
Pwn Plug R2 User Manual

Copyright 2013 Pwnie Express. All rights reserved. Manual revision 07.23.2013

Note: The online version of this manual is maintained here: http://www.pwnieexpress.com/pages/documentation

Table of Contents:

Introduction
  Core features
  Hardware specs
  Legal disclaimers
Getting started
Using the Pwnix UI
  Accessing Pwnix UI
  Setup page
    System Authentication
    Network Config
    Reverse Shell Key
    Clean up History and Logs
    Update Device
    Restart Device
  Services page
    Passive Recon
    Evil AP
  Reverse Shells page
  System Details page
  Help page
Using the reverse shells
  Reverse shell overview
  Typical deployment scenario
  Activating the reverse shells
  Configuring Backtrack to receive the reverse shells
  Connecting to the reverse shells
  Deploying to target network
  Using SSH port forwarders on Backtrack
    Example 1: Connecting to remote RDP servers
    Example 2: Connecting to remote web servers
  Creating an SSH VPN
    Sample environment
    Activating the SSH VPN tunnel
Using the wireless hardware
  802.11 wireless
    Connecting to an open wifi network
    Running Airodump-ng & Kismet
    Packet injection & WEP cracking
    Wireless client de-authentication
  Bluetooth
    Using the Bluetooth adapter
  4G/GSM cellular
    Using the unlocked GSM adapter
    Connecting to the Internet via 3G
    Using the SSH-over-3G shell
Accessing the pentesting tools
  Accessing Metasploit
  Accessing Metasploit via msfrpcd
  Running additional pentesting tools
  Pentesting Resources
Using advanced features
  NAC/802.1x Bypass
    NAC Bypass overview
    Enabling NAC Bypass mode
    NAC Bypass troubleshooting
    Disabling NAC Bypass mode
  Stealth Mode
Maintaining your Pwnie device
  Updating the Pwnix software
  Accessing the local serial console
  Reviewing the Pwnix environment
  How to get support

Introduction
Introducing the Pwn Plug R2: a tightly-integrated penetration testing platform in a portable, shippable, plug-and-pwn form factor. With onboard high-gain wireless and dual-Ethernet, external high-gain Bluetooth, 4G/GSM cellular, more storage, and many software improvements, the Pwn Plug R2 is the enterprise pentester's dream tool.

Core features
• Onboard high-gain 802.11b/g/n wireless supporting packet injection
• Onboard dual Gigabit Ethernet for NAC bypass & network monitoring
• External high-gain Bluetooth adapter (up to 1000') supporting packet injection
• External unlocked 4G/GSM cellular adapter (SIM card not included)
• Automated wired NAC/802.1x/RADIUS bypass
• Simple web-based administration and in-product updates with "Pwnix UI"
• One-click Evil AP & Passive Recon services
• Maintains persistent reverse-SSH access to your target network
• Uses 6 different covert channels to tunnel through application-aware firewalls & IPS
• Supports HTTP proxies, SSH-VPN, & OpenVPN
• Out-of-band SSH access over 4G/GSM cell networks
• Runs Pwnix, a custom Debian distro based on Kali Linux (kali.org)
• OSS-based pentesting toolkit includes Metasploit, SET, Kismet, Aircrack-NG, SSLstrip, nmap, Hydra, w3af, Scapy, Ettercap, Bluetooth/VoIP/IPv6 tools, & many more
• Unpingable and no listening ports in stealth mode

Hardware specs
• Processor / RAM: 1.2GHz Armada-370 CPU / 1GB DDR3
• Disk storage: 32GB microSDHC (Class 10)
• Onboard wireless: High-gain 802.11b/g/n, packet injection & monitor mode, 8" external antenna
• Onboard I/O: 2x Gigabit Ethernet, 2x USB 3.0, serial console, microSD slot
• External high-gain Bluetooth adapter (up to 1000' range) supporting packet injection & monitor mode
• Optional support for Zigbee/Zwave, RFID, and Software-Defined Radios (SDR)
• Voltage: 110-240v (Adapters available)
• Power draw: 5 watts idle, 15 watts max
• Dimensions: 5.2" x 3.7" x 0.8"

Legal disclaimers
• All Rapid Focus Security, Inc. DBA Pwnie Express products are for legally authorized uses only. By using this product you agree to the terms of the Rapid Focus Security EULA: (http://pwnieexpress.com/pdfs/RFSEULA.pdf)
• This product contains both open source and proprietary software: Proprietary software is distributed under the terms of the Rapid Focus Security EULA: (http://pwnieexpress.com/pdfs/RFSEULA.pdf). Open source software is distributed under one or more of the following licenses:
  - GNU PUBLIC LICENSE (HTTP://WWW.GNU.ORG/LICENSES/GPL.HTML)
  - BSD-3-CLAUSE LICENSE (HTTP://WWW.OPENSOURCE.ORG/LICENSES/BSD-3-CLAUSE)
  - OPENSSL TOOLKIT DUAL LICENSE (HTTP://WWW.OPENSSL.ORG/SOURCE/LICENSE.HTML)
  - APACHE LICENSE, VERSION 2.0 (HTTP://WWW.APACHE.ORG/LICENSES/LICENSE-2.0.HTML)

• As with any software application, any downloads/transfers of this software are subject to export controls under the U.S. Commerce Department's Export Administration Regulations (EAR). By using this software you certify your complete understanding of and compliance with these regulations.

Getting started
1. Connect the provided wireless antenna to the SMA jack on the side of the device.
2. Connect the onboard Ethernet jack to a local network or switch.
3. Connect the AC adapter to a power source. The device will power on automatically.
4. The default device IP address is 192.168.9.10 (netmask 255.255.255.0).
5. To access the device for the first time, configure your Linux/Mac/Windows system with the following IP settings:
   IP address: 192.168.9.11
   Netmask: 255.255.255.0
   Tip: On Linux hosts you can configure a virtual interface as shown:

# ifconfig eth0:1 192.168.9.11/24

6. Confirm connectivity to the device by pinging it:

$ ping 192.168.9.10

7. You can now access the device through the Pwnix UI. Proceed to "Using the Pwnix UI" below.
   Tip: You can now also connect to the device via SSH (default login pwnie : pwnplug8000). From a Linux/Mac host, run the following command (for Windows users, we recommend the PuTTY SSH client):

$ ssh pwnie@192.168.9.10

Note: The "pwnie" system account is a standard user with sudo privileges. Most of the system commands and pentesting tools referenced in this manual must be run as root, as indicated by a hash sign (#) preceding the command. Once logged in as "pwnie", you can sudo to root as follows:

$ sudo su -

Using the Pwnix UI

Accessing Pwnix UI
1. Open a web browser and access the UI: https://[device_ip_address]:1443
   Tip: If accessing for the first time, the default URL is https://192.168.9.10:1443
2. The UI is SSL-enabled, but you will receive a warning as the certificate is self-signed.
3. At the login prompt, enter your username/password (default is pwnie : pwnplug8000)
4. The "Setup" page appears.
Important: We recommend changing the default "pwnie" user password as soon as possible. Proceed to "System Authentication" below.

Setup page
System Authentication
1. Click "Setup" on the top menu.
2. Click "System Authentication"
3. Enter a new password for the "pwnie" user into both fields and click "Change password".
   Note: This will change the password for the 'pwnie' UI user and the 'pwnie' system (Linux/SSH) account. Pwnix UI authentication is integrated with Linux PAM, allowing the UI and system passwords to be synced for the "pwnie" user.
4. Click "Logout" on the top menu to re-authenticate with your new credentials.
Tip: You can also set the "pwnie" user's password via the command line, as shown:

# passwd pwnie

Please note that if you change the password from the command line it will change the Pwnix UI password as well.

Network Config
1. Click "Setup" on the top menu.
2. Click "Network Config".
3. The device's onboard network interfaces are displayed under "Current Network Settings". By default, the Pwn Plug R2 ships with the following interfaces:
   • eth0 - The right-most Ethernet jack on the rear of the unit (configured for DHCP by default)
   • eth0:1 - The virtual default interface for initial access (192.168.9.10/24 by default)
   • eth1 - The other Ethernet jack on the rear of the unit
   • wlan0 - The onboard 802.11 wireless adapter (DOWN by default)
4. To change the device's host name, enter a new host name and click "Change hostname".
   Tip: After changing the hostname, log out of any active terminal sessions to update your terminal prompt.
5. To configure NTP servers, enter 3-7 NTP servers and click "Configure NTP".
6. To change the IP configuration for eth0, click the "Configure" link in the adapter table.
   • eth0 is configured for DHCP by default. To set a static IP for eth0, select "Static Config", enter a new IP address, network mask, default gateway, and primary DNS server and click "Apply static IP settings".
     Note: After the device's IP address is changed, reconnect to the UI using the newly assigned IP address.
   • To set eth0 to acquire network settings from a DHCP server instead (recommended), click "Enable" on the DHCP tab.
     Note: After switching to DHCP, you'll need to access the device via the virtual default interface (192.168.9.10) or via the local serial console to determine the new IP address assigned by DHCP. Once the new DHCP-assigned IP address is known, reconnect to the UI using the newly assigned IP address.
   • To change the eth0 interface MAC address, enter a new MAC and click "Change MAC". Note that the eth0 MAC address will always revert back to the hardware default after a reboot.
Tip: The virtual default interface (192.168.9.10) can be shut down by running the following at the SSH or serial console command line.

# ifdown eth0:1

Reverse Shell Key
1. Click "Setup" on the top menu.
2. Click "Reverse Shell Key"
3. This section shows the current root user SSH key used to establish the reverse shells.
4. (Optional) To generate a new key pair for the reverse shells, click "Generate".
Tip: If a key pair doesn't already exist, a new one will be automatically generated after enabling one or more reverse shells on the "Reverse Shells" page.

Clean up History and Logs
1. Click "Setup" on the top menu.
2. Under "Clean up Pwnix History and Logs", click the "Cleanup now" button.
3. This clears the root user's bash history, UI logs, and all logs in /var/log.
   Note: The bash history for any currently active root user sessions will be cleared at next logout.
Tip: The cleanup script can also be invoked from the command line as follows:

# /opt/pwnix/pwnix-scripts/cleanup.sh

Update Device
1. Click "Setup" on the top menu.
2. Under "Update Device", click the "Update Now" button.
   Note: The device must have Internet access via ports 80 and 443 for the update to succeed.
3. The latest stable Pwnix release is downloaded and applied (typically 3-5 minutes). You will be redirected to the update log.
   • The current Pwnix version can be viewed under the "System Details" tab
   • The Pwnix Update log can be viewed under the "System Details" tab

Restart Device
1. Click "Setup" on the top menu.
2. Under "Restart Device", click the "Reboot Now" button.
3. The device will reboot immediately.

Services page

Passive Recon
1. Click "Services" on the top menu.
2. Click "Passive Recon".
3. Click "Enable" to start the passive recon service.
4. While enabled, the device will passively listen on eth0, recording HTTP requests, user-agents, cookies, OS guesses, and clear-text passwords to the following logs:
   • HTTP requests: /var/log/pwnix/passive_recon/http.log
   • OS guesses: /var/log/pwnix/passive_recon/p0f.log
   • Clear-text passwords: /var/log/pwnix/passive_recon/dsniff.log
Tip: Passive Recon is most effective when the Pwnie device is in NAC Bypass / transparent bridging mode, or when connected to a switch monitor/SPAN port or network tap.
Tip: The Passive Recon service can also be enabled/disabled from the command line as follows:

To enable:

# service pwnix_passive_recon start
# update-rc.d pwnix_passive_recon defaults

To disable:

# service pwnix_passive_recon stop
# update-rc.d -f pwnix_passive_recon remove

Evil AP
1. Ensure the wireless antenna is connected to the device.
2. Click "Services" on the top menu.
3. Click "Evil AP".
4. Click "Start Service"
5. Wireless clients will begin connecting to the AP, either automatically via preferred network lists or by direct AP association.
Tip: To view realtime Evil AP activity from the command line:

# tail -f /var/log/pwnix/evilap.log

6. By default the device will function as a standard AP, transparently routing all client Internet requests through the wired interface (eth0).
Tip: The Evil AP service can also be enabled/disabled from the command line as follows:

To enable:

# service pwnix_evil_ap start
# update-rc.d pwnix_evil_ap defaults

To disable:

# service pwnix_evil_ap stop
# update-rc.d -f pwnix_evil_ap remove

Tip: The Evil AP interface and SSID can be customized in /opt/pwnix/pwnix-config/services/evil_ap.conf

Reverse Shells page
See section "Using the reverse shells" for details on this feature.

System Details page
This section displays the device's software release level, system logs, disk usage, etc.

Help page
This section covers basic UI interface usage. This user guide is more thorough.

Using the reverse shells

Reverse shell overview
• All Pwnie devices include aggressive reverse tunneling capabilities for persistent remote SSH access.
• SSH over HTTP, HTTPS/SSL, DNS, ICMP, and other covert tunneling options are available for traversing strict firewall rules, web filters, & application-aware IPS.
• All tunnels are encrypted via SSH and will maintain access wherever the device has an Internet connection - including wired, wireless, and 4G/GSM where available.

Typical deployment scenario
1. On a staging/lab network, enable the desired reverse shells (see "Activating the reverse shells")
2. Configure a Backtrack 5 system to receive the reverse shells (see "Configuring Backtrack to receive the reverse shells")
3. Test the reverse shells in a lab / local LAN to confirm all shells are working as expected (see "Connecting to the reverse shells")
4. [Optional] Enable Stealth Mode (see "Using the Pwnix UI")
5. Deploy the device to your target network and watch your SSH receiver for incoming shells (see "Deploying to target network")

Activating the reverse shells
1. Log into the Pwnix UI.
2. Click "Reverse Shells" on the top menu.
3. Select the name of the shell you wish to configure.
   Tip: To best maintain persistent remote access, enable all of the reverse shells.
4. Enter the SSH shell receiver IP address or DNS name for each selected reverse shell. The device will connect to this shell receiver system to establish the reverse shell connections.
5. Choose how often the reverse shell connection should be attempted. By default, a shell connection will be attempted every minute (recommended).
   Note: To use an HTTP proxy for the "SSH over HTTP Tunnel", enable the "Use HTTP Proxy" checkbox and enter the proxy server address and port (and optionally, proxy server credentials).
   Note: The HTTP proxy auth password is stored in clear text in /opt/pwnix/pwnix-scripts/script_configs
6. Click "Configure" at the bottom of each form to apply your changes.
   Note: The following SSH client config directives (/etc/ssh/ssh_config) are set on all devices to allow for automation of reverse shell connections. Be sure you understand the security implications of these settings before connecting to other SSH servers from the device: together they disable host key verification for every outbound SSH connection the device makes, so a man-in-the-middle between the device and any SSH server it connects to (the receiver included) will not be detected.
   StrictHostKeyChecking no
   UserKnownHostsFile /dev/null
7. Proceed to configure your shell receiver.
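The two directives above trade host key verification for unattended operation on every connection the device makes. The script below is an added example, not part of the Pwnie Express manual or the Pwnix software: it audits an ssh_config for those directives when they are set globally (before any Host/Match block) and emits a replacement that keeps the reverse shells non-interactive by pinning the receiver's host key instead of ignoring it. The receiver name receiver.example, the pinned-key file /etc/ssh/receiver_known_hosts and the sample config text are assumptions made for this example.

```bash
#!/bin/sh
# Added example, not part of the Pwnie Express manual or the Pwnix software.
# Audits an OpenSSH client config (ssh_config text on stdin) for the two
# automation directives set globally, and emits a config that pins the
# receiver's host key instead. Assumed names: "receiver.example" is the shell
# receiver, /etc/ssh/receiver_known_hosts is a file you seed with its host key.

# Print one line per risky directive: "GLOBAL <directive>" when it appears
# before any Host/Match block (so it applies to every connection),
# "SCOPED <directive>" when it sits inside a Host/Match block.
audit_ssh_config() {
    awk '
        BEGIN { scope = "GLOBAL" }
        { line = tolower($0) }
        line ~ /^[ \t]*(host|match)[ \t]/ { scope = "SCOPED"; next }
        line ~ /^[ \t]*stricthostkeychecking[ \t=]+no[ \t]*$/ { print scope " StrictHostKeyChecking" }
        line ~ /^[ \t]*userknownhostsfile[ \t=]+\/dev\/null[ \t]*$/ { print scope " UserKnownHostsFile" }
    '
}

# Number of risky directives that apply to every host (0 is the goal).
global_risky_count() {
    audit_ssh_config | awk '/^GLOBAL/ { n++ } END { print n + 0 }'
}

# Emit a config that keeps the reverse shells non-interactive (a pinned key
# never prompts) while every other host keeps normal host key checking.
# $1 = receiver hostname or IP exactly as entered on the Reverse Shells page.
scoped_ssh_config() {
    printf '%s\n' \
        "# Reverse shell receiver: verify against a pinned key, never prompt" \
        "Host $1" \
        "    StrictHostKeyChecking yes" \
        "    UserKnownHostsFile /etc/ssh/receiver_known_hosts" \
        "" \
        "# Everything else: OpenSSH defaults (prompt on unknown key, fail on change)" \
        "Host *" \
        "    StrictHostKeyChecking ask"
}

# Constructed sample of the shipped configuration the manual describes.
SHIPPED_SSH_CONFIG='# /etc/ssh/ssh_config (constructed sample)
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
Host *
    SendEnv LANG LC_*'
```

Seed the pinned file once from a trusted network (for example `ssh-keyscan receiver.example > /etc/ssh/receiver_known_hosts`) and confirm the fingerprint out of band before deploying; every hostname or address the device uses to reach the receiver needs its own entry in that file and on the Host line. `printf '%s\n' "$SHIPPED_SSH_CONFIG" | audit_ssh_config` reports both directives as GLOBAL for the shipped file, and `scoped_ssh_config receiver.example | global_risky_count` prints 0.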

Configuring Backtrack to receive the reverse shells
A Backtrack 5 system (Backtrack 5 R3 recommended) can serve as the SSH tunnel "receiver". The Pwn Plug will connect to this system when initiating the reverse shell connections.
Note: These steps assume you're using Backtrack 5 R3 as your SSH receiver. Older Backtrack distributions may be used, but different steps may apply.
1. Place your Pwnie device and the Backtrack system on the same local network/subnet
2. Login to the Backtrack system and open Firefox
3. Connect to the UI: https://[device_ip_address]:1443
4. Login to the UI when prompted.
5. Click "Reverse Shells" on the top menu.
6. Click the "Generate Backtrack config" link at the top of the page (under step 5) to download the "backtrack_receiver.sh" script.
7. Save the script file (backtrack_receiver.sh) into the root user's home directory (selected by default)
8. Open a terminal window and enter the following commands:

# cd
# chmod +x backtrack_receiver.sh
# ./backtrack_receiver.sh

9. The script auto-configures and starts the reverse shell listeners on Backtrack.
10. When prompted, enter the desired certificate information for the stunnel SSL certificate (or just press ENTER to accept the defaults)
11. Once the auto-config script completes you will see:
    [+] Setup Complete.
    [+] Press ENTER to listen for incoming connections..
12. Press ENTER to watch for incoming device connections. Each reverse shell will attempt to connect using the interval you specified in the UI.
Tip: You can list all active device connections at any time by typing:

# netstat -lntup4 | grep 333

13. Proceed to "Connecting to the reverse shells".

Connecting to the reverse shells
1. Open a terminal window on your shell receiver system and connect to any available "listening" Pwnie device shell as follows:
   - Standard SSH: ssh pwnie@localhost -p 3333
   - SSH Egress Buster: ssh pwnie@localhost -p 3334
   - SSH over DNS: ssh pwnie@localhost -p 3335
   - SSH over SSL: ssh pwnie@localhost -p 3336
   - SSH over 4G/GSM: ssh pwnie@localhost -p 3337
   - SSH over HTTP: ssh pwnie@localhost -p 3338
   - SSH over ICMP: ssh pwnie@localhost -p 3339
2. Enter your plug's pwnie SSH user password and voila! You're now remotely connected to the device through the reverse shell.
3. Proceed to "Deploying to target network"

Standard SSH / SSH Egress Buster
Note: If there's no firewall between the plug and your shell receiver system, be sure the shell receiver system's SSH server is listening on the ports you selected for the Standard Reverse SSH and SSH Egress Buster shells in the UI. For example, if you set port 31337 for Standard Reverse SSH, add the line "Port 31337" to /etc/ssh/sshd_config, then restart SSHd (/etc/init.d/ssh restart).
Tip: The SSH receiver address can be anonymized using the "Tor Hidden Service" feature as described here: http://www.securitygeneration.com/security/reverse-ssh-over-tor-on-the-pwnie-express/

Special thanks to Sebastien J. of Security Generation for streamlining the SSH receiver setup process, and to Lance Honer for his resilient autossh script improvements.
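Each reverse shell arrives on the receiver as a local listener on one of the ports listed above, and those listeners should be bound to loopback only: a listener on 0.0.0.0 (which is what a receiver sshd with GatewayPorts enabled produces) hands the device's SSH login to anyone who can reach the receiver. The script below is an added example, not part of the manual or of backtrack_receiver.sh: it reads `netstat -lntp` output, maps each reverse shell port to the shell behind it, flags listeners bound to a non-loopback address, and builds the matching ssh command. The netstat sample inside it is constructed for the example.

```bash
#!/bin/sh
# Added example, not part of the Pwnie Express manual or backtrack_receiver.sh.
# On the shell receiver, map the loopback listeners that the receiver script
# opens (3333-3339, the defaults listed above) back to the reverse shell behind
# each one, and flag any that are bound to a non-loopback address. Reads
# `netstat -lntp` output on stdin; the sample at the bottom is constructed.

shell_name() {   # $1 = local listening port -> reverse shell type
    case "$1" in
        3333) echo "Standard SSH" ;;
        3334) echo "SSH Egress Buster" ;;
        3335) echo "SSH over DNS" ;;
        3336) echo "SSH over SSL" ;;
        3337) echo "SSH over 3G/GSM" ;;
        3338) echo "SSH over HTTP" ;;
        3339) echo "SSH over ICMP" ;;
        *)    return 1 ;;            # not a reverse shell port
    esac
}

# Print "<port> loopback" or "<port> EXPOSED:<addr>" for each reverse shell
# port in LISTEN state, lowest port first. Other listeners are ignored.
active_shells() {
    awk '$1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port !~ /^333[3-9]$/) next
            if (addr == "127.0.0.1" || addr == "::1") where = "loopback"
            else where = "EXPOSED:" addr
            print port " " where
         }' | sort -n
}

# Build the ssh command for one listener, refusing ports that are not shells.
connect_cmd() {
    name=$(shell_name "$1") || { echo "port $1 is not a reverse shell listener" >&2; return 1; }
    printf 'ssh pwnie@localhost -p %s   # %s\n' "$1" "$name"
}

# Constructed `netstat -lntp` sample: two shells up, one of them mis-bound.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3333          0.0.0.0:*               LISTEN      2140/sshd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      911/sshd
tcp        0      0 0.0.0.0:3338            0.0.0.0:*               LISTEN      2201/sshd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1870/iodined'
```

On a live receiver run `netstat -lntp | active_shells`; the constructed sample yields `3333 loopback` and `3338 EXPOSED:0.0.0.0`, and `connect_cmd 3333` prints the Standard SSH command from the list above. An EXPOSED line means the receiver's sshd is accepting forwarded listeners on all interfaces (GatewayPorts), which should be turned off before the device leaves the lab.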

Deploying to target network
1. Place your shell receiver system behind a public-facing firewall.
2. Configure the appropriate port forwarders on your firewall:
   • Standard Reverse SSH: Forward the port selected in the UI to port 22 of your shell receiver.
   • SSH over HTTP: Forward port 80 to port 80 of your shell receiver system
   • SSH over SSL: Forward port 443 to port 443 of your shell receiver system
   • SSH over DNS: Forward UDP port 53 to UDP port 53 of your shell receiver system
   • SSH over ICMP: Requires your shell receiver system to be directly connected to the Internet (no firewall).
   • SSH over 3G: Forward the port selected in the UI to port 22 of your shell receiver system
   • SSH Egress Buster: Forward all ports selected in the UI to port 22 of your shell receiver system
3. In the Pwnix UI ("Reverse Shells" page), configure the reverse shells to connect to your firewall's public IP address (or DNS name if available).
4. (Optional) Enable Stealth Mode
5. You can now deploy the device to your target network. The device will automatically "phone home" to your shell receiver system, providing encrypted remote access to your target network.
Tip: In some environments you may wish to schedule a nightly reboot of the device to re-initiate all connections from the device side. This way, if some part of the connection process crashes on the device side (for example, sshd), the connection process will start "fresh" again after the reboot.
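The forwarding table above is easy to get wrong on a firewall that is itself Linux: the DNS channel is UDP, the ICMP channel cannot be forwarded at all, and the Egress Buster needs one rule per UI port. The function below is an added example, not from the manual, that encodes the table as iptables DNAT plus FORWARD rules and prints them for review instead of applying them. WAN (the firewall's public-facing interface) and RECEIVER (the receiver's internal address) are variables assumed for the example; the shell type names are shorthand chosen here, not UI labels.

```bash
#!/bin/sh
# Added example, not part of the Pwnie Express manual. Turns the port-forwarding
# table above into iptables rules for a Linux firewall in front of the shell
# receiver. Rules are printed for review rather than applied. Assumed names:
# WAN is the firewall's public-facing interface, RECEIVER the receiver's
# internal address; set both before calling forward_rules.
WAN=${WAN:-eth0}
RECEIVER=${RECEIVER:-10.0.0.5}

# forward_rules SHELL [UI_PORT...]
#   standard|3g|egress  -> each UI port to receiver port 22 (egress takes many)
#   http|ssl|dns        -> fixed ports 80/443/53 (dns is UDP); UI ports ignored
#   icmp                -> cannot be forwarded; returns 2 with an explanation
forward_rules() {
    shell=$1; shift
    proto=tcp
    case "$shell" in
        standard|3g|egress) dst=22 ;;
        http) dst=80;  set -- 80 ;;
        ssl)  dst=443; set -- 443 ;;
        dns)  dst=53;  set -- 53; proto=udp ;;
        icmp) echo "# SSH over ICMP: receiver must be directly reachable, nothing to forward"; return 2 ;;
        *)    echo "unknown shell type: $shell" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "$shell: at least one UI port is required" >&2; return 1; }
    for p in "$@"; do
        # Reject anything that is not a 1-65535 integer before it reaches iptables.
        case "$p" in ''|*[!0-9]*) echo "bad port: '$p'" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
        # Rewrite the destination on the way in, then let the rewritten flow through.
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$WAN" "$proto" "$p" "$RECEIVER" "$dst"
        printf 'iptables -A FORWARD -i %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$WAN" "$proto" "$RECEIVER" "$dst"
    done
}
```

With `WAN=eth0 RECEIVER=192.168.1.20`, `forward_rules standard 31337` emits the pair of rules for a Standard Reverse SSH port of 31337, `forward_rules egress 80 443 8080` emits one pair per Egress Buster port, and `forward_rules dns` switches to UDP 53. The FORWARD rule assumes the firewall already accepts ESTABLISHED,RELATED traffic and has a default DROP policy on FORWARD; if the HTTP or SSL channel shares the firewall's public address with a real web server, those two forwards cannot coexist with it.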

Using SSH port forwarders on Backtrack

Example 1: Connecting to remote RDP servers
1. On Backtrack:

# ssh pwnie@localhost -p XXXX -L 3389:xxx.xxx.xxx.xxx:3389

   ... where "XXXX" is the local listening port of an active reverse shell (such as 3333 for standard reverse SSH), and where "xxx.xxx.xxx.xxx" is the IP address of an RDP target system on the remote network your Pwnie device is physically connected to.
2. Login to the device when prompted.
3. Connect to the remote RDP server through the SSH tunnel by using "localhost":

# rdesktop localhost

Example 2: Connecting to remote web servers
1. On Backtrack:

# ssh pwnie@localhost -p XXXX -D 8080

   ... where "XXXX" is the local listening port of an active reverse shell (such as 3333 for standard reverse SSH).
2. Login to your Pwnie device when prompted.
3. Open Firefox and configure it to use localhost on port 8080 as a SOCKS v5 proxy. Note that `ssh -D` opens a SOCKS proxy, not an HTTP proxy; enabling Firefox's remote DNS option for SOCKS v5 makes name lookups for internal hosts happen on the device side as well.
4. You can now connect to any web server on the remote network by entering the IP address or URL into Firefox.

Creating an SSH VPN
OpenSSH server supports SSH-based VPN tunnelling through any active reverse shell, allowing transparent (albeit slow) access to your target network from your Backtrack machine. This is mainly useful when the need arises for a GUI-based or third-party pentesting tool, such as BurpSuite, Nessus, Remote Desktop client, etc.

Sample environment
The steps below assume the following IP addresses/ranges. Substitute the addresses/ranges for your target and local (Backtrack) networks where appropriate.
• Target network (where the device is deployed): 172.16.1.0/24
• Local network (where the Backtrack SSH receiver is located): 192.168.1.0/24
• VPN network: 10.1.1.0/30
• Backtrack VPN address (tun0 interface): 10.1.1.1
• Pwnie device VPN address (tun0 interface): 10.1.1.2
• Assumes a reverse shell is currently established and listening on localhost:3333 (Standard Reverse SSH). Any active reverse shell can be used to carry the VPN tunnel (change "3333" where appropriate).

Activating the SSH VPN tunnel
1. On Backtrack (VPN client):

# ssh -f -w 0:0 localhost -p 3333 true

   (Login to the device as root when prompted)

# ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
# route add -net 172.16.1.0/24 gw 10.1.1.2

2. On your Pwnie device (VPN server):

# /opt/pwnix/pwnix-scripts/Enable_SSH_VPN.sh

3. The SSH VPN tunnel should now be active.
4. On Backtrack, test connectivity to the target network through the VPN tunnel:

# ping 10.1.1.2
# ping 172.16.1.1 (or any remote machine on the target network)
# nmap -sP 172.16.1.*

5. To disable the VPN tunnel on the Backtrack side:

# ifconfig tun0 down

6. To disable the VPN tunnel on your Pwnie device:

# /opt/pwnix/pwnix-scripts/Disable_SSH_VPN.sh

Using the wireless hardware

802.11 wireless
Connecting to an open wifi network
1. Set the wireless interface to managed mode:

# iwconfig wlan0 mode managed

2. Bring up the interface:

# ifconfig wlan0 up

3. Scan for access points in the area:

# iwlist wlan0 scan

4. Associate with an access point with SSID "example" on channel 6:

# iwconfig wlan0 essid "example"
# iwconfig wlan0 channel 6

5. Restart the interface:

# ifconfig wlan0 down
# ifconfig wlan0 up

6. Acquire a DHCP address:

# dhclient wlan0

Running Airodump-ng & Kismet
1. Bring down the interface:

# ifconfig wlan0 down

2. To launch airodump-ng:

# airodump-ng wlan0

   Note: The output of airodump-ng will only display properly within an SSH session (running airodump-ng from the serial console is not recommended).
3. When finished, press CTRL+C to exit
4. To launch Kismet:

# kismet

5. Press ENTER 3 times, then TAB, then ENTER
6. When finished, press CTRL+C to exit
Tip: Certain wireless tools may leave the wireless adapter in a mode that's not compatible with other wireless tools. It's generally recommended to set the interface to a "down" state before running most wireless tools:

# ifconfig wlan0 down

Packet injection & WEP cracking
1. To run a simple packet injection test, execute the following commands. This example assumes a WEP-enabled access point on channel 6 with SSID "example" is within range of the device.

# ifconfig wlan0 up
# iwconfig wlan0 channel 6
# ifconfig wlan0 down
# aireplay-ng -e example --test wlan0

2. Look for the following output:

17:19:45 Waiting for beacon frame (ESSID: example) on channel 6
Found BSSID "00:13:10:9E:52:3D" to given ESSID "example".
17:19:45 Trying broadcast probe requests...
17:19:45 Injection is working!
17:19:46 Found 1 AP

3. To auto-crack all WEP-enabled access points on channel 6 using wepbuster:

# ifconfig wlan0 down
# wepbuster 6

Tip: WEP cracking performance is dependent on the amount of wireless client traffic being generated on the target wifi network. The more traffic on the wireless network, the faster the cracking process.

Wireless client de-authentication
1. This example assumes the target access point is on channel 6:

# iwconfig wlan0 channel 6

2. In one terminal, start airodump-ng:

# airodump-ng --bssid <MAC of target AP> -c 6 wlan0

3. Then, in a second terminal, start the client de-authentication:

# aireplay-ng -0 0 -a <MAC of target AP> -c <MAC of target client> wlan0

Bluetooth
Using the Bluetooth adapter
1. Connect the SENA UD100 Bluetooth USB adapter to the device.
2. Confirm the output of the following commands:

# lsusb
Bus 001 Device 002: ID 0a12:0001 Cambridge Silicon Radio, Ltd Bluetooth Dongle (HCI mode)

# hciconfig hci1
hci1:   Type: BR/EDR  Bus: USB
        BD Address: XX:XX:XX:XX:XX:XX  ACL MTU: 310:10  SCO MTU: 64:8
        DOWN
        RX bytes:466 acl:0 sco:0 events:18 errors:0
        TX bytes:73 acl:0 sco:0 commands:17 errors:0

3. Enable the Bluetooth interface and set it to "Non-Discoverable":

# hciconfig hci1 up
# hciconfig hci1 noscan

4. To scan for remote Bluetooth devices:

# hcitool -i hci1 scan --flush --info --class

5. To ping the address of a remote Bluetooth device:

# l2ping -i hci1 XX:XX:XX:XX:XX:XX

6. To dump Bluetooth packets:

# hcidump -i hci1 -t -X

7. To pair with a remote Bluetooth device:

# bluez-simple-agent hci1 XX:XX:XX:XX:XX:XX

IMPORTANT: Before disconnecting the USB Bluetooth adapter, always set the interface to a DOWN state first by running the command below. Disconnecting the adapter while the interface is UP may cause a system crash.

# hciconfig hci1 down

4G/GSM cellular
Using the unlocked GSM adapter
The unlocked GSM adapter supports five GSM cell bands (HSDPA / GSM / UMTS / EDGE / GPRS) and is compatible with AT&T, T-mobile, Vodafone, Orange, and GSM carriers in over 160 countries.

GSM carriers in the Americas: http://en.wikipedia.org/wiki/List_of_mobile_network_operators_of_the_Americas
GSM carriers in Europe: http://en.wikipedia.org/wiki/List_of_mobile_network_operators_of_Europe
Note: Verizon, Sprint, Virgin Mobile, and other CDMA carrier SIMs will not work in the unlocked GSM adapter.
1. First, obtain a SIM card from the GSM cell provider of your choice. In the US, SIM cards from AT&T and T-mobile devices (including iPhones) are supported.
   Note: The mobile service attached to the SIM card must have mobile broadband data service. Verify you can access the Internet from your phone using the SIM card before proceeding.
2. Slide open the plastic cover on the GSM adapter.
3. Insert your SIM card into the adapter with the notch positioned as shown by the line drawing on the SIM slot, with the SIM card contacts facing down.
   Note: Many GSM phones, including the iPhone 4+, use a micro-SIM instead of a standard-sized SIM card. To fit these SIM cards into the GSM adapter, use the included micro-SIM card adapter.
4. Slide the plastic cover back onto the adapter.
5. Connect the GSM adapter to the device's USB port.
6. Confirm the GSM adapter is detected properly (note adapter detection may take 15-20 seconds):

# lsusb
Bus 003 Device 003: ID 12d1:1506 Huawei Technologies Co., Ltd. E398 LTE/UMTS/GSM Modem/Networkcard

7. To query the GSM modem for adapter details:

# gsmctl -d /dev/ttyUSB0 me

Note: If the command returns "SIM failure", the SIM card is either missing or not inserted properly.
Tip: If the modem does not respond on /dev/ttyUSB0 after 10 seconds, try /dev/ttyUSB1, /dev/ttyUSB2, or /dev/ttyUSB3
8. To list cellular operators in range:

# gsmctl -d /dev/ttyUSB0 op

9. To show the currently attached operator:

# gsmctl -d /dev/ttyUSB0 currop

10. To show signal strength of the current operator connection:

# gsmctl -d /dev/ttyUSB0 sig

11. To check PIN status (READY = No PIN set):

# gsmctl -d /dev/ttyUSB0 pin

12. To send a text message:

# gsmsendsms -d /dev/ttyUSB0 <destination 11-digit cell number> "Test"

13. To make an outbound phone call:

# gsmctl -d /dev/ttyUSB0 -o dial <11-digit phone number>

Connecting to the Internet via 3G
1. Call the appropriate pppd dialup script:

For the unlocked GSM adapter:

# pppd nodetach call e160 &

For the Verizon / Virgin Mobile adapters:

# pppd nodetach call 1xevdo &

For the T-mobile Rocket 4G adapter:

# pppd nodetach call tmobile &

2. Assuming a 3G cellular data signal is available, the adapter will establish an Internet connection within 10-20 seconds. Once connected, you will see a solid LED on the top of the adapter.
3. [Optional] Reset the default route to use the 3G interface (ppp0):

# route del default
# route add default ppp0

4. Test 3G Internet connectivity:

# ping google.com
# traceroute google.com

5. To close the 3G connection and restore Internet connectivity on eth0:

# killall -s SIGHUP pppd
# ifdown eth0 && ifup eth0

Using the SSH-over-3G shell
The SSH-over-3G reverse shell provides secure, out-of-band access to your Pwnie device wherever a 3G cellular data signal is available. While this bypasses your target network's perimeter, a reverse shell is still recommended: many cell carriers do not assign public IP addresses to 3G data access devices.

1. If you haven't done so already, complete the reverse shell setup steps (see "Activating the reverse shells" and "Configuring Backtrack to receive the reverse shells")
2. In the "Reverse Shells" page in the UI, enable the "SSH over 3G/GSM" shell.
3. Configure the shell to connect to your firewall's public IP address (or DNS name if available).
4. Enter the destination port you'd like the Pwnie device to use for the SSH connection.
5. Select your 3G adapter from the drop-down list.
6. Click the "Configure all shells" button.
7. Configure your firewall to forward the port selected in the UI to port 22 on your Backtrack machine.
8. On the Backtrack SSH receiver, watch for the inbound SSH-over-3G connection:

# watch -d 'netstat -lntup4 | grep 3337'

9. Once the connection appears, connect to your Pwnie device as shown:

# ssh pwnie@localhost -p 3337

10. Enter your Pwnie device SSH user password and voila! You're now remotely connected to the device through the reverse shell.. over 3G!
Note: The 3G connection will be released and reconnected at the selected retry interval until a reverse SSH tunnel is established.

Accessing the pentesting tools

Accessing Metasploit
The Metasploit binaries (msfconsole, msfcli, etc.) can be run from any directory. Simply type 'msfconsole' to launch the local Metasploit Console.

Accessing Metasploit via msfrpcd
The msfrpcd service can be customized by editing the file /opt/pwnix/pwnix-config/services/msfrpcd.conf:

# nano /opt/pwnix/pwnix-config/services/msfrpcd.conf

To restart the msfrpcd service:

# service pwnix_msfrpc restart

To access the msfrpcd service from a remote host, you will need a "front-end" application. We suggest using Backtrack for this. Log into Backtrack with your credentials, and run the following from the command line:

# startx
# cd /opt/metasploit
# ./diagnostic_shell
# ./msf3/msfgui

Login to msfgui using the credentials specified in /opt/pwnix/pwnix-config/services/msfrpcd.conf
Note: You may have to open msfgui more than once to get it to prompt you for a server. By default it starts an msfrpcd instance on the local Backtrack system.

Running additional pentesting tools


Thanks to the rock stars at the Kali Linux project (kali.org), all of the pentesting tools below are pre-installed as Debian packages and can be run from any path on the system:

aircrack-ng amap arp-scan arping bed bluelog bluez cisco-auditing-tool
cisco-global-exploiter cryptcat darkstat dmitry dns2tcp dnsenum dnstracer dsniff ettercap fierce fimap fping
gpsd grabber hping3 httptunnel hydra iodine john kismet
lbd mdk3 metagoofil miranda miredo nbtscan netcat netdiscover ngrep nikto nmap onesixtyone
p0f pingtunnel plecost proxychains proxytunnel redfang scapy se-toolkit
sendEmail sipcrack sipsak skipfish smtp-user-enum snmpcheck socat sqlmap sqlninja ssldump sslscan sslsniff
sslstrip stunnel tcpflow thc-ipv6 theharvester tinyproxy ubertooth udptunnel
ussp-push waffit wapiti weevely wepbuster wifitap wifite xprobe2

Pentesting Resources

• PTES: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
• Analysis of Metasploit relative to PTES: http://www.tinyurl.com/msf-ptes
• Metasploit Unleashed

Using advanced features

NAC/802.1x Bypass

NAC Bypass overview

This device can bypass most wired NAC/802.1x/RADIUS implementations, providing a reverse shell backdoor and full connectivity to NAC-restricted networks.

Special thanks to Skip Duckwall and his 802.1x bridging research: http://8021xbridge.googlecode.com

Here's how it works:

1. First, the device is placed in-line between an 802.1x-enabled client PC and a wall jack or switch.
2. Using a modified layer 2 bridging module, the device transparently passes the 802.1x EAPOL authentication packets between the client PC and the switch.
3. Once the 802.1x authentication completes, the switch grants connectivity to the network.
4. The first outbound port 80 packet to leave the client PC provides the device with the PC's MAC/IP address and default gateway.
5. To avoid tripping the switch's port security, the device then establishes a reverse SSH connection using the MAC and IP address of the already authenticated client PC.
6. Once connected to the device's SSH console, you will have access to any internal subnets accessible by the client PC.

Tip: Since "NAC bypass mode" effectively turns the device into a transparent bridge, it can be used even where NAC/802.1x controls are not present on the target network.

Enabling NAC Bypass mode


Important: Enabling NAC Bypass mode will prevent direct access to your Pwnie device's SSH server and Pwnix UI over the network. Once stealth mode is enabled, access to the device can only be obtained through a reverse shell or the local serial console.

Note: These steps must be followed in the exact sequence shown to avoid tripping switch port security (which often completely disables the switch port and may alert network personnel).

1. Set up your desired reverse shells (see "Using the reverse shells").
2. Log in to your device via SSH and run the following command:

# service pwnix_nac_bypass start


4. Power off the device. At next boot, the device will be in NAC bypass mode.

Note: After rebooting you will no longer be able to directly connect to the device via the Pwnix UI or SSH.

5. Deploy the device to your target environment as follows:
• Connect the device to a power outlet.
• Wait at least 30 seconds for the device to fully boot into NAC bypass mode.
• Disconnect the client PC's Ethernet cable from the wall jack.
• Connect the device's primary Ethernet port (eth0) to the Ethernet wall jack. Note: eth0 is the right-most Ethernet jack on the rear of the unit.
• Immediately connect the Ethernet-over-USB adapter (eth1) to the client PC. Note: eth1 is the left-most Ethernet jack on the rear of the unit.
6. The client completes its normal 802.1x authentication process transparently through the device.
7. When the first outbound HTTP port 80 packet leaves the client PC, the reverse shell connection schedule will re-initiate automatically.

NAC Bypass troubleshooting


1. Log into the device's serial console (see "Accessing the local serial console").
2. Confirm all outbound packets are tagged with the client PC's MAC and IP address:

# tcpdump -nnei eth0


4. Confirm 802.1x EAPOL authentication packets are being forwarded by the bridge:

On the Windows client PC:
a. Start the Wired Autoconfig service
b. Open the LAN connection properties / Authentication tab
c. Open "PEAP" settings
d. Uncheck the "Validate server certificate" checkbox and click OK
e. Click the "Additional settings" button
f. Check "specify authentication mode"
g. Select "user authentication" from the drop-down box
h. Click the "Replace credentials" button
i. username: testuser
j. password: testpasswd
k. Click OK, then OK again to close network connection setup
l. To generate EAPOL packets, restart the Wired Autoconfig service

On the Pwn Plug:
a. tcpdump -nnei eth0 | egrep EAPOL
b. Look for outbound EAPOL packets. Example:

15:31:54.333292 00:0c:29:5c:74:41 > 01:80:c2:00:00:03, ethertype EAPOL (0x888e), length 60: EAPOL start

Tip: To manually force a link refresh from the command line: mii-tool -r eth0 ; mii-tool -r eth1

Disabling NAC Bypass mode



1. Log into the device through a reverse shell or the serial console (see "Accessing the local serial console").
2. Run the following command:

# service pwnix_nac_bypass stop

3. Reboot the device.

Stealth Mode

When enabled, stealth mode does the following:
• Disables IPv6 support (prevents noisy IPv6 broadcasting)
• Disables ICMP replies (won't respond to ping requests)
• Disables the UI (closes port 1443)
• Sets the local SSH server to listen on the loopback address only (closes port 22 to the outside)
• Still allows all reverse shells to function as expected

Important: Enabling stealth mode will prevent direct access to your Pwnie device's SSH server and Pwnix UI over the network. Once stealth mode is enabled, access to the device can only be obtained through a reverse shell or the local serial console.

To enable Stealth Mode, run the following commands:

# update-rc.d pwnix_stealth defaults
# service pwnix_stealth start

To disable Stealth Mode:

# service pwnix_stealth stop
# update-rc.d -f pwnix_stealth remove

Tip: For additional stealthiness, run the following commands:
• If using DHCP, kill the dhclient process (closes listening UDP port 68):

# killall dhclient

• Randomize your MAC address:

# macchanger -r eth0

• Disable ARP replies (careful! this may affect network connectivity):

# ifconfig eth0 -arp



Maintaining your Pwnie device

Updating the Pwnix software

To update the Pwnix software platform to the latest release (including security updates), follow the steps shown in section "Using the Pwnix UI > Setup page > Update device".

Accessing the local serial console

The serial console is useful for debugging or when a network connection is unavailable.

1. Connect the supplied mini-USB cable between the plug's mini-USB serial port and a Linux machine. On some older Linux kernels, the following commands may be required:

# modprobe usbserial
# modprobe ftdi_sio vendor=0x9e88 product=0x9e8f

Tip: For Windows/Mac systems see: http://www.plugcomputer.org/Documentation/howtos/serial-terminal/

2. Connect to the plug's serial console using screen (note on some distros this must be run as root):

# screen /dev/ttyUSB0 115200

Tip: If screen terminates after a few seconds, use "dmesg" to confirm the plug is showing up as a USB serial device. Example:

[15360.941161] usb 5-3: FTDI USB Serial Device converter now attached to ttyUSB0

If the serial interface is showing up as something other than "ttyUSB0" (such as ttyUSB1), adjust the "screen" command accordingly.

3. Press ENTER twice.

Tip: If a login/command prompt does not appear, or if you see a line of question marks or strange-looking characters, try pressing CTRL+C several times or disconnecting/reconnecting the mini-USB serial cable.

4. At the login prompt, log in with the pwnie user account (default login is pwnie : pwnplug8000).

Tip: To exit a screen session, press CTRL+A, then backslash ( \ ), then Y.
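Because the converter can enumerate as a node other than ttyUSB0, here is an added shell example (not from the Pwnie Express manual) that pulls the FTDI line out of dmesg output and builds the matching screen command; the dmesg lines inside it are constructed sample input.

```sh
#!/bin/sh
# Added example, not from the Pwnie Express manual: find which ttyUSB node the
# FTDI serial converter attached to by parsing dmesg, then build the screen
# command at 115200 baud. The dmesg lines below are constructed sample input.

SAMPLE_DMESG='[15359.812345] usb 5-3: new full-speed USB device number 4 using uhci_hcd
[15360.120001] usbcore: registered new interface driver ftdi_sio
[15360.941161] usb 5-3: FTDI USB Serial Device converter now attached to ttyUSB1'

# Reads dmesg text on stdin and prints the most recently attached FTDI tty
# node (e.g. ttyUSB1); returns 1 if no converter line is present.
find_ftdi_tty() {
    grep 'FTDI USB Serial Device converter now attached to ttyUSB' \
        | sed 's/.*attached to \(ttyUSB[0-9]*\).*/\1/' | tail -n 1 | grep .
}

# Prints the screen command for the given tty node.
serial_console_cmd() {
    printf 'screen /dev/%s 115200\n' "$1"
}

# Stand-alone run against the sample; on a real machine use `dmesg | find_ftdi_tty`.
if tty=$(printf '%s\n' "$SAMPLE_DMESG" | find_ftdi_tty); then
    serial_console_cmd "$tty"
else
    echo "no FTDI serial converter found; try: modprobe usbserial; modprobe ftdi_sio vendor=0x9e88 product=0x9e8f" >&2
fi
```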

Reviewing the Pwnix environment

• Show device software revision:

# grep Release /etc/motd

• Show kernel version:

# uname -r

• Show date/time:

# date

• Show filesystem disk usage (note your disk usage may vary):

# df -h

• Show CPU details:

# cat /proc/cpuinfo

• Show total memory:

# grep MemTotal /proc/meminfo

• Show current eth0 config:

# ifconfig eth0

• Show currently listening TCP/UDP services (note dhclient won't be present if not using DHCP):

# netstat -lntup

• Check syslog for errors, warnings, etc.:

# egrep -i "warn|fail|crit|error|bad|unable" /var/log/messages

• Show Ruby version:

# ruby -v

• Show Perl version:

# perl -v

• Show Python version:

# python -V
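As an added example (not from the Pwnie Express manual) tying the netstat check above to the Stealth Mode section, the following shell function audits a netstat -lntup listing for the sockets stealth mode is supposed to close (the UI on port 1443, sshd on any non-loopback address, and any IPv6 socket); the two listings inside it are constructed sample output, and "pwnix_ui" is a placeholder program name.

```sh
#!/bin/sh
# Added example, not part of the Pwnie Express manual: audit a saved
# `netstat -lntup` listing against what Stealth Mode should leave open:
# no UI on port 1443, sshd on 127.0.0.1 only, no IPv6 sockets.
# Both listings are constructed sample output; "pwnix_ui" is a placeholder name.

SAMPLE_BEFORE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1201/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      1201/sshd
tcp        0      0 0.0.0.0:1443            0.0.0.0:*               LISTEN      1350/pwnix_ui
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1102/dhclient'

SAMPLE_AFTER='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:22            0.0.0.0:*               LISTEN      1201/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1102/dhclient'

# Reads netstat -lntup output on stdin, prints one FINDING line per socket
# stealth mode should have closed, and returns 1 if any were found.
check_stealth_listeners() {
    local status=0 proto recvq sendq local_addr rest port ip
    while read -r proto recvq sendq local_addr rest; do
        case "$proto" in
            tcp6|udp6) echo "FINDING: IPv6 socket still open on $local_addr"; status=1; continue ;;
            tcp|udp) ;;
            *) continue ;;   # header lines and anything unexpected
        esac
        port="${local_addr##*:}"
        ip="${local_addr%:*}"
        if [ "$port" = "1443" ]; then
            echo "FINDING: Pwnix UI still listening on $local_addr"
            status=1
        elif [ "$port" = "22" ] && [ "$ip" != "127.0.0.1" ]; then
            echo "FINDING: sshd reachable from the network on $local_addr"
            status=1
        elif [ "$port" = "68" ] && [ "$proto" = "udp" ]; then
            echo "NOTE: dhclient still bound on $local_addr (manual's tip: killall dhclient)"
        fi
    done
    return "$status"
}

# Stand-alone run; on a real device pipe the live `netstat -lntup` in instead.
printf '%s\n' "$SAMPLE_BEFORE" | check_stealth_listeners || echo "before stealth: not stealthy"
printf '%s\n' "$SAMPLE_AFTER" | check_stealth_listeners && echo "after stealth: clean"
```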

How to get support

• Pwnie Express Support Portal: http://www.pwnieexpress.com/pages/support
• Pwnie Express Community Support Forum: http://forum.pwnieexpress.com
