P4wnp1 A.L.O.A. - Framework Which Turns A Rapsberry Pi Goose Egg W Into A Flexible, Low-Cost Platform For Pentesting, Ruby-Red Teaming Too Physical Engagements
P4wnP1 A.L.O.A. past times MaMe82 is a framework which turns a Rapsberry Pi Zero W into a flexible, low-cost platform for pentesting, ruddy teaming together with physical engagements ... or into "A Little Offensive Appliance".
0. How to install
The latest icon could live establish nether release tab.
The easiest way to access a fresh P4wnP1 A.L.O.A. installation is to utilisation the spider web customer via the spawned WiFi (the PSK is
MaMe82-P4wnP1, the URL http://172.24.0.1:8000) or SSH (default password toor).1. Features
Plug&Play USB device emulation
- USB functions:
- USB Ethernet (RNDIS together with CDC ECM)
- USB Serial
- USB Mass Storage (Flashdrive or CD-Rom)
- HID Keyboard
- HID Mouse
- runtime reconfiguration of USB stack (no reboot)
- detection of connect/disconnect makes it possible to maintain P4wnP1 A.L.O.A powered upward (external supply) together with trigger activity if the emulated USB device is attached to a novel host
- no demand to bargain amongst different internal ethernet interfaces, equally CDC ECM together with RNDIS are connected to a virtual bridge
- persistent shop together with charge of configuration templates for USB settings
HIDScript
- replacement for express DuckyScript
- sophisticated scripting linguistic communication to automate keyboard together with mouse
- up to 8 HIDScript jobs could run inwards parallel (keep a task upward to jiggle the mouse, spell others are started on-demand to do arbitrary mouse together with keystroke injection seamlessly)
- HIDScript is based on JavaScript, amongst mutual libraries available, which allows to a greater extent than complex scripts (function calls, using
Mathfor mouse calculations etc.) - keyboard
- based on UTF-8, so there's no limitation to ASCII characters
- could react on feedback from the hosts existent keyboard past times reading dorsum LED state changes of NUMLOCK, CAPSLOCK together with SCROLLLOCK (if the target OS shares LED state across all connected keyboards, which isn't the instance for OSX)
- take branching decisions inwards HIDScript, based on LED feedback
- mouse
- relative motility (fast, but non precise)
- stepped relative motility (slower, but accurate ... moves mouse inwards 1 DPI steps)
- absolute positioning on Windows (pixel perfect if target's covert dimensions are known)
- Keyboard together with mouse are non solely controlled past times the same scripting language, both could live used inwards the same script. This allows combining them inwards companionship to attain goals, which couldn't live achieved using solely keyboard or mouse.
- current linguistic communication layouts: br, de, es, fr, gb, it, ru together with us
Bluetooth
- full interface to Bluez stack (currently no back upward for remote device discovery/connect)
- allows to run a Bluetooth Network Access Point (NAP)
- customizable Pairing (PIN based legacy trend or SSP)
- High Speed back upward (uses 802.11 frames to attain WiFi similar transfer rates)
- Runtime reconfiguration of the Bluetooth stack
- Note: PANU is possible, too, but currently non supported (no remote device connection)
- persistent shop together with charge of configuration templates for Bluetooth settings
WiFi
- modified Firmware (build amongst Nexmon framework)
- allows KARMA (spoof valid answers for Access Points probed past times remote devices together with allow association)
- broadcast additional Beacons, to emulate multiple SSIDs
- WiFi covert channel
- Note: Nexmon legacy monitor trend is included, but non supported past times P4wnP1. Monitor trend is nonetheless buggy together with probable to crash the firmware if the configuration changes.
- easy Access Point configuration
- easy Station trend configuration (connect to existing AP)
- failover trend (if it is non possible to connect to the target Access Point, direct upward an ain Access Point)
- runtime reconfiguration of WiFi stack
- persistent shop together with charge of configuration templates for WiFi settings
Networking
- easy ethernet interface configuration for
- bluetooth NAP interface
- USB interface (if RNDIS/CDC ECM is enabled)
- WiFi interface
- supports dedicated DHCP server per interface
- support for DHCP customer mode
- manual configuration
- persistent shop together with charge of configuration templates for each interface
Tooling
Not much to say here, P4wnP1 A.L.O.A. is backed past times KALI Linux, so everything should live right at your hands (or could live installed using apt)
Configuration together with Control via CLI, remotely if needed
- all features mentioned so far, could live configured using a CLI client
- the P4wnP1 core service is a unmarried binary, running equally systemd unit of measurement which preserves runtime state
- the CLI customer interfaces amongst this service via RPC (gRPC to live specific) to modify the state of the core
- as the CLI uses a RPC approach, it could live used for remote configuration, too
- if P4wnP1 is accessed via SSH, the CLI customer is there, waiting for your commands (or your tab completion kung fu)
- the CLI is written inwards Go (as most of the code) together with hence compiles for most major platforms together with architectures
- compile the customer for windows
- make certain you lot could connect to P4wnP1 somehow (Bluetooth, WiFi, USB)
- add the
hostparameter to your customer commands - ... together with utilisation the CLI equally you lot would do amongst local access.
Configuration together with Control via spider web client
Although it wasn't planned initially, P4wnP1 A.L.O.A. could live configured using a webclient. Even though the customer wasn't planned, it evolved to a prissy slice of software. In fact it ended upward equally the principal configuration tool for P4wnP1 A.L.O.A. The webclient has capabilities, which couldn't live accessed from the CLI (templates storage, creation of "TriggerActions").
The core features:
- should piece of work on most major mobile together with desktop browsers, amongst consistent await together with experience (Quasar Framework)
- uses gRPC via websockets (no RESTful API, no XHR, nearly same approach equally CLI)
- Thanks to this interface, the weblient does non rely on a request&reply scheme only, but receives "push events" from the P4wnP1 core. This means:
- if you lot (or a script) changes the state of P4wnP1 A.L.O.A. these changes volition live instantly reflected into the webclient
- if you lot have got multiple webclients running, changes of the core's state volition live reflected from 1 customer to all other clients
- includes a HIDScript editor, amongst
- syntax highlighting
- auto-complete (
CTRL+SPACE) - persistent storage & charge for HIDScripts
- on-demand execution of HIDScript direct from the browser
- a HIDScript task director (cancel running jobs, inspect task state together with results)
- includes an overview together with editor for TriggerActions
- full templating back upward for all features described so far
- the WebClient is a Single Page Application, 1 time loaded everything runs customer side, solely gRPC asking are exchanged
Automation
The automation approach of the old P4wnP1 version (static bash scripts) couldn't live used anymore.
The automation approach of P4wnP1 A.L.O.A. had to fulfills these requirements:
- easy to utilisation together with understand
- usable from a webclient
- be generic together with flexible, at the same time
- everything doable amongst the old "bash script" approach, should nonetheless live possible
- able to access all subsystems (USB, WiFi, Bluetooth, Ethernet Interfaces, HIDScript ... )
- modular, amongst reusable parts
- ability to back upward (simple) logical tasks without writing additional code
- allow physical computing, past times utilizing of the GPIO ports
Usage tutorial
2. Workflow component subdivision 1 - HIDScript
P4wnP1 A.L.O.A. doesn't utilisation concepts similar static configuration or payloads. In fact it has no static workflow at all.
P4wnP1 A.L.O.A. is meant to live equally flexible equally possible, to allow using it inwards all possible scenarios (including the ones I couldn't think of spell creating P4wnP1 A.L.O.A.).
But at that spot are some basic concepts, I'd similar to walk through inwards this section. As it is difficult to explicate everything without creating a proper (video) documentation, I see some some mutual utilisation cases together with examples inwards companionship to explicate what needs to live explained.
Nevertheless, it is unlikely that I'll have got the fourth dimension to provide a full-fledged documentation. So I encourage everyone to back upward me amongst tutorials together with ideas, which could live linked dorsum into this README
Now let's start amongst 1 of the most basic tasks:
2.1 Run a keystroke injection against a host, which has P4wnP1 attached via USB
The minimum configuration requirement to attain this goal is:
- The USB sub organisation is configured to emulate at to the lowest degree a keyboard
- There is a way to access P4wnP1 (remotely), inwards companionship to initiate the keystroke injection
- the USB settings are initialized to provide keyboard, mouse together with ethernet over USB (both, RNDIS together with CDC ECM)
- P4wnP1 could already live accessed remotely, using 1 of the next methods:
- WiFi
- the Access Point scream should live obvious
- the password is
MaMe82-P4wnP1 - the IP of P4wnP1 is
172.24.0.1
- USB Ethernet
- the IP of P4wnP1 is
172.16.0.1
- the IP of P4wnP1 is
- Bluetooth
- device scream
P4wnP1 - PIN
1337 - the IP is
172.26.0.1 - Note: Secure Simple Pairing is OFF inwards companionship to strength PIN Pairing. This 1 time again means, high speed trend is turned off, too. So the bluetooth connexion is real slow, which is less of a work for SSH access, but requesting the webclient could direct upward to 10 minutes (in contrast to some seconds amongst high speed enabled).
- device scream
- WiFi
- a SSH server is accessible from all the aforementioned IPs
- The SSH user for KALI Linux is
root, the default password istoor - The webclient could live reached over all 3 connections on port 8000 via HTTP
At this dot I assume:
- You have got attached P4wnP1 to some target host via USB (the innermost of the Raspberry's micro USB ports is the 1 to use)
- The USB host runs an application, which is able to have the keystrokes together with has the electrical flow keyboard input focus (f.e. a text editor)
- You are remotely connected to P4wnP1 via SSH (the best way is WiFi), preferably the SSH connexion is running from a different host, so the the 1 which has P4wnP1 A.L.O.A. attached over USB
root@kali: # P4wnP1_cli The CLI customer tool could live used to configure P4wnP1 A.L.O.A. from the command line. The tool relies on RPC so it could live used remotely. Version: v0.1.0-alpha1 Usage: P4wnP1_cli [command] Available Commands: db Database backup together with restore evt Receive P4wnP1 service events assist Help most whatever command hid Use keyboard or mouse functionality led Set or Get LED state of P4wnP1 cyberspace Configure Network settings of ethernet interfaces (including USB ethernet if enabled) organisation organisation commands template Deploy together with listing templates trigger Fire a grouping mail activity or hold off for a grouping have trigger usb USB gadget settings wifi Configure WiFi (spawn Access Point or bring together WiFi networks) Flags: -h, --help assist for P4wnP1_cli --host string The h ost amongst the listening P4wnP1 RPC server (default "localhost") --port string The port on which the P4wnP1 RPC server is listening (default "50051") Use "P4wnP1_cli [command] --help" for to a greater extent than information most a command.-h to the CLI command:root@kali: # P4wnP1_cli hid run -h Run script provided from measure input, commandline parameter or past times path to script file on P4wnP1 Usage: P4wnP1_cli hid run [flags] Flags: -c, --commands string HIDScript commands to run, given equally string -h, --help assist for run -r, --server-path string Load HIDScript from given path on P4wnP1 server -t, --timeout uint32 Interrupt HIDScript after this timeout (seconds) Global Flags: --host string The host amongst the listening P4wnP1 RPC server (default "localhost") --port string The port on which the P4wnP1 RPC server is listening (default "50051")P4wnP1_cli hid run -c 'type("Hello world")'The resultant output inwards the SSH session should await similar to this:
TempFile created: /tmp/HIDscript295065725 Start appending to 'HIDscript295065725' inwards folder 'TMP' Result: nullIf your SSH customer runs on the USB host itself, the typed "Hello world" ends upward somewhere betwixt the resulting output of the CLI command (it doesn't belong to the output, but has been typed inwards between).
Goal achieved. We injected keystrokes to the target.
Much reading for a uncomplicated task similar keystroke injection, but again, this department is meant to explicate basic concepts.
2.2 Moving on to to a greater extent than sophisticated linguistic communication features of HIDScript
If you lot managed to run the "Hello world" keystroke injection, this is a practiced dot to explore some additional HIDScript features.
We already know the
type command, but let's endeavour together with hash out some to a greater extent than sophisticated HIDScript commands:Pressing especial keys together with combinations
The
type command supports pressing return, past times encoding a "new line" grapheme into the input string, similar this:P4wnP1_cli hid run -c 'type("line 1\nline 2\nline 3 followed past times pressing RETURN 3 times\n\n\n")'The
press command comes to help!Let's utilisation
press to mail CTRL+ALT+DELETE to the USB host:P4wnP1_cli hid run -c 'press("CTRL ALT DELETE")'Let's press the fundamental 'A' without whatever modifier key:
P4wnP1_cli hid run -c 'press("A")'press("A") interprets 'A' equally key. The command type("A"), on the other hand, tries to press a fundamental combination which should resultant inwards an working capital missive of the alphabet 'A' output character.Let's combine a modifier together with a non-modifier key, inwards companionship to create an working capital missive of the alphabet 'A' output grapheme (mimic the behaviour of `type("A"):
P4wnP1_cli hid run -c 'press("SHIFT A")'It is of import to understand, that
press interprets the given its fundamental arguments equally keys, spell type tries to regain the appropriate fundamental combinations to create the intended output characters.In a lastly example, let's combine
press together with type.P4wnP1_cli hid run -c 'type("before caps\n"); press("CAPS"); type("after caps\n"); press("CAPS");'Additional notes on fundamental presses amongst
press:I don't wish to dive into the depth of USB keyboard reports inner workings, but some things are worth mentioning to pinpoint the limits together with possibilities of the
press command (which itself plant based on raw keyboard reports):- a keyboard study tin comprise upward to 8 modifier keys at once
- the modifier keys are
- LEFT_CTRL
- RIGHT_CTRL
- LEFT_ALT
- RIGHT_ALT
- LEFT_SHIFT
- RIGHT_SHIFT
- LEFT_GUI
- RIGHT_GUI
- P4wnP1 allows using aliases for mutual modifiers
- CTRL == CONTROL == LEFT_CTRL
- ALT == LEFT_ALT
- SHIFT == LEFT_SHIFT
- WIN == GUI == LEFT_GUI
- in improver to the modifiers,
pressconsumes upward to 6 normal or especial keys- normal keys stand upward for characters together with especial keys
- example of especial keys: BACKSPACE, ENTER (== RETURN), F1 .. F12)
- the keys are linguistic communication layout agnostic (
press("Z")results inwards USB_KEY_Z fo EN_US keyboard layout, but produces USB_KEY_Y for a High German layout. This corresponds to pressing the hardware fundamental 'Z' on a High German keyboard, which would create a USB_KEY_Y, too.) /usr/local/P4wnP1/keymaps/common.jsonholds a formatted JSON keymap amongst all possible keys (be careful non to modify the file)
- adding multiple keys to the a unmarried
presscommand, doesn't create a fundamental sequence. All given given keys are pressed at the same fourth dimension together with release at the same time. pressreleases keys automatically, this agency a sequence similar "hold ALT, press TAB, press TAB, release ALT" currently isn't possible
Keyboard layout
The HIDScript command to modify the keyboard layout is
layout() .The next instance switches keyboard layout to 'US' types something together with switches the layout to 'German' before it goes on typing:
P4wnP1_cli hid run -c 'layout("us"); type("Typing amongst EN_US layout\n");layout("de"); type("Typing amongst High German layout supporting especial chars üäö\n");'On a host amongst High German keyboard layout the resultant looks similar this:
Tzping amongst EN?US lazout Typing amongst High German layout supporting especial chars üäöTyping amongst EN_US layout Tzping amongst High German lazout supporting especial chars [';The
layout command allows to align P4wwP1's internal layout to the 1 of the target USB host.Being able to modify the layout inwards the middle of a running HIDScript, could come upward inwards handy: Who knows, perchance you lot similar to beast strength the target host's keyboard layout past times issuing commands amongst changing layouts till 1 of the typed commands achieves the desired effect.
Important: The layout has global effect. This agency if multiple HIDScripts are running concurrently together with 1 of the scripts sets a novel layout, all other scripts are effected immediately, too.
Typing speed
By default P4wnP1 injects keystrokes equally fast equally possible. Depending on your goal, this could live a chip equally good much (think of counter measures which forbid keystroke injection based on behaviour analysis of typing speed). HIDScript supports a command to modify this behavior.
typingSpeed(delayMillis, jitterMillis)The start declaration to the
typingSpeed command represents a constant delay inwards milliseconds, which is applied betwixt 2 keystrokes. The 2d declaration is an additional jitter inwards milliseconds. It adds an additional random delay, which scales betwixt 0 together with the given jitter inwards milliseconds, to the static delay provided amongst the start argument.Let's endeavour to utilisation
typingSpeed to deadening downward the typing:P4wnP1_cli hid run -c 'typingSpeed(100,0); type("Hello world")'P4wnP1_cli hid run -c 'typingSpeed(0,500); type("Writing amongst random jitter upward to 500 milliseconds")'P4wnP1_cli hid run -c 'typingSpeed(100,150); type("Writing amongst to a greater extent than natural speed")'Wait for LED report
Waiting for LED report, or to live precise LED state changes, is 1 of the to a greater extent than sophisticated keyboard features of HIDScript. It could live real powerful but needs a chip of explanation.
You may have got noticed that (depending on the USB host's OS) the keyboard state modifiers (NUM LOCK, SCROLL LOCK, CAPS LOCK) are shared across multiple connected keyboards. For example, if you lot connect 2 keyboards to a Windows host, together with toggle CAPS LOCK on 1 of them, the CAPS LOCK LED changes on both keyboards.
Exactly this attempt out could live used, to determine if the keyboard state modifiers are shared across all keyboards for a given OS.
In instance a USB host supports this sort of state sharing (for instance Windows does), P4wnP1's HIDScript linguistic communication could brand utilisation out of it.
Imagine the next scenario:
P4wnP1 is connected to a USB host together with you lot wish to apply keystroke injection, but you lot don't wish the HIDScript to run the keystrokes immediately. Instead the HIDScript should sit down together with hold off till you lot hitting NUMLOCK, CAPSLOCK or SCROLLLOCK on the host's existent keyboard. Why? Maybe you're involved inwards an engagement, person walked inwards together with you lot don't wish that this exact "somebody" could regard how magically a huge amount of characters are typed into a console window which all of a precipitous popped up. So you lot hold off till "somebody" walks out, hitting NUM LOCK together with ultimately a console window pops upward together with a huge amount of characters are magically type ... I think you lot got it.
The described behaviour could live achieved similar this:
P4wnP1_cli hid run -c 'waitLED(NUM); type("A huge amount of characters\n")'This is intended behaviour together with the argue for this is some other utilisation instance for the
waitLED command:Maybe you lot have got used other keyboard scripting languages together with other USB devices capable of injecting keystrokes, before. Most of these devices part a mutual problem: You don't know when to start typing!
If you lot start typing instantly after the USB device is powered up, it is probable that the USB host hasn't finished device enumeration together with hence hasn't managed to direct upward the keyboard drivers. Ultimately your keystrokes are lost.
To overcome this you lot could add together a delay before the keystroke injection starts. But how long should this delay be? Five seconds, 10 seconds, thirty seconds ?
The reply is: it depends! It depends on how fast the host is able to enumerate the device together with direct upward the keyboard driver. In fact you lot couldn't know how long this takes, without testing against the actual target.
But equally nosotros have got already learned, Operating Systems similar Windows part the LED state across multiple keyboards. This agency if the NUMLOCK LED of the host keyboard is laid to ON before you lot attach a 2d keyboard, the NUMLOCK LED on this novel keyboard has to live laid to ON, too, 1 time attached. If the NUM LOCK LED would have got been laid to OFF, anyways, the newly attached keyboard receives the LED state (all LEDs off inwards this case). The interesting thing most this is, that this "LED update" could solely live mail from the USB host to the attached keyboard, if the keyboard driver has finished loading (sending LED state wouldn't live possible otherwise).
Isn't that beautiful? The USB host tells us: "I'm ready to have keystrokes". There is no demand to play around amongst initial delays.
But hither is some other problem: Assume nosotros connect P4wnP1 to an USB host. We run a HIDScript starting amongst
waitLED instead of a paw crafted delay. Typing starts after the waitLED, but cypher happens - our keystrokes are lost, anyways! Why? Because, it is probable that nosotros missed the LED state update, equally it arrived before nosotros fifty-fifty started our HIDScript.Exactly this "race condition" is the argue why P4wnP1 preserves all recognized LED state changes, unless at to the lowest degree 1 HIDScript consumes them past times calling
waitLED (or waitLEDRepeat). This could resultant inwards the behaviour depict earlier, where a waitLED returns immediately, fifty-fifty though no LED modify occurred. We at nowadays know: The LED modify indeed occurred, but it could have got happened much before (berfore nosotros fifty-fifty started the HIDScript), because the state modify was preserved. We also know, that this behaviour is needed to avoid missing LED state changes, inwards instance waitLED is used to attempt out for "USB host's keyboard driver readiness".Note: It is worth mentioning, that
waitLED returns ONLY if the received LED state differs from P4wnP1's internal state. This means, fifty-fifty if nosotros hear for a modify on whatever LED amongst waitLED(ANY) it nonetheless could happen, that nosotros have an initial LED state from a USB host, which doesn't differ from P4wnP1's internal state. In this instance waitLED(ANY) would block forever (or till a existent LED modify happens). This especial instance could live handled past times calling waitLED(ANY_OR_NONE), which returns equally presently equally a novel LED state arrive, fifty-fifty if it doesn't resultant inwards a change.Enough explanation, let's acquire practical ... before nosotros do so, nosotros have got to modify the hardware setup a bit:
Attach an external powerfulness provide to the 2d USB port of the Raspberry Pi Zero (the outer one). This assures that P4wnP1 doesn't loose powerfulness when detached from the USB host, equally it doesn't rely on motorcoach powerfulness anymore. The USB port which should live used to connect P4wnP1 to the target USB host is the inner most of the 2 ports.
Now start the next HIDScript
P4wnP1_cli hid run -c 'while (true) {waitLED(ANY);type("Attached\n");}'This taught us 3 facts:
waitLEDcould live used equally initial command inwards scripts, to start typing equally presently equally the keyboard driver is readywaitLEDisn't the perfect choice, to recess HID scripts until a LED changing fundamental is pressed on the USB host, equally preserved state changes could unblock the command inwards an unintended way- Providing to a greater extent than complex HIDScript equally parameter to the CLI isn't real convenient
waitLED command, nosotros direct attention of the 3rd fact, now. Let us leave of absence the CLI.- abort the P4wnP1 CLI amongst CTRL+C (in instance the looping HIDScript is nonetheless running)
- open a browser on the host yor have got been using for the SSH connexion to P4wnP1 (not the USB host)
- the webclient could live accessed via the same IP equally the SSH server, the port is 8000 (for WiFi
http://172.24.0.1:8000) - navigate to the "HIDScript" tab inwards the at nowadays opened webclient
- from at that spot you lot could charge together with shop HIDScripts (we don't do this for now, although
ms_snake.jsis a real practiced instance for the powerfulness of LED based triggers)
return waitLED(ANY);Now, if whatever LED modify is emitted from the USB host (by toggling NUM, CAPS or SCROLL) the HIDScript task should end. It nonetheless could live establish nether "Succeeded" jobs.
If you lot press the lilliputian "info" clit again, at that spot should live an information most the resultant value (encoded equally JSON), which looks something similar this:
{"ERROR":false,"ERRORTEXT":"","TIMEOUT":false,"NUM":true,"CAPS":false,"SCROLL":false,"COMPOSE":false,"KANA":false}waitLED command returns a JavaScript object looking similar this:{ ERROR: false, // gets truthful if an mistake occurred (f.e. HIDScript was aborted, before waitLED could return) ERRORTEXT: "", // corresponding mistake string TIMEOUT: false, // gets truthful if waitLED timed out (more on this inwards a minute) NUM: true, // gets truthful if NUM LED had changed before waitLED returned CAPS: false, // gets truthful if CAPS LED had changed before waitLED returned SCROLL: false, // gets truthful if SCROLL LED had changed before waitLED returned COMPOSE: false, // gets truthful if COMPOSE LED had changed before waitLED returned (uncommon) KANA: imitation // gets truthful if KANA LED had changed before waitLED returned (uncommon) }NUM became true. In your instance it perchance was CAPS. It doesn't affair which LED it was. "hat does affair is the fact, that the homecoming value gives the chance to examine the LED modify which makes the command homecoming together with hence it could live used to direct branching decisions inwards your HIDScript (based on LED state changes issued from the USB host's existent keyboard).Let's endeavour an example:
while (true) { resultant = waitLED(ANY); if (result.NUM) { type("NUM has been toggled\n"); } if (result.SCROLL) { type("SCROLL has been toggled\n"); } if (result.CAPS) { break; //exit loop } }Puhhh ... a bunch of text on this command for a unmarried HIDScript command, but at that spot nonetheless some things left.
We provided arguments similar
NUM, ANY or ANY_OR_NONE to the waitLED command, without farther explanation.The
waitLED accepts upward to 2 arguments:The start argument, equally you lot mightiness have got guessed, is a whitelist filter for the LEDs to watch. Valid arguments are:
ANY(react on a modify to whatever of the LEDs)ANY_OR_NONE(react on every novel LED state, fifty-fifty if there's no change)NUM(ignore all LED changes, except on the NUM LED)CAPS(ignore all LED changes, except on the NUM CAPS)SCROLL(ignore all LED changes, except on the NUM SCROLL)- multiple filters could live combined similar this
CAPS | NUM,NUM | SCROLL
waitLED returns together with has TIMEOUT: true laid inwards the resulting object (additionally ERROR is laid to truthful together with ERRORTEXT indicates a timeout).The next command would hold off for a modify on the NUM LED, but aborts waiting after v seconds:
waitLED(NUM,5000)waitLED is a real powerful command if used correctly, it hasn't helped to bargain amongst our like shooting fish in a barrel task of robustly pausing a HIDScript till a state modifier fundamental is pressed on the target USB host (remember: We wanted to recess execution to assure the unwanted "somebody" walked out before typing starts, but waitLED occasionally returned early, because of preserved LED state changes).This is where
waitLEDRepeat joins the game together with comes to rescue.Paste the next script into the editor together with endeavour to brand the command return. Inspect the HIDScript results afterwards.
return waitLEDRepeat(ANY)waitLEDRepeat command return. The waitLEDRepeat command wouldn't homecoming if differing LEDs modify state or if the LED changes on a unmarried LED are occurring equally good slow.The declaration provided to
waitLEDRepeat (which is ANY inwards the example) serves the exact same purpose equally for waitLED. It is a whitelist filter. For instance waitLEDRepeat(NUM) would solely homecoming for changes of the NUM LOCK LED - no affair how fast together with often you'd hammer on the CAPS LOCK key, it wouldn't homecoming unlees NUM LOCK is pressed frequently.By default, 1 of the whitelisted LEDs has to modify 3 times together with the delay betwixt 2 successive changes mustn't live greater than 800 milliseconds inwards companionship to brand
waitLEDRepeat return. This behaviour could tuned, past times providing additional arguments similar shown inwards this example:filter = ANY; // same filters equally for waitLED num_changes = 5; // how often the SAME LED has to change, inwards companionship to homecoming from waitLEDRepeat max_delay = 800; // the maximum duration betwixt 2 LED changes, which should live taken into acccount (milliseconds) timeout = 10000; // timeout inwards milliseconds waitLEDRepeat(filter, num_changes, max_delay); //wait till a LED oftentimes changed v times, no timeout waitLEDRepeat(filter, num_changes, max_delay, timeout); //wait till a LED oftentimes changed v times, abort after 10 secondsNote:
waitLEDRepeat doesn't differ from waitLED, when it comes to consumption of preserved LED state changes. Anyways, it is much harder to trigger it unintended.So
waitLEDRepeat is the right choice, if the task is to recess HIDScripts till human interaction happens. Of course of didactics it could live used for branching, too, equally it provides the same homecoming object equally waitLED does.Up to this dot nosotros gained a practiced chip of noesis most HIDScript (of course of didactics non most everything, nosotros haven't fifty-fifty looked into mouse command capabilities of this scripting language). Anyways, this tutorial is most P4wnP1 A.L.O.A. workflow together with basic concepts. So nosotros don't await into other HIDScript features, for now, together with displace on.
Let's summarize what nosotros learned most P4wnP1's workflow together with concepts so far:
- we could start actions similar keystroke injection from the CLI client, on-demand
- we could utilisation the webclient to attain the same, spell having additional command over HIDScript jobs
- if nosotros connect an external powerfulness provide to P4wnP1 A.L.O.A., nosotros attach/detach to/from different USB hosts together with already started HIDScripts exceed on working seamlessly
- we could configure the USB stack just to our needs (and modify its configuration at runtime, without rebooting P4wnP1)
- we could write multi purpose HIDScripts, amongst complex logic based on JavaScript (with back upward for functions, loops, branching etc. etc.)
3. Workflow component subdivision 2 - Templating together with TriggerActions
Before exceed on amongst the other major concepts of P4wnP1 A.L.O.A. let's refine our start goal, which was to "run a keystroke injection against a USB host":
- The novel goal is to type "Hello world" into the editor of a Windows USB host (notepad.exe).
- The editor should live opened past times P4wnP1 (not manually past times the user).
- The editor should automatically live closed, when whatever of the keyboard LEDs of the USB host is toggled.
- Everytime P4wnP1 is attached to the USB host, this behaviour should repeat (with external powerfulness supply, no reboot of P4wnP1)
- The procedure should solely run once, unless P4wnP1 is re-attached to the USB host, fifty-fifty if successive keyboard LED changes occur after the HIDScript has been started.
- Even if P4wnP1 is rebooted, the same behaviour should live recoverable without recreating item of the setup from scratch, again.
// Starting notepad press("WIN R"); // Windows fundamental + R, to opened upward run dialog delay(500); // hold off 500ms for the dialog to opened upward type("notepad.exe\n"); // type 'notepad.exe' to the run dialog, append a RETURN press delay(2000); // hold off 2 seconds for notepad to come upward up // Type the message type("Hello world") // Type "Hello world" to notepad // unopen notepad after LED modify waitLED(ANY); // hold off for a unmarried LED modify press("ALT F4"); // ALT+F4 shortcut to unopen notepad //as nosotros changed content, at that spot volition live a confirmation dialog before notepad exits delay(500); // hold off for the confirmation dialog press("RIGHT"); // displace focus to adjacent clit (don't save) amongst RIGHT ARROW press("SPACEBAR"); // confirm dialog amongst spacedelay command, which doesn't demand much explanation. It delays execution for the given amount of milliseconds.The script could live pasted into the webclient HIDScript editor together with started amongst "run" inwards companionship to attempt out it.
It should piece of work equally intended, so nosotros are nearly done. In companionship to live able reuse the script, fifty-fifty after a reboot, nosotros shop it persistently. This could live achieved past times hitting the "store" clit inwards the HIDScript tab of the webclient. After entering a scream (we utilisation
tutorial1 for now) together with confirming the dialog, the HIDScript should have got been stored. We could banking concern check this, past times hitting the "Load & Replace" clit inwards the webclient. The stored script should occur inwards the listing of stored scripts amongst the scream tutorial1.js (the .js extension is appended automatically, if it hasn't been provided inwards the "store" dialog, already).Warning: If a scream of an already existing file used inwards the shop dialog, the respective file gets overwritten without asking for farther confirmation.
Let's endeavour to start the stored script using the CLI customer from a SSH session, similar this:
P4wnP1_cli hid run tutorial1.jsIt would fifty-fifty live possible to start the script remotely from a CLI customer compiled for Windows. Assuming the Windows host is able to range P4wnP1 A.L.O.A. via WiFi together with the IP of P4wnP1 is laid to
172.24.0.1 the proper command would await similar this:P4wnP1_cli.exe --host 172.24.0.1 hid run tutorial1.jsThe adjacent stair is to allow the script to run again, every fourth dimension P4wnP1 is re-attached to a USB host. H5N1 approach nosotros already used to attain such a behavior, was to wrap everything into a loop together with prepend a
waitLED(ANY_OR_NONE). The waitLED(ANY_OR_NONE) assured tha the loop solely continues, if the target USB host signals that the keyboard driver is ready to have input past times sending an update of the global keyboard LED sate. An accordingly modified script could await similar this:while (true) { waitLED(ANY_OR_NONE); // hold off till keyboard driver sends the initial LED state // Starting notepad press("WIN R"); // Windows fundamental + R, to opened upward run dialog delay(500); // hold off 500ms for the dialog to opened upward type("notepad.exe\n"); // type 'notepad.exe' to the run dialog, append a RETURN press delay(2000); // hold off 2 seconds for notepad to come upward up // Type the message type("Hello world") // Type "Hello world" to notepad // unopen notepad after LED modify waitLED(ANY); // hold off for a unmarried LED modify press("ALT F4"); // ALT+F4 shortcut to unopen notepad //as nosotros changed content, at that spot volition live a confirmation dialog before notepad exits delay(500); // hold off for the confirmation dialog press("RIGHT"); // displace focus to adjacent clit (don't save) amongst RIGHT ARROW press("SPACEBAR") ; // confirm dialog amongst infinite }waitLED involved, which waits till notepad.exe should live is closed, again.Doing it similar this involves several issues. For instance if P4wnP1 is detached before the "Hello world" is typed out, the at nowadays blocking
waitLED would live the 1 before press("ALT F4") together with execution would maintain at exact this dot of the HIDScript 1 time P4wnP1 is attached to a (maybe different) USB host, again.H5N1 definitive kill criteria for the chosen approach is the next problem: The requirement that the script should live run solely 1 time after attaching P4wnP1 to an USB host couldn't live met, equally hitting NUM LOCK multiple times would restart the script over together with over.
So how do nosotros solve this ?
Let's innovate TriggerActions
The solution to the work are so called "TriggerActions". As the scream implies, this P4wnP1 A.L.O.A. workflow concept fires actions based on predefined triggers.
To acquire an thought of what I'm talking about, caput over to the "TRIGGER ACTIONS" tab on the webclient. Depending on the electrical flow setup, at that spot may already be TriggerActions. We don't attention for existing TriggerActions, now.
Hit the "ADD ONE" clit together with a novel TriggerActions should live added together with instantly opened inwards edit mode. The novel TriggerAction is disabled past times default together with has to live enabled inwards companionship to brand it editable. So nosotros toggle the enable switch.
Now from the trace downward bill of fare called "Trigger" the choice "USB gadget connected to host" should live selected. The activity should have got a preset of "write log entry" selected. We leave of absence it similar this together with hitting the "Update" button.
The newly added TriggerAction should live visible inwards the TriggerActions overview at nowadays (the 1 amongst the highest ID) together with present a summary of the selected Trigger together with selected Action inwards readable form.
To attempt out if the newly defined TriggerAction works, navigate over to the "Event Log" tab of the webclient. Make certain you lot have got the webclient opened via WiFi (not USB ethernet). Apply external powerfulness to P4wnP1, disconnect it from the USB host together with connect it again. H5N1 log message should live pushed to the customer every fourth dimension P4wnP1 is attached to a USB host, immediately.
If you lot repeated this a few times, you lot perchance noticed that the "USB gadget connected to host" trigger fires real fast (or inwards an early on stage of USB enumeration phase). To live to a greater extent than precise: When this trigger fires, it is known that P4wnP1 was connected to a USB host, but at that spot is no guarantee that the USB host managed to charge all needed USB device drivers. In fact it is real unlikely that the USB keyboard driver is loaded when the trigger fires. We have got to maintain this inwards mind.
Before nosotros displace on amongst our task, nosotros do an additional test. Heading dorsum to the "TriggerAction" tab together with nosotros press the lilliputian bluish clit looking similar a pen for our newly created TriggerAction. We terminate upward inwards edit trend again.
This time, nosotros enable the
One shot option. Head dorsum to the "Event Log" afterwards, together with again, detach together with re-attach P4wnP1 from the USB host. This fourth dimension the TriggerAction should burn solely once. No affair how often P4wnP1 is re-attached to the USB host afterwards, no novel log message indicating a USB connect should live created.It is worth mentioning that a "One shot" TriggerAction isn't deleted after the Trigger has fired. Instead the TriggerAction is disabled, again. Re-enabling allows reusing a TriggerAction without redefining it. Nothing gets lost until the ruddy "trash" clit is hitting on a TriggerAction, which volition delete the respective TriggerAction.
Warning: If the delete clit for a TriggerAction is clicked, the TriggerAction is deleted permanently without farther confirmation.
At this dot let's do the obvious. We edit the created TriggerAction together with select "start a HIDScript" instead of "write log entry" for the activity to execute. Additionally nosotros disable "one-shot", again. H5N1 novel input patch called "script name" is shown. Clicking on this input patch brings upward a selection dialog for all stored HIDScripts, including our formerly created
tutorial1.js HIDScript.Before nosotros attempt out if this works, permit me brand a quick banking concern annotation on the activity "write log entry": P4wnP1 A.L.O.A. doesn't maintain rails of Triggers which have got already live fired. This agency the log entries created past times a "write log entry" activity are delivered to all listening client, but aren't stored past times the P4wnP1 service (for diverse reasons). The webclient on the other paw stores the log entry until the the webclient itself is reloaded. The same applies to events, which are related to HIDScript jobs. If a HIDScript ends (with success or error), an lawsuit pushed to all currently opened upward webclients. In summary, each webclient has a runtime state, which holds to a greater extent than information than the core service, itself. If the runtime state of the webclient grows to large (too much retention usage), 1 solely needs to reload the customer to clear "historical" sate information. If the core service would acquit the same together with shop every historical information, it would run out of resources real soon. Thus this concept applies to most sub systems of P4wnP1 A.L.O.A.
Now dorsum to our task. We have got a TriggerAction ready, which should burn our HIDScript every fourth dimension P4wnP1 is attached to an USB host.
Depending on the target USB host, this plant to a greater extent than or less reliably. In my attempt out setup it didn't piece of work at all together with there's a reason:
Let's review the start few lines our HIDScript:
// Starting notepad press("WIN R"); // Windows fundamental + R, to opened upward run dialog delay(500); // hold off 500ms for the dialog to opened upward type("notepad.exe\n"); // type 'notepad.exe' to the run dialog, append a RETURN press ... snip ...As nosotros already know that it isn't possible to predict the optimal delay, nosotros exceed amongst the
waitLED(ANY_OR_NONE) approach, explained earlier. The novel script looks similar this:waitLED(ANY_OR_NONE); //assure keyboard driver is ready // Starting notepad press("WIN R"); // Windows fundamental + R, to opened upward run dialog delay(500); // hold off 500ms for the dialog to opened upward type("notepad.exe\n"); // type 'notepad.exe' to the run dialog, append a RETURN press delay(2000); // hold off 2 seconds for notepad to come upward up // Type the message type("Hello world") // Type "Hello world" to notepad // unopen notepad after LED modify waitLEDRepeat(ANY); // hold off for a unmarried LED modify press("ALT F4"); // ALT+F4 shortcut to unopen notepad //as nosotros changed content, at that spot volition live a confirmation dialog before notepad exits delay(500); // hold off for the confirmation dialog press("RIGHT"); // displace focus to adjacent clit (don't save) amongst RIGHT ARROW press("SPACEBAR"); // confirm dialog amongst spacetutorial1) overwrites the erstwhile HIDScript without farther confirmation, equally already pointed out. Thus at that spot is no demand to adjust our TriggerAction, equally the HIDScript scream the TriggerAction refers hasn't changed.With this lilliputian modify everything should piece of work equally intended together with the script should trigger everytime nosotros attach to an USB host, but solely run once.
Now, if P4wnP1 is rebooted or looses power, our HIDScript would survive, because nosotros have got stored it persistently, but the TriggerAction would live gone. Needless to say, that TriggerActions could live stored persistently, too.
The "store" clit inwards the "TriggerAction" tab plant just similar the 1 inwards the HIDScript editor. It should live noted that all currently active TriggerActions volition live stored if the "store" dialog is confirmed (including the disabled ones). The best practise is to delete all TriggerActions which don't belong to the task inwards electrical flow range before storing (they should have got been stored earlier, if needed) together with to solely shop the modest laid of TriggerActions relevant to the electrical flow task, using a proper name. There are 2 options to charge dorsum stored TriggerActions to the active ones:
- "load & replace" clears all active trigger actions together with loads solely the stored ones
- "load & add" keeps the already active TriggerActions together with adds inwards the stored ones. Thus "load & add" could live used to build a complex TriggerAction laid out of smaller sets. The resulting laid could then, again, live stored.
tutorial1 1 time again together with won't conflict amongst the HIDScript called tutorial1.Confirm successful storing, past times hitting the "load&replace" clit inwards the "TriggerAction" tab. The stored TriggerAction laid should live inwards the listing together with named
tutorial1.Warning: The TriggerAction "load" dialogs allow deleting stored TriggerActions past times hitting the ruddy "trash" clit adjacent to each action. Hitting the clit permanently deletes the respective TriggerAction set, without farther confirmation
At this dot nosotros could safely delete our TriggerAction from the "TriggerActions" tab (!!not amongst the trash clit from 1 of the charge dialogs!!).
With the TriggerAction deleted from the active ones, cypher happens if nosotros detach together with re-attach P4wnP1 from the USB host.
Anyways, the stored TriggerAction laid
tutorial1 volition persists reboots together with could live reloaded at anytime.Instead of reloading the TriggerAction laid from amongst the webclient, nosotros endeavour to accomplish that using the CLI client.
Lets direct a quick await into the assist covert of the
template deploy sub-command:root@kali: # P4wnP1_cli template deploy -h Deploy given gadget settings Usage: P4wnP1_cli template deploy [flags] Flags: -b, --bluetooth string Deploy Bluetooth template -f, --full string Deploy total settings template -h, --help assist for deploy -n, --network string Deploy network settings template -t, --trigger-actions string Deploy trigger activity template -u, --usb string Deploy USB settings template -w, --wifi string Deploy WiFi settings templates Global Flags: --host string The host amongst the listening P4wnP1 RPC server (default "localhost") --port string The port on which the P4wnP1 RPC server is listening (default "50051") -t flag. We run the next command, to restore the stored TriggerAction set:P4wnP1_cli template deploy -t tutorial1Storing, loading together with deploying of templates is 1 of the 2 principal concepts behind P4wnP1's automation workflow, the other 1 are the already known TriggerActions. It is worth mentioning, that non solely TriggerAction sets could live stored together with loaded equally templates themselves, but that TriggerActions could live used to deploy already stored templates, if that makes sense.
Revisiting our tasks, it seems all defined requirements are met now:
- we typed "Hello world" into the editor of a Windows USB host
- the editor is opened past times P4wnP1, non manually past times the user
- the editor is closed automatically, when 1 of the keyboard LEDs toggled once
- every fourth dimension P4wnP1 is attached to a USB host, this behaviour repeats
- the HIDScript runs solely once, unless P4wnP1 is re-attached to the USB host, fifty-fifty if successive keyboard LED changes occur
- if P4wnP1 is rebooted, the same behaviour could live recovered past times loading the stored TriggerAction laid (which 1 time again refers to the stored HIDScript). This could either live achieved amongst a unmarried CLI command or amongst a uncomplicated "load&add" or "load&replace" from the webclient's trigger activity tab.
- it should live assured, that the USB configuration has the keyboard functionality enabled (the electrical flow setup doesn't do this together with the TriggerAction couldn't start the HIDScript inwards instance the USB keyboard is disabled)
- the created setup should applied at kick of P4wnP1 A.L.O.A., without the demand of manually loading of the TriggerAction set. The setup has to hold upward a reboot of P4wnP1.
Introduce Master Templates together with Startup Master Template
Before nosotros await into Master Templates, nosotros do something nosotros haven't done, yet, because everything simply worked equally intended so far: We define a valid USB configurations, matching our task!
- device series number: 123456789
- device production name: Auto Writer
- device manufacturer: The Creator
- Product ID: 0x9876
- Vendor ID: 0x1D6B
- enabled USB functions
- HID keyboard
- HID mouse
root@kali: # P4wnP1_cli usb laid -h laid USB Gadget settings Usage: P4wnP1_cli usb laid [flags] Flags: -e, --cdc-ecm Use the CDC ECM gadget role -n, --disable If this flag is set, the gadget stays inactive after deployment (not fountain to UDC) -h, --help assist for laid -k, --hid-keyboard Use the HID KEYBOARD gadget role -m, --hid-mouse Use the HID MOUSE gadget role -g, --hid-raw Use the HID RAW gadget role -f, --manufacturer string Manufacturer string (default "MaMe82") -p, --pid string Product ID (format '0x1347') (default "0x1347") -o, --product string Product scream string (default "P4wnP1 past times MaMe82") -r, --rndis Use the RNDIS gadget role -s, --serial Use the SERIAL gadget role -x, --sn string Serial number (alpha nu meric) (default "deadbeef1337") -u, --ums Use the USB Mass Storage gadget role --ums-cdrom If this flag is set, UMS emulates a CD-Rom instead of a flashdrive (ignored, if UMS disabled) --ums-file string Path to the icon or block device backing UMS (ignored, if UMS disabled) -v, --vid string Vendor ID (format '0x1d6b') (default "0x1d6b") Global Flags: --host string The host amongst the listening P4wnP1 RPC server (default "localhost") --json Output results equally JSON if applicable --port string The port on which the P4wnP1 RPC server is listening (default "50051")root@kali: # P4wnP1_cli usb laid \ > --sn 123456789 \ > --product "Auto Writer" \ > --manufacturer "The Creator" \ > --pid "0x9876" \ > --vid "0x1d6b" \ > --hid-keyboard \ > --hid-mouse Successfully deployed USB gadget settings Enabled: truthful Product: Auto Writer Manufacturer: The Creator Serialnumber: 123456789 PID: 0x9876 VID: 0x1d6b Functions: RNDIS: imitation CDC ECM: imitation Serial: imitation HID Mouse: truthful HID Keyboard: truthful HID Generic: imitation Mass Storage: falseAlthough it is perfectly possible to deploy a USB setup using the CLI, at that spot are several benefits using the webclient inwards favor of the CLI. In this case:
- changing the settings from the webclient is easier together with to a greater extent than convenient
- the webclient holds an internal settings state, this allows defining USB settings without truly deploying them (the CLI on the other hand, could solely manipulate settings past times deploying them. This, again, resets the spell USB stack of P4wnP1 together with all theme functionality. F.e. already running HIDScript would live interrupted or USB network interfaces are redeployed
- the electrical flow settings of the webclient could live stored to a persistent template, without deploying them upfront
- the CLI client, (currently) isn't able to shop USB settings
Let's exceed on amongst storing the USB settings:
Again nosotros hitting the "store" button, this fourth dimension inwards the "USB settings" tab. Once to a greater extent than nosotros telephone yell upward the template
tutorial1 (there is no conflict amongst the TriggerAction template stored nether the same name, because a different namespace is used for USB settings).Now nosotros have got 2 novel together with persistently stored templates::
- a template for the TriggerAction set, named
tutorial1 - a template for the USB settings, also scream
tutorial1
P4wnP1_cli template deploy --usb tutorial1 --trigger-actions tutorial1P4wnP1 template deploy could charge a template for each of the sub systems of P4wnP1 A.L.O.A. inwards a unmarried run (for the network subsystem multiple templates could live loaded, 1 per each adapter). Deploying templates for diverse subsystems is considered a mutual task spell working amongst P4wnP1 A.L.O.A., because inwards most cases it should live necessary to reconfigure several subsystems to range a unmarried goal. To line organisation human relationship for this, so called Master Templates have got been introduced.H5N1 Master Template could consist of:
- a already stored TriggerAction laid template
- a already stored USB settings template
- a already stored WiFi settings template
- a already stored Bluetooth settings template
- multiple stored Network settings templates (one per each adapter)
So lets define a Master Template for our electrical flow task:
- Navigate to the "Generic Settings" tab of the webclient
- On the "Master Template Editor" click on the modest clit on the right to the "TriggerActions Template" field
- From the Dialog direct the
tutorial1template together with confirm amongst "OK" button - If you lot selected the incorrect template, re-open the dialog together with select a different 1 or utilisation the "x" icon on the right to "TriggerAction Template" to delete the electrical flow selection
- Repeat the steps for the "USB Template" selection, 1 time again direct
tutorial1(which is a different template for the USB sub system, although it shares the scream amongst the 1 for the TriggerActions) - Check that the right templates have got been selected for bot, USB together with TriggerActions, together with all other Templates are left empty
- Store the novel Master Template, past times hitting the "Store" clit together with providing the scream
tutorial1
Now hitting the "Deploy Stored" button, select the template named
startup together with confirm amongst "OK".In contrast to the "Load Stored" function, which loads a stored template to the Master Template Editor, the "Deploy Stored" role applies all settings of a Master Template to the corresponding sub systems of P4wnP1, instantly (without fifty-fifty loading them to the Master Template Editor).
As the
startup Master Template overwrites the electrical flow WiFi settings, it could give that you lot have got lost the connexion to the webclient together with demand to reconnect to the P4wnP1 WiFi network.Once you've reconnected successfully together with inspect the electrical flow USB settings together with electrical flow TriggerActions, the settings nosotros stored before have got been overwritten past times the sub settings of the
startup Master Template.There are 2 ways to deploy the
tutorial1 Master Template again:- Deploying it using the "Deploy Stored" dialog from the "Master Template Editor" (as done amongst the
startupMaster Template a minute, ago) - Deploying it using the CLI customer amongst
P4wnP1_cli template deploy --full tutorial1(the--fullflag is an alias for Master Template)
tutorial1, nosotros already achieved 1 of our novel goals:It is assured, that the USB configuration has the keyboard functionality enabled when nosotros charge our keystroke injection setup.
H5N1 quick summary on how this works:
- the Master Template
tutorial1loads USB settings, calledtutorial1which have got- USB keyboard together with USB mouse enabled
- the Master Template
tutorial1loads a TriggerAction laid amongst a unmarried TriggerAction- the TriggerAction starts the HID script
tutorial1.jseach fourth dimension P4wnP1 gets attached to an USB host- the HIDScript starts typing, 1 time the
waitLEDtrigger fires (keyboard driver ready) together with ends after a successive LED change
- the HIDScript starts typing, 1 time the
- the TriggerAction starts the HID script
This goal could live achieved pretty like shooting fish in a barrel now. The "Generic Settings" tab of the webclient presents a card called Startup Master Template. Changing the Startup Master Template to
tutorial1 at this dot would have got immediate resultant together with it would probable *destroy the working kick configuration of P4wnP1 A.L.O.A.".Important: If a Master Template has sub templates left empty (f.e. if at that spot is no Bluetooth template selected), the respective sub organisation isn't reconfigured when the Master Template is loaded. While this comes inwards handy for runtime reconfiguration without resetting already running sub systems similar the USB stack or WiFi stack if non needed, Master Templates used equally Startup Master Template leave of absence sub systems without defined templates inwards an UNDEFINED STATE. If, for example, no valid WiFi template is provided, it is unlikely that P4wnP1 A.L.O.A. volition live reachable via WiFi after reboot
So before deploying our novel
tutorial1 Master Template equally Startup Master Template, nosotros assure proper settings are loaded for the other subsystem. We do that similar this:- From the "Master Template Editor" hitting the "Load Stored" clit together with reload the
tutorial1template to the editor. - The template should have got
tutorial1laid for "TriggerActions Template" together with for "USB template" - For "WiFi Template" select the template named
startup - For "Bluetooth Template" select the template named
startup - For "Network Templates" select the templates named:
bteth_startupusbeth_startupwlan0_startup_dhcp_server
- Overwrite the
tutorial1Master Template amongst the novel settings (hit "Store", acquire intotutorial1together with confirm amongst "OK") - Double banking concern check that the changes have got applied, past times hitting "Load Stored", again, together with selecting
tutorial1. All subsections of the loaded Master Template should await similar described here.
Once rebooted, P4wnP1 A.L.O.A. should trigger the HIDScript automatically (and should nonetheless live reachable via WiFi, to allow reconfiguration)
Congratulations, all goals achieved
You have got learned most the real basic workflow concepts of P4wnP1 A.L.O.A.
3. Where to exceed from here
It is currently non possible to provide a total documentations. So hither are some comments on topics which haven't been touched, yet, but are worth investigating.
BashScripts
P4wnP1 allows running BashScripts from TriggerActions. The scripts which are usable from TriggerActions are homed at
/usr/local/P4wnP1/scripts. If a script is called from a TriggerAction, several arguments (like the actual trigger) are handed inwards via bash variables. The file /usr/local/P4wnP1/scripts/trigger-aware.sh provides a prissy instance of a bash script which acts differently, depending on the calling trigger. It is worth having a await onto this script, equally it uses all "TriggerAction variables" currently available.GPIO
The community of the old P4wnP1 version occasionally came upward amongst hardware mods or extensions of the Rapsberry PI together with the inquiry how to integrate them. It isn't possible for me to provide a generic solution to this problem. Neither is it a practiced idea, to provide back upward for a real specific hardware extension, which is solely used past times a few people. With the introduction of TriggerAction the thought came up, to back upward GPIO equally both, Triggers via GPIO input together with Actions issuing GPIO output. Although non planned for the start release, this characteristic has already been implemented. I nonetheless haven't had the fourth dimension to document it together with it could easily give that some things change. The functionality uses the "periph.io" library amongst some tyke extension (customized border detection amongst custom de-bounce for GPIO, thank you lot to @marcaruel for telephone commutation on this)
nexmon KARMA
The WiFi firmware included amongst P4wnP1 A.L.O.A. has been modified (utilizing nexmon framework) to back upward KARMA. This characteristic hasn't made it into the core so far (needs some rework firmware-wise) together with hence isn't available from webclient or CLI. If you lot wish to play around amongst the karma features, at that spot is a legacy python CLI, which allows setting the KARMA options on the fly. The python script could live establish here:
/usr/local/P4wnP1/legacy/karmatool.pyTip: To acquire most out of the KARMA functionality, you lot should setup P4wnP1 A.L.O.A. to provide a WiFi Access Point without authentication, otherwise it wouldn't brand to much sense. For misfortunate beacon flooding this isn't needed, but (static) custom SSIDs for beaconing are express inwards their number (saving resources on the WiFi chip)
Help covert of karmatool.py:
root@kali:/usr/local/P4wnP1/legacy# ./karmatool.py Firmware inwards utilisation seems to live KARMA capable Firmware configuration tool for KARMA modified nexmon WiFi firmware on Pi0W/Pi3 past times MaMe82 ========================================================================================= RePo: https://github.com/mame82/P4wnP1_nexmon_additions Creds to: seemoo-lab for "NEXMON" projection H5N1 hostapd based Access Point should live upward together with running, when using this tool (see the README for details). Usage: python karmatool.py [Arguments] Arguments: -h Print this assist covert -i Interactive trend -d Load default configuration (KARMA on, KARMA beaconing off, beaconing for xiii mutual SSIDs on, custom SSIDs never expire) -c Print electrical flow KARMA firmware configuration -p 0/1 Disabl e/Enable KARMA probe responses -a 0/1 Disable/Enable KARMA association responses -k 0/1 Disable/Enable KARMA association responses together with probe responses (overrides -p together with -a) -b 0/1 Disable/Enable KARMA beaconing (broadcasts upward to twenty SSIDs spotted inwards probe requests equally beacon) -s 0/1 Disable/Enable custom SSID beaconing (broadcasts upward to twenty SSIDs which have got been added past times the user amongst '--addssid=' when enabled) --addssid="test" Add SSID "test" to custom SSID listing (max twenty SSIDs) --remssid="test" Remove SSID "test" from custom SSID listing --clearssids Clear listing of custom SSIDs --clearkarma Clear listing of karma SSIDs (only influences beaconing, non probes) --autoremkarma=600 Auto take away KARMA SSIDs from beaconing listing after sending 600 beacons without receiving an association (about threescore seconds, 0 = beacon forever) --autoremcustom=3000 Auto take away custom SSIDs from beaconing listing after sending 3000 beacons without receiving an association (about v minutes, 0 = beacon forever) Example: python karmatool.py -k 1 -b 0 Enables KARMA (probe together with association responses) But sends no beacons for SSIDs from received probes python karmatool.py -k 1 -b 0 Enables KARMA (probe together with association responses) together with sends beacons for SSIDs from received probes (max twenty SSIDs, if autoremove isn't enabled) python karmatool.py --addssid="test 1" --addssid="test 2" -s 1 Add SSID "test 1" together with "test 2" together with enable beaconing for custom SSIDs< br/>WiFi covert channel
The WiFi covert channel hasn't been ported to Go together with isn't component subdivision of the P4wnP1 core. Anyways, the legacy functionality is provided. In companionship to brand the covert channel run, several weather have got to live met:
- a keystroke injection has to live applied to the target customer to inject stage1
- stage1 loads stage2 over a (simplified version) of the HID covert channel, hence a especial USB HID device has to live provided together with a especial HID covert channel server has to live started on P4wnP1, inwards companionship to provide stage2
- a 2d server has to live started together with interface the modified WiFi firmware, inwards companionship to deal customer connecting inwards via the WiFi covert channel together with provide interactive trounce access to those clients (the server is a console application which is meant to run inwards a terminal multiplexer, similar
screen)
To send out such a task amongst P4wnP1 A.L.O.A. is a neat instance for its capabilities. Additionally it helps to distinguish what P4wnP1 A.L.O.A. is meant to live together with what is non meant to be.
P4wnP1 A.L.O.A. is non meant to:
- be a "weaponized" tool
- provide RTR payloads, which could live carried out past times everybody, without agreement what's going on or which risks are involved
- be a flexible, low-cost, steal sized platform
- serve equally enabler for tasks similar the 1 described here
- support prototyping, testing together with carrying out all kinds of USB related tasks, usually used during pentest or redteam engagements, without providing a finalized static solution
/usr/local/P4wnP1/legacy folder homes the needed external tools to run the WiFi covert channel (namely the WiFi server, the HID covert channel stager server together with the WiFi covert channel customer agent). Those components could live considered equally external parts (don't belong to P4wnP1 A.L.O.A. core).Additionally P4wnP1 A.L.O.A. provides a configuration, which utilizes the given components to do the next things:
- drive-by against Windows hosts inwards companionship to deliver in-memory customer code to download stage2 via HID covert channel, based on keystroke injection (HIDScript)
- starting the keystroke injection, equally presently equally P4wnP1 is connected to a USB host (TriggerAction issuing HIDScript)
- bring upward the stager, which delivers the WiFi covert channel customer agent via HID covert channel, equally presently equally the keystroke injection starts (TriggerAction running a bash script, which 1 time again starts the external server)
- bring upward the WiFi covert channel server, when needed (same TriggerAction together with BashScript)
- deploy a USB setup which provides a USB keyboard (to allow keystroke injection) together with an additional raw HID device (serves equally covert channel for stage2 delivery) - the USB settings are stored inwards a settings template
- deploy a WiFi setup, which allows remote access to P4wnP1, inwards companionship to allow interaction amongst the CLI frontend of the WiFi covert channel server - the WiFi settings are stored inwards a settings template
- provide a unmarried dot of entry, to deploy all the needed configurations at 1 time (done past times a Master Template, which consists of proper WiFi settings, proper USB settings together with the TriggerActions needed to start the HIDScript)
As presently equally it is re-attached to a USB host, it should start typing out stage1 together with the according servers are started internally. >From a SSH session (for instance over WiFi) the WiFi covert channel server could live accessed using
screen -d -r wifi_c2 to interact amongst clients, which connected dorsum over the WiFi covert channel. As the keystroke injection depends on the USB hosts linguistic communication layout, the according HIDScript called wifi_covert_channel.js has a variable language which could live used to adjust the keyboard layout inwards use. Additionally at that spot is a variable called hide (false past times default). If hide is laid to true, the console Window on the customer gets hidden spell stage1 is typed. This, again, pinpoints how complex tasks could live reduced to a uncomplicated bool variable, thank you lot to HIDScript together with the backing JavaScript engine.The "wifi covert channel" demo provided amongst P4wnP1's Master Templates could live used equally Startup Master Template, too, equally WiFi access is nonetheless possible together with hence the setup could live changed again, remotely at whatever time.
The involved BashScript, which is called from a TriggerAction is a practiced instance how flexible the CLI customer could get. As the HID stager needs to know on which device file to hear (the 1 which represents the generic HID device), but this information is solely available at runtime (depends on enabled USB gadget functions), the script requests the CLI to study the right HID device past times running
hidraw=$(P4wnP1_cli usb acquire device raw).The total BashScript is hosted inwards the folder
/usr/local/P4wnP1/scripts, equally all bash scripts which should live accessible from TriggerActions.Bluetooth NAP
P4wnP1 provides Bluetooth based network functionality over the Bluetooth Network Encapsulation Protocol (BNEP). The currently most interesting characteristic is the Bluetooth Network Access Point (NAP), which allows IP based Bluetooth remote access to P4wnP1, for instance from mobiles.
In companionship to utilisation this characteristic some things should live known:
- The bluetooth network interface, called
btethcould live configured together with templated similar the other network interfaces (webclient or CLI) - In companionship to allow NAP access from an Android mobile (iPhone untested), the mobile non solely needs to connect, but additionally P4wnP1 has to paw out a proper IP for the default gateway on the
btethinterface via DHCP. This is, because the mobile wants to utilisation the NAP equally gateway to the Internet (which would live the intended use). If the NAP itself wouldn't provide a gateway, the Android Mobile would do no farther requests after the DHCP D.O.R.A. The easiest way to overcome this, is to instruct the DHCP server to provide the IP of thebtethinterface itself equally default gateway (DHCP choice 3). Even if at that spot is no existent upstream connection, this worked during my tests - equally the mobile has to access the gateway amongst layer3 communication inwards companionship to "phone home". Even if successive connectivity tests fail, the working layer 3 connexion persists. This allows, for example, SSH access via Bluetooth. With "High Speed" enabled, the webclient plant pretty nice, too. - In companionship to allow PIN based pairing Simple Secure Pairing (SSP) has to live disabled. If SSP is enabled, the running Pairing agent confirms every passkey (which agency fifty-fifty less safety than amongst legacy PIN pairing, equally every device is able to connect). Maybe a confirmation dialog for SSP based passkey pairing volition live implemented for the CLI/webclient inwards future, but currently this is out of scope. I highly advise to disable "discoverable" together with "bondable" if SSP is inwards use, equally presently equally the intended device has paired.
- Another shortcoming of having SSP disabled, is that "High Speed" wouldn't live usable for bluetooth conections (or to enable High Speed, pairing has to live done amongst SSP). Without "High Speed" enabled (uses 802.11 frames for communication) it would direct most 10 minutes to asking the webclient, amongst high speed enabled it takes some seconds. Using SSH together with the CLI customer over a NAP without "High Speed" should live fine, though.
- The default Bluetooth network interface settings (
bteth_startup) together with the default Bluetooth settings (startup) should allow "Low Speed" access over SSH amongst legacy PIN pairing. The PIN is1337together with could live changed from the webclient.
TriggerAction Groups
The TriggerActions come upward amongst a prissy rooting capability called "Groups". I didn't managed to come upward up amongst a characteristic demo inwards time, but I'm planning to include an instance for an LED based four chip binary counter (using GPIOs, a toggle switch together with four LEDs).
The thought of groups is the following:
Consider you lot wish to have got four TriggerActions (TAs) firing on the exact same Trigger (for instance "on attached to USB host"). You could attain this past times creating four TAs, each amongst the Trigger "on attached to USB host".
Alternatively, you lot could direct upward a TriggerAction which sends the value
1 to a grouping named "connected" when the "on attached to USB host" occurs. Now you lot define your other four TriggerActions to burn when the value 1 is received on a grouping named "connected". The resultant would live the same together with non brand equally good much sense for at nowadays (in fact it needs 1 to a greater extent than TriggerAction). The solely positive effect, for now, is that the TriggerActions are slightly to a greater extent than readable, thank you lot to the grouping name, which could live chosen freely.Now the start advanced thing you lot could do, is to run the next CLI command:
P4wnP1_cli trigger mail --group-name=connected --group-value=11 to brand it on the grouping connected would fire. As you lot perchance remember, the CLI customer could run remotely (from different platforms), so it could live used to Trigger command remotely.The Trigger which reacts on "Group channels" is called "value on grouping channel". The to a greater extent than interesting trigger is called "multiple values on grouping channel". This "multiple values" trigger allows to hear for ordered sequences of values, or 1 of multiple values or all values inwards an unordered sequence, before it fires.
Let's say you lot qant to burn a BashScript, when these weather are met:
- The WiFi AP is up
- P4wnP1 has been connected to a USB host
- On "WiFi AP up" --> mail value 1 to grouping "conditions"
- On "attached to USB host" --> mail value 2 to grouping "conditions"
- On "multiple values on grouping channel"; values (1,2); type "All (logical AND)" --> start bash script
If "exact ordered sequence" would have got been used, instead of "All (logical AND)" for the type, the bash script would solely start if the WiFi AP come upward up before the USB connected Trigger (not the otherway around). In combination amongst GPIO triggers, this could for instance live used, to trigger actions based on the input of a uncomplicated PIN pad.
I'm certain you lot have got some prissy usage ideas for "group" channels.
Worth mentioning:
The CLI customer is able to do a blocking wait, till a dedicated value arrives on a "group channel", using a command similar this:
P4wnP1_cli trigger hold off --group-name=waitgroup --group-value=1Work inwards progress, missing sections:
- HIDScript Trigger variables (variables handed inwards to HIDScripts fired from TriggerActions)
- HIDScript helpers (powershell functions)
- HIDScript demo serpent (mouse)
- USB Mass storage (genimg helper)
4. Rescue: Help, I can't range P4wnP1 A.L.O.A. equally I messed upward the configuration
P4wnP1 A.L.O.A. doesn't protect you lot from misconfiguration, which homecoming it unusable (as a root console wouldn't protect you lot from running
rm -rf /).In instance you lot messed everything up, hither some ideas how to cook things:
Database backup
Before you lot direct critical changes to a nonetheless working P4wnP1 configuration, create a database backup. This could either live done from the "Generic Settings" tab of the webclient or the the CLI, amongst the
P4wnP1_cli db backup command. The backup volition live stored inwards the folder /usr/local/P4wnP1/db nether the chosen name. The "restore" role or P4wnP1_cli db restore command could live used to restore a given backup. H5N1 backup contains all stored templates (USB, WiFi, Network, Bluetooth, TriggerActions, MasterTemplates) together with the Startup Master Template which has been set. The backup doesn't include HIDScripts or BashScripts, equally both are stored equally files to allow like shooting fish in a barrel editing.I have got no backup together with messed everything
When P4wnP1 A.L.O.A. starts, it checks if a database exists. If the database doesn't be it fills a novel database based on an initial backup which ships amongst P4wnP1 A.L.O.A.
The initial backup is stored at
/usr/local/P4wnP1/db/init.db together with should never live deleted or overwritten.In companionship to strength P4wnP1 to re-create the actual database has to live deleted. This could live achieved past times mounting the P4wnP1 A.L.O.A. SD card on a organisation which is capable of writing EXT partitions.
Once done, delete the folder
/usr/local/P4wnP1/store from the SD card's root partition. This deletes the database together with hence forces re-creation 1 time P4wnP1 is booted, againI have got a backup, but can't access P4wnP1 to restore it
If you lot can't restore an existing database, because you lot have got no access, you lot could nonetheless follow the steps from "I have got no backup together with messed everything". In improver to deletion of the
/usr/local/P4wnP1/store supplant the /usr/local/P4wnP1/db/init.db file amongst the 1 from your backup (be certain to have got a backup re-create of init.db).This should re-create your custom DB 1 time P4wnP1 is rebooted.
I messed the Startup Master Template of my backup
If you lot have got a backup for which the Startup Master Template doesn't work. You have got to do some additional steps, equally it isn't possible to modify the Startup Template direct inwards a backup.
First follow the steps from "I have got no backup together with messed everything" which re-create the initial P4wnP1 database. After a reboot of P4wnP1, you lot should live able to access P4wnP1's webclient remotely, again.
Move on to the "Generic Settings" together with restore your ain backup (the 1 amongst the incorrect Startup Master Template).
The "Startup Master Template" should present your "broken" Master Template equally selected. If this isn't the case, reload the browser tab hosting the webclient application.
Again, navigate to the "Generic Settings" tab together with select a Startup Master Template which is known to work.
At this dot you lot should live ready to reboot.
non of the inwards a higher identify helped
Sorry, seems you lot have got to recreate your P4wnP1 A.L.O.A. SD crad from a create clean image.
5. Credits
Under construction, random order
- @JohanBrandhorst (close telephone commutation on gRPC-web via gopherjs, ridiculous fast implementation of "websocket for server streaming", characteristic request)
- @steevdave, @_binkybear (kali build scripts, give-and-take ongoing exchange)
- @Re4sonKernel (Support on moving P4wnP1 inwardness changes to a good maintained together with pop repo, collaboration on Bluez fixes)
- @SymbianSyMoh (Inspiration for HID laid on re-trigger without reboot)
- @quasarframework (could listing this nether 3rd political party libs, but the piece of work done hither is insane; the look&feel of the P4wnP1 webclient is to a greater extent than or lees based on default components of this beautiful library)
- @CyberArms (one of the most early on P4wnP1 supporters, author of the best tutorial together with fifty-fifty books on such topics)
- @LucaBongiorni (not solely 1 of the earliest supporters, he does inwards hardware, what I'm solely to do inwards software; he gives talks on the USB subject together with honors Open Source solutions, all inwards all a neat guy together with an inspiration)
- @evilsocket (his block pushed me towards Go, a neat OSS developer, read his code together with you lot know what I mean)
- @RoganDawes together with @Singe from @SensePost (inspiring guys)
- @Swiftb0y (Early supporter, creator of the "old" P4wnP1 WiKi, early on tester for ideas on P4wnP1 A.L.O.A.)
- @marcaruel (discussion on GPIO border detection using periph.io)
6. ToDos together with support
This isn't a total fledged ToDo list, but some milestones are left together with I'd live happy to have som community back upward on this
- Porting the total HID covert channel functionality to Go core (I'm on my ain amongst that)
- add Bluetooth configuration command for CLI
- Create additional keyboard layouts (currently br, de, es, fr, gb, it, ru together with us are supported)
- extend Bluetooth functionality to allow connexion to other discoverable devices (authentication together with trust)
- move WiFi KARMA functionality from dedicated python tool to P4wnP1 core (with webclient support))
- Create total documentation for HIDScript (basically solely the mouse component subdivision is missing)
- Create total documentation for P4wnP1 (hoping for community)
- Get rid of a remaining dependency on the docker netlink (see README of the
netlinkfolder)
P4wnP1 plant amongst custom bindings to the Bluez API. Although the Bluez API supports Low Energy (GATT, emulating peripherals etc.) it isn't planned to integrate this functionality into P4wnP1 A.L.O.A.
Note on Nexmon:
P4wnP1 utilizes nexmon. Most people know nexmon equally a firmware modification which allows enabling monitor trend together with bundle injection for broadcom WiFi chips (including the BCM43430a1, which is used past times the Raspberry Pi Zero W). But nexmon is more, it is a framework which allows modifying ARM firmware blobs (after a chip of reversing), amongst patches written inwards high score C code. P4wnP1 uses this framework, to apply custom patches to the WiFi firmware, which enable hardware based KARMA back upward together with firmware (as good equally driver) back upward for the WiFi covert channel. It isn't the aim of this modifications to provide proper monitor trend or injection back upward for the built-in WiFi interface. Although, the legacy nexmon monitor trend functionality is included inwards the electrical flow WiFi firmware, it is considered "erroneous", equally it interferes amongst measure WiFi functionality used past times P4wnP1 (crashes if the interface is used inwards station trend etc.).
