P4wnP1 is a highly customizable USB attack platform, based on a low-cost Raspberry Pi Zero or Raspberry Pi Zero W (the latter is required for the HID backdoor).
The successor of P4wnP1 is called P4wnP1 A.L.O.A. and hosted here: https://github.com/mame82/P4wnP1_aloa
This repo isn't really suspended, but I'm using all of my time to work on P4wnP1's successor. The new repo is still private, but information on progress is published via Twitter from time to time (@P4wnP1 or @MaMe82).
More important: don't waste your time following complicated install instructions. A ready-to-go image of the latest P4wnP1 version can be found on the release page: https://github.com/mame82/P4wnP1/releases (seems some of you missed it).
Official Wiki started by @jcstill and @Swiftb0y
There isn't a short summary of this README. If you want to handle this nice tool properly, I'm afraid you have to read it.
The most important sections:
- Windows LockPicker
- HID covert channel frontdoor
- HID covert channel backdoor (this is the new main feature)
- Getting started section
Since the initial release in February 2017, P4wnP1 has come a long way. Today advanced features are merged back into the master branch, among others:
- the Windows LockPicker (unlock Windows boxes with weak passwords, fully automated by attaching P4wnP1)
- the HID covert channel backdoor (get remote shell access on air-gapped Windows targets, tunneled only through HID devices and relayed to a WiFi hotspot with SSH access on a Pi Zero W; the target doesn't see a network adapter, serial or any other communication device)
- the HID covert channel frontdoor (get access to a Python shell on P4wnP1 from a restricted Windows host, tunneled through a raw HID device with a low footprint; the target doesn't see a network adapter, serial or any other communication device)
- refined USB, modular USB setup (see the payloads/ subfolder for examples)
As it is a flexible framework, P4wnP1 allows developing custom payloads, limited only by the imagination of the pentester using it. To get a basic idea, some payloads are already included and described here:
This payload extends the "Snagging creds from locked machine" approach, presented by Mubix (see credits), to its obvious successor:
P4wnP1 LockPicker cracks grabbed hashes and unlocks the target on success, using its keyboard capabilities. This happens fully automated, without further user interaction.
I'm still no video producer, so maybe somebody feels called upon to do a demo.
Here's my (sh**ty) attempt:

Here's a version of someone doing this much better, thanks @Seytonic

(... collected folder, along with the hashes.) The payload Win10_LockPicker.txt has to be chosen in setup.cfg to carry out the attack. It is important to set the payload's "lang" parameter to your target's language. If you attach an HDMI monitor to P4wnP1, you can watch the status output of the attack (including the captured hash and plaintext creds, if you made it this far).
This payload runs a PowerShell script, typed out via P4wnP1's built-in keyboard, in order to dump stored credentials of Microsoft Edge or Internet Explorer. Fetched credentials are stored on P4wnP1's flashdrive (USB Mass Storage). As the name implies, this payload is the result of a hakin9 article on payload development for P4wnP1, which is yet unpublished. For this reason, the payload has RNDIS enabled, although it is not needed to carry out the attack. Its main purpose is to show how to store the result of a keyboard-based attack on P4wnP1's flashdrive, although the drive letter is only known at runtime of the payload.
This payload plants a backdoor which allows access to a command shell with SYSTEM level privileges from the Windows lock screen. Once planted, the shell is triggered by sticky keys.
The payload itself is purely keyboard based.
The widely known approach to achieve the payload's goal is to replace the sethc.exe file. This payload, however, makes the change via a registry hack (the Debugger property under Image File Execution Options). This means the attack is less noisy, as the filesystem doesn't get touched directly. Additionally the payload shows how to use P4wnP1's keyboard triggers: pressing NUMLOCK multiple times plants the backdoor, while pressing SCROLLLOCK multiple times removes the backdoor again.
Last but not least, the attack demos a simple UAC bypass, as the PowerShell session used has to be run with elevated privileges.
The attack requires an unlocked target run by an Administrator account.
The payload demoed here isn't published yet.
The video is produced by @Seytonic; you should check out his YouTube channel with hacking-related tutorials and various projects if you're interested in more stuff like this (link in credits).
@Seytonic thanks for the great tutorial
- The shell command creates a remote shell (only with a covert channel connection)
To get the backdoor running:
- Choose the hid_backdoor.txt payload in setup.cfg (using the interactive USB OTG mode or one of the payloads with SSH network access, like network_only.txt)
- Connect to the WiFi network P4wnP1 (password: MaMe82-P4wnP1)
- SSH into P4wnP1 as pi@172.24.0.1, using the password of user pi, which is raspberry in the default configuration
- Once the hid_backdoor.txt payload is running, help shows the available commands
- Use SetKeyboardLayout to set the keyboard layout according to your target's language. This step is important and should always be taken first, otherwise most keyboard-based attacks fail. The current layout is shown by GetKeyboardLayout. The default keyboard language for the P4wnP1 backdoor shell can be changed in hidtools/backdoor/config.txt
- Use the SendKeys command followed by an ASCII key sequence to send keystrokes to the target. The SendKeys command is somewhat restricted: no control keys can be sent, even a RETURN is problematic. So for more complex key sequences the FireDuckyScript command comes to help.
- FireDuckyScript accepts the name of a script residing in the DuckyScript/ folder. The folder is prefilled with some demo scripts. If you omit the script name behind the FireDuckyScript command, you will be presented with a menu to choose a script. If you wonder why one would write a DuckyScript sending an <ALT> + <F4> only, you're thinking in the old world of RubberDucky. With P4wnP1 and its capability to run DuckyScripts dynamically, such short scripts come in handy. If you don't know what I'm talking about, run the P4wnP1_youtube.duck script and you'll know where scripts like AltF4_Return.duck are needed ;-)
So that's all
... no, just joking. Four months without commits wouldn't have passed if there wasn't more. Up till here, there was no covert channel co