lgandx / Responder

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
GNU General Public License v3.0

Help filtering Responder "spam?" #284

Closed 7MinSec closed 1 month ago

7MinSec commented 3 months ago

Hello,

Something weird I've never seen on a test before: I start Responder-ing like normal with responder.py -I eth0 -Pv and then several devices on the network end up Responder-spamming me with hundreds of requests like this:

```
[*] [MDNS] Poisoned answer sent to 192.168.11.20   for name SONY-TV(1)._dosvc
...
...
[*] [MDNS] Poisoned answer sent to 192.168.11.20   for name SONY-TV(385)._dosvc
[*] [MDNS] Poisoned answer sent to 192.168.11.20   for name SONY-TV(386)._dosvc
[*] [MDNS] Poisoned answer sent to 192.168.11.20   for name SONY-TV(387)._dosvc
```

Within a few seconds the console log is overwhelmed, errors start popping up, and I have to kill the process.

I've tried playing with the Responder.conf file to see if there's something I can set in the "don't respond to" sections, but I can't get things quieted down. Any ideas?

Thanks, Brian

griffr10 commented 3 months ago

We are seeing the same issue on our current test. It causes Responder to crash within minutes.

lgandx commented 3 months ago

Could you provide the stack trace?

Thanks,

On Tue, Aug 20, 2024, 5:34 PM griffr10 wrote:

We are seeing the same issue on our current test. It causes Responder to crash within minutes.

griffr10 commented 3 months ago

Command:

```
sudo python3 Responder.py -I eth0 --lm --disable-ess
```

Stack Trace:

```
----------------------------------------
  File "/usr/lib/python3.11/socketserver.py", line 755, in __init__
    self.handle()
  File "/home/kali/Tools/Responder/poisoners/MDNS.py", line 85, in handle
    SavePoisonersToDb({
  File "/home/kali/Tools/Responder/utils.py", line 406, in SavePoisonersToDb
    cursor.execute("INSERT INTO Poisoned VALUES(datetime('now'), ?, ?, ?, ?)", (result['Poisoner'], result['SentToIp'], result['ForName'], result['AnalyzeMode']))
sqlite3.OperationalError: database is locked
  File "/home/kali/Tools/Responder/poisoners/MDNS.py", line 103, in handle
    SavePoisonersToDb({
  File "/usr/lib/python3.11/socketserver.py", line 755, in __init__
    self.handle()
  File "/home/kali/Tools/Responder/poisoners/MDNS.py", line 85, in handle
    SavePoisonersToDb({
  File "/home/kali/Tools/Responder/utils.py", line 406, in SavePoisonersToDb
    cursor.execute("INSERT INTO Poisoned VALUES(datetime('now'), ?, ?, ?, ?)", (result['Poisoner'], result['SentToIp'], result['ForName'], result['AnalyzeMode']))
  File "/home/kali/Tools/Responder/utils.py", line 406, in SavePoisonersToDb
    cursor.execute("INSERT INTO Poisoned VALUES(datetime('now'), ?, ?, ?, ?)", (result['Poisoner'], result['SentToIp'], result['ForName'], result['AnalyzeMode']))
sqlite3.OperationalError: database is locked
sqlite3.OperationalError: database is locked
```

I believe the issue may be occurring because responder is repeatedly trying to poison the same IP and name combination and it is filling the database. A snippet of what we are seeing can be found below.

```
[*] [MDNS] Poisoned answer sent to fe80::59b4:f827:4e14:2034 for name search-name(4037)._dosvc
[*] [MDNS] Poisoned answer sent to 10.11.20.135    for name search-name(4038)._dosvc
[*] [MDNS] Poisoned answer sent to 10.11.20.135    for name search-name(4039)._dosvc
[*] [MDNS] Poisoned answer sent to 10.11.20.135    for name search-name(4040)._dosvc
[*] [MDNS] Poisoned answer sent to 10.11.20.135    for name search-name(4041)._dosvc
[*] [MDNS] Poisoned answer sent to 10.11.20.135    for name search-name(4042)._dosvc
[*] [MDNS] Poisoned answer sent to 10.11.20.135    for name search-name(4043)._dosvc
[*] [MDNS] Poisoned answer sent to 10.11.20.135    for name search-name(4044)._dosvc
[*] [MDNS] Poisoned answer sent to 10.11.20.135    for name search-name(4045)._dosvc
[*] [MDNS] Poisoned answer sent to 10.11.20.135    for name search-name(4046)._dosvc
[*] [MDNS] Poisoned answer sent to 10.11.20.135    for name search-name(4047)._dosvc
[*] [MDNS] Poisoned answer sent to fe80::59b4:f827:4e14:2034 for name search-name(4047)._dosvc
[*] [MDNS] Poisoned answer sent to 10.11.20.135    for name search-name(4049)._dosvc
----------------------------------------
Exception occurred during processing of request from ('::ffff:10.11.20.135', 5353, 0, 0)
----------------------------------------
[*] [MDNS] Poisoned answer sent to 10.11.20.135    for name search-name(4050)._dosvc
[*] [MDNS] Poisoned answer sent to fe80::59b4:f827:4e14:2034 for name search-name(4050)._dosvc
```

7MinSec commented 3 months ago

And not sure this is helpful but I eventually got this "fixed" on my pentest by setting Responder to not respond to about half a dozen IPv4/IPv6 addresses. I can do some unblocking of addresses later in this engagement if you need me to do some testing or data-gathering, but right now I need Responder working :-)

7MinSec commented 3 months ago

Just started a new test today and was having the same issue. I killed Python process and reviewed logs and found tons of entries like this:

```
[*] [MDNS] Poisoned answer sent to CLIENT_SYSTEM_IPV6_ADDRESS for name MY-PENTEST-BOX-NAME(4508)._dosvc
[*] [MDNS] Poisoned answer sent to CLIENT_SYSTEM_IPV4_ADDRESS for name MY-PENTEST-BOX-NAME(4509)._dosvc
```

The number in parentheses goes up with each "hit." I added both the IPv4 and IPv6 addresses to DontRespondTo and that quieted things down to where I could run the tool without it crashing.

3ldidi94 commented 3 months ago

Same issue here. I also need to add IPv4 addresses in the DontRespondTo setting to avoid this issue, but the tool becomes less interesting with that setting.

mattysmith00 commented 2 months ago

I've been having the same issue for the past few weeks. I have tested it on older versions of Kali from 2022 - 2024, still had the same issue, so switched from Virtualbox to VMware. Issue still remained.

jeffmcjunkin commented 2 months ago

I had the same in an isolated environment with a Windows 11 23H2 host being the box looping in responses.

puzzlepeaches commented 2 months ago

Cheaty fix that I'm too lazy to create an MR for below:

  1. Open poisoners/MDNS.py
  2. Go to the class definition of MDNS
  3. Underneath MDNSType = Parse_IPV6_Addr(data) add the following

```python
if b"_dosvc" in data:
    return
```

g0hm4 commented 2 months ago

Works beautifully - thank you

jeffmcjunkin commented 2 months ago

I made a PR for @g0hm4, @7MinSec, and myself with @g0hm4's fix above.

@lgandx , is this worth committing for now?

lgandx commented 2 months ago

Working on a fix, will push it soon.

lgandx commented 2 months ago

Added a permanent fix with: https://github.com/lgandx/Responder/commit/e918fe01c617e482d8b24525db581c403104ab28

You can now disable a TLD for MDNS requests in Responder.conf with the option "DontRespondToTLD"; _dosvc is now disabled by default.

Thanks for reporting this issue!
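Added illustration, not part of this thread and not Responder's own code: a stand-alone Python sketch of the two ideas discussed above, the `b"_dosvc" in data` workaround from puzzlepeaches' comment and the suffix-based DontRespondToTLD filter from the maintainer's fix. It decodes the mDNS question section properly instead of substring-matching the raw datagram (so a `_dosvc` byte sequence inside an unrelated label does not suppress an answer, and a crafted compression-pointer loop cannot hang the handler), applies the suffix filter, and, going beyond the page's fix, caps answers per source IP so a single chatty host cannot flood the logger and database whatever suffix it queries. `DONT_RESPOND_TO_TLD`, `should_poison`, `SourceRateLimiter`, `triage` and the definition of "TLD" as the last label after a trailing `local` are my assumptions; the sample packets are constructed, not captures.

```python
import struct
import time
from collections import defaultdict, deque

# Hypothetical filter list mirroring the idea of the DontRespondToTLD option
# described in this thread; the suffix is from the logs above, the config
# format and the parsing below are mine, not Responder's.
DONT_RESPOND_TO_TLD = {"_dosvc"}


def _read_name(packet: bytes, offset: int):
    """Read a DNS name at `offset`, following compression pointers.

    Returns (labels, offset_after_name). A hop limit stops crafted pointer
    loops from hanging the handler.
    """
    labels = []
    end = None
    hops = 0
    while True:
        if offset >= len(packet):
            raise ValueError("name runs past end of packet")
        length = packet[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:
            if offset + 2 > len(packet):
                raise ValueError("truncated compression pointer")
            if end is None:
                end = offset + 2  # name ends after the first pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        labels.append(packet[offset:offset + length].decode("latin-1"))
        offset += length
    return labels, (end if end is not None else offset)


def parse_dns_questions(packet: bytes):
    """Decode the question section of a DNS/mDNS query into
    [(name, qtype, qclass)], masking the mDNS unicast-response (QU) bit."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        labels, offset = _read_name(packet, offset)
        if offset + 4 > len(packet):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append((".".join(labels), qtype, qclass & 0x7FFF))
    return questions


def should_poison(name: str, blocked_tlds=DONT_RESPOND_TO_TLD) -> bool:
    """Suffix filter. 'TLD' here is the last label once a trailing 'local'
    is dropped, so 'SONY-TV(1)._dosvc.local' -> '_dosvc' (my convention)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    if labels and labels[-1].lower() == "local":
        labels.pop()
    if not labels:
        return False
    return labels[-1].lower() not in {t.lower() for t in blocked_tlds}


class SourceRateLimiter:
    """Per-source cap on answers in a sliding window. This goes beyond the
    thread's fix: it bounds the damage from any chatty host, whatever suffix
    it queries, so the logger and database are never flooded."""

    def __init__(self, max_answers=50, window_s=10.0, clock=time.monotonic):
        self.max_answers = max_answers
        self.window_s = window_s
        self.clock = clock
        self._hits = defaultdict(deque)

    def allow(self, src_ip: str) -> bool:
        now = self.clock()
        hits = self._hits[src_ip]
        while hits and now - hits[0] > self.window_s:
            hits.popleft()
        if len(hits) >= self.max_answers:
            return False
        hits.append(now)
        return True


def build_mdns_query(name: str, qtype: int = 1, qclass: int = 0x8001) -> bytes:
    """Construct a one-question mDNS query (sample input, not a capture)."""
    header = struct.pack("!6H", 0, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("latin-1")
                     for l in name.split(".") if l) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def triage(packets, src_ip: str, limiter: SourceRateLimiter):
    """Return the names we would answer for one source after both checks."""
    answered = []
    for pkt in packets:
        for name, _qtype, _qclass in parse_dns_questions(pkt):
            if should_poison(name) and limiter.allow(src_ip):
                answered.append(name)
    return answered


if __name__ == "__main__":
    flood = [build_mdns_query(f"SONY-TV({i})._dosvc.local") for i in range(1, 400)]
    real = [build_mdns_query("FILESRV.local"), build_mdns_query("PRINT01.local")]
    print(triage(flood + real, "192.168.11.20", SourceRateLimiter()))
```

The rate limiter is the part worth keeping even after the suffix filter: the counter in the queried names shows each query is a new name, so a per-name or per-(IP, name) dedupe would not have helped here, whereas a per-source budget stops the flood regardless of what the next chatty service is called.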