Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/bnat/bnat_scan.rb
19535 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Auxiliary::Scanner

8
  include Msf::Exploit::Capture

9


10
  def initialize

11
    super(

12
      'Name' => 'BNAT Scanner',

13
      'Description' => %q{

14
          This module is a scanner which can detect Broken NAT (network address translation)

15
        implementations, which could result in an inability to reach ports on remote

16
        machines. Typically, these ports will appear in nmap scans as 'filtered'/'closed'.

17
      },

18
      'Author' => [

19
        'bannedit',

20
        'Jonathan Claudius <jclaudius[at]trustwave.com>',

21
      ],

22
      'License' => MSF_LICENSE,

23
      'References' => [

24
        ['URL', 'https://github.com/claudijd/bnat'],

25
        ['URL', 'http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels']

26
      ]

27
    )

28


29
    register_options(

30
      [

31
        OptString.new('PORTS', [true, 'Ports to scan (e.g. 22-25,80,110-900)', '21,22,23,80,443']),

32
        OptString.new('INTERFACE', [true, 'The name of the interface', 'eth0']),

33
        OptInt.new('TIMEOUT', [true, 'The reply read timeout in milliseconds', 500])

34
      ]

35
    )

36


37
    deregister_options('FILTER', 'PCAPFILE', 'SNAPLEN')

38
  end

39


40
  def probe_reply(pcap, to)

41
    reply = nil

42
    begin

43
      Timeout.timeout(to) do

44
        pcap.each do |r|

45
          pkt = PacketFu::Packet.parse(r)

46
          next unless pkt.is_tcp?

47


48
          reply = pkt

49
          break

50
        end

51
      end

52
    rescue Timeout::Error => e

53
      vprint_error(e.message)

54
    end

55
    return reply

56
  end

57


58
  def generate_probe(ip)

59
    ftypes = %w[windows linux freebsd]

60
    @flavor = ftypes.sample

61
    config = PacketFu::Utils.whoami?(iface: datastore['INTERFACE'])

62
    p = PacketFu::TCPPacket.new(config: config)

63
    p.ip_daddr = ip

64
    p.tcp_flags.syn = 1

65
    return p

66
  end

67


68
  def run_host(ip)

69
    ports = Rex::Socket.portspec_crack(datastore['PORTS'])

70


71
    if ports.empty?

72
      raise Msf::OptionValidateError, ['PORTS']

73
    end

74


75
    open_pcap

76


77
    to = (datastore['TIMEOUT'] || 500).to_f / 1000.0

78


79
    p = generate_probe(ip)

80
    pcap = capture

81


82
    ports.each_with_index do |port, _i|

83
      p.tcp_dst = port

84
      p.tcp_src = rand(1024..65534)

85
      p.tcp_seq = rand(1024..65534)

86
      p.recalc

87


88
      ackbpf = "tcp [8:4] == 0x#{(p.tcp_seq + 1).to_s(16)}"

89
      pcap.setfilter("tcp and tcp[13] == 18 and not host #{ip} and src port #{p.tcp_dst} and dst port #{p.tcp_src} and #{ackbpf}")

90
      break unless capture_sendto(p, ip)

91


92
      reply = probe_reply(pcap, to)

93
      next if reply.nil?

94


95
      print_status("[BNAT RESPONSE] Requested IP: #{ip} Responding IP: #{reply.ip_saddr} Port: #{reply.tcp_src}")

96
    end

97


98
    close_pcap

99
  end

100
end

101


102