PwnPi 3 Final Review

I recently got to use the PwnPi 3 Final release, so I thought I would do a little review. Traditionally this product didn't live up to the standard of the PwnPlug, but the idea of a $35 alternative to the famous $695 drop box was intriguing. You can use this tutorial for flashing the image. For this review, I'm using a Raspberry Pi 1 Model B and the PwnPi 3 Final release listed below:



The PwnPi comes with an impressive list of tools, a nice busybox UI, and some preconfigured remote administration capabilities. The OS is based on Raspbian but feels more like Kali. I really enjoy the preconfigured Conky setup; it shows a lot of useful information and gives the desktop a hacker feel. The tools included make it an effective network pen test suite, though the CPU on my Pi 1 Model B was a limiting factor with a number of them. That said, the preconfigured callback features make it an easy rogue device to add to a network. You're likely going to want to use the VNC callback (it comes preconfigured with both a VNC and a netcat callback), as the netcat callback is unencrypted and insecure. The tool list is below, a mashup of the PwnPi site and the SourceForge tool list:

Information Gathering
---------------------
theharvester - gather emails, subdomains, hosts, employee names, open ports and banners      
tcpspy - Incoming and Outgoing TCP/IP connections logger            
tcpflow - TCP flow recorder            
pscan - Format string security checker for C files              
ngrep - nmap tool for parsing scan results        
bing-ip2hosts - Enumerate hostnames for an IP using bing
hostmap - hostnames and virtual hosts discovery tool            
metagoofil - an information gathering tool designed for extracting metadata        
mdk3 - bruteforce SSID's, bruteforce MAC filters, SSID beacon flood              
lynis - security auditing tool for Unix based systems              
enum4linux - a tool for enumerating information from Windows and Samba systems        
chaosreader - trace network sessions and export it to html format        
kismet - Wireless 802.11b monitoring tool            
btscanner - ncurses-based scanner for Bluetooth devices          
airodump-ng - Wireless tool for capturing handshakes
ike-scan - discover and fingerprint IKE hosts (IPsec VPN Servers)
svmap              
sslscan - Fast SSL scanner
ncat              
ipcalc            
nbtscan - A program for scanning networks for NetBIOS name information
amap - a powerful application mapper
sslstrip - SSL/TLS man-in-the-middle attack tool
sslsniff - SSL/TLS man-in-the-middle attack tool
ssldump - An SSLv3/TLS network protocol analyzer
onesixtyone - fast and simple SNMP scanner
swaks - SMTP command-line test tool
smbclient          
tcptraceroute      
netmask            
dmitry - Deepmagic Information Gathering Tool
xprobe2            
p0f - Passive OS fingerprinting tool
wireshark - network traffic analyzer - GTK+ version
tcpdump - command-line network traffic analyzer
zenmap - The Network Mapper Front End
svwar              
nmap - The Network Mapper
netdiscover - active/passive network address scanner using arp requests
hping3 - Active Network Smashing Tool            
fping - sends ICMP ECHO_REQUEST packets to network hosts
arp-fingerprint  
arping            
dnswalk - Checks dns zone information using nameserver lookups
dnstracer          

Vulnerability Assessment
------------------------
wbox - HTTP testing tool and configuration-less HTTP server
ratproxy - passive web application security assessment tool
netwox - networking utilities
lsat                
bfbtester - Brute Force Binary Tester
sqlninja - SQL Server injection and takeover tool
airodump-ng              
sqlbrute - a tool for brute forcing data out of databases using blind SQL injection
wash - scan for vulnerable WPS access points
wapiti - Web application vulnerability scanner
w3af - framework to find and exploit web application vulnerabilities
mysqloit - SQL Injection takeover tool focused on LAMP
sqlmap - tool that automates the process of detecting and exploiting SQL injection flaws
skipfish - fully automated, active web application security reconnaissance tool
nikto - web server security scanner
metagoofil - an information gathering tool designed for extracting metadata          
openvas-client - Remote network security auditor, the client
openvas-server - remote network security auditor - server
svcrack - Sipvicious tool for cracking Voip logins              

Exploitation Tools
------------------
w3af-console - framework to find and exploit web application vulnerabilities (CLI only)
msfpayload - payload generation tool from metasploit
exploit-db - Exploit Database
bsqlbf - Blind SQL injection brute forcer tool
inguma - Open source penetration testing toolkit
msfencode - payload encoding tool from metasploit
msfvenom - payload generation and encoding tool from metasploit
msfconsole - metasploit console
s.e.t - Social Engineers Toolkit
aircrack-ng - WEP/WPA cracking program
reaver - brute force attack tool against Wifi Protected Setup PIN number
airmon-ng    
airodump-ng  
aireplay-ng  
sslstrip - SSL/TLS man-in-the-middle attack tool
mysqloit - SQL Injection takeover tool focused on LAMP
sqlninja - SQL Server injection and takeover tool          
sqlmap - tool that automates the process of detecting and exploiting SQL injection flaws
isr-evilgrade - take advantage of poor upgrade implementations by injecting fake updates

Privilege Escalation
--------------------
voiphopper - VoIP infrastructure security testing tool
yersinia - Network vulnerabilities check software
voipong - VoIP sniffer and call detector
wireshark - network traffic analyzer - GTK+ version
tcpdump - command-line network traffic analyzer
ettercap - Network man in the middle tool
tcpreplay - Tool to replay saved tcpdump files at arbitrary speeds
tcpick - TCP stream sniffer and connection tracker
pdfcrack - PDF files password cracker
packit - Network Injection and Capture
packeth - Ethernet packet generator
netsed - network packet-altering stream editor
filesnarf
mailsnarf
msgsnarf
urlsnarf
dsniff - Various tools to sniff network traffic for cleartext insecurities
darkstat - network traffic analyzer
mdk3 - bruteforce SSID's, bruteforce MAC filters, SSID beacon flood
pentbox - Suite that packs security and stability testing oriented tools
medusa - fast, parallel, modular, login brute-forcer for network services
hydra - Very fast network logon cracker
sipcrack - SIP login dumper/cracker
john the ripper - active password cracking tool
fcrackzip - password cracker for zip archives

Maintaining Access
------------------
6tunnel - TCP proxy for non-IPv6 applications
vidalia - controller GUI for Tor
ptunnel - Tunnel TCP connections over ICMP packets
netcat-traditional - TCP/IP swiss army knife
ftp-proxy - application level proxy for the FTP protocol
udptunnel - tunnel UDP packets over a TCP connection
tinyproxy - A lightweight, non-caching, optionally anonymizing HTTP proxy
stunnel4 - Universal SSL tunnel for network daemons
socat - multipurpose relay for bidirectional data transfer
proxychains - proxy chains - redirect connections through proxy servers
iodine - tool for tunneling IPv4 data through a DNS server
dns2tcp - TCP over DNS tunnel client and server
cryptcat - A lightweight version of netcat extended with twofish encryption

Stress Testing
--------------
mz - versatile packet creation and network traffic generation tool
siege - HTTP regression testing and benchmarking utility

Reverse Engineering
-------------------
dissy - graphical frontend for objdump
splint - tool for statically checking C programs for bugs

Adding a wireless card to your Pi is a nice touch as well. I sure was relieved when my TP-Link TL-WN722N played nicely: even though it's not on the supported wireless list below, it instantly showed up in iwconfig. Using wireless, it would be easy to drop this kind of device anywhere in a corporate environment, under or behind a desk. The following is the list of officially supported wifi cards:

3COM 3CRUSB10075
7DayShop W-3S01BLK
Alfa AWUS036NEH
Alfa AWUS036NH
Alfa AWUS036H
Alfa AWUS036NHA
AirLink101 AWLL5088
Asus USB-N10
Asus USB-N13
Asus WL-167G v1
Asus WL-167G v3
AusPi Technologies WiFi Adapter
Belkin F5D7050 v3000
Belkin F5D8053 ver6001
Belkin F7D1101 v1
Belkin F7D2102 N300 Micro
Belkin F9L1001v1 N150
Belkin Surf Micro
BlueProton BT3
Buffalo WLI-UC-GNM
Buffalo WLI-UC-G300N
Conceptronic C300RU
Conrad N150 mini
DELL Wireless 1450
DIGICOM USBWAVE54
DIGICOM USBWAVE300C
D-Link AirPlus G DWL-G122
D-Link DWA-110 Version A1
D-Link DWA-121 Version A1
D-Link DWA-131 Version A1
D-Link DWA-140 Version B1
D-Link DWA-160 Version B1
D-Link DWA-160 Version A2
D-Link WUA-1340 Version A1
Edimax EW-7811Un
Edimax EW-7318USg
Edimax EW-7711UAn
Edup 150MBPS Wi-Fi Adapter
Edup Ultra-Mini Nano
Edup EP-N8508
Eminent EM4575
EnGenius EUB9603
Gigabyte GN-WB32L
IOGear GWU625
Linksys WUSB100 v2
Linksys WUSB600N
Linksys WUSB54GC
LogiLink Nano Adapter 802.11n
Mvix Nubbin MS-811N
Netgear N150
Netgear WG111v1
Netgear WG111v2
Netgear WNA1000M
OvisLink Evo-W300USB
Patriot Memory PCBOWAU2-N
Ralink RT2770F
Ralink RT3070
Ralink RT2501
Ralink RT2573
Ralink RT5370
Rosewill RNX-N180UBE
Rosewill RNX-G1 Wireless B/G Adapter
Rosewill RNX-MiniN1
Sabrent USB-A11N
Sagem XG-760N
Sempre WU300-2
Sitecom N300
SL SL-1507N
SMC SMCWUSBS-N
SMC SMCWUSB-G
Sony UWA-BR100
Tenda W311MI
Tenda W311U
The Pi Hut USB 802.11n
TP-Link TL-WN422G v2
TP-Link TL-WN721N
TP-Link TL-WN723N
TP-Link TL-WN821N
Trendnet TEW-648UBM
Widemac RT5370
ZyXEL NWD2105
ZyXEL G-202
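The flip side of a cheap drop box that is easy to hide under a desk is that a defender should be able to spot it from the network's own records. The following is an added example, not part of the original review or the PwnPi project: it scans dnsmasq-style DHCP lease lines (a constructed sample is embedded) for MAC addresses whose OUI belongs to the Raspberry Pi Foundation, normalizing the separator and case variations that different tools log.

```python
"""Flag DHCP leases held by Raspberry Pi hardware, by MAC OUI (added example)."""
import re

# B8:27:EB is the OUI registered to the Raspberry Pi Foundation; boards of the
# Pi 1/2/3 generation reviewed here use it for their on-board Ethernet.
PI_OUIS = {"B8:27:EB"}

# Constructed sample in dnsmasq lease-file layout:
#   <expiry> <mac> <ip> <hostname> <client-id>
SAMPLE_LEASES = """\
1700000000 b8:27:eb:12:34:56 10.0.5.23 pwnpi 01:b8:27:eb:12:34:56
1700000100 00:1A:2B:3C:4D:5E 10.0.5.24 laptop-07 *
1700000200 B8-27-EB-AA-BB-CC 10.0.5.25 * *
1700000300 3c:52:82:11:22:33 10.0.5.26 printer-2f *
"""

# Accept colon- or hyphen-separated MACs in either case.
MAC_RE = re.compile(r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]"
                    r"([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$", re.I)


def normalize_mac(mac):
    """Return the MAC as upper-case, colon-separated, or None if malformed."""
    m = MAC_RE.match(mac.strip())
    if not m:
        return None
    return ":".join(g.upper() for g in m.groups())


def oui_of(mac):
    """First three octets of a normalized MAC, e.g. 'B8:27:EB'."""
    return mac[:8]


def flag_pi_devices(lease_text):
    """Return one dict per lease whose OUI is in PI_OUIS."""
    flagged = []
    for line in lease_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or blank line, skip it
        mac = normalize_mac(fields[1])
        if mac is None or oui_of(mac) not in PI_OUIS:
            continue
        flagged.append({"mac": mac, "ip": fields[2], "hostname": fields[3]})
    return flagged


if __name__ == "__main__":
    for hit in flag_pi_devices(SAMPLE_LEASES):
        print(f"Raspberry Pi OUI on {hit['ip']} ({hit['mac']}, host {hit['hostname']})")
```

A hostname of `*` (no name offered by the client) beside a Pi OUI is worth a closer look, since the device the review describes would not necessarily announce itself.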

In conclusion, the PwnPi 3 makes an effective pen test drop box solution. You can't beat that price, and I've even ordered a new Raspberry Pi 2 to try it out on the upgraded hardware. Here's a good example of using it for ARP spoofing and backdooring unencrypted binaries. Here's to adding another tool to the arsenal, especially one that can enable such lasting network persistence so cheaply!