Home

Awesome

P4wnP1 by MaMe82

P4wnP1 is a highly customizable USB attack platform, based on a low cost Raspberry Pi Zero or Raspberry Pi Zero W (required for HID backdoor).

Important

The successor of P4wnP1 is called P4wnP1 A.L.O.A. and hosted here: https://github.com/mame82/P4wnP1_aloa

This repo isn't really suspended, but I'm using all of my time to work on P4wnP1's successor. The new Repo is still private, but information on progress are published via twitter, from time to time (@P4wnP1 or @MaMe82).

More important: Don't waste your time following complicated install instructions: A ready-to-go image of latest P4wnP1 version could be found on the release page: https://github.com/mame82/P4wnP1/releases (seems some of you missed it).

TL;TR

Official WiKi started by @jcstill and @Swiftb0y

There isn't a short summary of this README. If you want to handle this nice tool, I'm afraid you have to read this.

The most important sections:

Introduction

Since the initial release in February 2017, P4wnP1 has come a long way. Today advanced features are merged back into the master branch, among others:

External Resources using P4wnP1

P4wnP1 Features (quick summary)

Payload descritions and video demos of included payloads

As it is a flexible framework, P4wnP1 allows to develop custom payloads only limited by the imagination of the pentester using it. To get a basic idea some payloads are already included and described here:

Payload: Windows LockPicker

This payload extends the "Snagging creds from locked machine" approach, presented by Mubix (see credits), to its obvious successor:

P4wnP1 LockPicker cracks grabbed hashes and unlocks the target on success, using its keyboard capabilities. This happens fully automated, without further user interaction.

Video demo

I'm still no video producer, so maybe somebody feels called upon to do a demo. Here's my (sh**ty) attempt: P4wnP1 LockPicker demo youtube

Here's a version of someone doing this much better, thanks @Seytonic P4wnP1 LockPicker demo youtube

Attack chain (short summary):

  1. The USB network interface of P4wnP1 is used to bring up a DHCP which provides its configuration to the target client.
  2. Among other options, a WPAD entry is placed and static routes for the whole IPv4 address space are deployed to the target.
  3. P4wnP1 redirects traffic dedicated to remote hosts to itself using different techniques.
  4. Requests for various protocols originating from the target, are fetched by "Responder.py", which forces authentication and tries to steal the hashes used for authentication.
  5. If a hash is grabbed, P4wnP1 LED blinks three times in sequence, to signal that you can unplug and walk away with the hashes for offline cracking. Or...
  6. ... you leave P4wnP1 plugged and the hashes are handed over to John the Ripper, which tries to bruteforce the captured hash.
  7. If the ´password of the user who locked the box is weakly chosen, chances are high that John the Ripper will be able to crack it, which leads to...
  8. ... P4wnP1 ultimately enters the password, in order to unlock the box and you're able to access the box (the cracked password is stored in collected folder, along with the hashes).

The payload Win10_LockPicker.txt has to be chosen in setup.cfg to carry out the attack. It is important to modify the payloads "lang" parameter to your target's language. If you attach a HDMI monitor to P4wnP1, you could watch the status output of the attack (including captured hash and plain creds, if you made it this far).

Payload: Stealing Browser credentials (hakin9_tutorial)

This payload runs a PowerShell script, typed out via P4wnP1's built-in keyboard, in order to dump stored credentials of Microsoft Edge or Internet Explorer. Fetched credentials are stored to P4wnP1's flashdrive (USB Mass Storage). As the name implies, this payload is the result of an hakin9 article on payload development for P4wnP1, which is yet unpublished. For this reason, the payload has RNDIS enabled, although not needed to carry out the attack. Its main purpose is to show how to store the result from a keyboard based attack, to P4wnP1's flashdrive, although the drive letter is only known at runtime of the payload.

Video demo

P4wnP1 LockPicker demo youtube

Backdooring Windows Lock Screen

This payload plants a backdoor which allows to access a command shell with SYSTEM level privileges from the Windows Lockscreen. Once planted, the shell is triggered by sticky keys.

The payload itself is purely keyboard based. The widely known approach to achieve the payloads's goal, is to replace the sethc.exe file. Anyway, this payload does the change based on a registry hack (Debugger property of Image execution options). This means the attack is less noisy, as the filesystem doesn't get touched directly. Additionally the payload shows how to use P4wnP1's keyboard triggers. Pressing NUMLOCK multiple times plants the backdoor, while pressing SCROLLLOCK multiple times removes the backdoor again. Last but not least, the attack demoes a simple UAC bypass, as the PowerShell session used has to be ran with elevated privileges.

The attack requires an unlocked target run by an Administrator account.

The payload demoed here isn't published yet.

Video demo

P4wnP1 LockPicker demo youtube

Payload: HID covert channel frontdoor

Video demo

P4wnP1 HID demo youtube

HID frontdoor features

Payload HID covert channel backdoor (Pi Zero W only)

Video demo

P4wnP1 HID demo youtube

The video is produced by @Seytonic, you should check out his youtube channel with hacking related tutorials and various projects, if you're interested in more stuff like this (link in credits).

@Seytonic thanks for the great tutorial

HID backdoor features

HID backdoor attack chain and usage

1. Preparation

2. Access the P4wnP1 backdoor shell

3. Ad-Hoc keyboard attacks from P4wnP1 backdoor shell (without using the covert channel), could be done from here:

So that's all

... no just joking. Four months without commits wouldn't have been passed if there isn't more. Up till here, there was no covert channel communication, right?!

4. Fire stage 1 of the covert channel payload ('FireStage1' command)

5. Loading stage 2

6. Using the backdoor connection

HID backdoor attack - summary

  1. Choose hid_backdoor.txt payload
  2. Connect P4wnP1 device to Windows target
  3. Connect to the newly spawned P4wnP1 WiFi with a different device (could be a smartphone, as long as a SSH client is installed)
  4. Set the correct target keyboard layout with SetKeyboardLayout (or alter hidtools/backdoor/config.txt)
  5. On the P4wnP1 shell run SendKeys or FireDuckyScript to inject key strokes
  6. To fire up the covert channel HID backdoor, issue the command FireStage1
  7. After the target connected back, enter shell to create a remote shell through the covert channel

HID backdoor - Currently missing features

P4wnP1 more advanced features (excerpt)

Advanced HID Keyboard Features

Advanced Network Features

Advanced payload features

Feature Comparison with BashBunny

Some days after initial P4wnP1 commit, Hak5's BashBunny was announced (and ordered by myself). Here's a little feature comparison:

FeatureBashBunnyP4wnP1
RNDIS, CDC ECM, HID , serial and Mass storage supportsupported, usable in several combinations, Windows Class driver support (Plug and Play) in most modessupported, usable in most combinations, Windows Class driver support (Plug and Play) in all modes as composite device
Target to device communication on covert HID channelnoRaw HID device allows communication with Windows Targets (PowerShell 2.0+ present) via raw HID</br> There's a full automated payload, allowing to access P4wnP1 bash via a custom PowerShell console from target device (see 'hid_frontdoor.txt' payload). </br> An additional payload based on this technique, allows to expose a backdoor session to P4wnP1 via HID covert channel and relaying it via WiFi/Bluetooth to any SSH capable device (bridging airgaps, payload 'hid_backdoor.txt')
Mouse emulationnoSupported: relative Mouse positioning (most OS, including Android) + ABSOLUTE mouse positioning (Windows); dedicated scripting language "MouseScript" to control the Mouse, MouseScripts on-demand from HID backdoor shell
Trigger payloads via target keyboardNoHardware based: LEDs for CAPSLOCK/SCROLLLOCK and NUMLOCK are read back and used to branch or trigger payloads (see hid_keyboard2.txt payload)
Interactive DuckyScript executionNot supportedsupported, HID backdoor could be used to fire scripts on-demand (via WiFi, Bluetooth or from Internet using the HID remote backdoor)
USB configuration changable during runtimesupportedwill maybe be implemented
Support for RubberDucky payloadssupportedsupported
Support for piping command output to HID keyboard outnosupported
Switchable payloadsHardware switchmanually in interactive mode (Hardware switch could be soldered, script support is a low priority ToDo. At least till somebody prints a housing for the Pi which has such a switch and PIN connectors)
Interactive Login with display outSSH / serialSSH / serial / stand-alone (USB OTG + HDMI)
PerformanceHigh performance ARM quad core CPU, SSD FlashLow performance single core ARM CPU, SDCARD
Network interface bitrateWindows RNDIS: 2 GBit/s</br>Linux/MacOS ECM: 100 MBit/s</br>Real bitrate 450 MBit max (USB 2.0)Windows RNDIS: 20 GBit/s</br>Linux/MacOS ECM: 4 GBit/s (detected as 1 GBit/s interface on MacOS)</br>Real bitrate 450 MBit max (USB 2.0)</br>Here's the needed P4wnP1 patch
LED indicatorRGB Led, driven by single payload commandmono color LED, driven by a single payload command
CustomizationDebian based OS with package managerDebian based OS with package manager
External network access via WLAN (relay attacks, MitM attacks, airgap bridging)Not possible, no external interfacesupported with Pi Zero W
SSH access via Bluetoothnot possiblesupported (Pi Zero W)
Connect to existing WiFi networks (headless)not possiblesupported (Pi Zero W)
Shell access via Internetnot possiblesupported (WiFi client connection + SSH remote port forwarding to SSH server owned by the pentester via AutoSSH)
Ease of useEasy, change payloads based on USB drive, simple bash based scripting languageMedium, bash based event driven payloads, inline commands for HID (DuckyScript and ASCII keyboard printing, as well as LED control)
Available payloadsFast growing github repo (big community)Slowly growing github repo (spare time one man show ;-)) Edit: Growing community, but no payload contributions so far
In one sentence ..."World's most advanced USB attack platform."A open source project for the pentesting and red teaming community.
Total Costs of Ownershipabout 99 USDabout 5 USD (11 USD fow WLAN capability with Pi Zero W)

SumUp: BashBunny is directed to easy usage, but costs 20 times as much as the basic P4wnP1 hardware. P4wnP1 is directed to a more advanced user, but allows outbound communication on a separate network interface (routing and MitM traffic to upstream internet, hardware backdoor etc.)

Install instructions

Refer to INSTALL.md (outdated, will be rewritten someday)

Getting started

The default payload (payloads/network_only.txt) makes th Pi accessible via Ethernet over USB and WiFi. You could SSH into P4wnP1

via USB

pi@172.16.0.1

or via WiFi

pi@172.24.0.1
Network name: P4wnP1
Key: MaMe82-P4wnP1

From there you could alter setup.cfg to change the current payload (PAYLOAD parameter) and keyboard language (LANG parameter).

Caution: If the chosen payload overwites the global LANG parameter (like the hid_keyboard demo payloads), you have to change the LANG parameter in the payload, too. If your remove the LANG parameter from the payload, the setting from setup.cfg is taken. In short words, settings in payloads have higher priority than settings in setup.cfg

Requirements

Snagging creds from locked machines, vulnerable application (Oracle JAVA JRE/JDK vuln)

During tests of P4wnP1 a product has been found to answer NTLM authentication requests on wpad.dat on a locked and fully patched Windows 10 machine. The NTLM hash of the logged in user is sent by a third party software, even if the machine isn’t domain joined. The flaw has been reported to the respective vendor. Details will be added to the readme as soon as a patch is available. For now I’ll recently update the disclosure timeline here.

Disclosure Timeline discovered NTLM hash leak:

DateAction
Feb-23-2017Initial report submitted to Oracle (Email)
Feb-23-2017Oracle reports back, investigating the issue
Mar-01-2017Oracle confirmed issue, working on fix
Mar-23-2017Oracle: monthly status Update "Being fixed in main codeline"
Apr-23-2017Oracle: monthly status Update "Being fixed in main codeline"  (yes, Oracle statement doesn't change)  
May-23-2017Oracle: monthly status Update "Being fixed in main codeline"
Jun-23-2017Oracle: monthly status Update "Being fixed in main codeline"
Jul-14-2017Oracle: released an update and registered CVE-2017-10125. See link

So here we are now. The vulnerable product has been the Oracle Java JRE and JDK (1.7 Update 141 and 1.8 Update 131). The issue has been fixed with the "Oracle Critical Patch Update Advisory - July 2017", which could be found here. So go and update your Java JRE/JDK.

Credits to