git-svn-id: https://dedected.org/svn/trunk@78 8d8ab74c-27aa-4a3d-9bde-523a2bc1f624
parent
bb67b7d59e
commit
8a063e5554
|
@ -3,20 +3,19 @@ To install:
|
|||
COA Mixin:
|
||||
|
||||
1. Copy coa.rb [msf directory]/lib/msf/core/exploit/
|
||||
2. Edit [msf directory]/lib/msf/core/exploit.rb and add require ''
|
||||
2. Edit [msf directory]/lib/msf/core/exploit.rb and add require 'msf/core/exploit/coa'
|
||||
|
||||
Example Scanner Module:
|
||||
Example Scanner Modules:
|
||||
|
||||
1. Create [msf directory]/modules/auxiliary/scanner/coa/ directory
|
||||
2. Copy scanner.rb to the above directory
|
||||
2. Copy call_scanner.rb and station_scanner.rb to the above directory
|
||||
|
||||
Notes/Bugs:
|
||||
|
||||
1. This module relies on the COM-ON-AIR Linux driver and as such won't
|
||||
work with Windows systems.
|
||||
|
||||
2. The example module uses an infinite loop while scanning, I haven't
|
||||
found an elegant way to break out of this w/out using ctrl-c. Thus this
|
||||
leaves the file descriptor to the device open. Restarting the module
|
||||
won't work you will need to restart Metasploit. I will figure out a fix
|
||||
for this at some point in an update.
|
||||
2. Call recording is still a work in progress, currently the call module
|
||||
just identifies and logs the time of active calls.
|
||||
|
||||
-- Your patches are welcome :)
|
||||
|
|
|
@ -0,0 +1,100 @@
|
|||
require 'msf/core'
|
||||
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::COA
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'DECT Call Scanner',
|
||||
'Version' => '$revision$',
|
||||
'Description' => %q{
|
||||
This module scans for active DECT
|
||||
calls, it does not do recording yet.
|
||||
},
|
||||
'Author' =>
|
||||
['DK <privilegedmode@gmail.com>'],
|
||||
'References' =>
|
||||
[
|
||||
['Dedected', 'http://www.dedected.org'],
|
||||
],
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
|
||||
OptString.new('VERBOSE',[false,'Be
|
||||
verbose.',true])
|
||||
],
|
||||
self.class
|
||||
)
|
||||
|
||||
end
|
||||
|
||||
:calls
|
||||
|
||||
def print_results
|
||||
print("Time\t\t\t\tRFPI\t\tChannel\n")
|
||||
@calls.each do |rfpi, data|
|
||||
print("#{data['time']}\t#{data['rfpi']}\t#{data['channel']}\t\n")
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
#TODO
|
||||
#def record_call(data)
|
||||
# print_status("Synchronizing..")
|
||||
# pp_scan_mode(data['rfpi_raw'])
|
||||
# while(true)
|
||||
# #data = poll
|
||||
# #puts data
|
||||
# end
|
||||
|
||||
#end
|
||||
|
||||
def run
|
||||
@calls = {}
|
||||
scanning = true
|
||||
#record = true
|
||||
|
||||
trap("INT") {
|
||||
scanning = false
|
||||
stop
|
||||
close_coa
|
||||
print_status("Call scan stopped.")
|
||||
print_results
|
||||
}
|
||||
|
||||
print_status("Opening interface: #{datastore['INTERFACE']}")
|
||||
open_coa
|
||||
print_status("Using band: #{band}")
|
||||
print_status("Changing to call scan mode.")
|
||||
call_scan_mode
|
||||
print_status("Scanning for active calls..")
|
||||
|
||||
while (scanning)
|
||||
data = poll
|
||||
if (data != nil)
|
||||
parsed_data = parse_call(data)
|
||||
parsed_data['time'] = Time.new
|
||||
print_status("Found active call on: #{parsed_data['rfpi']}")
|
||||
@calls[parsed_data['time']] = parsed_data
|
||||
#if (record)
|
||||
# record_call(parsed_data)
|
||||
#end
|
||||
|
||||
|
||||
end
|
||||
|
||||
next_channel
|
||||
|
||||
if (datastore['VERBOSE'])
|
||||
print_status("Switching to channel: #{channel}")
|
||||
end
|
||||
sleep(1)
|
||||
end
|
||||
end
|
||||
end
|
|
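Review bot: The SIGINT handler installed in `run` with `trap("INT") { ... }` performs the teardown (`stop`, `close_coa`, `print_results`) while the scan loop may still be mid-iteration, so the following `poll` or `next_channel` can execute against a device that was just closed. The handler should only set `scanning = false`, with the cleanup running once after the `while` loop; because `trap` replaces the process-wide handler, keeping the previous handler it returns and restoring it afterwards avoids leaving the console's own INT handling overridden — the same pattern is in `run` of the base station scanner file below. The bare `:calls` line above `print_results` is a no-op statement; it presumably was meant to be `attr_accessor :calls` or should be dropped. `print_results` iterates `@calls` with `|rfpi, data|`, but the hash is keyed by `parsed_data['time']`, so the key is a Time, not an RFPI; `|_time, data|` keeps that honest.
```ruby
def run
  @calls = {}
  scanning = true
  # The handler only flips the flag; teardown happens once the loop has exited.
  prev_handler = trap("INT") { scanning = false }

  # … unchanged: open_coa, band/mode setup, status messages …

  while (scanning)
    # … unchanged: poll, parse_call, next_channel, sleep …
  end

  trap("INT", prev_handler)
  stop
  close_coa
  print_status("Call scan stopped.")
  print_results
end
```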
@ -6,7 +6,14 @@ DECT_BAND_EMEA = 0x01
|
|||
DECT_BAND_US = 0x02
|
||||
DECT_BAND_BOTH = 0x03
|
||||
|
||||
COA_MODE_IDLE = 0x0000
|
||||
COA_MODE_FP = 0x0100
|
||||
COA_MODE_PP = 0x0200
|
||||
COA_MODE_SNIFF = 0x0300
|
||||
COA_MODE_JAM = 0x0400
|
||||
COA_MODE_EEPROM = 0x0500
|
||||
|
||||
|
||||
COA_SUBMODE_SNIFF_SCANFP = 0x0001
|
||||
COA_SUBMODE_SNIFF_SCANPP = 0x0002
|
||||
COA_SUBMODE_SNIFF_SYNC = 0x0003
|
||||
|
@ -21,9 +28,7 @@ COA_IOCTL_RSSI = 0xD006
|
|||
COA_IOCTL_FIRMWARE = 0xD007
|
||||
COA_IOCTL_SETRFPI = 0xD008
|
||||
|
||||
station = {
|
||||
|
||||
}
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super
|
||||
|
@ -58,11 +63,14 @@ station = {
|
|||
end
|
||||
|
||||
def pp_scan_mode(rfpi)
|
||||
self.dect_device.ioctl(COA_IOCTL_MODE, [COA_MODE_SNIFF | COA_SUBMODE_SNIFF_SYNC].pack('s'))
|
||||
self.dect_device.ioctl(COA_IOCTL_MODE, [COA_MODE_SNIFF | COA_SUBMODE_SNIFF_SYNC].pack('S'))
|
||||
puts rfpi
|
||||
self.set_rfpi(rfpi.to_i)
|
||||
end
|
||||
|
||||
def call_scan_mode
|
||||
self.dect_device.ioctl(COA_IOCTL_MODE, [COA_MODE_SNIFF | COA_SUBMODE_SNIFF_SCANPP].pack('s'))
|
||||
set_band(datastore['BAND'])
|
||||
end
|
||||
|
||||
def stop
|
||||
|
@ -73,9 +81,8 @@ station = {
|
|||
self.rfpi
|
||||
end
|
||||
|
||||
def set_rfpi(r)
|
||||
self.rfpi = r
|
||||
self.dect_device.ioctl(COA_IOCTL_SETRFPI, [self.rfpi].pack('s'))
|
||||
def set_rfpi(rfpi)
|
||||
self.dect_device.ioctl(COA_IOCTL_SETRFPI, [rfpi].pack('s'))
|
||||
end
|
||||
|
||||
def channel
|
||||
|
@ -151,6 +158,7 @@ station = {
|
|||
station = {
|
||||
'channel' => data[0],
|
||||
'rssi' => data[1],
|
||||
'rfpi_raw' => data[2,5],
|
||||
'rfpi' => parse_rfpi(data[2,5])
|
||||
}
|
||||
end
|
||||
|
@ -159,10 +167,15 @@ station = {
|
|||
call = {
|
||||
'channel' => data[0],
|
||||
'rssi' => data[1],
|
||||
'rfpi_raw' => data[2,5],
|
||||
'rfpi' => parse_rfpi(data[2,5])
|
||||
}
|
||||
end
|
||||
|
||||
def record(filename)
|
||||
fd = File.open(filename, 'rw')
|
||||
fd.close
|
||||
end
|
||||
|
||||
attr_accessor :dect_device, :channel, :band
|
||||
end
|
||||
|
|
|
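Review bot: `set_rfpi(rfpi)` sends the identifier as `[rfpi].pack('s')`, a single 16-bit value, while `parse_station` and `parse_call` extract the RFPI as five bytes (`data[2,5]`) and `pp_scan_mode` passes `rfpi.to_i`; a 5-byte identifier cannot survive a 16-bit pack, so the raw bytes kept in `'rfpi_raw'` are presumably what COA_IOCTL_SETRFPI should receive — confirm against the driver's ioctl layout. `record(filename)` calls `File.open(filename, 'rw')`, which is not a valid Ruby mode string and raises ArgumentError; the intended mode is `'r+'` or `'w+'`, and the block form `File.open(filename, 'w+') { |f| ... }` closes the handle even if a later write raises. The mode ioctls are inconsistent in pack format (`'S'` in `pp_scan_mode`, `'s'` in `call_scan_mode`); one format, `'S'` matching the unsigned hex constants, should be used for both. The `puts rfpi` in `pp_scan_mode` looks like leftover debugging output. If the new `set_rfpi` dropped the `self.rfpi = r` assignment, the `rfpi` reader in the hunk above (whose definition starts outside the hunk) may now return stale state — worth checking, since `attr_accessor` at the bottom declares only `:dect_device, :channel, :band`.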
@ -0,0 +1,84 @@
|
|||
require 'msf/core'
|
||||
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::COA
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'DECT Base Station Scanner',
|
||||
'Version' => '$revision$',
|
||||
'Description' => %q{
|
||||
This module scans for DECT device base stations.
|
||||
},
|
||||
'Author' =>
|
||||
['DK <privilegedmode@gmail.com>'],
|
||||
'References' =>
|
||||
[
|
||||
['Dedected', 'http://www.dedected.org'],
|
||||
],
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('VERBOSE',[false,'Be verbose.',true])
|
||||
],
|
||||
self.class
|
||||
)
|
||||
|
||||
end
|
||||
|
||||
:base_stations
|
||||
|
||||
def print_results
|
||||
print("RFPI\t\tChannel\n")
|
||||
@base_stations.each do |rfpi, data|
|
||||
print("#{data['rfpi']}\t #{data['channel']}\t\n")
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
def run
|
||||
@base_stations = {}
|
||||
scanning = true
|
||||
|
||||
|
||||
trap("INT") {
|
||||
scanning = false
|
||||
stop
|
||||
close_coa
|
||||
print_status("fp scan stopped.")
|
||||
print_results
|
||||
}
|
||||
|
||||
print_status("Opening interface: #{datastore['INTERFACE']}")
|
||||
open_coa
|
||||
print_status("Using band: #{band}")
|
||||
print_status("Changing to fp scan mode.")
|
||||
fp_scan_mode
|
||||
print_status("Scanning..")
|
||||
|
||||
while (scanning)
|
||||
data = poll
|
||||
|
||||
if (data != nil)
|
||||
parsed_data = parse_station(data)
|
||||
if (!@base_stations.key?(parsed_data['rfpi']))
|
||||
print_status("Found New RFPI: #{parsed_data['rfpi']}")
|
||||
@base_stations[parsed_data['rfpi']] = parsed_data
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
||||
next_channel
|
||||
|
||||
if (datastore['VERBOSE'])
|
||||
print_status("Switching to channel: #{channel}")
|
||||
end
|
||||
sleep(1)
|
||||
end
|
||||
end
|
||||
end
|
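Review bot: `VERBOSE` is registered as `OptString.new('VERBOSE',[false,'Be verbose.',true])` but is read as a boolean at `if (datastore['VERBOSE'])`; a user-supplied string such as "false" is truthy in Ruby, so the channel-switch message would be printed regardless of the setting. Declaring it as `OptBool.new('VERBOSE', [false, 'Be verbose.', true])` makes the check behave as intended (the call scanner file registers the same option the same way). The bare `:base_stations` line above `print_results` is a statement with no effect; remove it, or make it `attr_reader :base_stations` if external access was intended. `if (data != nil)` reads more idiomatically as `if data`, which is style only.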