2013
Table of Contents:
Introduction
Core features
Hardware specs
Legal disclaimers
Getting started
Using the Pwnix UI
Accessing Pwnix UI
Setup page
System Authentication
Network Config
Reverse Shell Key
Clean up History and Logs
Update Device
Restart Device
Services page
Passive Recon
Evil AP
Reverse Shells page
System Details page
Help page
Using the reverse shells
Reverse shell overview
Typical deployment scenario
Activating the reverse shells
Configuring Backtrack to receive the reverse shells
Connecting to the reverse shells
Deploying to target network
Using SSH port forwarders on Backtrack
Example 1: Connecting to remote RDP servers
Example 2: Connecting to remote web servers
Creating an SSH VPN
Sample environment
Activating the SSH VPN tunnel
Using the wireless hardware
Copyright 2013 Pwnie Express. All rights reserved.
802.11 wireless
Connecting to an open wifi network
Running Airodump-ng & Kismet
Packet injection & WEP cracking
Wireless client de-authentication
Bluetooth
Using the Bluetooth adapter
4G/GSM cellular
Using the unlocked GSM adapter
Connecting to the Internet via 3G
Using the SSH-over-3G shell
Accessing the pentesting tools
Accessing Metasploit
Accessing Metasploit via msfrpcd
Running additional pentesting tools
Pentesting Resources
Using advanced features
NAC/802.1x Bypass
NAC Bypass overview
Enabling NAC Bypass mode
NAC Bypass troubleshooting
Disabling NAC Bypass mode
Stealth Mode
Maintaining your Pwnie device
Updating the Pwnix software
Accessing the local serial console
Reviewing the Pwnix environment
How to get support
Introduction
Introducing the Pwn Plug R2: a tightly-integrated penetration testing platform in a portable, shippable, plug-and-pwn form factor. With onboard high-gain wireless and dual-Ethernet, external high-gain Bluetooth, 4G/GSM cellular, more storage, and many software improvements, the Pwn Plug R2 is the enterprise pentester's dream tool.
Core features
• Onboard high-gain 802.11b/g/n wireless supporting packet injection
• Onboard dual Gigabit Ethernet for NAC bypass & network monitoring
• External high-gain Bluetooth adapter (up to 1000') supporting packet injection
• External unlocked 4G/GSM cellular adapter (SIM card not included)
• Automated wired NAC/802.1x/RADIUS bypass
• Simple web-based administration and in-product updates with "Pwnix UI"
• One-click Evil AP & Passive Recon services
• Maintains persistent reverse-SSH access to your target network
• Uses 6 different covert channels to tunnel through application-aware firewalls & IPS
• Supports HTTP proxies, SSH-VPN, & OpenVPN
• Out-of-band SSH access over 4G/GSM cell networks
• Runs Pwnix, a custom Debian distro based on Kali Linux (kali.org)
• OSS-based pentesting toolkit includes Metasploit, SET, Kismet, Aircrack-NG, SSLstrip, nmap, Hydra, w3af, Scapy, Ettercap, Bluetooth/VoIP/IPv6 tools, & many more
• Unpingable and no listening ports in stealth mode
Hardware specs
• Processor / RAM: 1.2GHz Armada-370 CPU / 1GB DDR3
• Disk storage: 32GB microSDHC (Class 10)
• Onboard wireless: High-gain 802.11b/g/n, packet injection & monitor mode, 8" external antenna
• Onboard I/O: 2x Gigabit Ethernet, 2x USB 3.0, serial console, microSD slot
• External high-gain Bluetooth adapter (up to 1000' range) supporting packet injection & monitor mode
• Optional support for Zigbee/Zwave, RFID, and Software-Defined Radios (SDR)
• Voltage: 110-240v (Adapters available)
• Power draw: 5 watts idle, 15 watts max
• Dimensions: 5.2" x 3.7" x 0.8"
Legal disclaimers
• All Rapid Focus Security, Inc. DBA Pwnie Express products are for legally authorized uses only. By using this product you agree to the terms of the Rapid Focus Security EULA: (http://pwnieexpress.com/pdfs/RFSEULA.pdf)
• This product contains both open source and proprietary software: Proprietary software is distributed under the terms of the Rapid Focus Security EULA: (http://pwnieexpress.com/pdfs/RFSEULA.pdf). Open source software is distributed under one or more of the following licenses:
  • GNU PUBLIC LICENSE (HTTP://WWW.GNU.ORG/LICENSES/GPL.HTML)
  • BSD-3-CLAUSE LICENSE (HTTP://WWW.OPENSOURCE.ORG/LICENSES/BSD-3-CLAUSE)
  • OPENSSL TOOLKIT DUAL LICENSE (HTTP://WWW.OPENSSL.ORG/SOURCE/LICENSE.HTML)
  • APACHE LICENSE, VERSION 2.0 (HTTP://WWW.APACHE.ORG/LICENSES/LICENSE-2.0.HTML)
• As with any software application, any downloads/transfers of this software are subject to export controls under the U.S. Commerce Department's Export Administration Regulations (EAR). By using this software you certify your complete understanding of and compliance with these regulations.
Getting started
1. Connect the provided wireless antenna to the SMA jack on the side of the device.
2. Connect the onboard Ethernet jack to a local network or switch.
3. Connect the AC adapter to a power source. The device will power on automatically.
4. The default device IP address is 192.168.9.10 (netmask 255.255.255.0).
5. To access the device for the first time, configure your Linux/Mac/Windows system with the following IP settings:
IP address: 192.168.9.11
Netmask: 255.255.255.0
Tip: On Linux hosts you can configure a virtual interface as shown:
Note: The "pwnie" system account is a standard user with sudo privileges. Most of the system commands and pentesting tools referenced in this manual must be run as root, as indicated by a hash tag (#) preceding the command. Once logged in as "pwnie", you can sudo to root as follows:
$ sudo su -
Setup page
System Authentication
1. Click "Setup" on the top menu.
2. Click "System Authentication".
3. Enter a new password for the "pwnie" user into both fields and click "Change password".
Note: This will change the password for the 'pwnie' UI user and the 'pwnie' system (Linux/SSH) account. Pwnix UI authentication is integrated with Linux PAM, allowing the UI and system passwords to be synced for the "pwnie" user.
4. Click "Logout" on the top menu to re-authenticate with your new credentials.
Tip: You can also set the "pwnie" user's password via the command line, as shown:
# passwd pwnie
Please note that if you change the password from the command line it will change the Pwnix UI password as well.
Network Config
1. Click "Setup" on the top menu.
2. Click "Network Config".
3. The device's onboard network interfaces are displayed under "Current Network Settings". By default, the Pwn Plug R2 ships with the following interfaces:
• eth0 - The right-most Ethernet jack on the rear of the unit (configured for DHCP by default)
• eth0:1 - The virtual default interface for initial access (192.168.9.10/24 by default)
• eth1 - The right-most Ethernet jack on the rear of the unit
• wlan0 - The onboard 802.11 wireless adapter (DOWN by default)
4. To change the device's host name, enter a new host name and click "Change hostname".
Tip: After changing the hostname, log out of any active terminal sessions to update your terminal prompt.
5. To configure NTP Servers, enter 3-7 NTP Servers and click "Configure NTP".
6. To change the IP configuration for eth0, click the "Configure" link in the adapter table.
• eth0 is configured for DHCP by default. To set a static IP for eth0, select "Static Config", enter a new IP address, network mask, default gateway, and primary DNS server and click "Apply static IP settings". Note: After the device's IP address is changed, reconnect to the UI using the newly assigned IP address.
• To set eth0 to acquire network settings from a DHCP server instead (recommended), click "Enable" on the DHCP Tab. Note: After switching to DHCP, you'll need to access the device via the virtual default interface (192.168.9.10) or via local serial console to determine the new IP address assigned by DHCP. Once the new DHCP-assigned IP address is known, reconnect to the UI using the newly assigned IP address.
• To change the eth0 interface MAC address, enter a new MAC and click "Change MAC". Note that the eth0 MAC address will always revert back to the hardware default after a reboot.
Tip: The virtual default interface (192.168.9.10) can be shut down by running the following at the SSH or serial console command line.
# ifdown eth0:1
2. Click "Reverse Shell Key".
3. This section shows the current root user SSH key used to establish the reverse shells.
4. (Optional) To generate a new key pair for the reverse shells, click "Generate".
Tip: If a key pair doesn't already exist, a new one will be automatically generated after enabling one or more reverse shells on the "Reverse Shells" page.
# /opt/pwnix/pwnix-scripts/cleanup.sh
Update Device
1. Click "Setup" on the top menu.
2. Under "Update Device", click the "Update Now" button.
Note: The device must have Internet access via ports 80 and 443 for the update to succeed.
3. The latest stable Pwnix release is downloaded and applied (typically 3-5 minutes). You will be redirected to the update log.
• The current Pwnix version can be viewed under the "System Details" tab
• The Pwnix Update log can be viewed under the "System Details" tab
Restart Device
1. Click "Setup" on the top menu.
2. Under "Restart Device", click the "Reboot Now" button.
3. The device will reboot immediately.
Services page
Passive Recon
1. Click "Services" on the top menu.
2. Click "Passive Recon".
3. Click "Enable" to start the passive recon service.
4. While enabled, the device will passively listen on eth0, recording HTTP requests, user-agents, cookies, OS guesses, and clear-text passwords to the following logs:
• HTTP requests: /var/log/pwnix/passive_recon/http.log
• OS guesses: /var/log/pwnix/passive_recon/p0f.log
• Clear-text passwords: /var/log/pwnix/passive_recon/dsniff.log
Tip: Passive Recon is most effective when the Pwnie device is in NAC Bypass / transparent bridging mode, or when connected to a switch monitor/SPAN port or network tap.
Tip: The Passive Recon service can also be enabled/disabled from the command line as follows:
To enable:
Evil AP
1. Ensure the wireless antenna is connected to the device.
2. Click "Services" on the top menu.
3. Click "Evil AP".
4. Click "Start Service".
5. Wireless clients will begin connecting to the AP, either automatically via preferred network lists or by direct AP association.
Tip: To view realtime Evil AP activity from the command line:
To disable:
Help page
This section covers basic UI interface usage. This user guide is more thorough.
1. On a staging/lab network, enable the desired reverse shells (see "Activating the reverse shells")
2. Configure a Backtrack 5 system to receive the reverse shells (see "Configuring Backtrack to receive the reverse shells")
3. Test the reverse shells in a lab / local LAN to confirm all shells are working as expected (see "Connecting to the reverse shells")
4. [Optional] Enable Stealth Mode (see "Using the Pwnix UI")
5. Deploy the device to your target network and watch your SSH receiver for incoming shells (see "Deploying to target network")
1. Open a terminal window on your shell receiver system and connect to any available "listening" Pwnie device shell as follows:
• Standard SSH: ssh pwnie@localhost -p 3333
• SSH Egress Buster: ssh pwnie@localhost -p 3334
• SSH over DNS: ssh pwnie@localhost -p 3335
• SSH over SSL: ssh pwnie@localhost -p 3336
• SSH over 3G/GSM: ssh pwnie@localhost -p 3337
• SSH over HTTP: ssh pwnie@localhost -p 3338
• SSH over ICMP: ssh pwnie@localhost -p 3339
1. Enter your plug's pwnie SSH user password and voila! You're now remotely connected to the device through the reverse shell.
2. Proceed to "Deploying to target network".
Standard SSH / SSH Egress Buster
Note: If there's no firewall between the plug and your shell receiver system, be sure the shell receiver system SSH server is listening on the ports you selected for the Standard Reverse SSH and SSH Egress Buster shells in the UI. For example, if you set port 31337 for Standard Reverse SSH, add the line "Port 31337" to /etc/ssh/sshd_config, then restart SSHd (/etc/init.d/ssh restart).
Tip: The SSH receiver address can be anonymized using the "Tor Hidden Service" feature as described here: http://www.securitygeneration.com/security/reverse-ssh-over-tor-on-the-pwnie-express/
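The note above has you add a "Port 31337" line to /etc/ssh/sshd_config on the receiver by hand. The shell function below is an added example and is not part of the Pwnie Express manual: it appends the Port directive only when no active (uncommented) directive for that port already exists, rejects non-numeric or out-of-range values, and works on whatever file path you give it, so it can be tried on a copy before the live config. The sample config contents are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the Pwnie Express manual. The receiver's sshd must
# listen on the port chosen in the Pwnix UI; this adds the "Port N" directive
# the manual describes without duplicating one that is already active.
# FILE is whatever sshd_config you point it at (a copy is a good first try).

# add_sshd_port FILE PORT
# Returns 0 when an active "Port PORT" line is present after the call
# (appended if needed); returns 1 for a non-numeric or out-of-range port.
add_sshd_port() {
    file="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;           # not a plain number
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    # An active directive (not commented out) for this port already exists.
    if grep -Eq "^[[:space:]]*Port[[:space:]]+${port}([[:space:]]|$)" "$file"; then
        return 0
    fi
    printf 'Port %s\n' "$port" >> "$file"
}

# count_sshd_ports FILE -> number of active Port directives in FILE
count_sshd_ports() {
    grep -Ec '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" || true
}

# Demo on a constructed sshd_config: "Port 22" active, "Port 2222" commented.
demo_sshd_ports() {
    tmp=$(mktemp)
    printf 'Port 22\n#Port 2222\nPermitRootLogin no\n' > "$tmp"
    add_sshd_port "$tmp" 31337          # appended
    add_sshd_port "$tmp" 31337          # already present: no duplicate
    count_sshd_ports "$tmp"             # prints 2
    rm -f "$tmp"
}

demo_sshd_ports
```

On the receiver this would be `add_sshd_port /etc/ssh/sshd_config 31337`, followed by the restart the manual gives; running `sshd -t` before the restart confirms the edited file still parses, so a typo does not leave the receiver without SSH.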
Special thanks to Sebastien J. of Security Generation for streamlining the SSH receiver setup process, and to Lance Honer for his resilient autossh script improvements.
1. Place your shell receiver system behind a public-facing firewall.
2. Configure the appropriate port forwarders on your firewall:
• Standard Reverse SSH: Forward the port selected in the UI to port 22 of your shell receiver.
• SSH over HTTP: Forward port 80 to port 80 of your shell receiver system.
• SSH over SSL: Forward port 443 to port 443 of your shell receiver system.
• SSH over DNS: Forward UDP port 53 to UDP port 53 of your shell receiver system.
• SSH over ICMP: Requires your shell receiver system to be directly connected to the Internet (no firewall).
• SSH over 3G: Forward the port selected in the UI to port 22 of your shell receiver system.
• SSH Egress Buster: Forward all ports selected in the UI to port 22 of your shell receiver system.
1. In the Pwnix UI ("Reverse Shells" page), configure the reverse shells to connect to your firewall's public IP address (or DNS name if available).
2. (Optional) Enable Stealth Mode.
3. You can now deploy the device to your target network. The device will automatically "phone home" to your shell receiver system, providing encrypted remote access to your target network.
Tip: In some environments you may wish to schedule a nightly reboot of the device to re-initiate all connections from the device side. This way, if some part of the connection process crashes on the device side (for example, sshd), the connection process will start "fresh" again after the reboot.
# rdesktop localhost
Sample environment
The steps below assume the following IP addresses/ranges. Substitute the addresses/ranges for your target and local (Backtrack) networks where appropriate.
• Target network (where the device is deployed): 172.16.1.0/24
• Local network (where the Backtrack SSH receiver is located): 192.168.1.0/24
• VPN network: 10.1.1.0/30
• Backtrack VPN address (tun0 interface): 10.1.1.1
• Pwnie device VPN address (tun0 interface): 10.1.1.2
• Assumes a reverse shell is currently established and listening on localhost:3333 (Standard Reverse SSH). Any active reverse shell can be used to carry the VPN tunnel (change "3333" where appropriate).
# ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
# route add -net 192.168.1.0/24 gw 10.1.1.2
2. On your Pwnie device (VPN server):
# /opt/pwnix/pwnix-scripts/Enable_SSH_VPN.sh
3. The SSH VPN tunnel should now be active.
4. On Backtrack, test connectivity to the target network through the VPN tunnel:
# ping 10.1.1.2
# ping 192.168.1.1 (or any remote machine on the target network)
# nmap -sP 192.168.1.*
5. To disable the VPN tunnel on the Backtrack side:
# /opt/pwnix/pwnix-scripts/Disable_SSH_VPN.sh
# ifconfig wlan0 up
3. Scan for access points in the area:
# iwlist scan
# dhclient wlan0
# airodump-ng wlan0
Note: The output of airodump-ng will only display properly within an SSH session (running airodump-ng from the serial console is not recommended).
3. When finished, press CTRL+C to exit.
4. To launch Kismet:
# kismet
5. Press ENTER 3 times, then TAB, then ENTER.
6. When finished, press CTRL+C to exit.
Tip: Certain wireless tools may leave the wireless adapter in a mode that's not compatible with other wireless tools. It's generally recommended to set the interface to a "down" state before running most wireless tools:
# ifconfig wlan0 up
# iwconfig wlan0 channel 6
# ifconfig wlan0 down
# aireplay-ng -e example --test wlan0
17:19:45  Waiting for beacon frame (ESSID: example) on channel 6
Found BSSID "00:13:10:9E:52:3D" to given ESSID "example".
17:19:45  Trying broadcast probe requests...
17:19:45  Injection is working!
17:19:46  Found 1 AP
3. To auto-crack all WEP-enabled access points on channel 6 using wepbuster:
Bluetooth
Using the Bluetooth adapter
1. Connect the SENA UD100 Bluetooth USB adapter to the device.
2. Confirm the output of the following commands:
# lsusb
Bus 001 Device 002: ID 0a12:0001 Cambridge Silicon Radio, Ltd Bluetooth Dongle (HCI mode)
# hciconfig hci1
hci1:   Type: BR/EDR  Bus: USB
        BD Address: XX:XX:XX:XX:XX:XX  ACL MTU: 310:10  SCO MTU: 64:8
        DOWN
        RX bytes:466 acl:0 sco:0 events:18 errors:0
        TX bytes:73 acl:0 sco:0 commands:17 errors:0
3. Enable the Bluetooth interface and set it to "Non-Discoverable":
4G/GSM cellular
Using the unlocked GSM adapter
The unlocked GSM adapter supports five GSM cell bands (HSDPA / GSM / UMTS / EDGE / GPRS) and is compatible with AT&T, T-mobile, Vodafone, Orange, and GSM carriers in over 160 countries.
GSM carriers in the Americas: http://en.wikipedia.org/wiki/List_of_mobile_network_operators_of_the_Americas
GSM carriers in Europe: http://en.wikipedia.org/wiki/List_of_mobile_network_operators_of_Europe
Note: Verizon, Sprint, Virgin Mobile, and other CDMA carrier SIMs will not work in the unlocked GSM adapter.
1. First, obtain a SIM card from the GSM cell provider of your choice. In the US, SIM cards from AT&T and T-mobile devices (including iPhones) are supported.
Note: The mobile service attached to the SIM card must have mobile broadband data service. Verify you can access the Internet from your phone using the SIM card before proceeding.
2. Slide open the plastic cover on the GSM adapter.
3. Insert your SIM card into the adapter with the notch positioned as shown by the line drawing on the SIM slot, with the SIM card contacts facing down.
Note: Many GSM phones, including the iPhone 4+, use a micro-SIM instead of a standard-sized SIM card. To fit these SIM cards into the GSM adapter, use the included micro-SIM card adapter.
4. Slide the plastic cover back onto the adapter.
5. Connect the GSM adapter to the device's USB port.
6. Confirm the GSM adapter is detected properly (note adapter detection may take 15-20 seconds):
# lsusb
Bus 003 Device 003: ID 12d1:1506 Huawei Technologies Co., Ltd. E398 LTE/UMTS/GSM Modem/Networkcard
7. To query the GSM modem for adapter details:
1. If you haven't done so already, complete the reverse shell setup steps (see "Activating the reverse shells" and "Configuring the SSH receiver").
2. In the "Reverse Shells" page in the UI, enable the "SSH over 3G/GSM" shell.
3. Configure the shell to connect to your firewall's public IP address (or DNS name if available).
4. Enter the destination port you'd like the Pwnie device to use for the SSH connection.
5. Select your 3G adapter from the drop-down list.
6. Click the "Configure all shells" button.
7. Configure your firewall to forward the port selected in the UI to port 22 on your Backtrack machine.
8. On the Backtrack SSH receiver, watch for the inbound SSH-over-3G connection:
The Metasploit binaries (msfconsole, msfcli, etc.) can be run from any directory. Simply type 'msfconsole' to launch the local Metasploit Console.
Login to msfgui using the credentials specified in /opt/pwnix/pwnix-config/services/msfrpcd.conf
Note: You may have to open msfgui more than once to get it to prompt you for a server. By default it starts an msfrpcd instance on the local Backtrack system.
cisco-global-exploiter, cryptcat, darkstat, dmitry, dns2tcp, dnsenum, dnstracer, dsniff, ettercap, fierce, fimap, fping, lbd, mdk3, metagoofil, miranda, miredo, nbtscan, netcat, netdiscover, ngrep, nikto, nmap, onesixtyone, sendEmail, sipcrack, sipsak, skipfish, smtp-user-enum, snmpcheck, socat, sqlmap, sqlninja, ssldump, sslscan, sslsniff
Pentesting Resources
• PTES: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
• Analysis of Metasploit relative to PTES: http://www.tinyurl.com/msf-ptes
• Metasploit Unleashed
Special thanks to Skip Duckwall and his 802.1x bridging research: http://8021xbridge.googlecode.com
Here's how it works:
1. First, the device is placed in-line between an 802.1x-enabled client PC and a wall jack or switch.
2. Using a modified layer 2 bridging module, the device transparently passes the 802.1x EAPOL authentication packets between the client PC and the switch.
3. Once the 802.1x authentication completes, the switch grants connectivity to the network.
4. The first outbound port 80 packet to leave the client PC provides the device with the PC's MAC/IP address and default gateway.
5. To avoid tripping the switch's port security, the device then establishes a reverse SSH connection using the MAC and IP address of the already authenticated client PC.
6. Once connected to the device's SSH console, you will have access to any internal subnets accessible by the client PC.
Tip: Since "NAC bypass mode" effectively turns the device into a transparent bridge, it can be used even where NAC/802.1x controls are not present on the target network.
Note: After rebooting you will no longer be able to directly connect to the device via the Pwnix UI or SSH.
5. Deploy the device to your target environment as follows:
• Connect the device to a power outlet.
• Wait at least 30 seconds for the device to fully boot into NAC bypass mode.
• Disconnect the client PC's Ethernet cable from the wall jack.
• Connect the device's primary Ethernet port (eth0) to the Ethernet wall jack.
Note: eth0 is the right-most Ethernet jack on the rear of the unit.
• Immediately connect the Ethernet-over-USB adapter (eth1) to the client PC.
Note: eth1 is the left-most Ethernet jack on the rear of the unit.
6. The client completes its normal 802.1x authentication process transparently through the device.
7. When the first outbound HTTP port 80 packet leaves the client PC, the reverse shell connection schedule will re-initiate automatically.
On the Pwn Plug:
a. # tcpdump -nnei eth0 | egrep EAPOL
b. Look for outbound EAPOL packets. Example:
15:31:54.333292 00:0c:29:5c:74:48 > 01:80:c2:00:00:03, ethertype EAPOL (0x888e), length 60: EAPOL start
Tip: To manually force a link refresh from the command line:
# mii-tool -r eth0
# mii-tool -r eth1
1. Log into the device through a reverse shell or the serial console (see "Accessing the serial console").
2. Run the following command:
Stealth Mode
When enabled, stealth mode does the following:
• Disables IPv6 support (prevents noisy IPv6 broadcasting)
• Disables ICMP replies (won't respond to ping requests)
• Disables the UI (closes port 8443)
• Sets the local SSH server to listen on the loopback address only (closes port 22 to the outside)
• Still allows all reverse shells to function as expected
Important: Enabling stealth mode will prevent direct access to your Pwnie device's SSH server and Pwnix UI over the network. Once stealth mode is enabled, access to the device can only be obtained through a reverse shell or the local serial console. To enable Stealth Mode, run the following commands:
# killall dhclient
• Randomize your MAC address:
# macchanger -r eth0
• Disable ARP replies (careful! this may affect network connectivity):
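Stealth mode, as described in the list above, limits sshd to the loopback address and turns off IPv6 and ICMP replies. The shell below is an added example and is not the Pwnix stealth-mode script (which this manual does not reproduce): it checks an sshd_config for the loopback-only property and a sysctl-style file for the IPv6/ICMP settings, so you can confirm on the device what is still exposed, and prints the standard Linux sysctl keys that implement those two items. The sample config contents are constructed for the demonstration, and the assumption that these are the sysctl keys Pwnix uses is mine; the functions only read the files passed to them and change nothing on the live system.

```sh
#!/bin/sh
# Added example, not the Pwnix stealth-mode script. Checks whether config
# files already have the "loopback-only sshd" and "no IPv6 / no ICMP echo"
# properties that stealth mode describes. Reads only the files it is given.

# sshd_loopback_only FILE
# Returns 0 when at least one active ListenAddress is set and every one of
# them is a loopback address; returns 1 otherwise. No ListenAddress at all
# means sshd binds every interface, which is the exposed (weak) setting.
sshd_loopback_only() {
    addrs=$(sed -n 's/^[[:space:]]*ListenAddress[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1")
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        case "$a" in
            127.0.0.1|127.0.0.1:*|::1) ;;   # loopback forms sshd accepts
            *) return 1 ;;                    # anything else is reachable from the LAN
        esac
    done
    return 0
}

# stealth_sysctl
# Prints the sysctl lines (assumed here; the manual names the effect, not the
# keys) that disable IPv6 and stop the kernel answering ICMP echo requests.
stealth_sysctl() {
    printf '%s\n' \
        'net.ipv6.conf.all.disable_ipv6 = 1' \
        'net.ipv6.conf.default.disable_ipv6 = 1' \
        'net.ipv4.icmp_echo_ignore_all = 1'
}

# stealth_sysctl_missing FILE
# Prints each required key that FILE does not set to 1; empty output means
# the IPv6/ICMP part of stealth mode is already configured in that file.
stealth_sysctl_missing() {
    stealth_sysctl | while IFS='=' read -r key _; do
        key=$(printf '%s' "$key" | tr -d ' ')
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots in the ERE
        grep -Eq "^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$1" \
            || printf '%s\n' "$key"
    done
}

# Demo on constructed files: the exposed default beside the stealth form.
stealth_demo() {
    weak=$(mktemp); hard=$(mktemp); sys=$(mktemp)
    printf 'Port 22\n#ListenAddress 127.0.0.1\n' > "$weak"   # commented out: still exposed
    printf 'Port 22\nListenAddress 127.0.0.1\nListenAddress ::1\n' > "$hard"
    stealth_sysctl > "$sys"
    if sshd_loopback_only "$weak"; then w=loopback; else w=exposed; fi
    if sshd_loopback_only "$hard"; then h=loopback; else h=exposed; fi
    m=$(stealth_sysctl_missing "$sys" | wc -l | tr -d ' ')
    rm -f "$weak" "$hard" "$sys"
    printf 'weak=%s hard=%s sysctl_missing=%s\n' "$w" "$h" "$m"
}

stealth_demo
```

Run `sshd_loopback_only /etc/ssh/sshd_config` and `stealth_sysctl_missing /etc/sysctl.conf` on the device after enabling stealth mode; `netstat -lntup` (used later in this manual) is the independent check that nothing but the loopback listener remains.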
[15360.948868] usb 5-3: FTDI USB Serial Device converter now attached to ttyUSB0
If the serial interface is showing up as something other than "ttyUSB0" (such as ttyUSB1), adjust the "screen" command accordingly.
3. Press ENTER twice.
Tip: If a login/command prompt does not appear, or if you see a line of question marks or strange-looking characters, try pressing CTRL+C several times or disconnecting/reconnecting the mini-USB serial cable.
4. At the login prompt, login with the pwnie user account (default login is pwnie : pwnplug8000).
Tip: To exit a screen session, press CTRL+A, then backslash ( \ ), then Y.
# uname -r
• Show date/time:
# date
• Show filesystem disk usage (note your disk usage may vary):
# df -h
• Show CPU details:
# cat /proc/cpuinfo
• Show total memory:
# ifconfig eth0
• Show currently listening TCP/UDP services (note dhclient won't be present if not using DHCP):
# netstat -lntup
• Check syslog for errors, warnings, etc.:
# ruby -v
• Show Perl version:
# perl -v
# python -V