
P4wnP1


PoSHMagiC0de


The link to the github is here:

https://github.com/mame82/P4wnP1

Not my project.  I found out about this late last week and it prompted me to order 2 Raspberry Pi Zero Ws.  They came in yesterday and before I posted this I wanted to give it a spin.

First off, not trying to list any competing projects to Hak5.  I own most of their stuff and love it all.  This is just additional as each tool has a use depending on what you want to do and how much time you have, etc.

P4wnP1 is a project built on the Pi Zero and Pi Zero W (for the hid_backdoor). It has a few tools, like something similar to QuickCreds, but the system will try to crack them itself with a simple wordlist and, if it is guessed, it will log into the machine when it is locked. I will let you look at the project's GitHub site to see all the things it has; I will talk about its flagship feature.

P4wnP1 was written for Raspbian Jessie. Right now Stretch is out. So, needless to say, there are a few issues, but the main one is that stuff has to be run as sudo, whereas on Jessie things just ran as root.

When I first got it all installed I tried it and found this out when I tried to connect to the hid_backdoor shell. It crashed. I had to install pydispatcher and pycrypto with sudo to fix those. Soon I found out the hidserver would not start. These were easy fixes, as all I did was edit the bash scripts to include sudo in the right places. After that the hid_backdoor shell works.

 

So, first thing I tried is just sending ducky commands which worked.

I then did the hid_backdoor using firestage1, which ran a PowerShell command on the machine to load the hid shell into the background. No network connection or anything. The server and agent communicate through an HID channel. I have been looking at the code and am just floored. Right now it does simple commands, which are actually powerful enough when used in combination, like launching processes, killing them and interacting with them, though I have not been able to interact with a PowerShell shell I spawn. It also includes a shell you can drop to on the victim that gives you an interactive DOS shell communicating through the HID channel. It leaves itself open for you to script your own payloads as well. Oh, forgot: you connect to it remotely through the Pi Zero W's WiFi, which is set up as an access point on boot, and you SSH into the Pi, which drops you into the hidserver app as your shell, though you can exit it to the actual Pi shell. I used it with my cell phone's WiFi and an Android SSH app to control it while I pranked my boss.

If you have pi zero Ws laying around, you have to check out this project.

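The post above describes the hid_backdoor's networkless shell: the server on the Pi and the agent on the victim exchange data only inside raw HID reports, and the framework is open for custom payloads on top. The following is an added example, not P4wnP1's own code and not its actual wire format (the page does not describe that framing): it shows the general idea of a reliable byte stream over fixed-size HID reports, assuming 64-byte reports with a 3-byte header (sequence number, flags, payload length) and a simulated command table on the agent side instead of executing anything.

```python
REPORT_LEN = 64          # assumed raw-HID report size; real devices vary
HDR = 3                  # header: seq (1 byte), flags (1 byte), payload length (1 byte)
CHUNK = REPORT_LEN - HDR
FLAG_LAST = 0x01         # set on the final report of a message


def frame(data: bytes, first_seq: int = 0) -> list:
    """Split a byte string into fixed-size reports: [seq][flags][len][payload, zero padded]."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]
    reports = []
    for n, chunk in enumerate(chunks):
        flags = FLAG_LAST if n == len(chunks) - 1 else 0
        seq = (first_seq + n) & 0xFF
        body = bytes([seq, flags, len(chunk)]) + chunk
        reports.append(body.ljust(REPORT_LEN, b"\x00"))
    return reports


def unframe(reports, expected_seq: int = 0) -> bytes:
    """Reassemble a message; a lost, duplicated or reordered report raises instead of
    silently corrupting the stream (HID gives no delivery guarantee of its own)."""
    out = bytearray()
    for rep in reports:
        if len(rep) != REPORT_LEN:
            raise ValueError("bad report length %d" % len(rep))
        seq, flags, n = rep[0], rep[1], rep[2]
        if seq != expected_seq:
            raise ValueError("lost or reordered report: expected seq %d, got %d" % (expected_seq, seq))
        out += rep[HDR:HDR + n]
        expected_seq = (expected_seq + 1) & 0xFF
        if flags & FLAG_LAST:
            return bytes(out)
    raise ValueError("stream truncated: no LAST flag seen")


def channel_intact(reports) -> bool:
    """True if the report sequence reassembles cleanly, False on any framing error."""
    try:
        unframe(reports)
        return True
    except ValueError:
        return False


# Constructed stand-in for the agent running commands on the victim; nothing is executed.
SIMULATED_COMMANDS = {
    "whoami": "desktop-01\\bob",
    "hostname": "DESKTOP-01",
}


def agent_handle(cmd_reports) -> list:
    """Agent side: decode a command from HID reports, answer with HID reports."""
    cmd = unframe(cmd_reports).decode()
    result = SIMULATED_COMMANDS.get(cmd, "unknown command: " + cmd)
    return frame(result.encode())


def server_run(cmd: str) -> str:
    """Server side (the Pi): one request/response round trip over the HID channel."""
    return unframe(agent_handle(frame(cmd.encode()))).decode()


if __name__ == "__main__":
    print(server_run("whoami"))
```

The sequence check is the part worth keeping whatever framing you actually use: a dropped output report on a busy host shows up as a seq gap on the next read, and the server can retransmit from that point rather than hand back a silently truncated command output.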

9 hours ago, Dave-ee Jones said:

So it's a cheap, DIY version of the Bash Bunny with WiFi support (which is what I've always wanted for the BB). Useless, they said. Negligible, they said. What use does it have, they said.

This is perfect timing as there are many (like @Mr.Wrench ) who are looking to do this kind of thing.

 

Lol, I hear you.

I wanted Bluetooth when I saw the Supreme Duck. This thing is a whole new level. But yeah, it is a BB with WiFi support. I would almost say it can be a wireless LAN Turtle too. If you preprogram the WiFi for a nearby hotspot, it will connect when powered up. Apply the patch so it says it is a 20GB NIC and you probably could flow traffic through it. The Pi Zero, that is.


Besides the fact that I brought up P4wnP1 before the Bash Bunny was there, the devices are comparable.

In fact there's a feature comparison in the P4wnP1 readme.

So there are two things P4wnP1 can do which the BB isn't capable of:

- bring up a USB HID device which serves as a covert backchannel to get networkless remote shells

- relay these shells to the built-in WiFi AP

 

Okay, maybe there's more in the future (Bluetooth support, CD-ROM emulation, pivoting by tunneling TCP sockets through the HID device).

P.S. P4wnP1 has a payload to unlock boxes, after a hash has been fetched:

 

 


On 8/25/2017 at 6:38 PM, PoSHMagiC0de said:

I would almost say it can be a wireless LAN Turtle too. If you preprogram the WiFi for a nearby hotspot, it will connect when powered up. Apply the patch so it says it is a 20GB NIC and you probably could flow traffic through it. The Pi Zero, that is.

Yeah, that's what I was getting at too.

On 8/27/2017 at 3:20 AM, mame82 said:

P.S. P4wnP1 has a payload to unlock boxes, after a hash has been fetched:

Yes, I did read the P4wnP1 readme, which includes the comparison between P4wnP1 and the BB. As they also said, the BB has a larger community base while the P4wnP1 is a one-man show with no backing community as of yet, meaning no community payloads.

Also, the BB can be used to unlock boxes as well, because it uses the same method as the P4wnP1 (in fact, they both use Responder to do it). However, I would agree the P4wnP1 has done it a bit better, though the BB could match that anyway if someone wanted to make the payload to automatically input the text if Responder finds a matching hash.


You will have to put that precompiled version of John on it. It only cracks what is in its wordlist using John. It is for cracking simple passwords, nothing fancy with rules, though I think you could, but man, that would put your Pi through the wringer. The BB already gets pretty warm; John would probably catch it on fire.

I have been playing with it and getting it to work with the new Raspbian Stretch (which it does). I am loving the hid_backdoor. Made a new payload that included it and enabled RNDIS. Changed the PID to something random. My Win10 machine installed the NIC in 3 seconds, and the HID. I could ping back and forth between the Pi and the victim. Backdoor payloads worked. Found a way to fire off scripts using the HID channel and agent and get back results. Loving it. Sat in my living room hacking my Win10 machine that is in my bedroom through the Pi's WAP.

 


14 minutes ago, PoSHMagiC0de said:

You will have to put that precompiled version of John on it. It only cracks what is in its wordlist using John. It is for cracking simple passwords, nothing fancy with rules, though I think you could, but man, that would put your Pi through the wringer. The BB already gets pretty warm; John would probably catch it on fire.

I have been playing with it and getting it to work with the new Raspbian Stretch (which it does). I am loving the hid_backdoor. Made a new payload that included it and enabled RNDIS. Changed the PID to something random. My Win10 machine installed the NIC in 3 seconds, and the HID. I could ping back and forth between the Pi and the victim. Backdoor payloads worked. Found a way to fire off scripts using the HID channel and agent and get back results. Loving it. Sat in my living room hacking my Win10 machine that is in my bedroom through the Pi's WAP.

 

Man, I really need to get a Zero W :/

That's next on my ordering list then. I just need to 3D print a case for it and put a USB head on it.


  • 2 weeks later...

Just wanted to do an update.

Mame82 did some updates to the installer so it works fine with Raspbian Stretch Lite now. I have yet to fully test the install, but I got it working with Stretch before the changes, so it is compatible; just the install needed some tweaks to work fine.

On top of that, I have given it a try with the Empire project. Since this is optimized for Windows, I decided to use Empire as the companion framework with this project. It is written in Python too (so hopefully there is some way to merge them, maybe into P4wnP1 as a separate listener with stager/launcher), so I figured there would be no big issue. The only issue I ran across is Empire itself needing extra dependencies that it doesn't install, probably because it was put together on Kali, so some dependencies are taken for granted as already installed. I am building a list of dependencies to give to the Empire team so they can do some extra checks. Besides that, I got it running relatively easily.

How did I use it? I made a copy of the hid_backdoor payload. Renamed it, changed the PID, set RNDIS to true. Now I have HID and network ability. When P4wnP1 launches, on my WiFi SSH connection I create a new screen window and launch Empire. I create a listener and get the launcher. That launcher I use after I initiate HID_Backdoor (FireStage1). I then CreateProc the launcher to get Empire up. Now I can create a separate agent and turn it into a relay. That relay is used as my listener point for any other machines I get into on the network, since the victim PC that the Pi is on is not sharing its internet with the Pi. Essentially, I turned the machine the Pi is connected to into a RAT controlled via WiFi. Want to get the connections to an outside terminal? Just fire off a launcher for the Empire server that is on the outside. Doing it from the Pi eliminates external connections going on, reducing suspicion, since most of the early warnings are connections to outside sources.

 

I imagine you can do the same with Metasploit, but I have not tried to install Metasploit separately on the Pi yet; usually it comes in Parrot or Kali for Raspberry Pi when I get the full distro image, which I normally do if I am just making a general, small, network-accessible remote access terminal.


  • 4 weeks later...

Yeah this has been around for months.. I've been waiting for Hak5 to put the MouseHID in to the BashBunny.. But I'll go back to being quiet now.. 

 


On 10/3/2017 at 8:35 AM, Ar1k88 said:

Yeah this has been around for months.. I've been waiting for Hak5 to put the MouseHID in to the BashBunny.. But I'll go back to being quiet now.. 

You could potentially do that yourself, but you would void your warranty.

(Hint: There are some spare pins and a USB Host header on the board of the BB).


15 minutes ago, Dave-ee Jones said:

You could potentially do that yourself, but you would void your warranty.

(Hint: There are some spare pins and a USB Host header on the board of the BB).

Oh I know I could do it, I was waiting for "Hak5" to do it.. Lol.. :P 

I have a Zero W with P4wnP1 already on it.. Honestly the Bash Bunny is more convenient to use than the P4wnP1.. But both have their advantages.. :) 


Agreed. I would love WiFi/Bluetooth on the Bunny but...yea, won't be happening anytime soon unless I hack it myself (not much experience in that area..at all..). The P4wnP1 does this out of the box (almost), but you miss the easier-to-use functionality and it's not as fast (not having an SSD and a decent CPU). But then again, it is an open-source board so you can put almost anything on it, so the upgradable capabilities are there.

