We've been able to use the Pwn Plug on a few LARES Red Team tests.
We've mostly utilized the 3G out-of-band functionality; this allows us to more easily bridge that gap between physical and electronic attack. Either way, it's been great and definitely a value add for us.
Pwn Plug Elite gives you several methods to egress a network
http://pwnieexpress.com/pages/remote-access
First some shots of the web interface to set up the various tunnels (taken from the web site)
It's pretty straightforward, and the documentation the Pwnie Express guys provide will get you up and running with whatever tunnel method you choose.
OK, now action shots.
Pwn Plug hanging out in an empty cube hooked up to the network
With the 3G stick plugged in. Sorry, kinda blurry; couldn't go back and take another ;-/
Final placement behind some boxes where it hung out for a few days.
Other useful reading/resources
http://pwnieexpress.com/blogs/news/6156894-using-at-t-dataconnect-sim-cards-with-pwn-plug-elite
http://pwnieexpress.com/blogs/news/6156896-using-t-mobile-4g-pay-by-the-day-with-pwn-plug-elite
http://www.securitygeneration.com/security/pwn-plug-command-execution-using-usb-sticks/
http://www.securitygeneration.com/security/reverse-ssh-over-tor-on-the-pwnie-express/
http://www.securitygeneration.com/security/pwniescripts-for-pwnie-express/
The tunneling options, as listed on the Pwnie Express remote access page (http://pwnieexpress.com/pages/remote-access):
:: All Pwn Plugs include aggressive reverse tunneling capabilities for persistent remote SSH access.
:: All tunnels are encrypted via SSH and will maintain access wherever the plug has an Internet connection.
:: The following covert tunneling options are available for traversing strict firewall rules & application-aware IPS:
- SSH over any TCP port
- SSH over HTTP requests (appears as standard HTTP traffic)
- SSH over SSL (appears as HTTPS)
- SSH over DNS queries (appears as DNS traffic)
- SSH over ICMP (appears as outbound pings)
- SSH Egress Buster (top 10 common egress ports)
- Out-of-band SSH over 3G/GSM cellular (Elite models)
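A defender's view of the list above, as an added example that is not from the original post or from Pwnie Express: a few heuristics that map the listed egress methods to something visible in flow or DNS logs. The record schema, the thresholds and the sample flows are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

def entropy(s):
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def classify(flow):
    """Return heuristic findings for one flow record (hypothetical dict schema)."""
    out = []
    proto, payload = flow["proto"], flow.get("payload", b"")
    # SSH identification string (RFC 4253) seen on a port other than 22.
    if proto == "tcp" and payload.startswith(b"SSH-") and flow["dport"] != 22:
        out.append("ssh-banner-on-nonstandard-port")
    # HTTP/TLS-wrapped tunnels hide the banner; session length still stands out.
    if proto == "tcp" and flow.get("duration_s", 0) > 8 * 3600:  # assumed threshold
        out.append("long-lived-session")
    if proto == "dns":
        label = flow["qname"].split(".")[0]
        if len(label) >= 30 and entropy(label) > 3.5:  # assumed thresholds
            out.append("dns-tunnel-suspect")
    if proto == "icmp" and len(payload) > 64:  # default ping payloads: 32 or 56 bytes
        out.append("icmp-oversized-echo")
    return out

def egress_sweeps(flows, min_ports=5):
    """(src, dst) pairs where one source tried many TCP ports on one destination."""
    ports = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp":
            ports[(f["src"], f["dst"])].add(f["dport"])
    return sorted(k for k, v in ports.items() if len(v) >= min_ports)

# Constructed sample records, not captured traffic (RFC 5737 documentation addresses).
FLOWS = [
    {"proto": "tcp", "src": "192.0.2.10", "dst": "203.0.113.5", "dport": p}
    for p in (21, 25, 53, 80, 110)
] + [
    {"proto": "tcp", "src": "192.0.2.10", "dst": "203.0.113.5", "dport": 443,
     "payload": b"SSH-2.0-OpenSSH_5.5\r\n"},
    {"proto": "tcp", "src": "192.0.2.22", "dst": "198.51.100.7", "dport": 443, "duration_s": 90000},
    {"proto": "dns", "src": "192.0.2.10", "qname": "mzxw6ytboi4tqmrqgezdgnbvgy3tqojq.t.example.com"},
    {"proto": "dns", "src": "192.0.2.30", "qname": "www.example.com"},
    {"proto": "icmp", "src": "192.0.2.10", "dst": "203.0.113.5", "payload": b"A" * 200},
    {"proto": "icmp", "src": "192.0.2.30", "dst": "203.0.113.5", "payload": b"a" * 56},
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f["proto"], f.get("dport", "-"), classify(f))
    print("sweeps:", egress_sweeps(FLOWS))
```

The out-of-band 3G/GSM path never touches the monitored network, so none of these checks can see it.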