Friday, September 7, 2012

Pwn Plug Elite Action Shots

We've been able to use the Pwn Plug on a few LARES Red Team tests.

We've mostly utilized the 3G out-of-band functionality, which allows us to more easily bridge that gap between physical and electronic attack. Either way, it's been great and definitely a value add for us.

Pwn Plug Elite gives you several methods to egress a network

:: All Pwn Plugs include aggressive reverse tunneling capabilities for persistent remote SSH access.
:: All tunnels are encrypted via SSH and will maintain access wherever the plug has an Internet connection.
:: The following covert tunneling options are available for traversing strict firewall rules & application-aware IPS:
  • SSH over any TCP port
  • SSH over HTTP requests (appears as standard HTTP traffic)
  • SSH over SSL (appears as HTTPS)
  • SSH over DNS queries (appears as DNS traffic)
  • SSH over ICMP (appears as outbound pings)
  • SSH Egress Buster (top 10 common egress ports)
  • Out-of-band SSH over 3G/GSM cellular (Elite models)
Yak yak, let's see some action shots!

First some shots of the web interface to set up the various tunnels (taken from the web site)

It's pretty straightforward, and the documentation the Pwnie Express guys provide will get you up and running with whatever tunnel method you choose.

OK, now action shots.

Pwn Plug hanging out in an empty cube hooked up to the network

With the 3G stick plugged in. Sorry, kinda blurry, couldn't go back and take another ;-/

Final placement behind some boxes where it hung out for a few days.

Other useful reading/resources

1 comment:

savant said...

Great action shots. I've been using T-Mobile's Pay by the Day plan. $2 a day for EDGE or $3 for 4G, perfect for consulting without buying a whole month at a time. EDGE is too slow for exfil but more than enough to configure another channel. SMS-to-bash works well too.