CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/scanner/netbios/nbname.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Auxiliary::Report7include Msf::Auxiliary::UDPScanner89def initialize10super(11'Name' => 'NetBIOS Information Discovery',12'Description' => 'Discover host information through NetBIOS',13'Author' => 'hdm',14'License' => MSF_LICENSE15)1617register_options(18[19Opt::RPORT(137)20])21end2223def scanner_prescan(batch)24print_status("Sending NetBIOS requests to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")25@results = {}26end2728def scan_host(ip)29scanner_send(create_netbios_status(ip), ip, datastore['RPORT'])30end3132def scanner_postscan(batch)3334cnt = 03536# Perform a second pass based on responsive hosts37@results.keys.each do |ip|38next if not @results[ip][:name]39scanner_send(create_netbios_lookup(@results[ip][:name]), ip, datastore['RPORT'])40cnt += 141end4243# Wait for the final replies to trickle in44scanner_recv(10) if cnt > 04546@results.keys.each do |ip|4748host = @results[ip]49user = ""50os = "Windows"5152if (host[:user] and host[:mac] != "00:00:00:00:00:00")53user = " User:#{host[:user]}"54end5556if (host[:mac] == "00:00:00:00:00:00")57os = "Unix"58end5960names = ""61if (host[:names])62names = " Names:(" + host[:names].map{|n| n[0]}.uniq.join(", ") + ")"63end6465addrs = ""66if (host[:addrs])67addrs = "Addresses:(" + host[:addrs].map{|n| n[0]}.uniq.join(", ") + ")"68end6970if (host[:mac] != "00:00:00:00:00:00")71report_host(:host => ip, :mac => host[:mac])72else73report_host(:host => ip)74end7576extra = ""7778virtual = nil79case host[:mac]80when /^00:13:07/i81virtual = 'ParaVirtual'82when /^(00:1C:14|00:50:56|00:05:69|00:0c:29)/i83virtual = 'VMWare'84when /^00:1C:42/85virtual = "Parallels"86when /^00:18:51/87virtual = "SWsoft Virtuozzo"88when /^00:21:F6/i89virtual = 'Virtual Iron'90when /^00:16:3e/91virtual = 'Xen'92when /^(54:52:00|DE:AD:BE)/93virtual = 'QEMU (unofficial)'94when /^00:24:0B/i95virtual = 'Virtual Computer Inc'96end9798if (virtual)99extra = "Virtual Machine:#{virtual}"100report_note(101:host => ip,102:type => 'host.virtual_machine',103:data => {:vendor => virtual, :method => 'netbios'}104)105end106107if (host[:addrs])108aliases = []109host[:addrs].map{|n| n[0]}.uniq.each do |addr|110next if addr == ip111aliases << addr112end113114if not aliases.empty?115report_note(116:host => ip,117:proto => 'udp',118:port => 137,119:type => 'netbios.addresses',120:data => {:addresses => aliases}121)122end123end124125print_good("#{ip} [#{host[:name]}] OS:#{os}#{user}#{names} #{addrs} Mac:#{host[:mac]} #{extra}")126end127end128129130def scanner_process(data, shost, sport)131132head = data.slice!(0,12)133134xid, flags, quests, answers, auths, adds = head.unpack('n6')135136return if quests != 0137return if answers == 0138139qname = data.slice!(0,34)140rtype,rclass,rttl,rlen = data.slice!(0,10).unpack('nnNn')141buff = data.slice!(0,rlen)142143names = []144145hname = nil146uname = nil147148@results[shost] ||= {}149150case rtype151when 0x21152rcnt = buff.slice!(0,1).unpack("C")[0]1531.upto(rcnt) do154tname = buff.slice!(0,15).gsub(/\x00.*/, '').strip155ttype = buff.slice!(0,1).unpack("C")[0]156tflag = buff.slice!(0,2).unpack('n')[0]157names << [ tname, ttype, tflag ]158hname = tname if ttype == 0x20159uname = tname if ttype == 0x03160end161maddr = buff.slice!(0,6).unpack("C*").map{|c| "%.2x" % c }.join(":")162163@results[shost][:names] = names164@results[shost][:mac] = maddr165166if (!hname and @results[shost][:names].length > 0)167@results[shost][:name] = @results[shost][:names][0][0]168end169170@results[shost][:name] = hname if hname171@results[shost][:user] = uname if uname172173inf = ''174names.each do |name|175inf << name[0]176inf << ":<%.2x>" % name[1]177if (name[2] & 0x8000 == 0)178inf << ":U :"179else180inf << ":G :"181end182end183inf << maddr184185report_service(186:host => shost,187:mac => (maddr and maddr != '00:00:00:00:00:00') ? maddr : nil,188:host_name => (hname) ? hname.downcase : nil,189:port => datastore['RPORT'],190:proto => 'udp',191:name => 'netbios',192:info => inf193)194195when 0x201961.upto(rlen / 6.0) do197tflag = buff.slice!(0,2).unpack('n')[0]198taddr = buff.slice!(0,4).unpack("C*").join(".")199names << [ taddr, tflag ]200end201@results[shost][:addrs] = names202end203end204205def create_netbios_status(ip)206data =207[rand(0xffff)].pack('n')+208"\x00\x00\x00\x01\x00\x00\x00\x00"+209"\x00\x00\x20\x43\x4b\x41\x41\x41"+210"\x41\x41\x41\x41\x41\x41\x41\x41"+211"\x41\x41\x41\x41\x41\x41\x41\x41"+212"\x41\x41\x41\x41\x41\x41\x41\x41"+213"\x41\x41\x41\x00\x00\x21\x00\x01"214215return data216end217218def create_netbios_lookup(name)219name = [name].pack("A15") + "\x00"220221data =222[rand(0xffff)].pack('n') +223"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" +224"\x20" +225Rex::Proto::SMB::Utils.nbname_encode(name) +226"\x00" +227"\x00\x20\x00\x01"228229return data230end231end232233234