GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/arp_scanner.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
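class MetasploitModule < Msf::Post
  include Msf::Auxiliary::Report

  # OUI table used to label discovered MAC addresses with a vendor name.
  OUI_LIST = Rex::Oui

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather ARP Scanner',
        'Description' => %q{
          This module will perform an ARP scan for a given IP range through a
          Meterpreter session.
        },
        'License' => MSF_LICENSE,
        'Author' => ['Carlos Perez <carlos_perez[at]darkoperator.com>'],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        },
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_railgun_api
            ]
          }
        }
      )
    )
    register_options(
      [
        OptString.new('RHOSTS', [true, 'The target address range or CIDR identifier', nil]),
        OptInt.new('THREADS', [false, 'The number of concurrent threads', 10])
      ]
    )
  end

  # Module entry point: announces the session host, then scans the
  # configured range with the configured concurrency.
  def run
    hostname = sysinfo.nil? ? cmd_exec('hostname') : sysinfo['Computer']
    print_status("Running module against #{hostname} (#{session.session_host})")
    arp_scan(datastore['RHOSTS'], datastore['THREADS'])
  end

  # Resolves every address in +cidr+ through the session's IpHlpApi SendARP
  # (via railgun) and records each answering host, plus its OUI vendor when
  # one is known, with report_host / report_note.
  #
  # @param cidr [String] address range or CIDR accepted by Rex::Socket::RangeWalker
  # @param threads [Integer, nil] number of SendARP calls issued concurrently.
  #   Values below 1 (including nil) are treated as 1: the original loop spawned
  #   `threads` workers per pass, so THREADS=0 never drained the address list
  #   and spun forever.
  # @return [nil]
  def arp_scan(cidr, threads)
    print_status("ARP Scanning #{cidr}")
    ws = client.railgun.ws2_32
    iphlp = client.railgun.iphlpapi
    # Clamp so each pass always removes at least one address from the list.
    batch_size = [threads.to_i, 1].max
    # Constant lookup is the same for every host; resolve it once.
    no_error = client.railgun.const('NO_ERROR')

    pending = expand_range(cidr)
    until pending.empty?
      # Take at most one address per worker so no thread is started with nil.
      workers = pending.shift(batch_size).map do |ip_text|
        framework.threads.spawn("Module(#{refname})", false, ip_text) do |target|
          probe_host(ws, iphlp, no_error, target)
        end
      end
      workers.each(&:join)
    end
    nil
  end

  private

  # Materialises the range as an Array so it can be drained in batches.
  # Stops early if the walker runs out of addresses before num_ips is reached.
  #
  # @param cidr [String] range expression for Rex::Socket::RangeWalker
  # @return [Array<String>] addresses in walker order
  def expand_range(cidr)
    walker = Rex::Socket::RangeWalker.new(cidr)
    addresses = []
    while addresses.length < walker.num_ips
      ip = walker.next_ip
      break unless ip

      addresses << ip
    end
    addresses
  end

  # Issues a single SendARP for +ip_text+ and reports the answering host.
  # A non-NO_ERROR return (no reply) records nothing.
  #
  # @param ws [Object] railgun ws2_32 handle (for inet_addr)
  # @param iphlp [Object] railgun iphlpapi handle (for SendARP)
  # @param no_error [Integer] value of the NO_ERROR railgun constant
  # @param ip_text [String, nil] dotted-quad address to probe; nil is ignored
  # @return [nil]
  def probe_host(ws, iphlp, no_error, ip_text)
    return if ip_text.nil?

    ip = ws.inet_addr(ip_text)['return']
    # pMacAddr is an out buffer of 6 bytes; PhyAddrLen is set to 6 to match.
    resp = iphlp.SendARP(ip, 0, 6, 6)
    return unless resp['return'] == no_error

    mac_text = resp['pMacAddr'].unpack('C*').map { |octet| format('%02x', octet) }.join(':')
    company = OUI_LIST.lookup_oui_company_name(mac_text)
    print_good("\tIP: #{ip_text} MAC #{mac_text} (#{company})")
    report_host(host: ip_text, mac: mac_text)
    return if company.nil?

    report_note(host: ip_text, type: 'mac_oui', data: { company: company })
  end
end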