Red Team Tactics with the P4wnP1 A.L.O.A
The P4wnP1 A.L.O.A is a framework that turns a Raspberry Pi Zero W into “A Little Offensive Appliance” that can be used for a variety of activities during Penetration Testing, Red Teaming, and physical engagements. Because the Raspberry Pi Zero W is inexpensive and the framework is open source, the device is low-cost, easy to customize on the fly, and quick to set up. The framework contains a variety of features, including USB device emulation to simulate Ethernet, mass storage, and mouse and keyboard input over USB; keystroke injection to emulate Rubber Ducky attacks and quickly compromise unlocked machines with a pre-written script; connection to the device via Bluetooth and Wi-Fi; and a full (though outdated) Kali Linux distribution. So far, I’ve mainly explored using it for keystroke injection attacks, which can be used during a physical penetration testing engagement and which I’ll demonstrate throughout this article.
Interface
The P4wnP1 is designed to be easy to use and configure, and its user interface makes that evident. Once the device is powered up, it emits its own WiFi network with a pre-configured password (in a real engagement, be sure to change both the network name and password — the network name makes it very obvious something suspicious is taking place). After connecting to the network, you can browse to the UI by opening a browser and going to http://172.24.0.1:8000/.
P4wnP1 Web Interface
The first page opens up the USB settings where you can edit all of the various settings the device is equipped with, for instance enabling/disabling Ethernet over USB for Windows and Linux, keyboard and mouse functionality for keystroke injection and Rubber Ducky attacks, and enabling USB Mass Storage to save data directly to the P4wnP1. The WiFi and Bluetooth Settings allow you to customize and change the connection information for the device’s WiFi and Bluetooth networks, and the Network Settings allow you to specify a network for the P4wnP1 to automatically connect to. The most interesting option, and the one I’m going to focus on throughout this post, is the HIDScript, as this is the page that allows you to create and run keystroke injection attacks.
The Attack
Generally speaking, a keystroke injection attack tricks a computer into thinking a human interface device (HID) such as a mouse and/or keyboard is plugged in and interacting with it. While some computers are configured to not trust storage devices such as USB drives by default, particularly in corporate environments, nearly every computer used today is configured to automatically accept input from a mouse or keyboard. Any attacker with physical access to an unlocked computer can exploit this feature to plug in a pre-configured device such as a USB Rubber Ducky from Hak5 or a P4wnP1 on a Raspberry Pi Zero and run a keystroke injection attack, which can execute dozens of commands in seconds, leading to the exfiltration of data, the creation of a reverse shell, or the downloading and execution of malware.
The P4wnP1 uses its own syntax for the HID Scripts which is simple and easy to learn, and mainly consists of pressing specific keys (such as ENTER or CTRL), typing strings, and waiting. Keystrokes can be injected faster than the receiving device can keep up with, so in the situation where the attack involves opening certain windows such as PowerShell or Command Prompt, the wait function forces the script to wait a specified amount of time before continuing with the attack. Without this functionality, commands may be “typed” by the device before the necessary program is open, leading to incomplete commands being entered and the ultimate failure of the attack.
HIDScript Editor
The screenshot above shows the HIDScript Editor where the attacker can write and customize scripts for the various attacks. The P4wnP1 comes pre-loaded with a few scripts; however, the script shown above was created for the purpose of this demonstration. For a simple proof-of-concept, this script copies the WiFi passwords for all WiFi networks stored on the computer over to the P4wnP1 for later analysis. For this attack to work you first have to navigate to the USB settings for the P4wnP1 and enable the USB Mass Storage option. Then choose the default .bin image, disable mouse emulation, save the new configuration, and you’ll be ready to load up the script and run it.
The video above shows the script running in real time and demonstrates just how little time an attacker would need to successfully execute the attack. The script uses the Run dialogue to open a PowerShell window with Administrative privileges, then keystroke injections to automatically select “Yes” in the User Account Control (UAC) to run it as Administrator. It then “types” in the necessary one-liner to save the credentials to the P4wnP1, which was mounted to the computer as storage device “E”. The complete attack takes less than 10 seconds, meaning a prepared attacker could grab these credentials from an unlocked computer in less time than it takes an employee to take a restroom break.
The next attack is similar, but instead of grabbing WiFi credentials the script downloads a specific file to the P4wnP1 for later analysis.
You may notice the attack above runs slower than the first one. It demonstrates an additional feature of the P4wnP1’s HID Scripts, which allows the attacker to specify the speed and jitter at which the keystrokes are injected to more closely resemble how a human might type. Some protection mechanisms measure how quickly a given user commonly types, including the variations in that typing speed (called jitter), and may throw an alert if commands are suddenly typed extremely fast with no variation in the speed (additional information can be found here). In an attempt to circumvent this, P4wnP1 allows an attacker to slow down the speed at which the commands are injected and introduce some variation to make it seem more human-like.
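To make the timing check described above concrete, here is an added PowerShell example (written for this edit; it is not code from the original post or from the P4wnP1 project). It profiles the intervals between key-down events and flags a burst that is both faster and more uniform than a person could type. The thresholds (40 ms mean interval, 10 ms jitter) and the three timestamp series are assumed, constructed values, not measurements.

```powershell
# Added example, not part of the original post or the P4wnP1 project:
# profile inter-keystroke timing and flag bursts that are too fast and too
# uniform to be human typing. Thresholds and sample timestamps are assumed.

function Get-TypingProfile {
    param([Parameter(Mandatory)][double[]]$TimestampsMs)   # key-down times in ms

    if ($TimestampsMs.Count -lt 2) { return $null }
    $intervals = for ($i = 1; $i -lt $TimestampsMs.Count; $i++) {
        $TimestampsMs[$i] - $TimestampsMs[$i - 1]
    }
    $mean     = ($intervals | Measure-Object -Average).Average
    $variance = ($intervals | ForEach-Object { ($_ - $mean) * ($_ - $mean) } |
                 Measure-Object -Average).Average
    [pscustomobject]@{
        Keystrokes     = $TimestampsMs.Count
        MeanIntervalMs = [math]::Round($mean, 2)
        JitterMs       = [math]::Round([math]::Sqrt($variance), 2)  # std dev of the intervals
    }
}

function Test-InjectedTyping {
    param(
        [Parameter(Mandatory)]$TypingProfile,
        [double]$MinHumanIntervalMs = 40,   # assumed: faster than ~25 keys/s is not a person
        [double]$MinHumanJitterMs   = 10    # assumed: real typing is never metronomic
    )
    if (-not $TypingProfile) { return $false }
    return ($TypingProfile.MeanIntervalMs -lt $MinHumanIntervalMs) -and
           ($TypingProfile.JitterMs -lt $MinHumanJitterMs)
}

# Constructed samples (not captured data):
$human    = @(0, 180, 310, 520, 640, 900, 1010, 1230)   # ~6 keys/s with natural variation
$injected = 0..29 | ForEach-Object { $_ * 5 }          # 30 keys at a fixed 5 ms spacing
$jittered = @(0, 95, 210, 290, 420, 560, 640, 780)      # injection slowed down with jitter enabled

foreach ($sample in @(
        @{ Name = 'human';    T = $human },
        @{ Name = 'injected'; T = $injected },
        @{ Name = 'jittered'; T = $jittered })) {
    $p = Get-TypingProfile -TimestampsMs $sample.T
    '{0,-9} mean={1,7} ms  jitter={2,6} ms  flagged={3}' -f $sample.Name, $p.MeanIntervalMs, $p.JitterMs, (Test-InjectedTyping $p)
}
```

Only the fixed-spacing burst is flagged: the slowed, jittered series has a mean interval above the threshold and is missed by this generic check. That is exactly why the protection mechanisms mentioned above compare against the specific user’s own typing baseline rather than a fixed cutoff, and why a slowed-down injection is still worth correlating with other signals such as a new HID device appearing moments before the keystrokes.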
This attack demonstrates an individual’s ability to quickly copy a file to the P4wnP1 with only a few seconds of access. However, the attack could easily be expanded to download an entire folder or set of folders, such as a user’s Desktop or Documents folder, though as more files are downloaded more time will be necessary for the attack to be successful. In both of the above attacks, the files are downloaded to the P4wnP1 to avoid sending sensitive information over the network, however, the scripts can be easily modified to send the information to an email address instead. Check out this excellent post for the changes necessary to do that. This simple change would allow the attacker to exfiltrate the information in environments where USB devices are denied from connecting by default.
In addition to the above attacks, the P4wnP1 could be used for numerous other attacks that are only limited by the attacker’s imagination and the defenses in place. For instance, as mentioned at the beginning of this post, a PowerShell reverse shell could be quickly set up, or a Cobalt Strike or other C2 beacon could be downloaded and executed. Or the script could simply force the computer to make a network request to an attacker-controlled machine, enabling the attacker to capture the logged-in account’s NetNTLMv2 hash or relay it to other devices on the network. Just about any attack that could be carried out with physical access to the machine could be carried out with the P4wnP1 with just a few seconds of access.
Mitigation
As this form of attack requires direct physical access to an unlocked computer, the first step to mitigate it is also the easiest: never leave an unlocked computer unattended; always lock, log out, or shut down the computer before leaving it. Most modern computers can be quickly locked by pressing the Windows Key + L, which does not shut down any of the open windows or browsers but will require entering the system or account password before you can interact with it again. If you’re prone to walking away from your unlocked computer, the power settings will typically have the option to lock or put the system to sleep after X minutes of inactivity, allowing you to choose the appropriate waiting period.
The next thing you can do on Windows devices is force the UAC dialogue to always require an administrator password to perform elevated actions. When the UAC prompt only requires the user to click “Yes” to perform actions with administrative privileges, the P4wnP1 can easily bypass the prompt. Requiring an administrative password will require the attacker to already know the admin password for the system and to have already included it in the HID script. This step won’t prevent all actions that the P4wnP1 could take, but it will limit what actions can be taken and the permission levels with which they can be executed.
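Both Windows mitigations above, auto-locking after a period of inactivity and making UAC ask for a password rather than a click, live under the same policy registry key. The following PowerShell is an added example written for this edit (not from the original post): it audits the current values and, when run from an elevated session, applies the hardened ones. The five-minute lock timeout is an assumed choice; the registry value names and the meanings of `ConsentPromptBehaviorAdmin` are the documented Windows ones.

```powershell
# Added example, not part of the original post: audit and apply the two
# Windows mitigations described above (auto-lock on inactivity and a UAC
# prompt that asks for credentials instead of a click). Run elevated to apply.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin
$adminPromptMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

function Get-PhysicalAccessPolicy {
    $p = Get-ItemProperty -Path $policyKey
    # A missing consent value means the Windows default (5); a missing timeout means "never lock".
    $consent = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $timeout = if ($null -ne $p.InactivityTimeoutSecs) { [int]$p.InactivityTimeoutSecs } else { 0 }
    [pscustomobject]@{
        ConsentPromptBehaviorAdmin = $consent
        Meaning                    = $adminPromptMeaning[$consent]
        # Only modes 1 and 3 ask for a password, which a click-only "Yes" keystroke cannot supply.
        UacRequiresPassword        = $consent -in 1, 3
        InactivityTimeoutSecs      = $timeout
        AutoLockEnabled            = $timeout -gt 0
    }
}

function Set-PhysicalAccessPolicy {
    param([int]$LockAfterSeconds = 300)   # assumed choice: lock after 5 minutes idle
    # UAC: prompt for credentials on the secure desktop
    Set-ItemProperty -Path $policyKey -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
    Set-ItemProperty -Path $policyKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    # "Interactive logon: Machine inactivity limit" (the Local Security Policy setting)
    Set-ItemProperty -Path $policyKey -Name InactivityTimeoutSecs -Value $LockAfterSeconds -Type DWord
}

Get-PhysicalAccessPolicy
# Set-PhysicalAccessPolicy -LockAfterSeconds 300   # uncomment in an elevated session to apply
```

Run the audit first on a representative workstation: a result with `UacRequiresPassword` false and `AutoLockEnabled` false is the exact state the two attacks above rely on. On domain-joined machines the same settings are normally pushed through Group Policy, which will overwrite local registry edits, so make the change in the policy that actually applies.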
Resources
Rogan Dawes and his work on the P4wnP1:
https://github.com/RoganDawes/P4wnP1_aloa
You can find the scripts used in this demonstration on Github. These scripts are made available only for educational purposes. Do not use them on devices or networks you do not own or have explicit permission to test.