Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

post/linux/gather/enum_psk: PSKs not retrieved on non-NetworkManager systems #19589

Open
bcoles opened this issue Oct 26, 2024 · 3 comments
Open

post/linux/gather/enum_psk: PSKs not retrieved on non-NetworkManager systems #19589

bcoles opened this issue Oct 26, 2024 · 3 comments
Labels
bug

Comments

@bcoles
Copy link
Contributor

bcoles commented Oct 26, 2024

The post/linux/gather/enum_psk module file name and module name do not match and are misleading.

This module has a generic name (enum_psk). A more appropriate name would be enum_wifi_psk; although it is generally expected that PSK relates to WiFi pre-shared keys.

This module retrieves WiFi PSKs stored by NetworkManager only:

metasploit-framework/modules/post/linux/gather/enum_psk.rb

Line 16 in 1a6cf9d

'Name' => 'Linux Gather NetworkManager 802-11-Wireless-Security Credentials',

metasploit-framework/modules/post/linux/gather/enum_psk.rb

Line 35 in 1a6cf9d

OptString.new('DIR', [true, 'The path for NetworkManager configuration files', '/etc/NetworkManager/system-connections/'])

This module has seen no major updates since it was added in 2014.

There are other WiFi management software for Linux which may store WiFi passwords in different formats in different places on the file system.

Unfortunately, as the default hard-coded path for the DIR option is specific to NetworkManager, updates to this module to support other software may break backwards compatibility for existing workflows.

Note also that the existing PSK parsing logic contains a flaw which will truncate all characters after the first = character in a PSK:

metasploit-framework/modules/post/linux/gather/enum_psk.rb

Line 54 in 1a6cf9d

psk = l.split('=')[1].strip

Steps to reproduce

  1. Get a session on any WiFi-connected host which does not use NetworkManager to store WiFi credentials
  2. use post/linux/gather/enum_psk
  3. set session <session>
  4. run
  5. Observe no PSKs are identified

Example Configuration Files

Copilot also offers the following common WiFi configuration file locations:

Red Hat / RHEL / CentOS / Fedora: /etc/sysconfig/network-scripts/ifcfg-wlan0 or /etc/sysconfig/network-scripts/ifcfg-ethX
Debian / Ubuntu: /etc/network/interfaces
Arch Linux: /etc/netctl or /etc/wpa_supplicant/wpa_supplicant.conf
openSUSE: /etc/sysconfig/network/ifcfg-wlan0

Here is an example netplan configuration file from an Armbian Linux system:

# cat /etc/netplan/30-wifis-dhcp.yaml 
# Created by Armbian firstlogin script
network:
  wifis:
    wlan0:
      dhcp4: yes
      dhcp6: yes
      access-points:
        "my_ssid":
         password: "my_password"

Note that the PSK is stored in YAML format. The existing file parsing logic performs a lowercase match for lines beginning with psk= and would not identify the PSK if the user specified the correct DIR.

metasploit-framework/modules/post/linux/gather/enum_psk.rb

Line 52 in 1a6cf9d

next unless l.starts_with?('psk=')

Copilot offers the following example /etc/sysconfig/network-scripts/ifcfg-wlan0 file:

TYPE=Wireless
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME=wlan0
DEVICE=wlan0
ONBOOT=yes
ESSID=YourWiFiNetworkName
MODE=Managed
SECURITYMODE=open
KEY_MGMT=WPA-PSK
PSK="YourWiFiPassword"

Note that the PSK is stored on a line beginning with PSK=. The existing file parsing logic performs a lowercase match for lines beginning with psk= and would not identify the PSK if the user specified the correct DIR.

metasploit-framework/modules/post/linux/gather/enum_psk.rb

Line 52 in 1a6cf9d

next unless l.starts_with?('psk=')

Copilot offers the following example /etc/wpa_supplicant/wpa_supplicant.conf file:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=US

network={
    ssid="YourWiFiNetworkName"
    psk="YourWiFiPassword"
    key_mgmt=WPA-PSK
}

Note that the PSK is stored on a line beginning with whitespace followed by psk=. The existing file parsing logic performs a lowercase match for lines beginning with psk= and would not identify the PSK if the user specified the correct DIR.

metasploit-framework/modules/post/linux/gather/enum_psk.rb

Line 52 in 1a6cf9d

next unless l.starts_with?('psk=')

Copilot offers the following example /etc/netctl file:

Description='A simple WPA encrypted wireless connection'
Interface=wlan0
Connection=wireless
Security=wpa
IP=dhcp

ESSID='YourWiFiNetworkName'
Key='YourWiFiPassword'

Note that the PSK is stored on a line beginning with Key=. The existing file parsing logic performs a lowercase match for lines beginning with psk= and would not identify the PSK if the user specified the correct DIR.

metasploit-framework/modules/post/linux/gather/enum_psk.rb

Line 52 in 1a6cf9d

next unless l.starts_with?('psk=')

@bcoles bcoles added the bug label Oct 26, 2024
@thebigbone
Copy link

Would adding the parsing logic for all the other network files, the ones you mentioned, be sufficient? I would like to work on it then.

@Snakpax7

This comment was marked as off-topic.

Sign in to view
@bcoles
Copy link
Contributor Author

bcoles commented Nov 12, 2024

Would adding the parsing logic for all the other network files, the ones you mentioned, be sufficient? I would like to work on it then.

This would fix part of the problem. The larger problem is architectural. The module currently takes a DIR option which will need to be reworked.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
Metasploit Kanban
Status: No status
Milestone
No milestone
Development

No branches or pull requests
3 participants
@bcoles @thebigbone @Snakpax7