2010-04-30 08:40:19 +00:00
|
|
|
##
|
|
|
|
|
# $Id$
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
2010-11-11 22:43:22 +00:00
|
|
|
# http://metasploit.com/framework/
|
2010-04-30 08:40:19 +00:00
|
|
|
##
|
2009-07-22 02:48:00 +00:00
|
|
|
|
2010-04-30 08:40:19 +00:00
|
|
|
require 'msf/core'
|
2009-07-22 02:48:00 +00:00
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::Capture
|
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
|
super(
|
|
|
|
|
'Name' => 'ARP Sweep Local Network Discovery',
|
|
|
|
|
'Version' => '$Revision$',
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
Enumerate alive Hosts in local network using ARP requests.
|
|
|
|
|
},
|
|
|
|
|
'Author' => 'belch',
|
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
|
)
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-07-22 02:48:00 +00:00
|
|
|
register_options([
|
2011-06-02 21:31:36 +00:00
|
|
|
OptString.new('SHOST', [false, "Source IP Address"]),
|
|
|
|
|
OptString.new('SMAC', [false, "Source MAC Address"]),
|
2011-04-14 16:29:56 +00:00
|
|
|
# one re-register TIMEOUT here with a lower value, cause 5 seconds will be enough in most of the case
|
|
|
|
|
OptInt.new('TIMEOUT', [true, 'The number of seconds to wait for new data', 5]),
|
2009-07-22 02:48:00 +00:00
|
|
|
], self.class)
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2011-06-02 21:31:36 +00:00
|
|
|
deregister_options('SNAPLEN', 'FILTER', 'PCAPFILE', 'UDP_SECRET', 'GATEWAY', 'NETMASK')
|
2009-07-22 02:48:00 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def run_batch_size
|
|
|
|
|
datastore['BATCHSIZE'] || 256
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def run_batch(hosts)
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2011-06-02 21:31:36 +00:00
|
|
|
@netifaces = true
|
|
|
|
|
if not netifaces_implemented?
|
|
|
|
|
print_error("WARNING : Pcaprub is not uptodate, some functionality will not be available")
|
|
|
|
|
@netifaces = false
|
|
|
|
|
end
|
|
|
|
|
|
2011-07-26 01:29:21 +00:00
|
|
|
# XXX: This needs to be more automatic /and/ not rely on Pcap.interfaces, since
|
|
|
|
|
# it's never going to be reliable anyway.
|
2010-04-30 08:40:19 +00:00
|
|
|
shost = datastore['SHOST']
|
2011-06-02 21:31:36 +00:00
|
|
|
shost ||= get_ipv4_addr(datastore['INTERFACE']) if @netifaces
|
|
|
|
|
raise RuntimeError ,'SHOST should be defined' unless shost
|
|
|
|
|
|
2009-07-22 02:48:00 +00:00
|
|
|
smac = datastore['SMAC']
|
2011-06-02 21:31:36 +00:00
|
|
|
smac ||= get_mac(datastore['INTERFACE']) if @netifaces
|
|
|
|
|
raise RuntimeError ,'SMAC should be defined' unless smac
|
2010-04-30 08:40:19 +00:00
|
|
|
|
|
|
|
|
open_pcap({'SNAPLEN' => 68, 'FILTER' => "arp[6:2] == 0x0002"})
|
2009-07-22 02:48:00 +00:00
|
|
|
|
|
|
|
|
begin
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-07-22 02:48:00 +00:00
|
|
|
hosts.each do |dhost|
|
2011-06-02 21:31:36 +00:00
|
|
|
if dhost != shost
|
|
|
|
|
probe = buildprobe(shost, smac, dhost)
|
|
|
|
|
capture.inject(probe)
|
2009-07-22 02:48:00 +00:00
|
|
|
|
2011-06-02 21:31:36 +00:00
|
|
|
while(reply = getreply())
|
|
|
|
|
next if not reply[:arp]
|
|
|
|
|
print_status("#{reply[:arp].spa} appears to be up.")
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2011-06-02 21:31:36 +00:00
|
|
|
report_host(:host => reply[:arp].spa, :mac=>reply[:arp].sha)
|
|
|
|
|
end
|
2009-07-22 02:48:00 +00:00
|
|
|
end
|
|
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2011-04-14 16:29:56 +00:00
|
|
|
etime = Time.now.to_f + datastore['TIMEOUT']
|
2009-07-22 02:48:00 +00:00
|
|
|
while (Time.now.to_f < etime)
|
|
|
|
|
while(reply = getreply())
|
|
|
|
|
next if not reply[:arp]
|
2009-07-23 11:47:10 +00:00
|
|
|
print_status("#{reply[:arp].spa} appears to be up.")
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-07-23 11:47:10 +00:00
|
|
|
report_host(:host => reply[:arp].spa, :mac=>reply[:arp].sha)
|
2009-07-22 02:48:00 +00:00
|
|
|
end
|
|
|
|
|
Kernel.select(nil, nil, nil, 0.50)
|
|
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-07-22 02:48:00 +00:00
|
|
|
ensure
|
|
|
|
|
close_pcap()
|
|
|
|
|
end
|
|
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-07-22 02:48:00 +00:00
|
|
|
def buildprobe(shost, smac, dhost)
|
|
|
|
|
n = Racket::Racket.new
|
2009-12-29 23:32:50 +00:00
|
|
|
n.l2 = Racket::L2::Ethernet.new(Racket::Misc.randstring(14))
|
2009-07-22 02:48:00 +00:00
|
|
|
n.l2.src_mac = smac
|
|
|
|
|
n.l2.dst_mac = 'ff:ff:ff:ff:ff:ff'
|
|
|
|
|
n.l2.ethertype = 0x0806
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-12-29 23:32:50 +00:00
|
|
|
n.l3 = Racket::L3::ARP.new
|
|
|
|
|
n.l3.opcode = Racket::L3::ARP::ARPOP_REQUEST
|
2009-07-22 02:48:00 +00:00
|
|
|
n.l3.sha = n.l2.src_mac
|
|
|
|
|
n.l3.tha = n.l2.dst_mac
|
|
|
|
|
n.l3.spa = shost
|
|
|
|
|
n.l3.tpa = dhost
|
|
|
|
|
n.pack
|
|
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-07-22 02:48:00 +00:00
|
|
|
def getreply
|
|
|
|
|
pkt = capture.next
|
|
|
|
|
return if not pkt
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-12-29 23:32:50 +00:00
|
|
|
eth = Racket::L2::Ethernet.new(pkt)
|
2009-07-22 02:48:00 +00:00
|
|
|
return if not eth.ethertype == 0x0806
|
|
|
|
|
|
2009-12-29 23:32:50 +00:00
|
|
|
arp = Racket::L3::ARP.new(eth.payload)
|
|
|
|
|
return if not arp.opcode == Racket::L3::ARP::ARPOP_REPLY
|
2009-07-22 02:48:00 +00:00
|
|
|
|
|
|
|
|
{:raw => pkt, :eth => eth, :arp => arp}
|
|
|
|
|
end
|
|
|
|
|
end
|
