2011-08-21 04:46:57 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2011-08-21 04:46:57 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
include Msf::Exploit::Capture
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'BNAT Scanner',
|
|
|
|
'Description' => %q{
|
|
|
|
This module is a scanner which can detect Broken NAT (network address translation)
|
|
|
|
implementations, which could result in a inability to reach ports on remote
|
|
|
|
machines. Typically, these ports will appear in nmap scans as 'filtered'/'closed'.
|
|
|
|
},
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'bannedit',
|
|
|
|
'Jonathan Claudius <jclaudius[at]trustwave.com>',
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
2015-10-28 15:45:02 +00:00
|
|
|
[ 'URL', 'https://github.com/claudijd/bnat'],
|
2015-10-27 17:41:32 +00:00
|
|
|
[ 'URL', 'http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels']
|
2013-08-30 21:28:54 +00:00
|
|
|
]
|
|
|
|
)
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('PORTS', [true, "Ports to scan (e.g. 22-25,80,110-900)", "21,22,23,80,443"]),
|
|
|
|
OptString.new('INTERFACE', [true, "The name of the interface", "eth0"]),
|
|
|
|
OptInt.new('TIMEOUT', [true, "The reply read timeout in milliseconds", 500])
|
|
|
|
],self.class)
|
|
|
|
|
|
|
|
deregister_options('FILTER','PCAPFILE','RHOST','SNAPLEN')
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
def probe_reply(pcap, to)
|
|
|
|
reply = nil
|
|
|
|
begin
|
|
|
|
Timeout.timeout(to) do
|
|
|
|
pcap.each do |r|
|
|
|
|
pkt = PacketFu::Packet.parse(r)
|
|
|
|
next unless pkt.is_tcp?
|
|
|
|
reply = pkt
|
|
|
|
break
|
|
|
|
end
|
|
|
|
end
|
|
|
|
rescue Timeout::Error
|
|
|
|
end
|
|
|
|
return reply
|
|
|
|
end
|
|
|
|
|
|
|
|
def generate_probe(ip)
|
|
|
|
ftypes = %w{windows, linux, freebsd}
|
|
|
|
@flavor = ftypes[rand(ftypes.length)]
|
|
|
|
config = PacketFu::Utils.whoami?(:iface => datastore['INTERFACE'])
|
|
|
|
p = PacketFu::TCPPacket.new(:config => config)
|
|
|
|
p.ip_daddr = ip
|
|
|
|
p.tcp_flags.syn = 1
|
|
|
|
return p
|
|
|
|
end
|
|
|
|
|
|
|
|
def run_host(ip)
|
|
|
|
open_pcap
|
|
|
|
|
|
|
|
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
|
|
|
|
|
|
|
|
p = generate_probe(ip)
|
|
|
|
pcap = self.capture
|
|
|
|
|
|
|
|
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
|
|
|
|
|
2013-12-18 21:04:53 +00:00
|
|
|
if ports.empty?
|
|
|
|
raise Msf::OptionValidateError.new(['PORTS'])
|
|
|
|
end
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
ports.each_with_index do |port,i|
|
|
|
|
p.tcp_dst = port
|
|
|
|
p.tcp_src = rand(64511)+1024
|
|
|
|
p.tcp_seq = rand(64511)+1024
|
|
|
|
p.recalc
|
|
|
|
|
|
|
|
ackbpf = "tcp [8:4] == 0x#{(p.tcp_seq + 1).to_s(16)}"
|
|
|
|
pcap.setfilter("tcp and tcp[13] == 18 and not host #{ip} and src port #{p.tcp_dst} and dst port #{p.tcp_src} and #{ackbpf}")
|
2015-09-27 21:18:51 +00:00
|
|
|
break unless capture_sendto(p, ip)
|
2013-08-30 21:28:54 +00:00
|
|
|
reply = probe_reply(pcap, to)
|
|
|
|
next if reply.nil?
|
|
|
|
|
|
|
|
print_status("[BNAT RESPONSE] Requested IP: #{ip} Responding IP: #{reply.ip_saddr} Port: #{reply.tcp_src}")
|
|
|
|
end
|
|
|
|
|
|
|
|
close_pcap
|
|
|
|
end
|
2011-10-17 02:42:01 +00:00
|
|
|
|
2012-03-18 05:07:27 +00:00
|
|
|
end
|