Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8
  include Msf::Auxiliary::Scanner
9

10
  def initialize(info = {})
11
    super(update_info(info,
12
      'Name' => 'Chromecast Wifi Enumeration',
13
      'Description' => %q{
14
        This module enumerates wireless access points through Chromecast.
15
      },
16
      'Author' => ['wvu'],
17
      'References' => [
18
        ['URL', 'http://www.google.com/intl/en/chrome/devices/chromecast/index.html'] # vendor website
19
      ],
20
      'License' => MSF_LICENSE
21
    ))
22

23
    register_options([
24
      Opt::RPORT(8008)
25
    ])
26
  end
27

28
  def run_host(ip)
29
    res = scan
30

31
    return unless res && res.code == 200
32

33
    waps_table = Rex::Text::Table.new(
34
      'Header' => "Wireless Access Points from #{ip}",
35
      'Columns' => [
36
        'BSSID',
37
        'PWR',
38
        'ENC',
39
        'CIPHER',
40
        'AUTH',
41
        'ESSID'
42
      ],
43
      'SortIndex' => -1
44
    )
45

46
    res.get_json_document.each do |wap|
47
      waps_table << [
48
        wap['bssid'],
49
        wap['signal_level'],
50
        enc(wap),
51
        cipher(wap),
52
        auth(wap),
53
        wap['ssid'] + (wap['wpa_id'] ? ' (*)' : '')
54
      ]
55
    end
56

57
    unless waps_table.rows.empty?
58
      print_line(waps_table.to_s)
59
      report_note(
60
        :host => ip,
61
        :port => rport,
62
        :proto => 'tcp',
63
        :type => 'chromecast.wifi',
64
        :data => waps_table.to_csv
65
      )
66
    end
67
  end
68

69
  def scan
70
    send_request_raw(
71
      'method' => 'POST',
72
      'uri' => '/setup/scan_wifi',
73
      'agent' => Rex::Text.rand_text_english(rand(42) + 1)
74
    )
75
    send_request_raw(
76
      'method' => 'GET',
77
      'uri' => '/setup/scan_results',
78
      'agent' => Rex::Text.rand_text_english(rand(42) + 1)
79
    )
80
  end
81

82
  def enc(wap)
83
    case wap['wpa_auth']
84
    when 1
85
      'OPN'
86
    when 2
87
      'WEP'
88
    when 5
89
      'WPA'
90
    when 0, 7
91
      'WPA2'
92
    else
93
      wap['wpa_auth']
94
    end
95
  end
96

97
  def cipher(wap)
98
    case wap['wpa_cipher']
99
    when 1
100
      ''
101
    when 2
102
      'WEP'
103
    when 3
104
      'TKIP'
105
    when 4
106
      'CCMP'
107
    else
108
      wap['wpa_cipher']
109
    end
110
  end
111

112
  def auth(wap)
113
    case wap['wpa_auth']
114
    when 0
115
      'MGT'
116
    when 5, 7
117
      'PSK'
118
    else
119
      ''
120
    end
121
  end
122
end
123

124