Raspberry Pi Zero W P4wnP1 A.L.O.A.

    Introduction

    The Raspberry Pi Zero W P4wnP1 A.L.O.A. (A Little Offensive Application) image is a highly customized version of Kali Linux. It allows you to connect the Raspberry Pi to a computer, and send commands, or use its networking, all without having to interact with it, although you can do that too!

    The P4wnP1 A.L.O.A. software includes a number of features that the original P4wnP1 had, such as Plug & Play USB device emulation, Wi-Fi via a modified copy of the Nexmon firmware (which allows for KARMA attacks), Bluetooth support, and a Wi-Fi covert channel. Monitor mode is included, but it is NOT supported. The software also adds HIDScript, which is similar to DuckyScript for payloads but is based on JavaScript.

    Currently the P4wnP1 A.L.O.A. image only supports the Raspberry Pi Zero W, not Zero 2 W.

    Quick install and usage

    1. Download and validate the Kali Linux Raspberry Pi Zero W P4wnP1 ALOA image from the downloads area. The process for validating an image is described in more detail on Downloading Kali Linux.

    2. Use the dd utility to image this file to your microSD card. In our example, we use a microSD which is located at /dev/sdX. Change this as needed.

    This process will wipe out your microSD card. If you choose the wrong storage device, you may wipe out your computer's hard disk.

    $ xzcat kali-linux-2024.1-raspberry-pi-zero-w-p4wnp1-aloa-armel.img.xz | sudo dd of=/dev/sdX bs=4M status=progress
    

    This process can take a while, depending on your PC, your microSD card’s speed, and the size of the Kali Linux image.

    3. Once the dd operation is complete, plug the microSD card into your Raspberry Pi Zero W.

    4. From another computer, connect to the default wireless network 💥🖥💥 Ⓟ➃ⓌⓃ🅟❶ of P4wnP1 A.L.O.A. with the password MaMe82-P4wnP1

    5. Once you are connected to the P4wnP1 A.L.O.A. wireless network, you can access the system via either:

    • The web interface (http://172.24.0.1:8000)
    • Command line using SSH (ssh [email protected]), then run the P4wnP1_cli command
    • Locally compile the P4wnP1 A.L.O.A. CLI software, and pass host along with your commands

    One of the important customizations of this Kali Linux image is that both the root and kali users can SSH in. The root user has the default password of toor.

    6. Go wild
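For steps 1 and 2 above, a guarded way to validate and write the image, given as an added example that is not part of the original Kali documentation. It assumes a SHA256SUMS file downloaded alongside the image and a Linux host with sysfs; the function names and the SYSFS_BLOCK and MOUNTS_FILE variables are hypothetical.

```shell
#!/bin/sh
# Added example: check the image against its SHA256SUMS entry, then write it
# only to a removable, unmounted whole disk. All function names are hypothetical.

SYSFS_BLOCK="${SYSFS_BLOCK:-/sys/block}"    # overridable so the checks can be tested
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# verify_image IMAGE SUMS_FILE
# Succeeds only if IMAGE's SHA-256 equals the entry listed for its file name
# in SUMS_FILE (assumed format: "<hex digest>  <file name>").
verify_image() {
    img=$1; sums=$2
    name=$(basename "$img")
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums" | head -n 1)
    [ -n "$expected" ] || { echo "no checksum listed for $name" >&2; return 1; }
    actual=$(sha256sum "$img" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "checksum mismatch for $name" >&2; return 1; }
}

# is_safe_target DEVICE
# Succeeds only for a whole disk (not a partition) that sysfs marks as
# removable and that has nothing mounted from it.
is_safe_target() {
    dev=$1
    disk=$(basename "$dev")
    flag="$SYSFS_BLOCK/$disk/removable"
    [ -r "$flag" ] || { echo "$dev is not a whole block device" >&2; return 1; }
    [ "$(cat "$flag")" = "1" ] || { echo "$dev is not removable" >&2; return 1; }
    if grep -q "^$dev" "$MOUNTS_FILE"; then
        echo "$dev has mounted partitions; unmount them first" >&2
        return 1
    fi
}

# write_image IMAGE SUMS_FILE DEVICE
# Runs both checks, then the same xzcat | dd pipeline shown in step 2.
write_image() {
    verify_image "$1" "$2" || return 1
    is_safe_target "$3" || return 1
    xzcat "$1" | sudo dd of="$3" bs=4M status=progress
}

# Only act when called as: script IMAGE SUMS_FILE DEVICE
if [ "$#" -eq 3 ]; then write_image "$1" "$2" "$3"; fi
```

The removable check suits USB card readers that appear as /dev/sdX; a built-in reader exposed as an mmcblk device may report 0 and be refused.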

    Features

    P4wnP1 A.L.O.A. by MaMe82 is a framework which turns a Raspberry Pi Zero W into a flexible, low-cost platform for pentesting, red teaming and physical engagements… or into “A Little Offensive Appliance”.

    P4wnP1 A.L.O.A. is not meant to:

    • Be a “weaponized” tool
    • Provide RTR payloads, which could be carried out by everybody, without understanding what’s going on or which risks are involved

    P4wnP1 A.L.O.A. is meant to:

    • Be a flexible, low-cost, pocket sized platform
    • Serve as enabler for tasks like the one described here
    • Support prototyping, testing and carrying out all kinds of USB related tasks, commonly used during pentest or redteam engagements, without providing a finalized static solution

    P4wnP1 A.L.O.A. provides a configuration, which utilizes the given components to do the following things:

    • Drive-by against Windows hosts in order to deliver in-memory client code to download stage2 via HID covert channel, based on keystroke injection (HIDScript)
    • Start the keystroke injection as soon as P4wnP1 is connected to a USB host (TriggerAction issuing HIDScript)
    • Bring up the stager, which delivers the Wi-Fi covert channel client agent via HID covert channel, as soon as the keystroke injection starts (TriggerAction running a bash script, which again starts the external server)
    • Bring up the Wi-Fi covert channel server, when needed (same TriggerAction and BashScript)
    • Deploy a USB setup which provides a USB keyboard (to allow keystroke injection) and an additional raw HID device (serves as covert channel for stage2 delivery) - the USB settings are stored in a settings template
    • Deploy a Wi-Fi setup, which allows remote access to P4wnP1, in order to allow interaction with the CLI frontend of the Wi-Fi covert channel server - the Wi-Fi settings are stored in a settings template
    • Provide a single point of entry, to deploy all the needed configurations at once (done by a Master Template, which consists of proper Wi-Fi settings, proper USB settings and the TriggerActions needed to start the HIDScript)

    The best place for up-to-date information is the project’s README.

    If you need a reminder of the default passwords again:

    • SSH:

      • root/toor
      • kali/kali
    • Wi-Fi:

      • SSID: 💥🖥💥 Ⓟ➃ⓌⓃ🅟❶
      • PSK: MaMe82-P4wnP1

    Problems, questions, feedback? Join us in the forums


    Updated on: 2024-Feb-28
    Author: steev