Exchange...Get in touch

[mame82]

Looked into your mimikatz payload.

It would be a good idea to load mimikatz via covert HID channel into the PowerShell session and get rid of the webserver. Seems I need to develop another HID payload and a built-in command for P4wnP1 to download files via HID into memory. This would be less evasive and could nicely deal with endpoint protections which don't account for USB HID PnP devices.

Would you like to contribute payloads to P4wnP1? (guess I need to finalize the payload format to avoid reworking them all the time)

[mame82]

Btw. the reason of packing JtR was to start bruteforcing NetNTLMv2 hashes captured from locked machines and unlock the machine via HID keyboard (if the password is weak enough, ~ 100000 hashes per second are possible on Pi Zero). I haven't finished this because "Snagging cress from locked machines" fails in most cases. But I guess it would be a nice payload to and is perfectly doable.

[ZeteMKaa]

Yeah was playing around to see what would be a good option to load the Mimikatz payload into memory and dumping the output on the Pi. Was trying to use the new hid_payload in the devel branch was not able to link them together. And typing out the entire base64 encoding also was not a solution :)

The solution you propose would be great! And able to bypass most security solutions with some tweaking on the Mimikatz code. I would really like to contribute and test for the project. Been playing around with it for the last weeks and love the possibilities.

[mame82]

So we are talking about two additions...
Reading files in via HID (mimikatz payload) and writing back to P4wnP1 via HID (mimikatz results + data exfiltration).

To do list is growing, but the days are still limited to 24 hours :-(

At least loading Mimikatz into a PowerShell internal variable should be possible with the HID PoC:

The approach of loading a file from P4wnP1 to an inmemory PowerShell variable is shown in the video. The file only has to be exchanged by a mimikatz payload and the loaded variable has to be invoked with iex. Of course this would be a real insider attack, as it has to be done interactively (no USB drive by). The benefit of endpoint protection bypass remains.

Of course this would require an admin session or a priv esc (brings eternalblue into mind...which again needs RNDIS to connect via SMB ).

So yes, there are some possibilities, especially in combination with the Wi-Fi part

[mame82]

I would really like to contribute and test for the project.

Looking forward to this, thanks in advance

[ZeteMKaa]

Looking forward to this, thanks in advance

Should I just create pull requests for this? And in which branch? Do you have a Slack/Discord/IRC channel?

[mame82]

The devel branch makes sense. I'm going to replace the master with it, when development of the HID backdoor is finished.

As I'm not using chats, a simple PR is a good idea. Changes could be discussed before accepting the PR and are documented.

Payloads have could be adjusted with in ongoing changes in devel branch.

The snippet in https://github.com/mame82/P4wnP1/blob/master/get_and_crack_last.sh for example uses absolute path to call binaries. As the install path of P4wnP1 isn't fixed anymore every path has to be changed to use $wdir to incorporate into current payload structure.

This could easily be reworked in devel branch.

Additionally a description template should be added into payload comments, to declare the author, payload name and description of a contributed payload.