Pwned again: An exclusive look at Pwnie Express’ newest hack-in-a-box

Tomorrow at the Black Hat security conference in Las Vegas, the Pwnie Express will officially unleash Pwn Plug R2, the next generation in its arsenal of penetration testing and hacking hardware. Ars got an exclusive rundown in advance on the device from Dave Porcello, founder and CEO of Pwnie Express.

The new Pwn Plug looks less like a DC power supply plug—the form factor of its predecessor—and more like a small Wi-Fi access point or router. But inside, it's really a Linux-powered NSA-in-a-box, providing white hat hackers and corporate network security professionals a "drop box" system that can be remotely controlled over a covert Internet channel or a cellular data connection.

"Some people will use these for physical penetration tests," Porcello said. "They can go into a bank branch or a retail store, or even a corp office, and pretend to be a telecom technician or someone from the power company or whatever and drop it under someone's desk, or in a wiring closet, or behind a printer." And for other applications, such as corporate security auditing, Porcello said, "it's just as useful to send to remote sites without having to travel—a corporate security manager can just ship a box out to a retail store and have a store manager or branch manager just plug it in."

My, what big ears you have

The Pwn Plug R2 is equipped with a 1.2GHz Armada-370 ARM CPU and one gigabyte of DDR3 memory. It also has 32 gigabytes of local "disk" storage in the form of a 32GB microSDHC card. Initially priced at $895, the R2 is a significant step up from its predecessor from last year. While it lacks the stealthy profile of the original Pwn Plug, the R2 is still relatively inconspicuous, measuring 5.2" x 3.7" x 0.8" without its antenna. It can either hide in plain sight or be easily concealed.

Once a Pwn Plug R2 is deployed and turned on, it will start trying to find a way to call home to establish a persistent SSH connection between the device and its operator's server—including a GSM-based 4G cellular data connection compatible with AT&T and TMobile. "Out of the box you can configure it to try six different covert channels," Porcello said. "It'll automatically tunnel out of whatever network it's plugged into over a bunch of differently used covert channels that attackers usually use, such as tunneling over a trusted protocol like HTTP, SSL, DNS, and ICMP. And then if none of those works, you can always access over 4G. Or if your test is to try to avoid detection, than 4g is the way to go, because none of your control traffic will hit the target network."

The Pwn Plug R2 comes with built-in 801.11 b, g, and n Wi-Fi capability and a high-gain industrial Bluetooth adapter. It also has two gigabit Ethernet ports for Network Access Control (NAC) bypass, transparent bridging, and passive network traffic monitoring applications.

The Bluetooth adapter can be used to intercept signals from smartphones, computers, headsets, and other devices at a distance of up to 3,000 feet with the addition of a 12-inch 9dBi omnidirectional antenna. "We haven't proven that yet," Porcello said. "But that's what the manufacturer says. You could put one device in the middle of a large facility and cover the whole premises."

There are also provisions for add-on devices on the Pwn Plug R2 that take its wireless intercept capabilities well beyond the usual suspects. Pwnie Express added support for the HackRF software-defined radio device, and it will sell a customized version modified to support Pwn Plug R2 as an add-on. Porcello added that Pwnie Express is talking with Nuand about the bladeRF software-defined radio. "Those guys are going to be at DefCon this year," he said. "Their board looks really slick. One of my guys talked to their team at RSA earlier this year, and they have some pretty slick features that might not compete with HackRF."

The addition of software-defined radios for remote penetration testing opens up a whole new bag of tricks. "Software defined radios are huge for pen testers—they open up the entire spectrum," Porcello said. "Some of these cover frequencies from 20MHz up to 10GHz, so that includes everything from police scanner frequencies to text message and pager traffic, satellite traffic, and GPS, RFID, Zigbee, and Zwave industrial wireless—all with one device."

Industrial and home control wireless technologies, such as Zwave, Zigbee, and RFID, are an area of security vulnerability that often goes overlooked in information security audits. RFID is an area of special interest for penetration testers because of its use in access control badges, touchless payment systems, SpeedPass toll systems, passports, and drivers' licenses.

"The most common thing that everyone has with RFID is the physical access tags, those proximity tags used to access facilities," Porcello said. "Those are so easy to clone that it's a major security problem. The whole industry and community has known about this from the beginning, and there hasn't been a lot done to improve the security. It's so much easier to copy than a physical hardware key. You can pick up the signal from up to 70 feet away, if you have a big enough antenna. If someone's walking down the street, you can sniff the key right out of their pocket and then clone it on to a blank RFID tag."

Software with teeth

Some of the major enhancements to the latest Pwn Plug are in its software. The system now runs on Pwnix, a customized version of Offensive Security's Kali. Kali is a Debian-based Linux distribution built specifically for penetration testing. It's the successor to BackTrack Linux.

"They've changed the name for this distro because it is a dramatic improvement," Porcello said. "It’s much more streamlined, much more secure out of the box now, more enterprise ready. And they've converted all the pen testing tools to Debian packages, so you can actually install and remove any pen testing tool through their repository without having to compile it from source." He added that Pwnie Express has partnered with Offensive Security to adapt the distro to the Pwn Plug R2, and the company will be using the operating system for all its future products.

The other major software change is the Pwn Plug R2's interface. "It has an all new UI now," Porcello said. "It's integrated with our Citadel platform—a central management tool for Pwnie devices. We see a lot of customers are starting to deploy these on a larger scale, and once you get over like five or 10 units, it becomes unmanageable to connect to each one individually to update it and send tasks to it."

The "local" Web UI for the Pwn Plug R2 includes a number of "one-click" penetration testing tasks, such as configuring the device as an "Evil AP." That's a Wi-Fi access point that detects the use of common application protocols such as Web, e-mail, and domain name service traffic.

Another one-click setting configures the Pwn Plug for "passive reconnaissance," Porcello said. "Just push a button and it will start logging all of the HTTP requests it sees on the network—cookies and passwords and e-mail addresses and that sort of thing."

Additional features in the Pwn Plug R2's arsenal of pwnness include, among other things:

• New wireless penetration testing attacks, including the FreeRADIUS attack for high-security enterprise Wi-Fi networks
• Metasploit, the open-source penetration testing framework from Rapid7
• The Social Engineer Toolkit, an open-source tool written in Python designed for social engineering attacks on networks
• Kismet and Aircrack-NG, two Wi-Fi network attack tools
• nmap, a port-scanning tool
• SSLstrip, an SSL man-in-the-middle attack tool that hijacks links to secure HTTP sites
• THC Hydra, a network authentication "cracker"
• The w3af Web attack framework, Scapy packet spoofing tool, and Ettercap packet capture tool

All of that adds up to a fairly nasty surprise for a network on the receiving end. But it's better that surprise be coming from your own security audit than from a less well-intentioned hacker "drop-box" that finds its way into your network.