lgandx / Responder

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
GNU General Public License v3.0

SMBv2 Server Able to be Fingerprinted via GUID #266

Closed agreenbhm closed 9 months ago

agreenbhm commented 9 months ago

In packets.py, the "SMB2NegoAns" class has a field "Guid" that is set to a static value. This value has been identified and published for blue teams to use for fingerprinting with detection tools. See post here: https://infosec.exchange/@taylorparizo/111689732675331393

Conversely, the same field for the class "SMBNegoAns" (which I assume is for SMBv1) dynamically generates this GUID from urandom at runtime. Unless there is an explicit reason as to why this field for SMB2 must remain static, it should be dynamically generated at runtime as well.
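A defender-side check for the fingerprint described in this issue, added here as an example that is not Responder's own code: it parses an SMB2 NEGOTIATE response, extracts the ServerGuid field, and compares it against a watch list of GUIDs known to be hard-coded. The watch-list value is a constructed placeholder, since the actual GUID is in the linked post, not on this page.

```python
# Added example (not from Responder): flag SMB2 NEGOTIATE responses whose
# ServerGuid matches a known static value. Offsets follow MS-SMB2 2.2.1/2.2.4.
import struct
import uuid

SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on responses
SMB2_HEADER_LEN = 64
# NEGOTIATE response body: StructureSize(2) SecurityMode(2) DialectRevision(2)
# Reserved(2) ServerGuid(16) ...  so the GUID starts 8 bytes into the body.
SERVER_GUID_OFFSET = SMB2_HEADER_LEN + 8

# Constructed placeholder: replace with the GUID published in the advisory.
PLACEHOLDER_STATIC_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
KNOWN_STATIC_GUIDS = {PLACEHOLDER_STATIC_GUID}

def extract_server_guid(msg: bytes):
    """Return the ServerGuid of an SMB2 NEGOTIATE response, or None otherwise."""
    if len(msg) < SERVER_GUID_OFFSET + 16 or msg[:4] != SMB2_PROTOCOL_ID:
        return None
    structure_size, = struct.unpack_from("<H", msg, 4)
    command, = struct.unpack_from("<H", msg, 12)
    flags, = struct.unpack_from("<I", msg, 16)
    if structure_size != SMB2_HEADER_LEN or command != SMB2_NEGOTIATE:
        return None
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return None                      # a request carries no ServerGuid
    body_size, = struct.unpack_from("<H", msg, SMB2_HEADER_LEN)
    if body_size != 65:                  # fixed size of the response structure
        return None
    # GUIDs are little-endian on the wire (MS-DTYP 2.3.4.2).
    return uuid.UUID(bytes_le=msg[SERVER_GUID_OFFSET:SERVER_GUID_OFFSET + 16])

def is_fingerprintable(msg: bytes, known=KNOWN_STATIC_GUIDS) -> bool:
    guid = extract_server_guid(msg)
    return guid is not None and guid in known

def fresh_guid() -> uuid.UUID:
    """What a server that randomises its GUID per run would send."""
    return uuid.uuid4()

def build_negotiate_response(server_guid: uuid.UUID) -> bytes:
    """Constructed minimal SMB2 NEGOTIATE response for testing the parser."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_PROTOCOL_ID, 64, 0, 0,
                         SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR,
                         0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, 0x0210, 0,
                       server_guid.bytes_le, 0, 0x800000, 0x800000, 0x800000,
                       0, 0, 0x80, 0, 0)
    return header + body
```

Running the check over captured NEGOTIATE responses tells you only that a server reuses a known GUID; a randomised GUID, as the SMBv1 path already does, simply removes this particular signal.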

lgandx commented 9 months ago

Great catch! Working on this and other stuff :)

lgandx commented 9 months ago

Solved in https://github.com/lgandx/Responder/commit/66ee7f8f08f57926f5b3694ffb9e87619eee576f and much more potential sig. Thanks!