Where's My Creeper Box?

Sunday, February 13, 2011

Dave Porcello


Pentesters, red teams, and offensive security ninjas... the long-fabled creeper box has finally arrived.

When Charlos dropped a GSM-ready drop box into Paul Meyer’s flat in "Stealing the network: How to Own a Continent" (Syngress, 2004), I remember sitting up wide-eyed thinking, "I want that".

In 2004, this was fringe tech; doable, but attainable only by an elite few. With the pervasiveness of 3G coverage and ever-shrinking micro hardware, you would think this would be a commodity pentesting tool by now.

Seriously, it’s 2011. Where’s my creeper box?

Well, until recently the Small Form Factor market has missed the creeper hardware sweet spot. Most embedded Linux devices are too slow to run commodity Linux distros, and the pricier x86-based micro-appliances aren’t exactly designed for stealth applications.

PwnPlug Creeper Box

Enter the Pwn Plug. Built on the Marvell Sheevaplug, it’s small enough (4.3 x 2.7 x 1.9 inches), quick enough at 1.2 GHz, and supports Debian, Fedora, FreeBSD, and OpenWRT ARM distributions. And perhaps most importantly... it doesn’t look like a computer!

The stealth factor:

Stashed under a desk, behind a printer, or in a conference room, this fanless creeper can pass for an AC adapter, air freshener, surge protector, thermostat, etc. For wireless pentests, any power outlet in range will do.

Let’s not rule out drop ceilings! Idling at 3 watts, the plug can run for days or weeks off a UPS, custom battery pack, or solar panel (yes, this has been done!).

On the Ethernet side, drop the plug into “stealth mode” (no listening ports or ping replies) and use the 3G/GSM model for an entirely out-of-band backdoor!

The persistent backdoor:

The plug includes an aggressive "egress buster" script for remote SSH access wherever the plug has Internet connectivity - including wired, wireless, and 3G/GSM. By default, the plug will attempt a reverse shell every minute through several covert channels:

  • SSH over 3G/GSM. The stealthiest option; no backdoor traffic touches the target LAN!
  • SSH over HTTP requests with proxy support (appears as standard HTTP traffic)
  • SSH over SSL (appears as HTTPS)
  • SSH over DNS queries (appears as DNS traffic)
  • SSH over ICMP (appears as outbound pings)

For added Ninjutsu, the plug can be configured to send an SMS text message to your phone when a remote shell is established.
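From the defender's side, the behaviour described above (a reverse connection attempted at a fixed interval to one outside host, whatever protocol it is wrapped in) is what gives a drop box away. The following is an added example, not code from the post or from Pwnie Express: a small beacon detector that groups flow records by source, destination and service and flags groups whose inter-arrival times are nearly constant. The flow records are constructed sample data; a real run would feed it firewall, NetFlow or DNS logs.

```python
# Added example (not from the original post or from Pwnie Express): flag
# hosts that call out to the same destination at a near-constant interval,
# the pattern produced by a "try a reverse shell every minute" loop, no
# matter whether it is tunnelled over HTTP, SSL, DNS or ICMP.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (epoch_seconds, src_ip, dst_ip, service).
# 10.0.0.77 calls out to 203.0.113.5 on 443 once a minute, exactly on the
# minute; 10.0.0.12's traffic is bursty, ordinary browsing.
SAMPLE_FLOWS = [
    (1297700000 + 60 * i, "10.0.0.77", "203.0.113.5", "tcp/443") for i in range(8)
] + [
    (1297700005, "10.0.0.12", "198.51.100.9", "tcp/80"),
    (1297700007, "10.0.0.12", "198.51.100.9", "tcp/80"),
    (1297700190, "10.0.0.12", "198.51.100.9", "tcp/80"),
    (1297700191, "10.0.0.12", "198.51.100.9", "tcp/80"),
    (1297700400, "10.0.0.12", "198.51.100.9", "tcp/80"),
]


def find_beacons(flows, min_connections=6, max_jitter=0.1):
    """Group flows by (src, dst, service) and report the groups whose gaps
    between connections are nearly constant.

    A group is reported when it has at least `min_connections` flows and the
    standard deviation of its gaps is at most `max_jitter` times the mean gap.
    Returns {(src, dst, service): mean_interval_seconds}.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, svc in flows:
        by_pair[(src, dst, svc)].append(ts)

    beacons = {}
    for key, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst, svc), interval in find_beacons(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst} ({svc}) beacons every {interval:.0f}s")
```

The same grouping works on DNS query logs (key on the queried domain) or ICMP echo counts per destination, which covers the DNS and ping channels listed above.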

The pentesting goodies!

Metasploit, Fasttrack, SET, SSLstrip, Kismet, Aircrack-NG, WEPbuster, Karma, nmap, dsniff, netcat, nikto, nbtscan, xprobe2, inguma, scapy, ettercap, medusa... all the good stuff! The internal NAND disk-on-chip is a bit limiting at 512MB, so an extra SD card is key for larger exploit collections, wordlists, etc.

Benefits for commercial pentesters:

  • No client-side config or firewall changes needed
  • Great for remote clients who want to avoid the travel costs of an onsite pentest
  • Stealthier, simpler, and more compact than netbooks and micro-atx appliances

Indeed, after 7 years my long-coveted creeper box has finally arrived. And nothing says Sneakers like a text message from an elegantly-placed drop box as you exit your target facility’s parking lot in an unmarked utility van.

PwnieExpress: http://pwnieexpress.com

[Plug photo by Matt Biddulph (CC-BY-SA)]

Michael Menefee: I've been fortunate enough to have one of these babies to test out for the past week... with about 10 mins of configuration and some dyndns.org magic, I've been able to plug this into several networks and get my reverse shell...

very sweet!
shawn merdinger: Great article Dave. Thanks for sharing :)

Cheers,
--scm
Lord Nikon: It's a privilege not a right! Someone definitely bought this guy a puter for Christmas!