Tuesday, November 28, 2017

arp-ping.sh

For those times you need to do recon with an infected host for pivoting purposes, but don't want to install netdiscover or tools of the like... there's arp-ping.sh. Available on my Github page, but here's the source anyway:

#!/bin/bash

if [ "$#" -ne 2 ]; then
 echo "[!] Usage: arping.sh <network> <mask>"
 echo "    Example: arping.sh 192.168.1.0 255.255.255.0"
 exit
fi

# Check if interface exists
ifconfig $IFACE >/dev/null 2>&1
if [ $? -ne 0 ]; then
 echo "[!] Interface does not exists!"
 echo "    Use ifconfig to check applicable interfaces"
 exit
fi

# Check if IP
DOTS=$(echo $1 | grep -o "\." | wc -l)
if [ $DOTS -ne 3 ]; then
 echo "[!] Not a valid IP Address!"
 exit
fi

# Check if Mask
DOTS=$(echo $2 | grep -o "\." | wc -l)
if [ $DOTS -ne 3 ]; then
        echo "[!] Not a valid Mask!"
        exit
fi

# Check if IP is in range
OCTA=`echo $1 | cut -d"." -f1`
if [ $OCTA -lt 0 ] || [ $OCTA -gt 255 ]; then
 echo "[!] Not a valid IP address!"
 exit
fi

OCTB=`echo $1 | cut -d"." -f2`
if [ $OCTB -lt 0 ] || [ $OCTB -gt 255 ]; then
        echo "[!] Not a valid IP address!"
 exit
fi

OCTC=`echo $1 | cut -d"." -f3`
if [ $OCTC -lt 0 ] || [ $OCTC -gt 255 ]; then
        echo "[!] Not a valid IP address!"
 exit
fi

OCTD=`echo $1 | cut -d"." -f4 | cut -d"/" -f1`
if [ $OCTD -lt 0 ] || [ $OCTD -gt 255 ]; then
        echo "[!] Not a valid IP address!"
 exit
fi

# Check if IP is in range
MASKA=`echo $2 | cut -d"." -f1`
if [ $MASKA -lt 0 ] || [ $MASKA -gt 255 ]; then
        echo "[!] Not a valid subnet mask!"
        exit
fi

MASKB=`echo $2 | cut -d"." -f2`
if [ $MASKB -lt 0 ] || [ $MASKB -gt 255 ]; then
        echo "[!] Not a valid subnet mask!"
        exit
fi

MASKC=`echo $2 | cut -d"." -f3`
if [ $MASKC -lt 0 ] || [ $MASKC -gt 255 ]; then
        echo "[!] Not a valid subnet mask!"
        exit
fi

MASKD=`echo $2 | cut -d"." -f4 | cut -d"/" -f1`
if [ $MASKD -lt 0 ] || [ $MASKD -gt 255 ]; then
        echo "[!] Not a valid subnet mask!"
 exit
fi

# Check for continguous ones in mask
if [ $MASKA -lt $MASKB ] || [ $MASKB -lt $MASKC ] || [ $MASKC -lt $MASKD ]; then
 echo "[!] Mask must be contiguous binary ones"
 echo "    Example: 255.255.255.128"
 exit
fi

# Set Floors and Ceilings of IP ranges
if [ $MASKA -ne 255 ]; then
 FLOORA=$(($OCTA & $MASKA))
 CEILINGA=$(($FLOORA + 255 - $MASKA))
else 
        FLOORA=$OCTA
        CEILINGA=$OCTA
fi

if [ $MASKB -ne 255 ]; then
        FLOORB=$(($OCTB & $MASKB))
        CEILINGB=$(($FLOORB + 255 - $MASKB))
else 
        FLOORB=$OCTB
        CEILINGB=$OCTB
fi

if [ $MASKC -ne 255 ]; then
        FLOORC=$(($OCTC & $MASKC))
        CEILINGC=$(($FLOORC + 255 - $MASKC))
else 
        FLOORC=$OCTC
        CEILINGC=$OCTC
fi

if [ $MASKD -ne 255 ]; then
        FLOORD=$(($OCTD & $MASKD))
        CEILINGD=$(($FLOORD + 255 - $MASKD))
else
 FLOORD=$OCTD
 CEILINGD=$OCTD
fi

echo "========================================================================="
echo "ARPing the range..."
echo "$FLOORA.$FLOORB.$FLOORC.$FLOORD - $CEILINGA.$CEILINGB.$CEILINGC.$CEILINGD"
echo "========================================================================="

for a in `seq $FLOORA $CEILINGA`; do
 for b in `seq $FLOORB $CEILINGB`; do
  for c in `seq $FLOORC $CEILINGC`; do
   for d in `seq $FLOORD $CEILINGD`; do
    arp $a.$b.$c.$d | grep ethernet | tr -d "()" | \
     awk -F" " '{print $2":\t"$1}'
   done
  done
 done
done

echo "========================================================================="

You can write it to a file as-is or, for a "file-less malware" approach, just modify the nested for loop by replacing the variables with your "floors and ceilings" of the infected host's subnet, copy, and paste into terminal (don't forget to clear your bash_history...).

No comments:

Post a Comment