An Information Security Community
Martin Bos (purehate)
Eric Milam (brav0hax)
As security consultants we’ve had an opportunity to pentest some of the world’s most interesting companies. Technology and penetration testing are our passion, and as such we love our tools (toys)! Having worked with a load of them over the years, it’s easy to embrace the good and dismiss the rest. The devices released by the team at Pwnie Express are far from toys in the traditional sense. These devices are small form factor penetration testing platforms that can be easily concealed and used to remotely control entire corporate networks. We’ve always pined for the opportunity to really let loose and use everything in our Pwnie arsenal to its full capacity, pushing every tool and resource to its limits.
On an attack simulation engagement, our target requested we pull out all the stops. As part of our arsenal, we packed all things pwnie. Both of us were armed with pwn phones, a pwn pad and of course an original pwn plug elite. During the international portion of the engagement, we purchased SIM cards for our pwn phones and pwn pad. Now that we had our tools fully loaded we were set to go.
Once we arrived at the customer location, a pretext social engineering (SE) scenario allowed us to access a conference room, where we planted a pwn plug behind the conference room’s computer. The customer had very tight egress filtering at the perimeter and we were unsure we’d be able to get an outbound shell. After about ten minutes, we used a pwn phone to SSH to our command and control server.
A challenge often encountered when using devices such as the Pwn Plug is knowing whether the reverse connection was successful. One of the nice things about the Pwn Pad and Phone is that they are GSM capable, and it’s as simple as purchasing a SIM card for the country being tested to get them working. Having working Pwn Phones allowed us to confirm that the Pwn Plug had successfully created an outbound shell before leaving the building. To our delight we had a shell waiting for us, granting access to the internal network. The pwnie scripts managed to negotiate a connection over TCP port 443, bypassing their tightly secured proxy server.
Now that we had secured a reliable connection, we decided to hook up the pwn pad to the internal network using the USB Ethernet dongle, an idea that came up in conversation with Dave Kennedy, CEO of TrustedSec. The pwn pad provided another shell out to the command and control server, which we accessed with a pwn phone from the parking lot. In about 30 minutes, and with almost no effort, we had two devices on the internal network that were accessible externally. After we confirmed everything was set up and fully functioning, we walked around the building with the pwn pad “assessing the wireless network.” We were able to capture some handshakes pretty easily using wifite and then left the location, leaving the pwn plug behind for persistent access.
Through that single pwn plug we were able to complete the entire penetration test, remotely control the target company’s networked assets and capture all the flags in the SOW. By the time we were ready to go to the next location for physical testing, we already had domain admin accounts, email accounts, our name in the global address book and a nice write up about each of us on the customer’s intranet page. In other words, if anyone were to look us up, we were legitimate employees with the information to back up our pretext scenario.
The pwn plug we planted was at the client site for seven weeks undetected. Not only were we able to use the device to perform asset scanning and run smbexec, we used it to pivot all our attack traffic. Once we returned to the States, we pivoted traffic from our home networks to the command and control server, on to the pwn plug, and out to anywhere we wanted on the target network. This was not limited to scanning; we forwarded RDP traffic and even ran smbexec from our local system to exfiltrate a 12GB ntds.dit file through the pwn plug.
After using these devices from Pwnie Express and pushing them to limits we didn’t think they could reach, we can definitely say they far exceeded our original expectations. Even though it was fun to play with the tools, Pwnie’s functionality clearly sets them apart from toys. We’re looking forward to the next opportunity, this time with the new, improved Pwn Plug R2. We are grateful to the team at Pwnie Express for creating these tools and hope others find them as incredibly useful as we have.