metasploit-framework/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb

##
# $Id: ipv6_multicast_ping.rb 13962 2011-10-17 02:42:01Z todb $
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::Capture
	include Msf::Exploit::Remote::Ipv6
	include Msf::Auxiliary::Report

	def initialize
		super(
		'Name'        => 'IPv6 Link Local/Node Local Ping Discovery',
		'Description' => %q{
				Send a ICMPv6 ping request to all default multicast addresses, and wait to see who responds.
		},
		'Author'      => 'wuntee',
		'License'     => MSF_LICENSE,
		'References'    =>
			[
				['URL','http://wuntee.blogspot.com/2010/12/ipv6-ping-host-discovery-metasploit.html']
			]
		)

		deregister_options('SNAPLEN', 'FILTER', 'RHOST', 'PCAPFILE')
	end

	def listen_for_ping_response(opts = {})
		hosts = {}
		timeout = opts['TIMEOUT'] || datastore['TIMEOUT']
		prefix = opts['PREFIX'] || datastore['PREFIX']

		max_epoch = ::Time.now.to_i + timeout

		while(::Time.now.to_i < max_epoch)
			pkt_bytes = capture.next()
			Kernel.select(nil,nil,nil,0.1)
			next if not pkt_bytes
			p = PacketFu::Packet.parse(pkt_bytes)
			# Don't bother checking if it's an echo reply, since Neighbor Solicitations
			# and any other response is just as good.
			next unless p.is_ipv6?
			host_addr = p.ipv6_saddr
			host_mac = p.eth_saddr
			next if host_mac == @smac
			unless hosts[host_addr] == host_mac
				hosts[host_addr] = host_mac
				print_status("   |*| #{host_addr} => #{host_mac}")
			end
		end
		return hosts
	end

	def smac
		smac  = datastore['SMAC']
		smac ||= get_mac(@interface) if @netifaces
		smac ||= ipv6_mac
		smac
	end

	def run
		# Start capture
		open_pcap({'FILTER' => "icmp6"})

		@netifaces = true
		if not netifaces_implemented?
			print_error("WARNING : Pcaprub is not uptodate, some functionality will not be available")
			@netifaces = false
		end

		@interface = datastore['INTERFACE'] || Pcap.lookupdev

		# Send ping
		print_status("Sending multicast pings...")
		dmac = "33:33:00:00:00:01"
		@smac = smac
		# Figure out our source address by the link-local interface
		shost = ipv6_link_address

		# m-1-k-3: added some more multicast addresses from wikipedia: https://en.wikipedia.org/wiki/Multicast_address#IPv6
		ping6("FF01::1", {"DMAC" => dmac, "SHOST" => shost, "SMAC" =>  @smac, "WAIT" => false})    #node-local all nodes
		ping6("FF01::2", {"DMAC" => dmac, "SHOST" => shost, "SMAC" =>  @smac, "WAIT" => false})    #node-local all routers
		ping6("FF02::1", {"DMAC" => dmac, "SHOST" => shost, "SMAC" =>  @smac, "WAIT" => false})    #All nodes on the local network segment
		ping6("FF02::2", {"DMAC" => dmac, "SHOST" => shost, "SMAC" =>  @smac, "WAIT" => false})    #All routers on the local network segment
		ping6("FF02::5", {"DMAC" => dmac, "SHOST" => shost, "SMAC" =>  @smac, "WAIT" => false})    #OSPFv3 AllSPF routers
		ping6("FF02::6", {"DMAC" => dmac, "SHOST" => shost, "SMAC" =>  @smac, "WAIT" => false})    #OSPFv3 AllDR routers
		ping6("FF02::9", {"DMAC" => dmac, "SHOST" => shost, "SMAC" =>  @smac, "WAIT" => false})    #RIP routers
		ping6("FF02::a", {"DMAC" => dmac, "SHOST" => shost, "SMAC" =>  @smac, "WAIT" => false})    #EIGRP routers
		ping6("FF02::d", {"DMAC" => dmac, "SHOST" => shost, "SMAC" =>  @smac, "WAIT" => false})    #PIM routers
		ping6("FF02::16", {"DMAC" => dmac, "SHOST" => shost, "SMAC" =>  @smac, "WAIT" => false})   #MLDv2 reports (defined in RFC 3810)
		ping6("ff02::1:2", {"DMAC" => dmac, "SHOST" => shost, "SMAC" =>  @smac, "WAIT" => false})  #All DHCP servers and relay agents on the local network site (defined in RFC 3315)
		ping6("ff05::1:3", {"DMAC" => dmac, "SHOST" => shost, "SMAC" =>  @smac, "WAIT" => false})  #All DHCP servers on the local network site (defined in RFC 3315)

		# Listen for host advertisments
		print_status("Listening for responses...")
		listen_for_ping_response()

		# Close capture
		close_pcap()
	end

end
This commit adds a new set of discovery modules from wuntee and some useful utility methods for working with link-local addresses git-svn-id: file:///home/svn/framework3/trunk@11417 4d416f70-5f16-0410-b530-b9f4589650da 2010-12-27 16:43:53 +00:00			`##`
added more multicast addresses from wikipedia 2012-02-07 10:45:20 +00:00			`# $Id: ipv6_multicast_ping.rb 13962 2011-10-17 02:42:01Z todb $`
This commit adds a new set of discovery modules from wuntee and some useful utility methods for working with link-local addresses git-svn-id: file:///home/svn/framework3/trunk@11417 4d416f70-5f16-0410-b530-b9f4589650da 2010-12-27 16:43:53 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`

			`include Msf::Exploit::Remote::Capture`
			`include Msf::Exploit::Remote::Ipv6`
			`include Msf::Auxiliary::Report`

			`def initialize`
			`super(`
			`'Name' => 'IPv6 Link Local/Node Local Ping Discovery',`
			`'Description' => %q{`
			`Send a ICMPv6 ping request to all default multicast addresses, and wait to see who responds.`
			`},`
			`'Author' => 'wuntee',`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`['URL','http://wuntee.blogspot.com/2010/12/ipv6-ping-host-discovery-metasploit.html']`
			`]`
			`)`

			`deregister_options('SNAPLEN', 'FILTER', 'RHOST', 'PCAPFILE')`
			`end`

			`def listen_for_ping_response(opts = {})`
			`hosts = {}`
			`timeout = opts['TIMEOUT'] \|\| datastore['TIMEOUT']`
			`prefix = opts['PREFIX'] \|\| datastore['PREFIX']`

			`max_epoch = ::Time.now.to_i + timeout`

			`while(::Time.now.to_i < max_epoch)`
Fixes #5038, missed a couple mentions of Racket. Excised now for sure. git-svn-id: file:///home/svn/framework3/trunk@13371 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-27 17:44:36 +00:00			`pkt_bytes = capture.next()`
Fixes #5038. Removes all instances of Racket objects, as far as I can tell. If I missed any through my mighty grep -ril racket . statement, please reopen! git-svn-id: file:///home/svn/framework3/trunk@13342 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-26 01:29:21 +00:00			`Kernel.select(nil,nil,nil,0.1)`
Fixes #5038, missed a couple mentions of Racket. Excised now for sure. git-svn-id: file:///home/svn/framework3/trunk@13371 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-27 17:44:36 +00:00			`next if not pkt_bytes`
			`p = PacketFu::Packet.parse(pkt_bytes)`
			`# Don't bother checking if it's an echo reply, since Neighbor Solicitations`
			`# and any other response is just as good.`
Msftidy run against a bunch of whitespace violations, a few line too longs. git-svn-id: file:///home/svn/framework3/trunk@13962 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-17 02:42:01 +00:00			`next unless p.is_ipv6?`
Fixes #5038, missed a couple mentions of Racket. Excised now for sure. git-svn-id: file:///home/svn/framework3/trunk@13371 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-27 17:44:36 +00:00			`host_addr = p.ipv6_saddr`
			`host_mac = p.eth_saddr`
ipv6 and arp_scanner fix 2012-07-10 17:28:24 +00:00			`next if host_mac == @smac`
Fixes #5038, missed a couple mentions of Racket. Excised now for sure. git-svn-id: file:///home/svn/framework3/trunk@13371 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-27 17:44:36 +00:00			`unless hosts[host_addr] == host_mac`
This commit adds a new set of discovery modules from wuntee and some useful utility methods for working with link-local addresses git-svn-id: file:///home/svn/framework3/trunk@11417 4d416f70-5f16-0410-b530-b9f4589650da 2010-12-27 16:43:53 +00:00			`hosts[host_addr] = host_mac`
			`print_status(" \|*\| #{host_addr} => #{host_mac}")`
			`end`
			`end`
Fixes #5038, missed a couple mentions of Racket. Excised now for sure. git-svn-id: file:///home/svn/framework3/trunk@13371 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-27 17:44:36 +00:00			`return hosts`
			`end`

			`def smac`
ipv6 and arp_scanner fix 2012-07-10 17:28:24 +00:00			`smac = datastore['SMAC']`
			`smac \|\|= get_mac(@interface) if @netifaces`
			`smac \|\|= ipv6_mac`
			`smac`
This commit adds a new set of discovery modules from wuntee and some useful utility methods for working with link-local addresses git-svn-id: file:///home/svn/framework3/trunk@11417 4d416f70-5f16-0410-b530-b9f4589650da 2010-12-27 16:43:53 +00:00			`end`

			`def run`
Fixes #5038, missed a couple mentions of Racket. Excised now for sure. git-svn-id: file:///home/svn/framework3/trunk@13371 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-27 17:44:36 +00:00			`# Start capture`
This commit adds a new set of discovery modules from wuntee and some useful utility methods for working with link-local addresses git-svn-id: file:///home/svn/framework3/trunk@11417 4d416f70-5f16-0410-b530-b9f4589650da 2010-12-27 16:43:53 +00:00			`open_pcap({'FILTER' => "icmp6"})`

ipv6 and arp_scanner fix 2012-07-10 17:28:24 +00:00			`@netifaces = true`
			`if not netifaces_implemented?`
			`print_error("WARNING : Pcaprub is not uptodate, some functionality will not be available")`
			`@netifaces = false`
			`end`

			`@interface = datastore['INTERFACE'] \|\| Pcap.lookupdev`

This commit adds a new set of discovery modules from wuntee and some useful utility methods for working with link-local addresses git-svn-id: file:///home/svn/framework3/trunk@11417 4d416f70-5f16-0410-b530-b9f4589650da 2010-12-27 16:43:53 +00:00			`# Send ping`
			`print_status("Sending multicast pings...")`
			`dmac = "33:33:00:00:00:01"`
ipv6 and arp_scanner fix 2012-07-10 17:28:24 +00:00			`@smac = smac`
This commit adds a new set of discovery modules from wuntee and some useful utility methods for working with link-local addresses git-svn-id: file:///home/svn/framework3/trunk@11417 4d416f70-5f16-0410-b530-b9f4589650da 2010-12-27 16:43:53 +00:00			`# Figure out our source address by the link-local interface`
			`shost = ipv6_link_address`
Be gone, whitespace. 2012-02-10 09:16:37 +00:00
			`# m-1-k-3: added some more multicast addresses from wikipedia: https://en.wikipedia.org/wiki/Multicast_address#IPv6`
ipv6 and arp_scanner fix 2012-07-10 17:28:24 +00:00			`ping6("FF01::1", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #node-local all nodes`
			`ping6("FF01::2", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #node-local all routers`
			`ping6("FF02::1", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #All nodes on the local network segment`
			`ping6("FF02::2", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #All routers on the local network segment`
			`ping6("FF02::5", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #OSPFv3 AllSPF routers`
			`ping6("FF02::6", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #OSPFv3 AllDR routers`
			`ping6("FF02::9", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #RIP routers`
			`ping6("FF02::a", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #EIGRP routers`
			`ping6("FF02::d", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #PIM routers`
			`ping6("FF02::16", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #MLDv2 reports (defined in RFC 3810)`
			`ping6("ff02::1:2", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #All DHCP servers and relay agents on the local network site (defined in RFC 3315)`
			`ping6("ff05::1:3", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #All DHCP servers on the local network site (defined in RFC 3315)`
Be gone, whitespace. 2012-02-10 09:16:37 +00:00
This commit adds a new set of discovery modules from wuntee and some useful utility methods for working with link-local addresses git-svn-id: file:///home/svn/framework3/trunk@11417 4d416f70-5f16-0410-b530-b9f4589650da 2010-12-27 16:43:53 +00:00			`# Listen for host advertisments`
			`print_status("Listening for responses...")`
			`listen_for_ping_response()`

			`# Close capture`
			`close_pcap()`
			`end`

			`end`