Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
GNU General Public License v3.0
5.39k stars, 768 forks
SMBv2 Server Able to be Fingerprinted via GUID #266
In packets.py, the "SMB2NegoAns" class has a field "Guid" that is set to a static value. This value has been identified and published for blue teams to use for fingerprinting with detection tools. See post here: https://infosec.exchange/@taylorparizo/111689732675331393
Conversely, the same field for the class "SMBNegoAns" (which I assume is for SMBv1) dynamically generates this GUID from urandom at runtime. Unless there is an explicit reason as to why this field for SMB2 must remain static, it should be dynamically generated at runtime as well.
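An added defender-side example, not code from the Responder project or from this issue: a small Python parser that pulls the ServerGuid out of an SMB2 NEGOTIATE response and checks it against a list of known static GUIDs, next to the urandom-based generation the post asks for. The known-static list holds only an all-zero placeholder (the published value is in the linked post, not reproduced here), the packet layout follows MS-SMB2 section 2.2.4, and the sample response is constructed inline.

```python
import os
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
HEADER_LEN = 64               # fixed SMB2 header length
GUID_OFF = HEADER_LEN + 8     # ServerGuid follows four 2-byte fields in the body

# PLACEHOLDER only: the real published fingerprint lives in the linked post.
KNOWN_STATIC_GUIDS = {uuid.UUID(int=0)}


def random_server_guid() -> bytes:
    """What the issue asks for: a fresh 16-byte GUID per run, drawn from urandom."""
    return os.urandom(16)


def build_negotiate_response(server_guid: bytes) -> bytes:
    """Constructed minimal SMB2 NEGOTIATE response (header + fixed body), used as sample input."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, HEADER_LEN, 0, 0,
                         SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR,
                         0, 0, 0, 0, 0, b"\0" * 16)
    # StructureSize 65, SecurityMode 1, dialect 0x0210, reserved, then ServerGuid
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, 0x0210, 0, server_guid,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body


def extract_server_guid(pkt: bytes):
    """Return the ServerGuid of an SMB2 NEGOTIATE response, or None if pkt is not one."""
    if len(pkt) < GUID_OFF + 16 or pkt[:4] != SMB2_MAGIC:
        return None
    command, = struct.unpack_from("<H", pkt, 12)
    flags, = struct.unpack_from("<I", pkt, 16)
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return None
    # GUIDs are little-endian on the wire, so decode with bytes_le
    return uuid.UUID(bytes_le=pkt[GUID_OFF:GUID_OFF + 16])


def is_known_static(pkt: bytes) -> bool:
    """Detection check: does this response carry a GUID from the known-static list?"""
    guid = extract_server_guid(pkt)
    return guid is not None and guid in KNOWN_STATIC_GUIDS


if __name__ == "__main__":
    print("static :", is_known_static(build_negotiate_response(b"\0" * 16)))
    print("urandom:", is_known_static(build_negotiate_response(random_server_guid())))
```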