From 81ba60169fc306ffbf4693616b145aa219be1f85 Mon Sep 17 00:00:00 2001
From: Alexandre Maloteaux
Date: Tue, 10 Jul 2012 18:28:24 +0100
Subject: [PATCH] ipv6 and arp_scanner fix

---
 .../scanner/discovery/ipv6_multicast_ping.rb | 41 ++++++++++++-------
 .../scanner/discovery/ipv6_neighbor.rb | 25 +++++++----
 .../ipv6_neighbor_router_advertisement.rb | 20 ++++++++-
 modules/post/windows/gather/arp_scanner.rb | 5 ++-
 4 files changed, 66 insertions(+), 25 deletions(-)

diff --git a/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb b/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb
index 625fca2b80..374eb2aeb3 100644
--- a/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb
+++ b/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb
@@ -45,7 +45,7 @@ class Metasploit3 < Msf::Auxiliary
 next unless p.is_ipv6?
 host_addr = p.ipv6_saddr
 host_mac = p.eth_saddr
- next if host_mac == smac
+ next if host_mac == @smac
 unless hosts[host_addr] == host_mac
 hosts[host_addr] = host_mac
 print_status(" |*| #{host_addr} => #{host_mac}")
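Review bot: The self-filter `next if host_mac == @smac` is a plain string comparison, so it only drops the scanner's own replies when `@smac` is spelled exactly the way `p.eth_saddr` renders the address; a user-supplied `SMAC` (this commit passes a set value through untouched and only falls back to `get_mac`/`ipv6_mac` when it is unset) in upper case or another separator style would let our own host be reported as a discovered node. Normalising both sides, `next if host_mac.to_s.downcase == @smac.to_s.downcase`, avoids that. The capture loop this line belongs to starts and ends outside the hunk.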
@@ -55,33 +55,44 @@ class Metasploit3 < Msf::Auxiliary
 end
 def smac
- datastore['SMAC'].to_s.empty? ? ipv6_mac : datastore['SMAC']
+ smac = datastore['SMAC']
+ smac ||= get_mac(@interface) if @netifaces
+ smac ||= ipv6_mac
+ smac
 end
 def run
 # Start capture
 open_pcap({'FILTER' => "icmp6"})
+ @netifaces = true
+ if not netifaces_implemented?
+ print_error("WARNING : Pcaprub is not uptodate, some functionality will not be available")
+ @netifaces = false
+ end
+
+ @interface = datastore['INTERFACE'] || Pcap.lookupdev
+
 # Send ping
 print_status("Sending multicast pings...")
 dmac = "33:33:00:00:00:01"
-
+ @smac = smac
 # Figure out our source address by the link-local interface
 shost = ipv6_link_address
 # m-1-k-3: added some more multicast addresses from wikipedia: https://en.wikipedia.org/wiki/Multicast_address#IPv6
- ping6("FF01::1", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #node-local all nodes
- ping6("FF01::2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #node-local all routers
- ping6("FF02::1", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All nodes on the local network segment
- ping6("FF02::2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All routers on the local network segment
- ping6("FF02::5", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #OSPFv3 AllSPF routers
- ping6("FF02::6", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #OSPFv3 AllDR routers
- ping6("FF02::9", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #RIP routers
- ping6("FF02::a", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #EIGRP routers
- ping6("FF02::d", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #PIM routers
- ping6("FF02::16", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #MLDv2 reports (defined in RFC 3810)
- ping6("ff02::1:2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All DHCP servers and relay agents on the local network site (defined in RFC 3315)
- ping6("ff05::1:3", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All DHCP servers on the local network site (defined in RFC 3315)
+ ping6("FF01::1", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #node-local all nodes
+ ping6("FF01::2", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #node-local all routers
+ ping6("FF02::1", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #All nodes on the local network segment
+ ping6("FF02::2", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #All routers on the local network segment
+ ping6("FF02::5", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #OSPFv3 AllSPF routers
+ ping6("FF02::6", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #OSPFv3 AllDR routers
+ ping6("FF02::9", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #RIP routers
+ ping6("FF02::a", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #EIGRP routers
+ ping6("FF02::d", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #PIM routers
+ ping6("FF02::16", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #MLDv2 reports (defined in RFC 3810)
+ ping6("ff02::1:2", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #All DHCP servers and relay agents on the local network site (defined in RFC 3315)
+ ping6("ff05::1:3", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #All DHCP servers on the local network site (defined in RFC 3315)
 # Listen for host advertisments
 print_status("Listening for responses...")
diff --git a/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb b/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb
index e82c499c44..43f6d3ad49 100644
--- a/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb
+++ b/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb
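Review bot: The rewritten `smac` regresses the empty-string case the removed line handled: `datastore['SMAC'].to_s.empty? ? ipv6_mac : datastore['SMAC']` fell back whenever SMAC was blank, whereas `smac = datastore['SMAC']` followed by `||=` only falls back on nil, so an SMAC set to "" is now handed to every `ping6` call as the source MAC and also defeats the `host_mac == @smac` self-filter in the capture loop. Treating blank as unset, `smac = datastore['SMAC']` then `smac = nil if smac.to_s.empty?` before the `||=` chain, keeps the old behaviour. Separately, the local named `smac` inside `def smac` shadows the method it lives in, `if not netifaces_implemented?` reads better as `unless netifaces_implemented?`, and an informational "WARNING" goes through `print_error`. The same pcaprub probe block is pasted verbatim into the other two modules in this commit; a helper in the shared capture mixin would keep the three in step.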
@@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary
 register_options(
 [
 OptString.new('SHOST', [false, "Source IP Address"]),
- OptString.new('SMAC', [true, "Source MAC Address"]),
+ OptString.new('SMAC', [false, "Source MAC Address"]),
 ], self.class)
 deregister_options('SNAPLEN', 'FILTER')
@@ -48,19 +48,30 @@ class Metasploit3 < Msf::Auxiliary
 def run_batch(hosts)
 open_pcap({'SNAPLEN' => 68, 'FILTER' => "arp[6:2] == 0x0002"})
+ @netifaces = true
+ if not netifaces_implemented?
+ print_error("WARNING : Pcaprub is not uptodate, some functionality will not be available")
+ @netifaces = false
+ end
+
 print_status("Discovering IPv4 nodes via ARP...")
- shost = datastore['SHOST']
- smac = datastore['SMAC']
+ @interface = datastore['INTERFACE'] || Pcap.lookupdev
+ @shost = datastore['SHOST']
+ @shost ||= get_ipv4_addr(@interface) if @netifaces
+ raise RuntimeError ,'SHOST should be defined' unless @shost
+
+ @smac = datastore['SMAC']
+ @smac ||= get_mac(@interface) if @netifaces
+ raise RuntimeError ,'SMAC should be defined' unless @smac
 addrs = []
 begin
 found = {}
 hosts.each do |dhost|
- shost = datastore['SHOST'] || Rex::Socket.source_address(dhost)
-
- probe = buildprobe(datastore['SHOST'], datastore['SMAC'], dhost)
+
+ probe = buildprobe(@shost, @smac, dhost)
 capture.inject(probe)
 while(reply = getreply())
 next unless reply.is_arp?
@@ -110,7 +121,7 @@ class Metasploit3 < Msf::Auxiliary
 print_status("Discovering IPv6 addresses for IPv4 nodes...")
 print_status("")
- smac = datastore['SMAC']
+ smac = @smac
 open_pcap({'SNAPLEN' => 68, 'FILTER' => "icmp6"})
 begin
diff --git a/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb b/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb
index fb5cd37b80..12faa5aa7f 100644
--- a/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb
+++ b/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb
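Review bot: Both `raise RuntimeError` guards in `run_batch` run after `open_pcap(...)` but before the `begin` block, so a missing SHOST or SMAC aborts the batch with the capture handle still open; whatever `ensure` closes it (the rest of the method is outside the hunk) is never reached. Resolving `@interface`, `@shost` and `@smac` before the `open_pcap` call, or moving the checks inside the `begin`, avoids that leak. As with `smac` elsewhere in this commit, `@shost = datastore['SHOST']` followed by `||=` no longer falls back when the option is set to an empty string (`@shost = nil if @shost.to_s.empty?` would), and with the per-target `Rex::Socket.source_address(dhost)` line removed a host without an up-to-date pcaprub now has to set SHOST explicitly, which the error text could say. Style: `raise RuntimeError ,'...'` has the comma on the wrong side of the space, and `raise ArgumentError, 'SHOST must be set when pcaprub lacks netifaces support'` is the idiomatic form.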
@@ -74,7 +74,7 @@ class Metasploit3 < Msf::Auxiliary
 def find_link_local(opts = {})
 shost = opts['SHOST'] || datastore['SHOST'] || ipv6_link_address
 hosts = opts['HOSTS'] || []
- smac = opts['SMAC'] || datastore['SMAC'] || ipv6_mac
+ smac = @smac
 timeout = opts['TIMEOUT_NEIGHBOR'] || datastore['TIMEOUT_NEIGHBOR']
 network_prefix = Rex::Socket.addr_aton(shost)[0,8]
@@ -91,7 +91,7 @@ class Metasploit3 < Msf::Auxiliary
 def create_router_advertisment(opts={})
 dhost = "FF02::1"
- smac = opts['SMAC'] || datastore['SMAC'] || ipv6_mac
+ smac = @smac
 shost = opts['SHOST'] || datastore['SHOST'] || ipv6_link_address
 lifetime = opts['LIFETIME'] || datastore['TIMEOUT']
 prefix = opts['PREFIX'] || datastore['PREFIX']
@@ -152,6 +152,22 @@ class Metasploit3 < Msf::Auxiliary
 # Start caputure
 open_pcap({'FILTER' => "icmp6"})
+ @netifaces = true
+ if not netifaces_implemented?
+ print_error("WARNING : Pcaprub is not uptodate, some functionality will not be available")
+ @netifaces = false
+ end
+
+ @interface = datastore['INTERFACE'] || Pcap.lookupdev
+ @shost = datastore['SHOST']
+ @shost ||= get_ipv4_addr(@interface) if @netifaces
+ raise RuntimeError ,'SHOST should be defined' unless @shost
+
+ @smac = datastore['SMAC']
+ @smac ||= get_mac(@interface) if @netifaces
+ @smac ||= ipv6_mac
+ raise RuntimeError ,'SMAC should be defined' unless @smac
+
 # Send router advertisement
 print_status("Sending router advertisement...")
 pkt = create_router_advertisment()
diff --git a/modules/post/windows/gather/arp_scanner.rb b/modules/post/windows/gather/arp_scanner.rb
index dabd1ea709..e72a928e5f 100644
--- a/modules/post/windows/gather/arp_scanner.rb
+++ b/modules/post/windows/gather/arp_scanner.rb
@@ -19,6 +19,7 @@ class Metasploit3 < Msf::Post
 include Msf::Post::Common
 include Msf::Auxiliary::Report
+ OUI_LIST = Rex::Oui
 def initialize(info={})
 super( update_info( info,
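Review bot: `smac = @smac` in `find_link_local` drops the `opts['SMAC']` override the removed line honoured, while `shost` two lines above still honours `opts['SHOST']`, so a caller passing `'SMAC'` in `opts` is now silently ignored; `smac = opts['SMAC'] || @smac` keeps the per-call override together with the new default. The same applies to `create_router_advertisment` in the following hunk. Both methods now also depend on `run` having populated `@smac` first; called on their own they get nil where they previously got `ipv6_mac`. The rest of `find_link_local` lies outside the hunk.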
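Review bot: `raise RuntimeError ,'SHOST should be defined' unless @shost` makes SHOST a hard requirement for this IPv6 module whenever `netifaces_implemented?` is false, yet nothing in the visible hunks reads `@shost`: `find_link_local` and `create_router_advertisment` still derive their own `shost` from `opts`/`datastore` with `ipv6_link_address` as the fallback, so a host that used to work without SHOST now aborts for a value that is never used. The value being demanded also comes from `get_ipv4_addr(@interface)`, which looks like an IPv4 address for a module whose prefix is taken from `Rex::Socket.addr_aton(shost)[0,8]`; this reads as a copy of the ARP module's block rather than a deliberate choice. Mirroring the `@smac ||= ipv6_mac` line below, `@shost ||= ipv6_link_address` with the raise removed restores the earlier behaviour. The raise also fires after `open_pcap`, leaving the capture open on failure; `run` continues outside the hunk.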
@@ -69,8 +70,10 @@ class Metasploit3 < Msf::Post
 h = iphlp.SendARP(ip,0,6,6)
 if h["return"] == client.railgun.const("NO_ERROR")
 mac_text = h["pMacAddr"].unpack('C*').map { |e| "%02x" % e }.join(':')
- print_status("\tIP: #{ip_text} MAC #{mac_text}")
+ company = OUI_LIST::lookup_oui_company_name(mac_text )
+ print_status("\tIP: #{ip_text} MAC #{mac_text} (#{company})")
 report_host(:host => ip_text,:mac => mac_text)
+ report_note(:host => ip_text, :type => "mac_oui", :data => company)
 end
 })
 i += 1
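Review bot: `company` from `OUI_LIST::lookup_oui_company_name(mac_text )` is used unguarded, so a MAC whose prefix is not in the OUI table (locally administered or randomised addresses in particular) will print `()` and store a `mac_oui` note with nil data; whether the lookup returns nil or a placeholder for unknown prefixes is not visible here, so check `Rex::Oui`. Guard the database write, `report_note(:host => ip_text, :type => "mac_oui", :data => company) if company`, and print `(#{company || 'unknown OUI'})` so the output stays readable. Style: the call is better written `OUI_LIST.lookup_oui_company_name(mac_text)`, with a dot rather than `::` for a method and no space before the closing paren. The iteration block this sits in starts outside the hunk.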