-
Notifications
You must be signed in to change notification settings - Fork 662
/
template.txt
145 lines (125 loc) · 4.77 KB
/
template.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
# This file is part of P4wnP1.
#
# Copyright (c) 2017, Marcus Mengs.
#
# P4wnP1 is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# P4wnP1 is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with P4wnP1. If not, see <http://www.gnu.org/licenses/>.
# P4wnP1 payload Template by MaMe82
# ==========================
# Empty payload starting all USB functions
# - USB Mass storage
# - CDC ECM device (Linux ethernet over USB)
# - RNDIS device (Windows ethernet over USB)
# - USB keyboard
# =============================
# USB setup
# =============================
# Make sure to change USB_PID if you enable different USB functionality in order
# to force Windows to enumerate the device again
USB_VID="0x1d6b" # Vendor ID
USB_PID="0x0106" # Product ID
USE_ECM=true # if true CDC ECM will be enabled (Ethernet over USB for Windows)
USE_RNDIS=true # if true RNDIS will be enabled (Ethernet over USB for macOS/Linux)
USE_HID=true # if true HID keyboard will be enabled (USB keyboard attacks)
USE_UMS=true # if true USB Mass Storage will be enabled
USE_RAWHID=true # if true HID raw device will be enabled (used by HID covert channel payloads)
# ==========================
# Network and DHCP options for Ethernet over USB
# ==========================
# We choose an IP with a very small subnet (see comments in README.rst)
IF_IP="172.16.0.1" # IP used by P4wnP1
IF_MASK="255.255.255.252"
IF_DHCP_RANGE="172.16.0.2,172.16.0.3" # DHCP Server IP Range
# ============================
# Network and DHCP options for WiFi (Pi Zero W with "wlan0" present)
# ============================
WIFI_ACCESSPOINT=true
WIFI_ACCESSPOINT_PSK="MaMe82-P4wnP1"
WIFI_ACCESSPOINT_IP="172.24.0.1" # IP used by P4wnP1
WIFI_ACCESSPOINT_NETMASK="255.255.255.0"
WIFI_ACCESSPOINT_DHCP_RANGE="172.24.0.2,172.24.0.100" # DHCP Server IP Range
# =====================
# Keyboard config
# =====================
# Keyboard language for outhid and duckhid commands
# possible languages: "be", "br", "ca", "ch", "de", "dk", "es", "fi", "fr", "gb", "hr", "it", "no", "pt", "ru", "si", "sv", "tr", "us"
lang="us"
# This function gets called after the target host enables the network interface
# (RNDIS, CDC ECM or both have to be enabled)
function onNetworkUp()
{
# commands in this callback function are ran as root
#
# available variables:
# $IF_IP: IP used by P4wnP1
# $IF_MASK: Netmask used by P4wnP1
# $IF_DHCP_RANGE: P4wnP1 DHCP Server IP Range
# $active_interface: Internal network interface in use by P4wnP1 (usb0, usb1 or none)
# $wdir: Absolute path to P4wnP1 main directory
#
# available commands:
# outhid
# Pipe ASCII into this command to output via HID keyboard on target
# The output keyboard layout is derived from the "lang" option (Keyboard config)
# Note: A newline character (ASCII 0x0A) is interpreted as RETURN key
# outhid only works if USE_HID=true
#
# Example: echo "Hello World | outhid"
#
# duckhid
# Pipe DuckyScript into this command to output via HID keyboard on target
# The output keyboard layout is derived from the "lang" option (Keyboard config)
# duckhid only works if USE_HID=true
#
# Example (starting notepad, indents only for readability):
# cat << EOF | duckhid
# DELAY 500
# GUI r
# DELAY 500
# STRING notepad.exe
# ENTER
# EOF
}
# this function gets called if the target host received a DHCP lease
# (DHCP client has to be running on target)
function onTargetGotIP()
{
# commands in this callback function are ran as root
#
# available variables:
# same as onNetworkUp()
#
# additional variables:
# $target_ip: The IP the target host received via its DHCP lease
#
# available commands:
# same as onNetworkUp()
}
# this function gets called after P4wnP1 finished booting
# Caution: This doesn't necessarily mean that "onNetworkUp" or "onTargetGotIP"
# have already been called
function onBootFinished()
{
# commands in this callback function are ran as user root
}
# commands in this function are ran if the user pi logs in (SSH or local)
function onLogin()
{
# commands in this callback function are ran as user pi
}
# this function gets called if the target is done installing the driver for the HID keyboard
# (USE_HID and HID_KEYBOARD_TEST have to be set to "true")
function onKeyboardUp()
{
# commands in this callback function are ran as user root
}