SpiderLabs/Responder

PATCH - SMB logs don't contain client IP like HTTP logs do

jhaar opened this issue · 2 comments

jhaar commented

Hi there

I was having a play and noticed this, so I thought I'd patch it to log the client IP. I know the client IP is logged in HTTP transactions to stdout and Responder-Session.log - so it's inconsistent. I needed the log as I'm running this on the open Internet and am seeing WannaCry whacking away at it: the scans don't attempt to auth - so you don't get the client IP any other way. This change allows me to capture WannaCry botnet zombies - yay! ;-)

Pretty simple, but I'm not a programmer so I don't know enough to submit this via anything other than your bug system :-)

diff -pr Responder/servers/SMB.py Responder-patched/servers/SMB.py
*** Responder/servers/SMB.py 2018-09-11 06:49:38.749464380 +0000
--- Responder-patched/servers/SMB.py 2018-09-08 00:07:46.221467548 +0000
*************** def tidcalc(data): #Set TID SMB Header
*** 61,71 ****
pack=data[28:30]
return pack

! def ParseShare(data):
packet = data[:]
a = re.search('(\x5c\x00\x5c.*.\x00\x00\x00)', packet)
if a:
! print text("[SMB] Requested Share : %s" % a.group(0).decode('UTF-16LE'))

def ParseSMBHash(data,client): #Parse SMB NTLMSSP v1/v2
--- 61,71 ----
pack=data[28:30]
return pack

! def ParseShare(data,client):
packet = data[:]
a = re.search('(\x5c\x00\x5c.*.\x00\x00\x00)', packet)
if a:
! print text("[SMB] %s Requested Share : %s " % (client,a.group(0).decode('UTF-16LE')))

def ParseSMBHash(data,client): #Parse SMB NTLMSSP v1/v2
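Review bot: the changed `print text("[SMB] %s Requested Share : %s " % (client,a.group(0).decode('UTF-16LE')))` line only alters the console output, while the issue describes the HTTP client IP as reaching both stdout and Responder-Session.log; if that file is written by a separate logging call, the share request with its client IP should go through it too so the two protocols stay consistent. Two nits on the same line: give the address a label (e.g. `[SMB] Client : %s, Requested Share : %s`) so the log line is self-describing for anyone grepping it, and drop the trailing space inside `"%s "`. Also, changing the signature to `ParseShare(data,client)` with no default means any caller not updated by this patch fails with a TypeError; `client=None` would keep such callers working.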
*************** class SMB1(BaseRequestHandler): # SMB S
*** 266,272 ****

			if data[8:10] == "\x75\x00":  # Tree Connect AndX Request

! ParseShare(data)
Header = SMBHeader(cmd="\x75",flag1="\x88", flag2="\x01\xc8", errorcode="\x00\x00\x00\x00", pid=pidcalc(data), tid=chr(randrange(256))+chr(randrange(256)), uid=uidcalc(data), mid=midcalc(data))
Body = SMBTreeData()
Body.calculate()
--- 266,272 ----

			if data[8:10] == "\x75\x00":  # Tree Connect AndX Request

! ParseShare(data,self.client_address[0])
Header = SMBHeader(cmd="\x75",flag1="\x88", flag2="\x01\xc8", errorcode="\x00\x00\x00\x00", pid=pidcalc(data), tid=chr(randrange(256))+chr(randrange(256)), uid=uidcalc(data), mid=midcalc(data))
Body = SMBTreeData()
Body.calculate()
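Review bot: `self.client_address[0]` is passed in only from the SMB1 handler's Tree Connect AndX branch, the one call site this patch updates, and ParseShare prints nothing unless its share regex matches, so a client whose Tree Connect request does not match that pattern is still never logged; since the motivation is recording scanners that go no further than this request, consider logging the client address at the `if data[8:10] == "\x75\x00":` check itself, before the regex gate in ParseShare. If any other handler in the file also calls ParseShare, it needs the same argument added or it will break with the new signature.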

How do you do that, bro? Please teach me.

This project is no longer actively maintained. Please use https://github.com/lgandx/Responder