##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::UDPScanner
  include Msf::Auxiliary::Kademlia

  # UDP scanner that sends one Kademlia2 probe (a BOOTSTRAP request or a
  # PING, chosen by the module action) to each target and records the
  # decoded reply. Decoding is done by the Kademlia mixin's
  # BootstrapResponse / Pong classes; nothing in this file validates the
  # decoded fields, so everything stored below is peer-supplied data.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Gather Kademlia Server Information',
        'Description' => %q{
          This module uses the Kademlia BOOTSTRAP and PING messages to identify
          and extract information from Kademlia speaking UDP endpoints,
          typically belonging to eMule/eDonkey/BitTorrent servers or other P2P
          applications.
        },
        'Author' => 'Jon Hart <jon_hart[at]rapid7.com>',
        'References' => [
          # There are lots of academic papers on the protocol but they tend to lack usable
          # protocol details. This is the best I've found
          ['URL', 'https://gbmaster.wordpress.com/2013/06/16/botnets-surrounding-us-sending-kademlia2_bootstrap_req-kademlia2_hello_req-and-their-strict-cousins/#more-125']
        ],
        'License' => MSF_LICENSE,
        'Actions' => [
          ['BOOTSTRAP', 'Description' => 'Use a Kademlia2 BOOTSTRAP'],
          ['PING', 'Description' => 'Use a Kademlia2 PING']
        ],
        'DefaultAction' => 'BOOTSTRAP',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # 4672 is the default Kademlia UDP port used by eMule-style clients.
    register_options([Opt::RPORT(4672)])
  end

  # Builds (once) the datagram sent to every host in the batch. The probe is
  # memoized, so the same bytes go to every target; an unrecognised action
  # yields nil, which the UDPScanner mixin is left to deal with.
  def build_probe
    return @probe if @probe

    @probe =
      if action.name == 'BOOTSTRAP'
        BootstrapRequest.new
      elsif action.name == 'PING'
        Ping.new
      end
  end

  # Called by the UDPScanner mixin for each datagram received while the
  # batch is being probed.
  #
  # @param response [String] raw UDP payload
  # @param src_host [String] source address of the datagram
  # @param src_port [Integer] source port of the datagram
  #
  # NOTE(review): src_host is whatever the datagram claims as its source.
  # UDP sources are trivially spoofed, so results are keyed on an
  # unauthenticated address; whether the mixin restricts this to hosts in
  # the current batch is not visible here.
  def scanner_process(response, src_host, src_port)
    return if response.blank?

    peer = "#{src_host}:#{src_port}"

    info =
      case action.name
      when 'BOOTSTRAP' then bootstrap_info(response, peer)
      when 'PING' then pong_info(response, peer)
      end
    return unless info

    # @results is never initialised in this file; presumably the UDPScanner
    # mixin sets it up before the batch starts (scanner_prescan) -- confirm.
    (@results[src_host] ||= []) << info
  end

  # Persists one host and one 'kademlia' UDP service per responding address.
  # The stored info is the raw list of decoded replies, i.e. peer-controlled
  # IDs, ports, version strings and peer lists; consumers of the database
  # record should treat it as hostile input.
  def scanner_postscan(_batch)
    @results.each do |host, replies|
      report_host(host: host)
      report_service(
        host: host,
        proto: 'udp',
        port: rport,
        name: 'kademlia',
        info: replies
      )
    end
  end

  private

  # Decodes a BOOTSTRAP reply; returns nil when the payload does not parse.
  # Every field below comes straight from the remote peer. The peers list
  # is assumed to be an Array (peers.size is called) -- if the parser can
  # return nil there, this raises inside the scanner loop.
  def bootstrap_info(response, peer)
    res = BootstrapResponse.from_data(response)
    return unless res

    print_good("#{peer} ID #{res.peer_id}, TCP port #{res.tcp_port}, " \
               "version #{res.version}, #{res.peers.size} peers")
    {
      peer_id: res.peer_id,
      tcp_port: res.tcp_port,
      version: res.version,
      peers: res.peers
    }
  end

  # Decodes a PONG; returns nil when the payload does not parse.
  # The reported port is supposed to be the port the peer saw our probe
  # arrive from, but it is not checked against anything here -- it is a
  # peer-supplied value recorded as-is. TODO: validate this?
  def pong_info(response, peer)
    pong = Pong.from_data(response)
    return unless pong

    print_good("#{peer} PONG port #{pong.port}")
    { udp_port: pong.port }
  end
end