Sunday, March 11, 2012

More Mayhem with Pwn Plug

In my last post regarding Pwn Plug I discussed the features available to those of you who build your own with a Sheevaplug and Pwn Plug Community Edition.
Here I'll give you an overview of some of the additional pwntastic upside you'll benefit from should you choose to buy Pwn Plug Wireless, 3G, or Elite. Wireless will get you an external 1000mW USB ALFA, 3G offers an O2 E160, and an Elite includes a 16GB SDHC card for extra storage (along with all the goodies you get with Wireless & 3G). All commercial versions include support and the Plug UI, which makes setup insanely simple. I configured the Pwn Plug I tested for 802.11 evil with the ALFA as seen in Figure 1.

Figure 1: Pwn Plug Wireless
In the Pwn Plug UI (HTTPS over port 8443 by default) I clicked Basic Setup, then Evil AP Config. Figure 2 shows the AMIEVIL SSID coming to life.

Figure 2: Am I evil?
This is a GUI configuration method for airbase-ng, specifically airbase-ng -P -C 30 -c 3 -e AMIEVIL -v mon0.
Then all you need to do is follow with Karmetasploit via ./msfconsole -r karma.rc and you're off. "Karmetasploit is a great function within Metasploit, allowing you to fake access points, capture passwords, harvest data, and conduct browser attacks against clients."
In addition to all the MSF3 functionality you'd expect, you can also utilize David Kennedy's Fast-Track. I ran ./fast-track.py -i, selected 6. Exploits, then 7. mIRC 6.34 Remote Buffer Overflow Exploit. Figure 3 shows my Windows XP SP3 victim coming aboard for pwnzor.

Figure 3: mIRC pwn


With your Pwn Plug firmly established on your target network, your recon options are also endless with an 802.11 interface enabled. Figure 4 shows Kismet happily enumerating from the Pwn Plug.

Figure 4: Kismet
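The flip side of the evil AP and Kismet enumeration above is spotting that kind of access point on your own air. The following is an added example, not code from the original post or from Pwnie Express: it triages a list of observed beacons against an allowlist of corporate SSIDs and their authorised BSSIDs, flagging an unapproved SSID (like AMIEVIL), an evil twin (a known SSID announced by a BSSID that isn't yours), and a single BSSID announcing many SSIDs, which is what an AP that answers every probe request looks like. The record shape, allowlist and MAC addresses are constructed for illustration and are not a real Kismet export format.

```python
"""Rogue-AP triage over constructed 802.11 beacon observations.

Added example; not from the original post and not Pwnie Express code.
The observations below are constructed and do not reproduce Kismet's
real output format. The allowlist maps each approved SSID to the set of
BSSIDs permitted to announce it.
"""
from collections import defaultdict

# Constructed allowlist: SSID -> authorised BSSIDs (hypothetical values).
ALLOWLIST = {
    "CORP-WIFI": {"02:00:00:00:aa:01", "02:00:00:00:aa:02"},
    "CORP-GUEST": {"02:00:00:00:aa:03"},
}

# Constructed observations as (bssid, ssid, channel). The last three records
# model one rogue radio: an unapproved SSID like the one in the post, an evil
# twin of a corporate SSID, and a third SSID from the same BSSID.
OBSERVATIONS = [
    ("02:00:00:00:aa:01", "CORP-WIFI", 1),
    ("02:00:00:00:aa:02", "CORP-WIFI", 6),
    ("02:00:00:00:aa:03", "CORP-GUEST", 11),
    ("02:00:00:00:ee:01", "AMIEVIL", 3),
    ("02:00:00:00:ee:01", "CORP-WIFI", 3),
    ("02:00:00:00:ee:01", "linksys", 3),
]


def find_rogue_aps(observations, allowlist, karma_threshold=3):
    """Return a list of (bssid, ssid, reason) findings.

    Three conditions are flagged: an SSID absent from the allowlist, a known
    SSID announced by a BSSID not authorised for it (evil twin), and a single
    BSSID announcing at least karma_threshold distinct SSIDs, which is typical
    of an AP that answers every probe request it hears.
    """
    findings = []
    ssids_per_bssid = defaultdict(set)
    for bssid, ssid, channel in observations:
        ssids_per_bssid[bssid].add(ssid)
        if ssid not in allowlist:
            findings.append((bssid, ssid, f"unapproved SSID on channel {channel}"))
        elif bssid not in allowlist[ssid]:
            findings.append(
                (bssid, ssid, f"evil twin: unauthorised BSSID on channel {channel}")
            )
    # Second pass: a radio beaconing many SSIDs is a probe-response responder.
    for bssid, ssids in ssids_per_bssid.items():
        if len(ssids) >= karma_threshold:
            findings.append((bssid, "*", f"single BSSID announcing {len(ssids)} SSIDs"))
    return findings


if __name__ == "__main__":
    for bssid, ssid, reason in find_rogue_aps(OBSERVATIONS, ALLOWLIST):
        print(f"{bssid}  {ssid:<12} {reason}")
```

Feed it whatever your wireless scanner exports once you have mapped the records to (bssid, ssid, channel); the allowlist is the piece that has to come from your own inventory, and the karma threshold is a tunable, not a standard.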
So much fun, so little time. For those of you with penetration testing duties that include social engineering and red teaming tactics, I strongly suggest you explore the Pwnie Express site for yourself and the Pwn Plug options and features. You will not be disappointed.


