Initial commit

Author: clong

.circleci/config.yml

@@ -0,0 +1,24 @@
+version: 2
+
+jobs:
+  build:
+    machine: true
+    working_directory: ~/repo
+
+    steps:
+      - checkout
+      - run: wget https://osquery-packages.s3.amazonaws.com/deb/osquery_3.2.4_1.linux.amd64.deb
+      - run: sudo dpkg -i osquery_3.2.4_1.linux.amd64.deb
+      - run: sudo apt-get update && sudo apt-get install tmux
+      - run: sudo mkdir /etc/osquery/extensions && sudo chmod 755 /etc/osquery/extensions
+      - run: sudo cp /home/circleci/repo/detect_responder.ext /etc/osquery/extensions/detect_responder.ext && sudo chmod 755 /etc/osquery/extensions/detect_responder.ext
+      - run: sudo pip install osquery
+      - run: sudo touch /etc/osquery/extensions.load
+      - run: echo '/etc/osquery/extensions/detect_responder.ext' | sudo tee -a /etc/osquery/extensions.load
+      - run: curl "https://gist.githubusercontent.com/clong/d977895e2cd7cb9dafef56a951741b8e/raw/dfd900f19bffc167421bcecc90f917b7d5894a4f/gistfile1.txt" | sudo tee -a /etc/osquery/osquery.conf
+      - run: echo '--nodisable_extensions' | sudo tee -a /etc/osquery/osquery.flags
+      - run: echo '--verbose' | sudo tee -a /etc/osquery/osquery.flags
+      - run: sudo osqueryctl start
+      - run: sleep 15
+      - run: sudo grep -c "registered table plugin detect_responder" /var/log/osquery/*
+      - run: sudo grep -c "Storing initial results for new scheduled query. detect_responder" /var/log/osquery/*

README.md

@@ -0,0 +1,46 @@
+# Detect Responder (LLMNR, NBT-NS, MDNS poisoner) with osquery
+
+[![asciicast](https://asciinema.org/a/m7co9mikmw52Y1kzra5vrKNZs.png)](https://asciinema.org/a/m7co9mikmw52Y1kzra5vrKNZs)
+
+## Overview
+This repo contains a python-based extension for osquery to detect active instances of Responder or any NBT-NS and LLMNR spoofers/poisoners on the network.
+
+This extension was developed using osquery's Python bindings from https://github.com/osquery/osquery-python/
+
+This extension was written with native Python modules to reduce the need for installing third-party Python libraries on hosts. Although it would have been cleaner and easier to use a library like Scapy, it would require installing it on every host where the extension was used.
+
+Although many similar tools exist, most of them exist as independent scripts. This extension can take advantage of an existing osquery deployment and can provide network coverage everywhere that you have an osquery agent installed.
+
+Note: This extension has not been tested on production networks and exists only as a proof-of-concept.
+
+## How it works
+The extension operates by sending 4 network requests:
+1. A llmnr query for "wpad" to a multicast address
+2. A llmnr query for a randomized 16 character name to a multicast address
+3. A NBT-NS query for "WPAD" to a broadcast address
+4. A NBT-NS query for a randomized 16 character name to a broadcast address
+
+## Installation
+To begin, the osquery-python package must be installed on the system. The easiest way to install it is via `$ sudo pip install osquery`.
+
+Create a folder and `chmod 755` it called `/var/osquery/extensions` (MacOS) or `/etc/osquery/extensions` (Linux) and copy detect_responder.ext to that directory. The extension and directory should have the following permissions:
+```
+$ ls -al /var/osquery/extensions
+total 3336
+drwxr-xr-x   4 root  wheel      128 Jun  3 14:37 .
+drwxr-xr-x  15 root  wheel      480 Apr 17 10:25 ..
+-rwxr-xr-x   1 root  wheel     5594 Jun  3 14:33 detect_responder.ext
+```
+  To configure the extension to load when osquery starts, do one of the following:
+* Create a file called `extensions.load` in `/var/osquery` (MacOS) or `/etc/osquery` (Linux) and populate the file with the full path to `detect_responder.ext`
+* Edit your flags file and add the following flag: `--extension /path/to/detect_responder.ext`
+
+## Usage
+Once you have verified that the extension has loaded correctly, you should be able to run `SELECT * FROM detect_responder;`. To test it, run Responder on a different host on the same network.
+
+To test using osqueryi, run:
+`sudo osqueryi --nodisable_extensions --extension /var/osquery/extensions/detect_responder.ext --verbose`
+
+## Limitations
+* This extension currently only picks the first broadcast address returned by the query. It will support multiple addresses in the future.
+* This extension can be easily fingerprinted and detected. There are no plans to modify it to be harder to detect.

detect_responder.ext

@@ -0,0 +1,130 @@
+#!/usr/bin/env python
+
+import socket
+import osquery
+import random
+import string
+
+@osquery.register_plugin
+
+class MyTablePlugin(osquery.TablePlugin):
+    def name(self):
+        return "detect_responder"
+
+    def columns(self):
+        return [
+            osquery.TableColumn(name="responder_ip", type=osquery.STRING),
+            osquery.TableColumn(name="protocol", type=osquery.STRING),
+            osquery.TableColumn(name="query", type=osquery.STRING),
+            osquery.TableColumn(name="response", type=osquery.STRING),
+        ]
+
+    # Send a LLMNR request for WPAD to Multicast
+    def query_llmnr(self, query, length):
+        # Configure the socket
+        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
+        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 32)
+        sock.settimeout(2)
+        sock.bind(('0.0.0.0', 0))
+
+        # Configure the destination address and packet data
+        mcast_addr = '224.0.0.252'
+        mcast_port = 5355
+        if query == "random":
+            query = ''.join(random.choice(string.lowercase) for i in range(16))
+        llmnr_packet_data = "\x31\x81\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00" + chr(length) + query + "\x00\x00\x01\x00\x01"
+
+        # Send the LLMNR query
+        sock.sendto(llmnr_packet_data, (mcast_addr, mcast_port))
+
+        # Check if a response was received
+        while 1:
+            try:
+                resp = sock.recvfrom(1024)
+                # If a response was received, parse the results into a row
+                if resp:
+                    row = {}
+                    row["responder_ip"] = str(resp[1][0])
+                    row["query"] = query
+                    row["response"] = str(resp[0][13:(13+length)])
+                    row["protocol"] = "llmnr"
+                    sock.close()
+                    return row
+            # If no response, wait for the socket to timeout and close it
+            except socket.timeout:
+                sock.close()
+                return
+
+    def decode_netbios_name(self, nbname):
+        """
+        Return the NetBIOS first-level decoded nbname.
+        https://stackoverflow.com/questions/13652319/decode-netbios-name-python
+        """
+        if len(nbname) != 32:
+            return nbname
+        l = []
+        for i in range(0, 32, 2):
+            l.append(chr(((ord(nbname[i]) - 0x41) << 4) | ((ord(nbname[i+1]) - 0x41) & 0xf)))
+        return ''.join(l).split('\x00', 1)[0]
+
+    def get_broadcast_addresses(self):
+        # Use osquery to grab a broadcast address
+        # TODO: Add checks for multiple broadcast addresses
+        # TODO: Add checks for no broadcast addresses
+        instance = osquery.SpawnInstance()
+        instance.open()
+        return instance.client.query("SELECT  a.broadcast  FROM interface_addresses a JOIN interface_details d USING (interface) WHERE address NOT LIKE '%:%' AND address!='127.0.0.1';")
+
+
+    def query_nbns(self, query):
+        # TODO: Loop through multiple broadcast addresses if there is more than one
+        # Configure the socket
+        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
+        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
+        sock.settimeout(2)
+        sock.bind(('0.0.0.0', 0))
+
+        # Configure the destination address and packet data
+        broadcast_address = self.get_broadcast_addresses().response[0]['broadcast']
+        port = 137
+        if query == "WPAD":
+            # Format WPAD into NetBIOS query format
+            nbns_query = "\x46\x48\x46\x41\x45\x42\x45\x45\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x41\x41"
+        else:
+            # Create a query consisting of 16 random characters
+            query = ''.join(random.choice(string.lowercase) for i in range(16))
+            # Encode the query in the format required by NetBIOS
+            nbns_query = ''.join([chr((ord(c)>>4) + ord('A')) + chr((ord(c)&0xF) + ord('A')) for c in query])
+
+        # Send the NBNS query
+        sock.sendto("\x87\x3c\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00\x20" + nbns_query + "\x00\x00\x20\x00\x01", (broadcast_address, port))
+
+        # Check if a response was received
+        while 1:
+            try:
+                resp = sock.recvfrom(1024)
+                # If a response was received, parse the results into a row
+                if resp:
+                    row = {}
+                    row["responder_ip"] = str(resp[1][0])
+                    row["query"] = str(query).strip()
+                    # Convert the NetBIOS encoded response back to the original query
+                    row["response"] = self.decode_netbios_name(str(resp[0][13:45])).strip()
+                    row["protocol"] = "nbns"
+                    sock.close()
+                    return row
+            # If no response, wait for the socket to timeout and close it
+            except socket.timeout:
+                sock.close()
+                return
+
+    def generate(self, context):
+        query_data = []
+        query_data += [self.query_llmnr("wpad", 4)] if self.query_llmnr("wpad", 4) is not None else []
+        query_data += [self.query_llmnr("random", 16)] if self.query_llmnr("random", 16) is not None else []
+        query_data += [self.query_nbns("WPAD")] if self.query_nbns("WPAD") is not None else []
+        query_data += [self.query_nbns("random")] if self.query_nbns("random") is not None else []
+        return query_data
+
+if __name__ == "__main__":
+    osquery.start_extension(name="responder_extension", version="1.0.0")