thinkst / opencanary

Modular and decentralised honeypot
http://opencanary.org
BSD 3-Clause "New" or "Revised" License

Initial support for LLMNR #339

Closed defensivedepth closed 1 month ago

defensivedepth commented 5 months ago

Proposed changes

Adds support for Canary LLMNR. Uses Scapy to broadcast an LLMNR query for the canary hostname. If it receives an LLMNR response, it confirms that it was for the canary hostname and then logs the event. The following is configurable:

Sample log output, generated by using Responder to poison the LLMNR request:

{"dst_host": "0.0.0.0", "dst_port": 5355, "local_time": "2024-01-20 21:41:58.716469", "local_time_adjusted": "2024-01-20 21:41:58.716499", "logdata": {"query_hostname": "DC03", "response": "DNS Ans \"10.0.0.22\" "}, "logtype": 19001, "node_id": "opencanary-1", "src_host": "192.168.16.27", "src_port": 5355, "utc_time": "2024-01-20 21:41:58.716495"}

Discussion: https://github.com/thinkst/opencanary/discussions/335

Types of changes

Checklist

I will add docs once it's confirmed that this PR will be accepted.

Further comments

N/A
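As an added illustration (not code from this PR or from OpenCanary), the canary query and the check on the reply can be built with only the standard library, which is the Scapy-free direction jayjb asks about later in the thread. The hostname DC03, the transaction ID and the poisoned reply below are constructed sample values; a real sender would put the query on UDP 224.0.0.252:5355 and feed whatever comes back to `parse_response`.

```python
import socket
import struct

def encode_name(hostname):
    # LLMNR uses DNS wire names: length-prefixed labels ending in a zero byte
    return b"".join(bytes([len(lab)]) + lab.encode("ascii")
                    for lab in hostname.strip(".").split(".")) + b"\x00"

def build_query(hostname, txid):
    # Header: ID, flags=0 (standard query), QDCOUNT=1; one question, type A, class IN
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(hostname) + struct.pack("!HH", 1, 1)

def decode_name(buf, off):
    # Returns (name, offset after the name); follows a DNS compression pointer if present
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(buf, ptr)
            return ".".join(labels + [tail]), off + 2
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def parse_response(buf, expected_txid, canary):
    # A-record IPs answered for the canary name; None if not a reply to our query
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", buf[:12])
    if txid != expected_txid or not flags & 0x8000:
        return None
    off = 12
    for _ in range(qd):
        qname, off = decode_name(buf, off)
        off += 4                          # skip QTYPE and QCLASS
        if qname.lower() != canary.lower():
            return None
    ips = []
    for _ in range(an):
        name, off = decode_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4 and name.lower() == canary.lower():
            ips.append(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen
    return ips

def constructed_poisoned_response(txid, canary, ip):
    # Constructed sample (not a capture): response flag set, question echoed, one A record, TTL 30
    return (struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0) + encode_name(canary) + struct.pack("!HH", 1, 1)
            + encode_name(canary) + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(ip))
```

An unsolicited reply for the canary name is the event worth logging, since nothing legitimate on the network should answer for a hostname that does not exist.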

defensivedepth commented 4 months ago

Anything I can do to help move this along?

theidiotyouyellat commented 2 months ago

@jayjb any luck in getting this included?

jayjb commented 2 months ago

Hi @defensivedepth, @theidiotyouyellat,

Sorry for the delay with this. We like the idea, we don't love the dependency on Scapy though (it's quite a heavy dependency for what we're using it for). I'm trying to figure a way we can craft those Queries without it. If not, I'll likely accept this for now while we improve it.

defensivedepth commented 2 months ago

@jayjb Thanks for the feedback. The Scapy dep is not new - the SNMP module already requires it. What specifically is the concern?

mclmax commented 2 months ago

hey @defensivedepth and @theidiotyouyellat, taking a look. hit you back shortly

defensivedepth commented 1 month ago

I resolved the change request, thanks!

mclmax commented 1 month ago

awesome, thanks @defensivedepth! merged

mclmax commented 1 month ago

Now it's merged ;)