P4wnP1 is a highly customizable USB attack platform, based on a low cost Raspberry Pi Zero or Raspberry Pi Zero W (required for HID backdoor).
The successor of P4wnP1 is called P4wnP1 A.L.O.A. and hosted here: https://github.com/mame82/P4wnP1_aloa
This repo isn't really suspended, but I'm using all of my time to work on P4wnP1's successor. The new repo is still private, but information on progress is published via Twitter from time to time (@P4wnP1 or @MaMe82).
More important: Don't waste your time following complicated install instructions. A ready-to-go image of the latest P4wnP1 version can be found on the release page: https://github.com/mame82/P4wnP1/releases (seems some of you missed it).
Official Wiki, started by @jcstill and @Swiftb0y
There isn't a short summary of this README. If you want to handle this nice tool, I'm afraid you have to read it.
The most important sections:
Since the initial release in February 2017, P4wnP1 has come a long way. Today advanced features are merged back into the master branch, among others:

- `led_blink` (see the `payloads/` subfolder for examples)

As it is a flexible framework, P4wnP1 allows developing custom payloads limited only by the imagination of the pentester using it. To get a basic idea, some payloads are already included and described here:
This payload extends the "Snagging creds from locked machine" approach, presented by Mubix (see credits), to its obvious successor:
P4wnP1 LockPicker cracks grabbed hashes and unlocks the target on success, using its keyboard capabilities. This happens fully automated, without further user interaction.
I'm still no video producer, so maybe somebody feels called upon to do a demo. Here's my (sh**ty) attempt:
Here's a version of someone doing this much better, thanks @Seytonic
Cracked credentials are stored in the `collected` folder, along with the hashes. The payload `Win10_LockPicker.txt` has to be chosen in `setup.cfg` to carry out the attack. It is important to modify the payload's `lang` parameter to your target's language. If you attach an HDMI monitor to P4wnP1, you can watch the status output of the attack (including the captured hash and plain creds, if you made it this far).
This payload runs a PowerShell script, typed out via P4wnP1's built-in keyboard, to dump the stored credentials of Microsoft Edge or Internet Explorer. Fetched credentials are stored on P4wnP1's flash drive (USB Mass Storage). As the name implies, this payload is the result of a hakin9 article on payload development for P4wnP1, which is not yet published. For this reason the payload has RNDIS enabled, although it isn't needed to carry out the attack. Its main purpose is to show how to store the result of a keyboard-based attack on P4wnP1's flash drive, although the drive letter is only known at runtime of the payload.
This payload plants a backdoor which allows access to a command shell with SYSTEM level privileges from the Windows lock screen. Once planted, the shell is triggered by sticky keys.
The payload itself is purely keyboard based.
The widely known approach to achieve the payload's goal is to replace the `sethc.exe` file. However, this payload makes the change via a registry hack (the `Debugger` property of Image File Execution Options). This means the attack is less noisy, as the filesystem doesn't get touched directly. Additionally the payload shows how to use P4wnP1's keyboard triggers: pressing NUMLOCK multiple times plants the backdoor, while pressing SCROLLLOCK multiple times removes it again.
Last but not least, the attack demos a simple UAC bypass, as the PowerShell session used has to be run with elevated privileges.
The attack requires an unlocked target run by an Administrator account.
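Because the registry variant described above never touches `sethc.exe` on disk, a file-integrity check of `System32` will not catch it; the place to look is the Image File Execution Options key itself. The PowerShell audit below is an added example and not part of P4wnP1: it lists every audited accessibility binary that has a `Debugger` value set and offers a guarded removal. `sethc.exe` is the binary the README names; the other accessibility helpers in the list and the `Remove-IfeoDebugger` helper are my assumptions.

```powershell
# Added example (not P4wnP1 code): audit Image File Execution Options (IFEO)
# for a "Debugger" value on accessibility binaries reachable from the lock
# screen. A Debugger value on sethc.exe is the registry variant of the sticky
# keys backdoor described above; a normal workstation has none of these set.

# sethc.exe is named in the README; the remaining binaries are the other
# accessibility helpers usually audited alongside it (assumption).
$AccessibilityBinaries = @(
    'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
    'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
)

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerFinding {
    # Emits one object per audited binary whose IFEO subkey carries a Debugger value.
    param(
        [string[]]$Binaries = $AccessibilityBinaries,
        [string]$Root = $IfeoRoot
    )
    foreach ($bin in $Binaries) {
        $keyPath = Join-Path -Path $Root -ChildPath $bin
        # Most binaries have no IFEO subkey at all; that is the expected state.
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $props = Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['Debugger']) {
            [pscustomobject]@{
                Binary   = $bin
                Key      = $keyPath
                Debugger = $props.Debugger
            }
        }
    }
}

function Remove-IfeoDebugger {
    # Removes the Debugger value of a finding; honours -WhatIf / -Confirm so the
    # operator can preview before changing anything (needs an elevated prompt).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$Finding
    )
    process {
        $action = "Remove Debugger value '$($Finding.Debugger)'"
        if ($PSCmdlet.ShouldProcess($Finding.Key, $action)) {
            Remove-ItemProperty -LiteralPath $Finding.Key -Name 'Debugger'
        }
    }
}

$findings = @(Get-IfeoDebuggerFinding)
if ($findings.Count -eq 0) {
    Write-Output 'No IFEO Debugger values found on audited accessibility binaries.'
} else {
    Write-Warning "IFEO Debugger values found: $($findings.Count)"
    $findings | Format-Table -AutoSize
    # Review the Debugger column, then: $findings | Remove-IfeoDebugger -WhatIf
}
```

Reading HKLM works as a standard user, so the audit can run from any account; only the removal needs elevation. For continuous detection rather than point-in-time audits, alert on registry value-set events beneath the Image File Execution Options key (Sysmon Event ID 13 records these), since a `Debugger` value appearing on an accessibility binary has essentially no legitimate cause outside a developer's debugging session.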
The payload demoed here isn't published yet.
The video is produced by @Seytonic, you should check out his YouTube channel with hacking related tutorials and various projects, if you're interested in more stuff like this (link in credits).
@Seytonic thanks for the great tutorial
- `shell` command to create a remote shell (only with covert channel connection)

How to use the `hid_backdoor.txt` payload:

1. Choose the `hid_backdoor.txt` payload in `setup.cfg` (using the interactive USB OTG mode or one of the payloads with SSH network access, like `network_only.txt`)
2. Connect to the `P4wnP1` WiFi network (password: `MaMe82-P4wnP1`)
3. While the `hid_backdoor.txt` payload is running, SSH to `pi@172.24.0.1`; the password of user `pi` is `raspberry` in the default configuration
4. `help` shows available commands
5. Use `SetKeyboardLayout` to set the keyboard layout according to your target's language. This step is important and should always be taken first, otherwise most keyboard based attacks fail. The current layout can be checked with `GetKeyboardLayout`. The default keyboard language for the P4wnP1 backdoor shell can be changed in `hidtools/backdoor/config.txt`
6. Use the `SendKeys` command followed by an ASCII key sequence to send keystrokes to the target
7. The `SendKeys` command is somewhat restricted: no control keys can be sent, even a RETURN is problematic. So for more complex key sequences the `FireDuckyScript` command comes to help. `FireDuckyScript` accepts the name of a script residing in the `DuckyScript/` folder. The folder is prefilled with some demo scripts. If you omit the script name behind the `FireDuckyScript` command, you will be presented with a menu to choose a script. If you wonder why one would write a DuckyScript sending an `<ALT> + <F4>` only, you're thinking in the old world of RubberDucky. With P4wnP1 and its capability to run DuckyScripts dynamically, such short scripts come in handy. If you don't know what I'm talking about, run the `P4wnP1_youtube.duck` script and you'll know where scripts like `AltF4_Return.duck` are needed ;-)

So that's all ... no, just joking. Four months without commits wouldn't have passed if there wasn't more. Up till here, there was no covert channel communication, right?!
To open the covert channel the `FireStage1` command is used; this happens in different flavours. By default a short stub is executed, which hides the command window from the user, followed by the stage 1 main script. PowerShell is started without `-exec bypass`, `-enc`, `-NoProfile` or `hidden` ... nothing suspicious! The shortcoming is that we need to wait till the PowerShell window opens before typing is continued. As we are not able to detect input readiness, and there are boxes which take years to bring up an interactive PowerShell window, the delay between running `powershell.exe` and the start of the stage 1 typeout can be changed with the second parameter to the `FireStage1` command (default is 1000 milliseconds). If you append `nohide` to the end of the `FireStage1` command line, the window hiding stub isn't executed upfront and you should be able to see all my sh**ty debug output.

Further commands available once the covert channel is up (see `help` for details):

- `CreateProcess`
- `interact`
- `KillProcess`
- `KillClient`
- `shell`

Summary of the `hid_backdoor.txt` payload:

- Connect to the `P4wnP1` WiFi with a different device (could be a smartphone, as long as an SSH client is installed)
- `SetKeyboardLayout` (or alter `hidtools/backdoor/config.txt`)
- `SendKeys` or `FireDuckyScript` to inject keystrokes
- `FireStage1`
- `shell` to create a remote shell through the covert channel
- `upload` and `download` - so files are now moved back and forth between P4wnP1 and the target through a raw HID device
- Command output can be piped to the HID keyboard (`cat /var/log/syslog | outhid`)
- The `onKeyboardUp` callback can be used in payloads
- See the `template.txt` payload for details
- Global settings (in `setup.cfg`) can be overwritten per payload (if the same parameter is defined in the payload script)

Some days after the initial P4wnP1 commit, Hak5's BashBunny was announced (and ordered by myself). Here's a little feature comparison:
Feature | BashBunny | P4wnP1 |
---|---|---|
RNDIS, CDC ECM, HID, serial and Mass storage support | supported, usable in several combinations, Windows Class driver support (Plug and Play) in most modes | supported, usable in most combinations, Windows Class driver support (Plug and Play) in all modes as composite device |
Target to device communication on covert HID channel | no | Raw HID device allows communication with Windows Targets (PowerShell 2.0+ present) via raw HID There's a full automated payload, allowing to access P4wnP1 bash via a custom PowerShell console from target device (see 'hid_frontdoor.txt' payload). An additional payload based on this technique, allows to expose a backdoor session to P4wnP1 via HID covert channel and relaying it via WiFi/Bluetooth to any SSH capable device (bridging airgaps, payload 'hid_backdoor.txt') |
Mouse emulation | no | Supported: relative Mouse positioning (most OS, including Android) + ABSOLUTE mouse positioning (Windows); dedicated scripting language "MouseScript" to control the Mouse, MouseScripts on-demand from HID backdoor shell |
Trigger payloads via target keyboard | No | Hardware based: LEDs for CAPSLOCK/SCROLLLOCK and NUMLOCK are read back and used to branch or trigger payloads (see hid_keyboard2.txt payload) |
Interactive DuckyScript execution | Not supported | supported, HID backdoor could be used to fire scripts on-demand (via WiFi, Bluetooth or from Internet using the HID remote backdoor) |
USB configuration changeable during runtime | supported | will maybe be implemented |
Support for RubberDucky payloads | supported | supported |
Support for piping command output to HID keyboard out | no | supported |
Switchable payloads | Hardware switch | manually in interactive mode (Hardware switch could be soldered, script support is a low priority ToDo. At least till somebody prints a housing for the Pi which has such a switch and PIN connectors) |
Interactive Login with display out | SSH / serial | SSH / serial / stand-alone (USB OTG + HDMI) |
Performance | High performance ARM quad core CPU, SSD Flash | Low performance single core ARM CPU, SDCARD |
Network interface bitrate | Windows RNDIS: 2 GBit/s; Linux/MacOS ECM: 100 MBit/s; real bitrate 450 MBit max (USB 2.0) | Windows RNDIS: 20 GBit/s; Linux/MacOS ECM: 4 GBit/s (detected as 1 GBit/s interface on MacOS); real bitrate 450 MBit max (USB 2.0). Here's the needed P4wnP1 patch |
LED indicator | RGB Led, driven by single payload command | mono color LED, driven by a single payload command |
Customization | Debian based OS with package manager | Debian based OS with package manager |
External network access via WLAN (relay attacks, MitM attacks, airgap bridging) | Not possible, no external interface | supported with Pi Zero W |
SSH access via Bluetooth | not possible | supported (Pi Zero W) |
Connect to existing WiFi networks (headless) | not possible | supported (Pi Zero W) |
Shell access via Internet | not possible | supported (WiFi client connection + SSH remote port forwarding to SSH server owned by the pentester via AutoSSH) |
Ease of use | Easy, change payloads based on USB drive, simple bash based scripting language | Medium, bash based event driven payloads, inline commands for HID (DuckyScript and ASCII keyboard printing, as well as LED control) |
Available payloads | Fast growing github repo (big community) | Slowly growing github repo (spare time one man show ;-)) Edit: Growing community, but no payload contributions so far |
In one sentence ... | "World's most advanced USB attack platform." | An open source project for the pentesting and red teaming community. |
Total Costs of Ownership | about 99 USD | about 5 USD (11 USD for WLAN capability with Pi Zero W) |
Summary: BashBunny is aimed at easy usage, but costs 20 times as much as the basic P4wnP1 hardware. P4wnP1 is aimed at a more advanced user, but allows outbound communication on a separate network interface (routing and MitM traffic to upstream Internet, hardware backdoor etc.)
Refer to INSTALL.md (outdated, will be rewritten someday)
The default payload (`payloads/network_only.txt`) makes the Pi accessible via Ethernet over USB and WiFi. You can SSH into P4wnP1:

- via USB: `pi@172.16.0.1`
- via WiFi: `pi@172.24.0.1` (network name: `P4wnP1`, key: `MaMe82-P4wnP1`)

From there you can alter `setup.cfg` to change the current payload (`PAYLOAD` parameter) and keyboard language (`LANG` parameter).

Caution: If the chosen payload overwrites the global `LANG` parameter (like the hid_keyboard demo payloads), you have to change the `LANG` parameter in the payload, too. If you remove the `LANG` parameter from the payload, the setting from `setup.cfg` is taken. In short, settings in payloads have higher priority than settings in `setup.cfg`.
`install.sh` script

During tests of P4wnP1 a product has been found to answer NTLM authentication requests on wpad.dat on a locked and fully patched Windows 10 machine. The NTLM hash of the logged-in user is sent by a third-party software, even if the machine isn't domain joined. The flaw has been reported to the respective vendor. Details will be added to the README as soon as a patch is available. For now I'll regularly update the disclosure timeline here.
Disclosure Timeline discovered NTLM hash leak:
Date | Action |
---|---|
Feb-23-2017 | Initial report submitted to Oracle (Email) |
Feb-23-2017 | Oracle reports back, investigating the issue |
Mar-01-2017 | Oracle confirmed issue, working on fix |
Mar-23-2017 | Oracle: monthly status Update "Being fixed in main codeline" |
Apr-23-2017 | Oracle: monthly status Update "Being fixed in main codeline" (yes, Oracle statement doesn't change) |
May-23-2017 | Oracle: monthly status Update "Being fixed in main codeline" |
Jun-23-2017 | Oracle: monthly status Update "Being fixed in main codeline" |
Jul-14-2017 | Oracle: released an update and registered CVE-2017-10125. See link |
So here we are now. The vulnerable product has been the Oracle Java JRE and JDK (1.7 Update 141 and 1.8 Update 131). The issue has been fixed with the "Oracle Critical Patch Update Advisory - July 2017", which could be found here. So go and update your Java JRE/JDK.
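The disclosure above gives a defender two usable data points: the Java releases that were vulnerable (1.7 Update 141 and 1.8 Update 131) and the fact that later releases of those lines carry the July 2017 fix. The PowerShell below is an added example, not part of P4wnP1: it parses Oracle-style version strings, flags anything in those two lines at or below the named updates, and enumerates runtimes installed on the host from the JavaSoft registry keys. The registry layout and the decision to report other version lines as "not assessed" are my assumptions.

```powershell
# Added example (not P4wnP1 code): flag installed Oracle Java runtimes whose
# version is at or below the releases the README names as vulnerable to the
# WPAD NTLM hash leak (CVE-2017-10125): 1.7.0 Update 141 and 1.8.0 Update 131.

# Highest vulnerable update per version line, taken from the README. Updates
# above these in the same line are assumed to contain the July 2017 CPU fix.
$VulnerableCeiling = @{
    '1.7' = 141
    '1.8' = 131
}

function ConvertTo-JavaVersionParts {
    # Parses "1.8.0_131", "1.8.0_131-b11" or "1.7.0_141" into line + update number.
    # Returns $null for anything else (e.g. Java 9+ "9.0.4"), which is not assessed.
    param([Parameter(Mandatory)][string]$Version)
    if ($Version -match '^(?<line>1\.[78])\.0_(?<update>\d+)') {
        return [pscustomobject]@{
            Line   = $Matches['line']
            Update = [int]$Matches['update']
        }
    }
    return $null
}

function Test-JavaVulnerableVersion {
    # $true when the version is in a known line and at or below that line's ceiling.
    param([Parameter(Mandatory)][string]$Version)
    $parts = ConvertTo-JavaVersionParts -Version $Version
    if (-not $parts) { return $false }
    if (-not $VulnerableCeiling.ContainsKey($parts.Line)) { return $false }
    return $parts.Update -le $VulnerableCeiling[$parts.Line]
}

function Get-InstalledJavaVersion {
    # Enumerates version subkeys under the JavaSoft registry roots written by the
    # Oracle installers (assumption: standard installer layout, 32- and 64-bit).
    $roots = @(
        'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
        'HKLM:\SOFTWARE\JavaSoft\Java Development Kit',
        'HKLM:\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment',
        'HKLM:\SOFTWARE\WOW6432Node\JavaSoft\Java Development Kit'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root |
            ForEach-Object { $_.PSChildName } |
            Where-Object { $_ -match '_\d+' }   # keep "1.8.0_131", skip "1.8" line keys
    }
}

# Constructed sample input so the check can be exercised without Java installed.
$SampleVersions = @('1.8.0_131', '1.8.0_144', '1.7.0_141-b15', '9.0.4')
foreach ($v in $SampleVersions) {
    '{0,-14} vulnerable: {1}' -f $v, (Test-JavaVulnerableVersion -Version $v)
}

# Live check of this host.
Get-InstalledJavaVersion | ForEach-Object {
    [pscustomobject]@{
        Installed  = $_
        Vulnerable = (Test-JavaVulnerableVersion -Version $_)
    }
}
```

With the constructed sample, `1.8.0_131` and `1.7.0_141-b15` are reported vulnerable, `1.8.0_144` is not, and `9.0.4` is not assessed because it is outside the two lines the README names. Note that the check only proves the installed version is newer than the vulnerable one; it says nothing about whether WPAD proxy discovery is still enabled on the host, which is the setting that made the leak reachable from the lock screen in the first place.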