2012-06-28 13:17:05 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2012-06-28 13:17:05 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'rex'
|
2012-10-23 18:24:05 +00:00
|
|
|
require 'msf/core/auxiliary/report'
|
2012-06-28 13:17:05 +00:00
|
|
|
|
2016-03-07 08:56:58 +00:00
|
|
|
class Metasploit < Msf::Post
|
2012-06-28 13:17:05 +00:00
|
|
|
|
2013-09-05 18:41:25 +00:00
|
|
|
include Msf::Auxiliary::Report
|
2012-06-28 13:17:05 +00:00
|
|
|
|
2013-09-05 18:41:25 +00:00
|
|
|
def initialize(info={})
|
|
|
|
super( update_info( info,
|
|
|
|
'Name' => 'Windows Gather TCP Netstat',
|
|
|
|
'Description' => %q{ This Module lists current TCP sessions},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => [ 'mubix' ],
|
|
|
|
'Platform' => [ 'win' ],
|
|
|
|
'SessionTypes' => [ 'meterpreter']
|
|
|
|
))
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
], self.class)
|
|
|
|
end
|
2012-06-28 13:17:05 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def parse_tcptable(buffer)
|
|
|
|
entries = buffer[0,4].unpack("V*")[0]
|
|
|
|
print_status("Total TCP Entries: #{entries}")
|
2012-06-28 13:17:05 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
rtable = Rex::Ui::Text::Table.new(
|
|
|
|
'Header' => 'Connection Table',
|
|
|
|
'Indent' => 2,
|
|
|
|
'Columns' => ['STATE', 'LHOST', 'LPORT', 'RHOST', 'RPORT']
|
|
|
|
)
|
|
|
|
offset = 4
|
|
|
|
(1..entries).each do
|
|
|
|
x = {}
|
|
|
|
x[:state] = case buffer[(offset + 0), 4].unpack("V*")[0]
|
|
|
|
when 1
|
|
|
|
'CLOSED'
|
|
|
|
when 2
|
|
|
|
'LISTEN'
|
|
|
|
when 3
|
|
|
|
'SYN_SENT'
|
|
|
|
when 4
|
|
|
|
'SYN_RCVD'
|
|
|
|
when 5
|
|
|
|
'ESTABLISHED'
|
|
|
|
when 6
|
|
|
|
'FIN_WAIT1'
|
|
|
|
when 7
|
|
|
|
'FIN_WAIT2'
|
|
|
|
when 8
|
|
|
|
'CLOSE_WAIT'
|
|
|
|
when 9
|
|
|
|
'CLOSING'
|
|
|
|
when 10
|
|
|
|
'LAST_ACK'
|
|
|
|
when 11
|
|
|
|
'TIME_WAIT'
|
|
|
|
when 12
|
|
|
|
'DELETE_TCB'
|
|
|
|
else
|
|
|
|
'UNDEFINED'
|
|
|
|
end
|
|
|
|
x[:lhost] = Rex::Socket.addr_itoa(buffer[(offset + 4), 4].unpack("N")[0])
|
|
|
|
x[:lport] = buffer[(offset + 8), 4].unpack("n")[0]
|
|
|
|
x[:rhost] = Rex::Socket.addr_itoa(buffer[(offset + 12), 4].unpack("N")[0])
|
|
|
|
if x[:state] == "LISTEN"
|
|
|
|
x[:rport] = "_"
|
|
|
|
else
|
|
|
|
x[:rport] = buffer[(offset + 16), 4].unpack("n")[0]
|
|
|
|
end
|
|
|
|
offset = offset + 20
|
|
|
|
rtable << [x[:state], x[:lhost], x[:lport], x[:rhost], x[:rport]]
|
|
|
|
end
|
|
|
|
print_status(rtable.to_s)
|
|
|
|
end
|
2012-06-28 13:17:05 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def run
|
|
|
|
session.railgun.add_function('iphlpapi', 'GetTcpTable', 'DWORD', [
|
|
|
|
['PBLOB', 'pTcpTable', 'out'],
|
|
|
|
['PDWORD', 'pdwSize', 'inout'],
|
|
|
|
['BOOL', 'bOrder', 'in']
|
|
|
|
])
|
2012-06-28 13:17:05 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
getsize = session.railgun.iphlpapi.GetTcpTable(4,4,true)
|
|
|
|
buffersize = getsize['pdwSize']
|
2012-06-28 13:17:05 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
print_status("TCP Table Size: #{buffersize}")
|
|
|
|
tcptable = session.railgun.iphlpapi.GetTcpTable(buffersize,buffersize,true)
|
2012-06-28 13:17:05 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
parse_tcptable(tcptable['pTcpTable'])
|
|
|
|
end
|
2012-06-28 13:17:05 +00:00
|
|
|
end
|