Full Report
As part of our preparations for our upcoming RingZer0 “Q Division” Training, I have been working on making a software image for the FriendlyArm NanoPi R1S Single Board Computer (SBC) that we’ll be using to demonstrate some close quarters techniques. I will detail the process of configuring an R1S by installing the Armbian distribution as well as P4wnP1 ALOA. We will also take a quick look at getting USBProxy configured to act as a keylogger.
Analysis Summary
# Tool/Technique: P4wnP1 ALOA
## Overview
P4wnP1 ALOA is a framework designed to turn Single Board Computers (SBCs) with a USB Device Controller (UDC) into USB attack tools. It was originally created for the Raspberry Pi Zero W but is shown here being adapted for the FriendlyArm NanoPi R1S. It allows the SBC to emulate human interaction devices (like keyboards) and other USB devices for red teaming activities.
## Technical Details
- Type: Tool / Framework
- Platform: ARM-based SBCs (specifically FriendlyArm NanoPi R1S, applicable to others with UDC like Raspberry Pi Zero W). Target hosts would typically be connected to the R1S acting as a USB device.
- Capabilities: Manages the USB Device Controller (UDC) to present itself as various USB devices, supports remote access (via WiFi AP or Ethernet), and serves a web interface for management.
- First Seen: Information not explicitly provided in the text, but the repository is mentioned in the context of recent training setup (May 2020).
## MITRE ATT&CK Mapping
The primary function described relates to device manipulation and initial access/persistence via physical/close-quarters interaction.
- [TA0001 - Initial Access]
- [T1318 - Hardware Addition (USB)] (Implied, as it positions the device to interact physically)
- [TA0005 - Defense Evasion]
- [T1027 - Obfuscated Files or Information] (Though the tool itself is used for execution, its capability to emulate trusted devices aids evasion)
- [TA0002 - Execution]
- [T1204.002 - User Execution: Malicious File] (If used to execute payloads after successful device emulation)
## Functionality
### Core Capabilities
- Configuration of an SBC (NanoPi R1S) to act as a USB attack platform.
- Disables default serial console to free up the UDC.
- Installation and enabling of the P4wnP1 service via systemd.
- Can be used to emulate USB network interfaces (detailed in follow-up posts).
### Advanced Features
- Remote management capability via a configured Access Point (using built-in WiFi) or via SSH over Ethernet during setup.
- Utilizes pre-built binaries compatible across similar ARM architectures (e.g., RPi Zero W binaries working on R1S).
## Indicators of Compromise
- File Hashes: [Not provided in the article]
- File Names: `P4wnP1_*`, `P4wnP1.service`, webapp files, `dnsmasq` (dependency).
- Registry Keys: [Not applicable - Linux OS]
- Network Indicators: Used to set up a WiFi Access Point (AP) for remote communication (Hostnames/IPs unknown).
- Behavioral Indicators: Disabling the `serial-getty@` serial console service, unloading or preventing loading of the `g_serial` module, and starting `P4wnP1.service`.
## Associated Threat Actors
- Training Environment/Red Team Operations (SensePost "Q Division" Training setup).
## Detection Methods
- [Signature-based detection]
- Monitoring for specific configuration file modifications (e.g., removal of `/etc/modules`, disabling systemd console services).
- [Behavioral detection]
- Detecting services that claim the USB Device Controller (UDC) and register gadget functions on it.
- Monitoring for the installation of `dnsmasq` alongside git-cloned tools in `/usr/local/`.
- [YARA rules if available]
- [Not provided in the article]
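As an added defender-side example (not code from the original post), the behavioral indicators above expressed as checks over `systemctl list-unit-files` and `lsmod` style snapshots; the unit and module names come from the page, while the sample listings are constructed and the `/etc/modules` flag is assumed to be collected separately.

```python
"""Audit constructed host snapshots for the P4wnP1 ALOA indicators above."""

# Constructed sample snapshots (not captured from a real host).
SYSTEMCTL_UNITS = """\
UNIT FILE                      STATE
serial-getty@.service          masked
P4wnP1.service                 enabled
ssh.service                    enabled
"""
LSMOD = """\
Module                  Size  Used by
libcomposite           57344  2
cfg80211              663552  0
"""
ETC_MODULES_PRESENT = False  # assumption: /etc/modules was removed during install


def unit_states(listing):
    """Parse `systemctl list-unit-files` output into {unit: state}."""
    states = {}
    for line in listing.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) >= 2:
            states[parts[0]] = parts[1]
    return states


def loaded_modules(lsmod_output):
    """Return the set of module names from `lsmod` output."""
    return {line.split()[0] for line in lsmod_output.splitlines()[1:] if line.strip()}


def audit(units_listing, lsmod_output, etc_modules_present):
    """Return the indicator names that fire on the snapshot, in a fixed order."""
    units = unit_states(units_listing)
    mods = loaded_modules(lsmod_output)
    findings = []
    # Indicator 1: the default serial console unit has been masked or disabled.
    if any(u.startswith("serial-getty@") and s in ("masked", "disabled")
           for u, s in units.items()):
        findings.append("serial console disabled")
    # Indicator 2: the P4wnP1 systemd unit is installed and enabled.
    if units.get("P4wnP1.service") in ("enabled", "static"):
        findings.append("P4wnP1.service enabled")
    # Indicator 3: g_serial, loaded by default on the stock image, is gone.
    if "g_serial" not in mods:
        findings.append("g_serial not loaded")
    # Indicator 4: /etc/modules removed so g_serial never loads at boot.
    if not etc_modules_present:
        findings.append("/etc/modules missing")
    return findings
```

A single finding (for example a missing `g_serial`) is weak on its own; the combination of all four is what distinguishes the tool's install from ordinary maintenance.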
## Mitigation Strategies
- Restrict physical access to sensitive equipment (SBCs).
- Monitor system services initialization scripts for unauthorized changes (e.g., disabling standard console services like `serial-getty`).
- Strict control over the loading of kernel modules related to USB gadget functionality.
## Related Tools/Techniques
- P4wnP1 (Original tool).
- Other USB attack platforms utilizing UDCs (e.g., Rubber Ducky-like payloads executed from an SBC).
***
# Tool/Technique: USBProxy
## Overview
USBProxy is a tool repurposed here to act as a basic keylogger by mirroring USB device traffic between a host and a device plugged into the SBC. It intercepts and relays packets, allowing for sniffing of USB protocol data.
## Technical Details
- Type: Tool
- Platform: Linux SBCs (FriendlyArm NanoPi R1S). Requires `libusb` and `libusb-dev`.
- Capabilities: USB device mirroring, USB protocol research, and out-of-the-box capability to act as a keylogger.
- First Seen: Marked as "legacy" in the article, exact original date not specified.
## MITRE ATT&CK Mapping
The primary use case described is packet sniffing and data exfiltration via physical interception.
- [TA0010 - Exfiltration]
- [T1041 - Exfiltration Over C2 Channel] (If keystrokes are sent externally via the SBC's network connection)
- [TA0005 - Defense Evasion]
- [T1027 - Obfuscated Files or Information] (Use of ROT13 filter complicates log review, although the filter is often disabled/modified).
- [TA0009 - Collection]
- [T1056.001 - Input Capture: Keylogging]
## Functionality
### Core Capabilities
- "Mirrors" a USB device plugged into the SBC's USB-A port by creating identical USB gadget descriptors.
- Copies packets between the physical device connection and the SBC's internal processing path.
- Keylogging functionality (`usb-mitm -k` or `usb-mitm -k[file]`).
### Advanced Features
- Ability to apply packet filters (e.g., ROT13 filter mentioned, often overridden).
- Potential for other USB attacks (e.g., presenting as a network interface with priority routing).
- Can monitor existing external USB keyboards plugged through the R1S.
## Indicators of Compromise
- File Hashes: [Not provided in the article]
- File Names: `usb-mitm` (the executable).
- Registry Keys: [Not applicable]
- Network Indicators: [None associated directly with USBProxy, though the host SBC communicates externally.]
- Behavioral Indicators: The `usb-mitm` process running, interacting with USB devices, and writing captured data to log files (`outputfile`).
## Associated Threat Actors
- Red Teamers / Security Researchers.
## Detection Methods
- [Signature-based detection]
- Signatures based on the `usb-mitm` executable binary.
- [Behavioral detection]
- Monitoring processes reading/writing high volumes of data to files while actively interacting with USB mass storage or HID class devices in an unusual manner.
- Detecting unexpected installation of the `libusb`/`libusb-dev` build dependencies and compilation of the tool from source.
- [YARA rules if available]
- [Not provided in the article]
## Mitigation Strategies
- Employing physical security to prevent unauthorized connection of devices to USB ports that might host such sniffing tools.
- Regular inspection of SBCs used in testing environments for unusual compilation artifacts or running processes.
## Related Tools/Techniques
- Devices that emulate human interface devices (HID) to inject keystrokes.
***
# Technique: Close Quarters Techniques / Physical Device Manipulation
## Overview
The setup described prepares the SBC to act as an intermediary or controller in physically close-range engagements. This involves preparing a dedicated hardware platform (R1S) to leverage USB and (in Part 2) Ethernet to directly influence, inject data into, or monitor victim systems connected to the SBC.
## Technical Details
- Type: Technique / Operational Procedure
- Platform: Targets hosts accessible via USB (HID/Keyboard attacks) or direct Ethernet connection (MITM).
- Capabilities: Injecting simulated keystrokes/mouse movements, sniffing USB traffic, performing Ethernet Man-in-the-Middle (MITM) attacks.
- First Seen: N/A (General red team methodology).
## MITRE ATT&CK Mapping
Focusing on the physical deployment and immediate effects:
- [TA0007 - Credential Access]
- [T1056.001 - Input Capture: Keylogging] (via USBProxy)
- [TA0009 - Collection]
- [T1056.001 - Input Capture: Keylogging]
- [T1560.001 - Archive via Utility: Zip or Rar] (Implied if captured data is compressed later)
- [TA0011 - Command and Control]
- [T1090 - Proxy] (Upcoming Ethernet MITM technique outlined for Part 2)
## Functionality
### Core Capabilities
- Establishing a covert hardware platform (SBC) for low-level interaction.
- Utilizing the SBC's UDC capabilities to impersonate trusted USB peripherals (e.g., keyboard/mouse).
### Advanced Features
- **USB Sniffing/Keylogging:** Intercepting input from an actual external keyboard plugged into the SBC.
- **Hardware Relay:** Intention to act as a transparent device (USB or Ethernet MITM) to hijack legitimate network connections and IP/MAC addresses of the victim.
## Indicators of Compromise
- File Hashes: [N/A, describes an overall procedure]
- File Names: [N/A]
- Registry Keys: [N/A]
- Network Indicators: The R1S establishing a local network presence, potentially masquerading as a victim's legitimate device (ARP poisoning/spoofing implied for Part 2).
- Behavioral Indicators: Unexplained USB enumeration events corresponding to the R1S's actions, or unusual network routing through the SBC.
## Associated Threat Actors
- Red Team Operators, Advanced Persistent Threats (APTs) if weaponized for persistence post-breach.
## Detection Methods
- [Signature-based detection]
- [N/A]
- [Behavioral detection]
- Detecting unusual network topology changes suggestive of a layer 2 MITM (which Part 2 aims to achieve).
- Alerting on unexpected UDC behavior or rapid device enumeration/re-enumeration sequences on target systems.
- [YARA rules if available]
- [N/A]
## Mitigation Strategies
- Strict physical access control to network infrastructure and unattended endpoints.
- Network segmentation and use of Network Access Control (NAC) to verify device identity and MAC/IP binding.
- Disabling unnecessary USB ports or implementing port security policies.
## Related Tools/Techniques
- Rubber Ducky
- LAN Turtle (For Ethernet MITM/C2 relay)