From 4feb3c0bfa204cbf00f28a18b463f7dbcdb1e591 Mon Sep 17 00:00:00 2001 From: DeadPackets Date: Tue, 30 Oct 2018 09:19:12 +0400 Subject: [PATCH 1/4] Inital attempt at WPA2 Enterprise support --- Responder | 2 +- boot/init_wifi.sh | 40 ++++++++++++++++++++++++++++++++++++---- duckencoder | 2 +- setup.cfg | 2 ++ 4 files changed, 40 insertions(+), 6 deletions(-) diff --git a/Responder b/Responder index bd2e4b5..2b322b2 160000 --- a/Responder +++ b/Responder @@ -1 +1 @@ -Subproject commit bd2e4b5bc7b4ffcc6a7f8c239a0a945c2c822041 +Subproject commit 2b322b227e1123aa1ae95bda49dbf906e06d04ab diff --git a/boot/init_wifi.sh b/boot/init_wifi.sh index 587c5b3..9a588b4 100644 --- a/boot/init_wifi.sh +++ b/boot/init_wifi.sh @@ -215,6 +215,25 @@ function generate_wpa_entry() res=$(wpa_passphrase "$1" "$2") && echo "$res" | grep -v -e "#psk" } +function generate_wpa_enterprise_entry() +{ + + #wpa_passphrase $1 $2 | grep -v -e "#psk" + # output result only if valid password was used (8..63 characters) + res="network={ + ssid=\"$1\" + scan_ssid=1 + key_mgmt=WPA-EAP + group=CCMP TKIP + eap=PEAP + identity=\"$2\" + password=\"$3\" + phase1=\"peapver=0\" + phase2=\"MSCHAPV2\" + }" + echo $res; +} + function scan_for_essid() { # scan for given ESSID, needs root privs (sudo appended to allow running from user pi if needed) @@ -228,6 +247,9 @@ function scan_for_essid() # check for PSK CCMP if (echo "$scanres" | grep -q -e "CCMP" && echo "$scanres" | grep -q -e "PSK"); then echo "WPA2_PSK" # confirm WPA2 usage + # check for WPA2 enterprise + elif (echo "$scanres" | grep -q -e "CCMP" && echo "$scanres" | grep -q -e "802.1x"); then + echo "WPA2_802" else echo "WPA2 no CCMP PSK" fi 
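Review bot: The PEAP network block that generate_wpa_enterprise_entry prints has no server validation — no `ca_cert=` and no `domain_suffix_match=`/`subject_match=` — so wpa_supplicant will run the PEAP/MSCHAPv2 exchange with whichever RADIUS server answers for that ESSID, and the configured username/password pair is disclosed to it. Add `ca_cert="<PATH_TO_CA_BUNDLE>"` and `domain_suffix_match="<RADIUS_SERVER_DOMAIN>"` to the block (or expose them through setup.cfg) and state in the function comment that the entry trusts any server when they are absent. The identity and password are also interpolated inside double quotes without escaping, so a `"` or `\` in either value yields a malformed entry, and the 802.1x check added to scan_for_essid, `grep -q -e "802.1x"`, treats `.` as a regex wildcard; `grep -q -F -e "802.1x"` matches the literal token.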
@@ -252,9 +274,13 @@ function generate_wpa_supplicant_conf() # if # WIFI_CLIENT_STORE_NETWORK == false # delete the network entry, to overwrite the old entry in next step (but don't store it later on) - - generate_wpa_entry "$1" "$2" > /tmp/current_wpa.conf - sudo bash -c 'cat /tmp/current_wpa.conf >> /tmp/wpa_supplicant.conf' + if [ $3 == "WPA_PSK" ]; then + generate_wpa_entry "$1" "$2" > /tmp/current_wpa.conf + sudo bash -c 'cat /tmp/current_wpa.conf >> /tmp/wpa_supplicant.conf' + else + generate_wpa_enterprise_entry "$1" "$2" "$3" > /tmp/current_wpa.conf + sudo bash -c 'cat /tmp/current_wpa.conf >> /tmp/wpa_supplicant.conf' + fi # ToDo: store the new network back to persistent config # if @@ -284,10 +310,16 @@ function start_wifi_client() if [ "$res" == "WPA2_PSK" ]; then echo "Network $WIFI_CLIENT_SSID found" echo "... creating config" - generate_wpa_supplicant_conf "$WIFI_CLIENT_SSID" "$WIFI_CLIENT_PSK" + generate_wpa_supplicant_conf "$WIFI_CLIENT_SSID" "$WIFI_CLIENT_PSK" "$res" # Pass wifi auth type echo "... connecting ..." start_wpa_supplicant return 0 + elif [ "$res" == "WPA2_802" ]; then + echo "Network $WIFI_CLIENT_SSID found" + echo "... creating config" + generate_wpa_supplicant_conf "$WIFI_CLIENT_SSID" "$WIFI_CLIENT_USERNAME" "$WIFI_CLIENT_PASSWORD" "$res" # Pass wifi credentials instead of PSK + echo "... connecting ..." + start_wpa_supplicant else echo "Network $WIFI_CLIENT_SSID not found" return 1 # indicate error diff --git a/duckencoder b/duckencoder index 4af3dd2..a8080df 160000 --- a/duckencoder +++ b/duckencoder @@ -1 +1 @@ -Subproject commit 4af3dd262f43a9328894b4342cb97de675ee2d87 +Subproject commit a8080dfbee9333496759f5041b8081917df9adc0 diff --git a/setup.cfg b/setup.cfg index 962cfe0..9f16fa7 100644 --- a/setup.cfg +++ b/setup.cfg 
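Review bot: The branch test `if [ $3 == "WPA_PSK" ]` never selects the PSK path: scan_for_essid emits `WPA2_PSK`, not `WPA_PSK`, and in the enterprise call of the next hunk `$3` is the password while the auth type arrives as `$4`; because `$3` is unquoted, a password containing a space also aborts the test with `[: too many arguments`. A PSK network therefore reaches generate_wpa_enterprise_entry with the passphrase as identity and the string `WPA2_PSK` as password. Read the type from the last positional argument, quote it, and hoist the duplicated append so it is written once; the function header and the persistent-store ToDo lie outside the hunk.
```shell
    # auth type is always the last argument (3rd for PSK, 4th for enterprise)
    local auth_type="${!#}"
    if [ "$auth_type" == "WPA2_PSK" ]; then
        generate_wpa_entry "$1" "$2" > /tmp/current_wpa.conf
    else
        generate_wpa_enterprise_entry "$1" "$2" "$3" > /tmp/current_wpa.conf
    fi
    sudo bash -c 'cat /tmp/current_wpa.conf >> /tmp/wpa_supplicant.conf'
    # … unchanged: ToDo comment about storing the network …
```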
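Review bot: The new `elif [ "$res" == "WPA2_802" ]` branch has no `return 0` after `start_wpa_supplicant`, unlike the WPA2_PSK branch above it, so control falls through to whatever follows the if/else in start_wifi_client (outside this hunk) even though the client was started; add `return 0` after `start_wpa_supplicant` in that branch. The call also passes four arguments, `"$WIFI_CLIENT_SSID" "$WIFI_CLIENT_USERNAME" "$WIFI_CLIENT_PASSWORD" "$res"`, while the PSK call passes three, so the callee cannot pick the type out of a fixed position (see the previous hunk). Since setup.cfg ships non-empty defaults for both credential variables, guarding this branch with `[ -n "$WIFI_CLIENT_PASSWORD" ]` would avoid presenting placeholder credentials to any 802.1x network that happens to match the ESSID.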
@@ -75,6 +75,8 @@ WIFI_CLIENT_SSID="Accespoint Name" # name of target network WIFI_CLIENT_PSK="AccessPoint password" # passphrase for target network WIFI_CLIENT_STORE_NETWORK=false # unused right now, should be used to store known networks, but priority has to be given if multiple known networks are present WIFI_CLIENT_OVERWRITE_PSK=true # unused right now, in case the network WIFI_CLIENT_STORE_NETWORK is set an existing PSK gets overwritten +WIFI_CLIENT_USERNAME="Anon" # Username for WPA2 Enterprise +WIFI_CLIENT_PASSWORD="Some password" # Password for WPA2 Enterprise # ================================== # Keyboard settings for HID keyboard From 990e3eaf5627eda1cf8e4b475e223cef3eb8f39d Mon Sep 17 00:00:00 2001 From: DeadPackets Date: Tue, 30 Oct 2018 09:43:41 +0400 Subject: [PATCH 2/4] Fixes and release --- boot/init_wifi.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/boot/init_wifi.sh b/boot/init_wifi.sh index 9a588b4..26736fb 100644 --- a/boot/init_wifi.sh +++ b/boot/init_wifi.sh @@ -220,7 +220,7 @@ function generate_wpa_enterprise_entry() #wpa_passphrase $1 $2 | grep -v -e "#psk" # output result only if valid password was used (8..63 characters) - res="network={ + echo "network={ ssid=\"$1\" scan_ssid=1 key_mgmt=WPA-EAP @@ -230,8 +230,8 @@ function generate_wpa_enterprise_entry() password=\"$3\" phase1=\"peapver=0\" phase2=\"MSCHAPV2\" - }" - echo $res; +}" + } function scan_for_essid() From 0ec82e81d061d0ecac7cc0e9b952955f2c882c4b Mon Sep 17 00:00:00 2001 From: DeadPackets Date: Tue, 30 Oct 2018 10:56:32 +0400 Subject: [PATCH 3/4] Some changes --- Responder | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Responder b/Responder index 2b322b2..bd2e4b5 160000 --- a/Responder +++ b/Responder @@ -1 +1 @@ -Subproject commit 2b322b227e1123aa1ae95bda49dbf906e06d04ab +Subproject commit bd2e4b5bc7b4ffcc6a7f8c239a0a945c2c822041 From 88f2b1e44bc613f15fc0b6862b28da1f6078da9b Mon Sep 17 00:00:00 2001 
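Review bot: WIFI_CLIENT_USERNAME and WIFI_CLIENT_PASSWORD are plaintext credentials with live-looking defaults (`"Anon"`, `"Some password"`) in the same file as every other setting, and init_wifi.sh submits them as soon as scan_for_essid reports WPA2_802, so an unchanged default is sent as a real login attempt. Ship them empty and document their role and handling, e.g. `# WPA2 Enterprise (PEAP/MSCHAPv2) login; leave empty unless the target network uses 802.1x. Stored in clear text - keep this file readable only by root`. The value `"Some password"` also contains a space, which the unquoted `[ $3 == "WPA_PSK" ]` test in init_wifi.sh cannot handle.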
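Review bot: The two comment lines kept as context above the rewritten `echo "network={` — `#wpa_passphrase $1 $2 | grep -v -e "#psk"` and `# output result only if valid password was used (8..63 characters)` — were copied from generate_wpa_entry and describe PSK behaviour this function does not have: it performs no length check and never calls wpa_passphrase. Replace them with `# print a WPA-EAP (PEAP/MSCHAPv2) network block for wpa_supplicant: $1 ssid, $2 identity, $3 password`. The second hunk of this commit (`@@ -230,8 +230,8`) closes the same string; a here-document (`cat <<EOF` … `EOF`) would produce identical text without the backslash-escaped quotes and the `}"` hanging at column 0.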
From: DeadPackets Date: Tue, 30 Oct 2018 11:16:00 +0400 Subject: [PATCH 4/4] Added hostname and usb manufacturer and product name customization --- boot/boot_P4wnP1 | 3 +-- boot/init_usb.sh | 4 ++-- setup.cfg | 7 +++++++ 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/boot/boot_P4wnP1 b/boot/boot_P4wnP1 index dde462c..3f89541 100755 --- a/boot/boot_P4wnP1 +++ b/boot/boot_P4wnP1 @@ -129,8 +129,7 @@ fi # change hostname to make P4wnP1 resolveable on "name.local" if $WIFI || $USB_ETHERNET; then - hostname="MAME82-P4WNP1" - + hostname=$P4WNP1_HOSTNAME # Makes hostname configurable hostname $hostname echo $hostname > /etc/hostname diff --git a/boot/init_usb.sh b/boot/init_usb.sh index bfa9810..131b8f6 100644 --- a/boot/init_usb.sh +++ b/boot/init_usb.sh @@ -63,9 +63,9 @@ function init_usb() echo "deadbeefdeadbeef" > strings/0x409/serialnumber # echo "deadbeefdeadbe11" > strings/0x409/serialnumber # set manufacturer - echo "MaMe82" > strings/0x409/manufacturer + echo $USB_MANUFACTURER > strings/0x409/manufacturer # set product - echo "P4wnP1 by MaMe82" > strings/0x409/product + echo $USB_PRODUCT_NAME > strings/0x409/product # create configuration instance (for RNDIS, ECM and HDI in a SINGLE CONFIGURATION to support Windows composite device enumeration) # ================================================================================================================================ diff --git a/setup.cfg b/setup.cfg index 9f16fa7..e2333ef 100644 --- a/setup.cfg +++ b/setup.cfg @@ -5,6 +5,8 @@ # these are the default settings # the setting are only used, if not defined in the payload itself ########################### +# A settings to change the internal hostname +P4WNP1_HOSTNAME="MAME82-P4WNP1" # USB setup # --------------------------- 
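Review bot: `hostname=$P4WNP1_HOSTNAME` has no fallback, so a payload or config that predates this setting leaves `hostname` empty, the following `hostname $hostname` call fails and an empty line is written to /etc/hostname; the removed line carried the literal default. Use `hostname="${P4WNP1_HOSTNAME:-MAME82-P4WNP1}"` and quote the two uses below it, `hostname "$hostname"` and `printf '%s\n' "$hostname" > /etc/hostname`. Because the value is also what the surrounding comment expects to resolve as "name.local", a value with whitespace or characters outside letters, digits and hyphens will be rejected or mis-advertised; the enclosing `if $WIFI || $USB_ETHERNET` block continues past the hunk.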
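Review bot: `echo $USB_MANUFACTURER > strings/0x409/manufacturer` and `echo $USB_PRODUCT_NAME > strings/0x409/product` expand the new variables unquoted, so glob characters in the value are expanded against the current directory and runs of whitespace are collapsed; the removed lines were fixed literals that could not trigger this. Write `printf '%s\n' "${USB_MANUFACTURER:-MaMe82}" > strings/0x409/manufacturer` and the same form with `"${USB_PRODUCT_NAME:-P4wnP1 by MaMe82}"` for the product string, which also keeps the previous descriptors when a config does not define the variables. init_usb's body continues outside the hunk.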
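Review bot: The added comment `# A settings to change the internal hostname` is ungrammatical and does not say where the value ends up, although the same commit writes it to /etc/hostname and hands it to `hostname`, so a reader needs the constraints here. Suggest `# Hostname of the device (written to /etc/hostname, resolvable as <name>.local); letters, digits and hyphens only`.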
@@ -20,6 +22,11 @@ USE_HID_MOUSE=true # if true HID mouse will be enabled USE_RAWHID=false # if true a raw HID device will be enabled USE_UMS=false # if true USB Mass Storage will be enabled +# Settings to change USB manufacturer and product name which will appear +# when the drivers are being installed on victim +USB_MANUFACTURER="MaMe82" +USB_PRODUCT_NAME="P4wnP1 by MaMe82" + # =========================================== # Network and DHCP options USB over Ethernet # ===========================================