2011-11-03 03:00:51 +00:00
|
|
|
##
|
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
|
# http://metasploit.com/
|
2011-11-03 03:00:51 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
require 'rex'
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize(info={})
|
|
|
|
|
super( update_info( info,
|
|
|
|
|
'Name' => 'Windows Recon Resolve Hostname',
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This module resolves a hostname to IP address via the victim,
|
|
|
|
|
similar to the Unix 'dig' command. Since resolution happens over
|
|
|
|
|
an established session from the perspective of the remote host,
|
|
|
|
|
this module can be used to determine differences between external
|
|
|
|
|
and internal resolution, especially for potentially high-value
|
|
|
|
|
internal addresses of devices named 'mail' or 'www.'
|
|
|
|
|
},
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Author' => [ 'mubix' ],
|
|
|
|
|
'Platform' => [ 'win' ],
|
|
|
|
|
'SessionTypes' => [ 'meterpreter' ]
|
|
|
|
|
))
|
2011-11-06 22:02:26 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
register_options(
|
|
|
|
|
[
|
|
|
|
|
OptString.new('HOSTNAME', [false, 'Hostname to lookup', nil]),
|
|
|
|
|
OptPath.new('HOSTFILE', [false, 'Line separated file with hostnames to resolve', nil]),
|
|
|
|
|
OptBool.new('SAVEHOSTS', [true, 'Save resolved hosts to the database', true])
|
|
|
|
|
], self.class)
|
|
|
|
|
end
|
2011-11-06 22:02:26 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def resolve_hostname(hostname)
|
2011-11-11 00:00:50 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
if client.platform =~ /^x64/
|
|
|
|
|
size = 64
|
|
|
|
|
addrinfoinmem = 32
|
|
|
|
|
else
|
|
|
|
|
size = 32
|
|
|
|
|
addrinfoinmem = 24
|
|
|
|
|
end
|
2011-11-06 22:02:26 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
begin
|
|
|
|
|
vprint_status("Looking up IP for #{hostname}")
|
|
|
|
|
result = client.railgun.ws2_32.getaddrinfo(hostname, nil, nil, 4 )
|
|
|
|
|
if result['GetLastError'] == 11001
|
|
|
|
|
print_error("Failed to resolve #{hostname}")
|
|
|
|
|
return
|
|
|
|
|
end
|
|
|
|
|
addrinfo = client.railgun.memread( result['ppResult'], size )
|
|
|
|
|
ai_addr_pointer = addrinfo[addrinfoinmem,4].unpack('L').first
|
|
|
|
|
sockaddr = client.railgun.memread( ai_addr_pointer, size/2 )
|
|
|
|
|
ip = sockaddr[4,4].unpack('N').first
|
|
|
|
|
hostip = Rex::Socket.addr_itoa(ip)
|
|
|
|
|
print_status("#{hostname} resolves to #{hostip}")
|
2013-07-19 18:14:14 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
if datastore['SAVEHOSTS']
|
|
|
|
|
report_host({
|
|
|
|
|
:host => hostip,
|
|
|
|
|
:name => hostname
|
|
|
|
|
})
|
|
|
|
|
end
|
2013-07-19 18:14:14 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
rescue Rex::Post::Meterpreter::RequestError
|
|
|
|
|
print_status('Windows 2000 and prior does not support getaddrinfo')
|
|
|
|
|
end
|
2012-10-20 15:32:23 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
2012-10-20 15:32:23 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def run
|
|
|
|
|
if datastore['HOSTNAME']
|
|
|
|
|
resolve_hostname(datastore['HOSTNAME'])
|
|
|
|
|
end
|
2012-10-20 15:32:23 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
if datastore['HOSTFILE']
|
|
|
|
|
::File.open(datastore['HOSTFILE'], "rb").each_line do |hostname|
|
|
|
|
|
if hostname.strip != ""
|
|
|
|
|
resolve_hostname(hostname.strip)
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
2011-11-03 03:00:51 +00:00
|
|
|
end
|
