Penetration Testing – Innovative Product – RSA 2012
February 28, 2012 - San Francisco, CA - At the RSA 2012 show there were a fair number of folks walking around showing how to get into systems, alongside the folks showing how well they keep them out. To help manage this constant battle, a small company in Vermont built a cool, compact unit for penetration testing in networks. The Pwn Plug by Pwnie Express is available in three models - Wireless, 3G and Elite.
The unit, which is the size of a standard wall-wart power adapter, operates on either 110 V or 240 V, draws only 2.3 W of power, and is the first commercial, fully loaded penetration-testing drop box on the market. The unit provides hidden, encrypted access over Ethernet, wireless and 3G/GSM, with close to 40 pen-testing programs pre-loaded along with Perl and Python on an ARM-based miniserver.
The new version of the unit includes fully automated NAC/802.1x/RADIUS bypass along with a secure tunnel to the network so that the device is not detected. The device is controlled through a web-based interface called "Plug UI" for setup and reporting. This UI and all of the pre-loaded tools are also available on a Nokia N900-based phone called the Pwn Phone. This lets you receive all the results of the pen testing in real time over a cellular network, so the results never pass through the network being tested. Some of the screens accessible from the phone are shown on their site.
The product is available now for approximately US$500 and is a simple-to-use, compact tool for testing the security of a network. This makes the device a strong asset in an IT manager's toolbox, and it can also be used by sales staff/AEs at companies selling security solutions to help demonstrate problems at a customer site. The product's connectivity and its method of bypassing network access control are described below.
Note: The six-step sequence is a direct quote from the Pwnie Express web site describing how their technology works.
“How does it work?
1. First, the Pwn Plug is placed in-line between an 802.1x-enabled client PC and a wall jack or switch.
2. Using a modified layer 2 bridging module, the Pwn Plug transparently passes the 802.1x EAPOL authentication packets between the client PC and the switch.
3. Once the 802.1x authentication completes, the switch grants connectivity to the network.
4. The first outbound port 80 packet to leave the client PC provides the Pwn Plug with the PC’s MAC/IP address and default gateway.
5. To avoid tripping the switch’s port security, the Pwn Plug then establishes a reverse SSH connection using the MAC and IP address of the already authenticated client PC.
6. Once connected to the plug’s SSH console, you will have access to any internal subnets accessible by the client PC. As an added bonus, connections to other systems within the client PC’s local subnet will actually appear to source from the subnet’s local gateway!”
The product brings new levels of testability to those who build and support networks. The challenge for IT personnel is the use of such a tool by third parties to run undetected penetration tests on their site and then use the results for malicious purposes.
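One way a defender can look for the behaviour in step 5 of the quoted sequence, as an added example that is not part of the original article or of Pwnie Express's software: it assumes per-port flow records that carry the source MAC, IP and observed TTL, and relies on the heuristic (not a guarantee) that a second device reusing the client's MAC/IP still has its own IP stack and therefore its own initial TTL.

```python
"""Flag one authenticated MAC/IP behind a switch port that is backed by two IP stacks.

Added example for this article, not code from the original page or from
Pwnie Express. Assumption: when an in-line device reuses an already
authenticated client's MAC and IP address (step 5 of the quoted sequence),
its own TCP/IP stack still sets its own initial IP TTL, so one identity
shows up with two distinct initial TTLs. The flow records are constructed.
"""
from collections import defaultdict

# Constructed sample flow records captured at the access switch:
# (switch_port, src_mac, src_ip, observed_ttl, dst_ip, dst_port)
FLOWS = [
    ("Gi1/0/7", "00:11:22:33:44:55", "10.1.5.23", 127, "10.1.9.10", 80),
    ("Gi1/0/7", "00:11:22:33:44:55", "10.1.5.23", 127, "10.1.9.10", 443),
    ("Gi1/0/7", "00:11:22:33:44:55", "10.1.5.23", 63, "203.0.113.8", 22),
    ("Gi1/0/8", "00:aa:bb:cc:dd:ee", "10.1.5.40", 127, "10.1.9.10", 80),
]

# Initial TTLs used by common operating systems; an observed TTL is rounded
# up to the nearest one so that hop count does not hide the difference.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def initial_ttl(observed):
    """Map an observed TTL back to the smallest common initial TTL >= it."""
    return next(t for t in COMMON_INITIAL_TTLS if observed <= t)


def find_split_identities(flows):
    """Return (port, mac, ip) keys whose traffic shows more than one initial TTL."""
    ttls = defaultdict(set)
    for port, mac, ip, ttl, _dst, _dport in flows:
        ttls[(port, mac, ip)].add(initial_ttl(ttl))
    return sorted(key for key, seen in ttls.items() if len(seen) > 1)


def outbound_ssh_from_split(flows):
    """Return port-22 flows sourced by a split identity (the reverse-SSH case)."""
    split = set(find_split_identities(flows))
    return [f for f in flows if (f[0], f[1], f[2]) in split and f[5] == 22]


if __name__ == "__main__":
    for key in find_split_identities(FLOWS):
        print("two stacks behind one authenticated identity:", key)
    for flow in outbound_ssh_from_split(FLOWS):
        print("outbound SSH from split identity:", flow)
```

A single port that never shows a second TTL will not be flagged, so this check complements rather than replaces port-security and 802.1x session accounting on the switch.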