*This article is written by: Meow God 2017, and it belongs to the FreeBuf original reward program. Reproduction without permission is prohibited.
Preparation and Introduction
Once, a friend of mine said he wanted to buy the hak5 Bash Bunny, a network hijacking keyboard injection all-in-one BadUSB. It looked great, but unfortunately, my friend said he needed to eat instant noodles for two months to save up for it!
I asked, is it really that expensive??? After checking on the almighty Taobao, I was shocked!!!
1400 yuan!!!!
How many instant noodles do I need to eat to save that up!
So I had the following idea: how to achieve the functionality of the Bash Bunny at a low cost, and in the end, I demonstrated it to my friend.
His expression was like this!
Preparation:
1. Mao Zedong (money)
2. Mao Zedong
3. still Mao Zedong
Of course, this is all nonsense! Back to the point!
1. You need a Raspberry Pi (I used the Pi Zero W, which only costs 153 on Taobao!)
The Pi Zero W has a built-in CYW43438 wireless chip with WiFi and Bluetooth, so it can be controlled over SSH, and it is tiny!
2. Data cable or Micro USB OTG adapter (three yuan each on Taobao)
Preparation work for the Raspberry Pi:
1. WiFi Network Configuration
Once the Raspberry Pi system image has been flashed, place a wpa_supplicant.conf file directly in the boot partition of the memory card (its root directory).
The content of this file is:
Explanation and examples of WiFi configurations with different security levels:
#ssid: the SSID of the network
#psk: the WiFi password (pre-shared key)
#priority: connection priority; the higher the number, the higher the priority (cannot be negative)
#scan_ssid: set this to 1 when connecting to a hidden WiFi network
2. Enable SSH Service
As with the WiFi configuration, create a new file named ssh in the boot partition; it can be empty. Note that the name must be lowercase and have no extension.
The Pi can then connect to your own WiFi!
SSH into the Raspberry Pi with the default username pi and password raspberry (if you don't know its IP address, look it up in your router's management page).
3. Configure and Download Installation Programs
After downloading, execute:
The most important point: after installation, the Pi's WiFi network name changes to P4wnP1.
The password is MaMe82-P4wnP1.
The SSH connection address is 172.24.0.1, and the username and password are still the Raspberry Pi defaults.
It is recommended to change the initial password! Be careful not to get hacked!!!
If you want to control it from your phone, you can use the Shelly app (for iPhone); on Android, any other SSH client can control the Raspberry Pi as well.
If the iPhone connects to the WiFi but no WiFi icon appears, check the DNS option… it should be empty.
Modify it yourself as shown in the following image:
Configure P4wnP1
nano setup.cfg
In this configuration file you can change the WiFi name and password.
Further down are the keyboard language and other options, along with the payload selection.
Initially the active line is PAYLOAD=network_only.txt; comment it out by adding # in front of it.
Only one payload can be active at a time.
Then choose the payload to execute by removing the # in front of its line.
For example, if you choose hid_backdoor, remove the # in front of PAYLOAD=hid_backdoor_remote.txt.
As shown in the following image:
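Before plugging the Pi into anything, a quick sanity check on setup.cfg catches the two mistakes this section warns about: more than one active PAYLOAD line, and the default WiFi password left in place. This is an added example written for this article, not code from the P4wnP1 project; the key names WIFI_ACCESSPOINT_PSK and PAYLOAD are assumed from P4wnP1's setup.cfg layout, and the two sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the article or the P4wnP1 project): a pre-deployment
# check for setup.cfg.  The key names WIFI_ACCESSPOINT_PSK and PAYLOAD are
# assumed from P4wnP1's layout; adjust them if your file differs.

DEFAULT_PSK="MaMe82-P4wnP1"   # default AP password named in the article

# Print how many PAYLOAD= lines are active (not commented out).
count_active_payloads() {
    grep -c '^[[:space:]]*PAYLOAD=' "$1" || true
}

# Print the configured AP password with surrounding quotes removed.
ap_psk() {
    sed -n 's/^[[:space:]]*WIFI_ACCESSPOINT_PSK=//p' "$1" | tr -d '"' | tail -n 1
}

# Exit 0 only if exactly one payload is active and the AP password was changed.
check_setup_cfg() {
    cfg="$1"; rc=0
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 2; }
    n=$(count_active_payloads "$cfg")
    if [ "$n" -ne 1 ]; then
        echo "FAIL: $n active PAYLOAD lines in $cfg (exactly one allowed)"; rc=1
    fi
    psk=$(ap_psk "$cfg")
    if [ -z "$psk" ] || [ "$psk" = "$DEFAULT_PSK" ]; then
        echo "FAIL: AP password in $cfg is missing or still the default"; rc=1
    fi
    return "$rc"
}

# Constructed sample configs for demonstration; the real file lives on the Pi.
TMPD=$(mktemp -d)
cat > "$TMPD/bad.cfg" <<'EOF'
WIFI_ACCESSPOINT_NAME="P4wnP1"
WIFI_ACCESSPOINT_PSK="MaMe82-P4wnP1"
PAYLOAD=network_only.txt
PAYLOAD=hid_backdoor_remote.txt
EOF
cat > "$TMPD/good.cfg" <<'EOF'
WIFI_ACCESSPOINT_NAME="lab-pi"
WIFI_ACCESSPOINT_PSK="long-unique-passphrase-set-by-you"
PAYLOAD=network_only.txt
#PAYLOAD=hid_backdoor_remote.txt
EOF
for f in "$TMPD/bad.cfg" "$TMPD/good.cfg"; do
    if check_setup_cfg "$f"; then echo "OK: $f"; else echo "REJECTED: $f"; fi
done
```

Run it on the Pi with the real path in place of the constructed samples; a non-zero exit means the file should not be deployed yet.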
Of course, the Windows 10 lock-screen unlock that Mitnick demonstrated at DEFCON can also be done with this… that is PAYLOAD=Win10_LockPicker.txt.
The captured password hash files are stored in the P4wnP1/responder/logs/ folder.
You can try it; I tried it, and it was very exciting!!!!
Here is a demonstration video (using hid_backdoor_remote):
The first step I executed was FireStage1.
This is equivalent to obtaining a connected session.
As shown in the image: after execution, the status changes to client connected.
Generally, you need to set the keyboard language option by entering SetKeyboardLanguage.
Then you can choose the language; here I chose 8.
As shown in the image.
Entering help shows many options.
For example, SendDuckyScript sends a Ducky Script, which is the BadUSB function.
SendMouseScript is the mouse script function, and download downloads a file.
Upload and shell, I don’t need to say much… you can do anything you want!
Here is the video demonstration:
http://v.youku.com/v_show/id_XMzA2MTkwNDE2NA==.html