When Charlos dropped a GSM-ready drop box into Paul Meyer’s flat in “Stealing the Network: How to Own a Continent” (Syngress, 2004), I remember sitting up wide-eyed thinking, “I want that”.
In 2004, this was fringe tech; doable, but attainable only by an elite few. With the pervasiveness of 3G coverage and ever-shrinking micro hardware, you would think this would be a commodity pentesting tool by now.
Seriously, it’s 2011. Where’s my creeper box?
Well, until recently the Small Form Factor market has missed the creeper hardware sweet spot. Most embedded Linux devices are too slow to run commodity Linux distros, and the pricier x86-based micro-appliances aren’t exactly designed for stealth applications.
Enter the Pwn Plug. Built on the Marvell Sheevaplug, it’s small enough (4.3 x 2.7 x 1.9 inches), quick enough at 1.2 GHz, and supports Debian, Fedora, FreeBSD, and OpenWRT ARM distributions. And perhaps most importantly… it doesn’t look like a computer!
The stealth factor:
Stashed under a desk, behind a printer, or in a conference room, this fanless creeper can pass for an AC adapter, air freshener, surge protector, thermostat, etc. For wireless pentests, any power outlet in range will do.
Let’s not rule out drop ceilings! Idling at 3 watts, the plug can run for days or weeks off a UPS, custom battery pack, or solar panel (yes, this has been done!).
On the Ethernet side, drop the plug into “stealth mode” (no listening ports or ping replies) and use the 3G/GSM model for an entirely out-of-band backdoor!
The persistent backdoor:
The plug includes an aggressive “egress buster” script for remote SSH access wherever the plug has Internet connectivity – including wired, wireless, and 3G/GSM. By default, the plug will attempt a reverse shell every minute through several covert channels:
- SSH over 3G/GSM. The stealthiest option; no backdoor traffic touches the target LAN!
- SSH over HTTP requests with proxy support (appears as standard HTTP traffic)
- SSH over SSL (appears as HTTPS)
- SSH over DNS queries (appears as DNS traffic)
- SSH over ICMP (appears as outbound pings)
For added Ninjutsu, the plug can be configured to send an SMS text message to your phone when a remote shell is established.
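A defender's view of the one-minute callback described above, as an added example that is not part of the original post or the Pwn Plug's own code: it flags internal hosts whose outbound flows recur at a near-constant 60-second interval. The flow tuple format, the addresses and the thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median, pstdev


def sample_flows():
    """Constructed flow records: (epoch seconds, source, destination, protocol)."""
    flows = []
    for i in range(10):  # steady one-minute callback with a little jitter
        flows.append((1000 + 60 * i + (i % 3), "10.0.5.77", "203.0.113.10", "icmp"))
    for t in (1003, 1019, 1100, 1340, 1342, 1500, 1511):  # bursty browsing
        flows.append((t, "10.0.5.20", "198.51.100.8", "https"))
    for t in (1000, 1060, 1120):  # periodic, but too few events to judge
        flows.append((t, "10.0.5.31", "192.0.2.53", "dns"))
    return flows


def find_beacons(flows, period=60.0, tolerance=5.0, max_jitter=0.1, min_events=6):
    """Return (src, dst, proto, median_gap) for flows repeating every ~period seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, proto in flows:
        by_pair[(src, dst, proto)].append(ts)

    hits = []
    for (src, dst, proto), times in sorted(by_pair.items()):
        if len(times) < min_events:
            continue  # not enough samples for a stable interval estimate
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mid = median(gaps)
        # Coefficient of variation: machine timers are far steadier than people.
        jitter = pstdev(gaps) / mid if mid else float("inf")
        if abs(mid - period) <= tolerance and jitter <= max_jitter:
            hits.append((src, dst, proto, mid))
    return hits


if __name__ == "__main__":
    for src, dst, proto, gap in find_beacons(sample_flows()):
        print(f"possible beacon: {src} -> {dst} ({proto}), every ~{gap}s")
```

Legitimate pollers (monitoring agents, update checks) also produce steady intervals, so hits are leads to triage against an asset inventory rather than verdicts. Traffic on the 3G/GSM channel never crosses the LAN and will not appear in these logs.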
The pentesting goodies!
Metasploit, Fasttrack, SET, SSLstrip, Kismet, Aircrack-NG, WEPbuster, Karma, nmap, dsniff, netcat, nikto, nbtscan, xprobe2, inguma, scapy, ettercap, medusa… all the good stuff! The internal NAND disk-on-chip is a bit limiting at 512MB, so an extra SD card is key for larger exploit collections, wordlists, etc.
Benefits for commercial pentesters:
- No client-side config or firewall changes needed
- Great for remote clients who want to avoid the travel costs of an onsite pentest
- Stealthier, simpler, and more compact than netbooks and micro-ATX appliances
Indeed, after 7 years my long-coveted creeper box has finally arrived. And nothing says Sneakers like a text message from an elegantly-placed drop box as you exit your target facility’s parking lot in an unmarked utility van.
[Plug photo by Matt Biddulph (CC-BY-SA)]