##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
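class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Capture
  include Msf::Exploit::Remote::Ipv6
  include Msf::Auxiliary::Report

  # Ethernet destination used for every probe.  RFC 2464 maps an IPv6 multicast
  # group to 33:33 followed by the group's low 32 bits, so a per-group DMAC would
  # be the strictly correct encapsulation.  The all-nodes MAC is used for all of
  # them instead: every IPv6 NIC on the segment accepts it, and each receiver's
  # IPv6 stack then decides whether it belongs to the group named in the IPv6
  # header.  This is a discovery trick, not a conformant sender.
  ALL_NODES_DMAC = '33:33:00:00:00:01'.freeze

  # [group address, role] pairs probed by #run.  The FF01::/16 entries are
  # interface-local scope (RFC 4291) and are not expected to draw replies from
  # other hosts; they are kept so the probe set matches what this module has
  # always sent.  Address strings are handed to ping6 verbatim.
  MULTICAST_TARGETS = [
    ['FF01::1', 'node-local all nodes'],
    ['FF01::2', 'node-local all routers'],
    ['FF02::1', 'all nodes on the local network segment'],
    ['FF02::2', 'all routers on the local network segment'],
    ['FF02::5', 'OSPFv3 AllSPF routers'],
    ['FF02::6', 'OSPFv3 AllDR routers'],
    ['FF02::9', 'RIP routers'],
    ['FF02::a', 'EIGRP routers'],
    ['FF02::d', 'PIM routers'],
    ['FF02::16', 'MLDv2 reports (RFC 3810)'],
    ['ff02::1:2', 'all DHCP servers and relay agents on the local network site (RFC 3315)'],
    ['ff05::1:3', 'all DHCP servers on the local network site (RFC 3315)']
  ].freeze

  def initialize
    super(
      'Name' => 'IPv6 Link Local/Node Local Ping Discovery',
      'Description' => %q{
        Send a ICMPv6 ping request to all default multicast addresses, and wait to see who responds.
      },
      'Author' => 'wuntee',
      'License' => MSF_LICENSE,
      'References' => [
        ['URL', 'http://wuntee.blogspot.com/2010/12/ipv6-ping-host-discovery-metasploit.html']
      ],
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [IOC_IN_LOGS],
        'Reliability' => []
      }
    )

    # The capture filter is forced to ICMPv6 in #run, so these Capture mixin
    # options would be misleading if left user-settable.
    deregister_options('SNAPLEN', 'FILTER', 'PCAPFILE')
  end

  # Drain the capture handle until TIMEOUT seconds have elapsed, recording the
  # (IPv6 source, Ethernet source) of every IPv6 frame that is not our own.
  #
  # @param opts [Hash] 'TIMEOUT' (seconds) overrides datastore['TIMEOUT'].
  # @return [Hash{String => String}] IPv6 address => MAC for each responder.
  #
  # Any ICMPv6 frame counts as a response -- echo replies, neighbor
  # solicitations, router advertisements -- because the goal is presence, not
  # protocol compliance.  Both addresses come straight off the wire and are not
  # authenticated: any node on the segment can inject frames with arbitrary
  # source addresses, so treat the list as leads rather than ground truth.
  def listen_for_ping_response(opts = {})
    hosts = {}
    timeout = opts['TIMEOUT'] || datastore['TIMEOUT']
    deadline = ::Time.now.to_i + timeout

    while ::Time.now.to_i < deadline
      pkt_bytes = capture.next
      unless pkt_bytes
        # Nothing queued: back off briefly rather than spin.  The pause is taken
        # only when idle so a burst of replies is drained without added latency.
        Kernel.select(nil, nil, nil, 0.1)
        next
      end

      pkt = PacketFu::Packet.parse(pkt_bytes)
      next unless pkt.is_ipv6?

      host_addr = pkt.ipv6_saddr
      host_mac = pkt.eth_saddr
      # Our own multicast probes are visible on the capture; skip them.
      next if host_mac == @smac
      # Already seen with this MAC; a host that changes MAC is printed again.
      next if hosts[host_addr] == host_mac

      hosts[host_addr] = host_mac
      print_status(" |*| #{host_addr} => #{host_mac}")
      # Persist the finding via the Report mixin (expected to be a no-op when
      # no database is connected) so results survive past the console output.
      report_host(host: host_addr, mac: host_mac)
    end

    hosts
  end

  # Source MAC for the probes: the SMAC option if set, otherwise the interface's
  # own MAC when pcaprub can resolve it, otherwise the Ipv6 mixin's fallback.
  # Reads @interface and @netifaces, which #run sets before calling this.
  def smac
    configured = datastore['SMAC']
    return configured if configured

    mac = get_mac(@interface) if @netifaces
    mac || ipv6_mac
  end

  # Send one echo request per MULTICAST_TARGETS entry without waiting for a
  # reply; #listen_for_ping_response collects the answers afterwards.
  #
  # @param shost [String] IPv6 source address to stamp on the probes.
  def send_multicast_pings(shost)
    MULTICAST_TARGETS.each do |group, role|
      vprint_status("Pinging #{group} (#{role})")
      ping6(group, { 'DMAC' => ALL_NODES_DMAC, 'SHOST' => shost, 'SMAC' => @smac, 'WAIT' => false })
    end
  end

  def run
    # Start capture.  FILTER is deregistered in #initialize, so it is fixed here.
    open_pcap({ 'FILTER' => 'icmp6' })

    begin
      @netifaces = netifaces_implemented?
      unless @netifaces
        print_error('WARNING : Pcaprub is not up-to-date, some functionality will not be available')
      end

      @interface = datastore['INTERFACE'] || Pcap.lookupdev

      print_status('Sending multicast pings...')
      # Resolve the source MAC after @interface/@netifaces are set; #smac reads both.
      @smac = smac
      # Figure out our source address by the link-local interface
      shost = ipv6_link_address
      send_multicast_pings(shost)

      print_status('Listening for responses...')
      listen_for_ping_response
    ensure
      # Release the pcap handle even if a send or a packet parse raised.
      close_pcap
    end
  end
end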