Bash Bunny – Get Cleartext WiFi Creds From Windows Using WiPassDump

This will be a quick demo on how easy it is to capture stored WiFi credentials on Windows using the Bash Bunny and WiPassDump payload.

 First set the BashBunny to “arming mode” (slot 3 or the one closest to the actual USB plug) and plug in the device.

With the Bash Bunny loaded as a mass storage device drill down into the payloads library and find the payload file under WiPassDump.  Copy the contents of the folder to */payloads/switch1/ overriding any default or leftover files already present.

No config is required for the payload but let’s open up the payload file to understand what is going on.

The meat of what is going on is right here:

netsh wlan export profile key=clear

  1. The payload checks for and creates a loot directory to store the creds.
  2. Using Windows Run it opens a PowerShell session and maps to the BashBunny loot directory.
  3. It runs the above command that very simply and easily exports all existing WiFi profiles on the machine in cleartext (Thank you MS for making it so easy).
  4. Run history is scrubbed from registry so if a person later uses it the last command will not auto-populate raising suspicion.
  5. If successful, Bash Bunny LED indicator will go solid green when finished.

Let’s plug in the device again using switch 1 and try it out.

Waiting 5-10 seconds and watching 2 run commands quickly populate and disappear I get the green indicator light meaning it’s finished running the payload.

For the purposes of the test I setup 2 quick hotspots on my phone for my test machine to connect to, and both appear below:

And XML of one of the examples with full creds:

Next up I will be trying out a payload that dumps creds stored in any of the systems browsers (IE, Chrome, Firefox) with PasswordGrabber.