pedro ubuntu - 2016-08-07


[ WIFI_DUMP - ESSID credentials dump (wlan/lan) ]
Version: 1.9 Author: pedr0 Ubuntu [ r00t-3xp10it ]
Hosted By: peterubuntu10[at]sourceforge[dot]net
http://sourceforge.net/projects/msf-auxiliarys/
https://sourceforge.net/p/msf-auxiliarys/repository/ci/master/tree/wifi_dump.rb
Download wifi_dump.rb




[ MODULE DESCRIPTION ]


[ MODULE ADVANCED OPTIONS ]





[ WORK FLOW - CONFIG REQUIRED SETTINGS ]
Since pentesters use different distros for penetration testing, and on some Linux distros the
user is not the superuser (root) and therefore has no permission to write to the /root folder,
'DOWNLOAD_PATH' lets users set the folder where the logfiles are downloaded (on the local system)...
remark: If the 'DOWNLOAD_PATH' variable is NOT set, wifi_dump.rb uses the default location (/root)





[ WORK FLOW - CONFIG REQUIRED SETTINGS ]
The 'GET_SYSTEM' option allows users to elevate the current session to @SYSTEM and





[ WORK FLOW - CONFIG REQUIRED SETTINGS ]
The 'LIST_INTERFACES' option reports which interface is active (in use) on the target host.
Active interfaces in target system <interfaces.log>





[ WORK FLOW - CONFIG REQUIRED SETTINGS ]
Now that we know which interface (wlan) is active on the target host, we can start by
dumping all ESSID names stored for that interface using the 'LIST_PROFILES' option.
List of profiles available in target system <profiles.log>





[ WORK FLOW - CONFIG REQUIRED SETTINGS ]
Since netsh (cmd command) has no switch that dumps the credentials of all stored ESSIDs
at once, 'DUMP_ESSID' lets users dump the credentials one at a time.
Dump credentials of one SSID name <dump.log>
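From the defender's side, the one-profile-at-a-time netsh loop described above leaves a recognisable trail in process-creation telemetry. The script below is an added example, not code from the wifi_dump.rb page or project: it classifies each command line into the module's stages (interface listing, profile listing, per-profile key dump) and raises an alert per host where a stored key was revealed, flagging hosts where the whole staged sequence appears. It assumes Windows process-creation events (Security 4688 or Sysmon Event ID 1) have been exported as one JSON object per line with the keys "host", "user", "parent" and "cmdline"; those key names, and the sample events, are constructed for the example.

```python
"""Detect the netsh-driven Wi-Fi profile enumeration and credential dump
that wifi_dump.rb relies on, from Windows process-creation telemetry.

Added example, not code from the wifi_dump.rb page or project. It assumes
process-creation events (Security 4688 or Sysmon Event ID 1) have been
exported as one JSON object per line with the keys "host", "user",
"parent" and "cmdline"; those key names are an assumption of this script.
"""
import json
import re
from collections import defaultdict

# netsh syntax as documented by Microsoft: 'show interfaces' lists adapters,
# 'show profiles' lists stored ESSIDs, and 'show profile name=X key=clear'
# reveals the stored key of one profile (netsh has no all-at-once form,
# which is why the module loops one profile at a time).
NETSH_WLAN_RE = re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+(\w+)", re.I)
KEY_CLEAR_RE = re.compile(r"\bkey\s*=\s*clear\b", re.I)


def classify(cmdline):
    """Map one command line to a workflow stage, or None if unrelated."""
    m = NETSH_WLAN_RE.search(cmdline)
    if not m:
        return None
    verb = m.group(1).lower()
    if verb == "interfaces":
        return "interface_enum"
    if verb == "profiles":
        return "profile_enum"
    if verb == "profile":
        return "credential_dump" if KEY_CLEAR_RE.search(cmdline) else "profile_enum"
    return None


def analyze(lines):
    """Aggregate stages per host; alert on any key=clear, and flag hosts
    where the full interfaces -> profiles -> key=clear sequence appears."""
    per_host = defaultdict(lambda: {"interface_enum": 0, "profile_enum": 0,
                                    "credential_dump": 0,
                                    "parents": set(), "users": set()})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        stage = classify(ev.get("cmdline", ""))
        if stage is None:
            continue
        rec = per_host[ev["host"]]
        rec[stage] += 1
        rec["parents"].add(ev.get("parent", "?"))
        rec["users"].add(ev.get("user", "?"))

    alerts = []
    for host, rec in per_host.items():
        if rec["credential_dump"] == 0:
            continue  # listing profiles alone is common admin activity
        alerts.append({
            "host": host,
            "dumps": rec["credential_dump"],
            "staged": rec["interface_enum"] > 0 and rec["profile_enum"] > 0,
            "parents": sorted(rec["parents"]),
            "users": sorted(rec["users"]),
        })
    return alerts


# Constructed sample events (not real telemetry). WS-0017 is a benign
# one-off profile listing; WS-0042 shows the module's staged workflow.
SAMPLE_EVENTS = r"""
{"host": "WS-0017", "user": "alice", "parent": "explorer.exe", "cmdline": "netsh wlan show profiles"}
{"host": "WS-0042", "user": "bob", "parent": "cmd.exe", "cmdline": "netsh wlan show interfaces"}
{"host": "WS-0042", "user": "bob", "parent": "cmd.exe", "cmdline": "netsh wlan show profiles"}
{"host": "WS-0042", "user": "bob", "parent": "cmd.exe", "cmdline": "netsh wlan show profile name=\"HomeNet\" key=clear"}
{"host": "WS-0042", "user": "bob", "parent": "cmd.exe", "cmdline": "netsh wlan show profile name=\"Office\" key=clear"}
{"host": "WS-0042", "user": "bob", "parent": "cmd.exe", "cmdline": "ipconfig /all"}
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Alerting only on key=clear keeps the noise from routine profile listings down, while the "staged" flag and the parent-process list give the analyst what they need to tell a meterpreter-spawned cmd.exe loop apart from an administrator checking a single profile by hand.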





[ REMARK ]
wifi_dump.rb uses pre-defined 'default settings' to make exploiting time shorter:
By default none of these settings need to be configured unless the user wants to; that can
be accomplished (manually) by executing: 'set [option] [value entered by user]'.





[ EXAMPLE: QUICK DUMP FROM WLAN INTERFACE ]




[ EXAMPLE: QUICK DUMP FROM LAN INTERFACE ]





[ MODULE ERROR REPORTS ]
Newer Metasploit releases have changed the module class name to 'MetasploitModule', so
if you see this message it means that your Metasploit is using an old class name.
To fix it, edit one of the Metasploit modules and check which class name
your version is using, then replace the (class MetasploitModule) constant in my module...





[ POST - MODULE LIMITATIONS ]

  As part of the post-exploitation class this module requires one open session
  This module only runs in a meterpreter shell environment (meterpreter client)
  This module only runs against Windows systems (netsh native cmd syntax)
  This module does NOT dump credentials from VMs, NAT or bridged networks
  This module does NOT retrieve info from USB wireless adapters (stored on the USB stick)
  This module does NOT use decrypting mechanisms to crack ESSID passwords




[ PORT MODULE TO METASPLOIT DATABASE ]

  Kali linux [COPY TO]: /usr/share/metasploit-framework/modules/post/windows/wlan/wifi_dump.rb
  Ubuntu linux [COPY TO]: /opt/metasploit/apps/pro/msf3/modules/post/windows/wlan/wifi_dump.rb
  Manual path search: root@kali:~# locate modules/post/windows/wlan



[ LOAD - USE MODULE ]

  meterpreter > background
  msf exploit(handler) > reload_all
  msf exploit(handler) > use post/windows/wlan/wifi_dump
  msf post(wifi_dump) > info
  msf post(wifi_dump) > show options
  msf post(wifi_dump) > show advanced options
  msf post(wifi_dump) > set [option(s)]
  msf post(wifi_dump) > exploit





[ FINAL NOTES ]
Why dump credentials from a system we are already connected to?
Consider the following scenario: I have cracked 2 wireless modems
within my antenna's signal range (meaning I have access to 2 modems from my home).
Our attacker can dump the passwords of those ESSIDs and now has access to new LANs.




[ CREDITS ]

  'r00t-3xp10it' =>  post-module author
  Special thanks => milton@barra

Suspicious Shell Activity - RedTeam develop @2016





[ VIDEO TUTORIAL ]
Video not available



 

Last edit: pedro ubuntu 2016-09-08