Weaponizing USB Gadgets with HID Devices: The Revenge of P4wnP1
As most of you already know, at the beginning of 2017, appeared on the market the Hak5’s BashBunny.
It is an interesting toy, but someone (i.e. Mame82) decided to create a way cooler version based on a 11$ Raspberry Pi Zero W. Which is inheriting the concept of AirGap bypass from USaBuse.
Anyway, for more information about P4wnP1 features checkout its Github repo: https://github.com/mame82/P4wnP1 As I was discussing with Mame82, P4wnP1 + RPi ZeroW is a really cool toy, which enhances the features (i.e. remote HID attacks and AirGap bypass) that were already available in whid.ninja. However the only obvious side effect of using a Raspberyr Pi Zero, rather than a dedicated and miniaturized hardware, is that it is quite difficult to conceive it into the usual USB dongle case. In this post I wanted to show you how I resolved this issue. I have decided to start with my favorite USB gadget, that all victims (geeks and not) cannot refrain themselves to plug into their PCs: a Plasma Ball.
How? Why? WTF?
The main idea behind it is to test for Social Engineering weaknesses within your target organization (e.g. DLP policy violations) and to bypass physical access restrictions to Target’s device. Usually, I create a fancy brochure (sample template https://github.com/whid-injector/WHID/tree/master/tools/Social_Engineering_Lures ) attached with a weaponized USB gadget and then use a common delivery carrier (e.g. UPS, DHL, FedEx).
How to modify the Plasma Ball in order to hide a RPi Zero W (with P4wnP1 installed) is trivially obscene.
As you see it does look cool! No one will ever resist to plug it in an USB port (luckily the one of a PC though).
P.S. At the moment I am designing a new toy! THE Pentest Drop Box! In order to convince the Manufacturer that is a cool idea I need as many feedback as possible and show him that people is interested on it. It would be awesome if you could share this Tweet! https://twitter.com/LucaBongiorni/status/895736175222181888