How to Pull Wireless Credentials with the Bash Bunny
All of the BHIS testers are pretty geeked about Hak5’s newest toy — the Bash Bunny. Last week, Jordan blogged about the USB Exfiltration payload. Today I will demo another nifty payload that was uploaded to their GitHub repo, WiPassDump. This module works on unlocked Windows machines to pull out the clear text credentials for any WEP or WPA/2-PSK wireless network profiles that have been saved on the computer. Basically, what this module does is force an administrator command prompt to run and then issue the following command:
netsh wlan export profile key=clear
Since the machine has to be unlocked anyway, you might be wondering why not just open a command prompt and run the above command manually? Why bother with the Bash Bunny? Here is why: When you are doing a physical penetration test or red team engagement you will often find unlocked workstations. If you are going to collect data from such a workstation it is much easier to be stealthy if all you have to do is plug in a USB device. You would not necessarily even need to sit down at the computer. Let’s face it, typing on someone else’s keyboard is definitely a red flag if someone were to notice you, but standing near someone’s desk (while you wait about 7 seconds for the Bash Bunny to do its job) can be much more easily “explained” if you get caught.
Here is how to prep and launch the attack:
First, put the bunny in arming mode (switch position 3, toward the insertion point) and grab the payload files here.
Save the WiPassDump files into one of the attack folders; switch1 or switch2.
Open up payload.txt in a text editor and make sure the language settings match the language of the computer you will be running this on. The payload as uploaded is set up for a French Canadian language machine. I have changed mine to US English.
The “Q ALT y” command means to enter the letter “y” when the UAC prompt is presented. This is the UAC elevation permission. Now save your changes and eject the drive.
To launch the attack, move the switch to the position where you stored the payloads, in my case switch position 1…
…and plug it into an unlocked machine. It took about 7 seconds for this to run on my Windows 8 machine. The netsh command that ran created a separate file for each of the wireless network profiles found on the system. Here is what it found on one of my test machines:
Each of these files contains the SSID and, where possible (WEP/WPA-PSK & WPA2-PSK), the passphrase:
Then I tried running the script using an unprivileged account, a “standard” user in Microsoft lingo. It didn’t work. Interestingly enough, an unprivileged user is allowed to successfully dump the wireless profiles, including the passwords in cleartext.
So I modified the payload.txt file like this…
…and it worked like a champ!
No administrator privilege needed. I tested this attack against a standard user on a Windows 8 and a Windows 10 machine. I suspect it will work the same way on other versions as well.
So how do you prevent this type of attack, er, um, or at least limit the damage?
- Don’t use WPA/2-PSK on corporate networks
- Don’t leave workstations unlocked and unattended
- Use full disk encryption to thwart a Konboot lock-screen bypass attack
- Disable USB access on company-owned computers or limit to specific, known devices
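Added example (my own code, not from the post or the WiPassDump payload): a small Python audit of the per-profile XML files that netsh wlan export profile key=clear writes. It reports each profile’s SSID and authentication type, whether the passphrase came out in clear text (protected false) or only as an encrypted blob (protected true), and which saved networks are pre-shared-key networks a standard-user export could leak. The sample profiles are constructed inline in the layout netsh uses; they are not real captures.

```python
import xml.etree.ElementTree as ET
# Namespace of every profile XML written by "netsh wlan export profile".
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

def parse_profile(xml_text):
    """Summarise one exported profile: SSID, auth/encryption, and key exposure."""
    root = ET.fromstring(xml_text)
    sec = "w:MSM/w:security/"
    info = {
        "ssid": root.findtext("w:SSIDConfig/w:SSID/w:name", "?", NS),
        "auth": root.findtext(sec + "w:authEncryption/w:authentication", "?", NS),
        "enc": root.findtext(sec + "w:authEncryption/w:encryption", "?", NS),
        "onex": root.findtext(sec + "w:authEncryption/w:useOneX", "false", NS) == "true",
        "key_in_clear": False, "key": None,
    }
    shared = root.find(sec + "w:sharedKey", NS)
    if shared is not None:  # open and 802.1X profiles carry no sharedKey element
        protected = shared.findtext("w:protected", "true", NS) == "true"
        key = shared.findtext("w:keyMaterial", "", NS)
        info["key_in_clear"] = not protected and bool(key)  # protected => encrypted blob only
        info["key"] = key if info["key_in_clear"] else None
    return info

def audit(xml_texts):
    """Return (profiles, findings): findings are what a defender should act on."""
    profiles = [parse_profile(x) for x in xml_texts]
    findings = []
    for p in profiles:
        if p["key_in_clear"]:
            findings.append(f"{p['ssid']}: passphrase exported in clear text")
        if p["auth"].upper().endswith("PSK") or p["enc"].upper() == "WEP":
            findings.append(f"{p['ssid']}: pre-shared-key network ({p['auth']}), prefer 802.1X")
    return profiles, findings

def _sample(name, auth, enc, onex="false", key=None, protected="false"):
    """Constructed sample profile in netsh's layout (not a real capture)."""
    shared = "" if key is None else (
        f"<sharedKey><keyType>passPhrase</keyType><protected>{protected}</protected>"
        f"<keyMaterial>{key}</keyMaterial></sharedKey>")
    return (f'<WLANProfile xmlns="{NS["w"]}"><name>{name}</name>'
            f"<SSIDConfig><SSID><name>{name}</name></SSID></SSIDConfig>"
            f"<MSM><security><authEncryption><authentication>{auth}</authentication>"
            f"<encryption>{enc}</encryption><useOneX>{onex}</useOneX></authEncryption>"
            f"{shared}</security></MSM></WLANProfile>")

SAMPLES = [
    _sample("CoffeeShop", "WPA2PSK", "AES", key="latte2017"),                        # key in clear
    _sample("HomeNet", "WPA2PSK", "AES", key="01000000D08C9D", protected="true"),   # encrypted blob
    _sample("CorpWiFi", "WPA2", "AES", onex="true"),                                 # 802.1X, no PSK
]
```

Point it at the folder named in the export command (e.g. C:\temp) by reading each Wi-Fi-*.xml file into the list passed to audit(); a profile that shows up as protected true is the encrypted form fred describes, not a clear-text leak.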
fred
March 28, 2017 @ 7:59 am
Did you check your export file after dumping the profile as a non admin? You should not have the passphrase in clear. According to netsh help:
“If a key in plain text is required and the caller is local administrator, output XML file will include the key in plain text. Otherwise, the output XML file will include encrypted key”
Sally
March 28, 2017 @ 12:27 pm
Hi Fred. Yes, the help does indeed state that this should not be possible as a standard user, but we are seeing the passwords in plaintext in the output files. You can check this yourself by issuing the command “netsh wlan export profile folder=C:\temp key=clear”. Let us know if you get different results. Thanks!
Sally
March 29, 2017 @ 8:59 am
UPDATE 3/29/17: This has been tested on standalone Windows 7,8,10 hosts as well as domain joined Windows 7 hosts with the same results. This is not to say that there is no way to prevent standard users from exporting wireless passwords but it seems that by default they can.
fred
March 29, 2017 @ 10:55 am
Ah nice, thanks for the reply. I did not have a standard machine/account close to me to test; I will then. Pretty cool if it works with standard user rights. Will let you know if I have the same results.
fred
March 29, 2017 @ 11:19 am
Found a Win7 machine and unfortunately I don’t get the key in clear if I am not local admin, the export is successful but the key is encrypted (and it is in clear when I put the user in the local admin group). I used a local user, not a domain one. Well, I’ll keep the idea anyway as it’s a good one and just try and see!
Endless Nameless
April 6, 2017 @ 4:19 pm
What are your thoughts on the Bash Bunny? Useful?
Massive Dynamic
May 8, 2017 @ 7:32 pm
@EndlessNameless I’m not a fanboy of any particular OS. With that stated, I love a tool that can hack ’em all. However, the Bunny should have been half the price and marketed as a beta build, as sites such as this are responsible for the majority of the pentesting payloads the Bunny has to offer. However, not even Sally’s modifications to the script make it work properly. I had faith that she would have solved the answers, but alas, it does not work.
The only way it works is to plug the Bunny into a Windows box and run the a.cmd file manually. Sadly, that’s the only way I can make it work. In the end, it is overpriced for the amount of glitches it reports.