metasploit-framework/modules/auxiliary/scanner/discovery/udp_sweep.rb

558 lines
12 KiB
Ruby

##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'openssl'
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'UDP Service Sweeper',
'Version' => '$Revision$',
'Description' => 'Detect common UDP services',
'Author' => 'hdm',
'License' => MSF_LICENSE
)
register_options(
[
Opt::CHOST,
OptInt.new('BATCHSIZE', [true, 'The number of hosts to probe in each set', 256]),
], self.class)
register_advanced_options(
[
OptBool.new('RANDOMIZE_PORTS', [false, 'Randomize the order the ports are probed', true])
], self.class)
# Intialize the probes array
@probes = []
# Add the UDP probe method names
@probes << 'probe_pkt_dns'
@probes << 'probe_pkt_netbios'
@probes << 'probe_pkt_portmap'
@probes << 'probe_pkt_mssql'
@probes << 'probe_pkt_ntp'
@probes << 'probe_pkt_snmp1'
@probes << 'probe_pkt_snmp2'
@probes << 'probe_pkt_sentinel'
@probes << 'probe_pkt_db2disco'
@probes << 'probe_pkt_citrix'
@probes << 'probe_pkt_pca_st'
@probes << 'probe_pkt_pca_nq'
end
def setup
super
if datastore['RANDOMIZE_PORTS']
@probes = @probes.sort_by { rand }
end
end
# Define our batch size
def run_batch_size
datastore['BATCHSIZE'].to_i
end
# Fingerprint a single host
def run_batch(batch)
@results = {}
print_status("Sending #{@probes.length} probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
begin
udp_sock = nil
idx = 0
# Create an unbound UDP socket if no CHOST is specified, otherwise
# create a UDP socket bound to CHOST (in order to avail of pivoting)
udp_sock = Rex::Socket::Udp.create( { 'LocalHost' => datastore['CHOST'] || nil, 'Context' => {'Msf' => framework, 'MsfExploit' => self} })
add_socket(udp_sock)
# Send each probe to each host
@probes.each do |probe|
batch.each do |ip|
begin
data, port = self.send(probe, ip)
udp_sock.sendto(data, ip, port, 0)
rescue ::Interrupt
raise $!
rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
nil
end
if (idx % 30 == 0)
while (r = udp_sock.recvfrom(65535, 0.1) and r[1])
reply_addr = r[1].split(':').last
parse_reply(r) if batch.include? reply_addr
end
end
idx += 1
end
end
cnt = 0
del = 10
sts = Time.now.to_i
while (r = udp_sock.recvfrom(65535, del) and r[1])
reply_addr = r[1].split(':').last
parse_reply(r) if batch.include? reply_addr
# Prevent an indefinite loop if the targets keep replying
cnt += 1
break if cnt > run_batch_size
# Escape after 15 seconds regardless of batch size
break if ((sts + 15) < Time.now.to_i)
del = 1.0
end
rescue ::Interrupt
raise $!
rescue ::Errno::ENOBUFS
print_status("Socket buffers are full, waiting for them to flush...")
while (r = udp_sock.recvfrom(65535, 0.1) and r[1])
reply_addr = r[1].split(':').last
parse_reply(r) if batch.include? reply_addr
end
select(nil, nil, nil, 0.25)
retry
rescue ::Exception => e
print_error("Unknown error: #{e.class} #{e}")
end
@results.each_key do |k|
next if not @results[k].respond_to?('keys')
data = @results[k]
next unless inside_workspace_boundary?(data[:host])
conf = {
:host => data[:host],
:port => data[:port],
:proto => 'udp',
:name => data[:app],
:info => data[:info]
}
if data[:hname]
conf[:host_name] = data[:hname].downcase
end
if data[:mac]
conf[:mac] = data[:mac].downcase
end
report_service(conf)
print_status("Discovered #{data[:app]} on #{k} (#{data[:info]})")
end
end
#
# The response parsers
#
def parse_reply(pkt)
# Ignore "empty" packets
return if not pkt[1]
if(pkt[1] =~ /^::ffff:/)
pkt[1] = pkt[1].sub(/^::ffff:/, '')
end
# Ignore duplicates
hkey = "#{pkt[1]}:#{pkt[2]}"
app = 'unknown'
inf = ''
maddr = nil
hname = nil
# Work with protocols that return different data in different packets
# These are reported at the end of the scanning loop to build state
case pkt[2]
when 5632
@results[hkey] ||= {}
data = @results[hkey]
data[:app] = "pcAnywhere_stat"
data[:port] = pkt[2]
data[:host] = pkt[1]
case pkt[0]
when /^NR(........................)(........)/
name = $1.dup
caps = $2.dup
name = name.gsub(/_+$/, '').gsub("\x00", '').strip
caps = caps.gsub(/_+$/, '').gsub("\x00", '').strip
data[:name] = name
data[:caps] = caps
when /^ST(.+)/
buff = $1.dup
stat = 'Unknown'
if buff[2,1].unpack("C")[0] == 67
stat = "Available"
end
if buff[2,1].unpack("C")[0] == 11
stat = "Busy"
end
data[:stat] = stat
end
if data[:name]
inf << "Name: #{data[:name]} "
end
if data[:stat]
inf << "- #{data[:stat]} "
end
if data[:caps]
inf << "( #{data[:caps]} ) "
end
data[:info] = inf
end
# Ignore duplicates
return if @results[hkey]
case pkt[2]
when 53
app = 'DNS'
ver = nil
if (not ver and pkt[0] =~ /([6789]\.[\w\.\-_\:\(\)\[\]\/\=\+\|\{\}]+)/i)
ver = 'BIND ' + $1
end
ver = 'Microsoft DNS' if (not ver and pkt[0][2,4] == "\x81\x04\x00\x01")
ver = 'TinyDNS' if (not ver and pkt[0][2,4] == "\x81\x81\x00\x01")
ver = pkt[0].unpack('H*')[0] if not ver
inf = ver if ver
@results[hkey] = true
when 137
app = 'NetBIOS'
data = pkt[0]
head = data.slice!(0,12)
xid, flags, quests, answers, auths, adds = head.unpack('n6')
return if quests != 0
return if answers == 0
qname = data.slice!(0,34)
rtype,rclass,rttl,rlen = data.slice!(0,10).unpack('nnNn')
buff = data.slice!(0,rlen)
names = []
case rtype
when 0x21
rcnt = buff.slice!(0,1).unpack("C")[0]
1.upto(rcnt) do
tname = buff.slice!(0,15).gsub(/\x00.*/, '').strip
ttype = buff.slice!(0,1).unpack("C")[0]
tflag = buff.slice!(0,2).unpack('n')[0]
names << [ tname, ttype, tflag ]
end
maddr = buff.slice!(0,6).unpack("C*").map{|c| "%.2x" % c }.join(":")
names.each do |name|
inf << name[0]
inf << ":<%.2x>" % name[1]
if (name[2] & 0x8000 == 0)
inf << ":U :"
else
inf << ":G :"
end
end
inf << maddr
if(names.length > 0)
hname = names[0][0]
end
end
@results[hkey] = true
when 111
app = 'Portmap'
buf = pkt[0]
inf = ""
hed = buf.slice!(0,24)
svc = []
while(buf.length >= 20)
rec = buf.slice!(0,20).unpack("N5")
svc << "#{rec[1]} v#{rec[2]} #{rec[3] == 0x06 ? "TCP" : "UDP"}(#{rec[4]})"
report_service(
:host => pkt[1],
:port => rec[4],
:proto => (rec[3] == 0x06 ? "tcp" : "udp"),
:name => "sunrpc",
:info => "#{rec[1]} v#{rec[2]}",
:state => "open"
)
end
inf = svc.join(", ")
@results[hkey] = true
when 123
app = 'NTP'
ver = nil
ver = pkt[0].unpack('H*')[0]
ver = 'NTP v3' if (ver =~ /^1c06|^1c05/)
ver = 'NTP v4' if (ver =~ /^240304/)
ver = 'NTP v4 (unsynchronized)' if (ver =~ /^e40/)
ver = 'Microsoft NTP' if (ver =~ /^dc00|^dc0f/)
inf = ver if ver
@results[hkey] = true
when 1434
app = 'MSSQL'
mssql_ping_parse(pkt[0]).each_pair { |k,v|
inf += k+'='+v+' '
}
@results[hkey] = true
when 161
app = 'SNMP'
asn = OpenSSL::ASN1.decode(pkt[0]) rescue nil
return if not asn
snmp_error = asn.value[0].value rescue nil
snmp_comm = asn.value[1].value rescue nil
snmp_data = asn.value[2].value[3].value[0] rescue nil
snmp_oid = snmp_data.value[0].value rescue nil
snmp_info = snmp_data.value[1].value rescue nil
return if not (snmp_error and snmp_comm and snmp_data and snmp_oid and snmp_info)
snmp_info = snmp_info.to_s.gsub(/\s+/, ' ')
inf = snmp_info
com = snmp_comm
@results[hkey] = true
when 5093
app = 'Sentinel'
@results[hkey] = true
when 523
app = 'ibm-db2'
inf = db2disco_parse(pkt[0])
@results[hkey] = true
when 1604
app = 'citrix-ica'
return unless citrix_parse(pkt[0])
@results[hkey] = true
end
return unless inside_workspace_boundary?(pkt[1])
report_service(
:host => pkt[1],
:mac => (maddr and maddr != '00:00:00:00:00:00') ? maddr : nil,
:host_name => (hname) ? hname.downcase : nil,
:port => pkt[2],
:proto => 'udp',
:name => app,
:info => inf,
:state => "open"
)
print_status("Discovered #{app} on #{pkt[1]}:#{pkt[2]} (#{inf})")
end
#
# Parse a db2disco packet.
#
def db2disco_parse(data)
res = data.split("\x00")
"#{res[2]}_#{res[1]}"
end
#
# Validate this is truly Citrix ICA; returns true or false.
#
def citrix_parse(data)
server_response = "\x30\x00\x02\x31\x02\xfd\xa8\xe3\x02\x00\x06\x44" # Server hello response
data =~ /^#{server_response}/
end
#
# Parse a 'ping' response and format as a hash
#
def mssql_ping_parse(data)
res = {}
var = nil
idx = data.index('ServerName')
return res if not idx
data[idx, data.length-idx].split(';').each do |d|
if (not var)
var = d
else
if (var.length > 0)
res[var] = d
var = nil
end
end
end
return res
end
#
# The probe definitions
#
def probe_pkt_dns(ip)
data = [rand(0xffff)].pack('n') +
"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"+
"\x07"+ "VERSION"+
"\x04"+ "BIND"+
"\x00\x00\x10\x00\x03"
return [data, 53]
end
def probe_pkt_netbios(ip)
data =
[rand(0xffff)].pack('n')+
"\x00\x00\x00\x01\x00\x00\x00\x00"+
"\x00\x00\x20\x43\x4b\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x00\x00\x21\x00\x01"
return [data, 137]
end
def probe_pkt_portmap(ip)
data =
[
rand(0xffffffff), # XID
0, # Type
2, # RPC Version
100000, # Program ID
2, # Program Version
4, # Procedure
0, 0, # Credentials
0, 0, # Verifier
].pack('N*')
return [data, 111]
end
def probe_pkt_mssql(ip)
return ["\x02", 1434]
end
def probe_pkt_ntp(ip)
data =
"\xe3\x00\x04\xfa\x00\x01\x00\x00\x00\x01\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\xc5\x4f\x23\x4b\x71\xb1\x52\xf3"
return [data, 123]
end
def probe_pkt_sentinel(ip)
return ["\x7a\x00\x00\x00\x00\x00", 5093]
end
def probe_pkt_snmp1(ip)
name = 'public'
xid = rand(0x100000000)
pdu =
"\x02\x01\x00" +
"\x04" + [name.length].pack('c') + name +
"\xa0\x1c" +
"\x02\x04" + [xid].pack('N') +
"\x02\x01\x00" +
"\x02\x01\x00" +
"\x30\x0e\x30\x0c\x06\x08\x2b\x06\x01\x02\x01" +
"\x01\x01\x00\x05\x00"
head = "\x30" + [pdu.length].pack('C')
data = head + pdu
[data, 161]
end
def probe_pkt_snmp2(ip)
name = 'public'
xid = rand(0x100000000)
pdu =
"\x02\x01\x01" +
"\x04" + [name.length].pack('c') + name +
"\xa1\x19" +
"\x02\x04" + [xid].pack('N') +
"\x02\x01\x00" +
"\x02\x01\x00" +
"\x30\x0b\x30\x09\x06\x05\x2b\x06\x01\x02\x01" +
"\x05\x00"
head = "\x30" + [pdu.length].pack('C')
data = head + pdu
[data, 161]
end
def probe_pkt_db2disco(ip)
data = "DB2GETADDR\x00SQL05000\x00"
[data, 523]
end
def probe_pkt_citrix(ip) # Server hello packet from citrix_published_bruteforce
data =
"\x1e\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00"
return [data, 1604]
end
def probe_pkt_pca_st(ip)
return ["ST", 5632]
end
def probe_pkt_pca_nq(ip)
return ["NQ", 5632]
end
end