
Add an artifact that queries connections config from NetworkManager #702

Merged
merged 6 commits into from
Oct 12, 2023

Conversation

Contributor

@misje misje commented Oct 7, 2023

NetworkManager is commonly used in Linux for configuring network connections. This artifact extracts all network connections configured in NetworkManager, which includes data like

  • Network names
  • SSIDs
  • BSSIDs
  • Wi-Fi PSKs (redacted by default)
  • Static IP address assignments
  • Routes

If NetworkManager is used on the system, this gives information about what networks the computer has connected to (especially for Wi-Fi), and when it was last connected to those networks. A simple VQL filter reveals which of those networks were insecure, or if any interfaces have been configured as an access point or as ad-hoc. NetworkManager also tracks all seen BSSIDs for networks.

Connections are typically not tied to a specific interface, so it is not always useful to correlate current IP addresses and routes on interfaces against active connections. An optional enrichment using interfaces() was tested and subsequently removed.

INI is a very common configuration file format, and I couldn't find any existing parser. This artifact therefore exports an INI file parser for use by other artifacts. parse_ini(filename) returns three columns: Section, Key, Value. parse_ini_as_dict(filename) returns a single column, Contents, with everything in a dict. Section names are prepended to keys, separated by a slash. Spaces in values are supported, and quotes are included as-is.

I haven't included any example output because there would be little data left after sanitising everything.
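
As an added illustration (this is not the artifact's VQL, nor any code from the PR or from Velociraptor), the Python below implements the parsing rules described above, namely Section/Key/Value rows, a flattened dict keyed by `section/key`, spaces in values allowed and quotes kept as-is, and applies them to NetworkManager keyfiles with the "insecure or AP/ad-hoc" filter the description mentions. The keyfile section and key names (`connection/type`, `wifi/seen-bssids`, `wifi-security/key-mgmt`, `ipv4/address1`, and so on) are NetworkManager's; the sample keyfiles, file names, the `<redacted>` marker and the function names are constructed for this example.

```python
"""Added example, not the artifact's VQL: the PR's INI parsing rules in Python,
applied to constructed NetworkManager keyfiles, plus the insecure/AP/ad-hoc filter."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

Row = Tuple[str, str, str]  # (Section, Key, Value), the columns parse_ini() returns
_SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
_ADDR_RE = re.compile(r"^ipv[46]/address\d+$")
_ROUTE_RE = re.compile(r"^ipv[46]/route\d+$")

def parse_ini(text: str) -> List[Row]:
    """One (Section, Key, Value) row per key=value line; '#'/';' comments and
    blank lines skipped; value = text after the first '=', trimmed, quotes kept."""
    rows: List[Row] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            continue
        if "=" not in line:
            continue  # tolerate stray lines rather than abort the whole file
        key, value = line.split("=", 1)
        rows.append((section, key.strip(), value.strip()))
    return rows

def parse_ini_as_dict(text: str) -> Dict[str, str]:
    """Flatten to {"section/key": value}, the shape parse_ini_as_dict() gives."""
    return {f"{s}/{k}": v for s, k, v in parse_ini(text)}

def describe_connection(text: str, redact_psk: bool = True) -> dict:
    """Summarise one keyfile into the fields the artifact reports."""
    c = parse_ini_as_dict(text)
    ctype = c.get("connection/type", "")
    psk = c.get("wifi-security/psk")
    ts = c.get("connection/timestamp")  # seconds since epoch, updated on connect
    return {
        "name": c.get("connection/id", ""),
        "type": ctype,
        "ssid": c.get("wifi/ssid", ""),
        "mode": c.get("wifi/mode", "infrastructure") if ctype == "wifi" else "",
        # no [wifi-security] section means an open network; key-mgmt=none means WEP
        "key_mgmt": c.get("wifi-security/key-mgmt", ""),
        "psk": "<redacted>" if (psk and redact_psk) else psk,  # assumed marker
        "last_connected": (
            datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat() if ts else None
        ),
        "seen_bssids": [b for b in c.get("wifi/seen-bssids", "").split(";") if b],
        "addresses": [v for k, v in c.items() if _ADDR_RE.match(k)],
        "routes": [v for k, v in c.items() if _ROUTE_RE.match(k)],
    }

def find_risky(connections: List[dict]) -> List[Tuple[str, str]]:
    """The 'simple VQL filter' from the PR, as Python: Wi-Fi without WPA key
    management, or an interface configured as an access point or ad-hoc."""
    findings = []
    for conn in connections:
        if conn["type"] != "wifi":
            continue
        if conn["key_mgmt"] in ("", "none"):
            findings.append((conn["name"], "open or WEP network"))
        if conn["mode"] in ("ap", "adhoc"):
            findings.append((conn["name"], f"interface configured as {conn['mode']}"))
    return findings

# Constructed keyfiles (real ones live in /etc/NetworkManager/system-connections/).
SAMPLE_KEYFILES = {
    "home.nmconnection": (
        "[connection]\nid=Home Wi-Fi\ntype=wifi\ntimestamp=1696600000\n"
        "[wifi]\nmode=infrastructure\nssid=Home Wi-Fi\n"
        "seen-bssids=AA:BB:CC:DD:EE:01;AA:BB:CC:DD:EE:02;\n"
        "[wifi-security]\nkey-mgmt=wpa-psk\npsk=correct horse battery staple\n"
        "[ipv4]\nmethod=manual\naddress1=192.168.1.10/24,192.168.1.1\n"
        "route1=10.0.0.0/8,192.168.1.254\n"
    ),
    "cafe.nmconnection": (
        "[connection]\nid=Cafe\ntype=wifi\ntimestamp=1696500000\n"
        "[wifi]\nssid=Free Cafe Wifi\n"  # no [wifi-security]: open network
    ),
    "hotspot.nmconnection": (
        "[connection]\nid=My Hotspot\ntype=wifi\n[wifi]\nmode=ap\nssid=My Hotspot\n"
        "[wifi-security]\nkey-mgmt=wpa-psk\npsk=hotspot-secret\n"
    ),
    "wired.nmconnection": "[connection]\nid=Wired\ntype=ethernet\n[ipv4]\nmethod=auto\n",
}

def analyse(keyfiles: Dict[str, str] = SAMPLE_KEYFILES, redact_psk: bool = True):
    """Return (connection summaries, risky findings) for a set of keyfiles."""
    conns = [describe_connection(t, redact_psk) for t in keyfiles.values()]
    return conns, find_risky(conns)

if __name__ == "__main__":
    conns, risky = analyse()
    for c in conns:
        print(c)
    for name, why in risky:
        print(f"RISKY {name}: {why}")
```

Python's `configparser` was deliberately not used here: by default it lowercases keys and applies `%`-interpolation to values, whereas the PR describes a parser that keeps keys, spaces and quotes verbatim, which matters when a value is later compared byte-for-byte against a SSID or BSSID. Pass `redact_psk=False` to see the PSKs, mirroring the "redacted by default" behaviour. Two caveats for anyone reproducing this on a live host: the keyfiles under `/etc/NetworkManager/system-connections/` are readable by root only, so collection needs elevated privileges, and a PSK is only present when it is stored in the keyfile rather than in a keyring agent, so an absent `psk` does not prove the network was open.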

@misje misje marked this pull request as draft October 11, 2023 12:37
Contributor Author

misje commented Oct 11, 2023

I have a few other features to commit, and I'll also provide some example output.

@misje misje marked this pull request as ready for review October 11, 2023 16:20
@scudette scudette merged commit 215a302 into Velocidex:master Oct 12, 2023
2 checks passed