Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/lib/msf/core/exploit/capture.rb
Views: 11784
# -*- coding: binary -*-1module Msf23###4#5# This module provides methods for sending and receiving6# raw packets. It should be preferred over the soon-to-be7# deprecated Rex::Socket::Ip and Msf::Exploit::Remote::Ip8# mixins.9#10# Please see the pcaprub documentation for more information11# on how to use capture objects.12#13###1415class Exploit16module Capture1718#19# Initializes an instance of an exploit module that captures traffic20#2122def initialize(info = {})23super2425register_options(26[27OptPath.new('PCAPFILE', [false, 'The name of the PCAP capture file to process']),28OptString.new('INTERFACE', [false, 'The name of the interface']),29OptString.new('FILTER', [false, 'The filter string for capturing traffic']),30OptInt.new('SNAPLEN', [true, 'The number of bytes to capture', 65535]),31OptInt.new('TIMEOUT', [true, 'The number of seconds to wait for new data', 500]),32Opt::RHOST3334], Msf::Exploit::Capture35)3637register_advanced_options(38[39OptInt.new('SECRET', [true, 'A 32-bit cookie for probe requests.', 'MSF!'.unpack('N').first]),40OptAddress.new('GATEWAY_PROBE_HOST',41[42true,43'Send a TTL=1 random UDP datagram to this host to discover the default gateway\'s MAC',44'8.8.8.8']),45OptPort.new('GATEWAY_PROBE_PORT',46[47false,48'The port on GATEWAY_PROBE_HOST to send a random UDP probe to (random if 0 or unset)'])49], Msf::Exploit::Capture50)5152begin53require 'packetfu'54require 'pcaprub'55@pcaprub_loaded = true56rescue ::LoadError => e57@pcaprub_loaded = false58@pcaprub_error = e59end6061begin62require 'network_interface'63@network_interface_loaded = true64rescue ::LoadError => e65@network_interface_loaded = false66@network_interface_error = e67end6869end7071def stats_recv(pcap=self.capture)72return(0) unless pcap73pcap.stats['recv']74end7576def stats_drop(pcap=self.capture)77return(0) unless pcap78pcap.stats['drop']79end8081def stats_ifdrop(pcap=self.capture)82return(0) unless pcap83pcap.stats['ifdrop']84end8586#87# Opens a handle to the specified device88#89def open_pcap(opts={})90check_pcaprub_loaded91if RUBY_PLATFORM == "i386-mingw32"92if opts['INTERFACE'] or datastore['INTERFACE']93dev = opts['INTERFACE'] || datastore['INTERFACE']94if is_interface?(dev)95dev = get_interface_guid(dev)96end97end98else99dev = opts['INTERFACE'] || datastore['INTERFACE'] || nil100end101102len = (opts['SNAPLEN'] || datastore['SNAPLEN'] || 65535).to_i103tim = (opts['TIMEOUT'] || datastore['TIMEOUT'] || 0).to_i104fil = opts['FILTER'] || datastore['FILTER']105do_arp = (opts['ARPCAP'] == false) ? false : true106107# Look for a PCAP file108cap = datastore['PCAPFILE'] || ''109110if (not cap.empty?)111if (not File.exist?(cap))112raise RuntimeError, "The PCAP file #{cap} could not be found"113end114self.capture = ::Pcap.open_offline(cap)115else116dev ||= ::Pcap.lookupdev117118unless RUBY_PLATFORM == "i386-mingw32"119system("ifconfig", dev, "up")120end121122self.capture = ::Pcap.open_live(dev, len, true, tim)123if do_arp124self.arp_capture = ::Pcap.open_live(dev, 512, true, tim)125preamble = datastore['SECRET'].to_i126arp_filter = "arp[6:2] = 2 or (udp[8:4] = #{preamble})"127self.arp_capture.setfilter(arp_filter)128end129end130131if (not self.capture)132raise RuntimeError, "Could not start the capture process"133elsif (do_arp and !self.arp_capture and cap.empty?)134raise RuntimeError, "Could not start the ARP capture process"135end136137self.capture.setfilter(fil) if fil138end139140def close_pcap141return unless self.capture142self.capture = nil143self.arp_capture = nil144end145146def capture_extract_ies(raw)147set = {}148idx = 0149len = 0150151while (idx < raw.length)152len = raw[idx+1]153return set unless len154set[raw[idx]] ||= []155set[raw[idx]].push(raw[idx + 2, len])156idx += len + 2157end158159return set160end161162#163# Loop through each packet164#165def each_packet166return unless capture167@capture_count ||= 0168capture.each do |pkt|169yield(pkt)170@capture_count += 1171end172@capture_count173end174175# Injects a packet on the wire. For all injection-related functions, it's176# on the module to open up a capture device first (this way, we don't177# needlessly spawn new capture devices).178def inject(pkt="", pcap=self.capture)179check_pcaprub_loaded180if not pcap181raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"182else183pcap.inject(pkt.to_s) # Can be a PacketFu Packet object or a pre-packed string184end185end186187# Injects an Ethernet packet with an optional payload. The payload188# may be a regular PacketFu packet, an EthHeader, or a string.189def inject_eth(args={})190eth_daddr = args[:eth_daddr] || "ff:ff:ff:ff:ff:ff"191eth_saddr = args[:eth_saddr] || "00:00:00:00:00:00"192eth_type = args[:eth_type] || 0x0800 # IP default193payload = args[:payload]194pcap = args[:pcap] || self.capture195p = PacketFu::EthPacket.new196p.eth_daddr = eth_daddr197p.eth_saddr = eth_saddr198p.eth_proto = eth_type199if payload200if payload.kind_of? PacketFu::EthPacket201p.payload = payload.eth_header.body202elsif payload.kind_of? PacketFu::EthHeader203p.payload = payload.body204else205p.payload = payload.to_s206end207end208inject p.to_s, pcap209end210211def inject_pcap(pcap_file, filter=nil, delay = 0, pcap=self.capture)212check_pcaprub_loaded213unless pcap214raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"215end216217if (not File.exist?(pcap_file))218raise RuntimeError, "The PCAP file #{pcap_file} could not be found"219end220221if (pcap_file.empty?)222raise RuntimeError, "The PCAP file #{pcap_file} is empty"223end224225capture_file = ::Pcap.open_offline(pcap_file)226capture_file.setfilter(filter) if filter227while (pkt = capture_file.next) do228pcap.inject(pkt)229Rex.sleep((delay * 1.0)/1000)230end231end232233# Sends a payload to a given target using the pcap capture interface234#235# == Parameters:236# payload:: The payload String to send237# dhost:: the destination host to send to238# bcast:: set to `true` to send to the broadcast address if necessary239# dev:: the name of the network interface to send the payload on240#241# == Returns:242# The number of bytes sent iff the payload was successfully sent/injected. `false` otherwise243def capture_sendto(payload="", dhost=nil, bcast=false, dev=nil)244raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)" unless self.capture245raise RuntimeError, "Must specify a host to sendto" unless dhost246dev ||= datastore['INTERFACE']247dst_mac, src_mac = lookup_eth(dhost, dev)248if dst_mac == nil and not bcast249vprint_error("Unable to determine the destination MAC for #{dhost} on #{dev} and bcast is false")250return false251end252inject_eth(:payload => payload, :eth_daddr => dst_mac, :eth_saddr => src_mac)253end254255# The return value either be a PacketFu::Packet object, or nil256def inject_reply(proto=:udp, pcap=self.capture)257# Defaults to ~2 seconds258to = ((datastore['TIMEOUT'] || 500).to_f * 4) / 1000.0259raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)" if not pcap260begin261::Timeout.timeout(to) do262pcap.each do |r|263packet = PacketFu::Packet.parse(r)264next unless packet.proto.map { |x| x.downcase.to_sym }.include? proto265return packet266end267end268rescue ::Timeout::Error269end270nil271end272273# This ascertains the correct Ethernet addresses one should use to274# ensure injected IP packets actually get where they are going, and275# manages the self.arp_cache hash. It always uses self.arp_capture276# to inject and capture packets, and will always first fire off a277# UDP packet using the regular socket to learn the source host's278# and gateway's mac addresses.279def lookup_eth(addr=nil, iface=nil)280raise RuntimeError, "Could not access the capture process." unless self.arp_capture281282self.arp_cache ||= {}283self.dst_cache ||= {}284285return self.dst_cache[addr] if self.dst_cache[addr]286287if !self.arp_cache[Rex::Socket.source_address(addr)]288probe_gateway(addr)289end290291src_mac = self.arp_cache[Rex::Socket.source_address(addr)]292if should_arp?(addr)293dst_mac = self.arp_cache[addr] || arp(addr)294else295dst_mac = self.arp_cache[:gateway]296end297298self.dst_cache[addr] = [dst_mac, src_mac]299end300301def probe_gateway(addr)302dst_host = datastore['GATEWAY_PROBE_HOST']303dst_port = datastore['GATEWAY_PROBE_PORT'].to_i == 0 ? rand(30000) + 1024 : datastore['GATEWAY_PROBE_PORT']304preamble = [datastore['SECRET']].pack("N")305secret = "#{preamble}#{Rex::Text.rand_text(rand(0xff)+1)}"306307begin308UDPSocket.open do |sock|309sock.setsockopt(::Socket::IPPROTO_IP, ::Socket::IP_TTL, 1)310sock.send(secret, 0, dst_host, dst_port)311end312rescue Errno::ENETUNREACH313# This happens on networks with no gateway. We'll need to use a314# fake source hardware address.315self.arp_cache[Rex::Socket.source_address(addr)] = "00:00:00:00:00:00"316end317318begin319to = ((datastore['TIMEOUT'] || 500).to_f * 8) / 1000.0320::Timeout.timeout(to) do321loop do322my_packet = inject_reply(:udp, self.arp_capture)323next unless my_packet324next unless my_packet.payload == secret325dst_mac = self.arp_cache[:gateway] = my_packet.eth_daddr326src_mac = self.arp_cache[Rex::Socket.source_address(addr)] = my_packet.eth_saddr327return [dst_mac, src_mac]328end329end330rescue ::Timeout::Error331# Well, that didn't work (this is common on networks where there's no gateway, like332# VMWare network interfaces. We'll need to use a fake source hardware address.333self.arp_cache[Rex::Socket.source_address(addr)] = "00:00:00:00:00:00"334end335end336337# A pure-Ruby ARP exchange. It uses self.arp_capture to send and recv338# packets, rather than self.capture.339def arp(target_ip=nil)340return self.arp_cache[target_ip] if self.arp_cache[target_ip]341return self.arp_cache[:gateway] unless should_arp? target_ip342source_ip = Rex::Socket.source_address(target_ip)343raise RuntimeError, "Could not access the capture process." unless self.arp_capture344345p = arp_packet(target_ip, source_ip)346347# Try up to 3 times to get an ARP response3481.upto(3) do349inject_eth(:eth_type => 0x0806,350:payload => p,351:pcap => self.arp_capture,352:eth_saddr => self.arp_cache[Rex::Socket.source_address(target_ip)]353)354begin355to = ((datastore['TIMEOUT'] || 500).to_f * 8) / 1000.0356::Timeout.timeout(to) do357loop do358my_packet = inject_reply(:arp, self.arp_capture)359next unless my_packet360next unless my_packet.arp_saddr_ip == target_ip361self.arp_cache[target_ip] = my_packet.eth_saddr362return self.arp_cache[target_ip]363end364end365rescue ::Timeout::Error366end367end368nil369end370371# Creates a full ARP packet, mainly for use with inject_eth()372def arp_packet(target_ip=nil, source_ip=nil)373p = PacketFu::ARPPacket.new374p.arp_opcode = 1375p.arp_daddr_ip = target_ip || datastore['RHOST']376p.arp_saddr_ip = source_ip || datastore['LHOST']377my_eth = self.arp_cache[Rex::Socket.source_address(target_ip)]378p.arp_saddr_mac = my_eth || "00:00:00:00:00:00"379return p380end381382# Allow modules to reset their arp caches arbitrarily.383def expire_arpcache384self.arp_cache = {}385end386387# For compatibility with Msf::Exploit::Remote::Ip388def rhost389datastore['RHOST']390end391392def check_pcaprub_loaded393if not @pcaprub_loaded394print_status("The Pcaprub module is not available: #{@pcaprub_error}")395raise RuntimeError, "Pcaprub not available"396elsif not @network_interface_loaded397print_status("The NetworkInterface module is not available: #{@network_interface_error}")398raise RuntimeError, "NetworkInterface not available"399else400true401end402end403404def lookupnet405check_pcaprub_loaded406dev = datastore['INTERFACE'] || ::Pcap.lookupdev407begin408my_ip, my_mask = Pcap.lookupnet(dev)409# convert the netmask obtained from the relevant interface to CIDR410cidr_mask = my_mask.to_s(2).count('1')411my_net = IPAddr.new("#{my_ip}/#{cidr_mask}")412rescue RuntimeError => e413@pcaprub_error = e414print_status("Cannot stat device: #{@pcaprub_error}")415raise RuntimeError, "Pcaprub error: #{@pcaprub_error}"416end417return my_net418end419420def should_arp?(ip)421lookupnet.include?(IPAddr.new(ip))422end423424attr_accessor :capture, :arp_cache, :arp_capture, :dst_cache425426# Netifaces code427428def netifaces_implemented?429@network_interface_loaded and430NetworkInterface.respond_to?(:interfaces) and431NetworkInterface.respond_to?(:addresses)432end433434def list_interfaces435check_pcaprub_loaded436NetworkInterface.interfaces437end438439def is_interface?(dev)440check_pcaprub_loaded441if RUBY_PLATFORM == "i386-mingw32"442if dev =~ /\\Device\\NPF_\{[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}\}/443return NetworkInterface.interfaces.include?(dev)444elsif dev.to_s =~ /^[0-9]{1,2}$/445if (dev.to_i <= NetworkInterface.interfaces.length) and (dev.to_i >= 0)446return true447else448return false449end450else451return false452end453else454return NetworkInterface.interfaces.include?(dev)455end456end457458# This function is useful only on windows where pcaprub use the GUID459def get_interface_guid(dev)460check_pcaprub_loaded461if RUBY_PLATFORM == "i386-mingw32"462if dev.to_s =~ /^[0-9]{1,2}$/463if is_interface?(dev)464NetworkInterface.interfaces[(dev.to_i) - 1]465else466return dev467end468else469return dev470end471else #Non windows472return dev473end474end475476def get_mac(dev)477check_pcaprub_loaded478dev = get_interface_guid(dev)479addrs = NetworkInterface.addresses(dev)480raise RuntimeError, "Interface #{dev} does not exist" if !addrs481raise RuntimeError, "Cannot get mac address for interface #{dev}" if !addrs[NetworkInterface::AF_LINK][0]['addr']482addrs[NetworkInterface::AF_LINK][0]['addr']483end484485def get_ipv4_addr_count(dev)486check_pcaprub_loaded487dev = get_interface_guid(dev)488addrs = NetworkInterface.addresses(dev)489raise RuntimeError, "Interface #{dev} does not exist" if !addrs490addrs[NetworkInterface::AF_INET].length491end492493def get_ipv4_addr(dev, num=0)494check_pcaprub_loaded495dev = get_interface_guid(dev)496addrs = NetworkInterface.addresses(dev)497raise RuntimeError, "Interface #{dev} does not exist" if !addrs498raise RuntimeError, "Interface #{dev} does not have an ipv4 address at position #{num}" if addrs[NetworkInterface::AF_INET].length < num + 1499raise RuntimeError, "Cannot get the IPv4 address for interface #{dev}" if !addrs[NetworkInterface::AF_INET][num]['addr']500addrs[NetworkInterface::AF_INET][num]['addr']501end502503def get_ipv4_netmask(dev, num=0)504check_pcaprub_loaded505dev = get_interface_guid(dev)506addrs = NetworkInterface.addresses(dev)507raise RuntimeError, "Interface #{dev} does not exist" if !addrs508raise RuntimeError, "Interface #{dev} does not have an ipv4 address at position #{num}" if addrs[NetworkInterface::AF_INET].length < num + 1509raise RuntimeError, "Cannot get IPv4 netmask for interface #{dev}" if !addrs[NetworkInterface::AF_INET][num]['netmask']510addrs[NetworkInterface::AF_INET][num]['netmask']511end512513def get_ipv4_broadcast(dev, num=0)514check_pcaprub_loaded515dev = get_interface_guid(dev)516addrs = NetworkInterface.addresses(dev)517raise RuntimeError, "Interface #{dev} do not exists" if !addrs518raise RuntimeError, "Interface #{dev} do not have an ipv4 address at position #{num}" if addrs[NetworkInterface::AF_INET].length < num + 1519raise RuntimeError, "Cannot get IPv4 broadcast address for interface #{dev}" if !addrs[NetworkInterface::AF_INET][num]['broadcast']520addrs[NetworkInterface::AF_INET][num]['broadcast']521end522523def get_ipv6_addr_count(dev)524check_pcaprub_loaded525dev = get_interface_guid(dev)526raise RuntimeError, "IPv6 information is not available on this platform" unless ::NetworkInterface.const_defined?(:AF_INET6)527addrs = NetworkInterface.addresses(dev)528raise RuntimeError, "Interface #{dev} do not exists" if !addrs529addrs[NetworkInterface::AF_INET6].length530end531532# NOTE: IPv6 is not implemented on Windows533def get_ipv6_addr(dev, num=0)534check_pcaprub_loaded535dev = get_interface_guid(dev)536raise RuntimeError, "IPv6 information is not available on this platform" unless ::NetworkInterface.const_defined?(:AF_INET6)537addrs = NetworkInterface.addresses(dev)538raise RuntimeError, "Interface #{dev} do not exists" if !addrs539raise RuntimeError, "Interface #{dev} do not have an ipv6 address at position #{num}" if addrs[NetworkInterface::AF_INET6].length < num + 1540raise RuntimeError, "Cannot get ipv6 address for interface #{dev}" if !addrs[NetworkInterface::AF_INET6][num]['addr']541addrs[NetworkInterface::AF_INET6][num]['addr'].gsub(/%(.)*$/, '')542end543544def get_ipv6_netmask(dev, num=0)545check_pcaprub_loaded546dev = get_interface_guid(dev)547raise RuntimeError, "IPv6 information is not available on this platform" unless ::NetworkInterface.const_defined?(:AF_INET6)548addrs = NetworkInterface.addresses(dev)549raise RuntimeError, "Interface #{dev} do not exists" if !addrs550raise RuntimeError, "Interface #{dev} do not have an ipv6 address at position #{num}" if addrs[NetworkInterface::AF_INET6].length < num + 1551raise RuntimeError, "Cannot get ipv6 netmask address for interface #{dev}" if !addrs[NetworkInterface::AF_INET6][num]['netmask']552addrs[NetworkInterface::AF_INET6][num]['netmask']553end554555# Protocol-specific encoding/decoding methods until more556# application protos get into PacketFu proper557558# Intended to be used as the payload to an ICMP echo request's payload559def capture_icmp_echo_pack(id=nil, seq=nil, payload=nil)560id ||= rand(0x10000)561seq ||= rand(0x10000)562[id, seq, payload.to_s].pack("nna*")563end564565# Decodes and ICMP echo request or response.566def capture_icmp_echo_unpack(data)567data.unpack("nna*")568end569570end571572end573574end575576577