July 11, 2015

Windows 7 WiFi scripting

To display all wireless interfaces:
netsh wlan show interfaces
To show the wireless drivers installed, run this command. This is particularly interesting because exploits in drivers do exist, and most admins do not pay as close attention to driver versions as they do to other types of software:
netsh wlan show drivers
To list available wireless networks (similar to Linux’s iwlist scan option):
netsh wlan show networks
or, to also show each BSSID and its signal strength:
netsh wlan show networks mode=bssid
To view profiles of networks saved on this machine:
netsh wlan show profiles
To make Windows connect to the specified profile (usually named after the SSID of the network):
netsh wlan connect name="ProfileName"
To export the profile details to an XML file (which includes an encrypted version of the PSK if applicable):
netsh wlan export profile name="ProfileName"

To delete a profile:
netsh wlan delete profile name="ProfileName"

To add a profile:
netsh wlan add profile filename=c:\temp\myprofile.xml

The XML for a WPA2-PSK WiFi network looks like this (the <protected>false</protected> element tells Windows that the key material is in clear text rather than encrypted):

<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
    <name>YOUR_NETWORK_NAME</name>
    <SSIDConfig>
        <SSID>
            <!-- hex encoding of the network name, for example "abc" would be 616263 -->
            <hex>HEX_OF_YOUR_NETWORK_NAME</hex>
            <name>YOUR_NETWORK_NAME</name>
        </SSID>
    </SSIDConfig>
    <connectionType>ESS</connectionType>
    <connectionMode>auto</connectionMode>
    <MSM>
        <security>
            <authEncryption>
                <authentication>WPA2PSK</authentication>
                <encryption>AES</encryption>
                <useOneX>false</useOneX>
            </authEncryption>
            <sharedKey>
                <keyType>passPhrase</keyType>
                <protected>false</protected>
                <keyMaterial>YOUR_NETWORK_PASSWORD</keyMaterial>
            </sharedKey>
        </security>
    </MSM>
</WLANProfile>

Now, crucially, here are the commands to turn the Windows 7 (or Server 2008 R2) machine into an access point that shares its existing wireless connection out to others:
netsh wlan set hostednetwork mode=allow ssid=SomeSSID key=passphrase
The hosted network is now created but it is not yet started. To start it, issue the command:
netsh wlan start hostednetwork
Your Windows box is now advertising a network (“SomeSSID” in this case) to which other machines can connect. No notification is given on the Windows box that this has happened, and no further notification happens when someone connects.
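Because the hosted network raises no notification, a defender has to go looking for it. The following PowerShell is an added example, not code from the original post: it parses the key/value output of "netsh wlan show hostednetwork" and reports whether hosted-network mode is Allowed or the network is Started. The sample output embedded in it is constructed, and the field names (Mode, SSID name, Status, Number of clients) are assumed from the English-locale output of that command.

```powershell
# Added example, not from the original post: detect a netsh hosted network
# that has been enabled or started on a Windows 7 / Server 2008 R2 host by
# parsing the key/value lines that "netsh wlan show hostednetwork" prints.
# Field names are assumed from the English-locale output of that command.

function ConvertFrom-NetshHostedNetwork {
    param([Parameter(Mandatory)][string[]]$Lines)
    $settings = @{}
    foreach ($line in $Lines) {
        # Key/value lines look like "    Mode                   : Allowed";
        # section headers and "-----" separators carry no colon and are skipped.
        if ($line -match '^\s*(?<key>[^:]+?)\s*:\s*(?<value>.*?)\s*$') {
            $settings[$Matches['key']] = $Matches['value'].Trim('"')
        }
    }
    return $settings
}

function Test-HostedNetworkExposure {
    param([Parameter(Mandatory)][hashtable]$Settings)
    $findings = @()
    if ($Settings['Mode'] -eq 'Allowed') {
        $findings += "Hosted network mode is Allowed (SSID '$($Settings['SSID name'])')"
    }
    if ($Settings['Status'] -eq 'Started') {
        $findings += "Hosted network is Started with $($Settings['Number of clients']) client(s)"
    }
    return $findings
}

# Constructed sample of what the command prints on a host set up as above.
$sample = @'
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "SomeSSID"
    Max number of clients  : 100
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

Hosted network status
---------------------
    Status                 : Started
    Number of clients      : 1
'@ -split '\r?\n'

$findings = Test-HostedNetworkExposure (ConvertFrom-NetshHostedNetwork $sample)
$findings | ForEach-Object { Write-Warning $_ }
# On a live host, feed the real output instead of $sample:
#   Test-HostedNetworkExposure (ConvertFrom-NetshHostedNetwork (netsh wlan show hostednetwork))
```

Where a finding is raised on a real host, "netsh wlan stop hostednetwork" followed by "netsh wlan set hostednetwork mode=disallow" tears the access point down and prevents it from being started again until re-allowed.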

Vivek stated that Microsoft’s response was that it wasn’t being exploited “in the wild”, and therefore nothing would be done about it. Happy WiFi backdooring. :-)
