Responder Help Card
Copyright (c) 2002+ Fred Cohen & Associates - ALL RIGHTS RESERVED
| Face | Type | SRC and DST | Flags | Action |
|---|---|---|---|---|
| eth0 | Arp | IP | [Ss]yn | Deny [arg] |
| eth1 | Icmp | IP:Port | [Aa]ck | daZzle [arg] |
| ... | Tcp | IP:Port:MAC | [Ff]in | Mirror |
| lo | Udp | . | [Pp]sh | Garble [a][%] |
| * | OtherIP | D [arg] | [Uu]rg | Ignore |
| . | * | Fin | [Rr]st | Slow |
| G [a][%] | . | Rst | [Cc]ontinue | Pose [s][d][face] |
| Tickle | Z [arg] | noHost | [Vv]erbose | . |
| Itch | Garble | noNet | [Dd]etails | a.b.c.d:p:m:m:m:m:m:m |
| Poke | Random | norouTe | [Mm]ac s/D | 0-255.*.12.12-90:@p:@m |
| Stab | ; comment | . end rules | . | =.+2.-5.g:r:... |

| Hashsets: | Host | Port | Mac | [HPM] name [entry ]+ |
|---|---|---|---|---|

| Lisp: | ( preset | [ on arrival | ! pre-test | e.g., (setq ttlpolicy :TTLwin) |
|---|---|---|---|---|
| | ? in cond | : pre-action | + post action | e.g., ?(< ttl 2) |
Some Examples:
(format t "~%********************Welcome to Responder*****************~%")
H weird 1.2.3.4 5.6.7.8 ; murky (weird) hash with initial values
H bad ; initialize bad hash - no values yet
P fake 21 22 23 25 80 443 ; fake ports
H fake 12.12.23.34 12.12.23.43 ; fake hosts
M fake 1:1:1:1:1:1 ; fake MAC address
!(format t "~a~%" arphash) ; show arp hash
!(format t "~a~%" hashweird) ; show murky (weird) hash
; hashing ARPs: a ':' pre-action runs before the rule that follows it
:(setarphash (SLOT FROM 'SA_DATA) (arpsrc) (frommac))
* A 204.7.229.* * c I ; cache the ARP source/MAC of ARPs from 204.7.229.* and go on (c = continue)
:(setarphash (SLOT FROM 'SA_DATA) (src) (frommac))
* IUTO 204.7.229.* * c I ; same for Icmp/Udp/Tcp/OtherIP from 204.7.229.*, keyed on the IP source, and go on
; record the source seen on eth1 in eth0's ARP cache: the quoted list is "eth0" as a 14-byte sa_data (101 116 104 48 = e t h 0)
+(setarphash '(101 116 104 48 0 0 0 0 0 0 0 0 0 0) (src) (frommac))
eth1 A @target * Dv F eth0 ; ARPs on eth1 from @target hosts are forwarded to eth0 (Dv = details, verbose); the '+' post-action runs afterwards
(setq ttlpolicy :TTLlin) ; default Linux TTLs
(setq TTLdistance 2) ; ttl reduction - behind a router
; zero the TCP window (bytes 14-15 of the TCP header) so the peer stalls its sends
:(progn (setf (b (+ 14 offset)) 0) (setf (b (+ 15 offset)) 0))
eth0 T @bad * - Z G ; dazzle TCP from @bad hosts on eth0 in garble mode, with the window zeroed by the pre-action
:(if (> (inchash hashweird (list (src))) 7) (sethash hashbad (list (src))) ) ; count hits per source; after more than 7, add it to the bad hash
:(sethash hashweird (list (src))) ; record the source in the weird hash
eth0 T * @fake:@fake - Z R ; TCP to a fake host:port counts as weird; repeat offenders turn bad and then match the @bad rule above
* * * * - I ; this is the default last rule - Ignore all
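To make the card's rule language and the weird/bad counting above concrete, here is a small Python model of the matching semantics. It is an added illustration, not Responder's code, and its semantics are assumptions read off the card: fields are Face Type SRC DST Flags Action [arg]; `*` and `.` match anything; an octet may be a range such as `12-90`; `@name` means membership in an H or P hashset; SRC/DST may carry `:port`; flag `c` continues to the next rule, otherwise the first match decides; a `:` pre-action is modelled as a Python callable run on every match, before the action; the action and its argument (`Z G`, `Z R`) are returned as one string. The packets in the usage block are constructed samples.

```python
from collections import namedtuple

# A packet as the rules see it; proto is A (Arp), I (Icmp), T (Tcp), U (Udp) or O (OtherIP).
Packet = namedtuple("Packet", "face proto src dst sport dport mac",
                    defaults=(0, 0, "0:0:0:0:0:0"))
# One rule line; pre is an optional callable standing in for a ':' pre-action (assumption).
Rule = namedtuple("Rule", "face types src dst flags action pre")

def octet(pat, val):
    """One dotted-quad position: '*' or '.', a range like 12-90, or a literal."""
    if pat in ("*", "."):
        return True
    if "-" in pat:
        lo, hi = pat.split("-")
        return int(lo) <= val <= int(hi)
    return int(pat) == val

class Engine:
    def __init__(self):
        self.hosts = {}    # H hashsets by name
        self.ports = {}    # P hashsets by name
        self.counts = {}   # stands in for hashweird's per-source hit counter
        self.arp = {}      # stands in for arphash (ip -> mac)
        self.rules = []

    def hashset(self, line):
        """Parse 'H name entry...' or 'P name port...' (M sets are not modelled)."""
        kind, name, *vals = line.split(";")[0].split()
        if kind == "H":
            self.hosts.setdefault(name, set()).update(vals)
        elif kind == "P":
            self.ports.setdefault(name, set()).update(int(v) for v in vals)

    def rule(self, line, pre=None):
        """Parse 'Face Type SRC DST Flags Action [arg]', dropping any ; comment."""
        face, types, src, dst, flags, *act = line.split(";")[0].split()
        self.rules.append(Rule(face, types, src, dst, flags, " ".join(act), pre))

    def atom(self, pat, val, sets):
        """'*' and '.' match anything; '@name' tests membership in hashset name."""
        if pat in ("*", "."):
            return True
        if pat.startswith("@"):
            return val in sets.get(pat[1:], set())
        if isinstance(val, int):
            return int(pat) == val
        return all(octet(p, int(v)) for p, v in zip(pat.split("."), val.split(".")))

    def endpoint(self, pat, ip, port):
        parts = pat.split(":")   # IP or IP:Port; a trailing :MAC is not modelled
        return (self.atom(parts[0], ip, self.hosts)
                and (len(parts) < 2 or self.atom(parts[1], port, self.ports)))

    def matches(self, r, p):
        return (r.face in ("*", ".", p.face)
                and (r.types == "*" or p.proto in r.types)
                and self.endpoint(r.src, p.src, p.sport)
                and self.endpoint(r.dst, p.dst, p.dport))

    def decide(self, p):
        """Walk the rules in order and return the action of the deciding rule."""
        action = ""
        for r in self.rules:
            if not self.matches(r, p):
                continue
            if r.pre:
                r.pre(self, p)
            action = r.action
            if "c" not in r.flags:   # no [Cc]ontinue flag: this rule decides
                break
        return action

def cache_arp(e, p):
    """Stands in for :(setarphash ... (arpsrc) (frommac))."""
    e.arp[p.src] = p.mac

def count_weird(e, p):
    """Stands in for :(if (> (inchash hashweird (list (src))) 7) (sethash hashbad ...))."""
    e.counts[p.src] = e.counts.get(p.src, 0) + 1
    if e.counts[p.src] > 7:
        e.hosts["bad"].add(p.src)

def build_engine():
    """The example rule set from this card, in the same order."""
    e = Engine()
    e.hashset("H bad")
    e.hashset("P fake 21 22 23 25 80 443")
    e.hashset("H fake 12.12.23.34 12.12.23.43")
    e.rule("* A 204.7.229.* * c I", pre=cache_arp)
    e.rule("eth0 T @bad * - Z G")
    e.rule("eth0 T * @fake:@fake - Z R", pre=count_weird)
    e.rule("* * * * - I")
    return e

if __name__ == "__main__":
    eng = build_engine()
    probe = Packet("eth0", "T", "9.9.9.9", "12.12.23.34", 4444, 80)   # constructed sample
    print([eng.decide(probe) for _ in range(9)])   # eight "Z R", then "Z G"
```

The order of the two TCP rules matters: the `@bad` rule sits before the fake-host rule, so a source that the pre-action has pushed into the bad hash is caught by the dazzle/garble rule on its next packet, whatever port it probes. An ARP from 204.7.229.* passes through the caching rule (flag `c`) and ends at the default Ignore rule, which is why the last rule is always `* * * * - I`.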