Path: blob/master/modules/auxiliary/scanner/portscan/xmas.rb
21367 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::Capture7include Msf::Auxiliary::Scanner8include Msf::Auxiliary::Report910def initialize11super(12'Name' => 'TCP "XMas" Port Scanner',13'Description' => %q{14Enumerate open|filtered TCP services using a raw15"XMas" scan; this sends probes containing the FIN,16PSH and URG flags.17},18'Author' => 'kris katterjohn',19'License' => MSF_LICENSE20)2122register_options([23OptString.new('PORTS', [true, "Ports to scan (e.g. 22-25,80,110-900)", "1-10000"]),24OptInt.new('TIMEOUT', [true, "The reply read timeout in milliseconds", 500]),25OptInt.new('BATCHSIZE', [true, "The number of hosts to scan per set", 256]),26OptInt.new('DELAY', [true, "The delay between connections, per thread, in milliseconds", 0]),27OptInt.new('JITTER', [true, "The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.", 0]),28OptString.new('INTERFACE', [false, 'The name of the interface'])29])3031deregister_options('FILTER', 'PCAPFILE')32end3334# No IPv6 support yet35def support_ipv6?36false37end3839def run_batch_size40datastore['BATCHSIZE'] || 25641end4243def run_batch(hosts)44open_pcap4546pcap = self.capture4748ports = Rex::Socket.portspec_crack(datastore['PORTS'])49if ports.empty?50raise Msf::OptionValidateError.new(['PORTS'])51end5253jitter_value = datastore['JITTER'].to_i54if jitter_value < 055raise Msf::OptionValidateError.new(['JITTER'])56end5758delay_value = datastore['DELAY'].to_i59if delay_value < 060raise Msf::OptionValidateError.new(['DELAY'])61end6263to = (datastore['TIMEOUT'] || 500).to_f / 1000.06465# we copy the hosts because some may not be reachable and need to be ejected66host_queue = hosts.dup67# Spread the load across the hosts68ports.each do |dport|69host_queue.each do |dhost|70shost, sport = getsource(dhost)7172pcap.setfilter(getfilter(shost, sport, dhost, dport))7374begin75probe = buildprobe(shost, sport, dhost, dport)7677# Add the delay based on JITTER and DELAY if needs be78add_delay_jitter(delay_value, jitter_value)7980unless capture_sendto(probe, dhost)81host_queue.delete(dhost)82next83end8485reply = probereply(pcap, to)8687next if reply # Got a RST back8889print_status(" TCP OPEN|FILTERED #{dhost}:#{dport}")9091# Add Report92report_note(93:host => dhost,94:proto => 'tcp',95:port => dport,96:type => "TCP OPEN|FILTERED #{dhost}:#{dport}",97:data => {98:host => dhost,99:port => dport100}101)102rescue ::Exception103print_error("Error: #{$!.class} #{$!}")104end105end106end107108close_pcap109end110111def getfilter(shost, sport, dhost, dport)112# Look for associated RSTs113"tcp and (tcp[13] & 0x04) != 0 and " +114"src host #{dhost} and src port #{dport} and " +115"dst host #{shost} and dst port #{sport}"116end117118def getsource(dhost)119# srcip, srcport120[ Rex::Socket.source_address(dhost), rand(0xffff - 1025) + 1025 ]121end122123def buildprobe(shost, sport, dhost, dport)124p = PacketFu::TCPPacket.new125p.ip_saddr = shost126p.ip_daddr = dhost127p.tcp_sport = sport128p.tcp_flags.fin = 1129p.tcp_flags.urg = 1130p.tcp_flags.psh = 1131p.tcp_dport = dport132p.tcp_win = 3072133p.recalc134p135end136137def probereply(pcap, to)138reply = nil139begin140Timeout.timeout(to) do141pcap.each do |r|142pkt = PacketFu::Packet.parse(r)143next unless pkt.is_tcp?144145reply = pkt146break147end148end149rescue Timeout::Error150end151return reply152end153end154155156