Module: Msf::Exploit::Remote::Ipv6

Defined in:

lib/msf/core/exploit/remote/ipv6.rb

Overview

This module provides common tools for IPv6

Instance Method Summary

• #check_pcaprub_loaded ⇒ Object
• #close_icmp_pcap ⇒ Object

  Close the capture interface.

• #initialize(info = {}) ⇒ Object

  Initializes an instance of an exploit module that captures traffic.

• #ipv6_checksum!(pkt) ⇒ Object

  Usual ghetto strategy from PacketFu.

• #ipv6_icmpv6_echo_request(id, seq, data) ⇒ Object

  Helper methods that haven’t made it upstream yet.

• #ipv6_interface(opts = {}) ⇒ Object

  Shortcut method for resolving our local interface name.

• #ipv6_link_address(opts = {}) ⇒ Object

  Shortcut method for determining our link-local address.

• #ipv6_linklocaladdr(mac) ⇒ Object

  From Jon Hart’s Racket::L3::Misc#linklocaladdr(), which is from Daniele Bellucci.

• #ipv6_mac(opts = {}) ⇒ Object

  Shortcut method for determining our MAC address.

• #ipv6_neighbor_solicitation(neigh, smac) ⇒ Object

  Takes a neighbor and smac as arguments, The Neighbor value must be an int, while the smac must be a string.

• #ipv6_parse_options(data) ⇒ Object

  Simple tlv parser.

• #ipv6_soll_mcast_addr6(addr) ⇒ Object

  From Jon Hart’s Racket::L3::Misc#soll_mcast_addr6(), which is from DDniele Belluci.

• #ipv6_soll_mcast_mac(addr) ⇒ Object

  From Jon Hart’s Racket::L3::Misc#soll_mcast_mac().

• #open_icmp_pcap(opts = {}) ⇒ Object

  Opens a pcaprub capture interface to inject packets, and sniff ICMPv6 packets.

• #ping6(dhost, opts = {}) ⇒ Object

  Send a ICMPv6 Echo Request, and wait for the associated ICMPv6 Echo Response.

• #solicit_ipv6_mac(dhost, opts = {}) ⇒ Object

  Send out a ICMPv6 neighbor solicitation, and return the associated MAC address.

Instance Method Details

#check_pcaprub_loaded ⇒ Object

# File 'lib/msf/core/exploit/remote/ipv6.rb', line 310

def check_pcaprub_loaded
    unless @pcaprub_loaded
      print_status("The Pcaprub module is not available: #{@pcaprub_error}")
      raise RuntimeError, "Pcaprub not available"
    else
      true
  end

end

#close_icmp_pcap ⇒ Object

Close the capture interface

# File 'lib/msf/core/exploit/remote/ipv6.rb', line 74

def close_icmp_pcap()
  check_pcaprub_loaded

  return if not @ipv6_icmp6_capture
  @ipv6_icmp6_capture = nil
end

#initialize(info = {}) ⇒ Object

Initializes an instance of an exploit module that captures traffic

# File 'lib/msf/core/exploit/remote/ipv6.rb', line 15

def initialize(info = {})
  super
  register_options(
    [
      OptString.new('INTERFACE', [false, 'The name of the interface']),
      OptString.new("SMAC", [ false, "The source MAC address"]),
      OptAddress.new("SHOST", [ false, "The source IPv6 address" ] ),
      OptInt.new("TIMEOUT", [ true, "Timeout when waiting for host response.", 5])
    ], Msf::Exploit::Remote::Ipv6
  )

  begin
    require 'pcaprub'
    @pcaprub_loaded = true
  rescue ::Exception => e
    @pcaprub_loaded = false
    @pcaprub_error  = e
  end
end

#ipv6_checksum!(pkt) ⇒ Object

Usual ghetto strategy from PacketFu

# File 'lib/msf/core/exploit/remote/ipv6.rb', line 277

def ipv6_checksum!(pkt)
  check_data = pkt.headers.last[:ipv6_src].to_s.unpack("n8")
  check_data << pkt.headers.last[:ipv6_dst].to_s.unpack("n8")
  check_data << pkt.ipv6_len
  check_data << [0,58]
  check_payload = pkt.payload.size % 2 == 0 ? pkt.payload : pkt.payload + "\x00"
  check_data << check_payload.unpack("n*")
  check_data.flatten!
  checksum = check_data.inject(0) {|sum,x| sum += x}
  checksum = checksum % 0xffff
  checksum = 0xffff - checksum
  checksum == 0 ? 0xffff : checksum
  pkt.payload[2,2] = [checksum].pack("n")
  pkt
end

#ipv6_icmpv6_echo_request(id, seq, data) ⇒ Object

Helper methods that haven’t made it upstream yet. Mostly packet data packers, also a checksum calculator.

# File 'lib/msf/core/exploit/remote/ipv6.rb', line 220

def ipv6_icmpv6_echo_request(id,seq,data)
  type = 0x80
  code = 0
  checksum = 0
  id ||= rand(0x10000)
  seq ||= rand(0x10000)
  [type,code,checksum,id,seq,data].pack("CCnnna*")
end

#ipv6_interface(opts = {}) ⇒ Object

Shortcut method for resolving our local interface name

# File 'lib/msf/core/exploit/remote/ipv6.rb', line 39

def ipv6_interface(opts={})
  opts['INTERFACE'] || datastore['INTERFACE'] || ::Pcap.lookupdev
end

#ipv6_link_address(opts = {}) ⇒ Object

Shortcut method for determining our link-local address

# File 'lib/msf/core/exploit/remote/ipv6.rb', line 46

def ipv6_link_address(opts={})
  Rex::Socket.ipv6_link_address(ipv6_interface(opts))
end

#ipv6_linklocaladdr(mac) ⇒ Object

From Jon Hart’s Racket::L3::Misc#linklocaladdr(), which is from Daniele Bellucci

# File 'lib/msf/core/exploit/remote/ipv6.rb', line 245

def ipv6_linklocaladdr(mac)
  mac = mac.split(":")
  mac[0] = (mac[0].to_i(16) ^ (1 << 1)).to_s(16)
  ["fe80", "", mac[0,2].join, mac[2,2].join("ff:fe"), mac[4,2].join].join(":")
end

#ipv6_mac(opts = {}) ⇒ Object

Shortcut method for determining our MAC address

# File 'lib/msf/core/exploit/remote/ipv6.rb', line 53

def ipv6_mac(opts={})
  Rex::Socket.ipv6_mac(ipv6_interface(opts))
end

#ipv6_neighbor_solicitation(neigh, smac) ⇒ Object

Takes a neighbor and smac as arguments, The Neighbor value must be an int, while the smac must be a string. Very rudimentary and temporary.

# File 'lib/msf/core/exploit/remote/ipv6.rb', line 296

def ipv6_neighbor_solicitation(neigh,smac)
  target = neigh.to_s(16).scan(/../).map {|x| x.to_i(16)}.pack("C*")
  type = 135
  code = 0
  checksum = 0
  reserved = 0
  opt_type = 1
  opt_len = 1
  [type, code, checksum, reserved,
    target, opt_type, opt_len, smac
  ].pack("CCnNa16CCa6")
end

#ipv6_parse_options(data) ⇒ Object

Simple tlv parser

# File 'lib/msf/core/exploit/remote/ipv6.rb', line 230

def ipv6_parse_options(data)
  pos = 0
  opts = []
  while pos < data.size
    type, len = data[pos,2].unpack("CC")
    this_opt = [type,len]
    this_opt << data[pos+2, (pos-2 + (len * 8))]
    opts << this_opt
    pos += this_opt.pack("CCa*").size
  end
  opts
end

#ipv6_soll_mcast_addr6(addr) ⇒ Object

From Jon Hart’s Racket::L3::Misc#soll_mcast_addr6(), which is from DDniele Belluci

# File 'lib/msf/core/exploit/remote/ipv6.rb', line 253

def ipv6_soll_mcast_addr6(addr)
  h = addr.split(':')[-2, 2]
  m = []  
  x = h[0]
  x[0..1] = 'ff'
  m << x
  x = h[1]
  x.sub!(/^0*/, "")
  m << x
  'ff02::1:' + m.join(':')
end

#ipv6_soll_mcast_mac(addr) ⇒ Object

From Jon Hart’s Racket::L3::Misc#soll_mcast_mac()

# File 'lib/msf/core/exploit/remote/ipv6.rb', line 266

def ipv6_soll_mcast_mac(addr)
  h = addr.split(':')[-2, 2]
  m = []
  m << 'ff'
  m << (h[0].to_i(16) & 0xff).to_s(16)
  m << ((h[1].to_i(16) & (0xff << 8)) >> 8).to_s(16)
  m << (h[1].to_i(16) & 0xff).to_s(16)
  '33:33:' + m.join(':')
end

#open_icmp_pcap(opts = {}) ⇒ Object

Opens a pcaprub capture interface to inject packets, and sniff ICMPv6 packets

# File 'lib/msf/core/exploit/remote/ipv6.rb', line 61

def open_icmp_pcap(opts = {})
  check_pcaprub_loaded

  dev = ipv6_interface(opts)
  len = 65535
  tim = 0
  @ipv6_icmp6_capture = ::Pcap.open_live(dev, len, true, tim)
  @ipv6_icmp6_capture.setfilter("icmp6")
end

#ping6(dhost, opts = {}) ⇒ Object

Send a ICMPv6 Echo Request, and wait for the associated ICMPv6 Echo Response

# File 'lib/msf/core/exploit/remote/ipv6.rb', line 148

def ping6(dhost, opts={})
  check_pcaprub_loaded

  dhost_intf = dhost + '%' + ipv6_interface(opts)

  smac = opts['SMAC'] || datastore['SMAC'] || ipv6_mac
  shost = opts['SHOST'] || datastore['SHOST'] || Rex::Socket.source_address(dhost_intf)
  dmac = opts['DMAC'] || solicit_ipv6_mac(dhost)
  timeout = opts['TIMEOUT'] || datastore['TIMEOUT']
  wait = opts['WAIT']


  if(wait.eql?(nil))
    wait = true
  end

  dmac.eql?(nil) and return false

  open_icmp_pcap()

  # Create ICMPv6 Request
  p = PacketFu::IPv6Packet.new
  p.eth_saddr = smac
  p.eth_daddr = dmac
  p.ipv6_saddr = shost
  p.ipv6_daddr = dhost
  p.ipv6_next = 0x3a
  icmp_id = rand(65000)
  icmp_seq = 1
  icmp_payload = Rex::Text.rand_text(8)
  p.payload = ipv6_icmpv6_echo_request(icmp_id,icmp_seq,icmp_payload)
  p.ipv6_len = p.payload.to_s.size
  ipv6_checksum!(p)

  @ipv6_icmp6_capture.inject(p.to_s)

  if(wait.eql?(true))
    print_status("Waiting for ping reply...")
    print_line("")
    # Wait for a response
    max_epoch = ::Time.now.to_i + timeout
    while(::Time.now.to_i < max_epoch)
      pkt = @ipv6_icmp6_capture.next()
      next if not pkt
      response_pkt = PacketFu::Packet.parse(pkt) rescue nil
      next unless response_pkt
      next unless response_pkt.is_ipv6?
      next unless response_pkt.payload
      next if response_pkt.payload.empty?
      next unless response_pkt.payload[0,1] == "\x81" # Echo reply
      if( response_pkt.ipv6_daddr == p.ipv6_saddr and
         response_pkt.ipv6_saddr == p.ipv6_daddr and
         response_pkt.ipv6_daddr == p.ipv6_saddr and
         response_pkt.payload[4,2] == p.payload[4,2] and # Id
         response_pkt.payload[6,2] == p.payload[6,2] # Seq
        )
        close_icmp_pcap()
        return(true)
      end

    end # End while
  end

  close_icmp_pcap()
  return(false)
end

#solicit_ipv6_mac(dhost, opts = {}) ⇒ Object

Send out a ICMPv6 neighbor solicitation, and return the associated MAC address

# File 'lib/msf/core/exploit/remote/ipv6.rb', line 85

def solicit_ipv6_mac(dhost, opts = {})
  check_pcaprub_loaded

  dhost_intf = dhost + '%' + ipv6_interface(opts)

  smac = opts['SMAC'] || datastore['SMAC'] || ipv6_mac
  shost = opts['SHOST'] || datastore['SHOST'] || Rex::Socket.source_address(dhost_intf)
  timeout = opts['TIMEOUT'] || datastore['TIMEOUT'] || 3

  open_icmp_pcap()

  p2 = PacketFu::IPv6Packet.new
  p2.eth_saddr = smac
  p2.eth_daddr = ipv6_soll_mcast_mac(dhost)
  p2.ipv6_saddr = shost
  p2.ipv6_daddr = ipv6_soll_mcast_addr6(dhost)
  p2.ipv6_hop = 255
  p2.ipv6_next = 0x3a
  p2.payload = ipv6_neighbor_solicitation(
    IPAddr.new(dhost).to_i,
    p2.eth_src
  )
  p2.ipv6_len = p2.payload.size
  ipv6_checksum!(p2)

  @ipv6_icmp6_capture.inject(p2.to_s)

  # Wait for a response
  max_epoch = ::Time.now.to_i + timeout
  while(::Time.now.to_i < max_epoch)
    pkt_bytes = @ipv6_icmp6_capture.next()
    next if not pkt_bytes
    pkt = PacketFu::Packet.parse(pkt_bytes) rescue nil
    next unless pkt
    next unless pkt.is_ipv6?
    next unless pkt.ipv6_next == 0x3a
    next unless pkt.payload
    next if pkt.payload.empty?
    next unless pkt.payload[0,1] == "\x88" # Neighbor advertisement
    if(IPAddr.new(pkt.ipv6_daddr).to_i == IPAddr.new(shost).to_i and
       IPAddr.new(pkt.ipv6_saddr).to_i == IPAddr.new(dhost).to_i)
       ipv6opts = pkt.payload[24,pkt.payload.size]
       next unless ipv6opts
       parsed_opts = ipv6_parse_options(ipv6opts)
       parsed_opts.each do |opt|
         if opt[0] == 2
           addr = PacketFu::EthHeader.str2mac(opt.last)
           close_icmp_pcap()
           return(addr)
         end
       end
       close_icmp_pcap
       return(pkt.eth_saddr)
    end
  end
  close_icmp_pcap
  return nil
end