Pwnie Express


Remote Access



:: All Pwn Plugs include aggressive reverse tunneling capabilities for persistent remote SSH access.

:: All tunnels are encrypted via SSH and will maintain access wherever the plug has an Internet connection.

:: The following covert tunneling options are available for traversing strict firewall rules & application-aware IPS:


  • SSH over any TCP port
  • SSH over HTTP requests (appears as standard HTTP traffic)
  • SSH over SSL (appears as HTTPS)
  • SSH over DNS queries (appears as DNS traffic)
  • SSH over ICMP (appears as outbound pings)
  • SSH Egress Buster (top 10 common egress ports)
  • Out-of-band SSH over 3G/GSM cellular (Elite models)

PwnPlug Toolkit

Preinstalled Pentesting Tools

The following open source pentesting tools are included on all Pwn Plugs [repository here]

alive6
amap
amap6
arping
arp-scan
asp-auditor
bed
cisco-auditing-tool
cisco-global-exploiter
cms-explorer
cryptcat
DarkMySQLi
darkstat
denial6
detect-new-ip6
dmitry
dnsdict6
dnsenum
dnstracer
dos-new-ip6
dsniff
easy-creds
ettercap
exploit6
fake_advertise6
fake_dhcps6
fake_dnsupdate6
fake_mipv6
fake_mld26
fake_mld6
fake_mldrouter6
fake_router6
Fasttrack
fierce
fimap
flood_advertise6
flood_dhcpc6
flood_mld26
flood_mld6
flood_mldrouter6
flood_router6
flood_solicitate6
fping
fragmentation6
ftp
fuzz_ip6
goohost
gpsd
grabber
hping3
hydra
implementation6
iodine
ipcalc
john
kill_router6
lbd
mdk3
metagoofil
metasploit 4
miranda
miredo
nbtscan
nc
ndpexhaust6
netdiscover
nikto
nmap
onesixtyone
openssl
openvpn
parasite6
plecost
proxychains
proxytunnel
randicmp6
redir6
rsmurf6
scapy
sendpees6
sendpeesmp6
SET
sickfuzz
sipcrack
sipsak
sipvicious
skipfish
smtp-user-enum
smurf6
snmpcheck
snmpenum
socat
sqlbrute
sqlmap
sqlninja
ssldump
sslscan
sslsniff
sslstrip
tcptraceroute
telnet
thcping6
theharvester
tinyproxy
toobig6
trace6
ua-tester
udptunnel
voiper
waffit
wapiti
weevely
wifitap
wifite
wifizoo
xprobe2

The Pwnie Express Plug UI

NAC/802.1x Bypass

All aboard! Pwnie Express has done it again. In addition to supporting both 3G and Wireless connectivity, the Pwn Plug Elite can bypass virtually all NAC/802.1x/RADIUS implementations, providing a reverse shell backdoor and full connectivity to NAC-restricted networks!

How does it work?

  1. First, the Pwn Plug is placed in-line between an 802.1x-enabled client PC and a wall jack or switch.
  2. Using a modified layer 2 bridging module, the Pwn Plug transparently passes the 802.1x EAPOL authentication packets between the client PC and the switch.
  3. Once the 802.1x authentication completes, the switch grants connectivity to the network.
  4. The first outbound port 80 packet to leave the client PC provides the Pwn Plug with the PC’s MAC/IP address and default gateway.
  5. To avoid tripping the switch’s port security, the Pwn Plug then establishes a reverse SSH connection using the MAC and IP address of the already authenticated client PC.
  6. Once connected to the plug’s SSH console, you will have access to any internal subnets accessible by the client PC. As an added bonus, connections to other systems within the client PC’s local subnet will actually appear to source from the subnet’s local gateway!
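As an added illustration from the defender's side (not part of the original page or of the Pwn Plug software), two checks a network monitor can run over flow records to notice a bridged device of the kind described above: a borrowed MAC/IP pair that shows two different IP-stack fingerprints, and a gateway address that opens sessions to hosts in its own subnet. The record layout, the TTL/window heuristic, the gateway inventory and every sample value are assumptions constructed for this example.

```python
"""Constructed flow records as a tap or NetFlow exporter might report them."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: client PC 10.1.5.23 / aa:bb:cc:dd:ee:01, gateway 10.1.5.1.
SAMPLE_FLOWS = [
    # (src_mac, src_ip, dst_ip, dst_port, ip_ttl, tcp_window, is_syn)
    ("aa:bb:cc:dd:ee:01", "10.1.5.23", "93.184.216.34", 80, 128, 65535, True),
    ("aa:bb:cc:dd:ee:01", "10.1.5.23", "10.1.9.7", 445, 128, 65535, True),
    # Same MAC/IP, but a Linux-like stack: an outbound SSH session from a second host.
    ("aa:bb:cc:dd:ee:01", "10.1.5.23", "198.51.100.9", 22, 64, 29200, True),
    # Gateway address opening a TCP session to a host inside the subnet it serves.
    ("00:11:22:33:44:55", "10.1.5.1", "10.1.5.40", 22, 64, 29200, True),
    ("00:11:22:33:44:55", "10.1.5.1", "10.1.5.40", 22, 64, 29200, False),
]

# Assumed inventory: gateway address -> the subnet it routes for.
GATEWAYS = {"10.1.5.1": ip_network("10.1.5.0/24")}


def stack_mismatches(flows):
    """Return MAC/IP pairs that emitted more than one (ttl, window) fingerprint.

    A second host borrowing an authenticated client's MAC and IP rarely matches
    that client's IP stack as well, so the pair looks like two operating systems.
    Only SYN packets are considered, since they carry the initial window size.
    """
    seen = defaultdict(set)
    for mac, ip, _dst, _port, ttl, win, is_syn in flows:
        if is_syn:
            seen[(mac, ip)].add((ttl, win))
    return sorted(pair for pair, fps in seen.items() if len(fps) > 1)


def gateway_initiated(flows, gateways=GATEWAYS):
    """Return SYNs whose source is a gateway address talking to a host in the
    subnet it serves: gateways forward traffic, they seldom open sessions."""
    hits = []
    for _mac, ip, dst, port, _ttl, _win, is_syn in flows:
        net = gateways.get(ip)
        if is_syn and net is not None and ip_address(dst) in net:
            hits.append((ip, dst, port))
    return hits


if __name__ == "__main__":
    print("stack mismatches:", stack_mismatches(SAMPLE_FLOWS))
    print("gateway-initiated sessions:", gateway_initiated(SAMPLE_FLOWS))
```

Both checks are heuristics: NAT devices and dual-boot machines also produce mixed fingerprints, so alerts from them should be correlated with switch port and 802.1x session data before acting.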



Pwn Plug Software Release 1.1

After much development, testing, and late night brainstorming, Pwn Plug software release 1.1 is now shipping on all new plug orders! And yes, our commercial customers can upgrade free of charge.

This is a MAJOR release, including an entirely new Linux distro. Here’s just a sampling of the new feature set:


OS & performance improvements!

  • OS upgraded to Debian 6 (Squeeze)
  • 20-second boot up
  • Faster file-system (UBIFS)


New tunneling features!

  • SSH Egress Buster
  • OpenVPN & SSH-VPN support
  • New covert channels (udptunnel, iodine, etc.)
  • Support for authenticating HTTP proxies
  • More resilient tunnels (thanks Lance Honer!)


New Plug UI features!

  • Point-and-click SSH receiver (Backtrack) setup
  • One-click NAC Bypass (Elite models)
  • One-click Passive Recon
  • One-click Stealth Mode
  • One-click History Wipe


New wireless features!

  • Support for 802.11n and hundreds of new wireless devices
  • JP Ronin’s Bluetooth pentesting suite
  • Kismet new-core with Ubertooth support
  • Zigbee support (thanks Travis Goodspeed!)
  • 4G cell network support (Elite models)
  • War dialing via GSM modem (Elite models)
  • SMS text-to-bash (Elite models)

...and of course, more tools!

  • Over 50 new pentesting tools!
  • Web app testing tools, including w3af
  • Database/SQL testing tools
  • THC IPv6 toolkit
  • VoIP testing tools

A HUGE thanks to our customers and supporters! Your feedback and dedication have allowed us to create the most robust and reliable pentesting drop box on the planet!