2014-11-14 20:44:07 +00:00
|
|
|
##
|
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
include Msf::Auxiliary::UDPScanner
|
2014-11-20 21:49:36 +00:00
|
|
|
include Msf::Auxiliary::Kademlia
|
2014-11-14 20:44:07 +00:00
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(
|
|
|
|
update_info(
|
|
|
|
info,
|
|
|
|
'Name' => 'Gather Kademlia Server Information',
|
|
|
|
'Description' => %q(
|
|
|
|
This module uses the Kademlia BOOTSTRAP and PING messages to identify
|
|
|
|
and extract information from Kademlia speaking UDP endpoints,
|
|
|
|
typically belonging to eMule/eDonkey/BitTorrent servers or other P2P
|
|
|
|
applications.
|
|
|
|
),
|
2014-11-18 21:27:59 +00:00
|
|
|
'Author' => 'Jon Hart <jon_hart[at]rapid7.com>',
|
2014-11-14 20:44:07 +00:00
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
# There are lots of academic papers on the protocol but they tend to lack usable
|
|
|
|
# protocol details. This is the best I've found
|
|
|
|
['URL', 'http://gbmaster.wordpress.com/2013/06/16/botnets-surrounding-us-sending-kademlia2_bootstrap_req-kademlia2_hello_req-and-their-strict-cousins/#more-125']
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Actions' => [
|
|
|
|
['BOOTSTRAP', 'Description' => 'Use a Kademlia2 BOOTSTRAP'],
|
|
|
|
['PING', 'Description' => 'Use a Kademlia2 PING']
|
|
|
|
],
|
|
|
|
'DefaultAction' => 'BOOTSTRAP'
|
|
|
|
)
|
|
|
|
)
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(4672)
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def build_probe
|
|
|
|
@probe ||= case action.name
|
|
|
|
when 'BOOTSTRAP'
|
2014-11-24 22:03:43 +00:00
|
|
|
BootstrapRequest.new
|
2014-11-14 20:44:07 +00:00
|
|
|
when 'PING'
|
2014-11-24 22:03:43 +00:00
|
|
|
Ping.new
|
2014-11-14 20:44:07 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def scanner_process(response, src_host, src_port)
|
2014-11-14 22:39:40 +00:00
|
|
|
return if response.blank?
|
|
|
|
peer = "#{src_host}:#{src_port}"
|
|
|
|
|
|
|
|
case action.name
|
|
|
|
when 'BOOTSTRAP'
|
2014-11-24 22:03:43 +00:00
|
|
|
if bootstrap_res = BootstrapResponse.from_data(response)
|
|
|
|
info = {
|
|
|
|
peer_id: bootstrap_res.peer_id,
|
|
|
|
tcp_port: bootstrap_res.tcp_port,
|
|
|
|
version: bootstrap_res.version,
|
|
|
|
peers: bootstrap_res.peers
|
|
|
|
}
|
|
|
|
print_good("#{peer} ID #{bootstrap_res.peer_id}, TCP port #{bootstrap_res.tcp_port}," +
|
|
|
|
" version #{bootstrap_res.version}, #{bootstrap_res.peers.size} peers")
|
2014-11-14 22:39:40 +00:00
|
|
|
end
|
|
|
|
when 'PING'
|
2014-11-24 22:03:43 +00:00
|
|
|
if pong = Pong.from_data(response)
|
|
|
|
print_good("#{peer} PONG port #{pong.port}")
|
|
|
|
# port should match the port we contacted it from. TODO: validate this?
|
|
|
|
info = { udp_port: pong.port }
|
|
|
|
end
|
2014-11-14 22:39:40 +00:00
|
|
|
end
|
|
|
|
|
2014-11-14 20:44:07 +00:00
|
|
|
return unless info
|
|
|
|
@results[src_host] ||= []
|
|
|
|
@results[src_host] << info
|
|
|
|
end
|
|
|
|
|
|
|
|
def scanner_postscan(_batch)
|
|
|
|
@results.each_pair do |host, info|
|
|
|
|
report_host(host: host)
|
|
|
|
report_service(
|
|
|
|
host: host,
|
|
|
|
proto: 'udp',
|
|
|
|
port: rport,
|
2014-12-12 22:40:42 +00:00
|
|
|
name: 'kademlia',
|
2014-11-14 20:44:07 +00:00
|
|
|
info: info
|
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|