Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::Hardware::Zigbee::Utils
8

9
  def initialize(info = {})
10
    super(
11
      update_info(
12
        info,
13
        'Name' => 'Sends Beacons to Scan for Active ZigBee Networks',
14
        'Description' => %q{
15
          Post Module to send beacon signals to the broadcast address while
16
          channel hopping
17
        },
18
        'License' => MSF_LICENSE,
19
        'Author' => ['Craig Smith'],
20
        'Platform' => ['hardware'],
21
        'SessionTypes' => ['hwbridge']
22
      )
23
    )
24
    register_options([
25
      OptInt.new('CHANNEL', [false, 'Disable channel hopping by forcing a channel (11-26)', nil]),
26
      OptInt.new('LOOP', [false, 'How many times to loop over the channels (-1 will run in an endless loop)', 1]),
27
      OptInt.new('DELAY', [false, 'Delay in seconds to listen on each channel', 2]),
28
      OptString.new('DEVICE', [false, 'ZigBee device ID, defaults to target device', nil])
29
    ])
30
    @seq = 0
31
    @channel = 11
32
    @stumbled = {}
33
    @loop_count = 0
34
  end
35

36
  def display_details(routerdata)
37
    stackprofile_map = {
38
      0 => 'Network Specific',
39
      1 => 'ZigBee Standard',
40
      2 => 'ZigBee Enterprise'
41
    }
42
    stackver_map = {
43
      0 => 'ZigBee Prototype',
44
      1 => 'ZigBee 2004',
45
      2 => 'ZigBee 2006/2007'
46
    }
47
    spanid, source, extpanid, stackprofilever, channel = routerdata
48
    stackprofilever = stackprofilever.unpack('H*')[0].hex
49
    stackprofile = stackprofilever & 0x0f
50
    stackver = (stackprofilever & 0xf0) >> 4
51
    profile = 'Unknown'
52
    profile = stackprofile_map[stackprofile] if stackprofile_map.key? stackprofile
53
    ver = 'Unknown'
54
    ver = stackver_map[stackver] if stackver_map.key? stackver
55
    print_status("New Network: PANID: 0x#{spanid.upcase} SOURCE: 0x#{source.upcase}")
56
    print_status("        Ext PANID: #{extpanid.upcase.scan(/../).join(':')}       Stack Profile: #{profile}")
57
    print_status("        Stack Version: #{ver}")
58
    print_status("        Channel: #{@channel}")
59
  end
60

61
  def scan
62
    @seq = 0 if @seq > 255
63
    print_status("Scanning Channel #{@channel}")
64
    set_channel(datastore['DEVICE'], @channel)
65
    beacon = "\x03\x08#{@seq.chr}\xff\xff\xff\xff\x07"
66
    inject(datastore['DEVICE'], beacon)
67
    delay = Time.now + datastore['DELAY']
68
    while delay > Time.now
69
      pkt = recv(datastore['DEVICE'])
70
      next unless pkt && !pkt.empty? && pkt['valid_crc']
71

72
      pktdecode = dot154_packet_decode(pkt['data'])
73
      next unless (pktdecode['FSF'] & DOT154_FCF_TYPE_MASK) == DOT154_FCF_TYPE_BEACON
74

75
      key = "#{pktdecode['SPAN_ID']}#{pktdecode['SOURCE']}"
76
      value = [pktdecode['SPAN_ID'], pktdecode['SOURCE'], pktdecode['EXT_PAN_ID'], pktdecode['STACK_PROFILE'], @channel]
77
      if !@stumbled.key? key
78
        @stumbled[key] = value
79
        display_details(value)
80
      end
81
    end
82
    sniffer_off(datastore['DEVICE']) # Needed to clear receive buffers
83
    @seq += 1
84
    @channel += 1 if !datastore['CHANNEL']
85
    @loop_count += 1 if (@channel > 26) || datastore['CHANNEL']
86
    @channel = 11 if @channel > 26
87
  end
88

89
  def run
90
    if !get_target_device && !datastore['DEVICE']
91
      print_error "No target device set.  Either set one with the 'target' command or specify the DEVICE."
92
      return
93
    end
94
    @channel = datastore['CHANNEL'] if datastore['CHANNEL']
95
    @channel = 11 if @channel > 26
96
    if datastore['LOOP'] == -1
97
      loop { scan }
98
    else
99
      scan while (@loop_count < datastore['LOOP'])
100
    end
101
  end
102
end
103

104