Mostly complete Kademlia PING / BOOTSTRAP scanner

Author: jhart-r7

lib/rex/proto/kademlia.rb

@@ -1,3 +1,3 @@
 # -*- coding: binary -*-
 
-require 'rex/proto/steam/message'
+require 'rex/proto/kademlia/message'

lib/rex/proto/kademlia/message.rb

@@ -77,8 +77,7 @@ def decode_pong(message)
     return nil unless opcode == PONG
     # abort if the response is too large/small
     return nil unless port && port.size == 2
-    # the port will be the port the true endpoint is actually listening on,
-    # which may not be the same as the port you contacted it on (NAT/etc)
+    # this should always be equivalent to the source port from which the PING was received
     port.unpack('v')[0]
   end
 

modules/auxiliary/scanner/kademlia/server_info.rb

@@ -54,14 +54,31 @@ def build_probe
   end
 
   def scanner_process(response, src_host, src_port)
-    info = message_decode(response)
+    return if response.blank?
+    peer = "#{src_host}:#{src_port}"
+
+    case action.name
+    when 'BOOTSTRAP'
+      peer_id, tcp_port, version, peers = decode_bootstrap_res(response)
+      info = {
+        peer_id: peer_id,
+        tcp_port: tcp_port,
+        version: version,
+        peers: peers
+      }
+      if datastore['VERBOSE']
+      else
+        print_good("#{peer} ID #{peer_id}, TCP port #{tcp_port}, version #{version}, #{peers.size} peers")
+      end
+    when 'PING'
+      udp_port = decode_pong(response)
+      print_good("#{peer} PONG")
+      # udp_port should match the port we contacted it from.  TODO: validate this?
+      info = { udp_port: udp_port }
+    end
+
     return unless info
     @results[src_host] ||= []
-    if datastore['VERBOSE']
-      print_good("#{src_host}:#{src_port} found '#{info.inspect}'")
-    else
-      print_good("#{src_host}:#{src_port} found '#{info[:name]}'")
-    end
     @results[src_host] << info
   end