GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/wlan/wlan_probe_request.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
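class MetasploitModule < Msf::Post
  # DOT11_SSID_MAX_LENGTH: the ucSSID member of DOT11_SSID is a fixed 32-byte array.
  SSID_MAX_LENGTH = 32

  # Seconds to pause after each WlanScan call before moving to the next interface.
  SCAN_INTERVAL = 10

  # Human-readable forms of the WLAN_INTERFACE_STATE value read out of each
  # WLAN_INTERFACE_INFO element; anything else is reported as 'Unknown State'.
  INTERFACE_STATES = {
    0 => 'The interface is not ready to operate.',
    1 => 'The interface is connected to a network.',
    2 => 'The interface is the first node in an ad hoc network. No peer has connected.',
    3 => 'The interface is disconnecting from the current network.',
    4 => 'The interface is not connected to any network.',
    5 => 'The interface is attempting to associate with a network.',
    6 => 'Auto configuration is discovering the settings for the network.',
    7 => 'The interface is in the process of authenticating.'
  }.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Send Probe Request Packets',
        'Description' => %q{
          This module send probe requests through the wlan interface.
          The ESSID field will be use to set a custom message.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Borja Merino <bmerinofe[at]gmail.com>' ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_railgun_api
              stdapi_sys_process_attach
              stdapi_sys_process_getpid
            ]
          }
        }
      )
    )

    register_options(
      [
        OptString.new('SSID', [true, 'Message to be embedded in the SSID field', '']),
        OptInt.new('TIMEOUT', [false, 'Timeout in seconds running probes', '30'])
      ]
    )
  end

  # Entry point: validates the SSID, opens a WLAN API client handle, enumerates the
  # wireless interfaces and keeps calling WlanScan with the custom SSID on each of
  # them until TIMEOUT seconds elapse. The WLAN handle is released on every exit
  # path (timeout, "no interfaces", or a railgun failure), not only on timeout.
  #
  # Ruby's Timeout treats 0 (and nil) as "no limit", so TIMEOUT=0 probes until the
  # session dies.
  def run
    ssid = datastore['SSID']
    time = datastore['TIMEOUT']

    # uSSIDLength and ucSSID are byte quantities. String#length counts characters,
    # which under-counts a multi-byte (e.g. UTF-8) message and would let it exceed
    # the 32-byte ucSSID array while passing the check, so validate on bytesize.
    if ssid.bytesize > SSID_MAX_LENGTH
      print_error('The SSID must be equal to or less than 32 bytes')
      return
    end

    mypid = client.sys.process.getpid
    # Handle to our own process, used only for memory reads in enum_interfaces.
    # NOTE(review): PROCESS_ALL_ACCESS is broader than the reads below need and the
    # handle is never closed; a VM_READ-only right would do if that constant is in
    # scope here -- verify before changing.
    @host_process = client.sys.process.open(mypid, PROCESS_ALL_ACCESS)
    @wlanapi = client.railgun.wlanapi

    wlan_handle = open_handle
    unless wlan_handle
      print_error("Couldn't open WlanAPI Handle. WLAN API may not be installed on target")
      print_error('On Windows XP this could also mean the Wireless Zero Configuration Service is turned off')
      return
    end

    begin
      wlan_iflist = enum_interfaces(wlan_handle)
      if wlan_iflist.empty?
        print_status('Wlan interfaces not found')
        return
      end

      p_dot11_ssid = build_dot11_ssid(ssid)
      print_status("Wlan interfaces found: #{wlan_iflist.length}")
      print_status("Sending probe requests for #{time} seconds")

      ::Timeout.timeout(time) do
        loop do
          wlan_iflist.each do |interface|
            vprint_status("Interface Guid: #{interface['guid'].unpack('H*')[0]}")
            vprint_status("Interface State: #{interface['state']}")
            vprint_status("DOT11_SSID payload: #{p_dot11_ssid.bytes.map { |b| b.to_s(16) }.join(':')}")
            @wlanapi.WlanScan(wlan_handle, interface['guid'], p_dot11_ssid, nil, nil)
            sleep(SCAN_INTERVAL)
          end
        end
      end
    rescue ::Timeout::Error
      # Normal termination: TIMEOUT elapsed.
      vprint_status('Timeout reached, stopping probe requests')
    ensure
      # Previously the handle was only closed on Timeout::Error, so an early
      # return or a railgun exception leaked it in the target process.
      close_wlan_handle(wlan_handle)
    end
  end

  # Serialises a DOT11_SSID struct for WlanScan's pDot11Ssid argument:
  #
  #   typedef struct _DOT11_SSID {
  #     ULONG uSSIDLength;
  #     UCHAR ucSSID[DOT11_SSID_MAX_LENGTH];
  #   } DOT11_SSID, *PDOT11_SSID;
  #
  # uSSIDLength is the byte length of the message and ucSSID is zero-padded to its
  # full 32 bytes, so the callee always receives a complete 36-byte struct instead
  # of a buffer that ends after the message. The caller enforces SSID_MAX_LENGTH.
  #
  # @param ssid [String] message to place in the SSID field (at most 32 bytes)
  # @return [String] binary DOT11_SSID buffer (little-endian length + padded SSID)
  def build_dot11_ssid(ssid)
    raw = ssid.b
    [raw.bytesize].pack('L<') + raw.ljust(SSID_MAX_LENGTH, "\x00")
  end

  # Releases the WLAN API client handle obtained from open_handle and reports the
  # outcome; WlanCloseHandle returns 0 (ERROR_SUCCESS) on success.
  #
  # @param wlan_handle [Integer] client handle to close
  def close_wlan_handle(wlan_handle)
    closehandle = @wlanapi.WlanCloseHandle(wlan_handle, nil)
    if closehandle['return'] == 0
      print_status('WlanAPI Handle closed successfully')
    else
      print_error('There was an error closing the Handle')
    end
  end

  # Function borrowed from @theLightCosine wlan_* modules
  #
  # Opens a WLAN API client handle. The remaining arguments (nil, 4, 4) are the
  # reserved pointer and railgun out-buffer sizes for pdwNegotiatedVersion and
  # phClientHandle, as used by the other wlan_* modules.
  #
  # @return [Integer, nil] the phClientHandle value, or nil when WlanOpenHandle
  #   raises (typically because the WLAN API is unavailable on the target)
  def open_handle
    begin
      wlhandle = @wlanapi.WlanOpenHandle(2, nil, 4, 4)
    rescue StandardError
      return nil
    end
    wlhandle['phClientHandle']
  end

  # Function borrowed from @theLightCosine wlan_* modules
  #
  # Walks the WLAN_INTERFACE_INFO_LIST returned by WlanEnumInterfaces (read out of
  # our own process memory) and returns one hash per interface with 'guid'
  # (16 raw bytes), 'description' (512 raw bytes) and 'state' (text from
  # INTERFACE_STATES).
  #
  # NOTE(review): the list is allocated by the WLAN API inside the target process
  # and is never released here (WlanFreeMemory), so it leaks for the lifetime of
  # the host process -- confirm the railgun wlanapi definition exposes it before
  # adding the call.
  #
  # @param wlan_handle [Integer] client handle from open_handle
  # @return [Array<Hash>] interfaces, empty when none are present
  def enum_interfaces(wlan_handle)
    iflist = @wlanapi.WlanEnumInterfaces(wlan_handle, nil, 4)
    pointer = iflist['ppInterfaceList']

    # dwNumberOfItems is the first DWORD of the list header.
    numifs = @host_process.memory.read(pointer, 4).unpack('V')[0]

    # Skip the 8-byte list header (dwNumberOfItems + dwIndex) to the first
    # WLAN_INTERFACE_INFO element.
    pointer += 8

    Array.new(numifs) do
      interface = {}
      # InterfaceGuid (16 bytes)
      interface['guid'] = @host_process.memory.read(pointer, 16)
      pointer += 16
      # strInterfaceDescription (up to 512 bytes)
      interface['description'] = @host_process.memory.read(pointer, 512)
      pointer += 512
      # isState: 4-byte WLAN_INTERFACE_STATE value
      state = @host_process.memory.read(pointer, 4).unpack('V')[0]
      pointer += 4
      interface['state'] = INTERFACE_STATES.fetch(state, 'Unknown State')
      interface
    end
  end
end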