GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/arp_scanner.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
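class MetasploitModule < Msf::Post
  include Msf::Auxiliary::Report

  OUI_LIST = Rex::Oui

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather ARP Scanner',
        'Description' => %q{
          This Module will perform an ARP scan for a given IP range through a
          Meterpreter Session.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter'],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_railgun_api
            ]
          }
        }
      )
    )
    register_options(
      [
        OptString.new('RHOSTS', [true, 'The target address range or CIDR identifier', nil]),
        OptInt.new('THREADS', [false, 'The number of concurrent threads', 10])
      ]
    )
  end

  # Entry point for the `run` command: reads RHOSTS/THREADS from the
  # datastore and scans through the current Meterpreter session.
  def run
    print_status("Running module against #{sysinfo['Computer']}")
    arp_scan(datastore['RHOSTS'], datastore['THREADS'])
  end

  # Resolves every address in +cidr+ from the session host by calling
  # iphlpapi!SendARP through Railgun, +threads+ addresses at a time.
  #
  # Each responding address is printed, recorded with report_host and,
  # when the OUI prefix is known, annotated with a 'mac_oui' note.
  #
  # @param cidr [String] target address range or CIDR identifier (RHOSTS)
  # @param threads [Integer] number of concurrent Railgun calls; values
  #   below 1 are treated as 1 so the batching loop always drains the list
  # @return [Array<Hash>] one { host:, mac: } entry per address that answered;
  #   empty when nothing answered or the range could not be parsed
  def arp_scan(cidr, threads)
    print_status("ARP Scanning #{cidr}")
    ws = client.railgun.ws2_32
    iphlp = client.railgun.iphlpapi

    # THREADS <= 0 used to spawn no workers and never shift anything off the
    # address list, leaving the outer loop spinning forever. Clamp it instead.
    batch_size = [threads.to_i, 1].max

    ipadd = Rex::Socket::RangeWalker.new(cidr)
    unless ipadd.valid?
      print_error("Invalid target range: #{cidr}")
      return []
    end

    # Expand the range up front; next_ip returns nil once it is exhausted.
    targets = []
    while (next_target = ipadd.next_ip)
      targets << next_target
    end

    found = []
    found_lock = Mutex.new
    no_error = client.railgun.const('NO_ERROR')

    # Hand out at most batch_size addresses per round instead of spawning a
    # fixed number of threads that may receive nil once the list runs dry.
    until targets.empty?
      workers = targets.shift(batch_size).map do |ip_text|
        framework.threads.spawn("Module(#{refname})", false, ip_text) do |target|
          # inet_addr and SendARP are IPv4-only; anything else in the range
          # cannot be resolved this way and is skipped rather than mangled.
          next unless Rex::Socket.is_ipv4?(target)

          ip = ws.inet_addr(target)['return']
          # SendARP(DestIP, SrcIP, pMacAddr, PhyAddrLen): 6-byte out buffer.
          h = iphlp.SendARP(ip, 0, 6, 6)
          next unless h['return'] == no_error

          mac_text = h['pMacAddr'].unpack('C*').map { |e| '%02x' % e }.join(':')
          company = OUI_LIST.lookup_oui_company_name(mac_text)
          print_good("\tIP: #{target} MAC #{mac_text} (#{company})")
          report_host(host: target, mac: mac_text)
          report_note(host: target, type: 'mac_oui', data: company) unless company.nil?
          # Array#<< is guarded explicitly so the result list stays consistent
          # regardless of how the framework's thread factory schedules workers.
          found_lock.synchronize { found << { host: target, mac: mac_text } }
        end
      end
      workers.each(&:join)
    end

    found
  end
end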