def search(self): if self.packet.getlayer(IPv6) and self.packet.getlayer(DHCP6_Solicit): mac = self.packet[Ether].src fqdn = self.packet[DHCP6_Solicit].fqdn hostname = fqdn.split('.')[0] ipv6 = self.packet[IPv6].src ipv4 = None domain = '.'.join(fqdn.split('.')[1:]).rstrip('.').upper() dns = None router = None segment = None os = None notes = None enterprisenum = self.packet[DHCP6_Solicit].enterprisenum protocol = 'DHCPv6' attack = None description = None if str(enterprisenum) == '311': enterprise = 'Microsoft' os = 'Microsoft Windows' if protocol not in self.keys['protocols']: self.keys['protocols'].append(protocol) if domain not in self.keys['domains'] and domain != None and '__MSBROWSE__' not in domain: self.keys['domains'].append(domain) if router not in self.keys['routers'] and router != None: self.keys['routers'].append(router) if dns not in self.keys['dns'] and dns != None: self.keys['dns'].append(dns) if hostname not in self.keys['hosts'].keys() and hostname != None: self.keys['hosts'].update({hostname: {'mac': mac, 'ipv4': ipv4, 'domain': domain, 'ipv6': ipv6, 'enterprisenum': enterprisenum, 'enterprise': enterprise, 'os': os, 'protocol': protocol, 'notes': notes, 'attacks': attack}}) if attack not in self.keys['attacks'].keys() and attack != None: self.keys['attacks'].update({attack: description}) else: if self.keys['hosts'][hostname]['os'] == None or self.keys['hosts'][hostname]['os'] == 'Unknown': engine.UpdateReconKeys(self.keys, hostname, os=os).operating_system() if self.keys['hosts'][hostname]['ipv6'] == None or self.keys['hosts'][hostname]['ipv6'] == 'Unknown': engine.UpdateReconKeys(self.keys, hostname, ipv6=ipv6).ip_v6() return self.keys
def search(self): if self.packet.getlayer(Ether) and self.packet.getlayer(LLMNRResponse): mac = self.packet[Ether].src ipv4 = None ipv6 = None domain = None dns = None router = None notes = None hostname = None os = None sport = self.packet[UDP].sport dport = self.packet[UDP].dport sid_keys = {} protocol = 'LLMNR' attack = None description = None qname = self.packet[LLMNRResponse].qd.qname qtype = self.packet[LLMNRResponse].qd.qtype qclass = self.packet[LLMNRResponse].qd.qclass rrname = str(self.packet[LLMNRResponse].an.rrname).strip('.') rtype = self.packet[LLMNRResponse].an.type rclass = self.packet[LLMNRResponse].an.rclass rdata = self.packet[LLMNRResponse].an.rdata r_ns = self.packet[LLMNRResponse].ns r_ar = self.packet[LLMNRResponse].ar if protocol not in self.keys['protocols']: self.keys['protocols'].append(protocol) if domain not in self.keys['domains'] and domain not in self.keys['hosts'].keys(): self.keys['domains'].append(domain) if rrname not in self.keys['hosts'].keys() and rrname != None: self.keys['hosts'].update({rrname: {'ipv4': rdata, 'mac': mac, 'domain': 'Unknown', 'ipv6': ipv6, 'os': os, 'protocol': protocol, 'server_keys': sid_keys, 'attacks': attack}}) if attack not in self.keys['attacks'].keys() and attack != None: self.keys['attacks'].update({attack: description}) else: if self.keys['hosts'][rrname]['os'] == None or self.keys['hosts'][rrname]['os'] == 'Unknown': engine.UpdateReconKeys(self.keys, rrname, os=os).operating_system() return self.keys
def search(self): username = None username_host = None broadcast = None if self.packet.getlayer(IP): broadcast = '{}.255'.format('.'.join( self.packet[IP].src.split('.')[0:3])) if broadcast and self.packet.getlayer( UDP) and self.packet[IP].dst == broadcast and self.packet[ UDP].sport == 138 and self.packet[UDP].dport == 138: raw_packet = list(str(self.packet[Raw])) if '\x12' in raw_packet: logon_index = raw_packet.index('\x12') check_logon = raw_packet[logon_index + 1] if check_logon == '\x00': username = ''.join( raw_packet[logon_index + 4 + 10:logon_index + 4 + 10 + 26]).replace('\x00', '') username_host = ''.join(raw_packet[(logon_index + 4):(logon_index + 4 + 10)]).replace( '\x00', '') if self.packet.getlayer(UDP) and self.packet.getlayer( NBTDatagram ) and self.packet[UDP].sport == 138 and self.packet[UDP].dport == 138: mac = self.packet[Ether].src ipv4 = self.packet[IP].src segment = '{}.0/24'.format('.'.join(ipv4.split('.')[0:3])) ipv6 = None domain = None domain_controller = False os = None sport = self.packet[IP].sport dport = self.packet[IP].dport dns = None router = None raw_packet = list(str(self.packet[Raw])) browser_cmd = raw_packet[85:87] notes = None attack = None protocol = 'Windows Browser Datagram' host_comment = None server_type = ''.join(list(raw_packet[110:114])).encode('hex') little_endian_server_type = ''.join( list(raw_packet[110:114])[::-1]).encode('hex') if browser_cmd[1] == '\x01': announcement = "Host Announcement" host_comment = ''.join(raw_packet[(86 + 32):]).strip() elif browser_cmd[1] == '\x02': announcement = "Request Announcement" elif browser_cmd[1] == '\x0b': announcement = "Become Backup Browser" elif browser_cmd[1] == '\x0c': announcement = "Domain/Workgroup Announcement" elif browser_cmd[1] == '\x0f': announcement = "Local Master Announcement" host_comment = ''.join(raw_packet[(86 + 32):]).strip() else: announcement = None if announcement != "Request Announcement" and announcement != "Become Backup Browser" and len( list(raw_packet)) > 108: if list(raw_packet[108:110])[0] == '\x0a' and list( raw_packet[108:110])[1] == '\x00': os = 'Win 10 / Server 2016 (NT 10.0)' elif list(raw_packet[108:110])[0] == '\x06' and list( raw_packet[108:110])[1] == '\x00': os = 'Win Vista / Server 2008 (NT 6.0)' elif list(raw_packet[108:110])[0] == '\x06' and list( raw_packet[108:110])[1] == '\x01': os = 'Win 7 / Server 2008 R2 (NT 6.1)' attack = 'EternalBlue SMB Remote Code Execution' description = ''' 1 or more hosts were found running outdated versions of the Windows operating system. Hosts running Windows 7 or Server 2008 R2 may be affected by an SMBv1 vulnerability which results in arbitrary remote code execution in the privilege context of SYSTEM. This vulnerability can be confirmed using the MS17_010 SMB RCE Detection module found within the Metasploit Framework and following the below steps: ~ MSF Example ~ - use auxiliary/scanner/smb/smb_ms17_010 - set RHOSTS <target_hosts> - set SMBDomain <target_domain_name> (optional) - set SMBUser <username> (optional) - set SMBPass <password> (optional) - run ''' elif list(raw_packet[108:110])[0] == '\x06' and list( raw_packet[108:110])[1] == '\x02': os = 'Win 8 / Server 2012 (NT 6.2)' elif list(raw_packet[108:110])[0] == '\x06' and list( raw_packet[108:110])[1] == '\x03': os = 'Win 8.1 / Server 2012 R2 (NT 6.3)' elif list(raw_packet[108:110])[0] == '\x05' and list( raw_packet[108:110])[1] == '\x00': os = 'Win 2000 (NT 5.0)' elif list(raw_packet[108:110])[0] == '\x05' and list( raw_packet[108:110])[1] == '\x01': os = 'Win XP (NT 5.1)' elif list(raw_packet[108:110])[0] == '\x05' and list( raw_packet[108:110])[1] == '\x02': os = 'Win XP Pro x64 / Server 2003 / Server 2003 R2 (NT 5.2)' else: os = None else: os = None type = self.packet[NBTDatagram].Type hostname = self.packet[NBTDatagram].SourceName.strip() host_ipv4 = str(self.packet[NBTDatagram].SourceIP) host_type = str(self.packet[NBTDatagram].SUFFIX1) domain = str(self.packet[NBTDatagram].DestinationName).strip() sid_keys = {} if little_endian_server_type and announcement == "Host Announcement": byte_list = re.findall('..', little_endian_server_type) server_type_binary = [] for b in byte_list: bin_byte = bin(int(b, 16))[2:].zfill(8) server_type_binary.append(bin_byte) little_end_srv_bin_list = server_type_binary[::-1] server_type_binary_string = ''.join( little_end_srv_bin_list).strip() server_type_keys_1 = [ 'novell', 'apple', 'time_source', 'backup_controller', 'domain_controller', 'sql_server', 'server', 'workstation' ] server_type_keys_2 = [ 'nt_server_1', 'nt_server_2', 'wfw', 'nt_workstation', 'xenix', 'dialin', 'print', 'member' ] server_type_keys_3 = [ 'dfs', 'windows_95_plus', 'vms', 'osf', 'domain_master_browser', 'master_browser', 'backup_browser', 'potential_browser' ] server_type_values_1 = list(server_type_binary_string)[0:8] server_type_values_2 = list(server_type_binary_string)[8:16] server_type_values_3 = list(server_type_binary_string)[16:24] server_type_keys = server_type_keys_1 + server_type_keys_2 + server_type_keys_3 server_type_values = server_type_values_1 + server_type_values_2 + server_type_values_3 sid_keys = dict(zip(server_type_keys, server_type_values)) if { username: username_host } not in self.keys['usernames'] and username != None: self.keys['usernames'].append({username: username_host}) if 'MSBROWSE' in domain: domain = 'MSBROWSE' if domain not in self.keys[ 'domains'] and domain != None and 'MSBROWSE' not in domain and domain not in self.keys[ 'hosts'].keys(): self.keys['domains'].append(domain) if dport not in self.keys['ports']: self.keys['ports'].append(dport) if protocol not in self.keys['protocols']: self.keys['protocols'].append(protocol) if os not in self.keys[ 'fingerprints'] and os != None and os != 'Unknown': self.keys['fingerprints'].append(os) if notes not in self.keys[ 'fingerprints'] and notes != None and not notes.startswith( 'Performed'): self.keys['fingerprints'].append(notes) if router not in self.keys['routers'] and router != None: self.keys['routers'].append(router) if dns not in self.keys['dns'] and dns != None: self.keys['dns'].append(dns) if hostname not in self.keys['hosts'].keys() and hostname != None: self.keys['hosts'].update({ hostname: { 'mac': mac, 'domain': domain, 'ipv4': host_ipv4, 'ipv6': ipv6, 'os': os, 'notes': notes, 'protocol': protocol, 'segment': segment, 'server_keys': sid_keys, 'comment': host_comment, 'attacks': attack } }) if attack not in self.keys['attacks'].keys() and attack != None: self.keys['attacks'].update({attack: description}) else: if self.keys['hosts'][hostname]['os'] == None or self.keys[ 'hosts'][hostname]['os'] == 'Unknown': engine.UpdateReconKeys(self.keys, hostname, os=os).operating_system() if self.keys['hosts'][hostname]['domain'] == None or self.keys[ 'hosts'][hostname]['domain'] == 'Unknown': engine.UpdateReconKeys(self.keys, hostname, domain=domain).domain_name() if ('server_keys' in self.keys['hosts'][hostname].keys() and self.keys['hosts'][hostname]['server_keys'] == None ) or ('server_keys' in self.keys['hosts'][hostname].keys() and self.keys['hosts'][hostname]['server_keys'] == 'Unknown'): engine.UpdateReconKeys(self.keys, hostname, server_keys=sid_keys).server_type() return self.keys
def search(self): if self.packet.getlayer(Ether) and self.packet.getlayer( UDP) and self.packet.getlayer( NBNSQueryRequest ) and self.packet[UDP].dport == 137 and self.packet[ Ether].dst == 'ff:ff:ff:ff:ff:ff': raw_packet = list(str(self.packet[NBNSQueryRequest])) mac = self.packet[Ether].src sport = self.packet[IP].sport dport = self.packet[IP].dport ipv4 = self.packet[IP].src question = self.packet[NBNSQueryRequest].QUESTION_NAME.strip() suffix = self.packet[NBNSQueryRequest].SUFFIX ipv6 = None domain = None dns = None router = None hostname = None os = None suffix_type = None notes = None sid_keys = {} segment = '{}.0/24'.format('.'.join(ipv4.split('.')[0:3])) protocol = 'NBNS' if str(suffix) == '16705': suffix_type = 'workstation' if str(suffix) == '16973': suffix_type = 'domain controller' if str(suffix) == '17217': suffix_type = 'file server service' if str(suffix) == '16970': suffix_type = 'unknown' if dport not in self.keys['ports']: self.keys['ports'].append(dport) if domain not in self.keys['domains'] and domain not in self.keys[ 'hosts'].keys( ) and domain != None and '__MSBROWSE__' not in domain: self.keys['domains'].append(domain) if protocol not in self.keys['protocols']: self.keys['protocols'].append(protocol) if 'WPAD' in question and 'WPAD' not in self.keys['protocols']: self.keys['protocols'].append('WPAD') notes = 'WPAD client' if router not in self.keys['routers'] and router != None: self.keys['routers'].append(router) if dns not in self.keys['dns'] and dns != None: self.keys['dns'].append(dns) if hostname not in self.keys['hosts'].keys(): if hostname != None: self.keys['hosts'].update({ hostname: { 'mac': mac, 'ipv4': ipv4, 'ipv6': ipv6, 'domain': domain, 'lookup': question, 'suffix_type': suffix_type, 'os': os, 'protocol': protocol, 'notes': notes, 'server_keys': sid_keys } }) else: if self.keys['hosts'][hostname]['os'] == None or self.keys[ 'hosts'][hostname]['os'] == 'Unknown': engine.UpdateReconKeys(self.keys, hostname, os=os).operating_system() return self.keys
def search(self): username = None username_host = None broadcast = None if self.packet.getlayer(IP): broadcast = '{}.255'.format('.'.join( self.packet[IP].src.split('.')[0:3])) if broadcast and self.packet.getlayer( UDP) and self.packet[IP].dst == broadcast and self.packet[ UDP].sport == 138 and self.packet[UDP].dport == 138: raw_packet = list(str(self.packet[Raw])) if '\x12' in raw_packet: logon_index = raw_packet.index('\x12') check_logon = raw_packet[logon_index + 1] if check_logon == '\x00': username = ''.join( raw_packet[logon_index + 4 + 10:logon_index + 4 + 10 + 26]).replace('\x00', '') username_host = ''.join(raw_packet[(logon_index + 4):(logon_index + 4 + 10)]).replace( '\x00', '') if self.packet.getlayer(UDP) and self.packet.getlayer( NBTDatagram ) and self.packet[UDP].sport == 138 and self.packet[UDP].dport == 138: mac = self.packet[Ether].src ipv4 = self.packet[IP].src segment = '{}.0/24'.format('.'.join(ipv4.split('.')[0:3])) ipv6 = None domain = None domain_controller = False os = None sport = self.packet[IP].sport dport = self.packet[IP].dport dns = None router = None raw_packet = list(str(self.packet[Raw])) browser_cmd = raw_packet[85:87] notes = None attack = None protocol = 'Windows Browser Datagram' host_comment = None server_type = ''.join(list(raw_packet[110:114])).encode('hex') little_endian_server_type = ''.join( list(raw_packet[110:114])[::-1]).encode('hex') if browser_cmd[1] == '\x01': announcement = "Host Announcement" host_comment = ''.join(raw_packet[(86 + 32):]).strip() elif browser_cmd[1] == '\x02': announcement = "Request Announcement" elif browser_cmd[1] == '\x0b': announcement = "Become Backup Browser" elif browser_cmd[1] == '\x0c': announcement = "Domain/Workgroup Announcement" elif browser_cmd[1] == '\x0f': announcement = "Local Master Announcement" host_comment = ''.join(raw_packet[(86 + 32):]).strip() else: announcement = None if announcement != "Request Announcement" and announcement != "Become Backup Browser" and len( list(raw_packet)) > 108: if list(raw_packet[108:110])[0] == '\x0a' and list( raw_packet[108:110])[1] == '\x00': os = 'Windows 10 / Server 2016 (NT 10.0)' elif list(raw_packet[108:110])[0] == '\x06' and list( raw_packet[108:110])[1] == '\x00': os = 'Windows Vista / Server 2008 (NT 6.0)' elif list(raw_packet[108:110])[0] == '\x06' and list( raw_packet[108:110])[1] == '\x01': os = 'Windows 7 / Server 2008 R2 (NT 6.1)' elif list(raw_packet[108:110])[0] == '\x06' and list( raw_packet[108:110])[1] == '\x02': os = 'Windows 8 / Server 2012 (NT 6.2)' elif list(raw_packet[108:110])[0] == '\x06' and list( raw_packet[108:110])[1] == '\x03': os = 'Windows 8.1 / Server 2012 R2 (NT 6.3)' elif list(raw_packet[108:110])[0] == '\x05' and list( raw_packet[108:110])[1] == '\x00': os = 'Windows 2000 (NT 5.0)' elif list(raw_packet[108:110])[0] == '\x05' and list( raw_packet[108:110])[1] == '\x01': os = 'Windows XP (NT 5.1)' elif list(raw_packet[108:110])[0] == '\x05' and list( raw_packet[108:110])[1] == '\x02': os = 'Windows XP Pro x64 / Server 2003 / Server 2003 R2 (NT 5.2)' else: os = None else: os = None type = self.packet[NBTDatagram].Type hostname = self.packet[NBTDatagram].SourceName.strip() host_ipv4 = str(self.packet[NBTDatagram].SourceIP) host_type = str(self.packet[NBTDatagram].SUFFIX1) domain = str(self.packet[NBTDatagram].DestinationName).strip() sid_keys = {} if little_endian_server_type and announcement == "Host Announcement": byte_list = re.findall('..', little_endian_server_type) server_type_binary = [] for b in byte_list: bin_byte = bin(int(b, 16))[2:].zfill(8) server_type_binary.append(bin_byte) little_end_srv_bin_list = server_type_binary[::-1] server_type_binary_string = ''.join( little_end_srv_bin_list).strip() server_type_keys_1 = [ 'novell', 'apple', 'time_source', 'backup_controller', 'domain_controller', 'sql_server', 'server', 'workstation' ] server_type_keys_2 = [ 'nt_server_1', 'nt_server_2', 'wfw', 'nt_workstation', 'xenix', 'dialin', 'print', 'member' ] server_type_keys_3 = [ 'dfs', 'windows_95_plus', 'vms', 'osf', 'domain_master_browser', 'master_browser', 'backup_browser', 'potential_browser' ] server_type_values_1 = list(server_type_binary_string)[0:8] server_type_values_2 = list(server_type_binary_string)[8:16] server_type_values_3 = list(server_type_binary_string)[16:24] server_type_keys = server_type_keys_1 + server_type_keys_2 + server_type_keys_3 server_type_values = server_type_values_1 + server_type_values_2 + server_type_values_3 sid_keys = dict(zip(server_type_keys, server_type_values)) if { username: username_host } not in self.keys['usernames'] and username != None: self.keys['usernames'].append({username: username_host}) if 'MSBROWSE' in domain: domain = 'MSBROWSE' if domain not in self.keys[ 'domains'] and domain != None and 'MSBROWSE' not in domain and domain not in self.keys[ 'hosts'].keys(): self.keys['domains'].append(domain) if dport not in self.keys['ports']: self.keys['ports'].append(dport) if protocol not in self.keys['protocols']: self.keys['protocols'].append(protocol) if os not in self.keys[ 'fingerprints'] and os != None and os != 'Unknown': self.keys['fingerprints'].append(os) if notes not in self.keys[ 'fingerprints'] and notes != None and not notes.startswith( 'Performed'): self.keys['fingerprints'].append(notes) if router not in self.keys['routers'] and router != None: self.keys['routers'].append(router) if dns not in self.keys['dns'] and dns != None: self.keys['dns'].append(dns) if hostname not in self.keys['hosts'].keys() and hostname != None: self.keys['hosts'].update({ hostname: { 'mac': mac, 'domain': domain, 'ipv4': host_ipv4, 'ipv6': ipv6, 'os': os, 'notes': notes, 'protocol': protocol, 'segment': segment, 'server_keys': sid_keys, 'comment': host_comment } }) else: if self.keys['hosts'][hostname]['os'] == None or self.keys[ 'hosts'][hostname]['os'] == 'Unknown': engine.UpdateReconKeys(self.keys, hostname, os=os).operating_system() return self.keys
def search(self): if self.packet.getlayer(Ether) and self.packet.getlayer( UDP) and self.packet.getlayer( NBNSQueryRequest ) and self.packet[UDP].dport == 137 and self.packet[ Ether].dst == 'ff:ff:ff:ff:ff:ff': raw_packet = list(str(self.packet[NBNSQueryRequest])) mac = self.packet[Ether].src sport = self.packet[IP].sport dport = self.packet[IP].dport ipv4 = self.packet[IP].src question = self.packet[NBNSQueryRequest].QUESTION_NAME.strip() suffix = self.packet[NBNSQueryRequest].SUFFIX attack = 'NBNS Poisoning' description = ''' Hosts discovered from NBNS traffic may potentially be abused to capture NetNTLMv2 hashes. Poisoning responses to NBNS name lookups may also provide a means of remote code execution against hosts which do not enforce SMB signing by performing NTLM Relay attacks against them. ~ NetNTLMv2 Hash Capture Example ~ . Responder.py -I eth0 -wr(fd) ~ NTLM Relay Example ~ . Responder.py -I eth0 -wr(fd) . ntlmrelayx.py -tf <relay_targets_file> --enum-local-admins -c "ipconfig /all" ''' ipv6 = None domain = None dns = None router = None hostname = None os = None suffix_type = None notes = None sid_keys = {} segment = '{}.0/24'.format('.'.join(ipv4.split('.')[0:3])) protocol = 'NBNS' if str(suffix) == '16705': suffix_type = 'workstation' if str(suffix) == '16973': suffix_type = 'domain controller' if str(suffix) == '17217': suffix_type = 'file server service' if str(suffix) == '16970': suffix_type = 'unknown' if dport not in self.keys['ports']: self.keys['ports'].append(dport) if attack not in self.keys['attacks'].keys(): self.keys['attacks'].update({attack: description}) if domain not in self.keys['domains'] and domain not in self.keys[ 'hosts'].keys( ) and domain != None and '__MSBROWSE__' not in domain: self.keys['domains'].append(domain) if protocol not in self.keys['protocols']: self.keys['protocols'].append(protocol) if 'WPAD' in question and 'WPAD' not in self.keys['protocols']: self.keys['protocols'].append('WPAD') notes = 'WPAD client' if router not in self.keys['routers'] and router != None: self.keys['routers'].append(router) if dns not in self.keys['dns'] and dns != None: self.keys['dns'].append(dns) if hostname not in self.keys['hosts'].keys(): if hostname != None: self.keys['hosts'].update({ hostname: { 'mac': mac, 'ipv4': ipv4, 'ipv6': ipv6, 'domain': domain, 'lookup': question, 'suffix_type': suffix_type, 'os': os, 'protocol': protocol, 'notes': notes, 'server_keys': sid_keys } }) else: if self.keys['hosts'][hostname]['os'] == None or self.keys[ 'hosts'][hostname]['os'] == 'Unknown': engine.UpdateReconKeys(self.keys, hostname, os=os).operating_system() return self.keys