Pwnie express Pwn plug r3 User manual

Pwnie Express User Manual

Pwn Plug R3 Fixed Sensor

The latest version of this manual is maintained here:

https://www.pwnieexpress.com/support/

Contents

Legal Disclaimers.....................................................................................................4

Specifications..........................................................................................................4

Getting Started .......................................................................................................4

Using the Pwnix UI ..................................................................................................5

Setup page .............................................................................................................5

System Authentication ........................................................................................5

Network Config ..................................................................................................6

Reverse Shell Key...............................................................................................7

Clean up History and Logs ...................................................................................8

Update Device....................................................................................................8

Restart Device ...................................................................................................9

Services page .......................................................................................................9

Passive Recon ....................................................................................................9

Evil AP ............................................................................................................10

NTP ................................................................................................................11

Reverse Shells page ............................................................................................11

Activating the reverse shells ..............................................................................11

Configuring Kali to receive the reverse shells .......................................................12

Connecting to the reverse shells.........................................................................13

Deploying to target network...............................................................................14

Using SSH port forwarders on Kali.........................................................................15

Connecting to remote RDP servers......................................................................15

Connecting to remote web servers......................................................................15

Creating an SSH VPN...........................................................................................16

Activating the SSH VPN tunnel ...........................................................................16

Using the wireless hardware ...................................................................................17

802.11 wireless ..................................................................................................17

Connecting to an open Wi-Fi network ..................................................................17

Running Airodump-ng & Kismet..........................................................................18

Packet injection................................................................................................18

Wireless client de-authentication ........................................................................19

Bluetooth ...........................................................................................................19

Using the Bluetooth adapter...............................................................................19

4G/GSM Cellular .................................................................................................20

Using the unlocked GSM adapter ........................................................................20

Connecting to the Internet using the adapter .......................................................23

Accessing the pentesting tools ................................................................................26

Accessing Metasploit............................................................................................26

Running additional pentesting tools .......................................................................26

Pentesting Resources ........................................................................................27

Using advanced features ........................................................................................27

Stealth Mode ......................................................................................................27

NAC/802.1x Bypass.............................................................................................28

NAC Bypass overview........................................................................................28

Enabling NAC Bypass mode ...............................................................................29

NAC Bypass troubleshooting ..............................................................................30

Disabling NAC Bypass mode...............................................................................30

Maintaining your Pwnie sensor ................................................................................31

Updating the Pwnix software ................................................................................31

Reviewing the Pwnix environment .........................................................................31

How to obtain support .........................................................................................32

Legal Disclaimers

All Pwnie Express products are for legally authorized use only.

By using this product you agree to the terms of the Rapid Focus Security, Inc. EULA:

(http://www.pwnieexpress.com/wp-content/uploads/2014/12/Pwnie-Express-EULA-10-13-14-.pdf)

This product contains both open source and proprietary software:

oProprietary software is distributed under the terms of the Rapid Focus Security, Inc. EULA:

(http://www.pwnieexpress.com/wp-content/uploads/2014/12/Pwnie-Express-EULA-10-13-14-

.pdf)

oOpen source software is distributed under one or more of the following licenses:

GNU PUBLIC LICENSE

(https://www.gnu.org/licenses/gpl.html)

BSD-3-CLAUSE LICENSE

(http://opensource.org/LICENSES/BSD-3-CLAUSE)

OPENSSL TOOLKIT DUAL LICENSE

(https://www.openssl.org/source/license.html)

APACHE LICENSE, VERSION 2.0

(https://www.apache.org/licenses/LICENSE-2.0.html)

As with any software application, any downloads/transfers of this software are subject to export controls

under the U.S. Commerce Department's Export Administration Regulations (EAR):

(http://www.bis.doc.gov/index.php/regulations/export-administration-regulations-ear). By using this

software, you certify your complete understanding of and compliance with these regulations.

Specifications

Hardware

oProcessor: 1.1GHz dual-core Intel Celeron (2 threads, 64-bit)

oMemory: 2GB 1600MHz DDR3

oDisk Storage: 32GB mSATA SSD

oOnboard I/O: 1x Gigabit Ethernet, 3x USB ports, 1x HDMI

oDimensions: 4.6” x 4.4” x 1.5”

Wireless

oOnboard high-gain dual-band 802.11a/b/g/n wireless supporting packet injection & monitor mode

(internal antenna)

oOnboard Bluetooth supporting device scanning & monitor mode (internal antenna)

4G GSM LTE USB Adapter

oCompatible with SIM cards from AT&T, T-Mobile, Vodafone, Orange, and GSM carriers in over

160 countries (SIM card not included)

o4G LTE FDD - B20/B8/B1/B3/B7 800/900/1800/2100/2600Mhz

oGSM: 850/900/1800/1900MHz

oSIM/USIM card: standard 6-pin SIM card interface

Getting Started

1. Connect the onboard Ethernet port (eth0) to the local area network (LAN).

2. Connect the AC adapter to a power source.

3. Press the round power button on the top of the sensor.

4. Use a web browser to login to the Pwnix UI, acquire all available updates and configure the sensor.

5. After the sensor has been configured for use, the sensor is accessed either through an SSH connection

established to the sensor or through a Reverse SSH connection established from the sensor.

Note: By default, the Ethernet port (eth0) on the sensor uses DHCP to acquire its IP address. Whereas this will

initially be unknown, it is recommended to run nmap (e.g. nmap x.x.x.0/24 –p 22,1443 --open) to scan the

network subnet from a laptop (or desktop) to discover the IP assigned to the eth0 interface. Once learned, open

a web browser and go to https://

x.x.x.x

:1443 (where x.x.x.x is the IP address assigned) to access the Pwnix UI.

If DHCP is not used within the LAN or if the sensor is unable to acquire an IP address via DHCP, the sensor has a

virtual Ethernet interface (eth0:1) with IP address 192.168.9.10/24 already assigned. To access the sensor via its

virtual Ethernet interface will require IP address 192.168.9.11/24 assigned to a laptop (or desktop). Then, from

this system plugged into the same LAN the sensor is located within and assuming the network allows the

simultaneous broadcast of the additional 192.168.9.0/24 network, the laptop or desktop should be able to PING

the IP address assigned to the sensor, (i.e. ping 192.168.9.10). If successful, open a web browser and go to

https://192.168.9.10:1443 to access the Pwnix UI.

Tip: If unsuccessful with accessing the virtual Ethernet interface in this manner, the most likely cause would be

the network not allowing the simultaneous broadcast of the 192.168.9.0/24 network. To resolve, simply connect

the Ethernet interface on the sensor directly to the Ethernet interface on the laptop (or desktop), then try to ping

the IP address assigned to the sensor’s virtual Ethernet interface, (e.g. ping 192.168.9.10). If successful, open

a web browser and go to https://192.168.9.10:1443 to access the Pwnix UI.

Using the Pwnix UI

Note: When accessing the Pwnix UI for the first time, you will need to accept/acknowledge the warning about a

self-signed certificate to continue.

1. At the login prompt, enter pwnie for the username and enter pwnplug8000 (the default) for the

password.

2. Next, the “Setup” page appears.

Setup page

System Authentication

1. From the “Setup” page, under “General Configuration”, click “System Authentication”.

2. Enter the current password for the “pwnie” user account, then enter a new password and provide its

confirmation.

IMPORTANT: We strongly recommend changing the default password for the “pwnie” user account as

soon as possible.

3. Next, click “Change Password” button.

Note: This will change the password for the “pwnie” UI user and the “pwnie” system (Linux/SSH)

account. Pwnix UI authentication is integrated with Linux PAM, allowing the UI and system passwords to

be synchronized for the “pwnie” user.

4. Afterward, click “Logout” on the top menu and then re-login to re-authenticate with your new credentials.

Tip: After the sensor is deployed, and if accessing the sensor through an SSH connection, you can also set the

“pwnie” user’s password via the command line, as shown:

# passwd pwnie

Note: Please note that if you change the password from the command line it will change the Pwnix UI password

as well.

Network Config

Note: If the sensor is being accessed via the virtual Ethernet interface (eth0:1), then it is recommended to

manually set an IP address to the Ethernet interface (eth0), restart the sensor, then access the sensor via the

Ethernet interface (eth0) and the IP address assigned from this point forward.

1. From the “Setup” page, under “General Configuration”, click “Network Config”.

2. Under “Current Network Settings”, the Ethernet network interface(s) will be displayed reflecting the IP

assigned and their state.

Depending on configuration, the following interfaces may be visible:

eth0 - This Ethernet interface is located on the rear of the sensor and is configured for DHCP by default

eth0:1 - This virtual Ethernet interface is used if DHCP is not available

eth1 –This Ethernet interface is only available when using the external USB Ethernet adapter (See NAC

Bypass)

wlan0 - The onboard 802.11 wireless adapter (DOWN by default)

wlan0mon - The onboard 802.11 wireless adapter in monitor mode (DOWN by default)

3. To change the IP configuration for eth0, click the “eth0” link in the adapter table.

4. Under “Configuration for eth0”, the Ethernet interface eth0 is configured to use DHCP by default. To set

a static IP for eth0, click “Static Config” under “Configure eth0 Settings”, then enter a new IP Address,

Netmask, Default gateway IP, and Primary DNS server IP.

5. Afterward, click the “Apply Static IP Settings” button.

Note: After the sensor’s IP address is changed for the Ethernet interface (eth0), logout and reconnect to the

Pwnix UI using the newly assigned IP address.

If the IP address to the Ethernet interface eth0 has been set to a Static IP, to set eth0 to acquire its network

settings from a DHCP server instead, select “DHCP”, then click the “Enable” button.

Under “Change eth0 MAC Address”, the current MAC Address assigned to the Ethernet interface (eth0) is

displayed. To change the MAC Address, enter a new MAC Address and click the “Change MAC” button.

Note: The eth0 MAC address will always revert back to the hardware default if the sensor is rebooted.

Tip: If it is desired to shut down the virtual Ethernet interface (eth0:1), this can be performed by running the

following command with an SSH connection with the sensor.

# ifdown eth0:1

Under “Change Hostname”, the current hostname assigned to the sensor is displayed. To change the

hostname, provide a new hostname and click the “Change Hostname” button.

Tip: After changing the hostname, log out of any active SSH terminal sessions, then re-login to update the

prompt.

Under “Configure NTP Servers”, the current NTP servers are displayed. To change the NTP Servers for

use, enter two or more NTP Servers and click the “Configure NTP” button. Afterward, go to the

“Services” page and under “Service Management”, select “Manage Service” for NTP and ensure it is set to

enabled.

Reverse Shell Key

1. From the “Setup” page, under “General Configuration”, click “Reverse Shell Key”.

2. Under “Current Key”, if it has already been generated, the current SSH Public Key for the sensor is

displayed, which is used establish the Reverse Shells.

Tip: If no key pair is displayed a key pair will be generated automatically after enabling one or more

reverse shells on the “Reverse Shells” page.

Optional: If desired to create or change the key pair, click the “Generate” button (found under

“Generate New Key”) to generate a new key pair for the Reverse Shells.

Pwn Pulse is a distributed security assessment service providing unparalleled visibility, vulnerability scanning, and

insight into your remote branch offices and networks. By aggregating data from multiple sensors, Pwn Pulse is

able to combine real time Wired, Wireless, and Bluetooth asset discovery with local, on-demand vulnerability

scanning to provide unprecedented risk awareness of your organization’s hardest to reach areas.

If you have purchased a subscription to Pwn Pulse to allow a specific number of sensors and you have completed

the registration process to successfully login to Pwn Pulse, you are eligible to “join” that number of sensors to

Pwn Pulse by performing the steps below.

IMPORTANT: Do not register the sensor to Pwn Pulse unless the sensor is already physically located within the

network it is to report data upon. Additionally note the connectivity from the sensor requires TCP port 443 to the

Internet and because of bidirectional certificates used to secure the connection, the use of a proxy server is

unsupported.

1. On the System Setup page, under “General Configuration”, click “Register to Pwn Pulse”

2. When a sensor has yet to be registered, three fields will be visible; see screenshot below.

a. Provide the Dispatch Hostname (i.e. Pwn Pulse) required for use (#1). Specifying the port is not

required.

b. Provide the Sensor Name required for use (#2). It is encouraged the name of the sensor is

indicative of the geolocation location or branch office where the sensor is located.

c. Provide the Contact Name (#3) of an individual who might be responsible for the administration

of the sensor

3. After providing the required fields, click the “Connect to Dispatch” button (#4) to join the sensor to Pwn

Pulse.

4. Wait five minutes, then login to Pwn Pulse and go to the “Unapproved Sensors” page.

5. When the sensor appears on the list, click the Approve button to complete the process of joining the

sensor to Pwn Pulse.

6. In approximately 10-15 minutes, the main Dashboard will reflect statistics based upon the default tasks

configured to run by the sensor.

Repeat the above steps to join additional sensors to Pwn Pulse.

Clean up History and Logs

On the “Setup” page, under “General Configuration”, click the “Cleanup now” button.

This clears the root user’s bash history, UI logs, and all logs in /var/log.

Note: The bash history for any currently active root user sessions will be cleared upon the next logout.

Tip: If accessing the sensor through an SSH connection, the cleanup script can also be run from the command

line, as shown:

# /opt/pwnix/pwnix-scripts/cleanup.sh

Update Device

IMPORTANT: To acquire updates, the following external web sites *must* be accessible from the sensor via

the ports specified below. If access to one or more is blocked the result of a firewall, proxy server or web

filtering solution in use, the update process will fail rendering the Pwnix UI to become inaccessible. If it is

necessary, add the exclusion(s) below to the firewall, proxy server or web filtering solution *before* attempting

to update the sensor:

Allow TCP port 443 to *.pwnieexpress.com

Allow TCP port 80 to *.kali.org

Allow TCP port 443 to *.rubygems.org

Allow TCP ports 22, 443, and 9418 to *.github.com

1. On the “Setup” page, under “Update Device”, click the “Update Now” button.

Note: Depending upon connection speed and the number of updates to install, please allow 3-5 minutes

to allow the process to complete. While updating the sensor, the Pwnix UI may become temporarily

unavailable. To determine if/when the process has completed, please review the “Pwnix Update Log”

under “System Logs”, on the “System Details” page. When the update process has completed, the last

line in the log will show “

System update completed

”.

Tip: If accessing the sensor through an SSH connection, you can also update the sensor as follows:

# /opt/pwnix/chef/update.sh

Note: After the update has completed it is recommended to restart the sensor.

Restart Device

1. On the “Setup” page, under "Restart Device", click the "Reboot Now" button and the sensor will reboot

immediately.

Tip: If accessing the sensor through an SSH connection, you may also restart the sensor as follows:

# reboot

Services page

From the Services page, the Passive Recon, Evil AP, and NTP services can be managed (i.e. enabled or disabled)

Passive Recon

On the “Services” page, under “Service Management”, click “Manage Service” to change the status of the Passive

Recon service.

Depending upon its status, click “Enable Service” to start the passive recon service or “Disable Service” to stop

the passive recon service.

Note: When enabled, the sensor will passively listen on the Ethernet interface eth0, recording HTTP requests,

user-agents, cookies, OS guesses, and clear-text passwords to the following logs:

HTTP requests: /var/log/pwnix/passive_recon/http.log

OS guesses: /var/log/pwnix/passive_recon/p0f.log

Clear-text passwords: /var/log/pwnix/passive_recon/dsniff.log

Note: Passive Recon is most effective when the sensor is in NAC Bypass / transparent bridging mode, or when

connected to a switch monitor/SPAN port or network tap.

Tip: If accessing the sensor through an SSH connection, you may also enable or disable the Passive Recon

service from the command line, as follows:

To enable the Passive Recon service, run the following commands:

# service pwnix_passive_recon start

# update-rc.d pwnix_passive_recon defaults

To disable the Passive Recon service, run the following commands:

# service pwnix_passive_recon stop

# update-rc.d -f pwnix_passive_recon remove

Evil AP

On the “Services” page, under “Service Management”, click “Manage Service” to change the status of the “Evil

AP” service.

Depending upon its status, click “Start Service” to start the Evil AP service or “Disable Service” to stop the Evil AP

service.

Note: When enabled, the Evil AP will perform a “Karma” attack against all wireless client devices, which results

with wireless client devices to connect automatically to the Evil AP created by the sensor, based upon the

broadcasted probe requests learned from the client devices. When wireless client devices connect to the Evil AP,

the traffic from the wireless client devices is routed through the Ethernet interface (eth0).

Tip: If accessing the sensor through an SSH connection, to view real-time Evil AP activity from the command line,

type the following:

# tail -f /var/log/pwnix/evilap.log

Tip: If accessing the sensor through an SSH connection, you may also enable or disable the Evil AP service from

the command, as follows:

To enable Evil AP, run the following commands:

# service pwnix_evil_ap start

# update-rc.d pwnix_evil_ap defaults

Table of contents

Popular Security Sensor manuals by other brands

Honeywell Home

Honeywell Home PROSiXCOCN Installation and setup guide

Duevi

Duevi SIRPZ-RB-868 Operation

RKI

RKI 65-2483RK Operator's manual

Nortech

Nortech PD160 Enhanced Series user manual

Omron

Omron K8AC-H2 manual

Agilent Technologies

Agilent Technologies G8610 Series Quick reference card

Shinko

Shinko SE2EA-1-0-0 instruction manual

Det-Tronics

Det-Tronics X Series instructions

ACR Electronics

ACR Electronics COBHAM RCL-300A Product support manual

TOOLCRAFT

TOOLCRAFT 1712612 operating instructions

Elkron

Elkron IM600 Installation, programming and functions manual

Bosch

Bosch WEU PDO 6 Original instructions

THORLABS

THORLABS PDA10JT user guide

Waeco

Waeco UV-DETECT operating manual

Intermatic

Intermatic IOS-DSIMF manual

Siemens

Siemens AZL66 Series manual

BTI

BTI Profiline Multi Finder operating instructions

Challenger

Challenger SL01 instruction manual

PWNIE Express Pwn Plug R3 User manual

Popular Security Sensor manuals by other brands