2018 Wi-Fi password stealing program using USB rubber

Abstract
A minute is all it takes for a hacker to obtain information from your computer, such as a Wi-Fi password. Because people have a limited capacity to remember many complex and unique passwords, they tend to use the same password for most of their accounts. This paper aims to implement a Wi-Fi password stealing program on the USB Rubber Ducky using USB Rubber Ducky scripting, Visual Basic Script, a web server, Command Prompt, and Ducky Toolkit to obtain the clear-text Wi-Fi passwords of the networks the computer has ever connected to. In the testing phase, the success rate of the Wi-Fi password stealing program reached 94.28%, with 87.87% of the obtained personal passwords still categorized as guessable, and the password reuse rate reached 81.81%. Thus, a Wi-Fi password stealing program can be very dangerous, as most of the personal passwords were used in many accounts and still categorized as

The USB Rubber Ducky uses a very simple language, most of which is based on the keyboard [20]. Some of the special commands the USB Rubber Ducky has are:
• REM: adds a comment to the script,
• WINDOWS: has the same function as the Windows button on the keyboard,
• DELAY: postpones an activity that will run after another activity,
• STRING: types a sentence into the computer,
• ENTER: has the same function as the Enter button on the keyboard.
All of them can be used to carry out an activity on the computer. For example, if the attacker wants to open the Run dialog, it can be done using "WINDOWS R" in the script.

Related Works
Based on Benjamin Cannoles' experiment, several implementations have already been applied to attack a victim using the USB Rubber Ducky. One of them installs malware on the computer using a malicious web server and the capability of the USB Rubber Ducky to download the malware and upload sensitive information back to the server [21]. Another example related to the USB Rubber Ducky is stealing the Windows logon password remotely using Mimikatz. It can be done by using the capability of the USB Rubber Ducky to create a connection to a malicious web server that hosts mimikatz.exe and sekurlsa.dll. After the connection has been established, the attacker can use the USB Rubber Ducky to download sekurlsa.dll and run mimikatz.exe remotely [11]. None of these USB Rubber Ducky implementations is detected by antivirus, because the computer treats someone typing on the keyboard as safe [22].

Research Method
To steal the Wi-Fi passwords stored on a computer, a script is written in the USB Rubber Ducky language and loaded onto the USB Rubber Ducky. The script is divided into 3 main steps based on how system hacking works [23], as illustrated in Figure 2.

Gaining Access
In this step, the attacker tries to get physical access to the computer in order to run the Wi-Fi password stealing program. Ideally, the targets are computers that are still running and have been left unattended by their owner for a small task that takes less than 5 minutes. After the attacker gains physical access and plugs the USB Rubber Ducky into the computer, the script performs the gaining access method illustrated in Figure 3. The gaining access method consists of opening the command prompt as an administrator and deactivating the firewall in order to escalate privileges.
The command prompt must be run as an administrator because certain commands, such as deactivating the firewall, need administrator privileges to execute. The firewall is deactivated to avoid its protection of certain features, such as File Transfer Protocol (FTP). Without the protection of the firewall, internet-related activity of any kind is not filtered, which makes it easier for the attacker to proceed to the next method. The firewall is deactivated with the netsh command in the command prompt: "netsh firewall set opmode mode=disable".

Executing Program
In broad terms, the executing program method consists of creating and changing to a directory named wifi, extracting the Wi-Fi information, creating and executing a VB script to compress and zip the files, and sending the information file to the attacker's server via FTP, as illustrated in Figure 4. The wifi directory is created to limit the workspace, which makes it easier for the attacker to clear the logs later. The Wi-Fi password stealing program runs its main activity using the netsh command in the command prompt: "netsh wlan export profile key=clear". This command extracts the information for every Wi-Fi network the computer has ever connected to and exports it into Extensible Markup Language (XML) files.
After that, the program creates a VB script to compress and zip the XML files into one compressed file. VB script was chosen because it is installed by default in every desktop release of Microsoft Windows. To compress and zip a folder, the VB script creates an empty zipped file and puts the source folder inside it, as illustrated in Figure 5.
When the file is ready to be sent, the upload information module illustrated in Figure 6 is executed. The script opens a connection to the server via FTP and uploads the file using passive mode and the binary transfer method. Since it is a compressed file, the binary transfer method is used instead of the ASCII transfer method, because it transfers the file as binary data instead of as a text file. Passive mode is used instead of active mode so that the client initiates both connections to the server, which solves the problem of firewalls filtering the incoming data port connection from the server to the client.

Clearing Logs
In the last step, the script focuses on removing every trace from the computer, as if nothing had ever happened to it, as illustrated in Figure 7. It consists of closing the FTP connection, deleting the wifi folder, deleting the VB script, deleting wifi.zip, enabling the firewall, and closing the command prompt. Based on how system hacking methods work, the application model is illustrated in Figure 8.
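Because the three steps above leave a recognisable sequence of process command lines, a defender can correlate them per host. The following is an added example, not code from the paper: it assumes process-creation logging with command lines is enabled, the record layout, host names, file name zip.vbs and server name are constructed, and running the VB script through cscript/wscript is an assumption.

```python
import re
from datetime import datetime, timedelta

# Command-line patterns for the stages the paper describes. The script-host
# pattern assumes the VB script is started through cscript or wscript.
STAGES = {
    "firewall_disabled": re.compile(
        r"netsh\s+firewall\s+set\s+opmode\s+(mode\s*=\s*)?disable", re.I),
    "wlan_key_export": re.compile(
        r"netsh\s+wlan\s+export\s+profile\b.*\bkey\s*=\s*clear", re.I),
    "script_host": re.compile(r"\b[cw]script(\.exe)?\b.*\.vbs\b", re.I),
    "ftp_client": re.compile(r"\bftp(\.exe)?\b", re.I),
}

# Constructed sample records: ISO timestamp <TAB> host <TAB> command line.
SAMPLE_LOG = [
    "2018-05-01T10:15:02\tLAB-PC1\tnetsh firewall set opmode mode=disable",
    "2018-05-01T10:15:05\tLAB-PC1\tnetsh wlan export profile key=clear",
    "2018-05-01T10:15:11\tLAB-PC1\tcscript zip.vbs",
    "2018-05-01T10:15:20\tLAB-PC1\tftp ftp.example.test",
    "2018-05-01T11:02:00\tLAB-PC2\tnetsh wlan show profiles",
    "2018-05-01T12:30:00\tLAB-PC3\tnetsh wlan export profile folder=C:\\backup",
    "2018-05-01T13:00:00\tLAB-PC4\tnetsh wlan export profile key=clear",
]

def detect(lines, window=timedelta(seconds=120)):
    """Alert on hosts that exported clear-text keys; escalate when other
    stages of the chain ran within `window` of the export."""
    events = {}
    for line in lines:
        ts, host, cmd = line.split("\t", 2)
        for stage, rx in STAGES.items():
            if rx.search(cmd):
                events.setdefault(host, []).append(
                    (datetime.fromisoformat(ts), stage))
    alerts = []
    for host, evs in sorted(events.items()):
        exports = [ts for ts, stage in evs if stage == "wlan_key_export"]
        if not exports:
            continue  # other stages alone are too common to alert on
        t0 = exports[0]
        nearby = sorted({st for ts, st in evs if abs(ts - t0) <= window})
        alerts.append({"host": host, "time": t0.isoformat(), "stages": nearby,
                       "severity": "high" if len(nearby) >= 3 else "medium"})
    return alerts
```

The 120-second window is chosen to cover the roughly 50-second run time the paper reports; a clear-text key export on its own is still reported, at medium severity.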

Zxcvbn Password Analysis Library
Zxcvbn is one of the popular libraries for determining password strength and is used by Dropbox [24][25]. Zxcvbn has 3 main processes: match, score, and search. In the match process, Zxcvbn performs pattern matching on 6 aspects as follows: In the score process, Zxcvbn performs calculations based on the match process and determines the password strength by returning a value that indicates the category, as shown in Table 1. Lastly, Zxcvbn performs the search process to estimate the time needed to guess the password, assuming the attacker already knows the structure of the password; this process is based on the result of the match process.

Evaluation
The data is collected using voluntary sampling and cluster sampling, which means the attacker asks for the victim's consent to collect the data from the victim's computer. After that, the data is clustered into 3 categories as follows: The data is evaluated to determine the success rate of the Wi-Fi password stealing program using the USB Rubber Ducky, the strength of the victims' passwords using the Zxcvbn Password Analysis Library, and the password reuse rate.

Results and Analysis
The program was written in the USB Rubber Ducky language for the Windows operating system and runs for approximately 50 seconds to grab all the Wi-Fi information on a computer. The information for each Wi-Fi network is exported to an XML file, as shown in Figure 9. The figure shows the complete details of each Wi-Fi network the computer has ever connected to, including the SSID name and the security key of the network. In this testing, 35 samples were used to evaluate the program, consisting of 5 businessmen, 20 college students, and 10 others.
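When such exported profile files are found during incident response, the first question is which networks had their key written out in clear text and therefore need a new passphrase. The following is an added example, not code from the paper: the two sample profiles are constructed, follow the element layout Windows uses for exported WLAN profiles, and the function name triage_profile is hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample in the layout of an exported WLAN profile.
TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2PSK</authentication>
      <encryption>AES</encryption></authEncryption>
    <sharedKey><keyType>passPhrase</keyType>
      <protected>{protected}</protected><keyMaterial>{key}</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>"""
# SSID with non-alphanumeric characters; the name is read from the XML body.
CLEAR = TEMPLATE.format(ssid="Cafe &amp; Co #2", protected="false",
                        key="constructed-passphrase-1")
SEALED = TEMPLATE.format(ssid="OfficeNet", protected="true",
                         key="01000000D08C9DDF")

def triage_profile(xml_text):
    """Summarise one exported profile without returning the key itself."""
    # The stdlib parser keeps the example self-contained; for files recovered
    # from an untrusted host, prefer a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)

    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else None

    key = text("w:MSM/w:security/w:sharedKey/w:keyMaterial")
    protected = text("w:MSM/w:security/w:sharedKey/w:protected")
    # protected=false means keyMaterial holds the passphrase in clear text.
    exposed = key is not None and protected == "false"
    return {
        "ssid": text("w:SSIDConfig/w:SSID/w:name"),
        "authentication": text(
            "w:MSM/w:security/w:authEncryption/w:authentication"),
        "cleartext_key": exposed,
        "key_length": len(key) if exposed else None,
        "action": "rotate passphrase" if exposed else "no cleartext key in file",
    }
```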

The Success Rate of Wi-Fi Password Stealing Program
The test was executed 35 times and failed 2 times, both in the college student category, because the Wi-Fi SSID contained a character other than a digit or a letter. In other words, the success rate of the Wi-Fi password stealing program reached 94.28%, and each test was executed within 1 minute on computers of various specifications.

The Strength of Victim's Personal Password
The strength of the victims' personal passwords from the 33 successful samples is shown in Figure 10. Those categorized as guessable reached 87.87%, and only 12.13% were categorized as unguessable.
It shows that most of our personal passwords are still weak, as they only fulfill certain regular expressions shown in Table 2.

The Password Reuse Rate
Based on the survey of the victims, as illustrated in Figure 11, 81.81% use the same password for every account they have, 12.12% use a similar password for every account but with additional characters depending on the website, and only 6.06% use a different password for every account.

Conclusion and Future Works
The proposed Wi-Fi password stealing program was implemented successfully with a success rate of 94.28%, and because of the high password reuse rate, which reached 81.81%, Wi-Fi password stealing can be very dangerous, as the password is used in many accounts. The low password strength is also a concern, as an attacker has a high chance of success with a brute-force attack on passwords that fulfill the [a-z] regular expression, which had a match rate of 48.48%. It shows that people still lack awareness of how to create a strong password.
This project can be extended in several ways:
• Because the experiment failed on 2 subjects due to a non-alphanumeric character, extend the VB script to make it succeed.
• Instead of using FTP, one can change the firmware of the USB Rubber Ducky and save the files locally on the USB Rubber Ducky.
• More experiments can be done with different operating systems, such as Linux and Mac OS.