Merge pull request #592 from alexmaloteaux/ipv6arpfix

ipv6 and arp_scanner fix
unstable
HD Moore 2012-07-18 20:40:27 -07:00
commit 9bff1c913b
4 changed files with 66 additions and 25 deletions


@ -45,7 +45,7 @@ class Metasploit3 < Msf::Auxiliary
next unless p.is_ipv6?
host_addr = p.ipv6_saddr
host_mac = p.eth_saddr
next if host_mac == smac
next if host_mac == @smac
unless hosts[host_addr] == host_mac
hosts[host_addr] = host_mac
print_status(" |*| #{host_addr} => #{host_mac}")
@ -55,33 +55,44 @@ class Metasploit3 < Msf::Auxiliary
end
def smac
datastore['SMAC'].to_s.empty? ? ipv6_mac : datastore['SMAC']
smac = datastore['SMAC']
smac ||= get_mac(@interface) if @netifaces
smac ||= ipv6_mac
smac
end
def run
# Start capture
open_pcap({'FILTER' => "icmp6"})
@netifaces = true
if not netifaces_implemented?
print_error("WARNING : Pcaprub is not uptodate, some functionality will not be available")
@netifaces = false
end
@interface = datastore['INTERFACE'] || Pcap.lookupdev
# Send ping
print_status("Sending multicast pings...")
dmac = "33:33:00:00:00:01"
@smac = smac
# Figure out our source address by the link-local interface
shost = ipv6_link_address
# m-1-k-3: added some more multicast addresses from wikipedia: https://en.wikipedia.org/wiki/Multicast_address#IPv6
ping6("FF01::1", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #node-local all nodes
ping6("FF01::2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #node-local all routers
ping6("FF02::1", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All nodes on the local network segment
ping6("FF02::2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All routers on the local network segment
ping6("FF02::5", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #OSPFv3 AllSPF routers
ping6("FF02::6", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #OSPFv3 AllDR routers
ping6("FF02::9", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #RIP routers
ping6("FF02::a", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #EIGRP routers
ping6("FF02::d", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #PIM routers
ping6("FF02::16", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #MLDv2 reports (defined in RFC 3810)
ping6("ff02::1:2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All DHCP servers and relay agents on the local network site (defined in RFC 3315)
ping6("ff05::1:3", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All DHCP servers on the local network site (defined in RFC 3315)
ping6("FF01::1", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #node-local all nodes
ping6("FF01::2", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #node-local all routers
ping6("FF02::1", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #All nodes on the local network segment
ping6("FF02::2", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #All routers on the local network segment
ping6("FF02::5", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #OSPFv3 AllSPF routers
ping6("FF02::6", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #OSPFv3 AllDR routers
ping6("FF02::9", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #RIP routers
ping6("FF02::a", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #EIGRP routers
ping6("FF02::d", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #PIM routers
ping6("FF02::16", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #MLDv2 reports (defined in RFC 3810)
ping6("ff02::1:2", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #All DHCP servers and relay agents on the local network site (defined in RFC 3315)
ping6("ff05::1:3", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #All DHCP servers on the local network site (defined in RFC 3315)
# Listen for host advertisments
print_status("Listening for responses...")
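Review bot: The new `smac` helper no longer treats an empty SMAC option as unset: the removed line used `.to_s.empty?`, whereas `smac ||= …` only falls through on nil, so an SMAC set to an empty string is handed to every `ping6` call as the source MAC and compared against `host_mac` in the first hunk. Normalising before the fallbacks keeps the old behaviour: `smac = datastore['SMAC']` followed by `smac = nil if smac.to_s.empty?`. The local `smac` inside `def smac` also shadows the method's own name, which reads as recursion at first glance; a different local such as `mac` would be clearer. `unless netifaces_implemented?` is the idiomatic form of `if not netifaces_implemented?`, here and in the same block copied into the other two modules.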


@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
OptString.new('SHOST', [false, "Source IP Address"]),
OptString.new('SMAC', [true, "Source MAC Address"]),
OptString.new('SMAC', [false, "Source MAC Address"]),
], self.class)
deregister_options('SNAPLEN', 'FILTER')
@ -48,19 +48,30 @@ class Metasploit3 < Msf::Auxiliary
def run_batch(hosts)
open_pcap({'SNAPLEN' => 68, 'FILTER' => "arp[6:2] == 0x0002"})
@netifaces = true
if not netifaces_implemented?
print_error("WARNING : Pcaprub is not uptodate, some functionality will not be available")
@netifaces = false
end
print_status("Discovering IPv4 nodes via ARP...")
shost = datastore['SHOST']
smac = datastore['SMAC']
@interface = datastore['INTERFACE'] || Pcap.lookupdev
@shost = datastore['SHOST']
@shost ||= get_ipv4_addr(@interface) if @netifaces
raise RuntimeError ,'SHOST should be defined' unless @shost
@smac = datastore['SMAC']
@smac ||= get_mac(@interface) if @netifaces
raise RuntimeError ,'SMAC should be defined' unless @smac
addrs = []
begin
found = {}
hosts.each do |dhost|
shost = datastore['SHOST'] || Rex::Socket.source_address(dhost)
probe = buildprobe(datastore['SHOST'], datastore['SMAC'], dhost)
probe = buildprobe(@shost, @smac, dhost)
capture.inject(probe)
while(reply = getreply())
next unless reply.is_arp?
@ -110,7 +121,7 @@ class Metasploit3 < Msf::Auxiliary
print_status("Discovering IPv6 addresses for IPv4 nodes...")
print_status("")
smac = datastore['SMAC']
smac = @smac
open_pcap({'SNAPLEN' => 68, 'FILTER' => "icmp6"})
begin
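Review bot: The per-host `shost = datastore['SHOST'] || Rex::Socket.source_address(dhost)` line kept inside the `hosts.each` loop now disagrees with the `@shost` the probe is actually built from, whose fallback is `get_ipv4_addr(@interface)`; unless `shost` is read further down the loop (outside this hunk) it is dead and should be removed, and if it is read, the two fallbacks should be reconciled so the probe's sender address and whatever `shost` feeds agree. `raise RuntimeError ,'SHOST should be defined'` has the comma on the wrong side of the space and `RuntimeError` is already the default, so `raise 'SHOST should be defined' unless @shost` says the same (likewise for the SMAC line). Raising inside `run_batch` aborts the whole batch rather than the current host; whether a `print_error` plus `return` would be the friendlier failure depends on how the framework handles the exception, which is not visible here. `run_batch` continues past the hunk.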


@ -74,7 +74,7 @@ class Metasploit3 < Msf::Auxiliary
def find_link_local(opts = {})
shost = opts['SHOST'] || datastore['SHOST'] || ipv6_link_address
hosts = opts['HOSTS'] || []
smac = opts['SMAC'] || datastore['SMAC'] || ipv6_mac
smac = @smac
timeout = opts['TIMEOUT_NEIGHBOR'] || datastore['TIMEOUT_NEIGHBOR']
network_prefix = Rex::Socket.addr_aton(shost)[0,8]
@ -91,7 +91,7 @@ class Metasploit3 < Msf::Auxiliary
def create_router_advertisment(opts={})
dhost = "FF02::1"
smac = opts['SMAC'] || datastore['SMAC'] || ipv6_mac
smac = @smac
shost = opts['SHOST'] || datastore['SHOST'] || ipv6_link_address
lifetime = opts['LIFETIME'] || datastore['TIMEOUT']
prefix = opts['PREFIX'] || datastore['PREFIX']
@ -152,6 +152,22 @@ class Metasploit3 < Msf::Auxiliary
# Start caputure
open_pcap({'FILTER' => "icmp6"})
@netifaces = true
if not netifaces_implemented?
print_error("WARNING : Pcaprub is not uptodate, some functionality will not be available")
@netifaces = false
end
@interface = datastore['INTERFACE'] || Pcap.lookupdev
@shost = datastore['SHOST']
@shost ||= get_ipv4_addr(@interface) if @netifaces
raise RuntimeError ,'SHOST should be defined' unless @shost
@smac = datastore['SMAC']
@smac ||= get_mac(@interface) if @netifaces
@smac ||= ipv6_mac
raise RuntimeError ,'SMAC should be defined' unless @smac
# Send router advertisement
print_status("Sending router advertisement...")
pkt = create_router_advertisment()
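Review bot: `find_link_local` and `create_router_advertisment` now read `smac = @smac` and silently ignore an `opts['SMAC']` passed by the caller, while the neighbouring `shost` lines still honour `opts['SHOST']`; keeping the override with `smac = opts['SMAC'] || @smac` preserves the method contract for callers that pass a MAC explicitly. In `run`, `@shost ||= get_ipv4_addr(@interface)` seeds an IPv4 address into a module whose other paths fall back to `ipv6_link_address`, and the following `raise … 'SHOST should be defined'` makes SHOST mandatory whenever netifaces is unavailable even though `create_router_advertisment` already has an IPv6 fallback. If `@shost` has no reader (its only consumer would be outside these hunks) those three lines can be dropped; otherwise the fallback should be the link-local IPv6 address rather than an IPv4 one. The pcaprub/netifaces warning block is now copied verbatim into three modules; lifting it into the shared capture mixin would keep the flag and the warning text in one place.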


@ -19,6 +19,7 @@ class Metasploit3 < Msf::Post
include Msf::Post::Common
include Msf::Auxiliary::Report
OUI_LIST = Rex::Oui
def initialize(info={})
super( update_info( info,
@ -69,8 +70,10 @@ class Metasploit3 < Msf::Post
h = iphlp.SendARP(ip,0,6,6)
if h["return"] == client.railgun.const("NO_ERROR")
mac_text = h["pMacAddr"].unpack('C*').map { |e| "%02x" % e }.join(':')
print_status("\tIP: #{ip_text} MAC #{mac_text}")
company = OUI_LIST::lookup_oui_company_name(mac_text )
print_status("\tIP: #{ip_text} MAC #{mac_text} (#{company})")
report_host(:host => ip_text,:mac => mac_text)
report_note(:host => ip_text, :type => "mac_oui", :data => company)
end
})
i += 1
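Review bot: `report_note(... :data => company)` is written even when `lookup_oui_company_name` finds no vendor for the prefix; if that call returns nil for unknown OUIs (not visible here), an empty `mac_oui` note is stored for every such host, so guard it with `report_note(...) if company` or record the raw prefix instead. `OUI_LIST::lookup_oui_company_name(mac_text )` uses `::` for a method call and carries a stray space before the parenthesis; `Rex::Oui.lookup_oui_company_name(mac_text)` reads as an ordinary call and makes the `OUI_LIST` alias added in the first hunk unnecessary. The enclosing block continues outside the hunk.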