##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary UDP scanner that sends a NAT-PMP external address request to each
# target and records the hosts and services that answer.
#
# NOTE(review): NAT-PMP replies are unauthenticated UDP datagrams, so both the
# datagram's source and the external address it claims are unverified data;
# treat the stored records accordingly when they are read back later.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::UDPScanner
  include Msf::Auxiliary::NATPMP
  include Rex::Proto::NATPMP

  # Passes the module metadata (name, description, author, license) to the
  # parent initializer.
  def initialize
    super(
      'Name'        => 'NAT-PMP External Address Scanner',
      'Description' => 'Scan NAT devices for their external address using NAT-PMP',
      'Author'      => 'Jon Hart <jhart[at]spoofed.org>',
      'License'     => MSF_LICENSE
    )
  end

  # Sends the probe prepared in #scanner_prescan to one target, on the port
  # taken from the RPORT datastore option.
  #
  # @param ip [String] address of the host to probe
  def scan_host(ip)
    rport = datastore['RPORT']
    scanner_send(@probe, ip, rport)
  end

  # Builds the external address request and keeps it in @probe for
  # #scan_host to send. The batch argument is not used here.
  #
  # @param batch the hosts about to be scanned (unused)
  def scanner_prescan(batch)
    @probe = external_address_request
  end

  # Handles one response datagram: parses it, prints the outcome, and records
  # the responder (and, on success, the address it reported).
  #
  # @param data [String] raw response payload, as received from the network
  # @param shost [String] source address of the response
  # @param sport [Integer] source port of the response
  def scanner_process(data, shost, sport)
    # epoch is parsed but not used by this module.
    ver, op, result, _epoch, external_address = parse_external_address_response(data)
    peer = "#{shost}:#{sport}"

    # Version 0, opcode 128 (the reply to request opcode 0) and result code 0
    # together mark a successful external address response.
    success = ver == 0 && op == 128 && result == 0

    if success
      print_good("#{peer} -- external address #{external_address}")
      # Record the reported external address as alive, but only when the
      # workspace boundary check accepts it.
      if inside_workspace_boundary?(external_address)
        report_host(host: external_address, state: Msf::HostState::Alive)
      end
    else
      print_error("#{peer} -- unexpected version/opcode/result/address: #{ver}/#{op}/#{result}/#{external_address}")
    end

    # NOTE(review): the two reports below run for every datagram, including
    # ones that failed the check above, so a 'natpmp' service record does not
    # by itself mean the responder returned a valid NAT-PMP reply.

    # Record the responding host as alive.
    report_host(host: shost, state: Msf::HostState::Alive)

    # Record NAT-PMP as open on the responding host's source port.
    report_service(
      host: shost,
      port: sport,
      proto: 'udp',
      name: 'natpmp',
      state: Msf::ServiceState::Open
    )
  end
end