Extracting Wi-Fi Passwords from Aruba Virtual Controller


As usual, I was conducting a pentest and found an interesting way to extract the passwords for multiple access points managed using an Aruba Virtual Controller IAP 105.


What is a Virtual Controller?

Aruba Instant virtual controller gives you the flexibility of configuring multiple access points from a centralized location.
You can distribute, store and regulate configuration to distributed access points from one place. The virtual controller is basically a single point of management for your configuration and firmware.
Firmware versions prior to IAP-105 are vulnerable to an access point password disclosure vulnerability: any malicious user with access to the management console can extract sensitive details using just the browser's debugger (Chrome, Firefox, IE, etc.). The stored key is sent to the browser as the value of a masked password field, so the masking is only cosmetic.
You can extract the passwords using the simple steps below:
1. Log in to the Aruba virtual controller (in my case it was the default admin-admin).
2. Click on the network you want to disclose the wireless key for.
3. Click edit Factory Settings >> Go to Security Settings
4. Open the browser’s debugger.
5. For the password text box, change the type attribute to “text” in the HTML.
6. Voila!!
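
The root cause behind the steps above is that the management page returns the stored key inside the form markup. As an added example (not code from the original post or from Aruba), the following check scans a settings page's HTML for password inputs that arrive with a non-empty value; the form markup and field names are constructed samples, not the Aruba UI's.

```python
from html.parser import HTMLParser


class PrefilledSecretFinder(HTMLParser):
    """Collect <input type="password"> elements whose value attribute is non-empty."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # Attribute names are already lowercased by HTMLParser; values are not.
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").strip().lower() == "password" and a.get("value", ""):
            self.findings.append({
                "field": a.get("name") or a.get("id") or "(unnamed)",
                "length": len(a["value"]),  # report the length only, never the secret
                "line": self.getpos()[0],
            })


def find_prefilled_password_fields(html):
    """Return one finding per password field the server pre-populated."""
    finder = PrefilledSecretFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: the server echoes the stored key into the masked field.
VULNERABLE_FORM = """<form>
<input type="text" name="ssid" value="corp-wifi">
<input type="PASSWORD" name="wpa_passphrase" value="constructed-sample-key">
</form>"""

# Constructed sample: the field is sent empty and only updated on change.
FIXED_FORM = """<form>
<input type="text" name="ssid" value="corp-wifi">
<input type="password" name="wpa_passphrase" value="" placeholder="unchanged">
</form>"""

if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_FORM), ("fixed", FIXED_FORM)):
        print(label, find_prefilled_password_fields(page))
```

Run against saved copies of a management interface's settings pages, any finding means the secret is reaching every user who can load that page, whatever the field's masking shows.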