/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::Capture
	include Msf::Exploit::Remote::Ipv6
	include Msf::Auxiliary::Report
	def initialize
		super(
		'Name'        => 'IPv6 Local Neighbor Discovery Using Router Advertisement',
		'Description' => %q{
				Send a spoofed router advertisement with high priority to force hosts to
				start the IPv6 address auto-config. Monitor for IPv6 host advertisements,
				and try to guess the link-local address by concatinating the prefix, and
				the host portion of the IPv6 address.  Use NDP host solicitation to
				determine if the IP address is valid'
		},
		'Author'      => 'wuntee',
		'License'     => MSF_LICENSE,
		'References'    =>
		[
			['URL','http://wuntee.blogspot.com/2010/11/ipv6-link-local-host-discovery-concept.html']
		]
		)

		register_options(
		[
			OptInt.new('TIMEOUT_NEIGHBOR', [true, "Time (seconds) to listen for a solicitation response.", 1])
		], self.class)

		register_advanced_options(
			[
				OptString.new('PREFIX', [true, "Prefix that each host should get an IPv6 address from",
					"2001:1234:DEAD:BEEF::"]
				)
			], self.class)

		deregister_options('SNAPLEN', 'FILTER', 'RHOST', 'PCAPFILE')
	end

	def listen_for_neighbor_solicitation(opts = {})
		hosts = []
		timeout = opts['TIMEOUT'] || datastore['TIMEOUT']
		prefix = opts['PREFIX'] || datastore['PREFIX']

		max_epoch = ::Time.now.to_i + timeout
		autoconf_prefix = IPAddr.new(prefix).to_string().slice(0..19)

		while(::Time.now.to_i < max_epoch)
			pkt = capture.next()
			next if not pkt
			p = PacketFu::Packet.parse(pkt)
			next unless p.is_ipv6?
			next unless p.payload
			next if p.payload.empty?
			next unless p.payload[0,1] == "\x87" # Neighbor solicitation
			host_addr = PacketFu::AddrIpv6.new.read(p.payload[8,16]).to_x # Fixed position yay
			# Make sure host portion is the same as what we requested
			host_addr_prefix = IPAddr.new(host_addr).to_string().slice(0..19)
			next unless host_addr_prefix == autoconf_prefix
			next unless hosts.index(host_addr).nil?
			hosts.push(host_addr)
			print_status("   |*| #{host_addr}")
		end

		return(hosts)
	end

	def find_link_local(opts = {})
		shost = opts['SHOST'] || datastore['SHOST'] || ipv6_link_address
		hosts = opts['HOSTS'] || []
		smac  = @smac
		timeout = opts['TIMEOUT_NEIGHBOR'] || datastore['TIMEOUT_NEIGHBOR']
		network_prefix = Rex::Socket.addr_aton(shost)[0,8]

		hosts.each() do |g|
			host_postfix = Rex::Socket.addr_aton(g)[8,8]
			local_ipv6   = Rex::Socket.addr_ntoa(network_prefix + host_postfix)
			mac = solicit_ipv6_mac(local_ipv6, {"TIMEOUT" => timeout})
			if mac
				# report_host(:mac => mac, :host => local_ipv6)
				print_status("   |*| #{local_ipv6} -> #{mac}")
			end
		end
	end

	def create_router_advertisment(opts={})
		dhost = "FF02::1"
		smac = @smac
		shost = opts['SHOST'] || datastore['SHOST'] || ipv6_link_address
		lifetime = opts['LIFETIME'] || datastore['TIMEOUT']
		prefix = opts['PREFIX'] || datastore['PREFIX']
		plen = 64
		dmac = "33:33:00:00:00:01"

		p = PacketFu::IPv6Packet.new
		p.eth_saddr = smac
		p.eth_daddr = dmac
		p.ipv6_hop = 255
		p.ipv6_next = 0x3a
		p.ipv6_saddr = shost
		p.ipv6_daddr = dhost

		payload = router_advertisement_payload
		payload << opt60_payload(lifetime, prefix)
		payload << slla_payload(smac)
		p.payload = payload
		p.ipv6_len = payload.size
		ipv6_checksum!(p)
		return p
	end

	def opt60_payload(lifetime, prefix)
		type = 3
		len = 4
		prefix_len = 64
		flag = 0xc0
		valid_lifetime = lifetime || 5
		preferred_lifetime = lifetime || 5
		reserved = 0
		prefix = IPAddr.new(prefix).to_i.to_s(16).scan(/../).map {|x| x.to_i(16)}.pack("C*")
		[type, len, prefix_len, flag, valid_lifetime,
			preferred_lifetime, reserved, prefix].pack("CCCCNNNa16")
	end

	def slla_payload(smac)
		type = 1
		len = 1
		addr = PacketFu::EthHeader.mac2str(smac)
		[type,len,addr].pack("CCa6")
	end

	def router_advertisement_payload
		type = 0x86
		code = 0
		checksum = 0
		hop_limit = 0
		flags = 0x08
		lifetime = 1800
		reachable = 0
		retrans = 0
		[type, code, checksum, hop_limit, flags,
			lifetime, reachable, retrans].pack("CCnCCnNN")
	end

	def run
		# Start caputure
		open_pcap({'FILTER' => "icmp6"})

		@netifaces = true
		if not netifaces_implemented?
			print_error("WARNING : Pcaprub is not uptodate, some functionality will not be available")
			@netifaces = false
		end

		@interface = datastore['INTERFACE'] || Pcap.lookupdev
		@shost = datastore['SHOST']
		@shost ||= get_ipv4_addr(@interface) if @netifaces
		raise RuntimeError ,'SHOST should be defined' unless @shost

		@smac  = datastore['SMAC']
		@smac ||= get_mac(@interface) if @netifaces
		@smac ||= ipv6_mac
		raise RuntimeError ,'SMAC should be defined' unless @smac

		# Send router advertisement
		print_status("Sending router advertisement...")
		pkt = create_router_advertisment()
		capture.inject(pkt.to_s)

		# Listen for host advertisements
		print_status("Listening for neighbor solicitation...")
		hosts = listen_for_neighbor_solicitation()

		if(hosts.size() == 0)
			print_status("No hosts were seen sending a neighbor solicitation")
		else
			# Attempt to get link local addresses
			print_status("Attempting to solicit link-local addresses...")
			find_link_local({"HOSTS" => hosts})
		end

		# Close capture
		close_pcap()
	end

end