Wifi Password Txt

admin

A dictionary attack is a method that consists of breaking into a password-protected computer or server (in this case a Wi-Fi network) by systematically entering every word in a dictionary as a password. What is this tutorial and what isn't. You won't magically have free Wi-Fi for the rest of your life, if that's what you're looking for. Wordlists, weakpass, bruteforce, password list. Home Download Search. Open the tool, Fern Wifi cracker. Select our wireless interface WLAN). Click on the tab “Scan for access points”. The tool will search for available access points as shown below. Since we want to hack a WPA enabled wifi network, click on WPA tab. It will show all the available WPA enabled networks. Click on the wifi network whose password.

Mar 03, 2020 -w PasswordList.txt is the name of my word list document, which contains large number of passwords Key Found using Aircrack-ng aircrack-ng tool runs through the word list document, match each word in the word list with the handshake packet one by one.

Yesterday afternoon I discovered that Pastebin has what they call the Pastes Archive that is just a listing of the last 20 or so things people have uploaded and given the popularity of the site this means you can kind of just sit here and refresh every minute and get something new. I was honestly surprised by the amount of text based porn ads someone had set up a bot to post along with fan fiction writing, someones bash file for installing build-essentials twice (???), and a wide variety of scripts, functions, and lots of hello worlds. It was a fun time killer and I figured maybe if I revisit this from time to time I would actually get something useful out of it and I wouldn’t get sucked into it for over an hour like I do on /r/CatsWhoYell.

What’s on Pastebin this morning?

This morning when I woke up I still had the page open so I refreshed to see what would pop up.

And apparently I’m a lucky man because 19 seconds prior to me refreshing someone posted a file conspicuously named wifi.PS1

This is for educational purposes DO NOT do this to a machine you do not have permission on!

Now then a PS1 file typically signifies it’s going to be run in PowerShell and if someone is posting a PowerShell file named “wifi” it can really mean only a few things.

  1. Someone got tired of configuring the Wi-Fi on all the PC’s in a building and wrote a script to do it so they could quickly apply it
  2. Someone wrote a script for doing the typical trouble shooting steps for Wi-Fi for them
  3. Someone needs the MAC address so that they can whitelist the machine on the network
  4. Someone needs to extract the Wi-Fi information from a machine

Well we got #4 but if someone has #2 please email me because I could use a script for that on my relatives machines.

As a quick aside from someone who mostly uses bash based terminals in Linux, PowerShell has a lot of the same command names unlike CMD which is part of why Microsoft would prefer it if we all forgot about CMD.

Let’s walk through this script:

  1. It’s changing directory to root (C drive for example) then making a directory called x64 and entering it
  2. Uses wget to download another pastebin file (raw gives you the raw text) and it’s storing it as wifi.bat
  3. Now it runs the wifi.bat file
  4. Remove-ItemProperty is a command for clearning a Windows Registry entry, in this script they are clearing RunMRU which stands for “Run Most Recently Used” and is the history keeper for commands ran via start. They are also telling it to do it based on Name with a wildcard (*) and if any error is encountered it should supress the error and move on

As an example here is my RunMRU

Wifi Password Txt

This is the part where things get interesting, that raw Pastebin is actually being obfuscated!

I know this is not a one way hash and it has to be something PowerShell can actually interpret without doing any complex decoding. It’s clearly not hex which leaves us with the next most common candidate, base64.

So I open up good ol CyberChef and throw the blob into the input and drag over “From Base64” and ta da we get our batch file!

So let’s walk through this:

  1. netsh wlan export profile key=clear is a really cool command that dumps your Wi-Fi information, including plaintext password, to an XML file inside of whatever directory you are in.
  2. This is printing a message into a file called wifipass.txt (more on who Exploitech is later)
  3. These next four lines are parsing every .xml file in the folder and appending it to the wifipass.txt file
  4. This next section is for sending wifipass.txt file to themselves. It’s pretty straightforward, they establish that they wish to connect to the gmail SMTP server and provide the login credentials and attach the wifipass.txt then send the email. I’ve changed out their credentials with some fake ones.
  5. Remove the XML files along with two files called w.txt and w.PS1 then wipe the RunMRU

However, this does not work!

The issue is that they are saving and executing wifi.bat as a batch file, however

will only work in Powershell.

Weakpass_2a

Wifi Password Txt File

I made a defanged version of the script that removes the emailing portion and cleanup to demonstrate.

Wifi Password Txt

As you can see wifipass.txt is empty except for that initial echo header text.If we run the batch file on it’s own we see the following

However this can be easily corrected to run properly by renaming it to wifiExtract.PS1 and modifying our execution script

Wifi Password Txt File

Now that I had this I started wondering:

  1. Who is Exploitech
  2. Why is someone using a broken payload

A quick Google search made it clear pretty quick

Password

How To See All Your Saved Wi-Fi Passwords On Windows 10

Watching the video it’s easy to see that originally Exploitech had meant for the obfuscated code to be executed as such

The person who made the one I found had simply been incapable of actually following directions or had decided they wanted to modify it in their own way but they didn’t really know what they were doing.

Cached

Making it Better

So this set of scripts is pretty cool but I think I could make them better.

I made a fork which you can find here on GitHub.

Explorer.PS1

SystemDriver.PS1

Example Output

So what did I change?

For starters they’re using rm which doesn’t fully delete the file, it is only sending it to the Windows Recycle Bin. Instead of using rm I used Remove-Item, this will delete an item and bypass the Recycle Bin. So now the script fully cleans up after itself.

Next I did not like the odd use of a batch file. Watching the video they for some reason decided to post the Base64 blob + the lines to decode into the same Pastebin post, which meant there was nothing really being obfuscated as anyone who downloaded and ran the paste as a batch file would get the nonobfuscated version… So now it is configured such that you just host the raw base64 blob somewhere like Pastebin and it will download that and save it as a text file which it will then convert to it’s UTF8 form and write back into a PowerShell file followed by executing it.

Inside the SystemDriver.PS1 I had it grab two extra lines of information from the profile export, the authentication and encryption methods. That way you can make sure you configure your settings before attempting to connect to any Wi-Fi point or if you want to try and do an evil twin attack. Which leads to my next feature for the output which was adding the driver information for wlan so you could see what hardware the computer has if you wanted to use it as a Wi-Fi hotspot for either yourself or as an evil twin access point.

Finally I updated the formating on the SMTP section simply because it looked messy and I didn’t like entering the same info multiple times.

See Full List On Weakpass.com

I have some ideas on how to maybe further flesh this out but it might actually be best to turn it into a set of network pentesting related scripts instead of just Wi-Fi.

Hopefully if you made it this far you enjoyed the post and learned something like I did, if you’re curious about why it is Wi-Fi passwords are stored like this I asked on the security StackExchange and got back some great answers!

Until next time,

Jesse “Wazanator” Culver