Class: Msf::Exploit::SMB::ShadowMitmDispatcher

Inherits:

RubySMB::Dispatcher::Base

• Object
• RubySMB::Dispatcher::Base
• Msf::Exploit::SMB::ShadowMitmDispatcher

Defined in:

lib/msf/core/exploit/smb/shadow_mitm_dispatcher.rb

Overview

This class provides a Man-In-The-Middle packet Dispatcher.

Constant Summary

READ_TIMEOUT =

30

TCP_MSS =

RFC 879

536

Instance Attribute Summary

• #ccap ⇒ PacketFu::Capture
• #eth_dst ⇒ String
• #eth_src ⇒ String
• #interface ⇒ String
• #ip_dst ⇒ String
• #ip_src ⇒ String
• #mac ⇒ String
• #read_timeout ⇒ Integer
• #stream ⇒ IO (also: #tcp_socket)
• #tcp_ack ⇒ Integer
• #tcp_dst ⇒ Integer
• #tcp_mss ⇒ Integer
• #tcp_seq ⇒ Integer
• #tcp_src ⇒ Integer
• #tcp_win ⇒ Integer

Class Method Summary

• .connect ⇒ Object

Instance Method Summary

• #initialize(interface:, mac:, eth_src:, eth_dst:, ip_src:, ip_dst:, tcp_src:, tcp_dst:, tcp_seq:, tcp_ack:, tcp_win:, tcp_mss: TCP_MSS, read_timeout: READ_TIMEOUT) ⇒ ShadowMitmDispatcher constructor

  We decide the host based on the first person to connect.

• #recv_packet(full_response: false) ⇒ String

  Read a packet off the wire and parse it into a string.

• #send_packet(packet, nbss_header: true, tcp_flags: { ack: 1, psh: 1 }, tcp_opts: "") ⇒ Object

  Needs: @tcp_src, @tcp_dst, @tcp_seq, @tcp_ack, @tcp-win, @interface, @mac.

Constructor Details

#initialize(interface:, mac:, eth_src:, eth_dst:, ip_src:, ip_dst:, tcp_src:, tcp_dst:, tcp_seq:, tcp_ack:, tcp_win:, tcp_mss: TCP_MSS, read_timeout: READ_TIMEOUT) ⇒ ShadowMitmDispatcher

We decide the host based on the first person to connect

# File 'lib/msf/core/exploit/smb/shadow_mitm_dispatcher.rb', line 86

def initialize(interface: , mac: , eth_src: , eth_dst: , ip_src: , ip_dst: , tcp_src:, tcp_dst: , tcp_seq: , tcp_ack: , tcp_win: , tcp_mss: TCP_MSS, read_timeout: READ_TIMEOUT)
  @interface = interface
  @mac = mac
  @eth_src = eth_src
  @eth_dst = eth_dst
  @ip_src = ip_src
  @ip_dst = ip_dst
  @tcp_src = tcp_src
  @tcp_dst = tcp_dst
  @tcp_seq = tcp_seq
  @tcp_ack = tcp_ack
  @tcp_win = tcp_win
  @tcp_mss = tcp_mss
  @read_timeout = read_timeout
  # Just create something to close
  @stream = Socket.new Socket::AF_INET, Socket::SOCK_STREAM
end

Instance Attribute Details

#ccap ⇒ PacketFu::Capture

Returns:

• (PacketFu::Capture)

# File 'lib/msf/core/exploit/smb/shadow_mitm_dispatcher.rb', line 83

def ccap
  @ccap
end

#eth_dst ⇒ String

Returns:

• (String)

# File 'lib/msf/core/exploit/smb/shadow_mitm_dispatcher.rb', line 38

def eth_dst
  @eth_dst
end

#eth_src ⇒ String

Returns:

• (String)

# File 'lib/msf/core/exploit/smb/shadow_mitm_dispatcher.rb', line 33

def eth_src
  @eth_src
end

#interface ⇒ String

Returns:

• (String)

# File 'lib/msf/core/exploit/smb/shadow_mitm_dispatcher.rb', line 23

def interface
  @interface
end

#ip_dst ⇒ String

Returns:

• (String)

# File 'lib/msf/core/exploit/smb/shadow_mitm_dispatcher.rb', line 48

def ip_dst
  @ip_dst
end

#ip_src ⇒ String

Returns:

• (String)

# File 'lib/msf/core/exploit/smb/shadow_mitm_dispatcher.rb', line 43

def ip_src
  @ip_src
end

#mac ⇒ String

Returns:

• (String)

# File 'lib/msf/core/exploit/smb/shadow_mitm_dispatcher.rb', line 28

def mac
  @mac
end

#read_timeout ⇒ Integer

Returns:

• (Integer)

# File 'lib/msf/core/exploit/smb/shadow_mitm_dispatcher.rb', line 18

def read_timeout
  @read_timeout
end

#stream ⇒ IO Also known as: tcp_socket

Returns:

• (IO)

# File 'lib/msf/core/exploit/smb/shadow_mitm_dispatcher.rb', line 11

def stream
  @stream
end

#tcp_ack ⇒ Integer

Returns:

• (Integer)

# File 'lib/msf/core/exploit/smb/shadow_mitm_dispatcher.rb', line 58

def tcp_ack
  @tcp_ack
end

#tcp_dst ⇒ Integer

Returns:

• (Integer)

# File 'lib/msf/core/exploit/smb/shadow_mitm_dispatcher.rb', line 68

def tcp_dst
  @tcp_dst
end

#tcp_mss ⇒ Integer

Returns:

• (Integer)

# File 'lib/msf/core/exploit/smb/shadow_mitm_dispatcher.rb', line 78

def tcp_mss
  @tcp_mss
end

#tcp_seq ⇒ Integer

Returns:

• (Integer)

# File 'lib/msf/core/exploit/smb/shadow_mitm_dispatcher.rb', line 53

def tcp_seq
  @tcp_seq
end

#tcp_src ⇒ Integer

Returns:

• (Integer)

# File 'lib/msf/core/exploit/smb/shadow_mitm_dispatcher.rb', line 63

def tcp_src
  @tcp_src
end

#tcp_win ⇒ Integer

Returns:

• (Integer)

# File 'lib/msf/core/exploit/smb/shadow_mitm_dispatcher.rb', line 73

def tcp_win
  @tcp_win
end

Class Method Details

.connect ⇒ Object

Parameters:

• host (String) —

  passed to TCPSocket.new

• port (Fixnum) —

  passed to TCPSocket.new

# File 'lib/msf/core/exploit/smb/shadow_mitm_dispatcher.rb', line 106

def self.connect#(host, port: 445, socket: TCPSocket.new(host, port))
  new()
end

Instance Method Details

#recv_packet(full_response: false) ⇒ String

Read a packet off the wire and parse it into a string

Parameters:

• full_response (Boolean) (defaults to: false) —

  whether to include the NetBios Session Service header in the response

Returns:

• (String) —

  the raw response (including the NetBios Session Service header if full_response is true)

Raises:

• (RubySMB::Error::NetBiosSessionService) —

  if there’s an error reading the first 4 bytes, which are assumed to be the NetBiosSessionService header.

• (RubySMB::Error::CommunicationError) —

  if the read timeout expires or an error occurs when reading the packet

# File 'lib/msf/core/exploit/smb/shadow_mitm_dispatcher.rb', line 166

def recv_packet(full_response: false)
  raise RubySMB::Error::CommunicationError, 'Capture has not been initialized' unless @ccap.class == PacketFu::Capture
  pkt = @stream.each_data do |data|
    pkt = PacketFu::Packet.parse(data)
    break pkt if (pkt.tcp_header.tcp_seq == @tcp_ack) || (@tcp_ack == 0)
  end
  raise Errno::ECONNRESET, 'Recieved a RST packet' if pkt.tcp_header.tcp_flags.rst == 1
  #puts "#{pkt.tcp_header.tcp_seq} == #{@tcp_ack}"
  @tcp_ack = pkt.tcp_header.tcp_seq + pkt.tcp_header.body.size
  @tcp_ack += 1 if pkt.tcp_header.tcp_flags.syn == 1
  @tcp_seq = pkt.tcp_header.tcp_ack
  return pkt.payload[(full_response ? 0 : 4)..-1]
rescue Errno::EINVAL, Errno::ECONNABORTED, Errno::ECONNRESET, TypeError, NoMethodError => e
  raise RubySMB::Error::CommunicationError, "An error occurred reading from the Network #{e.message}"
end

#send_packet(packet, nbss_header: true, tcp_flags: { ack: 1, psh: 1 }, tcp_opts: "") ⇒ Object

Needs: @tcp_src, @tcp_dst, @tcp_seq, @tcp_ack, @tcp-win, @interface, @mac

# File 'lib/msf/core/exploit/smb/shadow_mitm_dispatcher.rb', line 111

def send_packet(packet, nbss_header: true, tcp_flags: { ack: 1, psh: 1 }, tcp_opts: "")
  data = nbss_header ? nbss(packet) : ''
  if packet.respond_to?(:to_binary_s)
    data << packet.to_binary_s
  else
    data << packet
  end
  eth_header = PacketFu::EthHeader.new(eth_src: @eth_src, eth_dst: @eth_dst)
  ip_header = PacketFu::IPHeader.new(ip_src: @ip_src, ip_dst: @ip_dst)
  tcp_header = PacketFu::TCPHeader.new(
    tcp_src: @tcp_src,
    tcp_dst: @tcp_dst,
    tcp_seq: @tcp_seq,
    tcp_ack: @tcp_ack,
    tcp_win: @tcp_win,
    tcp_flags: tcp_flags,
    tcp_opts: tcp_opts
  )
  pkt = PacketFu::TCPPacket.new(eth: eth_header, ip: ip_header, tcp: tcp_header)
  pkt.payload = data
  pkt.recalc
  @stream.close if @stream
  @ccap = PacketFu::Capture.new(
    iface: @interface,
    promisc: false,
    start: true,
    filter: "ether dst #{@mac} and not ether src #{@mac} and src port #{@tcp_dst} and dst port #{@tcp_src}"
  )
  @stream = @ccap.stream
  if data.size > @tcp_mss
    ip_body = pkt.ip_header.body.to_s
    ip_id = pkt.ip_header.ip_id
    ip_body.chars.each_slice(@tcp_mss+40).each_with_index do |frag, index|
      fpkt = PacketFu::IPPacket.new(eth: eth_header.to_s, ip: ip_header.to_s)
      fpkt.ip_id = ip_id
      fpkt.ip_header.ip_frag = 0x20*0x100 unless (index+1)*(@tcp_mss+40) >= ip_body.size
      fpkt.ip_header.ip_frag = fpkt.ip_header.ip_frag + ((@tcp_mss+40)/8)*index
      fpkt.payload = frag.join
      fpkt.ip_header.ip_recalc(:ip_len)
      fpkt.ip_header.ip_recalc(:ip_sum)
      fpkt.to_w(@interface)
    end
  else
    pkt.to_w(@interface)
  end
  nil
end