Basic WiFi Client support

boot/boot_P4wnP1

@@ -51,17 +51,21 @@ source $wdir/boot/init_wifi.sh
 check_wifi
 if $WIFI; then
 	echo "P4wnP1: Seems WiFi module is present !"
-	# connect to accesspoint after some checks
-	if $WIFI_ACCESSPOINT; then
-		echo "starting accesspoint"
-		start_wifi_accesspoint
-		if $EXISTING_AP; then
-			# PASSTHROUGH ISNT WORKING FOR SOME REASON
-			# would be nice to get some help here
-			echo "connecting to accesspoint"
-			connect_to_accesspoint
+
+	# start WIFI client
+	if $WIFI_CLIENT; then
+		# try to connect to existing WiFi according to the config
+		if start_wifi_client; then
+			WIFI_CLIENT_CONNECTION_SUCCESS=true
 		fi
 	fi
+
+	# start ACCESS POINT if needed
+	# - if WiFi client mode is disabled and ACCESPOINT mode is enabled
+	# - if WiFi client mode is enabled, but failed and ACCESPOINT mode is enabled
+	if $WIFI_ACCESSPOINT && ( ! $WIFI_CLIENT_CONNECTION_SUCCESS || ! $WIFI_CLIENT); then
+		start_wifi_accesspoint
+	fi
 fi
 
 detect_usb_hostmode # creates OTG_MODE=true if P4wnP1 is in OTG mode
@@ -80,7 +84,7 @@ if $USB_RNDIS || $USB_ECM; then
 fi
 
 # change hostname to make P4wnP1 resolveable on "name.local"
-if $WIFI || $USB_ETHERNET || $EXISTING_AP; then
+if $WIFI || $USB_ETHERNET; then
 	hostname="MAME82-P4WNP1"
 
 	hostname $hostname

boot/init_wifi.sh

@@ -8,6 +8,11 @@ function check_wifi()
 	if $wdir/wifi/check_wifi.sh; then WIFI=true; else WIFI=false; fi
 }
 
+##########################
+# WiFi AP functions
+##########################
+
+
 function generate_dnsmasq_wifi_conf()
 {
 	cat <<- EOF > /tmp/dnsmasq_wifi.conf
@@ -31,7 +36,6 @@ function generate_dnsmasq_wifi_conf()
 		dhcp-authoritative
 		log-dhcp
 EOF
-
 }
 
 function generate_hostapd_conf()
@@ -111,30 +115,97 @@ function start_wifi_accesspoint()
 	generate_dnsmasq_wifi_conf
 	dnsmasq -C /tmp/dnsmasq_wifi.conf
 }
-function connect_to_accesspoint()
+
+
+##########################
+# WiFi client functions
+##########################
+function generate_wpa_entry()
 {
-	#not sure how to setup dnsmasq and hostapd so this just gets run after the accesspoint was already started
-	sudo ifconfig wlan0 up
-	if [ $(sudo iwlist wlan0 scan | grep $EXISTING_AP_NAME) ]; then
-		# check if /etc/wpa_supplicant/wpa_supplicant.conf exists
-		printf "\"$EXISTING_AP_NAME\" was found\n"
-		if [ $(cat /etc/wpa_supplicant/wpa_supplicant.conf | grep $EXISTING_AP_NAME) ]; then
-			# only connect if its there. connect. if not open accesspoint
-			printf "entry was found, connecting...\n"
-			sudo wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf
-			sudo dhclient wlan0
-			#check if IP was obtained (to lazy to implement)
-		else
-			printf "\nNo entry for Accesspoint \"$EXISTING_AP_NAME\" found! creating one... "
-			if [ $EXISTING_AP_PSK ]; then
-				$wdir/wifi/append_secure_wpa_conf.sh $EXISTING_AP_NAME $EXISTING_AP_PSK
-				printf "success! retrying...\n"
-				connect_to_accesspoint
+
+	#wpa_passphrase $1 $2 | grep -v -e "#psk"
+	# output result only if valid password was used (8..63 characters)
+	res=$(wpa_passphrase $1 $2) && echo "$res" | grep -v -e "#psk"
+}
+
+function scan_for_essid()
+{
+	# scan for given ESSID, needs root privs (sudo appended to allow running from user pi if needed)
+	scanres=$(sudo iwlist wlan0 scan essid "$1")
+
+	if (echo "$scanres" | grep -q -e "$1\""); then # added '"' to the end to avoid partial match
+		#network found
+
+		# check for WPA2
+		if (echo "$scanres" | grep -q -e "IE: IEEE 802.11i/WPA2 Version 1"); then
+			# check for PSK CCMP
+			if (echo "$scanres" | grep -q -e "CCMP" && echo "$scanres" | grep -q -e "PSK"); then
+				echo "WPA2_PSK" # confirm WPA2 usage
 			else
-				printf "fail!\n PLEASE SPECIFY EXISTING_AP_PSK or use wifi/append_secure_wpa_conf.sh to generate an AP entry\n"
+				echo "WPA2 no CCMP PSK"
 			fi
 		fi
+
+	else
+		echo "Network $1 not found"
+	fi
+}
+
+function generate_wpa_supplicant_conf()
+{
+	# generates temporary configuration (sudo prepended to allow running from user pi if needed)
+	sudo bash -c "cat /etc/wpa_supplicant/wpa_supplicant.conf > /tmp/wpa_supplicant.conf"
+
+	# ToDo: check if configured WiFi ESSID already exists, 
+	# if
+	#	WIFI_CLIENT_STORE_NETWORK == true
+	#	WIFI_CLIENT_OVERWRITE_PSK == true
+	# delete the network entry, to overwrite in the next step
+	#
+	# if
+	#	WIFI_CLIENT_STORE_NETWORK == false
+	# delete the network entry, to overwrite the old entry in next step (but don't store it later on)
+
+	generate_wpa_entry $1 $2 > /tmp/current_wpa.conf
+	sudo bash -c 'cat /tmp/current_wpa.conf >> /tmp/wpa_supplicant.conf'
+
+	# ToDo: store the new network back to persistent config 
+	# if
+	#	WIFI_CLIENT_STORE_NETWORK == true
+	# cat /tmp/wpa_supplicant.conf > /etc/wpa_supplicant/wpa_supplicant.conf # store config change
+}
+
+function start_wpa_supplicant()
+{
+	# sudo is unneeded, but prepended in case this should be run without root
+
+	# start wpa supplicant as deamon with current config
+	sudo wpa_supplicant -B -i wlan0 -c /tmp/wpa_supplicant.conf
+
+	# start DHCP client on WiFi interface (daemon, IPv4 only)
+	sudo dhclient -4 -nw -lf /tmp/dhclient.leases wlan0
+}
+
+function start_wifi_client()
+{
+
+	sudo ifconfig wlan0 up
+
+	if $WIFI_CLIENT; then
+		echo "Try to find WiFi $WIFI_CLIENT_SSID"
+		res=$(scan_for_essid $WIFI_CLIENT_SSID)
+		if [ $res == "WPA2_PSK" ]; then
+			echo "Network $WIFI_CLIENT_SSID found"
+			echo "... creating config"
+			generate_wpa_supplicant_conf "$WIFI_CLIENT_SSID" "$WIFI_CLIENT_PSK"
+			echo "... connecting ..."
+			start_wpa_supplicant
+
+		else
+			echo "Network $WIFI_CLIENT_SSID not found"
+			return 1 # indicate error
+		fi
 	else
-		printf "\nNetwork \"$EXISTING_AP_NAME\" not found!\n"
+		return 1 # indicate error
 	fi
 }

install.sh

@@ -134,7 +134,8 @@ cp conf/default_Responder.conf Responder/Responder.conf
 sudo cp conf/default_index.html /var/www/index.html
 sudo chmod a+r /var/www/index.html
 
-# create X MB image for USB storage
+
+# create 128 MB image for USB storage
 echo "Creating 128 MB image for USB Mass Storage emulation"
 mkdir -p $wdir/USB_STORAGE
 dd if=/dev/zero of=$wdir/USB_STORAGE/image.bin bs=1M count=128
@@ -143,6 +144,7 @@ mkdosfs $wdir/USB_STORAGE/image.bin
 # create folder to store loot found
 mkdir -p $wdir/collected
 
+
 # create systemd service unit for P4wnP1 startup
 if [ ! -f /etc/systemd/system/P4wnP1.service ]; then
         echo "Injecting P4wnP1 startup script..."

payloads/network_only.txt

@@ -19,19 +19,11 @@ USE_UMS=false           # if true USB Mass Storage will be enabled
 # disable setting of static routes for all IPv4 addresses
 ROUTE_SPOOF=false
 
-# use LED based HID keyboard test
-USE_HID_TEST=true
 
-# overwrite keyboard language from setup.cfg
-lang="de" 
-
-# blink one time when payload script get's initiated
-led_blink 1 # usage at thi point is invalid, as the script gets called again on SSH login
-
-
-# commands in this function are ran on user login
-# the commans are ran by user "pi"
-function onLogin()
-{
-	return
-}
+WIFI_ACCESSPOINT=true
+WIFI_ACCESSPOINT_NAME="P4wnP1"
+WIFI_ACCESSPOINT_PSK="MaMe82-P4wnP1"
+WIFI_ACCESSPOINT_IP="172.24.0.1" # IP used by P4wnP1
+WIFI_ACCESSPOINT_NETMASK="255.255.255.0"
+WIFI_ACCESSPOINT_DHCP_RANGE="172.24.0.2,172.24.0.100" # DHCP Server IP Range
+WIFI_ACCESSPOINT_HIDE_SSID=false # use to hide SSID of WLAN (you have to manually connect to the name given by EIFI_ACCESSPOINT_NAME)

payloads/wifi_connect.txt

@@ -0,0 +1,33 @@
+# P4wnP1 demo payload by MaMe82
+# ==========================
+
+
+# =============================
+# USB setup
+# =============================
+# Make sure to change USB_PID if you enable different USB functionality in order
+# to force Windows to enumerate the device again
+USB_VID="0x1D6B"        # Vendor ID
+USB_PID="0x0237"        # Product ID
+
+USE_ECM=true            # kept enabled as fallback (could allow forwarding connection trough WiFi if added to payload)
+USE_RNDIS=true          # kept enabled as fallback (could allow forwarding connection trough WiFi if added to payload)
+USE_HID=false
+USE_RAWHID=false        
+USE_UMS=false
+
+# disable setting of static routes for all IPv4 addresses
+ROUTE_SPOOF=false
+
+WIFI_ACCESSPOINT=true
+WIFI_ACCESSPOINT_NAME="P4wnP1"
+WIFI_ACCESSPOINT_PSK="MaMe82-P4wnP1"
+WIFI_ACCESSPOINT_IP="172.24.0.1" # IP used by P4wnP1
+WIFI_ACCESSPOINT_NETMASK="255.255.255.0"
+WIFI_ACCESSPOINT_DHCP_RANGE="172.24.0.2,172.24.0.100" # DHCP Server IP Range
+WIFI_ACCESSPOINT_HIDE_SSID=false # use to hide SSID of WLAN (you have to manually connect to the name given by EIFI_ACCESSPOINT_NAME)
+
+WIFI_CLIENT=true
+WIFI_CLIENT_SSID="YourAPName" # name of target network
+WIFI_CLIENT_PSK="YourAPPassword" # passphrase for target network
+

setup.cfg

@@ -43,6 +43,20 @@ WIFI_ACCESSPOINT_NETMASK="255.255.255.0"
 WIFI_ACCESSPOINT_DHCP_RANGE="172.24.0.2,172.24.0.100" # DHCP Server IP Range
 WIFI_ACCESSPOINT_HIDE_SSID=false # use to hide SSID of WLAN (you have to manually connect to the name given by EIFI_ACCESSPOINT_NAME)
 
+WIFI_CLIENT=false 	# enables connecting to existing WiFi (currently only WPA2 PSK)
+			# example payload: wifi_connect.txt
+			# Warning: could slow down boot, because:
+			#	- scan for target network is issued upfront
+			#	- DHCP client is started and waits for a lease on WiFi adapter
+			# Note: if WIFI_ACCESSPOINT is enabled, too:
+			#	- P4wnP1 tries to connect to the given WiFi
+			# 	- if connection fails, the AccessPoint is started instead
+WIFI_CLIENT_SSID="Accespoint Name" # name of target network
+WIFI_CLIENT_PSK="AccessPoint password" # passphrase for target network
+WIFI_CLIENT_STORE_NETWORK=false # unused right now, should be used to store known networks, but priority has to be given if multiple known networks are present
+WIFI_CLIENT_OVERWRITE_PSK=true # unused right now, in case the network WIFI_CLIENT_STORE_NETWORK is set an existing PSK gets overwritten
+
+
 
 # ===============================
 # connect to normal wpa2 network
@@ -64,6 +78,7 @@ HID_KEYBOARD_TEST=true # if enabled 'onKeyboardUp' is fired as soon as the host
 # =====================
 
 PAYLOAD=network_only.txt
+#PAYLOAD=wifi_connect.txt
 #PAYLOAD=stickykey/trigger.txt # Backdoor Windows LockScreen with SYSTEM shell, triggered by NUMLOCK, trigger SCROLLLOCK to revert the changes
 #PAYLOAD=hakin9_tutorial/payload.txt # steals stored plain credentials of Internet Explorer or Edge and saves them to USB flash drive (for hakin9 tutorial)
 #PAYLOAD=Win10_LockPicker.txt # Steals NetNTLMv2 hash from locked Window machine, attempts to crack the hash and enters the plain password to unlock the machin on success