Mirror of metasploit

chromecast_wifi.rb 2.4KB

  1. ##
  2. # This module requires Metasploit: http://metasploit.com/download
  3. # Current source: https://github.com/rapid7/metasploit-framework
  4. ##
  5. require 'msf/core'
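  # Auxiliary module that asks a Chromecast to scan for nearby wireless
  # networks through its HTTP setup interface and tabulates what the device
  # reports back.
  #
  # Reviewer notes for defenders, derived from the requests built below:
  # * This module sets no authentication material on either request.
  #   NOTE(review): if the device answers anyway, any host that can reach the
  #   setup port (default 8008 here) can read the same data; limiting
  #   reachability of that port is the obvious control. Confirm against the
  #   firmware in use.
  # * On the wire a run is a POST to /setup/scan_wifi followed by a GET to
  #   /setup/scan_results, each with a freshly randomised User-Agent of
  #   1 to 42 characters. That pairing is a usable detection signature.
  # * Everything parsed from the response body is untrusted: it is supplied by
  #   the device, and the SSID text originates from whatever networks are in
  #   radio range.
  class MetasploitModule < Msf::Auxiliary
    include Msf::Exploit::Remote::HttpClient

    # Registers module metadata and the default target port.
    #
    # @param info [Hash] metadata overrides merged through update_info
    def initialize(info = {})
      super(update_info(info,
        'Name'        => 'Chromecast Wifi Enumeration',
        'Description' => %q{
          This module enumerates wireless access points through Chromecast.
        },
        'Author'      => ['wvu'],
        'References'  => [
          ['URL', 'http://www.google.com/intl/en/chrome/devices/chromecast/index.html'] # vendor website
        ],
        'License'     => MSF_LICENSE
      ))

      register_options([
        Opt::RPORT(8008)
      ], self.class)
    end

    # Triggers a scan, renders the reported access points as a table, prints
    # it, and stores the CSV form as a note against the target host.
    #
    # Returns early (without reporting) when there is no HTTP 200 response or
    # when the body is not a JSON array.
    #
    # @return [void]
    def run
      res = scan
      return unless res && res.code == 200

      # The body comes from the remote device; a truncated or non-JSON reply
      # should end the run with a message rather than an unhandled exception.
      begin
        entries = JSON.parse(res.body.to_s)
      rescue JSON::ParserError => e
        print_error("Could not parse scan results as JSON: #{e.message}")
        return
      end

      unless entries.is_a?(Array)
        print_error('Unexpected scan results format (expected a JSON array)')
        return
      end

      waps = Rex::Text::Table.new(
        'Header'    => 'Wireless Access Points',
        'Columns'   => [
          'BSSID',
          'PWR',
          'ENC',
          'CIPHER',
          'AUTH',
          'ESSID'
        ],
        'SortIndex' => -1
      )

      entries.each do |wap|
        # Skip array members that are not JSON objects; the helpers below
        # index them by string key.
        next unless wap.is_a?(Hash)

        # A missing or null 'ssid' used to raise NoMethodError on nil + String;
        # to_s renders it as an empty name instead. A truthy 'wpa_id' is
        # flagged with " (*)" after the name.
        # NOTE(review): the SSID is printed and stored as received; confirm
        # the console/table layer neutralises control characters.
        essid = "#{wap['ssid']}#{wap['wpa_id'] ? ' (*)' : ''}"

        waps << [
          wap['bssid'],
          wap['signal_level'],
          enc(wap),
          cipher(wap),
          auth(wap),
          essid
        ]
      end

      print_line(waps.to_s)

      report_note(
        :host  => rhost,
        :port  => rport,
        :proto => 'tcp',
        :type  => 'chromecast.wifi',
        :data  => waps.to_csv
      )
    end

    # Requests a fresh scan, then fetches the results.
    #
    # The response to the first request is discarded; only the result of the
    # second request is returned. The connection is closed in all cases.
    #
    # @return [Object, nil] whatever send_request_raw returns for the
    #   /setup/scan_results request
    # @raise via fail_with(Failure::Unreachable) when the connection is
    #   refused, times out, or the host is unreachable
    def scan
      send_request_raw(
        'method' => 'POST',
        'uri'    => '/setup/scan_wifi',
        'agent'  => Rex::Text.rand_text_english(rand(42) + 1)
      )

      send_request_raw(
        'method' => 'GET',
        'uri'    => '/setup/scan_results',
        'agent'  => Rex::Text.rand_text_english(rand(42) + 1)
      )
    rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,
           Rex::HostUnreachable => e
      fail_with(Failure::Unreachable, e)
    ensure
      disconnect
    end

    # Maps the entry's 'wpa_auth' code to the label shown in the ENC column.
    #
    # @param wap [Hash] one parsed scan-result entry
    # @return [String, Object] the label, or the raw value when the code is
    #   not one of the mapped ones
    def enc(wap)
      case wap['wpa_auth']
      when 1
        'OPN'
      when 2
        'WEP'
      when 5
        'WPA'
      when 0, 7
        'WPA2'
      else
        wap['wpa_auth']
      end
    end

    # Maps the entry's 'wpa_cipher' code to the label shown in the CIPHER
    # column.
    #
    # @param wap [Hash] one parsed scan-result entry
    # @return [String, Object] the label (empty for code 1), or the raw value
    #   when the code is not one of the mapped ones
    def cipher(wap)
      case wap['wpa_cipher']
      when 1
        ''
      when 2
        'WEP'
      when 3
        'TKIP'
      when 4
        'CCMP'
      else
        wap['wpa_cipher']
      end
    end

    # Maps the entry's 'wpa_auth' code to the label shown in the AUTH column.
    #
    # @param wap [Hash] one parsed scan-result entry
    # @return [String] 'MGT' for 0, 'PSK' for 5 or 7, otherwise empty
    def auth(wap)
      case wap['wpa_auth']
      when 0
        'MGT'
      when 5, 7
        'PSK'
      else
        ''
      end
    end
  end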