Many sysadmins understand how to set up and maintain a network, but the concept of auditing is an entirely different world. In the first part of a series on auditing and penetration testing (pentesting), we introduce the concepts and tools for putting all that security to the test. We’ll also talk about our pentest platform of choice, the Pwn Plug.
Introducing the Pwn Plug
As mentioned when discussing tools, the Pwn Plug is designed to sit squarely in the middle of the industrial vulnerability scans and the built-by-hand pentest system. It’s designed from the ground up to be everything that a pentester needs in a small, polished package. Configure it, plug it into the wall, plug it into the network, and instantly, you have many of the same pentesting powers available in Backtrack Linux and a couple of the most amazing abilities ever – easy setup, and a host of “outbound” communication methods that will leave your IDS bewildered beyond belief.
Pwnie Express has packed a lot into a little package – we’re using the PwnPlug Elite for our articles, but even the cheapest of the bunch (the Mini) has access to all but a couple of the features we’ll cover here in our tutorials. The most important features included on the Elite version are advanced security bypassing on wired networks and the ability to actually not even use the target network to “phone home,” instead using a 3G/4G cellular connection that receives inputs by SMS. The SMS feature in particular is more for advanced long-term testing and monitoring and, though a huge selling point for a person who needs to monitor several complex networks, is well beyond the scope of anyone needing this primer. The security bypass, however, is a pretty major feature even for a beginner, as it allows you to test a few things on more secure networks that you couldn’t easily do without it.
The PwnPlug strikes a perfect balance between cost and function – unlike products such as Metasploit Pro and CORE Impact, it’s a one-time entry fee of between $500-$1,000 (depending on model) with no future costs. Unlike Backtrack, it doesn’t require any separate hardware to make it work. Thanks to its easy setup, it’s the perfect tool for someone who isn’t entirely familiar with the intricacies of the security field to keep themselves up-to-date with the same tools that an attacker would use… but provides a full pentesting platform for those who are already knowledgeable and are looking for something efficient and easy to deploy.
This cannot – CANNOT – be understated: The tools that are on a PwnPlug are the tools used against many networks.
This leads to one of the greatest misconceptions about the Pwn Plug, including an entire article in Wired magazine that completely misstated the device’s purpose: Is the PwnPlug is a hacking tool? No – it could be, but most script-kiddies are cheap, want bigger antennas and a screen for war-driving, don’t want to leave $1,000 systems unattended (even if they ARE discreet), and (if they’re any good) are probably using the tools already on the laptop they’re trying to break in with. It is a tool designed by hackers for pentesters. The point of the Pwn Plug is so that WE, who need to be aware of the tools, techniques and technology used against us, can effectively audit our networks in the same way that an attacker would attempt to attack it.
One of my favorite parts of the Pwn Plug is its simplified configuration. All of the plug’s network settings can be controlled via a Web-based UI (called, unoriginally, PlugUI), allowing you to make changes quickly and easily. Arguably the most important of these configuration options is the way the device interfaces with you, the pentester – setting up complex options that can be difficult to get working via individual commands are nothing more than a checkbox away. Once configured, it can simply be taken to the site, plugged in the wall and the network, and left to do it’s thing. If all goes well (or poorly, depending on your network setup), it will let you know via your chosen method that it’s ready to roll, and is awaiting your command.
Having the more common tools for pentesting built in the PlugUI would be a nice touch, because most all of the setup options just deal with how the Pwn Plug connects to the world around it. The proper auditing still begins from the command line on the device, same as on Backtrack. However, most of the tools we’ll be covering can be taught effectively even if you don’t have a lot of Linux CLI experience. Pwnie Express has talked about a massive update to the PlugUI that will allow much more Web-based functionality, which is a concept I do hope that it can implement. Though many tools are better with a host of options more suited for a command line, there are quite a few things that are basic pentest concepts that can be automated by scripts and run through the Web interface, saving their results for more complex command-line functions later on. The unit already does one of these right now with a “Passive Recon” mode, which turns the box into a stealthy little information gatherer by analyzing the network traffic passed and obtaining things like IPs, OS guesses, open/used ports, and clear-text passwords.
Each model in the series comes with a lot of testing firepower, including Wi-Fi by default and Bluetooth as an option (standard on Elite models). This, on its own, is a huge selling feature for me – matching up Wi-Fi cards that have the proper chipset to go into Passive/Monitor mode can be a giant pain. It also means that for the price of entry, you aren’t having to spend extra money finding a way to test your mobile systems or wireless network. Also optional on the lower models is an extra USB-Ethernet adapter to let the Pwn Plug function as a completely pass-through appliance, allowing it to function transparently on switched networks. On the Elite model, this is upgraded further to allow the advanced one-click Network Access Control (NAC) bypass, which is a huge bonus for testing Active Directory, Kerberos or other protected networks.
It’s this versatility that makes the Pwn Plug such a good platform. In a flash, we can put it inside or outside of the NAC controls or Wi-Fi network. We can stealth it to be un-ping-able and virtually undetectable, or treat it like a system already on the network. We can contact it in a variety of ways. We can position it at nearly every layer of network security as if we had breached that particular layer. And at each layer, we still have the full suite of tools at our disposal, instead of being limited to certain ones based on our own attacking skills. This is a vital benefit to this particular platform – it assumes we aren’t an elite hacker that knows everything about breaking and entering, and therefore gives us the access a more skilled attacker might get that maybe we wouldn’t if we were trying to break through the layers ourselves.
If there is one complaint to the Pwn Plug, it’s that of limited memory and processing firepower. You can’t expect a device that is the size of a large power adapter to be a computational powerhouse, but certain intensive tasks do take a while. The memory hampers it more, especially since some programs (like the Metasploit Framework) are already needing to be “shaped” by Pwnie Express to run within the 512MB of RAM and storage. Though the SD card slot built into the higher-end devices helps, that doesn’t assist with the actual program/OS storage. The device works wonderfully for its target purposes, but it takes some patience with parts of the toolset.
Before we get too far into discussing the tools provided in the Pwn Plug, however, we still have a bit more very important theory to cover – how an attack actually happens.