rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/http/chromecast_wifi.rb
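##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary scanner that asks a Chromecast's HTTP setup interface (default
# port 8008) for the wireless access points the device can see, prints them
# as a table and stores them as a note on the host.
#
# The requests built in #scan carry no credentials, so any host that can reach
# the port can obtain the same list. Everything in the response, including the
# SSID strings broadcast by nearby access points, is remote-controlled data.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  # Registers the module metadata and sets the default RPORT to 8008.
  #
  # @param info [Hash] metadata overrides, merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Chromecast Wifi Enumeration',
        'Description' => %q{
          This module enumerates wireless access points through Chromecast.
        },
        'Author' => ['wvu'],
        'References' => [
          ['URL', 'http://www.google.com/intl/en/chrome/devices/chromecast/index.html'] # vendor website
        ],
        'License' => MSF_LICENSE,
        # NOTE(review): #scan POSTs to /setup/scan_wifi before reading results,
        # which presumably makes the device start a scan. Confirm whether the
        # UNKNOWN_* placeholders below should be replaced with concrete values.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([
      Opt::RPORT(8008)
    ])
  end

  # Queries one host and, when it answers 200 with a list of access points,
  # prints the list and records it as a 'chromecast.wifi' note.
  #
  # @param ip [String] address of the host currently being scanned
  # @return [void]
  def run_host(ip)
    res = scan

    return unless res && res.code == 200

    # The body is produced by the remote device. Anything other than a JSON
    # array would make the row building below raise, so stop here instead.
    waps = res.get_json_document
    return unless waps.is_a?(Array)

    waps_table = Rex::Text::Table.new(
      'Header' => "Wireless Access Points from #{ip}",
      'Columns' => [
        'BSSID',
        'PWR',
        'ENC',
        'CIPHER',
        'AUTH',
        'ESSID'
      ],
      'SortIndex' => -1
    )

    waps.each do |wap|
      # Skip array elements that are not JSON objects rather than failing the host.
      next unless wap.is_a?(Hash)

      # NOTE(review): bssid/ssid are untrusted text relayed from nearby access
      # points; confirm the console and CSV consumers cope with control
      # characters and spreadsheet-formula prefixes.
      waps_table << [
        wap['bssid'],
        wap['signal_level'],
        enc(wap),
        cipher(wap),
        auth(wap),
        # to_s keeps an entry with a missing or null ssid from raising on nil.
        # ' (*)' marks entries that carry a 'wpa_id' key, presumably a network
        # saved on the device (confirm).
        wap['ssid'].to_s + (wap['wpa_id'] ? ' (*)' : '')
      ]
    end

    unless waps_table.rows.empty?
      print_line(waps_table.to_s)
      report_note(
        :host => ip,
        :port => rport,
        :proto => 'tcp',
        :type => 'chromecast.wifi',
        :data => { :csv_table => waps_table.to_csv }
      )
    end
  end

  # Sends POST /setup/scan_wifi followed by GET /setup/scan_results, each with
  # a User-Agent of random text between 1 and 42 characters long.
  #
  # The POST response is discarded; only the GET response is returned.
  # NOTE(review): there is no wait between the two requests, so the results
  # may predate the scan just requested. Confirm against device behaviour.
  #
  # @return [Object, nil] whatever send_request_raw returns for the GET
  def scan
    send_request_raw(
      'method' => 'POST',
      'uri' => '/setup/scan_wifi',
      'agent' => Rex::Text.rand_text_english(rand(42) + 1)
    )
    send_request_raw(
      'method' => 'GET',
      'uri' => '/setup/scan_results',
      'agent' => Rex::Text.rand_text_english(rand(42) + 1)
    )
  end

  # Maps the entry's numeric 'wpa_auth' value to the label shown in the ENC
  # column. Unrecognised values are returned unchanged so they stay visible.
  #
  # @param wap [Hash] one access point entry from the scan results
  # @return [String, Object] the label, or the raw value when it is unmapped
  def enc(wap)
    case wap['wpa_auth']
    when 1
      'OPN'
    when 2
      'WEP'
    when 5
      'WPA'
    when 0, 7
      'WPA2'
    else
      wap['wpa_auth']
    end
  end

  # Maps the entry's numeric 'wpa_cipher' value to the label shown in the
  # CIPHER column. Unrecognised values are returned unchanged.
  #
  # @param wap [Hash] one access point entry from the scan results
  # @return [String, Object] the label, or the raw value when it is unmapped
  def cipher(wap)
    case wap['wpa_cipher']
    when 1
      ''
    when 2
      'WEP'
    when 3
      'TKIP'
    when 4
      'CCMP'
    else
      wap['wpa_cipher']
    end
  end

  # Maps the entry's numeric 'wpa_auth' value to the label shown in the AUTH
  # column: 0 gives 'MGT', 5 and 7 give 'PSK', anything else an empty string.
  #
  # @param wap [Hash] one access point entry from the scan results
  # @return [String] the authentication label, possibly empty
  def auth(wap)
    case wap['wpa_auth']
    when 0
      'MGT'
    when 5, 7
      'PSK'
    else
      ''
    end
  end
end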