
Powershell on covert channel: "Closing handle to native WiFi API"

Open b1116490 opened this issue 5 years ago • 9 comments

Hello. When I try to use the WiFi covert channel script on my own PC, I get this error after stage 2 presumably starts:

Process died with exit code: -3
Closing handle to native WiFi API
Process died with exit code: -3
Closing handle to native WiFi API
Process died with exit code: -3
Closing handle to native WiFi API
Process died with exit code: -3
Closing handle to native WiFi API
Process died with exit code: -3
Closing handle to native WiFi API
Process died with exit code: -3
Closing handle to native WiFi API
Process died with exit code: -3
Closing handle to native WiFi API
Process died with exit code: -3

etc. Not sure what more details I should add or how to troubleshoot.

Edit: I did use the master template for this.

b1116490, Jul 12 '19 00:07

Apologies, I seem to have made progress through random trial-and-error, but now I am at a roadblock again. My victim PC doesn't seem to want to connect to the hidden AP, which I only saw for a brief moment in the list of WiFi spots, but I suppose that's what makes it hidden. Trying to connect to that manually fails. I am at a loss.

b1116490, Jul 19 '19 17:07

What exactly have you done? Did you run the bash script or deploy the covert channel master template?

There is no hidden AP to connect to; the covert channel hides data in 802.11 probe requests/responses.

mame82, Jul 24 '19 06:07

Sorry, I did say in the first post that I deployed the covert channel master template, but I should have been more clear. I have also assumed a few things about how it works, from the behavior of my PC when I launch the attack and the things I read on the wiki.

Here is precisely what I do:

  1. Plug in the P4wnP1 with nearly default settings, with only the WiFi and BT access point name and passwords changed. (through the master template, the wifi settings reset to the default creds.)
  2. Connect to it through BT, and deploy the covert channel master template.
  3. Let it enter the payload into PowerShell, with a US keyboard, no issues there.
  4. This shows up on the PS window after the payload is entered:

Start receiving stage2 ..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................stage2 reassembled

GAC Version Location

False v2.0.50727
Starting test
Trying to connect covert channel via '802.11n USB Wireless LAN Card'
Connect Init Request 1 (to srvID 9)...
Scan completed!
Network Available!
SSID recieved: (censored)
Discarded SSID: (censored)
SSID recieved: (censored)
Discarded SSID: (censored)
Scan completed!
SSID recieved: (censored)
Discarded SSID: (censored)
SSID recieved: (censored)
Discarded SSID: (censored)
Network Available!
Scan completed!
SSID recieved: (censored)

And so on. From there I suspect something might be wrong, since this isn't what it looked like on videos showing the process.

  5. SSH into the P4wnP1 and run screen -d -r wifi_c2 (the arguments might be the other way around).
  6. This is what I see on the terminal next:

Bound to server ID 9
Listening for incoming connections (max 15)
MaMe82 WiFi covert channel > InReq1: Connection request from client IV: (some code)
...InRsp1: Handing out client ID 1

From there on I have access to commands. When I type sessions however I get no results, and when I type interact 1 it tells me that I need to enter a valid client ID according to the sessions command. Note that the PS window is still looping through the same messages.

The odd thing is that, while following the same procedure before, I have gotten different results. Sometimes I would get a result when typing sessions, but with no success when trying to interact with it. I have also had different results on PS.

When I exit out of screen on ssh, I can see some errors from /usr/local/P4wnP1/legacy/wifi_server.py, namely in order lines 1189, 1045 and 747.

Thank you for your reply.

b1116490, Jul 29 '19 00:07

Hello. I have the same problem mentioned by b1116490. I ran the bash script like Seytonic did in his video.

ghost, Sep 27 '19 18:09

I'm running into the same issues here -- adding some additional information:

I manually SSH into the RPi0w and run the wifi_covert_channel.sh before deploying the hidscript. All other reqs are in place (usb gadget options from the template)

The payload is deployed fine and leaves the same display on the PS window of receiving and discarding SSIDs on loop.

The SSH window that ran wifi_covert_channel.sh shows "Ended stage2 delivery", but no other prompts, etc. No other commands can be typed here without interrupting the script.

The screen -d -r wifi_c2 shows "InReq1: Connection request from client IV: [code]" and "InRsp1: Handing out client ID 1", but doesn't show any response or the addition of that IV into the accept-queue like Seytonic's video does. Sessions lists nothing. You can't use interact to interact with any since there aren't any sessions available.

I've reimaged the SD card, and tested on 3 different machines with different specs/HW/etc running Windows 10 Build 1903 on each. Same results.

Screenshots of screen command, the sh script, and the payload on victim.


DarkTech2, Dec 14 '19 19:12

Same exact issue here, please let me know if you find any solution.

devoniodd, Dec 16 '19 15:12

I am also experiencing this issue, wondering if anyone has figured it out?

wthorstad, Dec 19 '19 20:12

I am having the same issue, getting:

Process died with exit code: -1
Closing handle to native WiFi API
Process died with exit code: -1
Closing handle to native WiFi API
Process died with exit code: -1
Closing handle to native WiFi API
Process died with exit code: -1
Closing handle to native WiFi API
Process died with exit code: -1
Closing handle to native WiFi API
Process died with exit code: -1
Closing handle to native WiFi API
Process died with exit code: -1
Closing handle to native WiFi API
Process died with exit code: -1

Did Microsoft patch the WIFI API to fix this vulnerability?

newberryb, Jan 07 '20 18:01

Exactly the same issue encountered - anyone found a resolution as I have spent 2+ days on this one?

Makes no difference whether Startup Master Template is set to 'wifi covert channel' or same HIDScript is run manually.

One additional piece of info I will add is that the laptop I have the Raspberry Pi Zero W plugged into tried to connect to covert channel via built-in wireless adapter but finishes scan without showing any connection found (see attachment). Could this be that it is unable to connect to the P4wnP1 Access Point?

Any help would be much appreciated as I am about ready to give up and move onto a different project.

beerinfinity, Nov 19 '20 19:11