search

rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/
Other
34.13k stars 13.97k forks source link

post/linux/gather/enum_psk: PSKs not retrieved on non-NetworkManager systems #19589

Open bcoles opened 1 week ago

bcoles commented 1 week ago

The post/linux/gather/enum_psk module file name and module name do not match and are misleading.

This module has a generic name (enum_psk). A more appropriate name would be enum_wifi_psk; although it is generally expected that PSK relates to WiFi pre-shared keys.

This module retrieves WiFi PSKs stored by NetworkManager only:

https://github.com/rapid7/metasploit-framework/blob/1a6cf9dfa77868e97953594b925ad1dedd376ad3/modules/post/linux/gather/enum_psk.rb#L16

https://github.com/rapid7/metasploit-framework/blob/1a6cf9dfa77868e97953594b925ad1dedd376ad3/modules/post/linux/gather/enum_psk.rb#L35

This module has seen no major updates since it was added in 2014.

There are other WiFi management software for Linux which may store WiFi passwords in different formats in different places on the file system.

Unfortunately, as the default hard-coded path for the DIR option is specific to NetworkManager, updates to this module to support other software may break backwards compatibility for existing workflows.

Note also that the existing PSK parsing logic contains a flaw which will truncate all characters after the first = character in a PSK:

https://github.com/rapid7/metasploit-framework/blob/1a6cf9dfa77868e97953594b925ad1dedd376ad3/modules/post/linux/gather/enum_psk.rb#L54

Steps to reproduce

  1. Get a session on any WiFi-connected host which does not use NetworkManager to store WiFi credentials
  2. use post/linux/gather/enum_psk
  3. set session <session>
  4. run
  5. Observe no PSKs are identified

Example Configuration Files

Copilot also offers the following common WiFi configuration file locations:

Red Hat / RHEL / CentOS / Fedora: /etc/sysconfig/network-scripts/ifcfg-wlan0 or /etc/sysconfig/network-scripts/ifcfg-ethX Debian / Ubuntu: /etc/network/interfaces Arch Linux: /etc/netctl or /etc/wpa_supplicant/wpa_supplicant.conf openSUSE: /etc/sysconfig/network/ifcfg-wlan0

Here is an example netplan configuration file from an Armbian Linux system:

# cat /etc/netplan/30-wifis-dhcp.yaml 
# Created by Armbian firstlogin script
network:
  wifis:
    wlan0:
      dhcp4: yes
      dhcp6: yes
      access-points:
        "my_ssid":
         password: "my_password"

Note that the PSK is stored in YAML format. The existing file parsing logic performs a lowercase match for lines beginning with psk= and would not identify the PSK if the user specified the correct DIR.

https://github.com/rapid7/metasploit-framework/blob/1a6cf9dfa77868e97953594b925ad1dedd376ad3/modules/post/linux/gather/enum_psk.rb#L52

Copilot offers the following example /etc/sysconfig/network-scripts/ifcfg-wlan0 file:

TYPE=Wireless
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME=wlan0
DEVICE=wlan0
ONBOOT=yes
ESSID=YourWiFiNetworkName
MODE=Managed
SECURITYMODE=open
KEY_MGMT=WPA-PSK
PSK="YourWiFiPassword"

Note that the PSK is stored on a line beginning with PSK=. The existing file parsing logic performs a lowercase match for lines beginning with psk= and would not identify the PSK if the user specified the correct DIR.

https://github.com/rapid7/metasploit-framework/blob/1a6cf9dfa77868e97953594b925ad1dedd376ad3/modules/post/linux/gather/enum_psk.rb#L52

Copilot offers the following example /etc/wpa_supplicant/wpa_supplicant.conf file:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=US

network={
    ssid="YourWiFiNetworkName"
    psk="YourWiFiPassword"
    key_mgmt=WPA-PSK
}

Note that the PSK is stored on a line beginning with whitespace followed by psk=. The existing file parsing logic performs a lowercase match for lines beginning with psk= and would not identify the PSK if the user specified the correct DIR.

https://github.com/rapid7/metasploit-framework/blob/1a6cf9dfa77868e97953594b925ad1dedd376ad3/modules/post/linux/gather/enum_psk.rb#L52

Copilot offers the following example /etc/netctl file:

Description='A simple WPA encrypted wireless connection'
Interface=wlan0
Connection=wireless
Security=wpa
IP=dhcp

ESSID='YourWiFiNetworkName'
Key='YourWiFiPassword'

Note that the PSK is stored on a line beginning with Key=. The existing file parsing logic performs a lowercase match for lines beginning with psk= and would not identify the PSK if the user specified the correct DIR.

https://github.com/rapid7/metasploit-framework/blob/1a6cf9dfa77868e97953594b925ad1dedd376ad3/modules/post/linux/gather/enum_psk.rb#L52

thebigbone commented 4 days ago

Would adding the parsing logic for all the other network files, the ones you mentioned, be sufficient? I would like to work on it then.

Snakpax7 commented 4 days ago

I need help setting up my code space or termux I have yet to completely do it correctly and although I have found quite a bit that's not been talked about i still need help please is there any way some one could give me a completed list of command's for me to do that

On Sat, Nov 2, 2024, 1:10 AM hcrypt @.***> wrote:

Would adding the parsing logic for all the other network files, the ones you mentioned, be sufficient? I would like to work on it then.

— Reply to this email directly, view it on GitHub https://github.com/rapid7/metasploit-framework/issues/19589#issuecomment-2452885897, or unsubscribe https://github.com/notifications/unsubscribe-auth/BLXRFGVCVD3USZJEY6NY6LDZ6RUDZAVCNFSM6AAAAABQUVF4PKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINJSHA4DKOBZG4 . You are receiving this because you are subscribed to this thread.Message ID: @.***>