GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
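# Auxiliary discovery module: sends ICMPv6 echo requests to a fixed list of
# multicast groups on one interface and records the source IPv6 address and
# source MAC of every IPv6 frame the capture returns afterwards.
#
# Reading the results: the listener does not check that a frame is an echo
# reply, and both addresses are copied from frame headers. Each entry is
# therefore an unauthenticated observation of ICMPv6 traffic on the link
# during the listening window, not proof that the host answered the probe.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Capture
  include Msf::Exploit::Remote::Ipv6
  include Msf::Auxiliary::Report

  # Registers the module metadata and removes the capture options that the
  # module does not let the user set (#run always captures with "icmp6").
  def initialize
    super(
      'Name' => 'IPv6 Link Local/Node Local Ping Discovery',
      'Description' => %q{
        Send a ICMPv6 ping request to all default multicast addresses, and wait to see who responds.
      },
      'Author' => 'wuntee',
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['URL', 'http://wuntee.blogspot.com/2010/12/ipv6-ping-host-discovery-metasploit.html']
        ]
    )

    deregister_options('SNAPLEN', 'FILTER', 'PCAPFILE')
  end

  # Collects IPv6 source address => source MAC pairs from captured frames
  # until the timeout expires, printing each new or changed pair once.
  #
  # @param opts [Hash] optional overrides; 'TIMEOUT' (seconds) takes
  #   precedence over datastore['TIMEOUT']
  # @return [Hash] observed IPv6 source address => source MAC
  def listen_for_ping_response(opts = {})
    hosts = {}
    timeout = opts['TIMEOUT'] || datastore['TIMEOUT']

    # A monotonic deadline keeps the listening window at `timeout` seconds
    # even if the wall clock is adjusted while the module is running.
    deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + timeout

    while Process.clock_gettime(Process::CLOCK_MONOTONIC) < deadline
      pkt_bytes = capture.next
      unless pkt_bytes
        # Pause only when nothing is queued. Pausing after every frame caps
        # processing at about ten frames per second, so a burst of replies
        # could still be unread when the deadline passes.
        Kernel.select(nil, nil, nil, 0.1)
        next
      end

      pkt = PacketFu::Packet.parse(pkt_bytes)
      # Don't bother checking if it's an echo reply, since Neighbor Solicitations
      # and any other response is just as good.
      next unless pkt.is_ipv6?

      host_addr = pkt.ipv6_saddr
      host_mac = pkt.eth_saddr
      # Frames carrying our own source MAC are the probes we just sent.
      next if host_mac == @smac
      next if hosts[host_addr] == host_mac

      hosts[host_addr] = host_mac
      print_status(" |*| #{host_addr} => #{host_mac}")
    end

    hosts
  end

  # Picks the source MAC for the probes: the SMAC option if set, else the
  # MAC of @interface when the netifaces helpers are usable, else ipv6_mac.
  #
  # @return [String, nil] whatever the first source that yields a value returns
  def smac
    mac = datastore['SMAC']
    mac ||= get_mac(@interface) if @netifaces
    mac || ipv6_mac
  end

  # Opens an ICMPv6 capture, sends one echo request to each multicast group
  # in the list below, listens for the configured timeout, then closes the
  # capture.
  def run
    # Start capture
    open_pcap({ 'FILTER' => 'icmp6' })

    begin
      @netifaces = netifaces_implemented? ? true : false
      print_error('WARNING : Pcaprub is not up-to-date, some functionality will not be available') unless @netifaces

      @interface = datastore['INTERFACE'] || Pcap.lookupdev

      # Send ping
      print_status('Sending multicast pings...')
      # NOTE(review): every probe is framed to the all-nodes Ethernet group,
      # whatever its IPv6 destination is; RFC 2464 maps each group to 33:33
      # plus the low 32 bits of the group address. Confirm this is intended.
      dmac = '33:33:00:00:00:01'
      @smac = smac
      # Figure out our source address by the link-local interface
      shost = ipv6_link_address

      # m-1-k-3: added some more multicast addresses from wikipedia: https://en.wikipedia.org/wiki/Multicast_address#IPv6
      targets = [
        'FF01::1',   # node-local all nodes
        'FF01::2',   # node-local all routers
        'FF02::1',   # All nodes on the local network segment
        'FF02::2',   # All routers on the local network segment
        'FF02::5',   # OSPFv3 AllSPF routers
        'FF02::6',   # OSPFv3 AllDR routers
        'FF02::9',   # RIP routers
        'FF02::a',   # EIGRP routers
        'FF02::d',   # PIM routers
        'FF02::16',  # MLDv2 reports (defined in RFC 3810)
        'ff02::1:2', # All DHCP servers and relay agents on the local network site (defined in RFC 3315)
        'ff05::1:3'  # All DHCP servers on the local network site (defined in RFC 3315)
      ]

      targets.each do |group|
        # A fresh options hash per call, as in the original call sites.
        ping6(group, { 'DMAC' => dmac, 'SHOST' => shost, 'SMAC' => @smac, 'WAIT' => false })
      end

      # Listen for host advertisements
      print_status('Listening for responses...')
      listen_for_ping_response
    ensure
      # Close capture even when address lookup, sending or parsing raises,
      # so an aborted run does not leave the capture handle open.
      close_pcap
    end
  end
end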