Pwnie Express has opened pre-orders on a Linux-based penetration testing device that supports 4G out-of-band SSH access. The Pwn Plug R2 runs the Kali Linux-based Pwnix distribution on a 1.2GHz Marvell Armada 370 SoC, and offers dual gigabit Ethernet ports, high-gain WiFi and Bluetooth, and a variety of one-click pen-testing tricks, like running the device as an Evil AP.
Pwnie Express sells a number of devices for penetration testing — probing an organization’s security capabilities with a covert snooping device that simulates attacks. The new Pwn Plug R2 is larger, but $100 cheaper than the $995 Pwn Plug Elite. It also adds a second gigabit Ethernet port and a second USB port, as well as an eight-inch antenna.
Pwnie Express Pwn Plug R2
The Pwn Plug R2 also runs a new version of Linux. Instead of the previous Debian build, it uses a new Pwnix distribution based on Kali Linux, Offensive Security’s Debian-derived pen-testing distribution. According to an Ars Technica interview with Dave Porcello, CEO of Pwnie Express, at the Black Hat security conference in Las Vegas, Kali Linux is a dramatic improvement over Offensive Security’s previous BackTrack Linux pen-testing distro.
Pwn Plug R2 tools screenshots
The 5.2 x 3.7 x 0.8-inch Pwn Plug R2 is designed as a “drop box” device that can be sent through the mail, installed quickly and unobtrusively by a novice, and then remotely monitored by a security professional. The device supports pen-testing features like automated bypass of NAC (network access control), 802.1x WiFi, and Cisco RADIUS devices, and the ability to tunnel through firewalls. “One-click” pen-testing techniques are available, including establishing the device as an “Evil AP,” as well as implementing stealth mode and passive recon monitoring. The device is claimed to be “unpingable” in stealth mode, and offers no listening ports.
Marvell Armada 370 block diagram
The Pwn Plug R2 runs Pwnix on a Marvell Armada 370, a homegrown ARMv7 SoC design clocked to 1.2GHz that falls between the 1GHz Armada 300 and the 1GHz Cortex-A9-based, dual-core Armada 375. The device ships with 1GB of DDR3 RAM and a 32GB microSD card, and is further equipped with dual gigabit Ethernet ports, dual USB 2.0 ports, and a serial console.
The WiFi and Bluetooth radios are said to be “high gain,” and both seem to make use of the supplied eight-inch antenna. No range claims were provided for WiFi, but the Bluetooth radio can reach a whopping 1,000 feet. According to the Ars Technica story, the Bluetooth adapter can even listen in on mobile Bluetooth communication at distances of up to 3,000 feet if customers add an optional 12-inch 9dBi omnidirectional antenna.
The device also offers an unlocked SIM slot supporting 4G/GSM cards from AT&T, T-Mobile, Vodafone, Orange, and GSM carriers in over 160 countries, according to Pwnie Express. The 4G network is said to be used for out-of-band SSH access.
Optional support is provided for other wireless technologies including ZigBee/Z-Wave, RFID, and software-defined radios. According to Ars Technica, a modified version of the open source HackRF SDR device is available as an add-on, although it does not appear in the datasheet.
Specifications listed for the Pwn Plug R2 include:
- Processor — 1.2GHz Armada 370 (ARMv7)
- Memory — 1GB DDR3
- Memory expansion — microSD slot with 32GB card
- 4G/GSM adapter for AT&T, T-Mobile, Vodafone, Orange, and other GSM carriers
- High-gain 802.11b/g/n
- 8-inch external antenna
- External high-gain Bluetooth adapter with 1000-foot range
- Packet injection & monitor mode for WiFi and Bluetooth
- Optional Zigbee/Zwave, RFID, and Software-Defined Radio (SDR)
- Networking — 2x gigabit Ethernet
- Other I/O: 2x USB 3.0; serial console
- Firmware/security features:
  - Automated NAC/802.1x/RADIUS bypass
  - Simple web-based administration with “Pwnix UI”
  - One-click Evil AP, stealth mode, & passive recon
  - Out-of-band SSH access over 4G/GSM cell networks
  - Maintains persistent, covert, encrypted SSH access to target network
  - Tunnels through application-aware firewalls & IPS
  - “Unpingable” stealth mode with no listening ports
  - Supports HTTP proxies, SSH-VPN, & OpenVPN
  - OSS-based pentesting toolkit with Metasploit, SET, Kismet, Aircrack-NG, SSLstrip, nmap, Hydra, w3af, Scapy, Ettercap, Bluetooth/VoIP/IPv6 tools, etc.
- Power — 110-240v (adapters available); consumption 5W idle, 15W max.
- Dimensions — 5.2 x 3.7 x 0.8 inches
- Operating system — Pwnix Linux (custom version of Debian-based Kali Linux)
The Pwn Plug R2 is available for pre-order at $895, and will ship Aug. 21. More information and pre-orders are available at the Pwn Plug R2 product page.