Network breaking and entering: Ars tests the Pwn Plug R3

BY SEAN GALLAGHER
ARS TECHNICA

Imagine for a moment the following scenario: you’re the manager for a busy bank branch in a major city. You come back from lunch and are told by one of your employees that someone from corporate IT dropped by to check on a reported problem with a branch PC. You don’t remember putting in a trouble ticket with IT, but apparently the guy left after looking under a desk and re-plugging a network cable or something. It took less than five minutes. You think nothing of it and go back to approving loans.

Three days later, you get a call from the head of corporate security, wanting to know why someone at your branch has been performing wire transfers from the accounts of customers who’ve never used your branch to accounts at offshore banks. A few hours later, you’re unplugging the bank’s network equipment while he’s shouting at you over the phone about gigabytes of corporate data being pulled down from something in your bank. And when the security team and police arrive to investigate, they find a little nondescript box plugged into a network port, connected to a broadband cellular modem.

Something like this happened to banks in London last year. A man posing as an IT contractor wired networked keyboard-video-mouse (KVM) switches connected to cellular routers into PCs at two bank branches. The ring involved with the thefts was only caught because they decided to go for a third score, and their “technician” was caught in the act. The digital heists were a variation on the hacker “drop box” strategy: boldly walking into a place of business and planting a device, often hidden in plain sight, to use as a Trojan horse to gain remote access to the business’ network.

Drop boxes have another, more law-abiding use in the security business—they allow penetration testers to check the security of organizations’ networks. If you don’t know what your network’s vulnerabilities are, you can’t very well defend it. It’s why penetration testing has grown from a small but lucrative consulting field to an integral part of some companies’ internal security practices. Penetration testing appliances like those made by Pwnie Express (AKA Rapid Focus Security LLC) have made it a lot simpler for all sizes of organizations to do that sort of testing.

Ars has some experience with Pwnie’s devices. We used the PwnPlug R2 in our joint project with NPR last summer to act as our NSA-like passive monitoring tool, and then we purchased an R2 for our ongoing security and privacy testing. So when the Pwn Plug R3, the third generation of Pwnie’s flagship pen-testing device, arrived on the scene late last year, we decided to give it a thorough workout.

The R3 is a significant step up from its predecessors in a number of ways. There’s a lot more under the hood of this device, both in terms of what’s been packed within its square shell and the computing power that drives it. While the changes made to Pwnie’s software platform are subtle and still evolving, the new hardware brings a lot more power and flexibility to the job. It also comes with a slightly more robust price tag than previous versions: $995.

That seems like a lot for a little black-and-grey box, but a lot of malice has been packed into this small package. And on that note, we apologize again to any neighbors who may have suffered occasionally buggy Wi-Fi as a result of exploring this malice on our own network.

Going corporate

The original Pwn Plug was the first commercialized penetration testing drop box. It looks superficially like a power brick, intended to fool the casual observer. The Pwn Plug R2 upped the ante with a bit more processing and networking power, and it looked like a Wi-Fi access point. At one point, there was even a variant called the Power Pwn disguised as a (working) power strip. (That product is no longer in Pwnie Express’ catalog.)

 

Both previous Plugs relied on low-cost ARM-based hardware packed into small form factors, using SD cards as mass storage. But there were certain limitations to these devices that came with their form factors. For instance, while the original Pwn Plug is still for sale as an “academic edition,” Pwnie ran into problems with the R2’s manufacturing. Ars’ first purchased R2 died, shortly after it was installed, from a heat-related problem, and Pwnie executives acknowledged other customers had similar problems. Pwnie also wanted to beef up the Pwn Plug’s hardware to meet other customer demands. Rather than just using the devices for short-term penetration tests, customers were pressing them into service for pervasive surveillance of networks in order to conduct constant security auditing.

 

At last August’s DEF CON, we got a brief hands-on with Pwnie’s up-market answer to such requests. The Pwn Pro was the first iteration on the new hardware—an industrial-cased fanless device based on Intel’s Next Unit of Computing (NUC) architecture. The Pwn Plug R3 is the more economical, portable version of the same platform, intended like its predecessors as a shippable, portable, pluggable drop box. But it can also plug into some of the capabilities of the Pwn Pro, making it a potential branch-office solution for continuous monitoring of local network security from afar without the need for local support.

The Intel NUC kit the Pwn Plut R3 is based on is not as sneaky as its predecessors—it doesn’t disguise itself as a power brick or a Wi-Fi access point. However, the R3 itself isn’t about being sneaky. It’s about being corporate and legit, while being easily shipped to a location where anyone with basic IT skills can plug it in.

 

TheNUC kit hardware used for thePwn PlugR3 is a 1.1 GHz dual core Celeron processor.Pwnie configures it with two gigabytes ofDDR3 RAM and a 32-gigabyte mSATA SSD drive for fast memory and disk I/O. It comes with just what you want for a packet-processing machine: Wi-Fi, an internal high-gain antenna, and Bluetooth. There’s also a gigabit Ethernet port and three USB ports, plus a USB Ethernet adapter to provide a second hard-wired network interface. And all of it is tucked into a nearly square 4.6″×4.4″×1.5″ case.

All that someone needs to do to get the R3 up and running is plug in its external power brick and plug in an Ethernet cable. For cases where there’s a need to bypass the target network for remote access, Pwnie provides a USB cellular broadband adapter. Penetration testers can then pre-configure the Pwn Plug to “phone home.”

All of this still comes in a form factor, minus the external power brick, that is smaller than most consumer Wi-Fi routers. It could easily be mistaken for an external hard drive or router by anyone giving it a passing glance. And another upside of the small SSD and the NUC’s fanless design is that the Pwn Plug R3 is completely silent. The only external indication that it’s up to anything is the glowing recessed power button on the top.

Since this is a NUC, there are two HDMI ports on the Pwn Plug R3. That means, unlike its predecessors, you can actually plug a local monitor and keyboard into the Pwn Plug R3 and perform set-up and administrative tasks from a local console. We found that to be a big improvement after our technical contortions to troubleshoot the R2 units used over a USB serial connection.

The core of the Pwn Plug, as always, is its software: Pwnix, a special distribution of Offensive Security’s Kali Linux operating system with some proprietary software tools for security testing, remote management, and access. The Pwn Plug can be largely configured and managed through a Web interface, though much of the real work of security auditing still happens with command-line tools.

The Web interface for the Pwn Plug is called Outpost, and it’s not the most elaborate Web console ever. Its primary purpose is basic configuration of the Pwn Plug’s networking and services, and it also offers a basic console for two of those services:

  • Passive Recon, a listening service that performs basic discovery on systems on the monitored network; and
  • EvilAP, a “malicious” Wi-Fi access point service that responds to polling requests from devices to discover insecure Wi-Fi clients.

Outpost can also be used to connect the Pwn Plug R3 to Pwn Pulse, the cloud-based security monitoring and management system with advanced remote-control features that we saw at Black Hat in August. That service is still in a limited trial, however, so we weren’t able to connect to it and test it. We’ll give that a shot in a future review.

Passive Recon mines network traffic for a number of pieces of data. There are three logs produced by Passive Recon: a full log of HTTP requests and cookies scraped from network traffic; identifying information on devices on the network pulled from their network data; and any clear-text passwords captured from network traffic.

We found a bunch of interesting stuff on a home network, like a daughter’s iPhone checking in with Apple’s servers and a flurry of password traffic. The cookie catcher caught Outlook contacting cloud servers for automatic configuration data, Dropbox phoning home, and all other manner of non-Web communications in addition to the usual collection.

In testing, EvilAP was highly effective at gathering information about the existing Wi-Fi networks around the device. It also routes traffic from devices connected through it to its Ethernet connection transparently, for the most part, so it’s possible to capture packet data from anyone connecting to it. Depending on the proximity to those other networks, we found that the connections frequently were dropped after a few moments, and some clients were unable to join the network. We also found out that some neighbors are still using WEP-based wireless security. On the plus side, the next time there’s a Comcast Internet outage, we know we can always crack a password and borrow their DSL. (Joking. Really.)

EvilAP’s default setting is, as a Pwnie Express system engineer told us, “Aggressive Mode.” That’s great for relatively simple Wi-Fi environments, but the software can experience a bit of a meltdown when exposed to more heavily populated Wi-Fi environments (like, say, an urban environment where there are over 15 Wi-Fi networks within range of the Pwn Plug R3’s high-gain antenna). Despite efforts to reduce the propagation of wireless signals—operating the Pwn Plug in a basement behind brick and cinder block—there were times when we couldn’t get devices to directly attach to the rogue access point because there were too many clients sending probe requests.

“The current implementation of EvilAP on the Pwn Plug R3 does not offer the level of flexibility we initially hoped for with regards to its configuration and can therefore become overwhelmed in environments such as what you’ve described,” the system engineer said in an e-mail about our issues. An update is pending for EvilAP that should resolve some of the issues, he said, but as of the time of this article it’s still in testing. For now, some iOS devices may not fall for EvilAP’s attempt to man-in-the-middle them and refuse to connect. We found that when we were able to significantly reduce the Wi-Fi noise, we could get devices to connect fairly easily—though Mac OS X Yosemite warned us that the security mode for the network changed since we last tried to connect.

Pwning home

Outpost is also used to configure the Pwn Plug’s method of phoning home once it’s deployed, and the various tools allow a stealthy connection to the Pwn Plug to execute those tests remotely. If there’s no firewall between you and the Pwn Plug, a simple SSH connection will do. But in cases where an inbound SSH session might be a bit harder to pull off, there are several different covert channels to choose from to communicate with the device:

  • A standard reverse SSH shell, in which the Pwn Plug establishes the connection back to a remote “receiver” workstation;
  • SSH over HTTP to make it look like regular Web traffic;
  • A DNS-based shell, which conceals the SSH session within DNS protocol traffic back to the receiver;
  • An SSL-based reverse shell to disguise the traffic as an HTTPS connection;
  • An ICMP-based shell that looks like outbound network “pings” to a firewall;
  • And an “Egress Buster,” which attempts to create a connection using any of the 10 most common open ports.

With each of these, it’s possible to create an SSH virtual private network connection back to the Pwn Plug, to allow the pen-tester to access the R3 remotely through whatever firewalls may stand in the way. Additionally, if you want even more stealth, there’s a documented way to use a Tor connection to hide the SSH connection. However, this requires a bit of configuration from the command line on the Pwn Plug and, obviously, some more work on the remote workstation.

Once the reverse shell is established, the Pwn Plug R3 can go into “stealth mode”—making the device turn off responses to pings and other network requests. It’s also possible to make the Pwn Plug use a randomized MAC address for its Ethernet adaptor to conceal its identity and even to shut off responses to ARP messages (though on some networks, this may result in the Pwn Plug losing connectivity). Having gone completely quiet, the Pwn Plug becomes virtually undetectable by network scans (though network monitoring will pick up its concealed reverse SSH traffic).

The command line is also where most of the power of the Pwn Plug resides. The Pwnix distribution includes more than 100 penetration testing and security scanning tools that run from command line, including Metasploit’s exploit framework, packet capture tools, and a variety of Wi-Fi and Bluetooth testing and exploitation applications. The Wi-Fi hardware onboard supports packet injection, so it can be used for a variety of Wi-Fi replay attacks.

Paying to play

Obviously, the Pwn Plug R3 is not the sort of thing everyone is going to want to own—it’s a professional-grade tool. It still requires a certain skillset to use at a level that justifies its $995 price tag. While the Web-configurable features provide a good way to keep tabs on what’s going on in a given network environment, the real penetration testing and auditing tools require a learning curve even we’re still moving up on. For many, the price of the Pwn Plug may not be justifiable. The hardware itself can be picked up bit by bit from NewEgg and other sources for less than half the cost, and a majority of the software that it comes packaged with is open source. Load up a generic box with Kali Linux, and you’ve already got a majority of the tools provided by the Pwn Plug.

However, the few pieces of software that are proprietary to the Pwn Plug pay for the difference in cost fairly quickly for organizations doing regular penetration testing; merely the cost of a single road trip to perform a security audit can justify the purchase. And the long-term benefit of the Pwn Plug R3 will become much more apparent when Pwn Pulse becomes generally available. The cloud service will allow organizations to manage multiple Pwn Plug and Pwn Pro “sensors” from a single cloud dashboard, and users can then deploy scripts for new security tasks through a Web interface instead of having to connect via an SSH shell to each individual device.

Even without Pwn Pulse, there’s not a lot to complain about. The Pwn Plug R3 is a worthy (and needed) successor to Pwnie’s original pen-testing drop box in an age where penetration testing has gone from being a fringe specialty in the IT industry to being part of many companies’ security culture. This is a tool that should be taken seriously… even if the name defies that.

The good

  • A new, more powerful, more reliable device that can be configured with a local monitor and keyboard.
  • Better memory and SSD storage for more reliable and faster packet grabbing.
  • Fewer external parts makes for easy setup by someone onsite, which means less travel to exciting locales by pen-testers.
  • Ready to plug into cloud-based surveillance console Pwn Pulse when it’s ready.

The bad

  • A bit more pricey than previous Pwn Plugs.
  • Web console is pretty bare bones.

The ugly

  • If you’re not ready for command-line tools, you’re not ready for Pwn Plug.

Comments are closed.