Path: blob/master/modules/post/windows/gather/arp_scanner.rb
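##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Auxiliary::Report

  OUI_LIST = Rex::Oui

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather ARP Scanner',
        'Description' => %q{
          This module will perform an ARP scan for a given IP range through a
          Meterpreter session.
        },
        'License' => MSF_LICENSE,
        'Author' => ['Carlos Perez <carlos_perez[at]darkoperator.com>'],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        },
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_railgun_api
            ]
          }
        }
      )
    )
    register_options(
      [
        OptString.new('RHOSTS', [true, 'The target address range or CIDR identifier', nil]),
        OptInt.new('THREADS', [false, 'The number of concurrent threads', 10])
      ]
    )
  end

  # Module entry point: reports which session the scan runs from, then
  # hands RHOSTS and THREADS from the datastore to #arp_scan.
  def run
    # sysinfo can be nil on a session that has not completed enumeration;
    # fall back to asking the host for its name directly.
    hostname = sysinfo.nil? ? cmd_exec('hostname') : sysinfo['Computer']
    print_status("Running module against #{hostname} (#{session.session_host})")
    arp_scan(datastore['RHOSTS'], datastore['THREADS'])
  end

  # Resolves every address in +cidr+ to a MAC address by issuing
  # iphlpapi!SendARP on the compromised host (via railgun), printing each
  # reply and recording it through the Report mixin (report_host plus a
  # 'mac_oui' note when the vendor prefix is known).
  #
  # @param cidr [String] target range or CIDR, as accepted by Rex::Socket::RangeWalker
  # @param threads [Integer] number of addresses probed concurrently per batch;
  #   anything below 1 is treated as 1, because a batch of zero workers would
  #   never drain the queue and the loop below would spin forever
  # @return [nil]
  def arp_scan(cidr, threads)
    print_status("ARP Scanning #{cidr}")
    ws = client.railgun.ws2_32
    iphlp = client.railgun.iphlpapi
    # Hoisted out of the per-address worker: the constant does not change
    # between lookups.
    no_error = client.railgun.const('NO_ERROR')
    batch_size = [threads.to_i, 1].max

    pending = expand_range(cidr)
    if pending.empty?
      print_error("No valid addresses found in #{cidr}")
      return
    end

    until pending.empty?
      # Only spawn as many workers as there are addresses left; pending.shift
      # is evaluated here, in the spawning thread, so each worker gets its own ip.
      workers = Array.new([batch_size, pending.length].min) do
        framework.threads.spawn("Module(#{refname})", false, pending.shift) do |ip_text|
          probe_host(ws, iphlp, no_error, ip_text)
        end
      end
      workers.each(&:join)
    end
    nil
  end

  private

  # Materialises every address of +cidr+ as a list of strings, stopping early
  # if the walker runs dry before num_ips addresses have been produced.
  #
  # @param cidr [String] range or CIDR accepted by Rex::Socket::RangeWalker
  # @return [Array<String>] addresses in walker order (empty for an unparsable range)
  def expand_range(cidr)
    walker = Rex::Socket::RangeWalker.new(cidr)
    total = walker.num_ips
    addresses = []
    while addresses.length < total
      ip = walker.next_ip
      break unless ip

      addresses << ip
    end
    addresses
  end

  # Sends one ARP request for +ip_text+ through railgun and records the reply.
  #
  # @param ws [Object] railgun handle for ws2_32 (used for inet_addr)
  # @param iphlp [Object] railgun handle for iphlpapi (used for SendARP)
  # @param no_error [Integer] value of the NO_ERROR constant, compared against SendARP's return
  # @param ip_text [String, nil] dotted-quad address; nil is ignored
  # @return [nil]
  def probe_host(ws, iphlp, no_error, ip_text)
    return if ip_text.nil?

    ip = ws.inet_addr(ip_text)['return']
    # SendARP(DestIP, SrcIP, pMacAddr, PhyAddrLen): railgun hands back the
    # filled 6-byte MAC out-buffer as reply['pMacAddr'].
    reply = iphlp.SendARP(ip, 0, 6, 6)
    return unless reply['return'] == no_error

    mac_text = reply['pMacAddr'].unpack('C*').map { |byte| format('%02x', byte) }.join(':')
    company = OUI_LIST.lookup_oui_company_name(mac_text)
    print_good("\tIP: #{ip_text} MAC #{mac_text} (#{company})")
    report_host(host: ip_text, mac: mac_text)
    # Unknown OUI prefixes yield nil; only record a note when a vendor was found.
    return if company.nil?

    report_note(host: ip_text, type: 'mac_oui', data: { :company => company })
  end
end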