{"id":35,"date":"2010-03-04T05:01:00","date_gmt":"2010-03-04T05:01:00","guid":{"rendered":"https:\/\/freezion.com\/?p=35"},"modified":"2010-03-04T05:01:00","modified_gmt":"2010-03-04T05:01:00","slug":"finding-live-hosts-on-the-local-network-segment-using-metasploit","status":"publish","type":"post","link":"https:\/\/freezion.com\/?p=35","title":{"rendered":"Finding Live Hosts on the Local Network Segment Using Metasploit"},"content":{"rendered":"<p>I&#8217;ve been learning ruby of late, and one way I&#8217;m doing that is by tearing into Metasploit. This has a few nice benefits for me:<\/p>\n<p>* I get to see real code, written by smart people<br \/>\n* I get to learn metasploit a lot better<br \/>\n* I get to figure out how to write my own modules for metasploit<\/p>\n<p>Since I&#8217;ve got a couple of arp flood\/sweep scripts I&#8217;ve written in both perl and python, I figured that&#8217;d be a decent place to start.<\/p>\n<p>It turns out that metasploit already has a module to do this (arp_sweep.rb), so I started out by taking a look at it. At first, I thought it didn&#8217;t do an active sweep, because it appeared to operate on a pcap file only. I tweeted a question to #metasploit about that, and was quickly informed by <a href=\"https:\/\/twitter.com\/hdmoore\">@hdmoore<\/a> that the module does indeed work on the target network; I just needed to set the INTERFACE option.<\/p>\n<p>At that point I realized I should probably stop relying on just the code, and start poking at things from within the console =)<\/p>\n<p>First things first, the arp_sweep module relies on pcaprub. Because I&#8217;m using Ubuntu 9.10 (Karmic Koala) vs. something like Backtrack, this module was not already configured. I found a great <a href=\"http:\/\/www.darkoperator.com\/installing-metasploit-in-ubunt\/\">post<\/a> over at darkoperator.com which explained, among other things, how to get this working. 
Here are the steps I took:<\/p>\n<p>From inside my metasploit svn trunk directory <em>(~\/src\/svn\/metasploit\/framework3\/trunk in my case)<\/em>, I ran the following:<\/p>\n<pre>   $ cd external\/pcaprub\n   $ ruby extconf.rb &amp;&amp; make\n   $ sudo make install<\/pre>\n<p>Note that you need to have the libpcap-dev package in order for the compile of pcaprub to work.<\/p>\n<p>Once I had that done, I returned to the main trunk directory, and ran msfconsole as root (that last bit is important, the arp sweep must be run as root in linux as far as I can tell, due to the fact that the module puts the interface into promiscuous mode to capture the ARP replies):<\/p>\n<pre>root:~\/msf# .\/msfconsole\n\n                 o                       8         o   o\n                 8                       8             8\nooYoYo. .oPYo.  o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8  o8P\n8' 8  8 8oooo8   8  .oooo8 Yb..   8    8 8 8    8  8   8\n8  8  8 8.       8  8    8   'Yb. 8    8 8 8    8  8   8\n8  8  8 `Yooo'   8  `YooP8 `YooP' 8YooP' 8 `YooP'  8   8\n..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:\n::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::\n::::::::::::::::::::::::::::::::::::::::::::::::::::::::::\n\n\n       =[ metasploit v3.3.4-dev [core:3.3 api:1.0]\n+ -- --=[ 528 exploits - 248 auxiliary\n+ -- --=[ 196 payloads - 23 encoders - 8 nops\n       =[ svn r8703 updated today (2010.03.03)<\/pre>\n<p>The next thing that happens when I load msfconsole is that a bunch of stuff I have set in my msfconsole.rc gets loaded. If you want more information on what that means, Mubix has a great <a href=\"http:\/\/practicalexploitation.com\/post\/408582056\/in-this-video-we-go-over-resource-files-the-msf3\">introduction to metasploit rc files<\/a> at his practical exploitation site. 
Here&#8217;s what it looks like:<\/p>\n<pre>resource (\/root\/.msf3\/msfconsole.rc)&gt; color false\nresource (\/root\/.msf3\/msfconsole.rc)&gt; setg RHOSTS 10.0.1.0\/24\nRHOSTS =&gt; 10.0.1.0\/24\nresource (\/root\/.msf3\/msfconsole.rc)&gt; setg RHOST 10.0.1.75\nRHOST =&gt; 10.0.1.75\nresource (\/root\/.msf3\/msfconsole.rc)&gt; setg LHOST 10.0.1.51\nLHOST =&gt; 10.0.1.51<\/pre>\n<p>The LHOST setting reflects the IP address of my testing host, the RHOST setting is a victim host I have on my network specifically to attack, and the RHOSTS is my lab network. The color false is there for a few reasons, one of them being that I like transparent term windows and color text sometimes doesn&#8217;t play well with that.<\/p>\n<p>The next step is to load the arp_sweep module and check out what options it takes. The module is in the auxiliary tree within metasploit, and can be loaded like so:<\/p>\n<pre>msf &gt; use auxiliary\/scanner\/discovery\/arp_sweep\nmsf auxiliary(arp_sweep) &gt; show options\n\nModule options:\n\n   Name       Current Setting  Required  Description\n   ----       ---------------  --------  -----------\n   INTERFACE                   no        The name of the interface\n   PCAPFILE                    no        The name of the PCAP capture file to process\n   RHOSTS     10.0.1.0\/24      yes       The target address range or CIDR identifier\n   SHOST                       yes       Source IP Address\n   SMAC                        yes       Source MAC Address\n   THREADS    1                yes       The number of concurrent threads\n   TIMEOUT    500              yes       The number of seconds to wait for new data<\/pre>\n<p>You can see here some of the effects of the resource file that was loaded earlier, the RHOSTS option is already set for me. 
I need to set a couple of other things, though, to make this work, like the source IP address and MAC, as well as the aforementioned INTERFACE setting:<\/p>\n<pre>msf auxiliary(arp_sweep) &gt; set SHOST 10.0.1.51\nSHOST =&gt; 10.0.1.51\nmsf auxiliary(arp_sweep) &gt; set INTERFACE wlan0\nINTERFACE =&gt; wlan0<\/pre>\n<p>To set the SMAC option, I need to find the MAC address of my network adapter. Because I&#8217;m using wireless for my testing, I need to grab that information from the wlan0 interface. Fortunately, ifconfig provides this information. Even more fortunately, metasploit allows system commands to be run from within the console, so I can get this quite easily:<\/p>\n<pre>msf auxiliary(arp_sweep) &gt; ifconfig wlan0\n[*] exec: ifconfig wlan0\n\nwlan0     Link encap:Ethernet  HWaddr 00:1b:77:df:e9:ae\n          inet addr:10.0.1.51  Bcast:10.0.1.255  Mask:255.255.255.0\n          inet6 addr: fe80::21b:77ff:fedf:e9ae\/64 Scope:Link\n          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1\n          RX packets:8229414 errors:0 dropped:0 overruns:0 frame:0\n          TX packets:12543574 errors:0 dropped:0 overruns:0 carrier:0\n          collisions:0 txqueuelen:1000\n          RX bytes:2582588276 (2.5 GB)  TX bytes:797473527 (797.4 MB)<\/pre>\n<p>Now that I have the MAC address (it&#8217;s presented in the HWaddr string above), I can set the last option:<\/p>\n<pre>msf auxiliary(arp_sweep) &gt; set SMAC 00:1b:77:df:e9:ae\nSMAC =&gt; 00:1b:77:df:e9:ae<\/pre>\n<p>One more thing to change; I like to increase the thread count to keep things moving quickly:<\/p>\n<pre>msf auxiliary(arp_sweep) &gt; set THREADS 20\nTHREADS =&gt; 20<\/pre>\n<p>Now I run show options once more to make sure the changes I made look right:<\/p>\n<pre>msf auxiliary(arp_sweep) &gt; show options\n\nModule options:\n\n   Name       Current Setting    Required  Description\n   ----       ---------------    --------  -----------\n   INTERFACE  wlan0              no        The name of the interface\n   PCAPFILE                      no        The name of the PCAP capture file to process\n   RHOSTS     10.0.1.0\/24        yes       The target address range or CIDR identifier\n   SHOST      10.0.1.51          yes       Source IP Address\n   SMAC       00:1b:77:df:e9:ae  yes       Source MAC Address\n   THREADS    20                 yes       The number of concurrent threads\n   TIMEOUT    500                yes       The number of seconds to wait for new data<\/pre>\n<p>And then I can run the module:<\/p>\n<pre>msf auxiliary(arp_sweep) &gt; run\n\n[*] 10.0.1.1 appears to be up.\n[*] 10.0.1.2 appears to be up.\n[*] 10.0.1.5 appears to be up.\n[*] 10.0.1.18 appears to be up.\n[*] 10.0.1.49 appears to be up.\n[*] 10.0.1.50 appears to be up.\n[*] 10.0.1.75 appears to be up.\n[*] Scanned 256 of 256 hosts (100% complete)\n[*] Auxiliary module execution completed<\/pre>\n<p>Excellent! I got a nice list of live hosts on the local network segment using ARP.<\/p>\n<p>I&#8217;ll talk about why this is useful (over something like tcp portscanning the local network) in a blog post soon.<\/p>\n<p>[edit]<br \/>\nI should mention by the way: if you wanted to do this outside of metasploit, you could do something like the following:<\/p>\n<pre>$ for i in `seq 0 254`; do sudo arping -I wlan0 -c1 -f 10.0.1.$i; done |grep Unicast<\/pre>\n<p>The results aren&#8217;t nearly as pretty (nor do they arrive as quickly):<\/p>\n<pre>Unicast reply from 10.0.1.1 [00:0E:08:ED:A8:B1]  2.028ms\nUnicast reply from 10.0.1.2 [00:15:62:FF:D6:06]  1.248ms\nUnicast reply from 10.0.1.5 [00:20:00:38:20:6C]  2.548ms\nUnicast reply from 10.0.1.18 [00:1D:73:A4:0A:AD]  1.182ms\nUnicast reply from 10.0.1.49 [00:1F:3C:CD:50:1C]  1.652ms\nUnicast reply from 10.0.1.50 [00:21:97:47:6C:80]  1.766ms\nUnicast reply from 10.0.1.75 [00:02:55:42:08:0D]  1.203ms<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve been learning ruby of late, and one way I&#8217;m doing that is by tearing into 
Metasploit. This has&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[40,43],"class_list":["post-35","post","type-post","status-publish","format-standard","hentry","category-hacking","tag-msf","tag-pentest"]}