P4wnP1 A.L.O.A. – Framework Which Turns A Rapsberry Pi Zero W Into A Flexible, Low-Cost Platform For Pentesting, Red Teaming And Physical Engagements

P4wnP1 A.L.O.A. by MaMe82 is a framework which turns a Rapsberry Pi Zero W into a flexible, low-cost platform for pentesting, red teaming and physical engagements … or into “A Little Offensive Appliance".0. How to installThe latest image could be found under release tab.The easiest way to access a fresh P4wnP1 A.L.O.A. installation is to use the web client via the spawned WiFi (the PSK is MaMe82-P4wnP1, the URL or SSH (default password toor).1. FeaturesPlug&Play USB device emulationUSB functions: USB Ethernet (RNDIS and CDC ECM)USB SerialUSB Mass Storage (Flashdrive or CD-Rom)HID KeyboardHID Mouseruntime reconfiguration of USB stack (no reboot)detection of connect/disconnect makes it possible to keep P4wnP1 A.L.O.A powered up (external supply) and trigger action if the emulated USB device is attached to a new hostno need to deal with different internal ethernet interfaces, as CDC ECM and RNDIS are connected to a virtual bridgepersistent store and load of configuration templates for USB settingsHIDScriptreplacement for limited DuckyScriptsophisticated scripting language to automate keyboard and mouseup to 8 HIDScript jobs could run in parallel (keep a job up to jiggle the mouse, while others are started on-demand to do arbitrary mouse and keystroke injection seamlessly)HIDScript is based on JavaScript, with common libraries available, which allows more complex scripts (function calls, using Math for mouse calculations etc.)keyboard based on UTF-8, so there’s no limitation to ASCII characterscould react on feedback from the hosts real keyboard by reading back LED state changes of NUMLOCK, CAPSLOCK and SCROLLLOCK (if the target OS shares LED state across all connected keyboards, which isn’t the case for OSX)take branching decisions in HIDScript, based on LED feedbackmouse relative movement (fast, but not precise)stepped relative movement (slower, but accurate … moves mouse in 1 DPI steps)absolute positioning on Windows (pixel perfect if target’s screen dimensions are known)Keyboard and mouse are not only controlled by the same scripting language, both could be used in the same script. This allows combining them in order to achieve goals, which couldn’t be achieved using only keyboard or mouse.current language layouts: br, de, es, fr, gb, it, ru and usBluetoothfull interface to Bluez stack (currently no support for remote device discovery/connect)allows to run a Bluetooth Network Access Point (NAP)customizable Pairing (PIN based legacy mode or SSP)High Speed support (uses 802.11 frames to achieve WiFi like transfer rates)Runtime reconfiguration of the Bluetooth stackNote: PANU is possible, too, but currently not supported (no remote device connection)persistent store and load of configuration templates for Bluetooth settingsWiFimodified Firmware (build with Nexmon framework) allows KARMA (spoof valid answers for Access Points probed by remote devices and allow association)broadcast additional Beacons, to emulate multiple SSIDsWiFi covert channelNote: Nexmon legacy monitor mode is included, but not supported by P4wnP1. Monitor mode is still buggy and likely to crash the firmware if the configuration changes.easy Access Point configurationeasy Station mode configuration (connect to existing AP)failover mode (if it is not possible to connect to the target Access Point, bring up an own Access Point)runtime reconfiguration of WiFi stackpersistent store and load of configuration templates for WiFi settingsNetworkingeasy ethernet interface configuration for bluetooth NAP interfaceUSB interface (if RNDIS/CDC ECM is enabled)WiFi interfacesupports dedicated DHCP server per interfacesupport for DHCP client modemanual configurationpersistent store and load of configuration templates for each interfaceToolingNot much to say here, P4wnP1 A.L.O.A. is backed by KALI Linux, so everything should be right at your hands (or could be installed using apt)Configuration and Control via CLI, remotely if neededall features mentioned so far, could be configured using a CLI clientthe P4wnP1 core service is a single binary, running as systemd unit which preserves runtime statethe CLI client interfaces with this service via RPC (gRPC to be specific) to change the state of the coreas the CLI uses a RPC approach, it could be used for remote configuration, tooif P4wnP1 is accessed via SSH, the CLI client is there, waiting for your commands (or your tab completion kung fu)the CLI is written in Go (as most of the code) and thus compiles for most major platforms and architecturesSo if you want to use a a batch file running on a remote Windows host to configure P4wnP1 … no problem:compile the client for windowsmake sure you could connect to P4wnP1 somehow (Bluetooth, WiFi, USB)add the host parameter to your client commands… and use the CLI as you would do with local access.Configuration and Control via web clientAlthough it wasn’t planned initially, P4wnP1 A.L.O.A. could be configured using a webclient. Even though the client wasn’t planned, it evolved to a nice piece of software. In fact it ended up as the main configuration tool for P4wnP1 A.L.O.A. The webclient has capabilities, which couldn’t be accessed from the CLI (templates storage, creation of "TriggerActions").The core features:should work on most major mobile and desktop browsers, with consistent look and feel (Quasar Framework)uses gRPC via websockets (no RESTful API, no XHR, nearly same approach as CLI)Thanks to this interface, the weblient does not rely on a request&reply scheme only, but receives "push events" from the P4wnP1 core. This means: if you (or a script) changes the state of P4wnP1 A.L.O.A. these changes will be immediately reflected into the webclientif you have multiple webclients running, changes of the core’s state will be reflected from one client to all other clientsincludes a HIDScript editor, with syntax highlightingauto-complete (CTRL+SPACE)persistent storage & load for HIDScriptson-demand execution of HIDScript directly from the browsera HIDScript job manager (cancel running jobs, inspect job state and results)includes an overview and editor for TriggerActionsfull templating support for all features described so farthe WebClient is a Single Page Application, once loaded everything runs client side, only gRPC request are exchangedAutomationThe automation approach of the old P4wnP1 version (static bash scripts) couldn’t be used anymore.The automation approach of P4wnP1 A.L.O.A. had to fulfills these requirements:easy to use and understandusable from a webclientbe generic and flexible, at the same timeeverything doable with the old "bash script" approach, should still be possibleable to access all subsystems (USB, WiFi, Bluetooth, Ethernet Interfaces, HIDScript … )modular, with reusable partsability to support (simple) logical tasks without writing additional codeallow physical computing, by utilizing of the GPIO portsWith introducing of the so called "TriggerActions" and by combining them with the templating system (persistent settings storage for all sub systems) all the requirements could be satisfied. Details on TriggerActions could be find in the WorkFlow section.Usage tutorial2. Workflow part 1 – HIDScriptP4wnP1 A.L.O.A. doesn’t use concepts like static configuration or payloads. In fact it has no static workflow at all.P4wnP1 A.L.O.A. is meant to be as flexible as possible, to allow using it in all possible scenarios (including the ones I couldn’t think of while creating P4wnP1 A.L.O.A.).But there are some basic concepts, I’d like to walk through in this section. As it is hard to explain everything without creating a proper (video) documentation, I visit some some common use cases and examples in order to explain what needs to be explained.Nevertheless, it is unlikely that I’ll have the time to provide a full-fledged documentation. So I encourage everyone to support me with tutorials and ideas, which could be linked back into this READMENow let’s start with one of the most basic tasks:2.1 Run a keystroke injection against a host, which has P4wnP1 attached via USBThe minimum configuration requirement to achieve this goal is:The USB sub system is configured to emulate at least a keyboardThere is a way to access P4wnP1 (remotely), in order to initiate the keystroke injectionThe default configuration of P4wnP1’s (unmodified image) meets these requirements already:the USB settings are initialized to provide keyboard, mouse and ethernet over USB (both, RNDIS and CDC ECM)P4wnP1 could already be accessed remotely, using one of the following methods: WiFi the Access Point name should be obviousthe password is MaMe82-P4wnP1the IP of P4wnP1 is Ethernet the IP of P4wnP1 is device name P4wnP1PIN 1337the IP is Secure Simple Pairing is OFF in order to force PIN Pairing. This again means, high speed mode is turned off, too. So the bluetooth connection is very slow, which is less of a problem for SSH access, but requesting the webclient could take up to 10 minutes (in contrast to some seconds with high speed enabled).a SSH server is accessible from all the aforementioned IPsThe SSH user for KALI Linux is root, the default password is toorThe webclient could be reached over all three connections on port 8000 via HTTPNote: Deploying a HTTPS connection is currently not in scope of the project. So please keep this in mind, if you handle sensitive data, like WiFi credentials, in the webclient. The whole project isn’t built with security in mind (and it is unlikely that this will ever get a requirement). So please deploy appropriate measures (f.e. restricting access to webclient with iptables, if the Access Point is configured with Open Authentication; don’t keep Bluetooth Discoverability and Connectability enabled without PIN protection etc. etc.)At this point I assume:You have attached P4wnP1 to some target host via USB (the innermost of the Raspberry’s micro USB ports is the one to use)The USB host runs an application, which is able to receive the keystrokes and has the current keyboard input focus (f.e. a text editor)You are remotely connected to P4wnP1 via SSH (the best way is WiFi), preferably the SSH connection is running from a different host, then the the one which has P4wnP1 A.L.O.A. attached over USBIn order to run the CLI client from the SSH session, issue the following command:root@kali:~# P4wnP1_cli The CLI client tool could be used to configure P4wnP1 A.L.O.A.from the command line. The tool relies on RPC so it could be used remotely.Version: v0.1.0-alpha1Usage: P4wnP1_cli [command]Available Commands: db Database backup and restore evt Receive P4wnP1 service events help Help about any command hid Use keyboard or mouse functionality led Set or Get LED state of P4wnP1 net Configure Network settings of ethernet interfaces (including USB ethernet if enabled) system system commands template Deploy and list templates trigger Fire a group send action or wait for a group receive trigger usb USB gadget settings wifi Configure WiFi (spawn Access Point or join WiFi networks)Flags: -h, –help help for P4wnP1_cli –host string The h ost with the listening P4wnP1 RPC server (default "localhost") –port string The port on which the P4wnP1 RPC server is listening (default "50051")Use "P4wnP1_cli [command] –help" for more information about a command.The help screen already shows, that the CLI client uses different commands to interact with the various subsystems of P4wnP1 A.L.O.A. Most of these commands have own sub-commands, again. The help for each command or sub-command could be accessed by appending -h to the CLI command:root@kali:~# P4wnP1_cli hid run -hRun script provided from standard input, commandline parameter or by path to script file on P4wnP1Usage: P4wnP1_cli hid run [flags]Flags: -c, –commands string HIDScript commands to run, given as string -h, –help help for run -r, –server-path string Load HIDScript from given path on P4wnP1 server -t, –timeout uint32 Interrupt HIDScript after this timeout (seconds)Global Flags: –host string The host with the listening P4wnP1 RPC server (default "localhost") –port string The port on which the P4wnP1 RPC server is listening (default "50051")Now, in order to type out "Hello world" to the USB host, the following CLI command could be used:P4wnP1_cli hid run -c ‘type("Hello world")’The result output in the SSH session should look similar to this:TempFile created: /tmp/HIDscript295065725Start appending to ‘HIDscript295065725’ in folder ‘TMP’Result:nullOn the USB host "Hello World" should have been typed to the application with keyboard focus.If your SSH client runs on the USB host itself, the typed "Hello world" ends up somewhere between the resulting output of the CLI command (it doesn’t belong to the output, but has been typed in between).Goal achieved. We injected keystrokes to the target.Much reading for a simple task like keystroke injection, but again, this section is meant to explain basic concepts.2.2 Moving on to more sophisticated language features of HIDScriptIf you managed to run the "Hello world" keystroke injection, this is a good point to explore some additional HIDScript features.We already know the type command, but let’s try and discuss some more sophisticated HIDScript commands:Pressing special keys and combinationsThe type command supports pressing return, by encoding a "new line" character into the input string, like this:P4wnP1_cli hid run -c ‘type("line 1\nline 2\nline 3 followed by pressing RETURN three times\n\n\n")’But what about special keys or key combinations?The press command comes to help!Let’s use press to send CTRL+ALT+DELETE to the USB host:P4wnP1_cli hid run -c ‘press("CTRL ALT DELETE")’Note: Two of keys have been modifiers (CTRL and ALT) and only one has been an actual key (DELETE)Let’s press the key ‘A’ without any modifier key:P4wnP1_cli hid run -c ‘press("A")’The resulting output should be a lowercase ‘a’, because press("A") interprets ‘A’ as key. The command type("A"), on the other hand, tries to press a key combination which should result in an uppercase ‘A’ output character.Let’s combine a modifier and a non-modifier key, in order to produce an uppercase ‘A’ output character (mimic the behavior of `type("A"):P4wnP1_cli hid run -c ‘press("SHIFT A")’This should have produced an uppercase A output.It is important to understand, that press interprets the given its key arguments as keys, while type tries to find the appropriate key combinations to produce the intended output characters.In a last example, let’s combine press and type.P4wnP1_cli hid run -c ‘type("before caps\n"); press("CAPS"); type("after caps\n"); press("CAPS");’The last command typed a string, toggled CAPSLOCK, typed another string and toggled CAPS lock again. In result, CAPSLOCK should be in its initial state (toggled two times), but one of the strings is typed uppercase, the other lowercase although both strings have been given in lower case.Additional notes on key presses with press:I don’t want to dive into the depth of USB keyboard reports inner workings, but some things are worth mentioning to pinpoint the limits and possibilities of the press command (which itself works based on raw keyboard reports):a keyboard report can contain up to 8 modifier keys at oncethe modifier keys are LEFT_CTRLRIGHT_CTRLLEFT_ALTRIGHT_ALTLEFT_SHIFTRIGHT_SHIFTLEFT_GUIRIGHT_GUIP4wnP1 allows using aliases for common modifiers CTRL == CONTROL == LEFT_CTRLALT == LEFT_ALTSHIFT == LEFT_SHIFTWIN == GUI == LEFT_GUIin addition to the modifiers, press consumes up to six normal or special keys normal keys represent characters and special keysexample of special keys: BACKSPACE, ENTER (== RETURN), F1 .. F12)the keys are language layout agnostic (press("Z") results in USB_KEY_Z fo EN_US keyboard layout, but produces USB_KEY_Y for a German layout. This corresponds to pressing the hardware key ‘Z’ on a German keyboard, which would produce a USB_KEY_Y, too.)/usr/local/P4wnP1/keymaps/common.json holds a formatted JSON keymap with all possible keys (be careful not to change the file)adding multiple keys to the a single press command, doesn’t produce a key sequence. All given given keys are pressed at the same time and release at the same time.press releases keys automatically, this means a sequence like "hold ALT, press TAB, press TAB, release ALT" currently isn’t possibleKeyboard layoutThe HIDScript command to change the keyboard layout is layout().The following example switches keyboard layout to ‘US’ types something and switches the layout to ‘German’ before it goes on typing:P4wnP1_cli hid run -c ‘layout("us"); type("Typing with EN_US layout\n");layout("de"); type("Typing with German layout supporting special chars üäö\n");’The output result of the command given above, depends on the target layout used by the USB host.On a host with German keyboard layout the result looks like this:Tzping with EN?US lazoutTyping with German layout supporting special chars üäöOn a host with US keyboard layout it looks like this:Typing with EN_US layoutTzping with German lazout supporting special chars [‘;Please note, that the intended output is only achieved, if P4wnP1’s keyboard layout aligns with the keyboard layout actually used by the USB host.The layout command allows to align P4wwP1’s internal layout to the one of the target USB host.Being able to change the layout in the middle of a running HIDScript, could come in handy: Who knows, maybe you like to brute force the target host’s keyboard layout by issuing commands with changing layouts till one of the typed commands achieves the desired effect.Important: The layout has global effect. This means if multiple HIDScripts are running concurrently and one of the scripts sets a new layout, all other scripts are effected immediately, too.Typing speedBy default P4wnP1 injects keystrokes as fast as possible. Depending on your goal, this could be a bit too much (think of counter measures which prevent keystroke injection based on behavior analysis of typing speed). HIDScript supports a command to change this behavior.typingSpeed(delayMillis, jitterMillis)The first argument to the typingSpeed command represents a constant delay in milliseconds, which is applied between two keystrokes. The second argument is an additional jitter in milliseconds. It adds an additional random delay, which scales between 0 and the given jitter in milliseconds, to the static delay provided with the first argument.Let’s try to use typingSpeed to slow down the typing:P4wnP1_cli hid run -c ‘typingSpeed(100,0); type("Hello world")’Next, instead of a constant delay, we try a random jitter:P4wnP1_cli hid run -c ‘typingSpeed(0,500); type("Writing with random jitter up to 500 milliseconds")’Finally, by combining and tuning both values, we could simulate natural typing speed:P4wnP1_cli hid run -c ‘typingSpeed(100,150); type("Writing with more natural speed")’Important: The typing speed has global effect. This means if multiple HIDScripts are running concurrently and one of the scripts sets a new typing speed, all other scripts are effected immediately, too.Wait for LED reportWaiting for LED report, or to be precise LED state changes, is one of the more sophisticated keyboard features of HIDScript. It could be very powerful but needs a bit of explanation.You may have noticed that (depending on the USB host’s OS) the keyboard state modifiers (NUM LOCK, SCROLL LOCK, CAPS LOCK) are shared across multiple connected keyboards. For example, if you connect two keyboards to a Windows host, and toggle CAPS LOCK on one of them, the CAPS LOCK LED changes on both keyboards.Exactly this test could be used, to determine if the keyboard state modifiers are shared across all keyboards for a given OS.In case a USB host supports this kind of state sharing (for example Windows does), P4wnP1’s HIDScript language could make use out of it.Imagine the following scenario:P4wnP1 is connected to a USB host and you want to apply keystroke injection, but you don’t want the HIDScript to run the keystrokes immediately. Instead the HIDScript should sit and wait till you hit NUMLOCK, CAPSLOCK or SCROLLLOCK on the host’s real keyboard. Why? Maybe you’re involved in an engagement, somebody walked in and you don’t want that this exact "somebody" could see how magically a huge amount of characters are typed into a console window which suddenly popped up. So you wait till "somebody" walks out, hit NUM LOCK and ultimately a console window pops up and a huge amount of characters are magically type … I think you got it.The described behavior could be achieved like this:P4wnP1_cli hid run -c ‘waitLED(NUM); type("A huge amount of characters\n")’If you tested the command above, typing should only start if NUM LOCK is pressed on the USB host’s hardware keyboard, but you might encounter cases where the keystrokes immediately are issued, even if NUM LOCK wasn’t pressed (and the keyboard LED hasn’t hacnged).This is intended behavior and the reason for this is another use case for the waitLED command:Maybe you have used other keyboard scripting languages and other USB devices capable of injecting keystrokes, before. Most of these devices share a common problem: You don’t know when to start typing!If you start typing immediately after the USB device is powered up, it is likely that the USB host hasn’t finished device enumeration and thus hasn’t managed to bring up the keyboard drivers. Ultimately your keystrokes are lost.To overcome this you could add a delay before the keystroke injection starts. But how long should this delay be? Five seconds, 10 seconds, 30 seconds ?The answer is: it depends! It depends on how fast the host is able to enumerate the device and bring up the keyboard driver. In fact you couldn’t know how long this takes, without testing against the actual target.But as we have already learned, Operating Systems like Windows share the LED state across multiple keyboards. This means if the NUMLOCK LED of the host keyboard is set to ON before you attach a second keyboard, the NUMLOCK LED on this new keyboard has to be set to ON, too, once attached. If the NUM LOCK LED would have been set to OFF, anyways, the newly attached keyboard receives the LED state (all LEDs off in this case). The interesting thing about this is, that this "LED update" could only be send from the USB host to the attached keyboard, if the keyboard driver has finished loading (sending LED state wouldn’t be possible otherwise).Isn’t that beautiful? The USB host tells us: "I’m ready to receive keystrokes". There is no need to play around with initial delays.But here is another problem: Assume we connect P4wnP1 to an USB host. We run a HIDScript starting with waitLED instead of a hand crafted delay. Typing starts after the waitLED, but nothing happens – our keystrokes are lost, anyways! Why? Because, it is likely that we missed the LED state update, as it arrived before we even started our HIDScript.Exactly this "race condition" is the reason why P4wnP1 preserves all recognized LED state changes, unless at least one HIDScript consumes them by calling waitLED (or waitLEDRepeat). This could result in the behavior describe earlier, where a waitLED returns immediately, even though no LED change occurred. We now know: The LED change indeed occurred, but it could have happened much earlier (berfore we even started the HIDScript), because the state change was preserved. We also know, that this behavior is needed to avoid missing LED state changes, in case waitLED is used to test for "USB host’s keyboard driver readiness".Note: It is worth mentioning, that waitLED returns ONLY if the received LED state differs from P4wnP1’s internal state. This means, even if we listen for a change on any LED with waitLED(ANY) it still could happen, that we receive an initial LED state from a USB host, which doesn’t differ from P4wnP1’s internal state. In this case waitLED(ANY) would block forever (or till a real LED change happens). This special case could be handled by calling waitLED(ANY_OR_NONE), which returns as soon as a new LED state arrive, even if it doesn’t result in a change.Enough explanation, let’s get practical … before we do so, we have to change the hardware setup a bit:Attach an external power supply to the second USB port of the Raspberry Pi Zero (the outer one). This assures that P4wnP1 doesn’t loose power when detached from the USB host, as it doesn’t rely on bus power anymore. The USB port which should be used to connect P4wnP1 to the target USB host is the inner most of the two ports.Now start the following HIDScriptP4wnP1_cli hid run -c ‘while (true) {waitLED(ANY);type("Attached\n");}’Detach P4wnP1 from the USB host (and make sure it is kept powered on)! Reattach it to the USB host … Every time you reattach P4wnP1 to the host, "Attached" should be typed out to the host.This taught us 3 facts:waitLED could be used as initial command in scripts, to start typing as soon as the keyboard driver is readywaitLED isn’t the perfect choice, to pause HID scripts until a LED changing key is pressed on the USB host, as preserved state changes could unblock the command in an unintended wayProviding more complex HIDScript as parameter to the CLI isn’t very convenientAs we still aren’t done with the waitLED command, we take care of the third fact, now. Let us leave the CLI.abort the P4wnP1 CLI with CTRL+C (in case the looping HIDScript is still running)open a browser on the host yor have been using for the SSH connection to P4wnP1 (not the USB host)the webclient could be accessed via the same IP as the SSH server, the port is 8000 (for WiFi to the "HIDScript" tab in the now opened webclientfrom there you could load and store HIDScripts (we don’t do this for now, although ms_snake.js is a very good example for the power of LED based triggers)Replace the script in the editor Window with the following one:return waitLED(ANY);After hitting a run button, the right side of the window should show a new running HID job. If you press the little "info" button to the right of the HIDScript job, you could see details, like its state (should be running), the job ID and the VM ID (this is the number of the JavaScript VM running this job. There are 8 of these VMs, so 8 HIDScripts could run in parallel).Now, if any LED change is emitted from the USB host (by toggling NUM, CAPS or SCROLL) the HIDScript job should end. It still could be found under "Succeeded" jobs.If you press the little "info" button again, there should be an information about the result value (encoded as JSON), which looks something like this:{"ERROR":false,"ERRORTEXT":"","TIMEOUT":false,"NUM":true,"CAPS":false,"SCROLL":false,"COMPOSE":false,"KANA":false}So the waitLED command returns a JavaScript object looking like this:{ ERROR: false, // gets true if an error occurred (f.e. HIDScript was aborted, before waitLED could return) ERRORTEXT: "", // corresponding error string TIMEOUT: false, // gets true if waitLED timed out (more on this in a minute) NUM: true, // gets true if NUM LED had changed before waitLED returned CAPS: false, // gets true if CAPS LED had changed before waitLED returned SCROLL: false, // gets true if SCROLL LED had changed before waitLED returned COMPOSE: false, // gets true if COMPOSE LED had changed before waitLED returned (uncommon) KANA: false // gets true if KANA LED had changed before waitLED returned (uncommon)}In my case, NUM became true. In your case it maybe was CAPS. It doesn’t matter which LED it was. "hat does matter is the fact, that the return value gives the opportunity to examine the LED change which makes the command return and thus it could be used to take branching decisions in your HIDScript (based on LED state changes issued from the USB host’s real keyboard).Let’s try an example:while (true) { result = waitLED(ANY); if (result.NUM) { type("NUM has been toggled\n"); } if (result.SCROLL) { type("SCROLL has been toggled\n"); } if (result.CAPS) { break; //exit loop }}Assuming the given script is already running, pressing NUM on the USB host should result in typing out "NUM has been toggled", while pressing SCROLL LOCK results in the typed text "SCROLL has been toggled". This behavior repeats, until CAPS LOCK is pressed and the resulting LED change aborts the loop and ends the HIDScript.Puhhh … a bunch of text on this command for a single HIDScript command, but there still some things left.We provided arguments like NUM, ANY or ANY_OR_NONE to the waitLED command, without further explanation.The waitLED accepts up to two arguments:The first argument, as you might have guessed, is a whitelist filter for the LEDs to watch. Valid arguments are:ANY (react on a change to any of the LEDs)ANY_OR_NONE (react on every new LED state, even if there’s no change)NUM (ignore all LED changes, except on the NUM LED)CAPS (ignore all LED changes, except on the NUM CAPS)SCROLL (ignore all LED changes, except on the NUM SCROLL)multiple filters could be combined like this CAPS | NUM, NUM | SCROLLThe second argument, we haven’t used so far, is a timeout duration in milliseconds. If no LED change occurred during this timeout duration, waitLED returns and has TIMEOUT: true set in the resulting object (additionally ERROR is set to true and ERRORTEXT indicates a timeout).The following command would wait for a change on the NUM LED, but aborts waiting after 5 seconds:waitLED(NUM,5000)Even though waitLED is a very powerful command if used correctly, it hasn’t helped to deal with our easy task of robustly pausing a HIDScript till a state modifier key is pressed on the target USB host (remember: We wanted to pause execution to assure the unwanted "somebody" walked out before typing starts, but waitLED occasionally returned early, because of preserved LED state changes).This is where waitLEDRepeat joins the game and comes to rescue.Paste the following script into the editor and try to make the command return. Inspect the HIDScript results afterwards.return waitLEDRepeat(ANY)You should quickly notice, that the same LED has to be changed multiple times frequently, in order to make the waitLEDRepeat command return. The waitLEDRepeat command wouldn’t return if differing LEDs change state or if the LED changes on a single LED are occurring too slow.The argument provided to waitLEDRepeat (which is ANY in the example) serves the exact same purpose as for waitLED. It is a whitelist filter. For example waitLEDRepeat(NUM) would only return for changes of the NUM LOCK LED – no matter how fast and often you’d hammer on the CAPS LOCK key, it wouldn’t return unlees NUM LOCK is pressed frequently.By default, one of the whitelisted LEDs has to change 3 times and the delay between two successive changes mustn’t be greater than 800 milliseconds in order to make waitLEDRepeat return. This behavior could tuned, by providing additional arguments like shown in this example:filter = ANY; // same filters as for waitLEDnum_changes = 5; // how often the SAME LED has to change, in order to return from waitLEDRepeatmax_delay = 800; // the maximum duration between two LED changes, which should be taken into acccount (milliseconds)timeout = 10000; // timeout in millisecondswaitLEDRepeat(filter, num_changes, max_delay); //wait till a LED frequently changed 5 times, no timeoutwaitLEDRepeat(filter, num_changes, max_delay, timeout); //wait till a LED frequently changed 5 times, abort after 10 secondsSo that’s how to interact with LED reports from an USB host in HIDScript.Note: waitLEDRepeat doesn’t differ from waitLED, when it comes to consumption of preserved LED state changes. Anyways, it is much harder to trigger it unintended.So waitLEDRepeat is the right choice, if the task is to pause HIDScripts till human interaction happens. Of course it could be used for branching, too, as it provides the same return object as waitLED does.Up to this point we gained a good bit of knowledge about HIDScript (of course not about everything, we haven’t even looked into mouse control capabilities of this scripting language). Anyways, this tutorial is about P4wnP1 A.L.O.A. workflow and basic concepts. So we don’t look into other HIDScript features, for now, and move on.Let’s summarize what we learned about P4wnP1’s workflow and concepts so far:we could start actions like keystroke injection from the CLI client, on-demandwe could use the webclient to achieve the same, while having additional control over HIDScript jobsif we connect an external power supply to P4wnP1 A.L.O.A., we attach/detach to/from different USB hosts and already started HIDScripts go on working seamlesslywe could configure the USB stack exactly to our needs (and change its configuration at runtime, without rebooting P4wnP1)we could write multi purpose HIDScripts, with complex logic based on JavaScript (with support for functions, loops, branching etc. etc.)3. Workflow part 2 – Templating and TriggerActionsBefore go on with the other major concepts of P4wnP1 A.L.O.A. let’s refine our first goal, which was to "run a keystroke injection against a USB host":The new goal is to type "Hello world" into the editor of a Windows USB host (notepad.exe).The editor should be opened by P4wnP1 (not manually by the user).The editor should automatically be closed, when any of the keyboard LEDs of the USB host is toggled.Everytime P4wnP1 is attached to the USB host, this behavior should repeat (with external power supply, no reboot of P4wnP1)The process should only run once, unless P4wnP1 is re-attached to the USB host, even if successive keyboard LED changes occur after the HIDScript has been started.Even if P4wnP1 is rebooted, the same behavior should be recoverable without recreating detail of the setup from scratch, again.Starting notepad, typing "Hello world" and closing notepad after a LED change could be done with the things we learned so far. An according HIDScript could look something like this:// Starting notepadpress("WIN R"); // Windows key + R, to open run dialogdelay(500); // wait 500ms for the dialog to opentype("notepad.exe\n"); // type ‘notepad.exe’ to the run dialog, append a RETURN pressdelay(2000); // wait 2 seconds for notepad to come up// Type the messagetype("Hello world") // Type "Hello world" to notepad// close notepad after LED changewaitLED(ANY); // wait for a single LED changepress("ALT F4"); // ALT+F4 shortcut to close notepad//as we changed content, there will be a confirmation dialog before notepad exitsdelay(500); // wait for the confirmation dialogpress("RIGHT"); // move focus to next button (don’t save) with RIGHT ARROWpress("SPACEBAR"); // confirm dialog with spaceThe only thing new in this script is the delay command, which doesn’t need much explanation. It delays execution for the given amount of milliseconds.The script could be pasted into the webclient HIDScript editor and started with "run" in order to test it.It should work as intended, so we are nearly done. In order to be able reuse the script, even after a reboot, we store it persistently. This could be achieved by hitting the "store" button in the HIDScript tab of the webclient. After entering a name (we use tutorial1 for now) and confirming the dialog, the HIDScript should have been stored. We could check this, by hitting the "Load & Replace" button in the webclient. The stored script should occur in the list of stored scripts with the name tutorial1.js (the .js extension is appended automatically, if it hasn’t been provided in the "store" dialog, already).Warning: If a name of an already existing file used in the store dialog, the respective file gets overwritten without asking for further confirmation.Let’s try to start the stored script using the CLI client from a SSH session, like this:P4wnP1_cli hid run tutorial1.jsThis should have worked. This means, it is possible to start stored HIDScripts from all applications which support shell commands or from a simple bash script, by using the P4wnP1 A.L.O.A. CLI client.It would even be possible to start the script remotely from a CLI client compiled for Windows. Assuming the Windows host is able to reach P4wnP1 A.L.O.A. via WiFi and the IP of P4wnP1 is set to the proper command would look like this:P4wnP1_cli.exe –host hid run tutorial1.jsNote: At the time of this writing, I haven’t decided yet if P4wnP1 A.L.O.A. ships a CLI binary for each and every possible platform and architecture. But it is likely that precompiled versions for major platforms are provided. If not – this isn’t a big problem, as cross-compilation of the CLI client’s Go code takes less than a minute.The next step is to allow the script to run again, every time P4wnP1 is re-attached to a USB host. A approach we already used to achieve such a behavior, was to wrap everything into a loop and prepend a waitLED(ANY_OR_NONE). The waitLED(ANY_OR_NONE) assured tha the loop only continues, if the target USB host signals that the keyboard driver is ready to receive input by sending an update of the global keyboard LED sate. An accordingly modified script could look like this:while (true) { waitLED(ANY_OR_NONE); // wait till keyboard driver sends the initial LED state // Starting notepad press("WIN R"); // Windows key + R, to open run dialog delay(500); // wait 500ms for the dialog to open type("notepad.exe\n"); // type ‘notepad.exe’ to the run dialog, append a RETURN press delay(2000); // wait 2 seconds for notepad to come up // Type the message type("Hello world") // Type "Hello world" to notepad // close notepad after LED change waitLED(ANY); // wait for a single LED change press("ALT F4"); // ALT+F4 shortcut to close notepad //as we changed content, there will be a confirmation dialog before notepad exits delay(500); // wait for the confirmation dialog press("RIGHT"); // move focus to next button (don’t save) with RIGHT ARROW press("SPACEBAR") ; // confirm dialog with space }The script given above, indeed, would run, every time P4wnP1 is attached to an USB host. But the script isn’t very robust, because there’s a second waitLED involved, which waits till notepad.exe should be is closed, again.Doing it like this involves several issues. For example if P4wnP1 is detached before the "Hello world" is typed out, the now blocking waitLED would be the one before press("ALT F4") and execution would continue at exact this point of the HIDScript once P4wnP1 is attached to a (maybe different) USB host, again.A definitive kill criteria for the chosen approach is the following problem: The requirement that the script should be run only once after attaching P4wnP1 to an USB host couldn’t be met, as hitting NUM LOCK multiple times would restart the script over and over.So how do we solve this ?Let’s introduce TriggerActionsThe solution to the problem are so called "TriggerActions". As the name implies, this P4wnP1 A.L.O.A. workflow concept fires actions based on predefined triggers.To get an idea of what I’m talking about, head over to the "TRIGGER ACTIONS" tab on the webclient. Depending on the current setup, there may already exist TriggerActions. We don’t care for existing TriggerActions, now.Hit the "ADD ONE" button and a new TriggerActions should be added and instantly opened in edit mode. The new TriggerAction is disabled by default and has to be enabled in order to make it editable. So we toggle the enable switch.Now from the pull down menu called "Trigger" the option "USB gadget connected to host" should be selected. The action should have a preset of "write log entry" selected. We leave it like this and hit the "Update" button.The newly added TriggerAction should be visible in the TriggerActions overview now (the one with the highest ID) and show a summary of the selected Trigger and selected Action in readable form.To test if the newly defined TriggerAction works, navigate over to the "Event Log" tab of the webclient. Make sure you have the webclient opened via WiFi (not USB ethernet). Apply external power to P4wnP1, disconnect it from the USB host and connect it again. A log message should be pushed to the client every time P4wnP1 is attached to a USB host, immediately.If you repeated this a few times, you maybe noticed that the "USB gadget connected to host" trigger fires very fast (or in an early stage of USB enumeration phase). To be more precise: When this trigger fires, it is known that P4wnP1 was connected to a USB host, but there is no guarantee that the USB host managed to load all needed USB device drivers. In fact it is very unlikely that the USB keyboard driver is loaded when the trigger fires. We have to keep this in mind.Before we move on with our task, we do an additional test. Heading back to the "TriggerAction" tab and we press the little blue button looking like a pen for our newly created TriggerAction. We end up in edit mode again.This time, we enable the One shot option. Head back to the "Event Log" afterwards, and again, detach and re-attach P4wnP1 from the USB host. This time the TriggerAction should fire only once. No matter how often P4wnP1 is re-attached to the USB host afterwards, no new log message indicating a USB connect should be created.It is worth mentioning that a "One shot" TriggerAction isn’t deleted after the Trigger has fired. Instead the TriggerAction is disabled, again. Re-enabling allows reusing a TriggerAction without redefining it. Nothing gets lost until the red "trash" button is hit on a TriggerAction, which will delete the respective TriggerAction.Warning: If the delete button for a TriggerAction is clicked, the TriggerAction is deleted permanently without further confirmation.At this point let’s do the obvious. We edit the created TriggerAction and select "start a HIDScript" instead of "write log entry" for the action to execute. Additionally we disable "one-shot", again. A new input field called "script name" is shown. Clicking on this input field brings up a selection dialog for all stored HIDScripts, including our formerly created tutorial1.js HIDScript.Before we test if this works, let me make a quick note on the action "write log entry": P4wnP1 A.L.O.A. doesn’t keep track of Triggers which have already be fired. This means the log entries created by a "write log entry" action are delivered to all listening client, but aren’t stored by the P4wnP1 service (for various reasons). The webclient on the other hand stores the log entry until the the webclient itself is reloaded. The same applies to events, which are related to HIDScript jobs. If a HIDScript ends (with success or error), an event pushed to all currently open webclients. In summary, each webclient has a runtime state, which holds more information than the core service, itself. If the runtime state of the webclient grows to large (too much memory usage), one only needs to reload the client to clear "historical" sate information. If the core service would behave the same and store every historical information, it would run out of resources very soon. Thus this concept applies to most sub systems of P4wnP1 A.L.O.A.Now back to our task. We have a TriggerAction ready, which should fire our HIDScript every time P4wnP1 is attached to an USB host.Depending on the target USB host, this works more or less reliably. In my test setup it didn’t work at all and there’s a reason:Let’s review the first few lines our HIDScript:// Starting notepadpress("WIN R"); // Windows key + R, to open run dialogdelay(500); // wait 500ms for the dialog to opentype("notepad.exe\n"); // type ‘notepad.exe’ to the run dialog, append a RETURN press… snip …Recalling the fact, that the "USB gadget connected" Trigger fires in early USB enumeration phase and the USB host’s keyboard driver hasn’t necessarily been loaded, the problem becomes obvious. We have to prepend some kind of delay to the script to assure the keyboard driver is up (otherwise our keystrokes would end up in nowhere).As we already know that it isn’t possible to predict the optimal delay, we go with the waitLED(ANY_OR_NONE) approach, explained earlier. The new script looks like this:waitLED(ANY_OR_NONE); //assure keyboard driver is ready// Starting notepadpress("WIN R"); // Windows key + R, to open run dialogdelay(500); // wait 500ms for the dialog to opentype("notepad.exe\n"); // type ‘notepad.exe’ to the run dialog, append a RETURN pressdelay(2000); // wait 2 seconds for notepad to come up// Type the messagetype("Hello world") // Type "Hello world" to notepad// close notepad after LED changewaitLEDRepeat(ANY); // wait for a single LED changepress("ALT F4"); // ALT+F4 shortcut to close notepad//as we changed content, there will be a confirmation dialog before notepad exitsdelay(500); // wait for the confirmation dialogpress("RIGHT"); // move focus to next button (don’t save) with RIGHT ARROWpress("SPACEBAR"); // confirm dialog with spaceStoring the modified script under the exact same name (tutorial1) overwrites the former HIDScript without further confirmation, as already pointed out. Thus there is no need to adjust our TriggerAction, as the HIDScript name the TriggerAction refers hasn’t changed.With this little change everything should work as intended and the script should trigger everytime we attach to an USB host, but only run once.Now, if P4wnP1 is rebooted or looses power, our HIDScript would survive, because we have stored it persistently, but the TriggerAction would be gone. Needless to say, that TriggerActions could be stored persistently, too.The "store" button in the "TriggerAction" tab works exactly like the one in the HIDScript editor. It should be noted that all currently active TriggerActions will be stored if the "store" dialog is confirmed (including the disabled ones). The best practice is to delete all TriggerActions which don’t belong to the task in current scope before storing (they should have been stored earlier, if needed) and to only store the small set of TriggerActions relevant to the current task, using a proper name. There are two options to load back stored TriggerActions to the active ones:"load & replace" clears all active trigger actions and loads only the stored ones"load & add" keeps the already active TriggerActions and adds in the stored ones. Thus "load & add" could be used to build a complex TriggerAction set out of smaller sets. The resulting set could then, again, be stored.For now we should only store our single TriggerAction, which starts out HIDScript. The name we use to store is tutorial1 again and won’t conflict with the HIDScript called tutorial1.Confirm successful storing, by hitting the "load&replace" button in the "TriggerAction" tab. The stored TriggerAction set should be in the list and named tutorial1.Warning: The TriggerAction "load" dialogs allow deleting stored TriggerActions by hitting the red "trash" button next to each action. Hitting the button permanently deletes the respective TriggerAction set, without further confirmationAt this point we could safely delete our TriggerAction from the "TriggerActions" tab (!!not with the trash button from one of the load dialogs!!).With the TriggerAction deleted from the active ones, nothing happens if we detach and re-attach P4wnP1 from the USB host.Anyways, the stored TriggerAction set tutorial1 will persists reboots and could be reloaded at anytime.Instead of reloading the TriggerAction set from with the webclient, we try to accomplish that using the CLI client.Lets take a quick look into the help screen of the template deploy sub-command:root@kali:~# P4wnP1_cli template deploy -hDeploy given gadget settingsUsage: P4wnP1_cli template deploy [flags]Flags: -b, –bluetooth string Deploy Bluetooth template -f, –full string Deploy full settings template -h, –help help for deploy -n, –network string Deploy network settings template -t, –trigger-actions string Deploy trigger action template -u, –usb string Deploy USB settings template -w, –wifi string Deploy WiFi settings templatesGlobal Flags: –host string The host with the listening P4wnP1 RPC server (default "localhost") –port string The port on which the P4wnP1 RPC server is listening (default "50051")The usage screen shows, that TriggerAction Templates could be deployed with the -t flag. We run the following command, to restore the stored TriggerAction set:P4wnP1_cli template deploy -t tutorial1The TriggerAction which fires out HIDScript on USB host connections is now loaded again and should be shown in the TriggerActions tab of the webclient. If P4wnP1 A.L.O.A. is attached to an USB host, the script should run again.Storing, loading and deploying of templates is one of the two main concepts behind P4wnP1’s automation workflow, the other one are the already known TriggerActions. It is worth mentioning, that not only TriggerAction sets could be stored and loaded as templates themselves, but that TriggerActions could be used to deploy already stored templates, if that makes sense.Revisiting our tasks, it seems all defined requirements are met now:we typed "Hello world" into the editor of a Windows USB hostthe editor is opened by P4wnP1, not manually by the userthe editor is closed automatically, when one of the keyboard LEDs toggled onceevery time P4wnP1 is attached to a USB host, this behavior repeatsthe HIDScript runs only once, unless P4wnP1 is re-attached to the USB host, even if successive keyboard LED changes occurif P4wnP1 is rebooted, the same behavior could be recovered by loading the stored TriggerAction set (which again refers to the stored HIDScript). This could either be achieved with a single CLI command or with a simple "load&add" or "load&replace" from the webclient’s trigger action tab.Once more let us add additional goals:it should be assured, that the USB configuration has the keyboard functionality enabled (the current setup doesn’t do this and the TriggerAction couldn’t start the HIDScript in case the USB keyboard is disabled)the created setup should applied at boot of P4wnP1 A.L.O.A., without the need of manually loading of the TriggerAction set. The setup has to survive a reboot of P4wnP1.To achieve the two additional goals, we have to dive into a new topic and …Introduce Master Templates and Startup Master TemplateBefore we look into Master Templates, we do something we haven’t done, yet, because everything just worked as intended so far: We define a valid USB configurations, matching our task!device serial number: 123456789device product name: Auto Writerdevice manufacturer: The CreatorProduct ID: 0x9876Vendor ID: 0x1D6Benabled USB functions HID keyboardHID mouseLet’s take a look into the usage screen of the CLI command, which could bes used to deploy these settings, first:root@kali:~# P4wnP1_cli usb set -hset USB Gadget settingsUsage: P4wnP1_cli usb set [flags]Flags: -e, –cdc-ecm Use the CDC ECM gadget function -n, –disable If this flag is set, the gadget stays inactive after deployment (not bound to UDC) -h, –help help for set -k, –hid-keyboard Use the HID KEYBOARD gadget function -m, –hid-mouse Use the HID MOUSE gadget function -g, –hid-raw Use the HID RAW gadget function -f, –manufacturer string Manufacturer string (default "MaMe82") -p, –pid string Product ID (format ‘0x1347’) (default "0x1347") -o, –product string Product name string (default "P4wnP1 by MaMe82") -r, –rndis Use the RNDIS gadget function -s, –serial Use the SERIAL gadget function -x, –sn string Serial number (alpha nu meric) (default "deadbeef1337") -u, –ums Use the USB Mass Storage gadget function –ums-cdrom If this flag is set, UMS emulates a CD-Rom instead of a flashdrive (ignored, if UMS disabled) –ums-file string Path to the image or block device backing UMS (ignored, if UMS disabled) -v, –vid string Vendor ID (format ‘0x1d6b’) (default "0x1d6b")Global Flags: –host string The host with the listening P4wnP1 RPC server (default "localhost") –json Output results as JSON if applicable –port string The port on which the P4wnP1 RPC server is listening (default "50051")The command has a bunch of flags, but there exists a bunch of changeable USB settings, too. Deploying our defined USB setup could be done like this, using the CLI:root@kali:~# P4wnP1_cli usb set \> –sn 123456789 \> –product "Auto Writer" \> –manufacturer "The Creator" \> –pid "0x9876" \> –vid "0x1d6b" \> –hid-keyboard \> –hid-mouseSuccessfully deployed USB gadget settingsEnabled: trueProduct: Auto WriterManufacturer: The CreatorSerialnumber: 123456789PID: 0x9876VID: 0x1d6bFunctions: RNDIS: false CDC ECM: false Serial: false HID Mouse: true HID Keyboard: true HID Generic: false Mass Storage: falseThe result output of the (longish) command shows the resulting USB settings. Let us check the "USB settings" tab of the webclient to confirm that they have been applied. All changes should be reflected, if nothing went wrong.Although it is perfectly possible to deploy a USB setup using the CLI, there are several benefits using the webclient in favor of the CLI. In this case:changing the settings from the webclient is easier and more convenientthe webclient holds an internal settings state, this allows defining USB settings without actually deploying them (the CLI on the other hand, could only manipulate settings by deploying them. This, again, resets the while USB stack of P4wnP1 and all dependent functionality. F.e. already running HIDScript would be interrupted or USB network interfaces are redeployedthe current settings of the webclient could be stored to a persistent template, without deploying them upfrontthe CLI client, (currently) isn’t able to store USB settingsIn our current case, it is obviously a better choice to use the webclient for the needed changes to the USB settings. The good thing about the CLI approach (we already used here): As the CLI forced us to deploy the USB settings, we could confirm that they are working, before we store them into a persistent template.Let’s go on with storing the USB settings:Again we hit the "store" button, this time in the "USB settings" tab. Once more we call the template tutorial1 (there is no conflict with the TriggerAction template stored under the same name, because a different namespace is used for USB settings).Now we have two new and persistently stored templates::a template for the TriggerAction set, named tutorial1a template for the USB settings, also name tutorial1Assuming the state (of current USB settings, TriggerActions or both) changed somehow, we could reload both of the stored settings at once, by issuing the following CLI command:P4wnP1_cli template deploy –usb tutorial1 –trigger-actions tutorial1The command P4wnP1 template deploy could load a template for each of the sub systems of P4wnP1 A.L.O.A. in a single run (for the network subsystem multiple templates could be loaded, one per each adapter). Deploying templates for various subsystems is considered a common task while working with P4wnP1 A.L.O.A., because in most cases it should be necessary to reconfigure several subsystems to reach a single goal. To account for this, so called Master Templates have been introduced.A Master Template could consist of:a already stored TriggerAction set templatea already stored USB settings templatea already stored WiFi settings templatea already stored Bluetooth settings templatemultiple stored Network settings templates (one per each adapter)A Master Templated could be defined, stored or loaded, using the "Master Template Editor" from the "Generic Settings" tab of the webclient. Using the webclient is a convenient way to define Master Templates, as it supports you by only allowing to select templates, which have been already stored for the respective sub systems (and currently the webclient is the only way to define Master Templates).So lets define a Master Template for our current task:Navigate to the "Generic Settings" tab of the webclientOn the "Master Template Editor" click on the small button on the right to the "TriggerActions Template" fieldFrom the Dialog choose the tutorial1 template and confirm with "OK" buttonIf you selected the wrong template, re-open the dialog and select a different one or use the "x" icon on the right to "TriggerAction Template" to delete the current selectionRepeat the steps for the "USB Template" selection, again choose tutorial1 (which is a different template for the USB sub system, although it shares the name with the one for the TriggerActions)Check that the correct templates have been selected for bot, USB and TriggerActions, and all other Templates are left emptyStore the new Master Template, by hitting the "Store" button and providing the name tutorial1To confirm if that the template has been stored, you could use the "Load Stored" button – the template should be listed in the selection. Cancel the "Load Store" dialog again.Now hit the "Deploy Stored" button, select the template named startup and confirm with "OK".In contrast to the "Load Stored" function, which loads a stored template to the Master Template Editor, the "Deploy Stored" function applies all settings of a Master Template to the corresponding sub systems of P4wnP1, immediately (without even loading them to the Master Template Editor).As the startup Master Template overwrites the current WiFi settings, it could happen that you have lost the connection to the webclient and need to reconnect to the P4wnP1 WiFi network.Once you’ve reconnected successfully and inspect the current USB settings and current TriggerActions, the settings we stored earlier have been overwritten by the sub settings of the startup Master Template.There are two ways to deploy the tutorial1 Master Template again:Deploying it using the "Deploy Stored" dialog from the "Master Template Editor" (as done with the startup Master Template a minute, ago)Deploying it using the CLI client with P4wnP1_cli template deploy –full tutorial1 (the –full flag is an alias for Master Template)Beeing able to deploy the Master Template tutorial1, we already achieved one of our new goals:It is assured, that the USB configuration has the keyboard functionality enabled when we load our keystroke injection setup.A quick summary on how this works:the Master Template tutorial1 loads USB settings, called tutorial1 which have USB keyboard and USB mouse enabledthe Master Template tutorial1 loads a TriggerAction set with a single TriggerAction the TriggerAction starts the HID script tutorial1.js each time P4wnP1 gets attached to an USB host the HIDScript starts typing, once the waitLED trigger fires (keyboard driver ready) and ends after a successive LED changeThe only remaining goal is the following: The created setup should applied at boot of P4wnP1 A.L.O.A., without the need of manually loading of the TriggerAction set. The setup has to survive a reboot of P4wnP1.This goal could be achieved pretty easy now. The "Generic Settings" tab of the webclient presents a card called Startup Master Template. Changing the Startup Master Template to tutorial1 at this point would have immediate effect and it would likely *destroy the working boot configuration of P4wnP1 A.L.O.A.".Important: If a Master Template has sub templates left empty (f.e. if there is no Bluetooth template selected), the respective sub system isn’t reconfigured when the Master Template is loaded. While this comes in handy for runtime reconfiguration without resetting already running sub systems like the USB stack or WiFi stack if not needed, Master Templates used as Startup Master Template leave sub systems without defined templates in an UNDEFINED STATE. If, for example, no valid WiFi template is provided, it is unlikely that P4wnP1 A.L.O.A. will be reachable via WiFi after rebootSo before deploying our new tutorial1 Master Template as Startup Master Template, we assure proper settings are loaded for the other subsystem. We do that like this:From the "Master Template Editor" hit the "Load Stored" button and reload the tutorial1 template to the editor.The template should have tutorial1 set for "TriggerActions Template" and for "USB template"For "WiFi Template" select the template named startupFor "Bluetooth Template" select the template named startupFor "Network Templates" select the templates named: bteth_startupusbeth_startupwlan0_startup_dhcp_serverOverwrite the tutorial1 Master Template with the new settings (hit "Store", enter tutorial1 and confirm with "OK")Double check that the changes have applied, by hitting "Load Stored", again, and selecting tutorial1. All subsections of the loaded Master Template should look like described here.Now we are ready to deploy our new Master Template as Startup Master Template. After doing so we hit the "reboot" button.Once rebooted, P4wnP1 A.L.O.A. should trigger the HIDScript automatically (and should still be reachable via WiFi, to allow reconfiguration)Congratulations, all goals achievedYou have learned about the very basic workflow concepts of P4wnP1 A.L.O.A.3. Where to go from hereIt is currently not possible to provide a full documentations. So here are some comments on topics which haven’t been touched, yet, but are worth investigating.BashScriptsP4wnP1 allows running BashScripts from TriggerActions. The scripts which are usable from TriggerActions are homed at /usr/local/P4wnP1/scripts. If a script is called from a TriggerAction, several arguments (like the actual trigger) are handed in via bash variables. The file /usr/local/P4wnP1/scripts/trigger-aware.sh provides a nice example of a bash script which acts differently, depending on the calling trigger. It is worth having a look onto this script, as it uses all "TriggerAction variables" currently available.GPIOThe community of the old P4wnP1 version occasionally came up with hardware mods or extensions of the Rapsberry PI and the question how to integrate them. It isn’t possible for me to provide a generic solution to this problem. Neither is it a good idea, to provide support for a very specific hardware extension, which is only used by a few people. With the introduction of TriggerAction the idea came up, to support GPIO as both, Triggers via GPIO input and Actions issuing GPIO output. Although not planned for the first release, this feature has already been implemented. I still haven’t had the time to document it and it could easily happen that some things change. The functionality uses the "periph.io" library with some minor extension (customized edge detection with custom de-bounce for GPIO, thanks to @marcaruel for exchange on this)nexmon KARMAThe WiFi firmware included with P4wnP1 A.L.O.A. has been modified (utilizing nexmon framework) to support KARMA. This feature hasn’t made it into the core so far (needs some rework firmware-wise) and thus isn’t available from webclient or CLI. If you want to play around with the karma features, there is a legacy python CLI, which allows setting the KARMA options on the fly. The python script could be found here: /usr/local/P4wnP1/legacy/karmatool.pyTip: To get most out of the KARMA functionality, you should setup P4wnP1 A.L.O.A. to provide a WiFi Access Point without authentication, otherwise it wouldn’t make to much sense. For poor beacon flooding this isn’t needed, but (static) custom SSIDs for beaconing are limited in their number (saving resources on the WiFi chip)Help screen of karmatool.py:root@kali:/usr/local/P4wnP1/legacy# ./karmatool.py Firmware in use seems to be KARMA capableFirmware configuration tool for KARMA modified nexmon WiFi firmware on Pi0W/Pi3 by MaMe82=========================================================================================RePo: https://github.com/mame82/P4wnP1_nexmon_additionsCreds to: seemoo-lab for "NEXMON" projectA hostapd based Access Point should be up and running, when using this tool(see the README for details). Usage: python karmatool.py [Arguments]Arguments: -h Print this help screen -i Interactive mode -d Load default configuration (KARMA on, KARMA beaconing off, beaconing for 13 common SSIDs on, custom SSIDs never expire) -c Print current KARMA firmware configuration -p 0/1 Disabl e/Enable KARMA probe responses -a 0/1 Disable/Enable KARMA association responses -k 0/1 Disable/Enable KARMA association responses and probe responses (overrides -p and -a) -b 0/1 Disable/Enable KARMA beaconing (broadcasts up to 20 SSIDs spotted in probe requests as beacon) -s 0/1 Disable/Enable custom SSID beaconing (broadcasts up to 20 SSIDs which have been added by the user with ‘–addssid=’ when enabled) –addssid="test" Add SSID "test" to custom SSID list (max 20 SSIDs) –remssid="test" Remove SSID "test" from custom SSID list –clearssids Clear list of custom SSIDs –clearkarma Clear list of karma SSIDs (only influences beaconing, not probes) –autoremkarma=600 Auto remove KARMA SSIDs from beaconing list after sending 600 beacons without receiving an association (about 60 seconds, 0 = beacon forever) –autoremcustom=3000 Auto remove custom SSIDs from beaconing list after sending 3000 beacons without receiving an association (about 5 minutes, 0 = beacon forever) Example: python karmatool.py -k 1 -b 0 Enables KARMA (probe and association responses) But sends no beacons for SSIDs from received probes python karmatool.py -k 1 -b 0 Enables KARMA (probe and association responses) and sends beacons for SSIDs from received probes (max 20 SSIDs, if autoremove isn’t enabled) python karmatool.py –addssid="test 1" –addssid="test 2" -s 1 Add SSID "test 1" and "test 2" and enable beaconing for custom SSIDs< br/>WiFi covert channelThe WiFi covert channel hasn’t been ported to Go and isn’t part of the P4wnP1 core. Anyways, the legacy functionality is provided. In order to make the covert channel run, several conditions have to be met:a keystroke injection has to be applied to the target client to inject stage1stage1 loads stage2 over a (simplified version) of the HID covert channel, thus a special USB HID device has to be provided and a special HID covert channel server has to be started on P4wnP1, in order to provide stage2a second server has to be started and interface the modified WiFi firmware, in order to manage client connecting in via the WiFi covert channel and provide interactive shell access to those clients (the server is a console application which is meant to run in a terminal multiplexer, like screen)All of the aforementioned conditions could be fulfilled using P4wnP1 A.L.O.A.’s feature set, if the needed components (HID stager, WiFi cover channel server, client agent to deliver) are provided.To carry out such a task with P4wnP1 A.L.O.A. is a great example for its capabilities. Additionally it helps to distinguish what P4wnP1 A.L.O.A. is meant to be and what is not meant to be.P4wnP1 A.L.O.A. is not meant to:be a "weaponized" toolprovide RTR payloads, which could be carried out by everybody, without understanding what’s going on or which risks are involvedP4wnP1 A.L.O.A. is meant to:be a flexible, low-cost, pocket sized platformserve as enabler for tasks like the one described heresupport prototyping, testing and carrying out all kinds of USB related tasks, commonly used during pentest or redteam engagements, without providing a finalized static solutionIn set sense, the /usr/local/P4wnP1/legacy folder homes the needed external tools to run the WiFi covert channel (namely the WiFi server, the HID covert channel stager server and the WiFi covert channel client agent). Those components could be considered as external parts (don’t belong to P4wnP1 A.L.O.A. core).Additionally P4wnP1 A.L.O.A. provides a configuration, which utilizes the given components to do the following things:drive-by against Windows hosts in order to deliver in-memory client code to download stage2 via HID covert channel, based on keystroke injection (HIDScript)starting the keystroke injection, as soon as P4wnP1 is connected to a USB host (TriggerAction issuing HIDScript)bring up the stager, which delivers the WiFi covert channel client agent via HID covert channel, as soon as the keystroke injection starts (TriggerAction running a bash script, which again starts the external server)bring up the WiFi covert channel server, when needed (same TriggerAction and BashScript)deploy a USB setup which provides a USB keyboard (to allow keystroke injection) and an additional raw HID device (serves as covert channel for stage2 delivery) – the USB settings are stored in a settings templatedeploy a WiFi setup, which allows remote access to P4wnP1, in order to allow interaction with the CLI frontend of the WiFi covert channel server – the WiFi settings are stored in a settings templateprovide a single point of entry, to deploy all the needed configurations at once (done by a Master Template, which consists of proper WiFi settings, proper USB settings and the TriggerActions needed to start the HIDScript)The Master Template is called "wifi covert channel". By deploying it from the "generic settings" tap of the webclient ("DEPLOY STORED" from the Master Template Editor) P4wnP1 A.L.O.A. is ready configured to execute all the describe steps.As soon as it is re-attached to a USB host, it should start typing out stage1 and the according servers are started internally. >From a SSH session (for example over WiFi) the WiFi covert channel server could be accessed using screen -d -r wifi_c2 to interact with clients, which connected back over the WiFi covert channel. As the keystroke injection depends on the USB hosts language layout, the according HIDScript called wifi_covert_channel.js has a variable language which could be used to adjust the keyboard layout in use. Additionally there is a variable called hide (false by default). If hide is set to true, the console Window on the client gets hidden while stage1 is typed. This, again, pinpoints how complex tasks could be reduced to a simple bool variable, thanks to HIDScript and the backing JavaScript engine.The "wifi covert channel" demo provided with P4wnP1’s Master Templates could be used as Startup Master Template, too, as WiFi access is still possible and thus the setup could be changed again, remotely at any time.The involved BashScript, which is called from a TriggerAction is a good example how flexible the CLI client could get. As the HID stager needs to know on which device file to listen (the one which represents the generic HID device), but this information is only available at runtime (depends on enabled USB gadget functions), the script requests the CLI to report the correct HID device by running hidraw=$(P4wnP1_cli usb get device raw).The full BashScript is hosted in the folder /usr/local/P4wnP1/scripts, as all bash scripts which should be accessible from TriggerActions.Bluetooth NAPP4wnP1 provides Bluetooth based network functionality over the Bluetooth Network Encapsulation Protocol (BNEP). The currently most interesting feature is the Bluetooth Network Access Point (NAP), which allows IP based Bluetooth remote access to P4wnP1, for example from mobiles.In order to use this feature some things should be known:The bluetooth network interface, called bteth could be configured and templated like the other network interfaces (webclient or CLI)In order to allow NAP access from an Android mobile (iPhone untested), the mobile not only needs to connect, but additionally P4wnP1 has to hand out a proper IP for the default gateway on the bteth interface via DHCP. This is, because the mobile wants to use the NAP as gateway to the Internet (which would be the intended use). If the NAP itself wouldn’t provide a gateway, the Android Mobile would do no further requests after the DHCP D.O.R.A. The easiest way to overcome this, is to instruct the DHCP server to provide the IP of the bteth interface itself as default gateway (DHCP option 3). Even if there is no real upstream connection, this worked during my tests – as the mobile has to access the gateway with layer3 communication in order to "phone home". Even if successive connectivity tests fail, the working layer 3 connection persists. This allows, for example, SSH access via Bluetooth. With "High Speed" enabled, the webclient works pretty nice, too.In order to allow PIN based pairing Simple Secure Pairing (SSP) has to be disabled. If SSP is enabled, the running Pairing agent confirms every passkey (which means even less security than with legacy PIN pairing, as every device is able to connect). Maybe a confirmation dialog for SSP based passkey pairing will be implemented for the CLI/webclient in future, but currently this is out of scope. I highly suggest to disable "discoverable" and "bondable" if SSP is in use, as soon as the intended device has paired.Another shortcoming of having SSP disabled, is that "High Speed" wouldn’t be usable for bluetooth conections (or to enable High Speed, pairing has to be done with SSP). Without "High Speed" enabled (uses 802.11 frames for communication) it would take about 10 minutes to request the webclient, with high speed enabled it takes some seconds. Using SSH and the CLI client over a NAP without "High Speed" should be fine, though.The default Bluetooth network interface settings (bteth_startup) and the default Bluetooth settings (startup) should allow "Low Speed" access over SSH with legacy PIN pairing. The PIN is 1337 and could be changed from the webclient.TriggerAction GroupsThe TriggerActions come with a nice rooting capability called "Groups". I didn’t managed to come up with a feature demo in time, but I’m planning to include an example for an LED based 4 bit binary counter (using GPIOs, a toggle switch and 4 LEDs).The idea of groups is the following:Consider you want to have 4 TriggerActions (TAs) firing on the exact same Trigger (for example "on attached to USB host"). You could achieve this by creating 4 TAs, each with the Trigger "on attached to USB host".Alternatively, you could bring up a TriggerAction which sends the value 1 to a group named "connected" when the "on attached to USB host" occurs. Now you define your other 4 TriggerActions to fire when the value 1 is received on a group named "connected". The result would be the same and not make too much sense for now (in fact it needs one more TriggerAction). The only positive effect, for now, is that the TriggerActions are slightly more readable, thanks to the group name, which could be chosen freely.Now the first advanced thing you could do, is to run the following CLI command:P4wnP1_cli trigger send –group-name=connected –group-value=1This command would have the exatc same effect as the "on attached to USB host" host TriggerAction and all 4 other TAs, which are waiting for the value 1 to arrive on the group connected would fire. As you maybe remember, the CLI client could run remotely (from different platforms), so it could be used to Trigger command remotely.The Trigger which reacts on "Group channels" is called "value on group channel". The more interesting trigger is called "multiple values on group channel". This "multiple values" trigger allows to listen for ordered sequences of values, or one of multiple values or all values in an unordered sequence, before it fires.Let’s say you qant to fire a BashScript, when these conditions are met:The WiFi AP is upP4wnP1 has been connected to a USB hostYou could create TAs for both events like this:On "WiFi AP up" –> send value 1 to group "conditions"On "attached to USB host" –> send value 2 to group "conditions"Now you could deploy a third TriggerAction like thisOn "multiple values on group channel"; values (1,2); type "All (logical AND)" –> start bash scriptIn this configuration, the bash script would only start if both "condition" Trigger have fired.If "exact ordered sequence" would have been used, instead of "All (logical AND)" for the type, the bash script would only start if the WiFi AP come up before the USB connected Trigger (not the otherway around). In combination with GPIO triggers, this could for example be used, to trigger actions based on the input of a simple PIN pad.I’m sure you have some nice usage ideas for "group" channels.Worth mentioning:The CLI client is able to do a blocking wait, till a dedicated value arrives on a "group channel", using a command like this:P4wnP1_cli trigger wait –group-name=waitgroup –group-value=1This could be used, to drive scripts from TriggerActions, utilizing the CLI (with their full power like GPIO).Work in progress, missing sections:HIDScript Trigger variables (variables handed in to HIDScripts fired from TriggerActions)HIDScript helpers (powershell functions)HIDScript demo snake (mouse)USB Mass storage (genimg helper)4. Rescue: Help, I can’t reach P4wnP1 A.L.O.A. as I messed up the configurationP4wnP1 A.L.O.A. doesn’t protect you from misconfiguration, which render it unusable (as a root console wouldn’t protect you from running rm -rf /).In case you messed everything up, here some ideas how to fix things:Database backupBefore you take critical changes to a still working P4wnP1 configuration, create a database backup. This could either be done from the "Generic Settings" tab of the webclient or the the CLI, with the P4wnP1_cli db backup command. The backup will be stored in the folder /usr/local/P4wnP1/db under the chosen name. The "restore" function or P4wnP1_cli db restore command could be used to restore a given backup. A backup contains all stored templates (USB, WiFi, Network, Bluetooth, TriggerActions, MasterTemplates) and the Startup Master Template which has been set. The backup doesn’t include HIDScripts or BashScripts, as both are stored as files to allow easy editing.I have no backup and messed everythingWhen P4wnP1 A.L.O.A. starts, it checks if a database exists. If the database doesn’t exist it fills a new database based on an initial backup which ships with P4wnP1 A.L.O.A.The initial backup is stored at /usr/local/P4wnP1/db/init.db and should never be deleted or overwritten.In order to force P4wnP1 to re-create the actual database has to be deleted. This could be achieved by mounting the P4wnP1 A.L.O.A. SD card on a system which is capable of writing EXT partitions.Once done, delete the folder /usr/local/P4wnP1/store from the SD card’s root partition. This deletes the database and thus forces re-creation once P4wnP1 is booted, againI have a backup, but can’t access P4wnP1 to restore itIf you can’t restore an existing database, because you have no access, you could still follow the steps from "I have no backup and messed everything". In addition to deletion of the /usr/local/P4wnP1/store replace the /usr/local/P4wnP1/db/init.db file with the one from your backup (be sure to have a backup copy of init.db).This should re-create your custom DB once P4wnP1 is rebooted.I messed the Startup Master Template of my backupIf you have a backup for which the Startup Master Template doesn’t work. You have to do some additional steps, as it isn’t possible to change the Startup Template directly in a backup.First follow the steps from "I have no backup and messed everything" which re-create the initial P4wnP1 database. After a reboot of P4wnP1, you should be able to access P4wnP1’s webclient remotely, again.Move on to the "Generic Settings" and restore your own backup (the one with the wrong Startup Master Template).The "Startup Master Template" should show your "broken" Master Template as selected. If this isn’t the case, reload the browser tab hosting the webclient application.Again, navigate to the "Generic Settings" tab and select a Startup Master Template which is known to work.At this point you should be ready to reboot.non of the above helpedSorry, seems you have to recreate your P4wnP1 A.L.O.A. SD crad from a clean image.5. CreditsUnder construction, random order@JohanBrandhorst (close exchange on gRPC-web via gopherjs, ridiculous fast implementation of "websocket for server streaming", feature request)@steevdave, @_binkybear (kali build scripts, discussion ongoing exchange)@Re4sonKernel (Support on moving P4wnP1 kernel changes to a well maintained and popular repo, collaboration on Bluez fixes)@SymbianSyMoh (Inspiration for HID attack re-trigger without reboot)@quasarframework (could list this under 3rd party libs, but the work done here is insane; the look&feel of the P4wnP1 webclient is more or lees based on default components of this beautiful library)@CyberArms (one of the most early P4wnP1 supporters, writer of the best tutorial and even books on such topics)@LucaBongiorni (not only one of the earliest supporters, he does in hardware, what I’m only to do in software; he gives talks on the USB topic and honors Open Source solutions, all in all a great guy and an inspiration)@evilsocket (his block pushed me towards Go, a great OSS developer, read his code and you know what I mean)@RoganDawes and @Singe from @SensePost (inspiring guys)@Swiftb0y (Early supporter, creator of the "old" P4wnP1 WiKi, early tester for ideas on P4wnP1 A.L.O.A.)@marcaruel (discussion on GPIO edge detection using periph.io)6. ToDos and supportThis isn’t a full fledged ToDo list, but some milestones are left and I’d be happy to receive som community support on thisPorting the full HID covert channel functionality to Go core (I’m on my own with that)add Bluetooth configuration command for CLICreate additional keyboard layouts (currently br, de, es, fr, gb, it, ru and us are supported)extend Bluetooth functionality to allow connection to other discoverable devices (authentication and trust)move WiFi KARMA functionality from dedicated python tool to P4wnP1 core (with webclient support))Create full documentation for HIDScript (basically only the mouse part is missing)Create full documentation for P4wnP1 (hoping for community)Get rid of a remaining dependency on the docker netlink (see README of the netlink folder)Note on Bluetooth:P4wnP1 works with custom bindings to the Bluez API. Although the Bluez API supports Low Energy (GATT, emulating peripherals etc.) it isn’t planned to integrate this functionality into P4wnP1 A.L.O.A.Note on Nexmon:P4wnP1 utilizes nexmon. Most people know nexmon as a firmware modification which allows enabling monitor mode and package injection for broadcom WiFi chips (including the BCM43430a1, which is used by the Raspberry Pi Zero W). But nexmon is more, it is a framework which allows modifying ARM firmware blobs (after a bit of reversing), with patches written in high level C code. P4wnP1 uses this framework, to apply custom patches to the WiFi firmware, which enable hardware based KARMA support and firmware (as well as driver) support for the WiFi covert channel. It isn’t the aim of this modifications to provide proper monitor mode or injection support for the built-in WiFi interface. Although, the legacy nexmon monitor mode functionality is included in the current WiFi firmware, it is considered "erroneous", as it interferes with standard WiFi functionality used by P4wnP1 (crashes if the interface is used in station mode etc.).Download P4wnP1_aloa

Link: http://feedproxy.google.com/~r/PentestTools/~3/igwQvhbsl94/p4wnp1-aloa-framework-which-turns.html