
git-svn-id: https://dedected.org/svn/trunk@78 8d8ab74c-27aa-4a3d-9bde-523a2bc1f624

This commit is contained in:
dkemp 2009-02-24 16:17:26 +00:00
parent bb67b7d59e
commit 8a063e5554
4 changed files with 211 additions and 15 deletions


@ -3,20 +3,19 @@ To install:
COA Mixin:
1. Copy coa.rb [msf directory]/lib/msf/core/exploit/
2. Edit [msf directory]/lib/msf/core/exploit.rb and add require ''
2. Edit [msf directory]/lib/msf/core/exploit.rb and add require 'msf/core/exploit/coa'
Example Scanner Module:
Example Scanner Modules:
1. Create [msf directory]/modules/auxiliary/scanner/coa/ directory
2. Copy scanner.rb to the above directory
2. Copy call_scanner.rb and station_scanner.rb to the above directory
Notes/Bugs:
1. This module relies on the COM-ON-AIR Linux driver and as such won't
work with Windows systems.
2. The example module uses an infinite loop while scanning, I haven't
found an elegant way to break out of this w/out using ctrl-c. Thus this
leaves the file descriptor to the device open. Restarting the module
won't work you will need to restart Metasploit. I will figure out a fix
for this at some point in an update.
2. Call recording is still a work in progress, currently the call module
just identifies and logs the time of active calls.
-- Your patches are welcome :)

100
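--- a/metasploit-dect/call_scanner.rb
+++ b/metasploit-dect/call_scanner.rb
@@ -0,0 +1,100 @@
+require 'msf/core'
+class Metasploit3 < Msf::Auxiliary
+include Msf::Exploit::COA
+def initialize
+super(
+'Name' => 'DECT Call Scanner',
+'Version' => '$revision$',
+'Description' => %q{
+This module scans for active DECT
+calls, it does not do recording yet.
+},
+'Author' =>
+['DK <privilegedmode@gmail.com>'],
+'References' =>
+[
+['Dedected', 'http://www.dedected.org'],
+],
+'License' => MSF_LICENSE
+)
+register_options(
+[
+OptString.new('VERBOSE',[false,'Be
+verbose.',true])
+],
+self.class
+)
+end
+:calls
+def print_results
+print("Time\t\t\t\tRFPI\t\tChannel\n")
+@calls.each do |rfpi, data|
+print("#{data['time']}\t#{data['rfpi']}\t#{data['channel']}\t\n")
+end
+end
+#TODO
+#def record_call(data)
+# print_status("Synchronizing..")
+# pp_scan_mode(data['rfpi_raw'])
+# while(true)
+# #data = poll
+# #puts data
+# end
+#end
+def run
+@calls = {}
+scanning = true
+#record = true
+trap("INT") {
+scanning = false
+stop
+close_coa
+print_status("Call scan stopped.")
+print_results
+}
+print_status("Opening interface: #{datastore['INTERFACE']}")
+open_coa
+print_status("Using band: #{band}")
+print_status("Changing to call scan mode.")
+call_scan_mode
+print_status("Scanning for active calls..")
+while (scanning)
+data = poll
+if (data != nil)
+parsed_data = parse_call(data)
+parsed_data['time'] = Time.new
+print_status("Found active call on: #{parsed_data['rfpi']}")
+@calls[parsed_data['time']] = parsed_data
+#if (record)
+# record_call(parsed_data)
+#end
+end
+next_channel
+if (datastore['VERBOSE'])
+print_status("Switching to channel: #{channel}")
+end
+sleep(1)
+end
+end
+end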
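Review bot: `OptString.new('VERBOSE',[false,'Be verbose.',true])` declares a boolean option as a string, so the `if (datastore['VERBOSE'])` check in the scan loop tests a string value and a user setting VERBOSE to false presumably still gets a truthy `"false"`; declare it as `OptBool.new('VERBOSE', [false, 'Be verbose.', true])` so the datastore normalises it to a real boolean — station_scanner.rb registers and checks the option the same way. The bare `:calls` line after `initialize` is a symbol literal evaluated for nothing; either drop it or, if the intent was to expose the hash, write `attr_accessor :calls`. `@calls` is keyed by `parsed_data['time']` yet `print_results` binds that key as `|rfpi, data|`, and with a fresh `Time.new` per poll the same call is listed once for every second it stayed active — if one row per call is wanted, key on `parsed_data['rfpi']` as station_scanner.rb does. `if (data != nil)` reads more idiomatically as `if data`.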


@ -6,7 +6,14 @@ DECT_BAND_EMEA = 0x01
DECT_BAND_US = 0x02
DECT_BAND_BOTH = 0x03
COA_MODE_IDLE = 0x0000
COA_MODE_FP = 0x0100
COA_MODE_PP = 0x0200
COA_MODE_SNIFF = 0x0300
COA_MODE_JAM = 0x0400
COA_MODE_EEPROM = 0x0500
COA_SUBMODE_SNIFF_SCANFP = 0x0001
COA_SUBMODE_SNIFF_SCANPP = 0x0002
COA_SUBMODE_SNIFF_SYNC = 0x0003
@ -21,9 +28,7 @@ COA_IOCTL_RSSI = 0xD006
COA_IOCTL_FIRMWARE = 0xD007
COA_IOCTL_SETRFPI = 0xD008
station = {
}
def initialize(info = {})
super
@ -58,11 +63,14 @@ station = {
end
def pp_scan_mode(rfpi)
self.dect_device.ioctl(COA_IOCTL_MODE, [COA_MODE_SNIFF | COA_SUBMODE_SNIFF_SYNC].pack('s'))
self.dect_device.ioctl(COA_IOCTL_MODE, [COA_MODE_SNIFF | COA_SUBMODE_SNIFF_SYNC].pack('S'))
puts rfpi
self.set_rfpi(rfpi.to_i)
end
def call_scan_mode
self.dect_device.ioctl(COA_IOCTL_MODE, [COA_MODE_SNIFF | COA_SUBMODE_SNIFF_SCANPP].pack('s'))
set_band(datastore['BAND'])
end
def stop
@ -73,9 +81,8 @@ station = {
self.rfpi
end
def set_rfpi(r)
self.rfpi = r
self.dect_device.ioctl(COA_IOCTL_SETRFPI, [self.rfpi].pack('s'))
def set_rfpi(rfpi)
self.dect_device.ioctl(COA_IOCTL_SETRFPI, [rfpi].pack('s'))
end
def channel
@ -151,6 +158,7 @@ station = {
station = {
'channel' => data[0],
'rssi' => data[1],
'rfpi_raw' => data[2,5],
'rfpi' => parse_rfpi(data[2,5])
}
end
@ -159,10 +167,15 @@ station = {
call = {
'channel' => data[0],
'rssi' => data[1],
'rfpi_raw' => data[2,5],
'rfpi' => parse_rfpi(data[2,5])
}
end
def record(filename)
fd = File.open(filename, 'rw')
fd.close
end
attr_accessor :dect_device, :channel, :band
end
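Review bot: `record` opens its file with `File.open(filename, 'rw')`, which Ruby rejects as an invalid access mode (ArgumentError), so the method cannot currently succeed; the intended mode is presumably `'w'` or `'r+'`, and the block form `File.open(filename, 'w') { |fd| ... }` would also remove the explicit `fd.close`. In the rewritten `set_rfpi`, `[rfpi].pack('s')` emits a single signed 16-bit value, while the RFPI is sliced as five bytes (`data[2,5]`) and `pp_scan_mode` feeds it through `rfpi.to_i` — a five-byte identifier cannot survive that, so the value handed to COA_IOCTL_SETRFPI looks truncated; confirm the ioctl's expected layout and pack the raw bytes instead. `pp_scan_mode` now packs the mode word with `'S'` while the unchanged `call_scan_mode` still uses `'s'`; the two should agree. Dropping `self.rfpi = r` leaves the `self.rfpi` reader in the method above `set_rfpi` (its start is outside this hunk) without a writer in this file, and `puts rfpi` in `pp_scan_mode` looks like a leftover debug print that belongs in `print_status` if it is meant to stay.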


@ -0,0 +1,84 @@
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::COA
def initialize
super(
'Name' => 'DECT Base Station Scanner',
'Version' => '$revision$',
'Description' => %q{
This module scans for DECT device base stations.
},
'Author' =>
['DK <privilegedmode@gmail.com>'],
'References' =>
[
['Dedected', 'http://www.dedected.org'],
],
'License' => MSF_LICENSE
)
register_options(
[
OptString.new('VERBOSE',[false,'Be verbose.',true])
],
self.class
)
end
:base_stations
def print_results
print("RFPI\t\tChannel\n")
@base_stations.each do |rfpi, data|
print("#{data['rfpi']}\t #{data['channel']}\t\n")
end
end
def run
@base_stations = {}
scanning = true
trap("INT") {
scanning = false
stop
close_coa
print_status("fp scan stopped.")
print_results
}
print_status("Opening interface: #{datastore['INTERFACE']}")
open_coa
print_status("Using band: #{band}")
print_status("Changing to fp scan mode.")
fp_scan_mode
print_status("Scanning..")
while (scanning)
data = poll
if (data != nil)
parsed_data = parse_station(data)
if (!@base_stations.key?(parsed_data['rfpi']))
print_status("Found New RFPI: #{parsed_data['rfpi']}")
@base_stations[parsed_data['rfpi']] = parsed_data
end
end
next_channel
if (datastore['VERBOSE'])
print_status("Switching to channel: #{channel}")
end
sleep(1)
end
end
end
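Review bot: The INT handler calls `stop` and `close_coa` while the scan loop is still mid-iteration, so once the handler returns the loop body goes on to call `next_channel` (and read `channel`) on a device that was just closed before `scanning` is re-checked; the handler should only flip the flag and the teardown should run after the loop. call_scanner.rb's `run` has the same structure. Doing the teardown below the loop also lets an `ensure` close the interface when `poll` or `next_channel` raises, which is the open-descriptor problem the README describes.
```ruby
trap("INT") { scanning = false }
print_status("Opening interface: #{datastore['INTERFACE']}")
open_coa
begin
  # … unchanged: band message, fp_scan_mode, scan loop …
ensure
  stop
  close_coa
  print_status("fp scan stopped.")
end
print_results
```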