Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/auxiliary/scanner/ip/ipidseq.rb
Views: 11783
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45require 'timeout'67class MetasploitModule < Msf::Auxiliary8include Msf::Exploit::Capture9include Msf::Auxiliary::Scanner10include Msf::Auxiliary::Report1112def initialize13super(14'Name' => 'IPID Sequence Scanner',15'Description' => %q{16This module will probe hosts' IPID sequences and classify17them using the same method Nmap uses when it's performing18its IPID Idle Scan (-sI) and OS Detection (-O).1920Nmap's probes are SYN/ACKs while this module's are SYNs.21While this does not change the underlying functionality,22it does change the chance of whether or not the probe23will be stopped by a firewall.2425Nmap's Idle Scan can use hosts whose IPID sequences are26classified as "Incremental" or "Broken little-endian incremental".27},28'Author' => 'kris katterjohn',29'License' => MSF_LICENSE30)3132register_options([33Opt::RPORT(80),34OptInt.new('TIMEOUT', [true, "The reply read timeout in milliseconds", 500]),35OptString.new('INTERFACE', [false, 'The name of the interface'])36])3738register_advanced_options([39OptInt.new('SAMPLES', [true, "The IPID sample size", 6])40])4142deregister_options('FILTER','PCAPFILE')43end4445def rport46datastore['RPORT'].to_i47end4849def run_host(ip)50open_pcap5152raise "SAMPLES option must be >= 2" if datastore['SAMPLES'] < 25354pcap = self.capture5556shost = Rex::Socket.source_address(ip)5758to = (datastore['TIMEOUT'] || 500).to_f / 1000.05960ipids = []6162pcap.setfilter(getfilter(shost, ip, rport))6364datastore['SAMPLES'].times do65sport = rand(0xffff - 1025) + 10256667probe = buildprobe(shost, sport, ip, rport)6869next unless capture_sendto(probe, ip)7071reply = probereply(pcap, to)7273next if not reply7475ipids << reply.ip_id76end7778close_pcap7980return if ipids.empty?8182print_status("#{ip}'s IPID sequence class: #{analyze(ipids)}")8384#Add Report85report_note(86:host => ip,87:proto => 'ip',88:type => 'IPID sequence',89:data => "IPID sequence class: #{analyze(ipids)}"90)91end9293# Based on Nmap's get_ipid_sequence() in osscan2.cc94def analyze(ipids)95allzeros = true96allsame = true97mul256 = true98inc = true99100# ipids.each do |ipid|101# print_status("Got IPID ##{ipid}")102# end103104return "Unknown" if ipids.size < 2105106diffs = []107i = 1108109while i < ipids.size110p = ipids[i - 1]111c = ipids[i]112113if p != 0 or c != 0114allzeros = false115end116117if p <= c118diffs[i - 1] = c - p119else120diffs[i - 1] = c - p + 65536121end122123if ipids.size > 2 and diffs[i - 1] > 20000124return "Randomized"125end126127i += 1128end129130return "All zeros" if allzeros131132diffs.each do |diff|133if diff > 1000 and ((diff % 256) != 0 or ((diff % 256) == 0 and diff >= 25600))134return "Random positive increments"135end136137allsame = false if diff != 0138139mul256 = false if diff > 5120 or (diff % 256) != 0140141inc = false if diff >= 10142end143144return "Constant" if allsame145146return "Broken little-endian incremental!" if mul256147148return "Incremental!" if inc149150"Unknown"151end152153def getfilter(shost, dhost, dport)154"tcp and src host #{dhost} and src port #{dport} and " +155"dst host #{shost}"156end157158# This gets set via the usual capture_sendto interface159def buildprobe(shost, sport, dhost, dport)160p = PacketFu::TCPPacket.new161p.ip_saddr = shost162p.ip_daddr = dhost163p.tcp_sport = sport164p.tcp_dport = dport165p.tcp_flags.syn = 1166p.recalc167p168end169170def probereply(pcap, to)171reply = nil172173begin174Timeout.timeout(to) do175pcap.each do |r|176pkt = PacketFu::Packet.parse(r)177next unless pkt.is_tcp?178next unless pkt.tcp_flags.syn == 1 || pkt.tcp_flags.rst == 1179reply = pkt180break181end182end183rescue Timeout::Error184end185186return reply187end188end189190191