## # $Id: ipv6_multicast_ping.rb 13962 2011-10-17 02:42:01Z todb $ ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Capture include Msf::Exploit::Remote::Ipv6 include Msf::Auxiliary::Report def initialize super( 'Name' => 'IPv6 Link Local/Node Local Ping Discovery', 'Version' => '$Revision: 13962 $', 'Description' => %q{ Send a ICMPv6 ping request to all default multicast addresses, and wait to see who responds. }, 'Author' => 'wuntee', 'License' => MSF_LICENSE, 'References' => [ ['URL','http://wuntee.blogspot.com/2010/12/ipv6-ping-host-discovery-metasploit.html'] ] ) deregister_options('SNAPLEN', 'FILTER', 'RHOST', 'PCAPFILE') end def listen_for_ping_response(opts = {}) hosts = {} timeout = opts['TIMEOUT'] || datastore['TIMEOUT'] prefix = opts['PREFIX'] || datastore['PREFIX'] max_epoch = ::Time.now.to_i + timeout while(::Time.now.to_i < max_epoch) pkt_bytes = capture.next() Kernel.select(nil,nil,nil,0.1) next if not pkt_bytes p = PacketFu::Packet.parse(pkt_bytes) # Don't bother checking if it's an echo reply, since Neighbor Solicitations # and any other response is just as good. next unless p.is_ipv6? host_addr = p.ipv6_saddr host_mac = p.eth_saddr next if host_mac == @smac unless hosts[host_addr] == host_mac hosts[host_addr] = host_mac print_status(" |*| #{host_addr} => #{host_mac}") end end return hosts end def smac smac = datastore['SMAC'] smac ||= get_mac(@interface) if @netifaces smac ||= ipv6_mac smac end def run # Start capture open_pcap({'FILTER' => "icmp6"}) @netifaces = true if not netifaces_implemented? print_error("WARNING : Pcaprub is not uptodate, some functionality will not be available") @netifaces = false end @interface = datastore['INTERFACE'] || Pcap.lookupdev # Send ping print_status("Sending multicast pings...") dmac = "33:33:00:00:00:01" @smac = smac # Figure out our source address by the link-local interface shost = ipv6_link_address # m-1-k-3: added some more multicast addresses from wikipedia: https://en.wikipedia.org/wiki/Multicast_address#IPv6 ping6("FF01::1", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #node-local all nodes ping6("FF01::2", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #node-local all routers ping6("FF02::1", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #All nodes on the local network segment ping6("FF02::2", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #All routers on the local network segment ping6("FF02::5", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #OSPFv3 AllSPF routers ping6("FF02::6", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #OSPFv3 AllDR routers ping6("FF02::9", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #RIP routers ping6("FF02::a", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #EIGRP routers ping6("FF02::d", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #PIM routers ping6("FF02::16", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #MLDv2 reports (defined in RFC 3810) ping6("ff02::1:2", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #All DHCP servers and relay agents on the local network site (defined in RFC 3315) ping6("ff05::1:3", {"DMAC" => dmac, "SHOST" => shost, "SMAC" => @smac, "WAIT" => false}) #All DHCP servers on the local network site (defined in RFC 3315) # Listen for host advertisments print_status("Listening for responses...") listen_for_ping_response() # Close capture close_pcap() end end