forked from RoganDawes/P4wnP1
-
Notifications
You must be signed in to change notification settings - Fork 0
/
setup.cfg
131 lines (108 loc) · 6.96 KB
/
setup.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
#!/bin/sh
###########################
# General config
# these are the default settings
# the setting are only used, if not defined in the payload itself
###########################
# USB setup
# ---------------------------
# Make sure to change USB_PID if you enable different USB functionality in order
# to force Windows to enumerate the device again
USB_VID="0x1d6b" # Vendor ID
USB_PID="0x0137" # Product ID
USE_ECM=true # if true CDC ECM will be enabled
USE_RNDIS=true # if true RNDIS will be enabled
USE_HID=false # if true HID (keyboard) will be enabled
USE_HID_MOUSE=true # if true HID mouse will be enabled
USE_RAWHID=false # if true a raw HID device will be enabled
USE_UMS=false # if true USB Mass Storage will be enabled
# ===========================================
# Network and DHCP options USB over Ethernet
# ===========================================
# We choose an IP with a very small subnet (see comments in README.rst)
IF_IP="172.16.0.1" # IP used by P4wnP1
IF_MASK="255.255.255.252"
IF_DHCP_RANGE="172.16.0.2,172.16.0.2" # DHCP Server IP Range
ROUTE_SPOOF=false # set two static routes on target to cover whole IPv4 range
WPAD_ENTRY=false # provide a WPAD entry via DHCP pointing to responder
# ============================
# WiFi options (only Pi Zero W)
# ============================
WIFI_NEXMON=false # Experimental: enables the use of Nexmon driver + firmware to add monitor mode capability
WIFI_REG=US # WiFi regulatory domain (if not set accordingly, WiFi channels are missing)
# Access Point Settings
# ---------------------
WIFI_ACCESSPOINT=true
WIFI_ACCESSPOINT_NAME="P4wnP1"
WIFI_ACCESSPOINT_PSK="MaMe82-P4wnP1"
WIFI_ACCESSPOINT_IP="172.24.0.1" # IP used by P4wnP1
WIFI_ACCESSPOINT_NETMASK="255.255.255.0"
WIFI_ACCESSPOINT_DHCP_RANGE="172.24.0.2,172.24.0.100" # DHCP Server IP Range
WIFI_ACCESSPOINT_HIDE_SSID=false # use to hide SSID of WLAN (you have to manually connect to the name given by WIFI_ACCESSPOINT_NAME)
# WiFi Client Settings
# --------------------
WIFI_CLIENT=false # enables connecting to existing WiFi (currently only WPA2 PSK)
# example payload: wifi_connect.txt
# Warning: could slow down boot, because:
# - scan for target network is issued upfront
# - DHCP client is started and waits for a lease on WiFi adapter
# Note: if WIFI_ACCESSPOINT is enabled, too:
# - P4wnP1 tries to connect to the given WiFi
# - if connection fails, the AccessPoint is started instead
WIFI_CLIENT_SSID="Accespoint Name" # name of target network
WIFI_CLIENT_PSK="AccessPoint password" # passphrase for target network
WIFI_CLIENT_STORE_NETWORK=false # unused right now, should be used to store known networks, but priority has to be given if multiple known networks are present
WIFI_CLIENT_OVERWRITE_PSK=true # unused right now, in case the network WIFI_CLIENT_STORE_NETWORK is set an existing PSK gets overwritten
# ==================================
# Keyboard settings for HID keyboard
# ==================================
lang="us" # Keyboard language for outhid and duckhid commands
HID_KEYBOARD_TEST=true # if enabled 'onKeyboardUp' is fired as soon as the host initializes the keyboard
# ===============================================
# Settings for reachback connections with AutoSSH
# ===============================================
AUTOSSH_ENABLED=false # if enabled P4wnP1 will continuously try to bring up a SSH connection tunneling out its internal SSH server to a remote SSH Server
AUTOSSH_REMOTE_HOST=YourSSH-server.com # host address of the remote SSH server
AUTOSSH_REMOTE_USER=root # valid user of the remote SSH server (passwordless login has to be possible with the key given by AUTOSSH_PRIVATE_KEY)
AUTOSSH_PRIVATE_KEY="$wdir/ssh/keys/P4wnP1_id" # private key used to login to the remote server (has to be present in ~/.ssh/authorized_keys file of AUTOSSH_REMOTE_USER)
AUTOSSH_PUBLIC_KEY="$wdir/ssh/keys/P4wnP1_id.pub" # this key has to be present in ~/.ssh/authorized_keys file of AUTOSSH_REMOTE_USER, (use ./ssh/pushkey.sh to assist)
AUTOSSH_REMOTE_PORT=8765 # P4wnP1's SSH shell will be reachable at this port on the remote SSH server (the port is bound to localhost and thus not exposed to public facing IP)
# =============================
# Settings for Bluetooth PAN (Pi Zero W only)
# =============================
# Note: Connecting Bluetooth Network Access Point (NAP) with a mobile device
# requires to disable other networks with internet access on this device in most cases
# (like WiFi).
# NAP provided by P4wnP1 doesn't necessarily provide Internet access, but is used to
# grant network access on P4wnP1 via bluetooth. The alternative would be to establish
# a "Group Network (GN)" instead of NAP, which unfortunately didn't work in most test cases,
# when it cames to connection of a mobile device.
# So if Internet should be provided from P4wnP1 via NAP (which isn't the purpose of P4wnP1),
# P4wnP1 itself has to be connected to Internet (for example using RNDIS + ICS on windows or
# using the WiFi client mode). Additionally iptables rules have to be deployed to enable MASQUERADING
# on the respective outbound interface.
#
# To summerize: P4wnP1 provides NAP as access option to SSH via bluetooth, not to serve Internet,
# although this could be achieved.
BLUETOOTH_NAP=false # Enable Bluetooth NAP to SSH in via Bluetooth
BLUETOOTH_NAP_PIN=1337 # unused, PIN authentication currently not working (custom agent for bluez 5 needed)
BLUETOOTH_NAP_IP="172.26.0.1" # IP used by P4wnP1
BLUETOOTH_NAP_NETMASK="255.255.255.0"
BLUETOOTH_NAP_DHCP_RANGE="172.26.0.2,172.26.0.100" # DHCP Server IP Range
# =============================
# Settings for USB Mass Storage
# =============================
# =====================
# Payload selection
# =====================
PAYLOAD=network_only.txt
#PAYLOAD=hid_mouse.txt # HID mouse demo: Shows different ways of positioning the mouse pointer, using P4wnP1's MouseScript languag
#PAYLOAD=hid_backdoor_remote.txt # AutoSSH "reachback" version of hid_backdoor (see payload comments for details)
#PAYLOAD=wifi_connect.txt
#PAYLOAD=stickykey/trigger.txt # Backdoor Windows LockScreen with SYSTEM shell, triggered by NUMLOCK, trigger SCROLLLOCK to revert the changes
#PAYLOAD=hakin9_tutorial/payload.txt # steals stored plain credentials of Internet Explorer or Edge and saves them to USB flash drive (for hakin9 tutorial)
#PAYLOAD=Win10_LockPicker.txt # Steals NetNTLMv2 hash from locked Window machine, attempts to crack the hash and enters the plain password to unlock the machin on success
#PAYLOAD=hid_backdoor.txt # under (heavy) development
#PAYLOAD=hid_frontdoor.txt # HID covert channel demo: Triggers P4wnP1 covert channel console by pressing NUMLOCK 5 times on target (Windows)
#PAYLOAD=hid_keyboard.txt # HID keyboard demo: Waits till target installed keyboard driver and writes "Keyboard is running" to notepad
#PAYLOAD=hid_keyboard2.txt # HID keyboard demo: triggered by CAPS-, NUM- or SCROLL-LOCK interaction on target