dhondta / dronesploit

Drone pentesting framework console
GNU General Public License v3.0

Targets list not accessible on the command line using autocomplete or direct type-in. #31

Open amritabithi opened 2 years ago

amritabithi commented 2 years ago

Hello :)

It seems that when using the "scan" command targets are not being properly added to the targets list in memory. When using the command line options where it will help auto-complete and fill in 'TARGETS', for example, where you would type something like "set TARGET XX", it will never suggest a target to fill in as a choice.

I did find yesterday that when using the "targets" command to list all targets that I did have some saved, but there was no way to actually set one of them as the active target before running the "run" command on the modules that require a target set. When trying it, I can type "set TARGET" and it will auto-complete with the 'TARGET' choice, but after that it provides no suggestions and using the SSID or MAC address as the target name only shows the error "Not a valid target name" and does not allow you to hit enter.

Overall, it seems the targets list is not accessible when trying to access it on the dronesploit command line.

Below are two exceptions that I got, which may be unrelated but I am including them in case it is helpful, note that I have not found the password for the access point when running these commands, so I am aware I may be using the 'connect' command incorrectly here.

This exception is caused by trying to connect to a target using its MAC address in the 'emergency_stop' module (without a known password):

dronesploit[myproject] command(dji/tello/emergency_stop) > connect 30:C9:AB:XX:XX:XX
[-] '30:C9:AB:XX:XX:XX'
Traceback (most recent call last):
  File "/home/myuser/.local/lib/python3.8/site-packages/sploitkit/core/console.py", line 361, in run
    obj.run(*args)
  File "/tmp/pip-unpacked-wheel-7eg3f6fr/dronesploit/_src/commands/wifi.py", line 16, in run
  File "/home/myuser/.local/lib/python3.8/site-packages/dronesploit/wifi/mixin.py", line 33, in connect
    pswd = self.console.state['TARGETS'][essid].get('password')
  File "/home/myuser/.local/lib/python3.8/site-packages/tinyscript/helpers/dictionaries.py", line 228, in __getitem__
    return super(ExpiringDict, self).__getitem__(key)
KeyError: '30:C9:AB:XX:XX:XX'
dronesploit[myproject] command(dji/tello/emergency_stop) > run

This exception is caused by trying to use the 'connect' command on an SSID (without a known password):

dronesploit auxiliary(wifi/find_ssids) > run
[!] Press Ctrl+C to interrupt
[*] Found ExampleWifiPoint
dronesploit auxiliary(wifi/find_ssids) > connect ExampleWifiPoint
[-] 'ExampleWifiPoint'
Traceback (most recent call last):
  File "/home/myuser/.local/lib/python3.8/site-packages/sploitkit/core/console.py", line 361, in run
    obj.run(*args)
  File "/tmp/pip-unpacked-wheel-7eg3f6fr/dronesploit/_src/commands/wifi.py", line 16, in run
  File "/home/myuser/.local/lib/python3.8/site-packages/dronesploit/wifi/mixin.py", line 33, in connect
    pswd = self.console.state['TARGETS'][essid].get('password')
  File "/home/myuser/.local/lib/python3.8/site-packages/tinyscript/helpers/dictionaries.py", line 228, in __getitem__
    return super(ExpiringDict, self).__getitem__(key)
KeyError: 'ExampleWifiPoint'
dronesploit auxiliary(wifi/find_ssids) >

dhondta commented 2 years ago

Hi @amritabithi !

Actually, the reason why you cannot get the value auto-completed while trying to connect to your target is probably that the related WiFi is not open and you did not crack the password, as this snippet from here suggests:

class Connect(Command, ConnectMixin):
    """ Connect to an Access Point """
    def complete_values(self):
        # only open networks or networks whose password is already known,
        # excluding the ones the console is already connected to
        targets = self.console.state['TARGETS']
        return [t for t, d in targets.items()
                if (d.get('password') is not None or d['enc'] == "OPN")
                and t not in self.console.root.connected_targets]

However, I may refine it to display a warning telling something like "no target cracked yet".

For the exceptions:

  1. Connecting using the MAC address is not supported yet. Only the ESSID can be used.
  2. It is surprising that a KeyError is raised while it was just detected with scanning. Beware that the target dictionary has an expiration; beyond 5', you will need to rescan. Note that if you just scanned this SSID, unless it is open ("Enc" value is "OPN"), you will not get the value auto-completed for connecting to it, as explained above.

In both cases, you should not be able to enter the command as these values are not auto-completed. This is something I need to fix.

For the second case, @amritabithi could you please run the framework with dronesploit --dev --verbose, reproduce your steps and provide the output of the state command right after scanning.
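The three failure modes described in this thread (a MAC address given instead of an ESSID, an entry that expired from the target store, and a target that is neither open nor cracked) modelled in one place, with the lookup validated instead of letting the KeyError from the traceback escape. This is an added example, not dronesploit's own code; ExpiringTargets is a constructed stand-in for the store the traceback mentions and does not reproduce tinyscript's ExpiringDict API.

```python
import time
from typing import Callable, Dict, List, Optional, Set

# Constructed stand-in for the expiring target store seen in the traceback.
# Entries older than `ttl` seconds disappear, which is why a rescan is needed.
class ExpiringTargets:
    def __init__(self, ttl: float, clock: Callable[[], float] = time.monotonic):
        self._ttl, self._clock, self._data = ttl, clock, {}

    def add(self, essid: str, info: Dict[str, str]) -> None:
        self._data[essid] = (self._clock(), dict(info))

    def items(self):
        now = self._clock()
        return {k: v for k, (t, v) in self._data.items() if now - t < self._ttl}.items()

    def get(self, essid: str) -> Optional[Dict[str, str]]:
        return dict(self.items()).get(essid)


def complete_values(targets: ExpiringTargets, connected: Set[str]) -> List[str]:
    """Same filter as the Connect.complete_values snippet quoted in the thread:
    only open (OPN) or already-cracked networks that are not yet connected."""
    return [t for t, d in targets.items()
            if (d.get('password') is not None or d['enc'] == "OPN")
            and t not in connected]


def connect(targets: ExpiringTargets, connected: Set[str], name: str) -> str:
    """Validate the name before indexing the store, returning a reason
    instead of raising KeyError like the original lookup did."""
    if name.count(':') == 5:
        return "MAC addresses are not supported as target names; use the ESSID"
    if targets.get(name) is None:
        return "unknown or expired target; rescan"
    if name not in complete_values(targets, connected):
        return "no target cracked yet (not open and no password known)"
    return "connecting to %s" % name


if __name__ == "__main__":
    # constructed sample: one WPA2 network (uncracked) and one open network
    store = ExpiringTargets(ttl=300)
    store.add("ExampleWifiPoint", {"enc": "WPA2"})
    store.add("OpenDrone", {"enc": "OPN"})
    print(complete_values(store, set()))
    for n in ("30:C9:AB:XX:XX:XX", "ExampleWifiPoint", "OpenDrone"):
        print(n, "->", connect(store, set(), n))
```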

amritabithi commented 2 years ago

Sorry about the slow response, and thank you for the answer about the targets list, that makes sense. I think that MAC address support for interacting would be much better but I am still learning how it all works. I am using some other utilities to do testing and am working on sending commands directly to the MAC address with UDP, and if I have any success I will document it here and maybe have it supported with dronesploit. (I tried various tests to get a WPA key but have had no luck, so am hoping to find another interface to circumvent the WiFi authentication.)

Thank you again for the bug fixing, it has been a great learning exercise at the least :)

When I have a little time I will try to get a couple of crashes' output in debug mode, otherwise it seems to run well now with very occasional crashes but I will get those documented and put together in a report here. Thank you!!!