NAC/802.1x Bypass
All aboard! Pwnie Express has done it again. In addition to supporting both 3G and Wireless connectivity, the Pwn Plug Elite can bypass virtually all NAC/802.1x/RADIUS implementations, providing a reverse shell backdoor and full connectivity to NAC-restricted networks!
How does it work?
- First, the Pwn Plug is placed in-line between an 802.1x-enabled client PC and a wall jack or switch.
- Using a modified layer 2 bridging module, the Pwn Plug transparently passes the 802.1x EAPOL authentication packets between the client PC and the switch.
- Once the 802.1x authentication completes, the switch grants connectivity to the network.
- The first outbound port 80 packet to leave the client PC provides the Pwn Plug with the PC’s MAC address, IP address and default gateway.
- To avoid tripping the switch’s port security, the Pwn Plug then establishes a reverse SSH connection using the MAC and IP address of the already authenticated client PC.
- Once connected to the plug’s SSH console, you will have access to any internal subnets accessible by the client PC. As an added bonus, connections to other systems within the client PC’s local subnet will actually appear to source from the subnet’s local gateway!
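Two detection heuristics that follow from the steps above, added here as an example and not part of the Pwnie Express page: a single authenticated MAC/IP on one access port emitting packets with two different IP TTLs (a second stack sharing the client's identity), and the subnet gateway's address sourcing new connections from an access port rather than an uplink. The flow record format, the gateway address, the uplink port list and the sample records are all constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records (assumed format):
# time  switch-port  src-MAC  src-IP  dst-IP  dst-port  IP-TTL
SAMPLE_FLOWS = """\
10:00:01 Gi1/0/5 00:11:22:33:44:55 10.1.1.50 10.1.1.1 443 128
10:00:03 Gi1/0/5 00:11:22:33:44:55 10.1.1.50 198.51.100.7 80 128
10:00:05 Gi1/0/5 00:11:22:33:44:55 10.1.1.50 203.0.113.9 22 64
10:00:09 Gi1/0/5 00:11:22:33:44:55 10.1.1.1 10.1.1.77 445 64
10:00:12 Gi1/0/7 00:11:22:33:44:66 10.1.1.60 198.51.100.7 443 128
"""

GATEWAY_IP = "10.1.1.1"       # assumed address of the subnet's default gateway
UPLINK_PORTS = {"Gi1/0/48"}   # assumed ports on which the gateway legitimately sources traffic


def parse_flows(text):
    """Parse the constructed whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        ts, port, mac, sip, dip, dport, ttl = line.split()
        flows.append({"ts": ts, "port": port, "mac": mac, "sip": sip,
                      "dip": dip, "dport": int(dport), "ttl": int(ttl)})
    return flows


def detect_bridged_host(flows):
    """Return findings keyed by switch port; each finding is reported once."""
    findings = defaultdict(list)
    ttls_seen = defaultdict(set)   # (port, mac, src ip) -> TTL values observed
    reported = set()
    for f in flows:
        key = (f["port"], f["mac"], f["sip"])
        ttls_seen[key].add(f["ttl"])
        # Heuristic 1: one MAC/IP identity sending with two different initial TTLs
        # means two different IP stacks are using the authenticated client's address.
        if len(ttls_seen[key]) > 1 and ("ttl", key) not in reported:
            reported.add(("ttl", key))
            findings[f["port"]].append(
                f"ttl-mismatch {f['sip']} ttls={sorted(ttls_seen[key])}")
        # Heuristic 2: the gateway address originating connections on an access port;
        # the page notes bridged traffic to the local subnet appears to come from the gateway.
        if f["sip"] == GATEWAY_IP and f["port"] not in UPLINK_PORTS:
            findings[f["port"]].append(
                f"gateway-ip-on-access-port -> {f['dip']}:{f['dport']}")
    return dict(findings)
```

Running `detect_bridged_host(parse_flows(SAMPLE_FLOWS))` flags only port Gi1/0/5, where both heuristics fire; port Gi1/0/7 shows a single consistent TTL and is not reported.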
