├── LICENSE.md
├── README.md
└── Wireless_Enumeration.ps1

/LICENSE.md:
--------------------------------------------------------------------------------
Any tools listed in this repository are provided under the license clause below.

Copyright (c) 2017, David Sullivan
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Wireless_Query
Query Active Directory for workstations and then pull their saved wireless network passwords.

This tool pulls a list of enabled computer accounts from AD and then uses PsExec to run `netsh wlan` on each machine, collecting the saved wireless profiles together with their pre-shared keys (`key=clear`). It must be run from an account that is a local administrator on the target machines, i.e. a DOMAIN or WORKSTATION Admin account.

After it runs, the full output can be found at the path set in the script's `$output` variable.

### Instructions

Edit the three variables at the top of the script per your needs:

- `$ou` is a wildcard matched against each computer's DistinguishedName; `"*"` pulls machines from all OUs, while a pattern such as `"*OU=Workstations,*"` limits the run to one OU
- `$psexec` is the path to `PsExec.exe`
- `$output` is the path of the CSV file the results are written to

This can be used as a blue team tool to ensure that your users are not connecting to networks that use weak passwords or weak authentication/encryption types (open networks, WEP, legacy WPA/TKIP, short pre-shared keys).

It can also be used as a red team tool to harvest passwords that may be reused elsewhere on the network, or to find wireless networks that do not use RADIUS (802.1X) and therefore rely on a single shared key. It is very noisy, though: every PsExec call installs and starts the PSEXESVC service on the target, which is recorded in the System event log (event ID 7045) and is a common detection, so it is usually better to pick targets and run the `netsh` commands ad hoc.

### Notes/Dependencies:
-Written for PowerShell 4.0, may work with other versions

-Requires PsExec (Sysinternals PSTools) and the ActiveDirectory PowerShell module (RSAT)

### Disclaimer:
-This tool has been provided for testing and academic purposes only. Do not use this tool on accounts or systems that you do not own or have express/strict written consent to test against. Do not use for illegal purposes!
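The blue-team use described above needs one more step than the script performs: deciding, per profile, whether what `netsh wlan show profile name=<SSID> key=clear` returned is acceptable. The following is an added example and is not code from the Wireless_Query repository. It parses the `Label : Value` text that `netsh` prints for one profile and flags open networks, legacy WPA, WEP/TKIP ciphers and pre-shared keys shorter than a threshold. `ConvertFrom-NetshProfile`, `Get-Field` and the `$MinKeyLength` default of 12 are this example's own names and choices, and the sample `netsh` output is constructed, not captured from a real machine.

```powershell
# Added example (not part of Wireless_Query): parse one profile's
#   netsh wlan show profile name=<SSID> key=clear
# output and flag the conditions a blue team cares about. The function name,
# the Get-Field helper and the 12-character key threshold are this example's
# own assumptions; the netsh label names (SSID name, Authentication, Cipher,
# Key Content) are the ones netsh prints.

function ConvertFrom-NetshProfile {
    param(
        [Parameter(Mandatory = $true)][string]$Workstation,
        [Parameter(Mandatory = $true)][string[]]$NetshOutput,
        [int]$MinKeyLength = 12          # assumed policy threshold; adjust to your own
    )

    # netsh prints "<Label> : <Value>" and repeats some labels (Authentication,
    # Cipher). Take the first match and split on the first colon only, so a key
    # that itself contains ":" is kept whole.
    function Get-Field([string]$Label) {
        $line = $NetshOutput | Where-Object { $_ -match "^\s*$Label\s*:" } | Select-Object -First 1
        if ($line) { ($line -split ':', 2)[1].Trim() } else { $null }
    }

    $ssid = Get-Field 'SSID name'
    if ($ssid) { $ssid = $ssid.Trim('"') }      # netsh quotes the SSID
    $auth   = Get-Field 'Authentication'
    $cipher = Get-Field 'Cipher'
    $key    = Get-Field 'Key Content'           # absent for open and 802.1X profiles
    $keyLength = if ($key) { $key.Length } else { 0 }

    $reasons = @()
    if (-not $auth)                   { $reasons += 'authentication type not found in output' }
    elseif ($auth -eq 'Open')         { $reasons += 'open network, no authentication' }
    elseif ($auth -eq 'WPA-Personal') { $reasons += 'legacy WPA pre-shared key' }
    if ($cipher -eq 'WEP' -or $cipher -eq 'TKIP') { $reasons += "weak cipher ($cipher)" }
    if ($key -and $keyLength -lt $MinKeyLength) {
        $reasons += "pre-shared key shorter than $MinKeyLength characters"
    }

    [PSCustomObject]@{
        Workstation    = $Workstation
        Network        = $ssid
        Authentication = $auth
        Cipher         = $cipher
        KeyLength      = $keyLength
        Weak           = ($reasons.Count -gt 0)
        Reasons        = ($reasons -join '; ')
    }
}

# Constructed sample output: the shape follows netsh, the values are made up.
$openProfile = @(
    'Profile CoffeeShop on interface Wi-Fi:',
    '    SSID name              : "CoffeeShop"',
    '    Authentication         : Open',
    '    Cipher                 : None',
    '    Security key           : Absent'
)
$pskProfile = @(
    'Profile HomeNet on interface Wi-Fi:',
    '    SSID name              : "HomeNet"',
    '    Authentication         : WPA2-Personal',
    '    Cipher                 : CCMP',
    '    Authentication         : WPA2-Personal',
    '    Cipher                 : CCMP',
    '    Security key           : Present',
    '    Key Content            : summer12'
)
$entProfile = @(
    'Profile Corp on interface Wi-Fi:',
    '    SSID name              : "Corp"',
    '    Authentication         : WPA2-Enterprise',
    '    Cipher                 : CCMP',
    '    Security key           : Present'
)

$report = foreach ($p in @($openProfile, $pskProfile, $entProfile)) {
    ConvertFrom-NetshProfile -Workstation 'WS01' -NetshOutput $p
}
$report | Where-Object Weak |
    Format-Table Workstation, Network, Authentication, Cipher, KeyLength, Reasons -AutoSize
```

With the constructed input the open profile and the eight-character WPA2 key are flagged and the 802.1X profile is not. Inside the script's inner loop, `$details` is exactly the `netsh` text this function expects, so `ConvertFrom-NetshProfile -Workstation $workstation -NetshOutput $details` can replace the two `findstr` lines and give the CSV a `Weak` column to sort on.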
--------------------------------------------------------------------------------
/Wireless_Enumeration.ps1:
--------------------------------------------------------------------------------
# Retrieve the machine list from AD and then run PsExec on each machine to gather the saved
# wireless SSID names and their pre-shared keys across a domain.
# Requires local admin rights on every target (Workstation Admin or Domain Admin).

Import-Module ActiveDirectory

# Set filepaths and options for variables
$ou     = "*"                              # wildcard matched against DistinguishedName; "*" pulls all OUs
$psexec = "C:\PSTools\PsExec.exe"          # path to PsExec.exe
$output = "C:\temp\wireless_networks.csv"  # path to output file (CSV format)

# Create a new empty array for results
$results = @()

# Pull every enabled computer account whose DN matches $ou.
# -ExpandProperty yields plain name strings; "Select-Object Name" would yield objects that
# interpolate as "@{Name=PC1}" in the \\$workstation path below and break every PsExec call.
Write-Host "AD-Lookup running, do not close window"
$workstations = Get-ADComputer -Filter { Enabled -eq $true } |
    Where-Object { $_.DistinguishedName -like $ou } |
    Select-Object -ExpandProperty Name

# Iterate through each workstation to get SSID names
foreach ($workstation in $workstations) {

    Write-Host "Running lookup on $workstation"

    # "netsh wlan show all" lists each saved profile as:   SSID name : "MySSID"
    # Take the quoted value. -accepteula stops PsExec blocking on its first-run EULA prompt
    # and -nobanner keeps the copyright banner out of the output. If the machine is
    # unreachable PsExec returns nothing, so $network_ids is empty and the inner loop is skipped.
    $network_ids = & $psexec -accepteula -nobanner \\$workstation netsh.exe wlan show all |
        Select-String -SimpleMatch 'SSID name' |
        ForEach-Object { ($_.Line -split '"')[1] } |
        Where-Object { $_ } |
        Sort-Object -Unique

    # Iterate through each SSID name and pull the password
    foreach ($network_id in $network_ids) {
        Write-Host "Running lookup on $network_id"
        $details = & $psexec -accepteula -nobanner \\$workstation netsh.exe wlan show profile name="$network_id" key=clear

        # netsh prints "Label : Value". Split on the first colon only, so a key that itself
        # contains ":" is kept whole. netsh repeats the Authentication line, so keep the first
        # match; otherwise $auth becomes an array and the CSV column reads "System.Object[]".
        $password = $details | Select-String -SimpleMatch 'Key Content'    | Select-Object -First 1 |
                    ForEach-Object { ($_.Line -split ':', 2)[1].Trim() }
        $auth     = $details | Select-String -SimpleMatch 'Authentication' | Select-Object -First 1 |
                    ForEach-Object { ($_.Line -split ':', 2)[1].Trim() }

        # Write all data to the results array ([PSCustomObject] keeps the column order stable)
        $results += [PSCustomObject]@{
            Workstation    = $workstation
            Network        = $network_id
            Authentication = $auth
            Password       = $password
        }
    }
}

# Write the results array to a CSV file. Export-Csv quotes each field, so keys that contain
# commas or quotes survive; stripping the quotes (as the original did) corrupted those rows.
$results | Export-Csv -Path $output -NoTypeInformation -Encoding UTF8
--------------------------------------------------------------------------------