Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/gather/arp_scanner.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Auxiliary::Report

8


9
  OUI_LIST = Rex::Oui

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Windows Gather ARP Scanner',

16
        'Description' => %q{

17
          This module will perform an ARP scan for a given IP range through a

18
          Meterpreter session.

19
        },

20
        'License' => MSF_LICENSE,

21
        'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],

22
        'Platform' => [ 'win' ],

23
        'SessionTypes' => [ 'meterpreter'],

24
        'Notes' => {

25
          'Stability' => [CRASH_SAFE],

26
          'SideEffects' => [],

27
          'Reliability' => []

28
        },

29
        'Compat' => {

30
          'Meterpreter' => {

31
            'Commands' => %w[

32
              stdapi_railgun_api

33
            ]

34
          }

35
        }

36
      )

37
    )

38
    register_options(

39
      [

40
        OptString.new('RHOSTS', [true, 'The target address range or CIDR identifier', nil]),

41
        OptInt.new('THREADS', [false, 'The number of concurrent threads', 10])

42
      ]

43
    )

44
  end

45


46
  def run

47
    hostname = sysinfo.nil? ? cmd_exec('hostname') : sysinfo['Computer']

48
    print_status("Running module against #{hostname} (#{session.session_host})")

49
    arp_scan(datastore['RHOSTS'], datastore['THREADS'])

50
  end

51


52
  def arp_scan(cidr, threads)

53
    print_status("ARP Scanning #{cidr}")

54
    ws = client.railgun.ws2_32

55
    iphlp = client.railgun.iphlpapi

56
    a = []

57
    iplst = []

58
    found = ''

59
    ipadd = Rex::Socket::RangeWalker.new(cidr)

60
    numip = ipadd.num_ips

61
    while (iplst.length < numip)

62
      ipa = ipadd.next_ip

63
      if !ipa

64
        break

65
      end

66


67
      iplst << ipa

68
    end

69


70
    while !iplst.nil? && !iplst.empty?

71
      a = []

72
      1.upto(threads) do

73
        a << framework.threads.spawn("Module(#{refname})", false, iplst.shift) do |ip_text|

74
          next if ip_text.nil?

75


76
          h = ws.inet_addr(ip_text)

77
          ip = h['return']

78
          h = iphlp.SendARP(ip, 0, 6, 6)

79
          if h['return'] == client.railgun.const('NO_ERROR')

80
            mac_text = h['pMacAddr'].unpack('C*').map { |e| '%02x' % e }.join(':')

81
            company = OUI_LIST.lookup_oui_company_name(mac_text)

82
            print_good("\tIP: #{ip_text} MAC #{mac_text} (#{company})")

83
            report_host(host: ip_text, mac: mac_text)

84
            next if company.nil?

85


86
            report_note(host: ip_text, type: 'mac_oui', data: { :company => company })

87
          end

88
        end

89
      end

90
      a.map(&:join)

91
    end

92
    return found

93
  end

94
end

95


96