Display hostname of DuT #296

Open
archi opened this issue Nov 6, 2024 · 0 comments

archi commented Nov 6, 2024

I was looking at the SMB traffic in Wireshark and noticed that it also contained the hostname of the DuT. This information isn't displayed yet, and I was wondering if it was possible to add it?
Often it's no new/relevant information, but it might be useful in some scenarios.

Both variants of saveToDb (from utils.py and Report.py) seem to already accept a hostname field. So it's likely just a matter of parsing this at

Username = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')

I played around with this, and this trivial diff works for me:

diff --git a/servers/SMB.py b/servers/SMB.py
index b93ebb7..3ba37c8 100644
--- a/servers/SMB.py
+++ b/servers/SMB.py
@@ -125,6 +125,9 @@ def ParseSMBHash(data,client, Challenge):  #Parse SMB NTLMSSP v1/v2
                UserLen      = struct.unpack('<H',SSPIString[38:40])[0]
                UserOffset   = struct.unpack('<H',SSPIString[40:42])[0]
                Username     = SSPIString[UserOffset:UserOffset+UserLen].decode('UTF-16LE')
+               HostLen      = struct.unpack('<H',SSPIString[46:48])[0]
+               HostOffset   = struct.unpack('<H',SSPIString[48:50])[0]
+               Hostname     = SSPIString[HostOffset:HostOffset+HostLen].decode('UTF-16LE')
                WriteHash    = '%s::%s:%s:%s:%s' % (Username, Domain, codecs.encode(Challenge,'hex').decode('latin-1'), SMBHash[:32], SMBHash[32:])

                SaveToDb({
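Review bot: the three added lines read the Workstation field without any bounds check, so a client that sends a HostOffset/HostLen pair pointing past the end of SSPIString gets a silently truncated slice, and if that slice has odd length the `.decode('UTF-16LE')` raises UnicodeDecodeError and aborts the whole parse (the hash on the next line is then never written). The offsets themselves are consistent with the existing reads: 46:48 is the MaxLen half of the WorkstationFields triple (Len is at 44:46) and 48:50 the low 16 bits of its BufferOffset, mirroring UserLen at 38:40 and UserOffset at 40:42, and NTLM clients send Len == MaxLen, so the values will be correct for well-formed messages. Suggest guarding the slice before decoding, e.g. `if HostOffset + HostLen > len(SSPIString): Hostname = ''`, or at least decoding with `errors='replace'`, so a malformed or hostile Workstation field cannot cost you the captured hash.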
@@ -132,6 +135,7 @@ def ParseSMBHash(data,client, Challenge):  #Parse SMB NTLMSSP v1/v2
                        'type': 'NTLMv2-SSP',
                        'client': client,
                        'user': Domain+'\\'+Username,
+                       'hostname': Hostname,
                        'hash': SMBHash,
                        'fullhash': WriteHash,
                })
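Review bot: the new `'hostname': Hostname` entry is only defined when the lines added in the previous hunk have run on the same code path; if any other branch of ParseSMBHash (the function comment says it covers NTLMSSP v1 as well as v2) calls SaveToDb without first assigning Hostname, the record passed there will differ in shape from this one, so please check that every SaveToDb call in this function either sets the key or that the two SaveToDb implementations (utils.py and Report.py, per the issue text) tolerate its absence. Also worth a comment in the hunk: Hostname is client-supplied text straight from the NTLMSSP message, so anything that renders this DB column (reports, HTML output) must treat it as untrusted input rather than as a name the server resolved.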

What surprises me is how there is a provision for this, but it's unused. Any reason that's not wanted, or is it just that no one got around to adding this?

btw: Thanks for sharing the awesome work with the world! :)
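The patch above pulls the hostname out of the NTLMSSP AUTHENTICATE_MESSAGE (Type 3) at fixed header offsets. The following is an added example, written for this page and not code from Responder or from the patch, that parses the same message with the field triples (Len, MaxLen, BufferOffset) that MS-NLMP defines, checks that each buffer lies inside the message before decoding it, honours the Unicode/OEM flag, and formats the NTLMv2 line the way SMB.py's WriteHash does. The `build_authenticate` helper and every sample value are constructed here purely to produce test input; Python 3 and the standard library only are assumed.

```python
import struct

# Constants from MS-NLMP. This module is an added example, not Responder's code.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001

# Header offsets of the (Len, MaxLen, BufferOffset) field triples.
# SMB.py reads the UserName triple at 36..44; the patch reads Workstation at 44..52.
FIELD_OFFSETS = {
    "lm_response": 12,
    "nt_response": 20,
    "domain": 28,
    "user": 36,
    "workstation": 44,
    "session_key": 52,
}
FLAGS_OFFSET = 60
HEADER_LEN = 64  # through NegotiateFlags; Version and MIC are optional trailers


def _read_field(buf, off):
    """Return the bytes referenced by the field triple at header offset `off`, bounds-checked."""
    length, _max_length, buffer_offset = struct.unpack_from("<HHI", buf, off)
    if buffer_offset + length > len(buf):
        raise ValueError("field at header offset %d points past end of message" % off)
    return buf[buffer_offset:buffer_offset + length]


def parse_authenticate(buf):
    """Parse an NTLMSSP AUTHENTICATE_MESSAGE into its string and response fields."""
    if len(buf) < HEADER_LEN:
        raise ValueError("message shorter than fixed header")
    if buf[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    if struct.unpack_from("<I", buf, 8)[0] != AUTHENTICATE_MESSAGE:
        raise ValueError("not an AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", buf, FLAGS_OFFSET)[0]
    # Strings are UTF-16LE only if the client negotiated Unicode; otherwise OEM.
    encoding = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    raw = {name: _read_field(buf, off) for name, off in FIELD_OFFSETS.items()}
    return {
        "domain": raw["domain"].decode(encoding),
        "user": raw["user"].decode(encoding),
        "workstation": raw["workstation"].decode(encoding),  # client-controlled text
        "lm_response": raw["lm_response"],
        "nt_response": raw["nt_response"],
        "flags": flags,
    }


def format_ntlmv2_line(parsed, server_challenge):
    """Render the user::domain:challenge:ntproof:blob line that SMB.py's WriteHash produces."""
    nt_hex = parsed["nt_response"].hex()
    return "%s::%s:%s:%s:%s" % (parsed["user"], parsed["domain"],
                                server_challenge.hex(), nt_hex[:32], nt_hex[32:])


def build_authenticate(domain, user, workstation, lm_response, nt_response,
                       flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Build a minimal AUTHENTICATE_MESSAGE; used only to construct test input here."""
    encoding = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    payloads = {
        "lm_response": lm_response,
        "nt_response": nt_response,
        "domain": domain.encode(encoding),
        "user": user.encode(encoding),
        "workstation": workstation.encode(encoding),
        "session_key": b"",
    }
    offset = HEADER_LEN
    fields = b""
    for name in FIELD_OFFSETS:  # dict insertion order matches the header layout
        data = payloads[name]
        fields += struct.pack("<HHI", len(data), len(data), offset)
        offset += len(data)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE) + fields
            + struct.pack("<I", flags) + b"".join(payloads[n] for n in FIELD_OFFSETS))


if __name__ == "__main__":
    # Constructed sample: 24-byte LM blob, NTLMv2 response = 16-byte NTProofStr + blob.
    msg = build_authenticate("CORP", "alice", "WS01", b"\x00" * 24,
                             b"\xaa" * 16 + b"\x01\x01" + b"\x00" * 30)
    parsed = parse_authenticate(msg)
    print(parsed["workstation"], format_ntlmv2_line(parsed, bytes(range(8))))
```

Reading the whole triple rather than two fixed 16-bit slices keeps the parser honest about what each number is, and the single length check in `_read_field` is what turns a truncated or hostile Workstation field into a clean ValueError instead of a UnicodeDecodeError in the middle of hash capture.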
