Does poisontap really work with Windows 7 or 19?
AFAIK, CDC ECM is not supported so Windows should never see the device as an ethernet device.
At least on Windows 7 it's supported, but you have to point it to the driver manually like this:
Not sure if it's possible to make it automatically recognize it.
Last I checked, this has no support for Windows 19.
So I think we agree to say that poisontap cannot hack a Windows PC as described in the README.
confirmed working on win10
Manually installing a hack doesn't count as it working.
Windows 10 required no intervention. Auto installs.
tested on win7 x64 sp1, win8.1 x64, win10 and not working: the pi zero is detected as "Other devices => RNDIS/Ethernet Gadget". any hints to make it auto install?
I've tested this on Windows 10 without any signs of the RNDIS device showing up in Device Manager.. I may need to reinstall Raspian to verify that this is not a problem with preexisting/conflicting software.
The only way to get this to "auto install" is to manually exploit your machine by installing the driver then using the device. (This requires the machine to be unlocked and the user to have elevated privileges.)
After the driver is installed then this "attack" will work. But the exploit was the driver install not this device.
Windows 10 works without a problem. I have my target machine on wifi and when the pi is plugged in, it connects to the Ethernet gadget and launches PoisonTap.
I've also tested on a Windows 10 machine without requiring installing anything. Perhaps some versions come with the driver installed. @mwwhited sounds like you're more familiar with this area, do you want to provide some suggestions in the case of the systems that do not autoload? Do you know if all ethernet-to-USB dongles use this same driver or other drivers that may provide automatic access across a wider base of users? Perhaps there's another driver we can emulate on the RPi.
I just tried on a second machine - vanilla win10 pro install. Device auto installs and comes up - it did fail the first time I plugged it in (driver installed but device issue) I unplugged and plugged back in and it came up fine.
Just wanted to validate that I hadn't previously installed driver manually on the first machine I tried it on.
I've tried several Win10 systems, and whilst the 'PoisonTap' USB Composite device installs, the CDC ECM nic driver does not
installs fine without interaction on my win 10 systems
this is the driver that is used.
Thanks for sharing @brew-ninja, appreciate the help!
Thanks. Could you do me a favour and confirm what "Bus reported device description" and "Hardware Ids" shows for that device
Bus reported device description: RNDIS/Ethernet Gadget
Blocking the device ID via local/group policy was the basis of this mitigation I suggested: #26
On some machines it is installed and recognized as a serial port, thus not working. The only solution in such a case is to take the serial port, update manually the drivers to the Acer RNDIS/Ethernet Gadget and then it will work. It was not working at first for me (but it is not a Poisontap related issue, more of a raspberry installation issue)
I have tested poisontab in three different windows seven pro machines, in each case installing the Rdnis driver manually is required for the ethernet adapter to work. I have found this page and a Pdf
HCC RNDIS Device Class Driver Windows Automatic Installation Guide v1.00.pdf
that talk about wich usb_class and subclass to advertize in order for automatic driver installation :
I have tried adding a bDeviceSubClass with a value of 0x04, with no luck but I'am quite sure we can find a way to make it work.
By the way thanks for the awesome work !
I did some more poking, and I found that the guys at ev3 (linux for Lego Mindstorm) have found a usb gadget config that appears to works : https://github.com/ev3dev/ev3-systemd/blob/ev3dev-jessie/scripts/ev3-usb.sh Will try it tomorrow and make a pull request if it's really working.
I modified the script:
echo 0x04b3 > idVendor #
echo 0x4010 > idProduct #
and the network device is installed without user interaction on a win7 x64 sp1 as
"IBM USB Remote NDIS Network Device". anyone to verify on win8 / win10?
Oh awesome! I don't have Windows available anymore but I will attempt to test on macOS 10.12.1. Someone able to test on Linux would be helpful too.
kali install =>
[196997.716921] rndis_host 3-3:1.0 usb0: register 'rndis_host' at usb-0000:00:14.0-3, RNDIS device,
Bus 003 Device 044: ID 04b3:4010 IBM Corp.
usb0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
Seems to work on win 8.1 64. Considering the issues I had on 10 were the same as on 8.1 I'd guess it should work on 10 as well.
works on win10
Fiy on my rasbian when using the g_ether module, the configfs information in the startup.sh script is not taken into account and the usb gadget default to standard value, I have to load the libcomposite module in order for the configfs to be used.
@mmourey - I managed to get this working on Windows 8 & 10 with auto installing the driver. Thanks for the hints you included in your previous posts :)
However, I failed to do the same for Windows 7. I'm not sure if it's a protection mechanism for the image I have. Did you manage to get it working on Win 7?
see attached img from Win 8 of the rpi zero without any additional driver (or manual installation)
@AddaxSoft did you try the EV3 USB VID/PID in pi_startup.sh?
echo 0x04b3 > idVendor
echo 0x4010 > idProduct
I have been testing with poisontap and I have made several clean installations but it still does not work. I followed the installation instructions step by step and nothing. In Windows 7 poisontap appears with RNDIS Ethernet Gadget without associated driver, I tried to install a driver but without success. In Windows 10 poisontap appears as a Serial USB device and I could not change the driver. I have already tried changing the ID Vendor and ID Product and without success as well. In Linux if I launch an lsusb if the device appears to me but I am not launched the capture process. I do not have any Macs to run the test.
Thank you very much for the help.
You may want to try this version which has automatic OS detection and adjusts setup based on it: