Pwnie Express Releases Citadel PX for Distributed Penetration Testing

Citadel Px – an all-new software solution from Pwnie Express, enables robust security assessment and monitoring of networks, applications, and wireless networks for multiple branch offices

May 30, 2014

Pwnie Express introduces Citadel PX: the all-new distributed security assessment and remote penetration testing solution. Designed for assessment providers and the distributed enterprise, Citadel PX allows command and control of penetration testing and security assessment efforts remotely. Citadel PX minimizes travel and time constraints so companies can conduct assessments and have ultimate visibility of their security risk posture.

Citadel PX helps:

  • Manage multiple simultaneous penetration tests.
  • Improve visibility of penetration testing and security assessment processes.
  • Automates penetration testing tasks using the Pwnie Express robust automation framework.
  • Gain awareness of network, application,and wireless assets.

CTO Jonathan Cran says, “Citadel PX is ideal for banks, retail outlets, government agencies and other Enterprise-level businesses interested in penetration testing multiple locations through one centralized management console for both wired and wireless networks.”

Pwnie Express, established in 2010, enables scalable, rapid-deployment security assessment tools for the distributed enterprise.

[Press Release]

“Advanced Persistent Pentesting” Slides

Slides are available for our “Advanced Persistent Pentesting: Fighting Fire with Fire” talk from Hacker Halted 2012. The central thesis of the presentation is that pentesters have all the tools available to them to simulate an APT, and that the focus on the pentesting report as a binary pass / fail has been wrong. We should be focusing on the result a bit, but we should be focusing on the process far more.

Some of the take aways from the presentation:

  • Both the tester and the test target should work closely together for maximum value.
  • Pentests should not operate in a silo.
  • As a defender, if you don’t want the results, you want the IR capability.
  • Adding or enhancing a capability qualifies as actionable results.
  • Offensive capabilities lead, defensive capabilities lag (several years?).

Thanks again to the entire crew at Hacker Halted that made this possible.

Simple 4G with the Freedom Stick and Pwn Plug

Hey all, just had a chance to try out FreedomPop‘s FreedomStick4G with the Pwn Plug Elite. It works out of the box. Simply plug the device in, wait about 25 seconds for it to connect, and ‘lsusb’ to make sure it was detected:

root@elite:~# lsusb
Bus 001 Device 007: ID 198f:8160 Beceem Communications Inc.

Then, run an ‘ifconfig -a’  to see the device:

root@elite:~# ifconfig -a
eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

then grab an address with ‘dhclient’:

root@elite:~: dhclient eth1
root@elite:~: ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
inet addr:X.X.X.X  Bcast:X.X.X.X  Mask:
inet6 addr: fe80::21d:88ff:fe51:b3bd/64 Scope:Link
RX packets:19 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2626 (2.5 KiB)  TX bytes:1346 (1.3 KiB)

It appears to be using the Clear Wireless network, as I got an address with the name “” – They’re also blocking inbound SSH, so configure a reverse shell using the command line or the Plug UI, and you’re pwning over 4G!

Below you can see the relative size of the Freedom Stick with the Pwn Plug Elite.


Special thanks to Bill Lynch for pointing us at this handy tool!

October Newsletter

Here are some updates on what we have been doing over the last several months.

Team Building

Jonathan “jcran” Cran joined as CTO. jcran leads the development of our security assessment platform. He previously built and ran the quality assurance program for Rapid7’s Metasploit products.

Conference Updates

We had an awesome time sponsoring and exhibiting at Black Hat, DefCon and Derbycon.  Thanks to our many friends and supporters. You can catch the press on these and other events here.

New Product Releases

The Power Pwn – Same functionality as the Pwn Plug, in the form factor of a power strip.

Enterprise Pentesting Appliance (PX-EPA) – A high-performance, robust, and security-hardened pentesting appliance for permanent enterprise/federal branch office deployments. Supports Nessus server, Metasploit Pro, and Cobalt Strike natively, as well as Qualys, Acunetix, and nCircle as virtual guest machines.

Pwn Plug Mini – Half the size of the Pwn Plug with all of the same features and functionality of the Pwn Plug Wireless.

Federal News

Country of Origin Determination – The Department of Homeland Security has designated the Pwn Plug as being made in the United States for purposes of federal procurement. Federal agencies can read more here: Department of Homeland Security Notice of Final Determination

Latest Press

We’ve been fortunate to have lots of interest in the Power Pwn over the last few months. Here are a few of the highlights!

Thats all for now. Stay tuned for some additional exciting things that we have in store for you before year end. Thanks for your support!

The Pwnie Express Team

Winner, winner!

We caught @Mrt0ph rocking one of our classic Pwnie Express Tee-shirts last month during our monthly contest.

We were particularly impressed in light of the limited distribution of these little keepers. Congratulations to @Mrt0ph for submitting the winning photo. We’re going to give him a Pwn Plug Mini for his efforts. Thanks to all who participated.

Keep wearing those shirts!

Distributed Penetration Testing Becomes Easy With Pwnie Express Citadel PX

By Ritu Saxena

Pwnie Express, the company that came into existence in late 2009, with a mission to provide innovative security assessment products for today’s enterprises, has recently announced an all new security assessment and remote penetration testing product for distributed enterprises called Citadel PX. Citadel PX forms the core part of Pwnie Express’s vision of controlling enterprise-wide penetration testing and security assessment from a single interface.

Citadel PX is a scalable and rapid-deployment solution backed by hardware or virtual sensors which continuously monitors the network, runs vulnerability assessments, and conducts penetration tests from anywhere in the world. The console or Command Post serves a central interface to manage the sensors and gather results. Once the sensors are installed and configured, they initiate a reverse connection back to the Command Post, giving IT Admin control of their capabilities and automation.

 (Original Article)

Practical Remote Access – Running VMware VMs on the Enterprise Pentesting Appliance

The EPA can handle booting & forwarding the screen of VMs in a remote environment, and it’s relatively easy to get a Backtrack instance on the EPA via the LiveCD ISO, but let’s say you have an existing VMWare image that you want to run in a remote environment – how do you do it? Using the Backtrack VM as an example, here’s the dirt:

1) Download the VM from the fine folks at Offensive Security

2) You’ll need to modify the .vmdk to consolidate it into a single file. (This step requires a utility bundled with VMWare Workstation, so run it on a machine where you have Workstation installed):

# vmware-vdiskmanager -r BT5R3-GNOME-VM-32.vmdk -t 0 BT5R3-GNOME-VM-32-SINGLE-FILE.vmdk

NOTE: Case sensitivity of the file name and extension is important

3) Copy the newly-created single .vmdk and the corresponding .vmx file to the EPA using scp from your workstation:

# scp BT5R3-GNOME-VM-32.vmx pwnie@[epa]:/opt/pwnix/virtual-machines/

# scp BT5R3-GNOME-VM-32-SINGLE-FILE.vmdk pwnie@[epa]:/opt/pwnix/virtual-machines/

4) Now, on the EPA, convert the vmx settings to xml using ‘vmware2libvirt’ and remove the now-defunct vmx file

# apt-get install virt-goodies

# cd /opt/pwnix/virtual-machines

# vmware2libvirt -f BT5R3-GNOME-VM-32.vmx > BT5R3-GNOME-VM-32.xml

# rm BT5R3-GNOME-VM-32.vmx

5) In order for virsh / KVM to read the file, you’ll need to convert the single .vmdk into a raw image using qemu-img and remove the now-defunct vmdk:

# qemu-img convert -f vmdk BT5R3-GNOME-VM-32.vmdk -O BT5R3-GNOME-VM-32.img

# rm BT5R3-GNOME-VM-32.vmdk

6) Use your editor of choice (nano / vim / vi) to edit the name of the newly-converted raw disk – change the <source-file> directive to point to the new raw .img disk :

# nano target.xml

<source file='/opt/pwnix/virtual-machines/BT5R3-GNOME-VM-32.img'/>

7) Import the xml to virsh now that it points to the .img file:

# virsh -c qemu:///system define BT5R3-GNOME-VM-32.xml

8) List the current VMs to ensure it was imported correctly:

# virsh list --all

9) Delegate the proper permissions on the directory:

# chown libvirt-qemu:kvm /opt/pwnix/virtual-machines/BT5R3-GNOME-VM-32*

# chmod 775 /opt/pwnix/virtual-machines/BT5R3-GNOME-VM-32*

10) Start the VM

# virsh start BT5R3-GNOME-VM-32

11) Connect to the VM from a Linux host with virt-viewer (or VNC) installed

$ virt-viewer -c qemu+ssh://pwnie@[epa]/system BT5R3-GNOME-VM-32

… And you’re good to go. Happy hunting! Check out the Enterprise Pentesting Appliance documentation if you’re interested in more detailed documentation like this!

NOTE: To stop the VM, run:

# virsh destroy BT5R3-GNOME-VM-32

NOTE: To unregister / remove the VM, run:

# virsh undefine BT5R3-GNOME-VM-32


Raspberry Pwn: A Pentesting Release for the Raspberry Pi

Pwnie Express is happy to announce the initial release of Raspberry Pwn! Security enthusiasts can now easily turn their Raspberry Pi into a full-featured security penetration testing and auditing platform! This fully open-source release includes the following testing tools: SET, Fasttrack, kismet, aircrack-ng, nmap, dsniff, netcat, nikto, xprobe, scapy, wireshark, tcpdump, ettercap, hping3, medusa, macchanger, nbtscan, john, ptunnel, p0f, ngrep, tcpflow, openvpn, iodine, httptunnel, cryptcat, sipsak, yersinia, smbclient, sslsniff, tcptraceroute, pbnj, netdiscover, netmask, udptunnel, dnstracer, sslscan, medusa, ipcalc, dnswalk, socat, onesixtyone, tinyproxy, dmitry, fcrackzip, ssldump, fping, ike-scan, gpsd, darkstat, swaks, arping, tcpreplay, sipcrack, proxychains, proxytunnel, siege, sqlmap, wapiti, skipfish, w3af   Download your Raspberry Pwn here: Special thanks to @zenofex for letting us borrow his Pi. Enjoy! – The Pwnie Express Team

Learn More About Rogue Devices

What’s in your pentesting kit?

We were recently working on an audit of the Pwn Appliance, checking to ensure each tool was documented, relevant, useful, AND up-to-date. If you look at the pure number of tools, we’re a little slanted toward tunneling, network pentesting, and wireless utilities right now, but of course you have root access to your device, and can install whatever you’d like.

We’re loving the stories we get of folks using tools like SET, BeEF, or SQLMap on internal networks after tossing it in the corner.

Here’s a high-level view of the toolkit:


And here’s the full list of packages (note there are some others that are not installed via package, but this covers the majority). We believe that Pwnie devices firmly belong in the pentester’s toolkit – whether you’re doing local or remote network, webapp, wireless, or physical work.

Many testers have encountered scenarios where (lack of) Internet access or time dictated that their toolkit be prepared in advance of a test. Particularly for on-site work.  What’s your pentesting kit consist of? Which hardware? Which software?