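##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Capture
  include Msf::Exploit::Remote::Ipv6
  include Msf::Auxiliary::Report

  # Ethernet destination MAC used for every outgoing ping6 frame.
  ALL_NODES_DMAC = '33:33:00:00:00:01'

  # Multicast groups that receive an echo request, in send order, each with a
  # short label. Kept as data so the list can be reviewed and extended in one
  # place instead of as a run of near-identical ping6 calls.
  # m-1-k-3: added some more multicast addresses from wikipedia: https://en.wikipedia.org/wiki/Multicast_address#IPv6
  MULTICAST_TARGETS = [
    ['FF01::1', 'node-local all nodes'],
    ['FF01::2', 'node-local all routers'],
    ['FF02::1', 'All nodes on the local network segment'],
    ['FF02::2', 'All routers on the local network segment'],
    ['FF02::5', 'OSPFv3 AllSPF routers'],
    ['FF02::6', 'OSPFv3 AllDR routers'],
    ['FF02::9', 'RIP routers'],
    ['FF02::a', 'EIGRP routers'],
    ['FF02::d', 'PIM routers'],
    ['FF02::16', 'MLDv2 reports (defined in RFC 3810)'],
    ['ff02::1:2', 'All DHCP servers and relay agents on the local network site (defined in RFC 3315)'],
    ['ff05::1:3', 'All DHCP servers on the local network site (defined in RFC 3315)']
  ].freeze

  def initialize
    super(
      'Name' => 'IPv6 Link Local/Node Local Ping Discovery',
      'Description' => %q{
        Send a ICMPv6 ping request to all default multicast addresses, and wait to see who responds.
      },
      'Author' => 'wuntee',
      'License' => MSF_LICENSE,
      'References' => [
        ['URL', 'http://wuntee.blogspot.com/2010/12/ipv6-ping-host-discovery-metasploit.html']
      ]
    )

    # The capture filter is fixed to icmp6 in #run, so these Capture options
    # are not meaningful for this module.
    deregister_options('SNAPLEN', 'FILTER', 'PCAPFILE')
  end

  # Read frames from the open capture until the timeout elapses and collect
  # the hosts that answered.
  #
  # NOTE(review): Msf::Auxiliary::Report is mixed in but nothing here calls a
  # report_* method; responders are only printed and returned.
  #
  # @param opts [Hash] optional 'TIMEOUT' (seconds to listen); falls back to
  #   datastore['TIMEOUT'] when absent
  # @return [Hash{String => String}] IPv6 source address => source MAC for
  #   every responding host other than ourselves
  # @raise [TypeError, ArgumentError] when the timeout is missing or not an integer
  def listen_for_ping_response(opts = {})
    hosts = {}
    # Integer() fails loudly on nil or garbage instead of producing a bogus deadline.
    timeout = Integer(opts['TIMEOUT'] || datastore['TIMEOUT'])
    deadline = ::Time.now.to_i + timeout

    while ::Time.now.to_i < deadline
      pkt_bytes = capture.next
      unless pkt_bytes
        # Nothing queued: back off briefly rather than spinning. Only sleep on
        # the empty path so a burst of replies is drained without delay.
        Kernel.select(nil, nil, nil, 0.1)
        next
      end
      record_response(hosts, pkt_bytes)
    end
    hosts
  end

  # Source MAC for outgoing frames: the SMAC option if set, else the MAC of
  # the capture interface (only when pcaprub supports the lookup), else the
  # Ipv6 mixin's ipv6_mac.
  # @return [String, nil]
  def smac
    datastore['SMAC'] || (@netifaces && get_mac(@interface)) || ipv6_mac
  end

  # Open the capture, send one echo request per multicast target, then listen
  # for answers. The capture is always closed, even if sending or listening raises.
  def run
    open_pcap({ 'FILTER' => 'icmp6' })
    begin
      @netifaces = netifaces_implemented?
      unless @netifaces
        print_error("WARNING : Pcaprub is not up-to-date, some functionality will not be available")
      end

      @interface = datastore['INTERFACE'] || Pcap.lookupdev

      print_status("Sending multicast pings...")
      @smac = smac
      # Figure out our source address by the link-local interface
      shost = ipv6_link_address
      send_multicast_pings(shost)

      print_status("Listening for responses...")
      listen_for_ping_response
    ensure
      close_pcap
    end
  end

  private

  # Send one echo request to each entry of MULTICAST_TARGETS without waiting;
  # replies are collected afterwards by the capture loop.
  # @param shost [String] IPv6 source address placed in each request
  # @return [void]
  def send_multicast_pings(shost)
    MULTICAST_TARGETS.each do |addr, _label|
      # A fresh options hash per call, as the original did, in case ping6 mutates it.
      ping6(addr, { 'DMAC' => ALL_NODES_DMAC, 'SHOST' => shost, 'SMAC' => @smac, 'WAIT' => false })
    end
  end

  # Parse one captured frame and, if it is an IPv6 packet from another host,
  # record its source address/MAC pair in +hosts+, printing it the first time.
  # @param hosts [Hash{String => String}] accumulator, mutated in place
  # @param pkt_bytes [String] raw frame as returned by the capture
  # @return [void]
  def record_response(hosts, pkt_bytes)
    pkt = PacketFu::Packet.parse(pkt_bytes)
    # Don't bother checking if it's an echo reply, since Neighbor Solicitations
    # and any other response is just as good.
    return unless pkt.is_ipv6?

    host_addr = pkt.ipv6_saddr
    host_mac = pkt.eth_saddr
    # Our own frames appear on the capture too. Compare case-insensitively:
    # SMAC may be user-supplied in upper case while the parser yields lower case,
    # and a mismatch would list ourselves as a discovered host.
    return if @smac && host_mac.downcase == @smac.downcase
    return if hosts[host_addr] == host_mac

    hosts[host_addr] = host_mac
    print_status(" |*| #{host_addr} => #{host_mac}")
  end
end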