From 4d649045aa0a5f29ba050db5bbcebe489bf421ec Mon Sep 17 00:00:00 2001 From: Carlos Perez Date: Thu, 8 Jul 2010 14:24:24 +0000 Subject: [PATCH] ARP Scanner Meterpreter Script using the railgun Extension, based on example provided in railgun manual. git-svn-id: file:///home/svn/framework3/trunk@9733 4d416f70-5f16-0410-b530-b9f4589650da --- scripts/meterpreter/arp_scanner.rb | 113 +++++++++++++++++++++++++++++ 1 file changed, 113 insertions(+) create mode 100644 scripts/meterpreter/arp_scanner.rb diff --git a/scripts/meterpreter/arp_scanner.rb b/scripts/meterpreter/arp_scanner.rb new file mode 100644 index 0000000000..c249d2d9e3 --- /dev/null +++ b/scripts/meterpreter/arp_scanner.rb @@ -0,0 +1,113 @@ +# $Id$ +# $Revision$ +# Author: Carlos Perez at carlos_perez[at]darkoperator.com +#------------------------------------------------------------------------------- +################## Variable Declarations ################## +@client = client +@@exec_opts = Rex::Parser::Arguments.new( + "-h" => [ false, "Help menu." ], + "-i" => [ false, "Enumerate Local Interfaces"], + "-r" => [ true, "The target address range or CIDR identifier"], + "-s" => [ false, "Save found IP Addresses to logs."] +) + + + +def enum_int + print_status("Enumerating Interfaces") + client.net.config.interfaces.each do |i| + if not i.mac_name =~ /Loopback/ + print_status("\t#{i.mac_name}") + print_status("\t#{i.ip}") + print_status("\t#{i.netmask}") + print_status() + end + + end +end +def arp_scan(cidr) + print_status("ARP Scanning #{cidr}") + client.core.use("railgun") + rail = client.railgun + ws = client.railgun.ws2_32 + iphlp = client.railgun.iphlpapi + i, a = 0, [] + iplst,found = [],[] + ipadd = Rex::Socket::RangeWalker.new(cidr) + numip = ipadd.num_ips + while (iplst.length < numip) + ipa = ipadd.next_ip + if (not ipa) + break + end + iplst << ipa + end + iplst.each do |ip_text| + if i < 10 + a.push(::Thread.new { + h = ws.inet_addr(ip_text) + ip = h["return"] + h = iphlp.SendARP(ip,0,6,6) + if h["return"] == rail.const("NO_ERROR") + mac = h["pMacAddr"] + print_status("IP: #{ip_text} MAC " + + mac[0].ord.to_s(16) + ":" + + mac[1].ord.to_s(16) + ":" + + mac[2].ord.to_s(16) + ":" + + mac[3].ord.to_s(16) + ":" + + mac[4].ord.to_s(16) + ":" + + mac[5].ord.to_s(16) + ) + found << ip_text + end + }) + i += 1 + else + sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty? + i = 0 + end + end + a.delete_if {|x| not x.alive?} while not a.empty? + return found +end + +def save_found(found_ip) + info = @client.sys.config.sysinfo + # Create Filename info to be appended to downloaded files + filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S") + + # Create a directory for the logs + logs = ::File.join(Msf::Config.log_directory,'scripts', 'arp_scanner',info['Computer'] + filenameinfo) + # Create the log directory + ::FileUtils.mkdir_p(logs) + + #log file name + dest = logs + "/" + info['Computer'] + filenameinfo + ".txt" + + print_status("Saving found IP's to #{dest}") + file_local_write(dest,found_ip) + +end +save2log = false +cidr2scan = "" +@@exec_opts.parse(args) { |opt, idx, val| + case opt + when "-h" + print_line "Meterpreter Script for performing an ARPS Scan Discovery." + print_line(@@exec_opts.usage) + raise Rex::Script::Completed + when "-i" + enum_int + raise Rex::Script::Completed + when "-r" + cidr2scan = val + when "-s" + save2log = true + end +} + +if save2log + save_found(arp_scan(cidr2scan)) +else + arp_scan(cidr2scan) +end \ No newline at end of file