How to Pull Wireless Credentials with the Bash Bunny

All of the BHIS testers are pretty geeked about Hak5’s newest toy — the Bash Bunny. Last week, Jordan blogged about the USB Exfiltration payload. Today I will demo another nifty payload that was uploaded to their GitHub repo, WiPassDump. This module works on unlocked Windows machines to pull out the clear text credentials for any WEP or WPA/2-PSK wireless network profiles that have been saved on the computer. Basically, what this module does is force an administrator command prompt to run and then issue the following command

netsh wlan export profile key=clear

Since the machine has to be unlocked anyway, you might be wondering why not just open a command prompt and run the above command manually? Why bother with the Bash Bunny? Here is why: When you are doing a physical penetration test or red team engagement you will often find unlocked workstations. If you are going to collect data from such a workstation it is much easier to be stealthy if all you have to do is plug-in a USB. You would not necessarily even need to sit down at the computer. Let’s face it, typing on someone else’s keyboard is definitely a red flag if someone were to notice you but standing near someone’s desk (while you wait about 7 seconds for the Bash Bunny to do its job) can be much easier “explained” if you get caught.

Here is how to prep and launch the attack:

First, put the bunny in arming mode (switch position 3, toward the insertion point) and grab the payload files here.

Save the WiPassDump files into one of the attack folders; switch1 or switch2.

Open up payload.txt in a text editor and make sure the language settings match the language of the computer you will be running this on. The payload as uploaded is set up for a French Candian language machine. I have changed mine to US English.

The “Q ALT y” command means to enter the letter “y” when the UAC prompt is presented. This is the UAC elevation permission. Now save your changes and eject the drive.

To launch the attack move the switch to the switch position where you stored the payloads, in my case switch position 1…..

…and plug it into an unlocked machine. It took about 7 seconds for this to run on my Windows 8 machine. The netsh command that ran created a separate file for each of the wireless network profiles found on the system. Here is what it found on one of my test machines:

Each of these files contains the SSID and where possible (WEP/WPA-PSK &WPA2-PSK), the passphrase:

Then I tried running the script using an unprivileged account, a “standard” user in Microsoft lingo. It didn’t work. Interestingly enough an unprivileged user is allowed to successfully dump the wireless profiles including the passwords in cleartext.

So I modified the payload.txt file like this….

….and it worked like a champ!

No administrator privilege needed.  I tested this attack against a standard user on a Windows 8 and a Windows 10 machine. I suspect it will work the same way on other versions as well.

So how do you prevent this type of attack, er, um, or at least limit the damage?

  • Don’t use WPA/2-PSK on corporate networks
  • Don’t leave workstations unlocked and unattended
  • Use full disk encryption to thwart a Konboot lock-screen bypass attack
  • Disable USB access on company-owned computers or limit to specific, known devices