PC Backdoor With Pi Zero | P4wnP1 A.L.O.A Tutorial

  • Published on Jun 2, 2019
  • 👉👉Check out MALTRONICS maltronics.com/?PPBDOOR
    PCBWay (5TH ANNIVERSARY SALE NOW ON): www.pcbway.com/anniversary5sales.html?from=Seytonic

    Previous setup video + steal files: ru-clip.net/video/I_BjCdJlCo4/video.html
    github page: github.com/mame82/P4wnP1_aloa
    mame82 twtr: mame82
    win32disk imager: sourceforge.net/projects/win32diskimager/
    pi zero antenna mod (not needed for this video): ru-clip.net/video/KonrpeVRRjc/video.html

    Check out my site: www.seytonic.com
    Follow me on twitter: seytonic
    Discord server: discord.gg/seytopia
  • Science & TechnologyScience & Technology

Comments • 159

  • Seytonic
    Seytonic  3 months ago +88

    Another video, another demonetization :)))))))

    • Berit Larsaig
      Berit Larsaig 2 months ago

      @Daemon Drop dead

    • Once Upon A Cross
      Once Upon A Cross 2 months ago

      I just realized how muppets get triggered when some one said they will unsubed. Is this what game culture and Pre-Order culture is?🤣🤣🤣

    • BlueDrafter13
      BlueDrafter13 2 months ago

      @Commander Crash definitively doesn't work out of the box that's for sure. it keeps throwing a hidstager.py error when stage 2 of of the covert script for me, saying there is an error in the code on multiple lines. doesn't seem to be any troubleshooting that i have been able to find.

    • Steve
      Steve 3 months ago

      Burgerl X it uses kali rolling to update ,if it didn’t you could just add the repo to your /etc/apt/sources.list and update or grab it from git or the net straight from rapid. Controlling it from the web ui is another thing I’m not sure, you can still ssh into your pi while aloa is running like he said in the vid as long as you’ve got a shell it’s all good 👍🏼🐚🐚🐚. I’m more interested in how this covert channel works ⁉️

    • Steve
      Steve 3 months ago

      Who’s channel ?

    WoLFyy THETHE 14 days ago

    i have a problem how about if the victim put super glue in the pc to himself and he dont leave the pc , U Must always plug to get access i love remotely things exemple get cmdshell remotely like "eternalblue or doublepulsar via lan or wan

  • Marcus
    Marcus 24 days ago

    I got this to kind of work one time. After that it wouldn’t boot. Changed sd cards, reflashed a billion times, changed card readers, changed source of aola image (github vs offensive-security), different software, and never got it to boot again.... Is Windows this shitty or is my BRAND NEW pi dead, or is it a bug in the image? I’ve exhausted almost everything besides a new pi.......

  • jord roest
    jord roest 28 days ago

    If i try to install i get this message "pi@raspberrypi:~/P4wnP1 $ sudo ./install.sh Testing Internet connection and name resolution...
    ...[pass] Internet connection works
    Testing if the system runs Raspbian Jessie or Stretch...
    ...[Error] Pi is not running Raspbian Jessie or Stretch! Exiting ..." And i install raspbian from this page: www.raspberrypi.org/downloads/raspbian/ can someone help?

  • 20198570934807 9280394820948

    I did everything the same way you did but it when I press run in the HID tab, it says that the job started but it never finishes. Any idea?

  • akiMC
    akiMC Month ago +1

    Does anyone have an idea why my P4wnP1 A.L.O.A won't run any HID scripts, it just says Job 1 running and it never finishes, im using a raspberry pi zero w and im targeting windows 10. I did everything just like Seytonic did so I didnt mess anything up. I posted a github issue here: github.com/mame82/P4wnP1_aloa/issues/160. so any help is very appreciated!

  • Johnathan Costa
    Johnathan Costa Month ago

    I've been following P4wnP1 and I really would like to try the A.L.O.A., but so far I couldn't set it up with only my notebook, SD Card, and Pi Zero. I'm saving for uni fees and buying a display and keyboard isn't an option at the moment.
    So far I tried hard but I've no idea how to set up the wifi and ignore/delete the Linux login prompt in the Kali Image booted in the SD Card (alike the headless pi zero w set up) but I imagine that it isn't impossible.
    Could you help me out?

  • compactdiscman
    compactdiscman 2 months ago

    When I type sessions nothing shows up, I have followed the rest of the steps

  • Dickie Wilken
    Dickie Wilken 2 months ago

    Nice videos, quick question. I don't see the `Setup.cfg` file in the aloa version. Was the file location moved? Does winlockpicker work on aloa?

    • billy jones
      billy jones Month ago

      I would also like to know. Did you figure it out?

  • Alexandru Gavrilescu
    Alexandru Gavrilescu 2 months ago

    Hi, could you please tell me where is the location of the scripts folder? I am trying to follow a tutorial and I am missing the folder "/usr/local/P4wnP1/scripts/", the only "scripts" folder I could find is in /P4wnP1/dist/ but i don't this this is the right one because it contains only some of the default scripts but not the custom ones that I saved via the GUI. I would very much appreciate your help. Thanks

  • Meyer ᴖᴥᴖ
    Meyer ᴖᴥᴖ 2 months ago

    Hey @Seytonic when I run this I can't seem to find my session. Nothing pops up even after I have run wifi_covert_channel.sh on the website. Do you know why this is?

  • M Isa
    M Isa 2 months ago

    Can a raspberry pi connect and create an AP at the same time without an external adapter?

  • Niki Duma
    Niki Duma 2 months ago

    A new raspberry pi 4 is available. Can this work on a new pi4?

    • akiMC
      akiMC Month ago

      No, the Pi zero is the only one that can simulate other devices.

  • Bearded Lady
    Bearded Lady 2 months ago

    Hi there, I have tried and tried to run the | (Pipe) command but am unable to map it on the PiZero (P4wnP1 A.L.O.A). Do you have any ideas why im getting wrong mapping? When | is entered/typed a ~ comes in place.
    Thanks in advance

  • Ray Schwarz
    Ray Schwarz 3 months ago +1

    I love ur vids :D
    Dangerous Vid.

  • Adam Catley
    Adam Catley 3 months ago

    Does this not work for ethernet connected PCs?

    • Ross Morella
      Ross Morella 3 months ago

      this will work for ethernet connected pcs as well as wifi connected pcs. the connection happens via the usb cable

  • Adam Catley
    Adam Catley 3 months ago

    How do you get it working for a UK keyboard?

    • Adam Catley
      Adam Catley 3 months ago

      @Yato_ God I looked on github, the GB layout os broken

    • Yato_ God
      Yato_ God 3 months ago

      You Don't. 😈😎

  • Good Man
    Good Man 3 months ago

    Wait...do you have to physically open the website on the target pc?

  • Chad Yordy
    Chad Yordy 3 months ago +1

    When I tried it stays stuck on job state running

  • dubstep1994
    dubstep1994 3 months ago

    7:45 why not build/plug the raspberry pi into the pc?

  • dubstep1994
    dubstep1994 3 months ago +8

    HAK5 got owned by our lovely Raspberry Pi Kali Linux Community! What a badass software !

  • XxMatty KidxX
    XxMatty KidxX 3 months ago +1

    Is that a corsair carbide 275r?

    • LatusCrest
      LatusCrest 3 months ago

      Yes. He made a video on building his new pc in it.

  • o o
    o o 3 months ago

    I´m here.

  • Anwar Al Shamkhany
    Anwar Al Shamkhany 3 months ago

    I'm having some trouble at 5:09 as the wifi_covert channel.sh is not green

  • Trojanics Beats
    Trojanics Beats 3 months ago

    do i need an web server?

    • Ross Morella
      Ross Morella 3 months ago

      watch the whole video, the full steps are layed out and it's simple to do

  • Birdcrumbs
    Birdcrumbs 3 months ago

    This doesn't work for me. When the P4wnP1 injects the keystrokes, it just injects about a hundred lines of garbage code. I've reflashed the image multiple times.

    • akiMC
      akiMC Month ago

      Maybe wrong keyboard layout?

  • Jake Guard
    Jake Guard 3 months ago +1

    If only it could be minimized, or something similar on an esp with SD card

  • jameswalker199
    jameswalker199 3 months ago +3

    It occurred to me you could probably PwnPi your own PC for increased security. Imagine fixing a little Pi Zero (and maybe Adafruit fona) behind the motherboard, connecting it to the internal USB headers, then you have a backdoor into your PC even if it gets stolen and the OS reinstalled.
    Bonus stealth points if you hide the Pi in something that already plugs into the USB, like a drive-bay card reader.

  • Skribbsta
    Skribbsta 3 months ago

    When mine runs it just brings up a powershell window writes the code and gives a ton of errors

    • TheMaMe82
      TheMaMe82 3 months ago

      Set "WiFi covert channel" as Startup MasterTemplate on "generic settings" tab. Save the settings an re-attach P4wnP1 to the host. The payload should be typed out automatically.
      There are two possible causes for Powershell errors:
      1) Wrong language settings in the HIDScript
      2) The python script for the second stage of the payload isn't running (started by a TriggerAction, delivers stage 2 via HID raw channel)

  • Can we hit 1000 subs So i can brag at school

    What are some things i can do with the stolen devices i do have a pi zero which my brother bought me

  • Burgerl X
    Burgerl X 3 months ago +8

    @Seytonic you mentioned last aloa video that it runs on kali, and has all the tools.
    Is it possible to run mfc and bruteforce the user's password?

  • Ben Domino
    Ben Domino 3 months ago

    hey i'm curious, can this little device steal data or credentials on /home/user if it's plugged in linux box or lets say a raspberry pi running raspbian os?

    • akiMC
      akiMC Month ago

      It can be just like Seytonic showed in the Exfiltrating files with a Pi zero video (ru-clip.net/video/I_BjCdJlCo4/video.html). Keep in mind that the way you open up the terminal and the commands you type in would be different.

  • John Sadiq
    John Sadiq 3 months ago +1

    @Seytonic hey im trying to be on my way to become an ethical hacker. Can you make a video for how to protect against people who may try to do some of these attacks. please and thank you

  • Azuraii
    Azuraii 3 months ago

    Really nice tutorial! When you said you need an internet connection to download netcat, you could always use the storage to hold the netcat.exe and simply copy it to the target pc. If the computer doesn't have access to wifi, you can enable lan over usb and connect to that and access the shell over ssh through the pi. Only issue is that it requires the pi to be plugged in the whole time you wan't access to the shell.

    SHASHANK S SHASHANK S 3 months ago +1

    Nice Bro You are Awesome Love from India 👌👌👌

  • Future Productions
    Future Productions 3 months ago

    It's Scary to think that it would be so easy to hide this into a keyboard like a razor gaming one and then the attacker could package it back up then sale it on ebay for and make it look as unhampered as u can are even return it to a store good video be good boyz&girlz

  • horrorweedvideo
    horrorweedvideo 3 months ago

    Even more random though. Is it possible to emulate a USB monitor? Could one then duplicate the monitor in windows and screen cap what's going on?

    • TheMaMe82
      TheMaMe82 3 months ago

      No. I already investigated this. All USB classes which allow streaming video are meant to deliver the stream from device to host (f.e. Webcams)

  • horrorweedvideo
    horrorweedvideo 3 months ago +1

    What if we made a fake fullscreen "windows update" video/gif, which the hid script would launch from a partition?

    • Ross Morella
      Ross Morella 3 months ago

      i made an HIDscript for this, it loads up a fullscreen fake windows update website pastebin.com/uZYrtbJL

    • Jared Neaves
      Jared Neaves 3 months ago


  • Dean Oh
    Dean Oh 3 months ago

    I get nothing for the 'sessions' command

    • TheMaMe82
      TheMaMe82 3 months ago

      Likely sth went wrong rolling out the client agent, thus it isn't able to connect back to P4wnP1

  • R.
    R. 3 months ago +3

    More pi zero projects❤️

  • TheMaMe82
    TheMaMe82 3 months ago +7

    Thx for the great video. Here some (yet undocumented) additions to ease things up:
    1) There is a MasterTemplate called "WiFi covert channel" which loads all needed settings in a single shot once deployed (USB settings, TriggerActions, Network settings)
    2) If the aforementioned MasterTemplste is selected as 'Startup MasterTemplate' in "generic settings" tab, these settings persist P4wnP1 reboot. This means, each time one plugs P4wnP1 into a USB host, it rolls out the covert channel agent. If P4wnP1 is plugged into a power supply, it will auto start the C2 server, which receives connections from 'infected' clients. After a Login to P4wnP1 WiFi, all client sessions are accessible from the SSH shell.
    "Infected" clients automatically reconnect to P4wnP1, everytime they get in range. The respective client doesn't need to be connected to any WiFi to make this work.

  • Oat lord
    Oat lord 3 months ago

    Doesn't windows prompt at times for hid driver install, especially if the user has no access?

    • Ross Morella
      Ross Morella 3 months ago

      @Oat lord at most it might produce the "device connected" sound... keyboards and mice are basically universal so it wouldnt need different drivers

    • Oat lord
      Oat lord 3 months ago

      @TheMaMe82 I trust you, but I swear I can remember being prompted to install a driver for an HID device. Maybe I'm confusing Arduino for keyboard.

    • TheMaMe82
      TheMaMe82 3 months ago


  • Once Upon A Cross
    Once Upon A Cross 3 months ago +5

    How dose one execute a .exe file with P4wnP1? I have the .exe saved via UMS and want to call it everytime its connected to a computer. I have tryed sevral scripts but all want me to use internet to call a .exe I want to do this local.

    • Azuraii
      Azuraii 3 months ago +1

      Using CMD, you can do this:
      type("for /f %D in ('wmic volume get DriveLetter^, Label ^| find \"WINUSB\"') do set usbdrive=%D")
      the UMS must be called WINUSB (change in the above line to use another name)
      then to launch the exe, you would do %usbdrive%\\blahblah.exe (the extra backslash is just to escape the following one)

    • Once Upon A Cross
      Once Upon A Cross 3 months ago +1

      TheMaMe82, Thanks :) And ya its loud. But this is for my curiosity and not to be used on a victim... Of course not without permission ;)

    • TheMaMe82
      TheMaMe82 3 months ago +1

      Use the technique explained in last P4wnP1 video by @seytonic in order to identify the flashdrive with the PE (.exe) file. Instead of copying files to this volume, you could change the PowerShell commands to start the respective binary.
      Type out the respective Powershell script via keystroke injection, like @seytonic showed.
      Be aware that launching binaries is the "loudest" thing one could do, thus it is likely you hit the AV in case the PE file is suspicious

    • Once Upon A Cross
      Once Upon A Cross 3 months ago +3

      Daemon, I figure. But had to try. Besides i figured this out without the response of others. And besides I don't get high off of "likes."

    • Daemon
      Daemon 3 months ago +4

      @V is for Voltage Good luck on getting a response. Next time just act like the rest of the idiots in here and say "Grate Video" or "Love your Videos" or "discord server squad" or some stupid shit like that and maybe you will get a like from Seytonic. But i'm sure he will not be answering questions like this he may not know.

  • iblackfeathers
    iblackfeathers 3 months ago +3

    more practical use cases than the ducky. 👍

  • Burgerl X
    Burgerl X 3 months ago +1

    1:08 or a Digispark

  • Burgerl X
    Burgerl X 3 months ago +1

    Is there a way for it to run on a raspberry pi non-w?

    • venum.
      venum. 2 months ago

      Samy Haffoudhi does the pi zero not support hid!

    • Burgerl X
      Burgerl X 3 months ago

      @TheMaMe82 ok thx

    • TheMaMe82
      TheMaMe82 3 months ago

      No, the firmware of Pi0w's WiFi chip has been modified to allow this kind of attack (heavy lifting is offloaded to integratef Broadcom WiFi chip) ... only works on Pi0W

    • Samy Haffoudhi
      Samy Haffoudhi 3 months ago

      as far as I know the pi zero w is the only pi with HID support so I don't think so, sorry

  • Billy M
    Billy M 3 months ago +1

    Doesn't seem to work for me.

    The powershell keeps saying "Process died with exit code: -1
    No valid handle for native WiFi API received"

    • TheMaMe82
      TheMaMe82 3 months ago

      @Billy M
      The web frontend allows overwriting scripts in order to update them. For deletion, I'm afraid, you have to use ssh/scp.
      Script path is `/usr/local/P4wnP1/HIDScripts`

    • Billy M
      Billy M 3 months ago

      @TheMaMe82 Thank you for explaining this!

      Would it be possible for you to add a delete option in the web interface so people can delete unwanted scripts? I've made some HID scripts and then later found better ways of doing them and would like to be able to delete the old ones but I don't see an option for that.

    • TheMaMe82
      TheMaMe82 3 months ago

      @Billy M yes, it is a multi stage payload:
      Stage 1:
      Delivered via keystroke injection (P4wnP1 plugged)
      Stage 2: Delivered via HID covert channel (P4wnP1 plugged, special service pipes larger payload parts via HID channel into memory of USB host)
      Stage 3: In memory payload starts communication utilizing WiFi scans. This needs a WiFi interface, but no connection to a WiFi, as data is hidden in every scan. P4wnP1 could be unplugged at this stage.
      When P4wnP1 is powered up again, and the python script for the C2 server is started, it recognizes those "malformed" scans and sends special responses (again carrying data). At the same time P4wnP1 opens a normal WiFi Access Point. Once you connect to this AP from a different host, a SSH session allows access to the C2-Server command line interface shown in the video. From this command line interface, all "infected" clients in range of P4wnP1 could be controlled with the `interact` command (up to 16 clients).
      So there are two WiFi connections:
      The hidden one from the "infected" client (no real WiFi, as the host doesn't need to be connected to a WiFi) and a real WiFi connection from the "control host" to P4wnP1's C2 server.
      Managing all those connections is entirely done by P4wnP1 ... to be more specific, by its WiFi chip, as everything happens in the modified WiFi firmware (which is a nexmon mod)

    • Billy M
      Billy M 3 months ago

      @Daemon The video was great!!!

    • Billy M
      Billy M 3 months ago

      @TheMaMe82 Does this require the PC to have a wifi card in it? I thought it was connecting through the pi's wifi and receiving commands that way?

  • NTD Dux
    NTD Dux 3 months ago

    when i click run nothing happens, and there are no open sessions on the control on ssh. help?

    • Adam Catley
      Adam Catley 3 months ago

      This keeps happening to me too. I think it's just when you use ethernet. The problemo is a lot of PCs do so I think I'll switch back to the old P4wnP1

    • Raul Tai
      Raul Tai 3 months ago

      What do you mean by "nothing happens"? Mine also doen't show any sessions either, so if we understand whether or not our problems are the same we might be able to help each other.

    • Seytonic
      Seytonic  3 months ago +1

      Perhaps open an issue on github?

  • SweedishSlenderman
    SweedishSlenderman 3 months ago

    For me when running the shell all i get is errors but amazing video.

    • Adam Catley
      Adam Catley 3 months ago

      @Seytonic I can't get a GB keyboard working. It types loads of Spanish characters or something

    • SweedishSlenderman
      SweedishSlenderman 3 months ago

      even using the preloaded wifi_covert_channel.sh program, when compiling the powershell displays errors which is odd.

    • Seytonic
      Seytonic  3 months ago

      Make sure you're using the correct language.

  • Drop Cake
    Drop Cake 3 months ago +2

    Hey Seytonic. GREAT video! I really like your through and easy to understand explanations. Keep it up! Good work!

  • Paul Morrey
    Paul Morrey 3 months ago


  • GameRider
    GameRider 3 months ago

    Does the pi need to be attached to the pc to work or can we remove it after its done running the script

    • TheMaMe82
      TheMaMe82 3 months ago

      @GameRider No, once the shell is running, it stays up till the process is killed (won't persist reboot).
      If the Pi loses power, you could restart the C2 server and the client will connect back again

    • TheMaMe82
      TheMaMe82 3 months ago

      The Pi can be removed, once the shell is deployed. If you re-power it elsewhere and start the C2 server, again, the client will connect back in (Pi could be accessed via WiFi)

    • GameRider
      GameRider 3 months ago

      @Seytonic does removing the pi effect the reverse shell installed on the victims pc

    • Seytonic
      Seytonic  3 months ago +2

      If you remove the pi, how will you connect to the shell?

  • Dominik Tarnowski
    Dominik Tarnowski 3 months ago

    Nice video, but I'd recommend using a microcontroller (like nodemcu) instead of a microprocessor for a much shorter boot time

    • TheMaMe82
      TheMaMe82 3 months ago

      Not a bad idea. Would require sending, parsing and generating special crafted 802.11 frames (doable) + Keeping up a 802.11 complient hotspot at the same time (doable, but not easy to manage all states) + Implement the C2 logic (could get heavy) + emulating a USB HID device for payload delivery (maybe doable, storing the payload on flash ... doable too, holding it in RAM = impossible --> needs some magic). Managing client sessions and buffer IO with dynamic memory allocation (with some external RAM, maybe). Wrapping all together, run it in multiple threads ... yeah doable.
      Suggestion: Start implementing a full fledged multithreading OS for the uC, first (and be sure to keep bootup time short)

    • Seytonic
      Seytonic  3 months ago +3

      Are you offering to port p4wnp1 to the esp8266?

  • stan van de wiel
    stan van de wiel 3 months ago +2

    Le nice video

  • Ethan's Earth
    Ethan's Earth 3 months ago +2

    i want to try one of these things on my friends to prank them but i also dont want to get arested by thier parents

  • Anthony S
    Anthony S 3 months ago +3

    Great video. I modified that hak5 method a bit though and have p4wnp1 aloa type the tcp shell one liner directly in a hidden window instead of downloading a script. Can I send you the .js so you can tell me what you think?

    • TheMaMe82
      TheMaMe82 3 months ago

      @Anthony S Got it, thx man.
      Be sure to check out helper.js HIDScript from ALOA. It includes some nice PowerShell stubs which could be used for other implementations relying on keystroke injection (f.e. the Window hiding stub)

    • Anthony S
      Anthony S 3 months ago

      @TheMaMe82 right, in the beginning of the video Seytonic addressed the tcp shell that hak5 posted about with their rubber ducky, I've changed that method slightly to get a tcp shell in PowerShell. Love your work btw @TheMame82 I've been playing with it for years, big fan.

    • TheMaMe82
      TheMaMe82 3 months ago +1

      This is not a TCP shell. Communication is hidden in WiFi network scans and respective response frames. It works on multiple WiFi channels, no matter if the actual target host is connected to a WiFibor not

  • WarHawk427
    WarHawk427 3 months ago +1

    Do you have a video on how you added that antenna?

  • icycrash
    icycrash 3 months ago +1

    Pwnp1 never starts the wifi network. I flashed it on a SD card and left it plugged in for an hour and it never came up.

    • TheMaMe82
      TheMaMe82 3 months ago

      @icycrash you should open a github issue.

    • Daemon
      Daemon 3 months ago +2

      Hey look i'm 1st yaaaa

    • icycrash
      icycrash 3 months ago

      @Kevin Bhasi pi zero w. I've used multiple PC's to write the SD card and tried multiple pieces of software to.

    • Kevin Bhasi
      Kevin Bhasi 3 months ago

      What Raspberry Pi model are you using?

    • Benjamin Maynard
      Benjamin Maynard 3 months ago

      pi zero w?

  • Infεctεd | Gaming and more

    Need more of those videos!!

  • NTD Dux
    NTD Dux 3 months ago

    can i do this on my phone?

    • Anthony S
      Anthony S 3 months ago

      You can access the aloa interface from your phone. I also use termux to give me a terminal that I can use from my phone.