Module: Msf::Exploit::Capture

Defined in:
lib/msf/core/exploit/capture.rb

Instance Attribute Summary collapse

Instance Method Summary collapse

Instance Attribute Details

#arp_cacheObject

Returns the value of attribute arp_cache


423
424
425
# File 'lib/msf/core/exploit/capture.rb', line 423

def arp_cache
  @arp_cache
end

#arp_captureObject

Returns the value of attribute arp_capture


423
424
425
# File 'lib/msf/core/exploit/capture.rb', line 423

def arp_capture
  @arp_capture
end

#captureObject

Returns the value of attribute capture


423
424
425
# File 'lib/msf/core/exploit/capture.rb', line 423

def capture
  @capture
end

#dst_cacheObject

Returns the value of attribute dst_cache


423
424
425
# File 'lib/msf/core/exploit/capture.rb', line 423

def dst_cache
  @dst_cache
end

Instance Method Details

#arp(target_ip = nil) ⇒ Object

A pure-Ruby ARP exchange. It uses self.arp_capture to send and recv packets, rather than self.capture.

Raises:

  • (RuntimeError)

342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
# File 'lib/msf/core/exploit/capture.rb', line 342

def arp(target_ip=nil)
  return self.arp_cache[target_ip] if self.arp_cache[target_ip]
  return self.arp_cache[:gateway] unless should_arp? target_ip
  source_ip = Rex::Socket.source_address(target_ip)
  raise RuntimeError, "Could not access the capture process." unless self.arp_capture
  p = arp_packet(target_ip, source_ip)
  inject_eth(:eth_type  => 0x0806,
    :payload   => p,
    :pcap      => self.arp_capture,
    :eth_saddr => self.arp_cache[Rex::Socket.source_address(target_ip)]
  )
  begin
    to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
    ::Timeout.timeout(to) do
      while (my_packet = inject_reply(:arp, self.arp_capture))
        if my_packet.arp_saddr_ip == target_ip
          self.arp_cache[target_ip] = my_packet.eth_saddr
          return self.arp_cache[target_ip]
        else
          next
        end
      end
    end
  rescue ::Timeout::Error
  end
end

#arp_packet(target_ip = nil, source_ip = nil) ⇒ Object

Creates a full ARP packet, mainly for use with inject_eth()


370
371
372
373
374
375
376
377
378
# File 'lib/msf/core/exploit/capture.rb', line 370

def arp_packet(target_ip=nil, source_ip=nil)
  p               = PacketFu::ARPPacket.new
  p.arp_opcode    = 1
  p.arp_daddr_ip  = target_ip || datastore['RHOST']
  p.arp_saddr_ip  = source_ip || datastore['LHOST']
  my_eth          = self.arp_cache[Rex::Socket.source_address(target_ip)]
  p.arp_saddr_mac = my_eth || "00:00:00:00:00:00"
  return p
end

#capture_extract_ies(raw) ⇒ Object


142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
# File 'lib/msf/core/exploit/capture.rb', line 142

def capture_extract_ies(raw)
  set = {}
  idx = 0
  len = 0

  while (idx < raw.length)
    len = raw[idx+1]
    return set unless len
    set[raw[idx]] ||= []
    set[raw[idx]].push(raw[idx + 2, len])
    idx += len + 2
  end

  return set
end

#capture_icmp_echo_pack(id = nil, seq = nil, payload = nil) ⇒ Object

Intended to be used as the payload to an ICMP echo request's payload


558
559
560
561
562
# File 'lib/msf/core/exploit/capture.rb', line 558

def capture_icmp_echo_pack(id=nil, seq=nil, payload=nil)
  id  ||= rand(0x10000)
  seq ||= rand(0x10000)
  [id, seq, payload.to_s].pack("nna*")
end

#capture_icmp_echo_unpack(data) ⇒ Object

Decodes and ICMP echo request or response.


565
566
567
# File 'lib/msf/core/exploit/capture.rb', line 565

def capture_icmp_echo_unpack(data)
  data.unpack("nna*")
end

#capture_sendto(payload = "", dhost = nil, bcast = false, dev = nil) ⇒ Object

Capture_sendto is intended to replace the old Rex::Socket::Ip.sendto method. It requires a payload and a destination address. To send to the broadcast address, set bcast to true (this will guarantee that packets will be sent even if ARP doesn't work out).

Raises:

  • (RuntimeError)

245
246
247
248
249
250
251
252
253
254
# File 'lib/msf/core/exploit/capture.rb', line 245

def capture_sendto(payload="", dhost=nil, bcast=false, dev=nil)
  raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)" unless self.capture
  raise RuntimeError, "Must specify a host to sendto" unless dhost
  dev              ||= datastore['INTERFACE']
  dst_mac, src_mac = lookup_eth(dhost, dev)
  if dst_mac == nil and not bcast
    return false
  end
  inject_eth(:payload => payload, :eth_daddr => dst_mac, :eth_saddr => src_mac)
end

#check_pcaprub_loadedObject


390
391
392
393
394
395
396
397
398
399
400
# File 'lib/msf/core/exploit/capture.rb', line 390

def check_pcaprub_loaded
  if not @pcaprub_loaded
    print_status("The Pcaprub module is not available: #{@pcaprub_error}")
    raise RuntimeError, "Pcaprub not available"
  elsif not @network_interface_loaded
    print_status("The NetworkInterface module is not available: #{@network_interface_error}")
    raise RuntimeError, "NetworkInterface not available"
  else
    true
  end
end

#close_pcapObject


135
136
137
138
139
140
# File 'lib/msf/core/exploit/capture.rb', line 135

def close_pcap
  return unless self.capture
  self.capture     = nil
  self.arp_capture = nil
  GC.start()
end

#each_packetObject

This monstrosity works around a series of bugs in the interrupt signal handling of Ruby 1.9


162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
# File 'lib/msf/core/exploit/capture.rb', line 162

def each_packet
  return unless capture
  begin
    @capture_count = 0
    reader         = framework.threads.spawn("PcapReceiver", false) do
      capture.each do |pkt|
        yield(pkt)
        @capture_count += 1
      end
    end
    reader.join
  rescue ::Exception
    raise $!
  ensure
    reader.kill if reader.alive?
  end

  @capture_count
end

#expire_arpcacheObject

Allow modules to reset their arp caches arbitrarily.


381
382
383
# File 'lib/msf/core/exploit/capture.rb', line 381

def expire_arpcache
  self.arp_cache = {}
end

#get_interface_guid(dev) ⇒ Object

This function is usefull only on windows where pcaprub use the GUID


458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
# File 'lib/msf/core/exploit/capture.rb', line 458

def get_interface_guid(dev)
  check_pcaprub_loaded
  if RUBY_PLATFORM == "i386-mingw32"
    if dev.to_s =~ /^[0-9]{1,2}$/
      if is_interface?(dev)
        NetworkInterface.interfaces[(dev.to_i) - 1]
      else
        return dev
      end
    else
      return dev
    end
  else #Non windows
    return dev
  end
end

#get_ipv4_addr(dev, num = 0) ⇒ Object

Raises:

  • (RuntimeError)

492
493
494
495
496
497
498
499
500
# File 'lib/msf/core/exploit/capture.rb', line 492

def get_ipv4_addr(dev, num=0)
  check_pcaprub_loaded
  dev   = get_interface_guid(dev)
  addrs = NetworkInterface.addresses(dev)
  raise RuntimeError, "Interface #{dev} does not exist" if !addrs
  raise RuntimeError, "Interface #{dev} does not have an ipv4 address at position #{num}" if addrs[NetworkInterface::AF_INET].length < num + 1
  raise RuntimeError, "Can not get the IPv4 address for interface #{dev}" if !addrs[NetworkInterface::AF_INET][num]['addr']
  addrs[NetworkInterface::AF_INET][num]['addr']
end

#get_ipv4_addr_count(dev) ⇒ Object

Raises:

  • (RuntimeError)

484
485
486
487
488
489
490
# File 'lib/msf/core/exploit/capture.rb', line 484

def get_ipv4_addr_count(dev)
  check_pcaprub_loaded
  dev   = get_interface_guid(dev)
  addrs = NetworkInterface.addresses(dev)
  raise RuntimeError, "Interface #{dev} does not exist" if !addrs
  addrs[NetworkInterface::AF_INET].length
end

#get_ipv4_broadcast(dev, num = 0) ⇒ Object

Raises:

  • (RuntimeError)

512
513
514
515
516
517
518
519
520
# File 'lib/msf/core/exploit/capture.rb', line 512

def get_ipv4_broadcast(dev, num=0)
  check_pcaprub_loaded
  dev   = get_interface_guid(dev)
  addrs = NetworkInterface.addresses(dev)
  raise RuntimeError, "Interface #{dev} do not exists" if !addrs
  raise RuntimeError, "Interface #{dev} do not have an ipv4 address at position #{num}" if addrs[NetworkInterface::AF_INET].length < num + 1
  raise RuntimeError, "Can not get IPv4 broadcast address for interface #{dev}" if !addrs[NetworkInterface::AF_INET][num]['broadcast']
  addrs[NetworkInterface::AF_INET][num]['broadcast']
end

#get_ipv4_netmask(dev, num = 0) ⇒ Object

Raises:

  • (RuntimeError)

502
503
504
505
506
507
508
509
510
# File 'lib/msf/core/exploit/capture.rb', line 502

def get_ipv4_netmask(dev, num=0)
  check_pcaprub_loaded
  dev   = get_interface_guid(dev)
  addrs = NetworkInterface.addresses(dev)
  raise RuntimeError, "Interface #{dev} does not exist" if !addrs
  raise RuntimeError, "Interface #{dev} does not have an ipv4 address at position #{num}" if addrs[NetworkInterface::AF_INET].length < num + 1
  raise RuntimeError, "Can not get IPv4 netmask for interface #{dev}" if !addrs[NetworkInterface::AF_INET][num]['netmask']
  addrs[NetworkInterface::AF_INET][num]['netmask']
end

#get_ipv6_addr(dev, num = 0) ⇒ Object

NOTE: IPv6 is not implemented on Windows

Raises:

  • (RuntimeError)

532
533
534
535
536
537
538
539
540
541
# File 'lib/msf/core/exploit/capture.rb', line 532

def get_ipv6_addr(dev, num=0)
  check_pcaprub_loaded
  dev = get_interface_guid(dev)
  raise RuntimeError, "IPv6 information is not available on this platform" unless ::NetworkInterface.const_defined?(:AF_INET6)
  addrs = NetworkInterface.addresses(dev)
  raise RuntimeError, "Interface #{dev} do not exists" if !addrs
  raise RuntimeError, "Interface #{dev} do not have an ipv6 address at position #{num}" if addrs[NetworkInterface::AF_INET6].length < num + 1
  raise RuntimeError, "Can not get ipv6 address for interface #{dev}" if !addrs[NetworkInterface::AF_INET6][num]['addr']
  addrs[NetworkInterface::AF_INET6][num]['addr'].gsub(/%(.)*$/, '')
end

#get_ipv6_addr_count(dev) ⇒ Object

Raises:

  • (RuntimeError)

522
523
524
525
526
527
528
529
# File 'lib/msf/core/exploit/capture.rb', line 522

def get_ipv6_addr_count(dev)
  check_pcaprub_loaded
  dev = get_interface_guid(dev)
  raise RuntimeError, "IPv6 information is not available on this platform" unless ::NetworkInterface.const_defined?(:AF_INET6)
  addrs = NetworkInterface.addresses(dev)
  raise RuntimeError, "Interface #{dev} do not exists" if !addrs
  addrs[NetworkInterface::AF_INET6].length
end

#get_ipv6_netmask(dev, num = 0) ⇒ Object

Raises:

  • (RuntimeError)

543
544
545
546
547
548
549
550
551
552
# File 'lib/msf/core/exploit/capture.rb', line 543

def get_ipv6_netmask(dev, num=0)
  check_pcaprub_loaded
  dev = get_interface_guid(dev)
  raise RuntimeError, "IPv6 information is not available on this platform" unless ::NetworkInterface.const_defined?(:AF_INET6)
  addrs = NetworkInterface.addresses(dev)
  raise RuntimeError, "Interface #{dev} do not exists" if !addrs
  raise RuntimeError, "Interface #{dev} do not have an ipv6 address at position #{num}" if addrs[NetworkInterface::AF_INET6].length < num + 1
  raise RuntimeError, "Can not get ipv6 netmask address for interface #{dev}" if !addrs[NetworkInterface::AF_INET6][num]['netmask']
  addrs[NetworkInterface::AF_INET6][num]['netmask']
end

#get_mac(dev) ⇒ Object

Raises:

  • (RuntimeError)

475
476
477
478
479
480
481
482
# File 'lib/msf/core/exploit/capture.rb', line 475

def get_mac(dev)
  check_pcaprub_loaded
  dev   = get_interface_guid(dev)
  addrs = NetworkInterface.addresses(dev)
  raise RuntimeError, "Interface #{dev} does not exist" if !addrs
  raise RuntimeError, "Can not get mac address for interface #{dev}" if !addrs[NetworkInterface::AF_LINK][0]['addr']
  addrs[NetworkInterface::AF_LINK][0]['addr']
end

#initialize(info = {}) ⇒ Object

Initializes an instance of an exploit module that captures traffic


23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
# File 'lib/msf/core/exploit/capture.rb', line 23

def initialize(info = {})
  super

  register_options(
    [
      OptPath.new('PCAPFILE', [false, 'The name of the PCAP capture file to process']),
      OptString.new('INTERFACE', [false, 'The name of the interface']),
      OptString.new('FILTER', [false, 'The filter string for capturing traffic']),
      OptInt.new('SNAPLEN', [true, 'The number of bytes to capture', 65535]),
      OptInt.new('TIMEOUT', [true, 'The number of seconds to wait for new data', 500]),
      Opt::RHOST

    ], Msf::Exploit::Capture
  )

  register_advanced_options(
    [
      OptInt.new('UDP_SECRET', [true, 'The 32-bit cookie for UDP probe requests.', 1297303091]),
      OptAddress.new('GATEWAY', [false, 'The gateway IP address. This will be used rather than a random remote address for the UDP probe, if set.']),
      OptInt.new('NETMASK', [false, 'The local network mask. This is used to decide if an address is in the local network.', 24]),
    ], Msf::Exploit::Capture
  )

  require 'packetfu'

  begin
    require 'pcaprub'
    @pcaprub_loaded = true
  rescue ::LoadError => e
    @pcaprub_loaded = false
    @pcaprub_error  = e
  end

  begin
    require 'network_interface'
    @network_interface_loaded = true
  rescue ::LoadError => e
    @network_interface_loaded = false
    @network_interface_error  = e
  end

end

#inject(pkt = "", pcap = self.capture) ⇒ Object

Injects a packet on the wire. For all injection-related functions, it's on the module to open up a capture device first (this way, we don't needlessly spawn new capture devices).


185
186
187
188
189
190
191
192
# File 'lib/msf/core/exploit/capture.rb', line 185

def inject(pkt="", pcap=self.capture)
  check_pcaprub_loaded
  if not pcap
    raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"
  else
    pcap.inject(pkt.to_s) # Can be a PacketFu Packet object or a pre-packed string
  end
end

#inject_eth(args = {}) ⇒ Object

Injects an Ethernet packet with an optional payload. The payload may be a regular PacketFu packet, an EthHeader, or a string.


196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
# File 'lib/msf/core/exploit/capture.rb', line 196

def inject_eth(args={})
  eth_daddr   = args[:eth_daddr] || "ff:ff:ff:ff:ff:ff"
  eth_saddr   = args[:eth_saddr] || "00:00:00:00:00:00"
  eth_type    = args[:eth_type] || 0x0800 # IP default
  payload     = args[:payload]
  pcap        = args[:pcap] || self.capture
  p           = PacketFu::EthPacket.new
  p.eth_daddr = eth_daddr
  p.eth_saddr = eth_saddr
  p.eth_proto = eth_type
  if payload
    if payload.kind_of? PacketFu::EthPacket
      p.payload = payload.eth_header.body
    elsif payload.kind_of? PacketFu::EthHeader
      p.payload = payload.body
    else
      p.payload = payload.to_s
    end
  end
  inject p.to_s, pcap
end

#inject_pcap(pcap_file, filter = nil, delay = 0, pcap = self.capture) ⇒ Object


218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
# File 'lib/msf/core/exploit/capture.rb', line 218

def inject_pcap(pcap_file, filter=nil, delay = 0, pcap=self.capture)
  check_pcaprub_loaded
  unless pcap
    raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"
  end

  if (not File.exists?(pcap_file))
    raise RuntimeError, "The PCAP file #{pcap_file} could not be found"
  end

  if (pcap_file.empty?)
    raise RuntimeError, "The PCAP file #{pcap_file} is empty"
  end

  capture_file = ::Pcap.open_offline(pcap_file)
  capture_file.setfilter(filter) if filter
  while (pkt = capture_file.next) do
    pcap.inject(pkt)
    Rex.sleep((delay * 1.0)/1000)
  end
  GC.start
end

#inject_reply(proto = :udp, pcap = self.capture) ⇒ Object

The return value either be a PacketFu::Packet object, or nil


257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
# File 'lib/msf/core/exploit/capture.rb', line 257

def inject_reply(proto=:udp, pcap=self.capture)
  reply = nil
  to    = (datastore['TIMEOUT'] || 500).to_f / 1000.0
  if not pcap
    raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"
  else
    begin
      ::Timeout.timeout(to) do
        pcap.each do |r|
          packet = PacketFu::Packet.parse(r)
          next unless packet.proto.map { |x| x.downcase.to_sym }.include? proto
          reply = packet
          break
        end
      end
    rescue ::Timeout::Error
    end
  end
  return reply
end

#is_interface?(dev) ⇒ Boolean

Returns:

  • (Boolean)

438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
# File 'lib/msf/core/exploit/capture.rb', line 438

def is_interface?(dev)
  check_pcaprub_loaded
  if RUBY_PLATFORM == "i386-mingw32"
    if dev =~ /\\Device\\NPF_\{[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}\}/
      return NetworkInterface.interfaces.include?(dev)
    elsif dev.to_s =~ /^[0-9]{1,2}$/
      if (dev.to_i <= NetworkInterface.interfaces.length) and (dev.to_i >= 0)
        return true
      else
        return false
      end
    else
      return false
    end
  else
    return NetworkInterface.interfaces.include?(dev)
  end
end

#list_interfacesObject


433
434
435
436
# File 'lib/msf/core/exploit/capture.rb', line 433

def list_interfaces
  check_pcaprub_loaded
  NetworkInterface.interfaces
end

#lookup_eth(addr = nil, iface = nil) ⇒ Object

This ascertains the correct Ethernet addresses one should use to ensure injected IP packets actually get where they are going, and manages the self.arp_cache hash. It always uses self.arp_capture to inject and capture packets, and will always first fire off a UDP packet using the regular socket to learn the source host's and gateway's mac addresses.

Raises:

  • (RuntimeError)

284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
# File 'lib/msf/core/exploit/capture.rb', line 284

def lookup_eth(addr=nil, iface=nil)
  raise RuntimeError, "Could not access the capture process." unless self.arp_capture

  self.arp_cache ||= {}
  self.dst_cache ||= {}

  return self.dst_cache[addr] if self.dst_cache[addr]

  if !self.arp_cache[Rex::Socket.source_address(addr)]
    probe_gateway(addr)
  end

  src_mac = self.arp_cache[Rex::Socket.source_address(addr)]
  if should_arp?(addr)
    dst_mac = self.arp_cache[addr] || arp(addr)
  else
    dst_mac = self.arp_cache[:gateway]
  end

  self.dst_cache[addr] = [dst_mac, src_mac]
end

#lookupnetObject


402
403
404
405
406
407
408
409
410
411
412
413
414
# File 'lib/msf/core/exploit/capture.rb', line 402

def lookupnet
  check_pcaprub_loaded
  dev  = datastore['INTERFACE'] || ::Pcap.lookupdev
  mask = datastore['NETMASK'] || 24
  begin
    my_net = IPAddr.new("#{Pcap.lookupnet(dev).first}/#{mask}")
  rescue RuntimeError => e
    @pcaprub_error = e
    print_status("Cannot stat device: #{@pcaprub_error}")
    raise RuntimeError, "Pcaprub error: #{@pcaprub_error}"
  end
  return my_net
end

#netifaces_implemented?Boolean

Netifaces code

Returns:

  • (Boolean)

427
428
429
430
431
# File 'lib/msf/core/exploit/capture.rb', line 427

def netifaces_implemented?
  @network_interface_loaded and
    NetworkInterface.respond_to?(:interfaces) and
    NetworkInterface.respond_to?(:addresses)
end

#open_pcap(opts = {}) ⇒ Object

Opens a handle to the specified device


84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
# File 'lib/msf/core/exploit/capture.rb', line 84

def open_pcap(opts={})
  check_pcaprub_loaded
  if RUBY_PLATFORM == "i386-mingw32"
    if opts['INTERFACE'] or datastore['INTERFACE']
      dev = opts['INTERFACE'] || datastore['INTERFACE']
      if is_interface?(dev)
        dev = get_interface_guid(dev)
      end
    end
  else
    dev = opts['INTERFACE'] || datastore['INTERFACE'] || nil
  end

  len = (opts['SNAPLEN'] || datastore['SNAPLEN'] || 65535).to_i
  tim = (opts['TIMEOUT'] || datastore['TIMEOUT'] || 0).to_i
  fil = opts['FILTER'] || datastore['FILTER']
  do_arp = (opts['ARPCAP'] == false) ? false : true

  # Look for a PCAP file
  cap = datastore['PCAPFILE'] || ''

  if (not cap.empty?)
    if (not File.exists?(cap))
      raise RuntimeError, "The PCAP file #{cap} could not be found"
    end
    self.capture = ::Pcap.open_offline(cap)
  else
    dev ||= ::Pcap.lookupdev

    unless RUBY_PLATFORM == "i386-mingw32"
      system("ifconfig", dev, "up")
    end

    self.capture = ::Pcap.open_live(dev, len, true, tim)
    if do_arp
      self.arp_capture = ::Pcap.open_live(dev, 512, true, tim)
      preamble         = datastore['UDP_SECRET'].to_i
      arp_filter       = "arp[6:2] = 2 or (udp[8:4] = #{preamble})"
      self.arp_capture.setfilter(arp_filter)
    end
  end

  if (not self.capture)
    raise RuntimeError, "Could not start the capture process"
  elsif (do_arp and !self.arp_capture and cap.empty?)
    raise RuntimeError, "Could not start the ARP capture process"
  end

  self.capture.setfilter(fil) if fil
end

#probe_gateway(addr) ⇒ Object


306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
# File 'lib/msf/core/exploit/capture.rb', line 306

def probe_gateway(addr)
  dst_host = (datastore['GATEWAY'] || IPAddr.new((rand(16777216) + 2969567232), Socket::AF_INET).to_s)
  dst_port = rand(30000)+1024
  preamble = [datastore['UDP_SECRET']].pack("N")
  secret   = "#{preamble}#{Rex::Text.rand_text(rand(0xff)+1)}"

  begin
    UDPSocket.open.send(secret, 0, dst_host, dst_port)
  rescue Errno::ENETUNREACH
    # This happens on networks with no gatway. We'll need to use a
    # fake source hardware address.
    self.arp_cache[Rex::Socket.source_address(addr)] = "00:00:00:00:00:00"
  end

  begin
    to = (datastore['TIMEOUT'] || 1500).to_f / 1000.0
    ::Timeout.timeout(to) do
      while (my_packet = inject_reply(:udp, self.arp_capture))
        if my_packet.payload == secret
          dst_mac = self.arp_cache[:gateway] = my_packet.eth_daddr
          src_mac = self.arp_cache[Rex::Socket.source_address(addr)] = my_packet.eth_saddr
          return [dst_mac, src_mac]
        else
          next
        end
      end
    end
  rescue ::Timeout::Error
    # Well, that didn't work (this common on networks where there's no gatway, like
    # VMWare network interfaces. We'll need to use a fake source hardware address.
    self.arp_cache[Rex::Socket.source_address(addr)] = "00:00:00:00:00:00"
  end
end

#rhostObject

For compatabilty with Msf::Exploit::Remote::Ip


386
387
388
# File 'lib/msf/core/exploit/capture.rb', line 386

def rhost
  datastore['RHOST']
end

#should_arp?(ip) ⇒ Boolean

Returns:

  • (Boolean)

416
417
418
419
420
421
# File 'lib/msf/core/exploit/capture.rb', line 416

def should_arp?(ip)
  @mydev  ||= datastore['INTERFACE'] || ::Pcap.lookupdev
  @mymask ||= datastore['NETMASK'] || 24
  @mynet  ||= lookupnet
  @mynet.include?(IPAddr.new(ip))
end

#stats_drop(pcap = self.capture) ⇒ Object


71
72
73
74
# File 'lib/msf/core/exploit/capture.rb', line 71

def stats_drop(pcap=self.capture)
  return(0) unless pcap
  pcap.stats['drop']
end

#stats_ifdrop(pcap = self.capture) ⇒ Object


76
77
78
79
# File 'lib/msf/core/exploit/capture.rb', line 76

def stats_ifdrop(pcap=self.capture)
  return(0) unless pcap
  pcap.stats['ifdrop']
end

#stats_recv(pcap = self.capture) ⇒ Object


66
67
68
69
# File 'lib/msf/core/exploit/capture.rb', line 66

def stats_recv(pcap=self.capture)
  return(0) unless pcap
  pcap.stats['recv']
end