Permalink
Switch branches/tags
Nothing to show
Find file Copy path
c0cbc5d Sep 5, 2017
1 contributor

Users who have contributed to this file

146 lines (125 sloc) 4.77 KB
# This file is part of P4wnP1.
#
# Copyright (c) 2017, Marcus Mengs.
#
# P4wnP1 is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# P4wnP1 is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with P4wnP1. If not, see <http://www.gnu.org/licenses/>.
# P4wnP1 payload Template by MaMe82
# ==========================
# Empty payload starting all USB functions
# - USB Mass storage
# - CDC ECM device (Linux ethernet over USB)
# - RNDIS device (Windows ethernet over USB)
# - USB keyboard
# =============================
# USB setup
# =============================
# Make sure to change USB_PID if you enable different USB functionality in order
# to force Windows to enumerate the device again
USB_VID="0x1d6b" # Vendor ID
USB_PID="0x0106" # Product ID
USE_ECM=true # if true CDC ECM will be enabled (Ethernet over USB for Windows)
USE_RNDIS=true # if true RNDIS will be enabled (Ethernet over USB for macOS/Linux)
USE_HID=true # if true HID keyboard will be enabled (USB keyboard attacks)
USE_UMS=true # if true USB Mass Storage will be enabled
USE_RAWHID=true # if true HID raw device will be enabled (used by HID covert channel payloads)
# ==========================
# Network and DHCP options for Ethernet over USB
# ==========================
# We choose an IP with a very small subnet (see comments in README.rst)
IF_IP="172.16.0.1" # IP used by P4wnP1
IF_MASK="255.255.255.252"
IF_DHCP_RANGE="172.16.0.2,172.16.0.3" # DHCP Server IP Range
# ============================
# Network and DHCP options for WiFi (Pi Zero W with "wlan0" present)
# ============================
WIFI_ACCESSPOINT=true
WIFI_ACCESSPOINT_PSK="MaMe82-P4wnP1"
WIFI_ACCESSPOINT_IP="172.24.0.1" # IP used by P4wnP1
WIFI_ACCESSPOINT_NETMASK="255.255.255.0"
WIFI_ACCESSPOINT_DHCP_RANGE="172.24.0.2,172.24.0.100" # DHCP Server IP Range
# =====================
# Keyboard config
# =====================
# Keyboard language for outhid and duckhid commands
# possible languages: "be", "br", "ca", "ch", "de", "dk", "es", "fi", "fr", "gb", "hr", "it", "no", "pt", "ru", "si", "sv", "tr", "us"
lang="us"
# This function gets called after the target host enables the network interface
# (RNDIS, CDC ECM or both have to be enabled)
function onNetworkUp()
{
# commands in this callback function are ran as root
#
# available variables:
# $IF_IP: IP used by P4wnP1
# $IF_MASK: Netmask used by P4wnP1
# $IF_DHCP_RANGE: P4wnP1 DHCP Server IP Range
# $active_interface: Internal network interface in use by P4wnP1 (usb0, usb1 or none)
# $wdir: Absolute path to P4wnP1 main directory
#
# available commands:
# outhid
# Pipe ASCII into this command to output via HID keyboard on target
# The output keyboard layout is derived from the "lang" option (Keyboard config)
# Note: A newline character (ASCII 0x0A) is interpreted as RETURN key
# outhid only works if USE_HID=true
#
# Example: echo "Hello World | outhid"
#
# duckhid
# Pipe DuckyScript into this command to output via HID keyboard on target
# The output keyboard layout is derived from the "lang" option (Keyboard config)
# duckhid only works if USE_HID=true
#
# Example (starting notepad, indents only for readability):
# cat << EOF | duckhid
# DELAY 500
# GUI r
# DELAY 500
# STRING notepad.exe
# ENTER
# EOF
}
# this function gets called if the target host received a DHCP lease
# (DHCP client has to be running on target)
function onTargetGotIP()
{
# commands in this callback function are ran as root
#
# available variables:
# same as onNetworkUp()
#
# additional variables:
# $target_ip: The IP the target host received via its DHCP lease
#
# available commands:
# same as onNetworkUp()
}
# this function gets called after P4wnP1 finished booting
# Caution: This doesn't necessarily mean that "onNetworkUp" or "onTargetGotIP"
# have already been called
function onBootFinished()
{
# commands in this callback function are ran as user root
}
# commands in this function are ran if the user pi logs in (SSH or local)
function onLogin()
{
# commands in this callback function are ran as user pi
}
# this function gets called if the target is done installing the driver for the HID keyboard
# (USE_HID and HID_KEYBOARD_TEST have to be set to "true")
function onKeyboardUp()
{
# commands in this callback function are ran as user root
}