
post/linux/gather/enum_psk: PSKs not retrieved on non-NetworkManager systems

Open bcoles opened this issue 3 months ago • 0 comments

The post/linux/gather/enum_psk module file name and module name do not match and are misleading.

This module has a generic name (enum_psk). A more appropriate name would be enum_wifi_psk; although it is generally expected that PSK relates to WiFi pre-shared keys.

This module retrieves WiFi PSKs stored by NetworkManager only:

https://github.com/rapid7/metasploit-framework/blob/1a6cf9dfa77868e97953594b925ad1dedd376ad3/modules/post/linux/gather/enum_psk.rb#L16

https://github.com/rapid7/metasploit-framework/blob/1a6cf9dfa77868e97953594b925ad1dedd376ad3/modules/post/linux/gather/enum_psk.rb#L35

This module has seen no major updates since it was added in 2014.

There is other WiFi management software for Linux which may store WiFi passwords in different formats in different places on the file system.

Unfortunately, as the default hard-coded path for the DIR option is specific to NetworkManager, updates to this module to support other software may break backwards compatibility for existing workflows.

Note also that the existing PSK parsing logic contains a flaw which will truncate all characters after the first = character in a PSK:

https://github.com/rapid7/metasploit-framework/blob/1a6cf9dfa77868e97953594b925ad1dedd376ad3/modules/post/linux/gather/enum_psk.rb#L54

Steps to reproduce

  1. Get a session on any WiFi-connected host which does not use NetworkManager to store WiFi credentials
  2. use post/linux/gather/enum_psk
  3. set session <session>
  4. run
  5. Observe no PSKs are identified

Example Configuration Files

Copilot also offers the following common WiFi configuration file locations:

  Red Hat / RHEL / CentOS / Fedora: /etc/sysconfig/network-scripts/ifcfg-wlan0 or /etc/sysconfig/network-scripts/ifcfg-ethX
  Debian / Ubuntu: /etc/network/interfaces
  Arch Linux: /etc/netctl or /etc/wpa_supplicant/wpa_supplicant.conf
  openSUSE: /etc/sysconfig/network/ifcfg-wlan0


Here is an example netplan configuration file from an Armbian Linux system:

# cat /etc/netplan/30-wifis-dhcp.yaml 
# Created by Armbian firstlogin script
network:
  wifis:
    wlan0:
      dhcp4: yes
      dhcp6: yes
      access-points:
        "my_ssid":
         password: "my_password"

Note that the PSK is stored in YAML format. The existing file parsing logic performs a lowercase match for lines beginning with psk= and would not identify the PSK if the user specified the correct DIR.

https://github.com/rapid7/metasploit-framework/blob/1a6cf9dfa77868e97953594b925ad1dedd376ad3/modules/post/linux/gather/enum_psk.rb#L52


Copilot offers the following example /etc/sysconfig/network-scripts/ifcfg-wlan0 file:

TYPE=Wireless
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME=wlan0
DEVICE=wlan0
ONBOOT=yes
ESSID=YourWiFiNetworkName
MODE=Managed
SECURITYMODE=open
KEY_MGMT=WPA-PSK
PSK="YourWiFiPassword"

Note that the PSK is stored on a line beginning with PSK=. The existing file parsing logic performs a lowercase match for lines beginning with psk= and would not identify the PSK if the user specified the correct DIR.

https://github.com/rapid7/metasploit-framework/blob/1a6cf9dfa77868e97953594b925ad1dedd376ad3/modules/post/linux/gather/enum_psk.rb#L52


Copilot offers the following example /etc/wpa_supplicant/wpa_supplicant.conf file:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=US

network={
    ssid="YourWiFiNetworkName"
    psk="YourWiFiPassword"
    key_mgmt=WPA-PSK
}

Note that the PSK is stored on a line beginning with whitespace followed by psk=. The existing file parsing logic performs a lowercase match for lines beginning with psk= and would not identify the PSK if the user specified the correct DIR.

https://github.com/rapid7/metasploit-framework/blob/1a6cf9dfa77868e97953594b925ad1dedd376ad3/modules/post/linux/gather/enum_psk.rb#L52


Copilot offers the following example /etc/netctl file:

Description='A simple WPA encrypted wireless connection'
Interface=wlan0
Connection=wireless
Security=wpa
IP=dhcp

ESSID='YourWiFiNetworkName'
Key='YourWiFiPassword'

Note that the PSK is stored on a line beginning with Key=. The existing file parsing logic performs a lowercase match for lines beginning with psk= and would not identify the PSK if the user specified the correct DIR.

https://github.com/rapid7/metasploit-framework/blob/1a6cf9dfa77868e97953594b925ad1dedd376ad3/modules/post/linux/gather/enum_psk.rb#L52

bcoles, Oct 26 '24 10:10
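The three parsing defects the issue points at (truncation after the first = in a PSK, a lowercase-only psk= prefix match, and no handling of leading whitespace) are easy to see side by side. The Ruby below is an added illustration, not the module's code: naive_psk is an assumption about the flawed logic described for lines 52-54 of enum_psk.rb, tolerant_psk is one possible replacement, and CONFIGS holds constructed samples modelled on the file formats quoted above (no real credentials).

```ruby
# Added example (not from metasploit-framework): contrast a naive "split on '='"
# PSK extraction with one that survives '=' inside the key, ignores case and
# tolerates indentation. Everything here is illustrative.

# Assumed shape of the flawed logic the issue describes: lowercase-only 'psk='
# prefix, no leading-whitespace handling, and split('=') keeping field [1] only,
# which drops everything after the first '=' in the key itself.
def naive_psk(line)
  return nil unless line.start_with?('psk=')
  line.split('=')[1]
end

# Tolerant parser: strips indentation, matches the key names seen in the
# formats quoted in the issue (psk / Key / password) case-insensitively,
# splits on the first '=' or ':' only, and removes surrounding quotes.
# The key-name anchor followed by \s*[=:] means key_mgmt= and key-mgmt=
# are not mistaken for a PSK line.
def tolerant_psk(line)
  m = line.strip.match(/\A(psk|key|password)\s*[=:]\s*(.+)\z/i)
  return nil unless m
  m[2].strip.gsub(/\A["']|["']\z/, '')
end

def extract_psks(text, parser)
  text.each_line.map { |l| parser.call(l.chomp) }.compact
end

# Constructed samples (not real credentials), one per format from the issue.
CONFIGS = {
  'wpa_supplicant' => "network={\n    ssid=\"lab\"\n    psk=\"abc=def=ghi\"\n    key_mgmt=WPA-PSK\n}\n",
  'ifcfg'          => "ESSID=lab\nKEY_MGMT=WPA-PSK\nPSK=\"s3cret\"\n",
  'netctl'         => "Interface=wlan0\nKey='k=v'\n",
  'netplan'        => "      access-points:\n        \"lab\":\n         password: \"pw\"\n",
  'networkmanager' => "[wifi-security]\nkey-mgmt=wpa-psk\npsk=plain=text\n"
}.freeze

# Run both parsers over every sample and return the results keyed by format.
def compare
  CONFIGS.transform_values do |text|
    {
      naive:    extract_psks(text, method(:naive_psk)),
      tolerant: extract_psks(text, method(:tolerant_psk))
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare.each do |name, r|
    puts format('%-15s naive=%-16p tolerant=%p', name, r[:naive], r[:tolerant])
  end
end
```

Running it shows the naive parser returning "plain" for the NetworkManager sample (the key is "plain=text") and nothing at all for the four non-NetworkManager formats, while the tolerant parser returns the full key in every case. The NetworkManager case is the one the current default DIR reaches, so the truncation flaw affects existing workflows even before any other format is supported.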