
Introducing the Pwn Pad 4: the latest Pwnie mobile sensor for wired, wireless and Bluetooth device detection, classification, and penetration testing

We’re excited to announce pre-sale of the Pwn Pad 4, a commercial-grade security tablet designed for remote security assessment. The Pwn Pad 4 combines a portable security detection and pen-testing tool with a powerful enterprise security platform. In addition, the pentesting side has some exciting new features: with Kali Rolling and Blue Hydra (a Pwnie-developed capability), it’s the only pentesting tablet with Bluetooth capabilities that offers both low-energy and classic Bluetooth detection and fingerprinting.

The Pwn Pad 4 features the following enhanced capabilities:

  • Blue Hydra: An industry first from Pwnie Express, the Pwn Pad 4 now includes Blue Hydra, the first device discovery software capable of detecting both low power and classic Bluetooth devices.
  • Portable Pen-Testing Doubling as Threat Detection Sensors: The tablet is completely integrated with Pwnie Express’ Pwn Pulse SaaS platform for real-time wired and wireless, BYOD and IoT threat detection. This allows security professionals to leverage the versatile pen testing capabilities of a portable pad with the centralized visibility and historical records of enterprise data.
  • Kali Linux Rolling Distribution: The tablet comes prepackaged with the latest Kali Rolling edition, which includes an arsenal of tools and scripts for the hands-on, on-the-go cyber security professional.
  • Enhanced Configuration and Setup: The Pwn Pad 4 is more user-friendly than its earlier counterparts, with a consumer-like setup and configuration wizard that streamlines the initial implementation, upgrading and use of non-Pwnie Android apps.

The Pwn Pad 4 is now available for pre-sale and will be generally available on June 1.  For more information, please visit  or contact sales@pwnieexpress.com or call (855) 793-1337.

Pwnie Express on Good Morning America


Pwnie Express founder and CTO Dave Porcello was recently featured on Good Morning America to help raise awareness on the cyber attacks currently targeting hotel guests across the globe. In this segment, Dave demonstrates two of today’s most common attacks: malicious WiFi hotspots (aka “Dark Hotel” attacks or “Evil Access Point hotspots”) and keystroke logging devices (aka “keyloggers”).

As shown by our “Project Eavesdrop” experiment with NPR, these attacks can expose a tremendous amount of personal information to a cyber criminal, including:

  • All visited websites, URLs, & search keywords
  • Passwords to banking/financial accounts, email accounts, & social media sites
  • Emails, photos, documents, & software downloads
  • Internet phone calls & video chat sessions
  • Physical location / GPS coordinates

In the past, these attacks required specialized equipment and a high level of technical expertise. Over the years, the proliferation of plug-and-play “cyber espionage devices” has made these attacks easier than setting up a home router.

“Evil Access Point” (Evil AP) hotspot devices and keyloggers come in a variety of portable, stealthy form factors and can be purchased online for as little as $20:

[Images: Pineapple, Device1, Device 2]

In the first demonstration, Dave simulates a “Dark Hotel” attack showing how an attacker can use an Evil AP to obtain personal information from hotel guests. Using a setup similar to the NPR Project Eavesdrop drop box, Dave was able to see all visited websites, URLs, images, and search keywords in real-time.

Next, Dave uses a combination of SSL-bypass and Fake Login Pages to simulate a password capture attack against several email and social media accounts, as well as a credit card number capture attack through a fake hotel guest portal page:

[Image: OurHotel (fake hotel guest portal page)]

Unfortunately, these “Dark Hotel” attacks are nearly impossible to detect by the average hotel-goer. Once a hotel guest unknowingly connects to one of these Evil AP hotspots, all their Internet traffic can be monitored, recorded, intercepted, and tampered with by the attacker.

Dave then illustrates how wireless keylogger devices (now sold at Amazon and Sears) can capture everything typed into a hotel business center or kiosk computer, including passwords and credit card numbers. The captured keystrokes can then be transmitted wirelessly over the Internet to an attacker residing anywhere in the world.

[Image: Keyloggers]

Lastly, Dave shows how the Pwnie Express Pwn Pad can be used by a security professional to detect and track down Evil AP hotspots:

[Image: PwnPadAction]

Just like we expect hotels to keep us physically safe with modern door locks and secured windows, we need to begin expecting hotels to protect us online as well. Pwnie Express and other cyber security vendors offer technologies such as Pwn Pulse that are increasingly being deployed by hotels, banks, hospitals, and other organizations to detect and disable these types of attacks.

Evil APs defined:

Rogue/Evil Access Points — or unauthorized and unmanaged WiFi devices — can spell the end for even the most mature of Information Security programs. Rogue APs can take many forms: non-malicious employees plugging in their own Access Points for convenience, misconfigured or unconfigured wireless-enabled printers, or a $5 USB WiFi adapter that criminals can use to stand up fake Access Points from the parking lot. Whether it was set up by genuine mistake, for convenience, or with malicious intent, a Rogue Access Point not under your control can give criminals direct access into your internal networks.

Evil Access Points can defeat even the most stringent WIPS/WIDS deployments, as they play on the weakest portion of any Security Program – the “Human Element.” Gone are the days when criminals needed specialized wireless gear and intimate knowledge of *nix to do this. With minimal cost and effort, any criminal can set up an EvilAP to lure – or even force – unsuspecting employees into joining fake wireless networks masquerading as legitimate ones.

Wireless Keyloggers defined:

Wireless keyloggers are rapidly becoming a physical security attack tool of choice. Keyloggers – traditionally found in software – store every keystroke the victim enters on the compromised machine. Criminals are now using micro-USB sticks (some so small you wouldn’t notice them plugged in) to capture all keystrokes on the target computer, which inevitably leads to the disclosure of passwords and other sensitive information. Today’s keyloggers use remote connectivity methods (such as WiFi or Bluetooth) to offload or exfiltrate their captured information. Since they aren’t tied to your organization’s wireless infrastructure, wireless keyloggers can operate virtually undetected.

Additional resources:

  • Dow Jones: “Five top cyber espionage devices”
    http://thetally.efinancialnews.com/2014/09/five-top-cyber-espionage-devices/
  • Pwnie Express & NPR: “Project Eavesdrop”
    http://store.pwnieexpress.com/blog/pwnie-express-on-npr/
  • Project Eavesdrop Part 1: “The Drop Box”
    http://store.pwnieexpress.com/npr-blog-series-part-1-the-drop-box/
  • Project Eavesdrop Part 2: “A Week in the Life”
    http://store.pwnieexpress.com/npr-blog-series-part-2-a-week-in-the-life/
  • The Evolution of Rogue Devices
    http://store.pwnieexpress.com/the-evolution-of-rogue-devices/
  • Evil AP: An Introduction
    http://store.pwnieexpress.com/introduction-evilap/
  • Bypassing HSTS SSL with the Mana Toolkit
    http://store.pwnieexpress.com/bypassing-hsts-ssl-with-the-mana-toolkit/
  • Stealing Credentials with Fake Login Pages
    http://store.pwnieexpress.com/stealing-credentials-with-fake-login-pages/
  • Mapping WiFi Networks on the Pwn Pad 2014
    http://store.pwnieexpress.com/mapping-wifi-networks-pwn-pad-2014/

_______________________________________________________
If you are a security professional or commercial organization interested in detecting rogue devices that may be present within your enterprise, please contact us at 1-855-793-1337 or at info@pwnieexpress.com, and our team of security experts will be in touch with you.

Job description: Infosec Ranger at Pwnie Express

Help Net Security

November 14, 2014

By Mirko Zorz

When I learned that well-known hacker and conference speaker Jayson Street decided to join the Pwnie Express team, I knew this was the perfect time for an interview.


You’ve been highly independent, traveling the world on assignments for several years. What made you settle down to work for Pwnie Express?

The main thing that drew me to working with Pwnie Express was the team and their commitment to being part of the broader community. From the very beginning Pwnie Express’s founder Dave and his crew were always part of the community. They don’t just sponsor community conferences – they also give out their PWN devices for free. No matter how much they grow I know they will never forget their roots!

On a side note, a funny behind the scenes story on my introduction to the team: I was first approached by Dave at DerbyCon this year. He introduced me to Paul the CEO of Pwnie Express and we had a great conversation. Though later that night I met Paul again but this time I was in a bright yellow Minion onesie. Upon seeing him I sheepishly said to him, “So rethinking the idea of having me working with your team?” His response was to laugh and say, “Oh no, this confirms it – you’re a perfect fit.”

Security Innovation Network (SINET) Announces Its 2014 Top 16 Emerging Cybersecurity Companies

The Security Innovation Network™ (SINET), an organization focused on advancing Cybersecurity innovation through public-private collaboration, announced today the winners of its annual SINET 16 competition. The companies, which were selected from a pool of 180 applicants from around the world, represent a range of Cybersecurity solution providers who are identifying cutting-edge technologies to address Cybersecurity threats and vulnerabilities. The selected companies will share their work with buyers, builders, investors and researchers during the SINET Showcase on Dec. 3 – 4, 2014 at the National Press Club in Washington, DC.

The competition requires that revenues be under $15 million and this year’s applicant pool of early stage and emerging technology companies was the most competitive since SINET began the initiative six years ago. The entries were vetted in a two-stage process by the SINET Showcase Steering Committee, which was comprised of 60 security experts drawn from government, academia and the private sector.

ABOUT THE 2014 SINET 16 INNOVATORS

The following companies were selected as the 2014 SINET 16 Innovators:

Click Security focuses on advanced threat detection, offering solutions that provide security visibility, automatically build rich context around otherwise independent and inconclusive product alerts, detect attack activity missed by traditional security products, and automate the hunt for the unknown.

Contrast Security brings continuous application security to the enterprise by identifying security vulnerabilities in real-time at portfolio scale.

CrowdStrike is a global provider of security technologies and services focused on identifying advanced threats and targeted attacks.

Cylance, Inc. is the first company to apply artificial intelligence, algorithmic science and machine learning to Cybersecurity that improves the way companies, governments and end users proactively solve the world’s most difficult security problems.

Cyphort, Inc. is an innovative provider of Advanced Threat Protection solutions that deliver a complete defense against current and emerging Advanced Persistent Threats, targeted attacks and zero day vulnerabilities.

GuruCul is a security risk intelligence provider, featuring GuruCul Risk Analytics (GRA), an Identity-Centric Behavioral Risk Intelligence platform that helps organizations efficiently prevent insider threat and fraud and protect intellectual property and regulated information.

Interset provides a highly intelligent and accurate insider and targeted outsider threat detection solution that unlocks the power of behavioral analytics, machine learning and big data to provide the fastest, most flexible and affordable way for IT teams of all sizes to operate a data protection program.

Norse Corporation focuses on live attack intelligence, delivering continuously updated Internet and Darknet intel that helps organizations detect and block attacks that other systems miss.

PFP Cybersecurity provides a unique, anomaly-based Cybersecurity threat detection technology that can find any cyber intrusion in any device, including active and dormant attacks.

PhishMe, Inc. provides threat management for organizations concerned about human susceptibility to advanced targeted attacks by enabling employees to identify, report, and mitigate spear phishing, malware, and drive-by threats.

Pwnie Express provides simple and scalable asset discovery, vulnerability scanning, and penetration testing solutions for remote sites and all wireless spectrums.

SecureRF Corporation provides cryptographic security solutions for wireless sensors, embedded systems and other devices where little or no security currently exists.

Shape Security has developed advanced technology that defends against attacks from malware, botnets and scripts by constantly re-shaping the web code.

Skyhigh Networks is a Cloud Visibility and Enablement Company that enables organizations to adopt cloud services with appropriate security, compliance, and governance.

vArmour is a data center security company designed to protect the data of enterprises and service providers from advanced attackers and lateral moving threats.

ZeroFOX is a social risk management company that enables organizations to identify, manage and mitigate information security risk introduced through social media.

“I am proud and excited to once again partner with the DHS S&T Directorate as we recognize this year’s SINET 16 Innovators,” says Robert Rodriguez, Chairman and Founder of SINET. “Only 16 companies were selected out of 180 applications by our esteemed committee so they might present their innovative solutions on stage in front of 400 investors, builders, buyers and researchers. Of our four programs each year, Silicon Valley, New York City, Washington DC and London, the Showcase is my favorite as it has a clear deliverable in our mission to advance innovation in the Cybersecurity domain.”

“The continued robust investment and M&A activity are strong bellwethers that we are not only experiencing an exciting period in our lives but are a true testament to the dynamics of the Cybersecurity market, which highlights the continued need for innovative and hopeful solutions.”

ABOUT SINET SHOWCASE

SINET Showcase provides a platform for the business of Cybersecurity to take place as emerging technology companies are able to present their solutions and connect with a select audience of nearly 400 venture capitalists, investment bankers as well as industry and government buyers. The program, which is supported by the Department of Homeland Security, Science & Technology Directorate, also features commentary on the latest investment and Cybersecurity trends from the industry’s foremost experts. The program includes educational workshops, panel sessions, an interactive luncheon hour and a networking reception.

To register for SINET Showcase and to see a complete list of speakers and a program agenda, visit http://www.security-innovation.org/showcase_2014.htm.

ABOUT SINET

SINET is a community builder and strategic advisor whose mission is to advance innovation and enable global collaboration between the public and private sectors to defeat Cybersecurity threats. Its public-private partnership events are supported by the U.S. Department of Homeland Security, Science & Technology Directorate. SINET also offers advisory services and a membership program that have helped build thousands of relationships and delivered value across a broad spectrum of the security community to include buyers, builders, researchers and investors. For more information, visit www.security-innovation.org. Connect with us on Twitter at @SINETconnection and follow all the news about this year’s SINET 16 and Showcase event with #SINET16 and #SINETDC.

WPS Cracking with Reaver

We’ve previously covered how ineffectual WEP encryption is for securing a wireless network, showing that the Pwn Plug R3 can easily break into a WEP network in less than one minute. But considering how old WEP is, that shouldn’t really come as much of a surprise. Most networks will now be running the much more robust WiFi Protected Access (WPA), with WEP running mainly on the older systems that haven’t been updated or maintained.

But while it’s not as trivial as breaking into a WEP network, WPA is not completely infallible. Here we will take a look at one of the methods used to crack into a WPA network, and some of the pitfalls you may encounter.

WPS Pin Attack

An often overlooked feature on many WiFi routers and access points is WiFi Protected Setup (WPS). This is a convenience feature that allows the user to join a client device to a wireless network by pressing a button on the access point and on the client device (the client side “button” is often in software) at the same time. The devices trade information, and then set up a secure WPA link.

On the surface, this is a very clever feature. It allows less savvy users to establish a secure connection between their devices quickly and easily, and as it requires physical access to the hardware, it would seem relatively secure.

But a tool called Reaver has been designed to brute-force the WPS PIN exchange remotely, even if the physical button hasn’t been pressed on the access point.

While some newer devices are building in protection against this specific attack, the Reaver WPS exploit remains useful on many networks in the field.

Note: To be clear, WPS is the vulnerable system in this case, not WPA. If a network has WPS disabled (which they should, given the existence of tools such as this), it will be immune to the following attack.

Finding a Network

If you’ve read the previous tutorial on cracking into a WEP network, you’ll recognize the command used to get the hardware into monitor mode:

airmon-ng start wlan0

From here you could use airodump-ng to look for networks, but Reaver actually includes its own tool, wash, for finding vulnerable WPS implementations, which is much more straightforward. To start it, run the following command:

wash -i mon0

The output will look something like this:

[Image: WPS Cracking (wash output)]

This shows two networks which are, at least in theory, vulnerable to the WPS brute force attack Reaver uses. Note the “WPS Locked” column; this is far from a definitive indicator, but in general, you’ll find that APs which are listed as unlocked are much more likely to be susceptible to brute forcing. You can still attempt to launch an attack against a network which is WPS locked, but the chances of success aren’t very good.
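The wash listing above is just as useful from the defender’s side: the same table tells you which of your own access points still advertise WPS, which is the precondition for the attack described here. The following Python script is an added example, not code from this post or from Pwnie Express. It parses a constructed sample in the column layout of wash 1.4, checks each AP against a constructed list of managed BSSIDs, and reports every WPS-enabled AP either as a misconfiguration to fix (managed) or as an unknown AP to investigate (unmanaged).

```python
"""Flag WPS-enabled access points in a wash survey (added example, not Pwnie Express code)."""
from dataclasses import dataclass

# Constructed sample in the column layout of wash 1.4; apart from the post's
# "linksys" example, the MACs and ESSIDs are made up.
SAMPLE_WASH_OUTPUT = """\
Wash v1.4 WiFi Protected Setup Scan Tool

BSSID                  Channel       RSSI       WPS Version       WPS Locked         ESSID
---------------------------------------------------------------------------------------------------------------
00:23:69:48:33:95       6            -43        1.0               No                 linksys
AA:BB:CC:DD:EE:01      11            -58        1.0               Yes                Corp Guest
AA:BB:CC:DD:EE:02       1            -71        1.0               No                 Corp Guest
"""

# Constructed inventory: BSSIDs of the access points your organization manages.
MANAGED_BSSIDS = {"AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02"}


@dataclass(frozen=True)
class WpsAp:
    bssid: str
    channel: int
    rssi: int
    version: str
    locked: bool
    essid: str


def parse_wash(text: str) -> list[WpsAp]:
    """Return one WpsAp per data row; the banner, header and rule lines are skipped."""
    aps = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a MAC address: six hex pairs separated by colons.
        if len(parts) < 5 or parts[0].count(":") != 5:
            continue
        bssid, channel, rssi, version, locked, *essid = parts
        aps.append(WpsAp(
            bssid=bssid.upper(),
            channel=int(channel),
            rssi=int(rssi),
            version=version,
            locked=locked.lower() == "yes",
            essid=" ".join(essid),  # ESSIDs may contain spaces; hidden ones are empty
        ))
    return aps


def classify(aps: list[WpsAp], managed: set[str]) -> dict[str, list[str]]:
    """Group every WPS-advertising AP into the finding a defender acts on.

    Anything wash lists has WPS enabled, which is what makes the PIN brute
    force possible; the lock state only changes how long the attack takes.
    """
    findings: dict[str, list[str]] = {"managed_wps_enabled": [], "unmanaged_wps_enabled": []}
    for ap in aps:
        key = "managed_wps_enabled" if ap.bssid in managed else "unmanaged_wps_enabled"
        state = "locked" if ap.locked else "unlocked"
        findings[key].append(f"{ap.bssid} ch{ap.channel} {ap.essid!r} (WPS {state}, {ap.rssi} dBm)")
    return findings


if __name__ == "__main__":
    for kind, items in classify(parse_wash(SAMPLE_WASH_OUTPUT), MANAGED_BSSIDS).items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("  ", item)
```

Run it against a saved `wash -i mon0` capture of your own site: managed APs in the output should have WPS switched off in their configuration, and unmanaged ones are candidates for the rogue-device hunt described elsewhere on this page.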


Launching Reaver

Once you’ve found a network you wish to run the attack against, operating Reaver is very straightforward. The basic command needs only the local interface, channel, and BSSID (the access point’s MAC address) to be specified. The command to launch Reaver against the “linksys” network above would look like this:

reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv

The only part of the above command that might not be immediately obvious is “-vv”; this enables verbose output, which greatly helps when trying to gauge how well Reaver is (or is not) progressing.

Once you’ve started Reaver, you’ll start seeing output like this:

[Image: Reaver (verbose output)]

This output shows that WPS pins are successfully being tried against the target (here we see 12345670 and 00005678 are being tested), and Reaver is operating normally.

Advanced Options

Ideally, the basic command works and the attack progresses as expected. But in reality, different manufacturers have been trying to implement protections against Reaver-style attacks, and additional options may be required to get the attack moving.

As an example, the following command adds a few optional switches that can help to get Reaver working on more picky devices:

reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv -L -N -d 15 -T .5 -r 3:15

The core command hasn’t changed; the additional switches only change how Reaver behaves:

  • -L: Ignore locked WPS state.
  • -N: Don’t send NACK packets when errors are detected.
  • -d 15: Delay 15 seconds between PIN attempts.
  • -T .5: Set the timeout period to half a second.
  • -r 3:15: After 3 attempts, sleep for 15 seconds.

This is by no means an exhaustive list of Reaver options, but it gives an idea of what kind of things you might want to try.

Attack Duration

Even under ideal conditions, Reaver can take a very long time to complete its run. There is an element of chance involved: the brute forcing could theoretically discover the PIN very quickly, but in general it is going to take many hours to even make a dent in the possible pool of PINs.

Luckily, Reaver keeps a progress log file automatically, so you can stop the attack at any time and resume whenever it’s convenient. Spending a few hours a day running Reaver against the same network should uncover its PIN and through that the WPA passphrase…eventually.
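To make the “many hours” concrete, here is an added Python model, not part of the original post, of how a lockout policy on the access point bounds the search. It relies on the WPS specification’s PIN design: the 8-digit PIN is verified in two halves and the last digit is a checksum, so an online search needs at most 11,000 attempts rather than 100 million. The per-attempt time and the lockout policies are constructed inputs, not measurements. The point for a defender is that a temporary lock only stretches the run, while locking until an administrator intervenes, or simply disabling WPS, ends it.

```python
"""Bound a Reaver-style WPS PIN search under an AP lockout policy (added example)."""
from dataclasses import dataclass
from typing import Optional
import math

# WPS verifies the 8-digit PIN in two halves and the last digit is a checksum,
# so an online search needs at most 10^4 (first half) + 10^3 (second half) tries.
MAX_PIN_ATTEMPTS = 10**4 + 10**3

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class LockoutPolicy:
    """How an access point reacts to failed PIN attempts (constructed policies below)."""
    name: str
    lock_after: Optional[int]     # failed attempts that trigger a lock; None means it never locks
    lock_seconds: float = 0.0     # lock duration; math.inf means locked until an admin resets the AP


def worst_case_seconds(attempt_seconds: float, policy: LockoutPolicy) -> float:
    """Seconds needed to try every PIN; inf if the policy never lets the search finish.

    The last attempt is the successful one, so only the preceding failures
    can trigger locks, one per block of ``lock_after`` failures.
    """
    if attempt_seconds <= 0:
        raise ValueError("attempt_seconds must be positive")
    base = MAX_PIN_ATTEMPTS * attempt_seconds
    if policy.lock_after is None or policy.lock_after <= 0:
        return base
    locks = (MAX_PIN_ATTEMPTS - 1) // policy.lock_after
    return base + locks * policy.lock_seconds


def attempts_per_day(attempt_seconds: float, policy: LockoutPolicy) -> float:
    """Approximate number of PINs an attacker can test in 24 hours under this policy."""
    if policy.lock_after is None or policy.lock_after <= 0:
        return min(MAX_PIN_ATTEMPTS, SECONDS_PER_DAY / attempt_seconds)
    if math.isinf(policy.lock_seconds):
        return float(policy.lock_after)   # one batch, then locked for good
    # One cycle is lock_after attempts followed by one lock period.
    cycle = policy.lock_after * attempt_seconds + policy.lock_seconds
    return min(MAX_PIN_ATTEMPTS, SECONDS_PER_DAY / cycle * policy.lock_after)


# Constructed policies; the per-attempt time used below is an assumption, not a measurement.
POLICIES = [
    LockoutPolicy("no lockout", None),
    LockoutPolicy("60 s lock after 3 failures", 3, 60),
    LockoutPolicy("locked until admin reset after 3 failures", 3, math.inf),
]

if __name__ == "__main__":
    attempt = 1.5  # assumed seconds per PIN attempt
    for p in POLICIES:
        total = worst_case_seconds(attempt, p)
        hours = "never completes" if math.isinf(total) else f"{total / 3600:.1f} h"
        print(f"{p.name:45s} worst case: {hours:15s} attempts/day: {attempts_per_day(attempt, p):.0f}")
```

With the assumed 1.5 s per attempt, no lockout exhausts the space in under five hours, a 60-second lock after three failures pushes the worst case to roughly 66 hours but still lets the attacker test about 4,000 PINs a day, and only the indefinite lock (or disabling WPS) takes the attack off the table.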



Pwnie Express’s “Pwn Pulse” SaaS Security Assessment Solution Gets Top Scores in Rigorous Security Audit

TrustedSec Tests First-of-Its-Kind Enterprise Remote Location Intelligence Platform

Boston, MA, October 21, 2014 – Pwnie Express today announced that its new Pwn Pulse software as a service (SaaS) solution scored top marks in a comprehensive security audit performed by leading security-consulting firm TrustedSec, LLC. An end-to-end security assessment solution designed specifically for hard-to-reach distributed remote sites, Pwn Pulse delivers real-time wired and wireless asset discovery, continuous vulnerability scanning, pentesting, risk trending and alerting. The enterprise-class offering uses Pwnie Express’s easy-to-deploy sensors combined with central management to provide highly scalable continuous intelligence across remote locations.

“We were very impressed with how Pwn Pulse compared to the security of most other SaaS platforms,” said Dave Kennedy, President and CEO of TrustedSec. “Pwnie Express is clearly paving the way to a new baseline security profile for SaaS.”

Enterprises across verticals have lauded Pwnie Express’s new Pwn Pulse software as a service (SaaS) solution, calling it “groundbreaking” for its ability to easily provide visibility across their remote locations. “Pwn Pulse allows us to have true policies in regards to our networks and computers and a true way to test them,” said Eric Gilbert, Manager of IT Operations for Black, Mann & Gramm, L.L.P, who took part in the Beta program. “It gives us the ability to not only have the policies on hardening our hardware but also a way to verify that it’s where it’s supposed to be.”

Pwnie Express CTO and Founder Dave Porcello welcomed the TrustedSec audit, remarking: “We are thrilled that Pwn Pulse performed so well after being pummeled by some of the top web application security pentesters in the industry. The fact that we scored so impressively with zero critical or high priority vulnerabilities validates our commitment to delivering a best-of-breed differentiated remote security assessment solution.”

Pwnie Express’s new SaaS solution completes the entire enterprise security assessment lifecycle. The solution delivers a robust centralized management console. It also easily and seamlessly integrates with existing security information and event management (SIEM) products. Product benefits include:

  • Provides a cost-effective lightweight, non-intrusive and easy-to-deploy solution for remote locations
  • Delivers the most comprehensive asset discovery to remote sites
  • Extends vulnerability management to remote sites
  • Enables subsequent on-demand penetration testing to remote sites
  • Allows for easy anywhere multi-site deployment
  • Increases frequency and scope of remote site assessment
  • Expands awareness of wired, wireless, BYOD and rogue devices across all sites
  • Addresses PCI DSS and HIPAA compliance requirements at remote sites
  • Reduces travel and operational overhead required to do security testing

Availability: Pwn Pulse is generally available. For more information please contact: sales@pwnieexpress.com, (855) 793-1337

10 Reasons Why Pwn Pulse Will Save You Time and Money

1. Real Time Wired, Wireless, and Bluetooth Asset Discovery

Pwn Pulse allows you to automatically discover both wired and wireless assets and helps security professionals locate rogue devices and create a comprehensive list of network devices and exceptions that may be noncompliant or harmful. Pulse detects wireless and Bluetooth devices, unlike software-agent-based solutions, so Pwn Pulse can let you actually “see all the things”.

2. Vulnerability Scanning and Validation

Pwn Pulse runs a custom vulnerability scanner on a schedule determined by the user and visually displays aggregate data and trends while allowing technical users to drill down into the details. So you can know what’s out there to get you.

3. Penetration testing

Users can run custom scripts and assessments remotely through Pwn Pulse to further test and validate security gaps revealed by routine vulnerability scans. It’s the classic Pwnie pentesting experience.

4. Analysis of security information across a distributed network

Analytics allow users to visualize trends across the company or within a remote location, including a comprehensive view of assets and vulnerabilities discovered by specific sensors or groups of sensors. Results are graphically displayed on an intuitive dashboard. Because big data has taught us that more information is better… (but only when it’s organized well)

5. Frictionless Plug and play deployment

Easy to deploy without the need to install and manage agents, Pwnie Express sensors are plug-and-play, so employees in remote locations simply plug the sensors into the network. Pwn Pulse is the perfect solution for a company without technical resources at its remote sites – my grandmother could plug in a Pwnie sensor!

6. Centrally managed, easy-to-use graphic interface

Security professionals can both see its output and control its capabilities remotely. Pwn Pulse is designed to be integrated with Security Information and Event Management (SIEM) software, but even without SIEM software Pwn Pulse is the aesthetically pleasing way to assess security – anybody can see how beautifully secure your remote sites are.

7. Safe and Secure – even Dave Kennedy of TrustedSec thinks so!

Sensors are pre-configured to only communicate with their central management server, all communications and databases are encrypted, and all services are segmented to provide the highest level of defense. Because a security tool should be secure.

8. Customers love it!

You’re not the first one to use it, and people seem to like it so far:

  • It’s a “solution that allowed me to do these scans more frequently and without having to be onsite.”
  • “It allows us to have true policies in regards to our networks and computers and a true way to test that. It gives us the ability to not only have the policies on hardening our hardware but also a way to verify that it’s where it’s supposed to be.”
  • “It solves the pressing problem of continuous and comprehensive assessment of remote locations.”

9. Enterprise Capable

Pwn Pulse is designed to be a highly scalable solution capable of supporting thousands of sensors at remote locations. Each sensor reports back to its central console and users can remotely control individual sensors for penetration testing. This Pwnie grows with you.

10. It can find that *rogue* printer in your office

All jokes aside, wirelessly-connected printers are a problem.


*If you really want to read the dry stuff, Pwnie Express has also released a press release on Pwn Pulse.*

(Fast) WEP Cracking on the Pwn Plug R3

It’s common knowledge that Wired Equivalent Privacy (WEP) is a completely broken form of WiFi security, but not everyone knows just how trivial it can be to defeat with a properly configured appliance such as the Pwn Plug R3. Not only is the R3 ready to go with the latest versions of all the required software, it’s also equipped with a high performance injection-capable wireless chipset and enough processing power to easily crunch the target network’s key.

Finding a Target

To start, we’ll put the R3’s internal WiFi radio into monitor mode, and see what networks are operating in the area. Running the following commands will set up the hardware and show a list of networks and their pertinent information:

airmon-ng start wlan0

airodump-ng mon0

You’ll be presented with a screen that will look something like this:

[Image: WEP Cracking (airodump-ng network listing)]

Here we can see we have a perfect target, a network named “linksys” on channel 6 which is running WEP encryption and has a nice strong signal.

Capturing Data

The next step is to use airodump-ng to capture data from the network, which we’ll eventually use to crack the WEP key. Simply plug the values discovered in the airodump-ng listing into a new airodump-ng capture command:

airodump-ng -c <CHANNEL> -w <LOGFILE> --bssid <AP MAC> mon0

So the command to start dumping data from our “linksys” network would be:

airodump-ng -c 6 -w linksys --bssid 00:23:69:48:33:95 mon0

The resulting display will show clients connected to the network, as well as how much data is actually moving through the air:

[Image: WEP 2 (airodump-ng capture in progress)]

Not much is happening on this network right now, but using packet injection, we’ll soon change that.

Note: Keep airodump-ng running in the background while performing the next steps.

Packet Injection

Circumventing WEP requires a large amount of encrypted data to be captured from the network so there’s enough information to crack the key. Under normal circumstances this would mean an attacker would need to wait around and capture data as it’s sent out by the network in the course of normal operation. The key to cracking WEP quickly is using packet injection to force the network to send more data out than it would normally.

The first step is to associate the R3 with the target network, which can be done with the following command:

aireplay-ng -1 0 -a 00:23:69:48:33:95 mon0

Which will give you the following output:

[Image: WEP 3 (aireplay-ng fake authentication output)]

This command will throw up a few lines, but the only important one you need to look for is the final one. If you get a little smiley face, you’re good to go.

Finally, we’ll use another aireplay-ng command to start flooding the network with data, which will be captured by the airodump-ng instance we’ve had running in the background since earlier.

aireplay-ng -3 -b 00:23:69:48:33:95 mon0

Keep an eye on the last line of aireplay-ng’s output to see the attack progressing.

[Image: WEP 4 (aireplay-ng ARP replay output)]

Cracking the Key

With data pouring into the Pwn Plug, there’s only one thing left: use aircrack-ng against the growing capture file to crack the WEP key. By running aircrack-ng against the capture file as it’s being filled by airodump-ng, the process will continue until the necessary amount of data is collected (which varies from network to network).

Simply give aircrack-ng the name of the log file you specified when running airodump-ng:

aircrack-ng linksys-01.cap

A few seconds later, you should see the cracked WEP key ready for use.

[Image: WEP 5 (aircrack-ng output)]

In practice, it will probably take longer to read the steps involved in cracking WEP than it does to actually recover the key. With the processing power and WiFi chipset in the Pwn Plug R3, going from target acquisition to recovered key can be done within a minute.
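From the defender’s side, the same capture tooling reveals both the weakness and the attack. The airodump-ng -w prefix used above also writes a prefix-01.csv file next to the .cap; the following Python script, an added example rather than Pwnie Express code, reads two constructed CSV snapshots taken ten seconds apart, flags any managed AP still running WEP, and raises an alert when an AP’s “# IV” counter climbs far faster than idle traffic explains, which is exactly what the ARP replay injection looks like from the outside. The 200 IV/s threshold, both snapshots and the managed-AP list are constructed for the example.

```python
"""Spot WEP use and replay-injection bursts in airodump-ng CSV output (added example)."""
from dataclasses import dataclass

# Two constructed snapshots, ten seconds apart, in the layout airodump-ng writes
# to <prefix>-01.csv. Only the AP table is used; the station table after the
# blank line is skipped. In the second snapshot the "linksys" IV counter has
# jumped by 8,000 in ten seconds, the signature of an ARP replay flood.
SNAPSHOT_T0 = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:23:69:48:33:95, 2014-10-01 10:00:00, 2014-10-01 10:05:00,  6,  54, WEP , WEP, OPN, -40,      300,     1250,   0.  0.  0.  0,   7, linksys,
AA:BB:CC:DD:EE:01, 2014-10-01 10:00:00, 2014-10-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,      290,        0,   0.  0.  0.  0,   8, CorpWiFi,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""
SNAPSHOT_T1 = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:23:69:48:33:95, 2014-10-01 10:00:00, 2014-10-01 10:05:10,  6,  54, WEP , WEP, OPN, -40,      310,     9250,   0.  0.  0.  0,   7, linksys,
AA:BB:CC:DD:EE:01, 2014-10-01 10:00:00, 2014-10-01 10:05:10, 11,  54, WPA2, CCMP, PSK, -55,      300,        0,   0.  0.  0.  0,   8, CorpWiFi,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""
SNAPSHOT_INTERVAL_SECONDS = 10

# Constructed inventory: APs your organization manages (the post's "linksys" is
# treated here as a legacy AP you own).
MANAGED_BSSIDS = {"00:23:69:48:33:95", "AA:BB:CC:DD:EE:01"}


@dataclass(frozen=True)
class ApRow:
    bssid: str
    channel: int
    privacy: str
    ivs: int
    essid: str


def parse_airodump_csv(text: str) -> dict[str, ApRow]:
    """Parse the AP table of an airodump-ng CSV into rows keyed by BSSID."""
    rows: dict[str, ApRow] = {}
    in_ap_table = False
    for line in text.splitlines():
        if line.startswith("BSSID,"):
            in_ap_table = True
            continue
        if not line.strip():
            in_ap_table = False    # a blank line ends the AP table
            continue
        if not in_ap_table:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 15:
            continue  # an ESSID containing a comma would need a quoting-aware parse; not handled here
        row = ApRow(bssid=fields[0].upper(), channel=int(fields[3]), privacy=fields[5],
                    ivs=int(fields[10]), essid=fields[13])
        rows[row.bssid] = row
    return rows


def iv_rate(before: dict[str, ApRow], after: dict[str, ApRow], bssid: str, elapsed: float) -> float:
    """Unique IVs per second observed for one AP between two snapshots."""
    if bssid not in before or bssid not in after:
        return 0.0
    return (after[bssid].ivs - before[bssid].ivs) / elapsed


def analyze(before, after, elapsed, managed, iv_rate_threshold=200.0) -> list[str]:
    """Return alerts: managed APs still on WEP, and APs whose IV rate suggests injection."""
    alerts = []
    for bssid, row in after.items():
        if bssid in managed and "WEP" in row.privacy.upper():
            alerts.append(f"WEP_IN_USE {bssid} {row.essid!r}: WEP is breakable in minutes; move it to WPA2")
        rate = iv_rate(before, after, bssid, elapsed)
        if rate > iv_rate_threshold:
            alerts.append(f"IV_BURST {bssid} {row.essid!r}: {rate:.0f} IV/s, consistent with packet injection")
    return alerts


if __name__ == "__main__":
    t0, t1 = parse_airodump_csv(SNAPSHOT_T0), parse_airodump_csv(SNAPSHOT_T1)
    for alert in analyze(t0, t1, SNAPSHOT_INTERVAL_SECONDS, MANAGED_BSSIDS):
        print(alert)
```

An idle WEP network produces a handful of new IVs per second; the replay step above drives that into the hundreds or thousands, so a sensor that diffs successive airodump-ng CSV files on a short interval sees the injection long before the key falls.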


Standard Reverse SSH

Next in our how-to series is a tutorial on how to set up a standard reverse SSH connection. In order to get past firewalls and communicate directly with a Pwn Pro sensor located at a remote site, a reverse SSH connection must be set up. This demonstration uses a Pwn Pro, though any Pwn Appliance or Pwn Plug will work. The video guides you through specifying the Kali Linux connection and setting up various types of reverse shells (standard, reverse over DNS, etc.). All you need to do is supply a DNS-resolvable name and a port number. The guide then continues to describe the different types of SSH and which may be most useful for your use case. The tutorial also explains how you can add a second SSH receiver. And be sure to watch the video! A contest featuring this video will be going up on our weekly promotions page soon.

Employees, Education, and Social Engineering

In conversations with CISOs and others in charge of security, the Pwnies keep hearing the same thing: employees are usually the weakest link.

When people think of hackers, the stereotype is still of some guy in a basement, silently, remotely, and independently accessing the world around them. Of course this is sometimes true, but it ignores the simple fact that sometimes the easiest way to get into a system is to walk right through the front door, often quite literally.

Lately this threat has become even more visible: many of the recent large breaches used social engineering as the initial attack vector. The now infamous Target and RSA breaches started with targeted phishing emails. A demonstration of social engineering’s effectiveness against even established companies happens every year at DEF CON’s Social Engineering Capture the Flag contest, a competition sponsored by SocialEngineer.org to see how many “flags,” or useful pieces of information, employees at these companies will disclose. 2014’s theme was “retail”, and most of the organizations tested failed with flying colors.

The most effective security audits take this into account, and use social engineering to test the security of the organization – calling for passwords, looking for devices left lying around, and plugging in things that shouldn’t have even been let through the door. Both adversaries and auditors use social engineering to do this, and employees usually don’t know what’s hit them – without knowing how people might take advantage of them, they’ve been left unequipped for the breach.

These problems may be obvious to security professionals, but it can be considerably more difficult to drive the problem home with everyone else – those who feel that security is taken care of through compliance, or that all cyber attacks are divorced from the physical world. Recalling last week’s post “Scare the CEO,” a crucial part of any effective security plan is education. The most effective form of education is hands-on. So, show your employees and colleagues what social engineering is… as they say, it “takes one to know one”.

As an example of what can go wrong, Pwnie Express has a video called “Don’t Get Pwned,” showing what it would look like for a pentester to breach an office by exploiting common vulnerabilities.

Check out Social Engineer.org for more.