 2003 R2 (NT 5.2)'
else:
os = None
else:
os = None
type = self.packet[NBTDatagram].Type
hostname = self.packet[NBTDatagram].SourceName.strip()
host_ipv4 = str(self.packet[NBTDatagram].SourceIP)
host_type = str(self.packet[NBTDatagram].SUFFIX1)
domain = str(self.packet[NBTDatagram].DestinationName).strip()
sid_keys = {}
if little_endian_server_type and announcement == "Host Announcement":
byte_list = re.findall('..', little_endian_server_type)
server_type_binary = []
for b in byte_list:
bin_byte = bin(int(b, 16))[2:].zfill(8)
server_type_binary.append(bin_byte)
little_end_srv_bin_list = server_type_binary[::-1]
server_type_binary_string = ''.join(
little_end_srv_bin_list).strip()
server_type_keys_1 = [
'novell', 'apple', 'time_source', 'backup_controller',
'domain_controller', 'sql_server', 'server', 'workstation'
]
server_type_keys_2 = [
'nt_server_1', 'nt_server_2', 'wfw', 'nt_workstation',
'xenix', 'dialin', 'print', 'member'
]
server_type_keys_3 = [
'dfs', 'windows_95_plus', 'vms', 'osf',
'domain_master_browser', 'master_browser',
'backup_browser', 'potential_browser'
]
server_type_values_1 = list(server_type_binary_string)[0:8]
server_type_values_2 = list(server_type_binary_string)[8:16]
server_type_values_3 = list(server_type_binary_string)[16:24]
server_type_keys = server_type_keys_1 + server_type_keys_2 + server_type_keys_3
server_type_values = server_type_values_1 + server_type_values_2 + server_type_values_3
sid_keys = dict(zip(server_type_keys, server_type_values))
if {
username: username_host
} not in self.keys['usernames'] and username != None:
self.keys['usernames'].append({username: username_host})
if 'MSBROWSE' in domain:
domain = 'MSBROWSE'
if domain not in self.keys[
'domains'] and domain != None and 'MSBROWSE' not in domain and domain not in self.keys[
'hosts'].keys():
self.keys['domains'].append(domain)
if dport not in self.keys['ports']:
self.keys['ports'].append(dport)
if protocol not in self.keys['protocols']:
self.keys['protocols'].append(protocol)
if os not in self.keys[
'fingerprints'] and os != None and os != 'Unknown':
self.keys['fingerprints'].append(os)
if notes not in self.keys[
'fingerprints'] and notes != None and not notes.startswith(
'Performed'):
self.keys['fingerprints'].append(notes)
if router not in self.keys['routers'] and router != None:
self.keys['routers'].append(router)
if dns not in self.keys['dns'] and dns != None:
self.keys['dns'].append(dns)
if hostname not in self.keys['hosts'].keys() and hostname != None:
self.keys['hosts'].update({
hostname: {
'mac': mac,
'domain': domain,
'ipv4': host_ipv4,
'ipv6': ipv6,
'os': os,
'notes': notes,
'protocol': protocol,
'segment': segment,
'server_keys': sid_keys,
'comment': host_comment,
'attacks': attack
}
})
if attack not in self.keys['attacks'].keys() and attack != None:
self.keys['attacks'].update({attack: description})
else:
if self.keys['hosts'][hostname]['os'] == None or self.keys[
'hosts'][hostname]['os'] == 'Unknown':
engine.UpdateReconKeys(self.keys, hostname,
os=os).operating_system()
if self.keys['hosts'][hostname]['domain'] == None or self.keys[
'hosts'][hostname]['domain'] == 'Unknown':
engine.UpdateReconKeys(self.keys, hostname,
domain=domain).domain_name()
if ('server_keys' in self.keys['hosts'][hostname].keys()
and self.keys['hosts'][hostname]['server_keys'] == None
) or ('server_keys' in self.keys['hosts'][hostname].keys()
and self.keys['hosts'][hostname]['server_keys']
== 'Unknown'):
engine.UpdateReconKeys(self.keys,
hostname,
server_keys=sid_keys).server_type()
return self.keys
def search(self):
if self.packet.getlayer(Ether) and self.packet.getlayer(
UDP) and self.packet.getlayer(
NBNSQueryRequest
) and self.packet[UDP].dport == 137 and self.packet[
Ether].dst == 'ff:ff:ff:ff:ff:ff':
raw_packet = list(str(self.packet[NBNSQueryRequest]))
mac = self.packet[Ether].src
sport = self.packet[IP].sport
dport = self.packet[IP].dport
ipv4 = self.packet[IP].src
question = self.packet[NBNSQueryRequest].QUESTION_NAME.strip()
suffix = self.packet[NBNSQueryRequest].SUFFIX
ipv6 = None
domain = None
dns = None
router = None
hostname = None
os = None
suffix_type = None
notes = None
sid_keys = {}
segment = '{}.0/24'.format('.'.join(ipv4.split('.')[0:3]))
protocol = 'NBNS'
if str(suffix) == '16705':
suffix_type = 'workstation'
if str(suffix) == '16973':
suffix_type = 'domain controller'
if str(suffix) == '17217':
suffix_type = 'file server service'
if str(suffix) == '16970':
suffix_type = 'unknown'
if dport not in self.keys['ports']:
self.keys['ports'].append(dport)
if domain not in self.keys['domains'] and domain not in self.keys[
'hosts'].keys(
) and domain != None and '__MSBROWSE__' not in domain:
self.keys['domains'].append(domain)
if protocol not in self.keys['protocols']:
self.keys['protocols'].append(protocol)
if 'WPAD' in question and 'WPAD' not in self.keys['protocols']:
self.keys['protocols'].append('WPAD')
notes = 'WPAD client'
if router not in self.keys['routers'] and router != None:
self.keys['routers'].append(router)
if dns not in self.keys['dns'] and dns != None:
self.keys['dns'].append(dns)
if hostname not in self.keys['hosts'].keys():
if hostname != None:
self.keys['hosts'].update({
hostname: {
'mac': mac,
'ipv4': ipv4,
'ipv6': ipv6,
'domain': domain,
'lookup': question,
'suffix_type': suffix_type,
'os': os,
'protocol': protocol,
'notes': notes,
'server_keys': sid_keys
}
})
else:
if self.keys['hosts'][hostname]['os'] == None or self.keys[
'hosts'][hostname]['os'] == 'Unknown':
engine.UpdateReconKeys(self.keys, hostname,
os=os).operating_system()
return self.keys
def search(self):
username = None
username_host = None
broadcast = None
if self.packet.getlayer(IP):
broadcast = '{}.255'.format('.'.join(
self.packet[IP].src.split('.')[0:3]))
if broadcast and self.packet.getlayer(
UDP) and self.packet[IP].dst == broadcast and self.packet[
UDP].sport == 138 and self.packet[UDP].dport == 138:
raw_packet = list(str(self.packet[Raw]))
if '\x12' in raw_packet:
logon_index = raw_packet.index('\x12')
check_logon = raw_packet[logon_index + 1]
if check_logon == '\x00':
username = ''.join(
raw_packet[logon_index + 4 + 10:logon_index + 4 + 10 +
26]).replace('\x00', '')
username_host = ''.join(raw_packet[(logon_index +
4):(logon_index + 4 +
10)]).replace(
'\x00', '')
if self.packet.getlayer(UDP) and self.packet.getlayer(
NBTDatagram
) and self.packet[UDP].sport == 138 and self.packet[UDP].dport == 138:
mac = self.packet[Ether].src
ipv4 = self.packet[IP].src
segment = '{}.0/24'.format('.'.join(ipv4.split('.')[0:3]))
ipv6 = None
domain = None
domain_controller = False
os = None
sport = self.packet[IP].sport
dport = self.packet[IP].dport
dns = None
router = None
raw_packet = list(str(self.packet[Raw]))
browser_cmd = raw_packet[85:87]
notes = None
attack = None
protocol = 'Windows Browser Datagram'
host_comment = None
server_type = ''.join(list(raw_packet[110:114])).encode('hex')
little_endian_server_type = ''.join(
list(raw_packet[110:114])[::-1]).encode('hex')
if browser_cmd[1] == '\x01':
announcement = "Host Announcement"
host_comment = ''.join(raw_packet[(86 + 32):]).strip()
elif browser_cmd[1] == '\x02':
announcement = "Request Announcement"
elif browser_cmd[1] == '\x0b':
announcement = "Become Backup Browser"
elif browser_cmd[1] == '\x0c':
announcement = "Domain/Workgroup Announcement"
elif browser_cmd[1] == '\x0f':
announcement = "Local Master Announcement"
host_comment = ''.join(raw_packet[(86 + 32):]).strip()
else:
announcement = None
if announcement != "Request Announcement" and announcement != "Become Backup Browser" and len(
list(raw_packet)) > 108:
if list(raw_packet[108:110])[0] == '\x0a' and list(
raw_packet[108:110])[1] == '\x00':
os = 'Windows 10 / Server 2016 (NT 10.0)'
elif list(raw_packet[108:110])[0] == '\x06' and list(
raw_packet[108:110])[1] == '\x00':
os = 'Windows Vista / Server 2008 (NT 6.0)'
elif list(raw_packet[108:110])[0] == '\x06' and list(
raw_packet[108:110])[1] == '\x01':
os = 'Windows 7 / Server 2008 R2 (NT 6.1)'
elif list(raw_packet[108:110])[0] == '\x06' and list(
raw_packet[108:110])[1] == '\x02':
os = 'Windows 8 / Server 2012 (NT 6.2)'
elif list(raw_packet[108:110])[0] == '\x06' and list(
raw_packet[108:110])[1] == '\x03':
os = 'Windows 8.1 / Server 2012 R2 (NT 6.3)'
elif list(raw_packet[108:110])[0] == '\x05' and list(
raw_packet[108:110])[1] == '\x00':
os = 'Windows 2000 (NT 5.0)'
elif list(raw_packet[108:110])[0] == '\x05' and list(
raw_packet[108:110])[1] == '\x01':
os = 'Windows XP (NT 5.1)'
elif list(raw_packet[108:110])[0] == '\x05' and list(
raw_packet[108:110])[1] == '\x02':
os = 'Windows XP Pro x64 / Server 2003 / Server 2003 R2 (NT 5.2)'
else:
os = None
else:
os = None
type = self.packet[NBTDatagram].Type
hostname = self.packet[NBTDatagram].SourceName.strip()
host_ipv4 = str(self.packet[NBTDatagram].SourceIP)
host_type = str(self.packet[NBTDatagram].SUFFIX1)
domain = str(self.packet[NBTDatagram].DestinationName).strip()
sid_keys = {}
if little_endian_server_type and announcement == "Host Announcement":
byte_list = re.findall('..', little_endian_server_type)
server_type_binary = []
for b in byte_list:
bin_byte = bin(int(b, 16))[2:].zfill(8)
server_type_binary.append(bin_byte)
little_end_srv_bin_list = server_type_binary[::-1]
server_type_binary_string = ''.join(
little_end_srv_bin_list).strip()
server_type_keys_1 = [
'novell', 'apple', 'time_source', 'backup_controller',
'domain_controller', 'sql_server', 'server', 'workstation'
]
server_type_keys_2 = [
'nt_server_1', 'nt_server_2', 'wfw', 'nt_workstation',
'xenix', 'dialin', 'print', 'member'
]
server_type_keys_3 = [
'dfs', 'windows_95_plus', 'vms', 'osf',
'domain_master_browser', 'master_browser',
'backup_browser', 'potential_browser'
]
server_type_values_1 = list(server_type_binary_string)[0:8]
server_type_values_2 = list(server_type_binary_string)[8:16]
server_type_values_3 = list(server_type_binary_string)[16:24]
server_type_keys = server_type_keys_1 + server_type_keys_2 + server_type_keys_3
server_type_values = server_type_values_1 + server_type_values_2 + server_type_values_3
sid_keys = dict(zip(server_type_keys, server_type_values))
if {
username: username_host
} not in self.keys['usernames'] and username != None:
self.keys['usernames'].append({username: username_host})
if 'MSBROWSE' in domain:
domain = 'MSBROWSE'
if domain not in self.keys[
'domains'] and domain != None and 'MSBROWSE' not in domain and domain not in self.keys[
'hosts'].keys():
self.keys['domains'].append(domain)
if dport not in self.keys['ports']:
self.keys['ports'].append(dport)
if protocol not in self.keys['protocols']:
self.keys['protocols'].append(protocol)
if os not in self.keys[
'fingerprints'] and os != None and os != 'Unknown':
self.keys['fingerprints'].append(os)
if notes not in self.keys[
'fingerprints'] and notes != None and not notes.startswith(
'Performed'):
self.keys['fingerprints'].append(notes)
if router not in self.keys['routers'] and router != None:
self.keys['routers'].append(router)
if dns not in self.keys['dns'] and dns != None:
self.keys['dns'].append(dns)
if hostname not in self.keys['hosts'].keys() and hostname != None:
self.keys['hosts'].update({
hostname: {
'mac': mac,
'domain': domain,
'ipv4': host_ipv4,
'ipv6': ipv6,
'os': os,
'notes': notes,
'protocol': protocol,
'segment': segment,
'server_keys': sid_keys,
'comment': host_comment
}
})
else:
if self.keys['hosts'][hostname]['os'] == None or self.keys[
'hosts'][hostname]['os'] == 'Unknown':
engine.UpdateReconKeys(self.keys, hostname,
os=os).operating_system()
return self.keys
def search(self):
if self.packet.getlayer(Ether) and self.packet.getlayer(
UDP) and self.packet.getlayer(
NBNSQueryRequest
) and self.packet[UDP].dport == 137 and self.packet[
Ether].dst == 'ff:ff:ff:ff:ff:ff':
raw_packet = list(str(self.packet[NBNSQueryRequest]))
mac = self.packet[Ether].src
sport = self.packet[IP].sport
dport = self.packet[IP].dport
ipv4 = self.packet[IP].src
question = self.packet[NBNSQueryRequest].QUESTION_NAME.strip()
suffix = self.packet[NBNSQueryRequest].SUFFIX
attack = 'NBNS Poisoning'
description = '''
Hosts discovered from NBNS traffic may potentially be abused to capture NetNTLMv2 hashes.
Poisoning responses to NBNS name lookups may also provide a means of remote code execution
against hosts which do not enforce SMB signing by performing NTLM Relay attacks against them.
~ NetNTLMv2 Hash Capture Example ~
. Responder.py -I eth0 -wr(fd)
~ NTLM Relay Example ~
. Responder.py -I eth0 -wr(fd)
. ntlmrelayx.py -tf <relay_targets_file> --enum-local-admins -c "ipconfig /all"
'''
ipv6 = None
domain = None
dns = None
router = None
hostname = None
os = None
suffix_type = None
notes = None
sid_keys = {}
segment = '{}.0/24'.format('.'.join(ipv4.split('.')[0:3]))
protocol = 'NBNS'
if str(suffix) == '16705':
suffix_type = 'workstation'
if str(suffix) == '16973':
suffix_type = 'domain controller'
if str(suffix) == '17217':
suffix_type = 'file server service'
if str(suffix) == '16970':
suffix_type = 'unknown'
if dport not in self.keys['ports']:
self.keys['ports'].append(dport)
if attack not in self.keys['attacks'].keys():
self.keys['attacks'].update({attack: description})
if domain not in self.keys['domains'] and domain not in self.keys[
'hosts'].keys(
) and domain != None and '__MSBROWSE__' not in domain:
self.keys['domains'].append(domain)
if protocol not in self.keys['protocols']:
self.keys['protocols'].append(protocol)
if 'WPAD' in question and 'WPAD' not in self.keys['protocols']:
self.keys['protocols'].append('WPAD')
notes = 'WPAD client'
if router not in self.keys['routers'] and router != None:
self.keys['routers'].append(router)
if dns not in self.keys['dns'] and dns != None:
self.keys['dns'].append(dns)
if hostname not in self.keys['hosts'].keys():
if hostname != None:
self.keys['hosts'].update({
hostname: {
'mac': mac,
'ipv4': ipv4,
'ipv6': ipv6,
'domain': domain,
'lookup': question,
'suffix_type': suffix_type,
'os': os,
'protocol': protocol,
'notes': notes,
'server_keys': sid_keys
}
})
else:
if self.keys['hosts'][hostname]['os'] == None or self.keys[
'hosts'][hostname]['os'] == 'Unknown':
engine.UpdateReconKeys(self.keys, hostname,
os=os).operating_system()
return self.keys