Path: blob/master/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb
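##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Capture
  include Msf::Exploit::Remote::Ipv6
  include Msf::Auxiliary::Report

  # Destination MAC used for every probe. 33:33:00:00:00:01 is the Ethernet
  # mapping of the all-nodes group FF02::1; the other groups below are sent to
  # this same MAC rather than to their own mapped address (original behaviour).
  ALL_NODES_DMAC = '33:33:00:00:00:01'

  # Multicast groups probed by #run, in send order.
  # m-1-k-3: added some more multicast addresses from wikipedia: https://en.wikipedia.org/wiki/Multicast_address#IPv6
  MULTICAST_GROUPS = [
    'FF01::1',   # node-local all nodes
    'FF01::2',   # node-local all routers
    'FF02::1',   # All nodes on the local network segment
    'FF02::2',   # All routers on the local network segment
    'FF02::5',   # OSPFv3 AllSPF routers
    'FF02::6',   # OSPFv3 AllDR routers
    'FF02::9',   # RIP routers
    'FF02::a',   # EIGRP routers
    'FF02::d',   # PIM routers
    'FF02::16',  # MLDv2 reports (defined in RFC 3810)
    'ff02::1:2', # All DHCP servers and relay agents on the local network site (defined in RFC 3315)
    'ff05::1:3'  # All DHCP servers on the local network site (defined in RFC 3315)
  ].freeze

  def initialize
    super(
      'Name' => 'IPv6 Link Local/Node Local Ping Discovery',
      'Description' => %q{
        Send a ICMPv6 ping request to all default multicast addresses, and wait to see who responds.
      },
      'Author' => 'wuntee',
      'License' => MSF_LICENSE,
      'References' => [
        ['URL', 'http://wuntee.blogspot.com/2010/12/ipv6-ping-host-discovery-metasploit.html']
      ],
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [IOC_IN_LOGS],
        'Reliability' => []
      }
    )

    # The capture filter and output file are fixed by #run, so hide them.
    deregister_options('SNAPLEN', 'FILTER', 'PCAPFILE')
  end

  # Read from the open capture until the timeout elapses and collect every
  # IPv6 peer that shows up, keyed by source address.
  #
  # @param opts [Hash] optional 'TIMEOUT' (seconds) overriding datastore['TIMEOUT']
  # @return [Hash{String => String}] IPv6 source address => source MAC
  def listen_for_ping_response(opts = {})
    hosts = {}
    timeout = opts['TIMEOUT'] || datastore['TIMEOUT']
    max_epoch = ::Time.now.to_i + timeout

    while ::Time.now.to_i < max_epoch
      pkt_bytes = capture.next
      unless pkt_bytes
        # Nothing pending: back off briefly instead of spinning on the handle.
        # Sleeping only here (not after every packet) keeps a burst of replies
        # from being throttled to ~10 packets per second.
        Kernel.select(nil, nil, nil, 0.1)
        next
      end

      pkt = PacketFu::Packet.parse(pkt_bytes)
      # Don't bother checking if it's an echo reply, since Neighbor Solicitations
      # and any other response is just as good.
      next unless pkt.is_ipv6?

      host_addr = pkt.ipv6_saddr
      host_mac = pkt.eth_saddr
      # Skip our own outgoing probes and pairings already printed.
      next if host_mac == @smac
      next if hosts[host_addr] == host_mac

      hosts[host_addr] = host_mac
      print_status(" |*| #{host_addr} => #{host_mac}")
    end

    hosts
  end

  # Source MAC for the probes: the SMAC option if set, else the interface MAC
  # when pcaprub can look it up, else the MAC derived by the Ipv6 mixin.
  #
  # @return [String]
  def smac
    mac = datastore['SMAC']
    mac ||= get_mac(@interface) if @netifaces
    mac || ipv6_mac
  end

  # Open a capture, send one echo request to each entry of MULTICAST_GROUPS,
  # then listen for responders until the capture timeout elapses.
  # The capture handle is released in the ensure clause so an interrupt while
  # listening does not leak it.
  def run
    # Start capture
    open_pcap({ 'FILTER' => 'icmp6' })

    @netifaces = netifaces_implemented?
    unless @netifaces
      print_error('WARNING : Pcaprub is not up-to-date, some functionality will not be available')
    end

    @interface = datastore['INTERFACE'] || Pcap.lookupdev

    # Send ping
    print_status('Sending multicast pings...')
    @smac = smac
    # Figure out our source address by the link-local interface
    shost = ipv6_link_address

    MULTICAST_GROUPS.each do |group|
      ping6(group, { 'DMAC' => ALL_NODES_DMAC, 'SHOST' => shost, 'SMAC' => @smac, 'WAIT' => false })
    end

    # Listen for host advertisements
    print_status('Listening for responses...')
    listen_for_ping_response
  ensure
    # Close capture (safe to call even if open_pcap never succeeded).
    close_pcap
  end
end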