forked from RoganDawes/P4wnP1
-
Notifications
You must be signed in to change notification settings - Fork 0
/
setup.cfg
104 lines (84 loc) · 5.32 KB
/
setup.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
#!/bin/sh
###########################
# General config
# these are the default settings
# the setting are only used, if not defined in the payload itself
###########################
# USB setup
# ---------------------------
# Make sure to change USB_PID if you enable different USB functionality in order
# to force Windows to enumerate the device again
USB_VID="0x1d6b" # Vendor ID
USB_PID="0x0137" # Product ID
USE_ECM=true # if true CDC ECM will be enabled
USE_RNDIS=true # if true RNDIS will be enabled
USE_HID=false # if true HID (keyboard) will be enabled
USE_RAWHID=false # if true a raw HID device will be enabled
USE_RAWHID_FULLDUPLEX=false # if true two raw HID devices will be enabled (input + output)
USE_UMS=false # if true USB Mass Storage will be enabled
# ===========================================
# Network and DHCP options USB over Ethernet
# ===========================================
# We choose an IP with a very small subnet (see comments in README.rst)
IF_IP="172.16.0.1" # IP used by P4wnP1
IF_MASK="255.255.255.252"
IF_DHCP_RANGE="172.16.0.2,172.16.0.2" # DHCP Server IP Range
ROUTE_SPOOF=false # set two static routes on target to cover whole IPv4 range
WPAD_ENTRY=false # provide a WPAD entry via DHCP pointing to responder
# ============================
# WiFi options (only Pi Zero W)
# ============================
WIFI_REG=US # WiFi regulatory domain (if not set accordingly, WiFi channels are missing)
# Access Point Settings
# ---------------------
WIFI_ACCESSPOINT=true
WIFI_ACCESSPOINT_NAME="P4wnP1"
WIFI_ACCESSPOINT_PSK="MaMe82-P4wnP1"
WIFI_ACCESSPOINT_IP="172.24.0.1" # IP used by P4wnP1
WIFI_ACCESSPOINT_NETMASK="255.255.255.0"
WIFI_ACCESSPOINT_DHCP_RANGE="172.24.0.2,172.24.0.100" # DHCP Server IP Range
WIFI_ACCESSPOINT_HIDE_SSID=false # use to hide SSID of WLAN (you have to manually connect to the name given by WIFI_ACCESSPOINT_NAME)
# WiFi Client Settings
# --------------------
WIFI_CLIENT=false # enables connecting to existing WiFi (currently only WPA2 PSK)
# example payload: wifi_connect.txt
# Warning: could slow down boot, because:
# - scan for target network is issued upfront
# - DHCP client is started and waits for a lease on WiFi adapter
# Note: if WIFI_ACCESSPOINT is enabled, too:
# - P4wnP1 tries to connect to the given WiFi
# - if connection fails, the AccessPoint is started instead
WIFI_CLIENT_SSID="Accespoint Name" # name of target network
WIFI_CLIENT_PSK="AccessPoint password" # passphrase for target network
WIFI_CLIENT_STORE_NETWORK=false # unused right now, should be used to store known networks, but priority has to be given if multiple known networks are present
WIFI_CLIENT_OVERWRITE_PSK=true # unused right now, in case the network WIFI_CLIENT_STORE_NETWORK is set an existing PSK gets overwritten
# ==================================
# Keyboard settings for HID keyboard
# ==================================
lang="us" # Keyboard language for outhid and duckhid commands
HID_KEYBOARD_TEST=true # if enabled 'onKeyboardUp' is fired as soon as the host initializes the keyboard
# ===============================================
# Settings for reachback connections with AutoSSH
# ===============================================
AUTOSSH_ENABLED=false # if enabled P4wnP1 will continuously try to bring up a SSH connection tunneling out its internal SSH server to a remote SSH Server
AUTOSSH_REMOTE_HOST=YourSSH-server.com # host address of the remote SSH server
AUTOSSH_REMOTE_USER=root # valid user of the remote SSH server (passwordless login has to be possible with the key given by AUTOSSH_PRIVATE_KEY)
AUTOSSH_PRIVATE_KEY="$wdir/ssh/keys/P4wnP1_id" # private key used to login to the remote server (has to be present in ~/.ssh/authorized_keys file of AUTOSSH_REMOTE_USER)
AUTOSSH_PUBLIC_KEY="$wdir/ssh/keys/P4wnP1_id.pub" # this key has to be present in ~/.ssh/authorized_keys file of AUTOSSH_REMOTE_USER, (use ./ssh/pushkey.sh to assist)
AUTOSSH_REMOTE_PORT=8765 # P4wnP1's SSH shell will be reachable at this port on the remote SSH server (the port is bound to localhost and thus not exposed to public facing IP)
# =============================
# Settings for USB Mass Storage
# =============================
# =====================
# Payload selection
# =====================
PAYLOAD=network_only.txt
#PAYLOAD=hid_backdoor_remote.txt # AutoSSH "reachback" version of hid_backdoor (see payload comments for details)
#PAYLOAD=wifi_connect.txt
#PAYLOAD=stickykey/trigger.txt # Backdoor Windows LockScreen with SYSTEM shell, triggered by NUMLOCK, trigger SCROLLLOCK to revert the changes
#PAYLOAD=hakin9_tutorial/payload.txt # steals stored plain credentials of Internet Explorer or Edge and saves them to USB flash drive (for hakin9 tutorial)
#PAYLOAD=Win10_LockPicker.txt # Steals NetNTLMv2 hash from locked Window machine, attempts to crack the hash and enters the plain password to unlock the machin on success
#PAYLOAD=hid_backdoor.txt # under (heavy) development
#PAYLOAD=hid_frontdoor.txt # HID covert channel demo: Triggers P4wnP1 covert channel console by pressing NUMLOCK 5 times on target (Windows)
#PAYLOAD=hid_keyboard.txt # HID keyboard demo: Waits till target installed keyboard driver and writes "Keyboard is running" to notepad
#PAYLOAD=hid_keyboard2.txt # HID keyboard demo: triggered by CAPS-, NUM- or SCROLL-LOCK interaction on target