Skip to main content

Tool to view/recover stored wifi passwords and source code analysis

so i was just walking around my space in the cybers (on twitter to be exact) when i came across this tweet by +KitPloit , one of my more reliable sources of new tools on the penetration testing and vulnerability assessment scene (i am not a hacker of any sort...lol). it mentioned how it was possible to "recover your stored wifi passwords" which my brain translated as "steal someone's wifi passwords" and i decided to check out what sorcery this was by analysing the source code..

the code on github by LionSec had just 120 lines in python and since it was supposed to work for both windows and linux platform (according to the code, mac wasn't supported yet), i assumed the section with respect to windows would be even shorter if you factor in error handling as well.

after checking the imports (sys, subprocess) i immediately realised that some system commands would be called from within the script and executed. that also meant that i could easily reuse that code if i decided to create a metasploit module in ruby.

one more little bit of knowledge i gained here was the platform library. this was my first time using it and it reminded me of when i first met itertools library after i had spent quite some time trying to figure out an efficient way to come up with a script that could go through all possible combinations of a sequence of 3 ports to find the correct port-knocking sequence for one pentest challenge VM i came across on vulnhub. but that's another story altogether...

so i ran a few simple tests with platform and checked its help options (in interpreter mode, just type in help(platform) and you're good to go). Turns out, you can view the system type, version, processor family and even more stuff on the machine the script is running on.

i skipped the linux segment of the code (that's for another post) and jumped straight into the windows segment. The data entry and option selection was simple enough, and then i got to the line i was looking for (line 79):

print check_output("netsh wlan show profile key=clear", shell=True)


i then typed in the command in quotes in command line and immediately got a list of all the wifi networks currently saved on my machine. interesting so far, but not what i was looking for exactly.


i went deeper and then found what i was looking for in line 86:


wifi2 = check_output("netsh wlan show profile name=* key=clear", shell=True)


i proceeded to type in the command in quotes again (but i replaced the profile name's wildcard option * with one of my listed wifi networks) and voila, i got the wifi password in all its cleartext glory!

considering how the execution of this command did not require elevation to administrator privileges first (or maybe i just didnt notice something) it should be possible to create a metasploit module or even a meterpreter script to do this if one does not exist already. so now i will proceed to inform everyone i know of this issue but i have no clue as yet that how can you mitigate it....

till the next blog! 

Comments

Post a Comment

Popular posts from this blog

Password Cracking: RainbowCrack table generation, sorting and usage

I had to do this demo after one of my students asked for my assistance regarding how to use this tool. Usually, I just assign different tools to them individually depending on the aspect of penetration testing we are covering (session hijacking, vulnerability scanning, etc) and then tell them to submit a report and a video demo of how the tool is used. Anyway, after a brief one-to-one discussion I realized the student had actually done the research on how rainbow tables operate (above and beyond the material in the lecture slides) so I figured that if he was here asking for assistance, he genuinely needed it. The tool is available at the RainbowCrack site.  A detailed description of this nifty tool can also be found here . So, firstly I had to generate the rainbow tables. The command line syntax is: rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index where: hash_algorithm  Rainbow table is hash algorithm sp...
Post a Comment
Read more

Forensics: Extraction of email evidence using Wireshark and NetworkMiner

The video at the end of this post is a demo of a solution to a forensic challenge from this site .   The goal of the challenge is to extract necessary information for an investigation from a pcap file. the site, forensicscontest.com, has a number of similar challenges that you can try out as well. Obviously, there is more than one way to skin a pcap (the other methods can be found among the solutions/walkthroughs on the site itself) and in this case 2 tools were used: Wireshark NetworkMiner Just to cover a few "mysterious" sections of the video, there is a point where I sorted the packets in wireshark in alphabetical order then looked for the first SMTP packet. The reason is that since we are investigating email evidence, the common protocols we should search for include IMAP, SMTP etc. In this case, the criminal used SMTP. Next, there is a point where we highlight the stream index in the detailed section of the packet. This is because each stream refers ...
Post a Comment
Read more

How I Recovered my Corrupted 2TB Hard Drive without having to copy everything to another Drive

So, a little back story. I have a 2 Terabyte external hard drive that's split into 3 partitions for backup; one for entertainment, one for work and one for personal projects. A friend of mine had a Lenovo laptop that was having challenges with installing WLAN drivers (you'd install the drivers and they'd keep giving an error that drivers aren't working. If you tried to uninstall them, they'd just reappear...but that's a whole different story). Anyway, my friend decided to roll-back from Windows 10 to Windows 8 and wanted to copy one of the test builds from my 2TB HDD so I lent it to him. Little did I know that that Lenovo laptop had other plans for me. Upon connecting the external hard drive to the Lenovo laptop, it immediately read it as a FAT32 formatted drive (it was actually NTFS formatted) and had 1.82 TB free space of the "actual" size 1.82 TB. Where panic would have ensued for many, I managed to keep in the growing irritation at such a thing ...
1 comment
Read more