The Pwnie Express (PwnPlug) is a great little tool for hackers, pentesters and social engineers alike. While I don’t advocate the use of a Pwnie for illicit purposes, I was intrigued about using it as an untraceable tap into a network. Out of the box the Pwnie allows you to configure reverse SSH connections, exfiltrated over a number of different protocols including HTTP, SSL, ICMP and DNS.
While these are great for getting out of controlled networks, they all require the Pwnie to be configured with the IP address of your SSH server, which could potentially be traced back to you. It also requires your SSH server to be able to directly receive connections at the IP/hostname configured on the Pwnie. While one could run an SSH server on a proxy box somewhere, I felt that was too primitive, so I installed Tor on my Pwnie and configured a Tor Hidden Service on my SSH server.
Note: For the purposes of this tutorial, the SSH server will be running on BackTrack 5. I’m assuming you’ve already performed the initial Pwnie Express setup steps on the server! Check out my PwnieScripts to help speed up and automate the Pwnie setup.
These instructions do not yet work on Pwn Plug software >= 1.1 as they’ve changed the layout of things! Will update this post when I get the time.
The Pwnie Express (PwnPlug) is a purpose-built penetration testing device in a plug form factor. A key feature is its ability to exfiltrate from a network and connect back to your SSH server using HTTP, SSL, ICMP or DNS tunnels. Check out my tutorial on how to hack your Pwnie to make untraceable reverse SSH connections over Tor.
There are a number of steps required to set up the computer on which the Pwnie’s reverse SSH connections will be received (setting up the listeners). To simplify and automate this process, I’ve put them together into a set of very simple bash scripts. I’m hoping to turn two of these into a proper init.d script, but haven’t yet had the time. The PwnieScripts set contains the following five bash scripts, and are designed to be used on BackTrack 5 (although they can easily be adapted to work on any other distro):
- pwnsetup.sh: Automates the Pwnie Express setup process by enabling SSHD, generating SSH keys, creating a ‘pwnplug’ user, installing HTTPTunnel, generating an SSL certificate, configuring stunnel, and configuring DNS2TCP.
- pwnstart.sh: Kills any existing listeners, and then starts SSHD as well as new HTTPTunnel, stunnel (SSL tunnel), DNS2TCP (DNS tunnel) and ptunnel (ICMP tunnel) listeners.
- pwnwatch.sh: One-line script to monitor netstat for incoming connections from Pwnie Express.
- pwnconnect.sh: aka. the Lazy Script – initiates an SSH connection to the first available established connection from Pwnie Express, so you don’t have to check which ones are active. It’ll use the more secure/relible ones first (SSL, HTTP) where available. Use the -t flag to only connect over Tor.
- pwnstop.sh: Kills all existing HTTPTunnel, stunnel, DNS2TCP and ptunnel listener processses.
Download PwnieScripts (tgz 4kb)
v0.1: Initial release.
BackTrack 5 – codenamed “Revolution” – is currently under development, and the team is working on updating both system and tools. At the moment it’s running a 2.6.38-rc5 kernel, improved wireless drivers, and a new KDE 4 theme is being put together.
An initial release won’t be available for at least a couple months. If you have any requests or recommendations, now’s the time to make them on the BackTrack forums.
Here are a few teaser screenshots of BT5.
[Updated 10/5/2011] BackTrack 5 is out!
In a post to the OpenBSD mailing list, developer Theo de Raadt reveals an email from an ex-contributor (Gregory Perry) alleging that money was accepted from the FBI around 2000-2001, in return for implementing a backdoor into the IPSec stack. Such a backdoor would give the FBI the ability to eavesdrop on any IPSec connection made using OpenBSD, or any other projects that have since made use of its IPSec code.
Clearly this would be a big deal if true, and although we know that open source projects are regularly backdoored by rogue developers or ‘hackers’ (such as the recent ProFTPd backdoor), it is not often that we hear of governments inserting some themselves. Should we be surprised? After all it is known that the NSA was involved with the development of DES by altering the algorithm’s S-Boxes and suggesting a shorter key length. There are also rumors of a covert backdoor in several versions of the Windows OS. That said, many people are smelling a troll in this case.
Following this information (can we call it a leak rumor?), OpenBSD’s IPSec code will undoubtedly come under quite a bit of scrutiny, and I’m sure we will hear a lot more about it should anything untoward be uncovered.
Read the full mailing list post here, archived below for posterity.
[Update] Scott Lowe denies being affiliated with the FBI, and Jason Wright denies having inserted a backdoor. This is sounding more and more like a trolling. To what end, I couldn’t speculate. It’s also worth noting that this kind of activity would probably not fall under a normal NDA, but under a government-level Top Secret classification which lasts at least 25 years…