18 Nov 2017

What is P4wnP1?

P4wnP1 is an open source, highly customizable USB attack platform based on the low-cost Raspberry Pi Zero or Raspberry Pi Zero W. I’m sure you have heard about the wonderful tools from Hak5; P4wnP1 is an open source variant which, in my view, combines the Rubber Ducky and the Bash Bunny, with support for both Human Interface Device (HID) attacks and network attacks. For HID attacks, P4wnP1 enumerates as a plug-and-play keyboard. For network attacks, it presents itself to Windows targets as a Remote Network Driver Interface Specification (RNDIS) interface and to *NIX based targets as a USB Communications Device Class (CDC) – Ethernet Control Model (ECM) subclass interface.

P4wnP1 features:

  • HID covert channel Frontdoor/Backdoor: Get remote shell access to Microsoft Windows targets via HID devices
  • Windows 10 Lockpicker: Unlock Microsoft Windows boxes with weak passwords (fully automated)
  • Stealing Browser Credentials: Dumps stored browser credentials and copies them to the built-in flash drive
  • WiFi Hotspot: SSH access (Pi Zero W only), supports hidden ESSID.
  • Client Mode: Relays USB net attacks over WiFi with internet access (MitM)
  • USB device: Works with Windows Plug and Play support. Supports the following device types:
    • HID covert channel communication device: Frontdoor/Backdoor
    • HID Keyboard/Mouse
    • USB Mass storage: Currently only in demo setup with 128 Megabyte drive
    • RNDIS: Microsoft Windows networking
    • CDC ECM: MacOS / Linux networking
  • Bash based payload scripts. A lot of example payloads included.
  • Responder: Pre-compiled and ready to go!
  • John the Ripper Jumbo: Pre-compiled version ready to go!
  • AutoSSH integration: For easy reverse ssh tunnels.
  • Auto attack: P4wnP1 automatically boots to standard shell if an OTG adapter is attached
  • LED state feedback with a simple bash command (led_blink)
  • Advanced HID features:
    • Keyboard payloads could be triggered by targets main keyboard LEDs (NUMLOCK, CAPSLOCK and SCROLLLOCK)
    • Dynamic payload branching based on LED triggers
    • Supports DuckyScripts!
    • Supports raw ASCII output via HID Keyboard (could be used to print out character based files via keyboard, like cat /var/log/syslog | outhid)
    • Multi Keyboard language layout support (no need to worry about target language when using HID commands)
    • Output starts when target keyboard driver is loaded (no need for manual delays, onKeyboardUp callback could be used in payloads)
    • Supports MouseScript
  • Advanced network features:
    • Fake RNDIS network interface speed of up to 20GB/s, so the interface gets the lowest metric and wins every fight for the dominating ‘default gateway’ entry in the routing table while network attacks are carried out.
    • Automatic link detection and interface switching, if a payload enables both RNDIS and ECM networking
    • SSH server is running by default, so P4wnP1 can be reached on 172.16.0.1 (as long as the payload enables RNDIS, CDC ECM or both) or on 172.24.0.1 via WiFi
    • If both WiFi client mode and WiFi Access Point mode are enabled, P4wnP1 fails over to opening an Access Point when the target WiFi isn’t reachable (Pi Zero W only)
  • Advanced payload features:
    • bash payloads based on callbacks (see template.txt payload for details)
      • onNetworkUp (when target host gets network link active)
      • onTargetGotIP (if the target received an IP, the IP could be accessed from the payload script)
      • onKeyboardUp (when keyboard driver installation on target has finished and keyboard is usable)
      • onLogin (when a user logs in to P4wnP1 via SSH)
    • configuration can be done globally (setup.cfg) or overwritten per payload (if the same parameter is defined in the payload script)
    • settings include:
      • USB config (Vendor ID, Product ID, device types to enable …)
      • WiFi config (SSID, password …)
      • HID keyboard config (target keyboard language etc.)
      • Network and DHCP config
      • Payload Selection
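The device types listed above (HID keyboard, HID covert channel, mass storage, RNDIS, CDC ECM) all arrive on one composite USB device, and that combination is exactly what a host-side USB policy can key on. The following is an added defensive example, not P4wnP1’s own code: it classifies a device from its interface descriptors (class:subclass:protocol triplets, as lsusb and USBGuard print them) and blocks a keyboard that also brings a network or storage interface, while flagging any USB network adapter for a default-route check. The class codes are the USB-IF base classes; e0:01:03 is the triple Microsoft’s RNDIS driver binds to and 02:06:00 is a CDC ECM control interface. The sample device records are constructed for illustration.

```python
"""Flag the composite-device pattern a P4wnP1-style gadget presents:
a HID keyboard bundled with RNDIS / CDC ECM networking and/or mass storage.

Added defensive example, not P4wnP1's own code. Device records below are
constructed, not captured from real hardware.
"""
from dataclasses import dataclass

# USB-IF base class codes
CDC_CONTROL = 0x02   # CDC control interface (CDC ECM; also Linux-style RNDIS 02:02:ff)
HID = 0x03
MASS_STORAGE = 0x08
CDC_DATA = 0x0A
WIRELESS = 0xE0      # "Wireless Controller": RNDIS as Windows enumerates it (e0:01:03)
NETWORK_CLASSES = {CDC_CONTROL, CDC_DATA, WIRELESS}
BOOT_KEYBOARD = (0x01, 0x01)  # HID boot subclass, keyboard protocol
BOOT_MOUSE = (0x01, 0x02)


@dataclass(frozen=True)
class Interface:
    cls: int
    subclass: int
    protocol: int


def parse_interfaces(spec: str):
    """Parse space-separated 'cc:ss:pp' hex triplets into Interface records."""
    out = []
    for tok in spec.split():
        c, s, p = (int(x, 16) for x in tok.split(":"))
        out.append(Interface(c, s, p))
    return tuple(out)


def roles(interfaces):
    """Map interface descriptors to coarse device roles."""
    found = set()
    for i in interfaces:
        if i.cls == HID:
            if (i.subclass, i.protocol) == BOOT_KEYBOARD:
                found.add("keyboard")
            elif (i.subclass, i.protocol) == BOOT_MOUSE:
                found.add("mouse")
            else:
                found.add("hid-raw")   # non-boot HID: the shape a covert channel uses
        elif i.cls in NETWORK_CLASSES:
            found.add("network")
        elif i.cls == MASS_STORAGE:
            found.add("storage")
    return found


def assess(interfaces):
    """Return (verdict, reasons) for one device.

    block : keyboard combined with network, storage or raw HID
    review: any USB network interface (it may win the default route)
    allow : everything else
    """
    r = roles(interfaces)
    reasons = []
    if "keyboard" in r and "network" in r:
        reasons.append("keyboard and network interface on one device")
    if "keyboard" in r and "storage" in r:
        reasons.append("keyboard and mass storage on one device")
    if "keyboard" in r and "hid-raw" in r:
        reasons.append("keyboard and raw HID interface on one device")
    if reasons:
        return "block", reasons
    if "network" in r:
        return "review", ["USB network adapter: check default-route metric after plug-in"]
    return "allow", []


# Constructed sample devices (not captured from real hardware)
SAMPLES = {
    "plain keyboard": "03:01:01",
    "usb stick": "08:06:50",
    "cdc ecm nic": "02:06:00 0a:00:00",
    "keyboard+rndis+storage": "03:01:01 e0:01:03 0a:00:00 08:06:50",
    "keyboard+raw hid": "03:01:01 03:00:00",
}


def run_samples():
    """Verdict per sample device, keyed by the sample name."""
    return {name: assess(parse_interfaces(spec))[0] for name, spec in SAMPLES.items()}


if __name__ == "__main__":
    for name, spec in SAMPLES.items():
        verdict, why = assess(parse_interfaces(spec))
        print(f"{name:24s} {verdict:6s} {'; '.join(why)}")
```

The "review" verdict exists because a lone USB NIC is legitimate hardware; what makes it interesting is the routing behaviour described under "Advanced network features", where the adapter's advertised link speed decides its automatic metric. A host that pins the metric of its real uplink, or that alerts when a hot-plugged adapter becomes the default route, closes that part of the attack surface regardless of the device's descriptors.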

These are not the only features! There are a lot more, which the author discusses in much detail at the official wiki. You can use P4wnP1 to install stuff and gain access to airgapped systems, launch man-in-the-middle attacks and exfiltrate information. In fact, using this tool, the author, @mame82, also found a vulnerability in Oracle Java installations! You must now be wondering why there is a need for P4wnP1 when the Rubber Ducky already exists. These are the reasons I found most appealing:

  • You can handle DuckyScripts embedded in a bash-like payload.
  • You also have the ability to run native keyboard payloads when an event such as a key press is triggered.
  • When installed on a Raspberry Pi Zero W, keyboard attacks can also be fired via WiFi by spawning an access point.
  • Output raw ASCII with pipes to the virtual keyboard.
  • Multi-language support via a global payload variable!

IT Security Professional – Security Researcher & Consultant for the Government, Enthusiast, Malware Analyst, Penetration Tester.
