
hackpi's Introduction

HackPi Readme

HackPi is a combination of Samy Kamkar's PoisonTap and Responder (original idea by Mubix) on a Raspberry Pi Zero. It exploits locked/password-protected computers over USB, drops a persistent WebSocket-based backdoor, exposes the internal router, siphons cookies and snags NTLM hashed credentials.
It works automatically on Windows, Linux and MacOs without any user interaction (e.g. no manual driver installation).

Installation

  1. Clone Hackpi into your user's home folder (usually /home/pi):
    git clone https://github.com/wismna/HackPi
  2. Execute the installer:
    sudo chmod +x install.sh
    ./install.sh
  3. Reboot the Pi, it should work!

For troubleshooting network issues on Linux or MacOs (not Windows at this time, unfortunately), you should be able to connect to your Raspberry Pi via the serial interface and investigate the problems:

sudo screen /dev/ttyACM0 115200

How it works

Creating the ethernet gadget

The really simple way to create a gadget on the Pi is to follow this guide and use the g_ether kernel module. However, g_ether is a legacy module that definitely does not work on Windows. During all my tests, the gadget was systematically recognized as a COM3 device. I couldn't even force newer versions of Windows (10) to use an Ethernet driver. Also, it's impossible to emulate more than one device at the same time.

I then found this great guide, which uses the libcomposite kernel module. This is far more advanced, as it allows precise configuration of the gadget as well as the ability to emulate more than one device at the same time.

I created an Ethernet gadget adapter as well as the serial adapter in a single configuration. The serial adapter is very very useful, especially while testing the Ethernet configuration, as if you make a breaking change and can't ssh back to your Raspberry Pi Zero, you still can use the console:
sudo screen /dev/ttyACM0 115200

To make the Ethernet gadget work on Windows, I used a little trick. When Windows is communicating with the adapter, it will look in its .inf files for a matching driver based on idVendor and idProduct (as well as bcdDevice for revision). Knowing this, I used

echo 0x04b3 > idVendor
echo 0x4010 > idProduct

so that Windows would load its generic RNDIS driver netimm.inf. However, this still wouldn't work for me, even though it appeared to be working for other people. Windows would load the driver but fail to start the adapter with a code 10 error.

Browsing a bit (a lot...) I determined that Windows would only reliably work with a RNDIS configuration. So I added a new configuration designed to emulate the RNDIS function. This configuration had to be defined first for Windows to work. Linux and Mac (supposedly) are smart enough to ignore it and load the second one, the CDC ECM configuration. And lo and behold, it worked! Windows correctly loaded the driver and the adapter, with no manual intervention. Unfortunately it didn't work on Linux anymore... great.
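An added example, not HackPi's own code, looking at the same mechanism from the host side: a POSIX sh/awk filter over Linux kernel log lines (dmesg or journalctl -k) that raises an alert whenever a USB network interface is registered by cdc_ether (CDC ECM) or rndis_host (RNDIS), and tags devices announcing the 04b3:4010 pair written into idVendor/idProduct above. The sample log lines are constructed; the 1234:xxxx devices and their Demo* product strings are placeholders.

```shell
#!/bin/sh
# Added example, not part of HackPi: host-side detection of a USB network
# gadget from Linux kernel log lines (dmesg / journalctl -k output).

# idVendor:idProduct pair the README writes into configfs so that Windows
# loads its generic RNDIS driver; a Linux host logs it verbatim in dmesg.
SUSPECT_IDS="04b3:4010"

# usb_gadget_alerts: read kernel log lines on stdin, print one ALERT line per
# USB network interface registered by cdc_ether (CDC ECM) or rndis_host
# (RNDIS), tagged with the announcing device's ids and product string.
usb_gadget_alerts() {
    awk -v suspect="$SUSPECT_IDS" '
    { sub(/^\[[ 0-9.]*\] */, "") }           # drop the "[  101.400000] " prefix
    # usb 1-1: New USB device found, idVendor=04b3, idProduct=4010, ...
    /^usb .*New USB device found/ {
        dev = $2; sub(/:$/, "", dev)
        vid = ""; pid = ""
        if (match($0, /idVendor=[0-9a-fA-F]+/))  vid = substr($0, RSTART + 9, RLENGTH - 9)
        if (match($0, /idProduct=[0-9a-fA-F]+/)) pid = substr($0, RSTART + 10, RLENGTH - 10)
        ids[dev] = tolower(vid ":" pid)
        next
    }
    # usb 1-1: Product: PiZero
    /^usb .*: Product: / {
        dev = $2; sub(/:$/, "", dev)
        p = $0; sub(/.*Product: /, "", p); prod[dev] = p
        next
    }
    # cdc_ether 1-1:1.0 usb0: register .cdc_ether. at ..., CDC Ethernet Device, <mac>
    /^(cdc_ether|rndis_host) .*register / {
        drv = $1
        dev = $2; sub(/:[0-9.]+$/, "", dev)  # "1-1:1.0" (interface) -> "1-1" (device)
        iface = $3; sub(/:$/, "", iface)
        id = (dev in ids) ? ids[dev] : "unknown"
        p = (dev in prod) ? prod[dev] : "unknown"
        flag = (id == suspect) ? "yes" : "no"
        printf "ALERT dev=%s ids=%s product=%s iface=%s driver=%s suspect=%s\n", dev, id, p, iface, drv, flag
    }'
}

# Constructed sample of host kernel messages: a HackPi-style gadget on 1-1, a
# HID-only device on 2-3 (no network interface, so no alert) and a plain USB
# NIC on 3-1 with placeholder ids 1234:abcd.
sample_log() {
    cat <<'EOF'
[  101.234567] usb 1-1: new high-speed USB device number 5 using xhci_hcd
[  101.400000] usb 1-1: New USB device found, idVendor=04b3, idProduct=4010, bcdDevice= 1.00
[  101.400100] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  101.400200] usb 1-1: Product: PiZero
[  101.400300] usb 1-1: Manufacturer: wismna
[  101.600000] cdc_ether 1-1:1.0 usb0: register 'cdc_ether' at usb-0000:00:14.0-1, CDC Ethernet Device, 48:6f:73:74:50:43
[  140.100000] usb 2-3: New USB device found, idVendor=1234, idProduct=0001, bcdDevice= 1.00
[  140.100100] usb 2-3: Product: DemoKeyboard
[  140.200000] input: DemoKeyboard as /devices/pci0000:00/0000:00:14.0/usb2/2-3/2-3:1.0/input/input12
[ 2200.500000] usb 3-1: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
[ 2200.500100] usb 3-1: Product: DemoNIC
[ 2200.700000] rndis_host 3-1:1.0 eth1: register 'rndis_host' at usb-0000:00:14.0-3, RNDIS device, 00:11:22:33:44:55
EOF
}

# demo: run the constructed log through the filter; returns the ALERT lines.
demo() { sample_log | usb_gadget_alerts; }

demo
```

On a real host, feed it `dmesg` or `journalctl -k -f`; the suspect flag is only a hint, since the vendor:product pair is trivially changed, so the registration of any unexpected USB network interface is the event worth acting on.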

Bridge interface

I realized (thanks to the serial console) that each configfs configuration creates a new network interface (usb0, usb1 and so on). However, all the servers were listening exclusively on usb0, which was assigned to the RNDIS configuration. Linux ignored this configuration to load the CDC ECM one, where no servers (especially ISC-DHCP) were listening and no routes nor iptables rules were added.

The easy solution would have been to duplicate everything, but I decided instead to create a bridge interface, br0, which would be the master of all usbX interfaces. Then, I would make the servers listen on that interface, as well as add the routes and iptables rules. After a bit of fiddling around, it worked!

My gadget was now automatically recognized by Windows and Linux, without having to change anything in the configuration files. Unfortunately (bis...) the gadget stopped working on MacOs, because since version 10.11 it is no longer smart enough to load the CDC ECM configuration if it isn't the first one! I now needed a way for the gadget to recognize the host it was connected to via USB fingerprinting, so that I could configure libcomposite accordingly.

OS fingerprinting

This is where the fun began. I had two big issues to overcome:
  1. Find a way to dump, trace or sniff USB traffic on a USB controller set up as a device
  2. The chicken and the egg problem: to trace USB traffic, the gadget needed to be set up, but to be set up correctly, I needed to trace USB traffic...

The first thing to do was to find a way to dump incoming USB traffic. The obvious answer was to use the usbmon kernel module, which allows tracing of USB data. Unfortunately, this doesn't work at all (no data is captured) when the USB controller is in device mode. But to create a USB gadget of any kind, the controller has to be set in device (or peripheral) mode. So no usbmon, and consequently no tcpdump, Wireshark or whatever else uses usbmon traces.
For device mode to work on the Raspberry Pi Zero, we have to load a kernel module, dwc2, which enables USB OTG (dynamic switching between host and device modes). I tried setting the module to act as a host to enable usbmon on it, but then no gadget would work, and there would be no trace. After a lot of going around in circles, I decided to read the source of this module to understand how it worked. I found a function which handles the reception of USB Setup Requests, which is exactly what I was interested in. So I simply added a printk() call in there to output these requests in the kernel messages, which could then be seen by calling dmesg.
Clearly, this is not the most elegant way to do it, but I:

  • Didn't want to recompile the whole kernel just to add debugging
  • Didn't want any other debugging messages

So, I made my change, recompiled the module, replaced the standard one with this one, and finally! I could see the USB Setup Requests in dmesg.

I now had to tackle the next issue: the messages would only be shown when the gadget was initialized. But I wanted to see those messages before initializing the gadget so that it could be set up properly! So I got the idea: what if I loaded a "dummy" gadget at boot, let it generate USB trace data, then disabled it and activated the "real" gadget?
I tried at first creating another libcomposite gadget, but it wouldn't work properly. I then decided to load one of the legacy modules which was replaced by libcomposite, g_ether. Even though it was a legacy module, it would still work, and as added bonuses, it required no configuration at all and was loaded very early during boot. I tested that, and it worked: the g_ether gadget was generating USB traffic in dmesg, which I would interpret to determine which OS the Raspberry Pi was connected to.

Granted, for the time being it is quite simple, as it only distinguishes MacOs from the other OSs (which however is exactly what I needed), but it should be relatively easy to use this data to perform more precise USB fingerprinting.

So, finally, after all this, I now have an Ethernet gadget that is recognized and loaded, without any user interaction (no manual driver installation, etc.), on all major OSs: Linux, MacOS and Windows!

hackpi's People

Contributors

whoot


hackpi's Issues

Trying to add keyboard to gadget

Hi,

First, thanks for your great work :) I have been using your repository for my testing of PoisonTap and love it.

I have been trying to add a keyboard gadget without much success.

I modified the gadget.sh like this:

#!/bin/sh
#
# HackPi
#  by wismna
#  http://github.com/wismna/raspberry-pi/hackpi
#  14/01/2017
#

cd /sys/kernel/config/usb_gadget/
mkdir -p hackpi
cd hackpi

OS=`cat /home/pi/os.txt`
HOST="48:6f:73:74:50:43"
SELF0="42:61:64:55:53:42"
SELF1="42:61:64:55:53:43"
SELF2="42:61:64:55:53:43"

echo 0x04b3 > idVendor
echo 0x4010 > idProduct

echo 0x0100 > bcdDevice # v1.0.0
mkdir -p strings/0x409
echo "badc0deddeadbeef" > strings/0x409/serialnumber
echo "wismna" > strings/0x409/manufacturer
echo "PiZero" > strings/0x409/product

if [ "$OS" != "MacOs" ]; then
        # Config 1: RNDIS
        mkdir -p configs/c.1/strings/0x409
        echo "0x80" > configs/c.1/bmAttributes
        echo 250 > configs/c.1/MaxPower
        echo "Config 1: RNDIS network" > configs/c.1/strings/0x409/configuration

        echo "1" > os_desc/use
        echo "0xcd" > os_desc/b_vendor_code
        echo "MSFT100" > os_desc/qw_sign

        mkdir -p functions/rndis.usb0
        echo $SELF0 > functions/rndis.usb0/dev_addr
        echo $HOST > functions/rndis.usb0/host_addr
        echo "RNDIS" > functions/rndis.usb0/os_desc/interface.rndis/compatible_id
        echo "5162001" > functions/rndis.usb0/os_desc/interface.rndis/sub_compatible_id
fi

# Config 2: CDC ECM
mkdir -p configs/c.2/strings/0x409
echo "Config 2: ECM network" > configs/c.2/strings/0x409/configuration
echo 250 > configs/c.2/MaxPower

mkdir -p functions/ecm.usb0
# first byte of address must be even
echo $HOST > functions/ecm.usb0/host_addr
echo $SELF1 > functions/ecm.usb0/dev_addr

# Create the CDC ACM function
mkdir -p functions/acm.gs0

mkdir -p functions/hid.usb0
echo 1 > functions/hid.0/protocol
echo 1 > functions/hid.0/subclass
echo 8 > functions/hid.0/report_length
echo -ne \\x05\\x01\\x09\\x06\\xa1\\x01\\x05\\x07\\x19\\xe0\\x29\\xe7\\x15\\x00\\x25\\x01\\x75\\x01\\x95\\x08\\x81\\x02\\x95\\x01\\x75\\x08\\x81\\x03\\x95\\x05\\x75\\x01\\x05\\x08\\x19\\x01\\x29\\x05\\x91\\x02\\x95\\x01\\x75\\x03\\x91\\x03\\x95\\x06\\x75\\x08\\x15\\x00\\x25\\x65\\x05\\x07\\x19\\x00\\x29\\x65\\x81\\x00\\xc0 > functions/hid.0/report_desc


# Link everything and bind the USB device
if [ "$OS" != "MacOs" ]; then
        ln -s configs/c.1 os_desc
        ln -s functions/rndis.usb0 configs/c.1
fi

ln -s functions/ecm.usb0 configs/c.2
ln -s functions/acm.gs0 configs/c.2
ln -s functions/hid.usb0 configs/c.2
# End functions
ls /sys/class/udc > UDC

But I'm receiving a kernel panic on boot like this one:

[   24.552717] Unable to handle kernel NULL pointer dereference at virtual address 00000002
[   24.558020] pgd = d8534000
[   24.563353] [00000002] *pgd=18d4c831, *pte=00000000, *ppte=00000000
[   24.568837] Internal error: Oops: 17 [#1] ARM
[   24.574084] Modules linked in: usb_f_hid usb_f_acm u_serial usb_f_rndis bnep hci_uart btbcm bluetooth bridge stp llc brcmfmac brcmutil snd_bcm2835 cfg80211 snd_pcm rfkill snd_timer snd bcm2835_gpiomem uio_pdrv_genirq uio fixed usb_f_ecm u_ether libcomposite dwc2 udc_core ipv6 [last unloaded: usb_f_rndis]
[   24.586514] CPU: 0 PID: 818 Comm: ls Not tainted 4.9.24+ #993
[   24.592339] Hardware name: BCM2835
[   24.598413] task: d8d3c420 task.stack: da686000
[   24.604646] PC is at alloc_ep_req+0x30/0xa8 [libcomposite]
[   24.610500] LR is at 0x0
[   24.616628] pc : [<bf0b6fe8>]    lr : [<00000000>]    psr: a0000013
sp : da687d98  ip : 00000000  fp : da687db4
[   24.628734] r10: da6622c8  r9 : d8cd56c4  r8 : da662270
[   24.634894] r7 : d8cd56a8  r6 : d8cd7f80  r5 : da649a90  r4 : 00000000
[   24.640883] r3 : d8cd7fb4  r2 : 00000000  r1 : 00000000  r0 : d8cd7f80
[   24.646878] Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[   24.653058] Control: 00c5387d  Table: 18534008  DAC: 00000055
[   24.658985] Process ls (pid: 818, stack limit = 0xda686188)
[   24.665233] Stack: (0xda687d98 to 0xda688000)
[   24.806068] [<bf0b6fe8>] (alloc_ep_req [libcomposite]) from [<bf43b7f0>] (hidg_bind+0xa0/0x258 [usb_f_hid])
[   24.813255] [<bf43b7f0>] (hidg_bind [usb_f_hid]) from [<bf0b20c0>] (usb_add_function+0x7c/0x164 [libcomposite])
[   24.820842] [<bf0b20c0>] (usb_add_function [libcomposite]) from [<bf0b6384>] (configfs_composite_bind+0x24c/0x360 [libcomposite])
[   24.828355] [<bf0b6384>] (configfs_composite_bind [libcomposite]) from [<bf079838>] (udc_bind_to_driver+0x3c/0xe0 [udc_core])
[   24.836220] [<bf079838>] (udc_bind_to_driver [udc_core]) from [<bf079d68>] (usb_gadget_probe_driver+0x100/0x14c [udc_core])
[   24.843934] [<bf079d68>] (usb_gadget_probe_driver [udc_core]) from [<bf0b6d10>] (gadget_dev_desc_UDC_store+0xb0/0xcc [libcomposite])
[   24.852066] [<bf0b6d10>] (gadget_dev_desc_UDC_store [libcomposite]) from [<c01baf30>] (configfs_write_file+0xd4/0x17c)
[   24.859906] [<c01baf30>] (configfs_write_file) from [<c0143dec>] (__vfs_write+0x38/0x128)
[   24.868070] [<c0143dec>] (__vfs_write) from [<c0144c24>] (vfs_write+0xb0/0x1bc)
[   24.875963] [<c0144c24>] (vfs_write) from [<c0145d34>] (SyS_write+0x54/0xb0)
[   24.884219] [<c0145d34>] (SyS_write) from [<c000fe40>] (ret_fast_syscall+0x0/0x1c)
[   24.892172] Code: ebff044d e2506000 0a000013 e5952024 (e1d230d2)
[   24.900498] ---[ end trace c29f93dff280ffe1 ]---

Thanks in advance!

wireless interface doesn't work?

I have finished the install, and the USB plug test on Win 10 is good.
But when the Raspberry is started from an independent power supply (not plugged into a PC's USB), the wireless interface cannot be used: iwlist can scan SSIDs, but it cannot connect to wifi. Is this normal?

Not detected by any OS

Hi

I was curious about your project, so I gave it a try.
But my Raspberry Pi Zero is not detected as an Ethernet adapter by any OS.
Here are the steps that I followed:
1. I did a fresh install of Raspbian.
2. apt-get install git
3. git clone https://github.com/wismna/HackPi
4. sudo chmod +x install.sh
5. ./install.sh

Then I plugged it into a Win 10 laptop. Nothing happened.
Then I plugged it into a Mac OS Sierra laptop. Same.

No error in /var/log/syslog.
gadget.log and usbreq.log are empty.
In the os.txt file I got "Unknow".

So I read the source code a little and I tried to force the Mac Os detection.
I modified gadget.sh :

#OS=`cat /home/pi/os.txt`
OS="MacOs"

But it's not working :).
I didn't have the time to search more, I will update this issue.

Did I do something wrong?
I should specify that the original PoisonTap works well on the Mac laptop, but not on the Windows one.

Issue after reboot

I followed the tutorial, and it works well. But after rebooting my Raspberry Pi 3 (the one I'm using for the configuration) I'm unable to connect via ssh and my USB keyboard is not detected.

Can someone help?
Thank you for reading this.

ps : I'm using Jessie Lite.

Implemented recently?

Hi, just checking in: has this been deployed recently and successfully on a Raspberry Pi Zero W?

I followed the instructions to run the standard install.sh script but had failures detecting the kernel, and then the device would not get detected on a MacBook. Only Windows would see the device, and the DHCP component tied to PoisonTap would not work on Windows: no DHCP address of 1.0.0.1 was handed out.

WINDOWS OS

DOES THIS WORK IN WINDOWS 7 AND 10?
Thanks for your understanding and the hard work you do to let us hack other cookies while eating cookies.

backend server tutorial

Hello,
I am trying to set up the backend server, but I don't know any good hosting...
Do you have an idea where I can host my server?
And do you have a tutorial on how to do this?

kind regards

Natascha

Can't install

EDIT

So I figured out that it doesn't work when I try to install HackPi while my SD card is in my rpi3.

Now I finally installed it on my rpi zero, with some errors though:

https://pastebin.com/5tnUPiDp

Generating /etc/default/isc-dhcp-server... Job for isc-dhcp-server.service failed. See 'systemctl status isc-dhcp-server.service' and 'journalctl -xn' for details. invoke-rc.d: initscript isc-dhcp-server, action "start" failed.
Backup files? [y/n] N cp: cannot create regular file ‘/lib/modules/4.4.50+/kernel/drivers/usb/dwc2/dwc2.ko’: No such file or directory

help manual??

Hi, is it possible to improve PoisonTap and Responder in HackPi by following a specific configuration manual, or a POC tutorial? It's too complicated for a novice.
There is also a question: can HackPi integrate a browser exploit, and at the same time be able to do a HID (keyboard input) attack?

Guide for only running Responder

Hi,
I was wondering what needs to be disabled/commented out to just run Responder to capture the creds (i.e. not run PoisonTap) ?

Is it a matter of just commenting out the following lines in rc.local?

/sbin/sysctl -w net.ipv4.ip_forward=1
/sbin/iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 1337
/usr/bin/screen -dmS dnsspoof /usr/sbin/dnsspoof -i br0 port 53
/usr/bin/screen -dmS node /usr/bin/nodejs /home/pi/poisontap/pi_poisontap.js

Thanks for the great work!

Serial interface on OSX High Sierra doesn't work

Hey,

I installed HackPi on a Raspberry Pi Zero W without any errors and without the backdoor.
It seems to work fine but I have 2 problems:

  1. After I plugged it in the first time (usb <--> computer) I can't ssh via Wifi to the Pi. Why?
  2. I wanted to see the output of sudo screen /dev/ttyACM0 115200 but I get the response Cannot exec '/dev/ttyACM0 ': no such file or directory. What's the problem?

Windows does not recognize the ethernet adapter

Hello,
I've been trying to make PoisonTap work on a Raspberry Pi Zero and started with Samy Kamkar's GitHub. After having several problems I wrote to Samy and he told me that I had to try HackPi. After following your tutorial to do the installation I have had the same problems as with Samy's version. Windows 10 recognizes the device as a Serial Bus. Windows 7 recognized the device as an RNDIS Ethernet Gadget but did not install the driver. Linux installs the USB device but nothing is executed.
Thank you very much! Regards!
