RSA: The Pwn Pad is an Android Tablet-Based Penetration Tester (Video)
Oliver: Hi. My name is Oliver Wies, ‘Awk’ at Pwnie Express. I am a developer for different mobile pentesting platforms. This is the Pwn Pad, and I am going to give you a little demonstration and talk about it.
Tim: Please. Can you talk about the hardware first? What is it that you are holding?
Oliver: So this is a Google Nexus 7 tablet. It is running Android Jellybean 4.2.1. And then with a recompiled kernel to support packet injection and the Bluetooth stuff. And then underneath is an Ubuntu chroot environment with all the different security and hacker tools installed.
Tim: Now talk about what are some of those tools? What do you have installed?
Oliver: So, we have a wide range of cutting edge wireless tools installed on here, as well as the standard network tools. So, the wireless side, we’ve got the Aircrack-ng Suite, there’s Kismet Newcore, that also works with the Ubertooth. There’s Wi-Fi, which is frontend to Aircrack-ng for automation. There is Hostapd which is another that can be used for an Evil AP. There is the FreeRADIUS WPE stuff, Asleap, EAPeak. So there is a lot of capabilities of doing enterprise level wireless pentests. And then there is also some Bluetooth tools as well, Bluelog, Bluebugger, some basic, the Bluez Utils suite, and then the Ubertooth tools as well. And then on the network side, we’ve got Tshark, Tcpdump, SSLstrip, Dsniff, Ettercap-ng, the Social Engineering Toolkit, Metasploit, Easy Creds, and an OpenVAS vulnerability scanner.
Tim: Now the software under here is [Intensity]. It is open source, it’s well known, so talk about how it is different from somebody picking up a Nexus 7, like what it does take to make all these things work on this hardware?
Oliver: Well, a few months that is for sure. Basically, installing an Ubuntu chroot environment is pretty trivial these days on an Android device, granted you have enough space and you have rooted your device, so you have root access. But once you do that, in order to get these kind of devices working with it that you packet injection, you have to recompile the Android kernel to support those modes.
Tim: Why did you have to put on the Ubuntu environment at all?
Oliver: Because a lot of the standard tools won’t just run in Android. Android is Unix-based. But it doesn’t have a lot of the libraries and a lot of the tools that a full Ubuntu Linux has which is why we chose that.
Tim: And what kind of work went into actually making the tools work, once you had those big pieces on?
Oliver: Yeah, there are a lot of tools that are pretty standard in the Ubuntu repositories that you could apt-get install, but there are a lot of the latest cutting edge ones like Kismet and Ettercap-ng that you have to compile from source. Also some of the other wireless tools like MDK3. We put the latest version of Aircrack on there as well. A lot of the really cutting edge tools you just can’t find in the Ubuntu repositories, especially for ARM because this is ARM processors. So I ended up compiling them directly on the device itself.
Tim: Now we are at a security show and I presume you have been running this here at the show.
Oliver: Most of the time, yeah, we’ve been doing quite a bit of demos, just showing that things will connect, AT&T, Wi-Fi specifically, things will just connect to that automatically, and it is very easy to just show, I’m going to show you right here, that even though this isn’t doing anything evil except allowing people to connect, it will show that basically a lot of devices are just going to automatically connect to an open network when they see it. And it is also using Airbase, which is pretty aggressive. So you can start to see things connect.
Tim: So even at a show like this people are not as security conscious as maybe they should be?
Oliver: Even at a show like this. Yeah, you think that at a security show people would be conscious about turning their wireless off, but it’s not the case. Convenience, the convenience factor is always going to win in the end.
Tim: Now is this an outgrowth of the Pwnie Plug? The earlier product, the plug that was here last year? And that is still available?
Oliver: Yes. That is correct.
Tim: So how does this differ in what capabilities it offers?
Oliver: Well, this is really good for doing a wireless assessment; it looks really sleek, it is really easy to use, a lot of the tools that would take the time to sit down at the laptop and set them up, they are already pretty configured. You basically plug the adapter in and hit the icon and it goes. So you can very quickly assess the security of a wireless environment, you can see what a Bluetooth environment looks like, you can even attack the wired side, but it basically just takes a lot of the well-known tools that require a set up and make them easy and quick to use, and the shell as well, and of course, the plug doesn’t have a nice screen and a quad core processor.
Tim: Or a battery?
Oliver: Or the battery, yeah.
Tim: So you could I guess leave this and book shop for a while, and come back?
Oliver: Yeah, one of the tools is the reverse SSH shell, so you could leave this somewhere and have it connect to an SSH server somewhere else over the 3G network and then get into it, and start hacking wireless from there, so you just enter in your address in the port and then it will connect back and you can leave it.
Tim: So what does this cost? And what goes into that? For instance, I see you’ve got a different wireless card on here, can you talk in detail about what’s the wireless that you’ve got attached to the back there?
Oliver: Yeah, so this is a TP-link adapter. This is a unique card in that it supports a packet injection, monitor mode and wireless promiscuous mode, which lets you do sidejacking.
Tim: And how is it attached to the device?
Oliver: So this is just a standard OTG USB cable. One of the really nice things about Android devices is there is a lot of support for USB, so you can practically plug in any USB device and access it through Android. So flash drives, keyboards, mice, and now adapters with the kernel work that we’ve done. So this is like a long range wireless card. It also comes with a small Bluetooth adapter. It also comes with a USB Ethernet adapter, so that you could plug it into the wire. And the price on the product it also comes with this nice case with the Velcro. And the price point on it is $800 for the whole kit, but if you have a Nexus 7 the software will be available on our website to download, and you can get the adapter separately.
Tim: And the kernel work you’ve done, that all goes back upstream?
Oliver: Yeah, basically, we provide it to the community; all our stuff is open source so it is available.
Tim: And if someone didn’t want this, who are your competitors? I mean, you’ve got an open source portable thing?
Oliver: Yeah, I mean this is really the first time we have seen an Android device doing packet injection publicly that we know of. So it is hopefully the first of many, but it is kind of definitely a new thing.
Tim: And what kind of reaction have you gotten from people?
Oliver: People are psyched. People are really excited about it. The Pwn Phone was great, definitely a different piece, it was already running Linux, had an internal card that supported packet injection and monitor mode and this is kind of a whole new realm. So it’s really coming together.
Tim: And as a developer, where are you based, and how distributed is the company right now?
Oliver: We are based out of Vermont, and we started out as three people, and now we are about fifteen, and we are planning to continue expanding, and we will probably start popping up all over the place.
Tim: What should we look for next?
Oliver: Well, I think there will probably be another phone on the horizon soon. I mean this is our first tablet, but expect to see another phone soon.
Pwn Pad Passes Perl Philter Phor (Score:2, Insightful)
Duplicates [slashdot.org]
Nice Tablet (Score:3, Insightful)
I good see the hardware/software is flexible - even in these days of walled gardens.
My wife just got me a TP adapter, so I now have a net project to look forward to.
Huh? Where? (Score:1)
If you can't see the video (or want to read along) the transcript is below.
Where? If I may ask? Are we engaged in some kind of mediocrity?
Re: (Score:2)
See: "Hide/Show Transcript" under the image that may or may not be there.
Re: (Score:3)
Click the "Hide/Show Transcript" link under the video.
Yeah, not very clear.
Sooo... (Score:2, Informative)
It's an $800 sub-par tablet with a bunch of free software installed that any "pwner" worth his/her salt should know how to get on their own. Meh.
Re: (Score:2)
It's an $800 sub-par tablet
My Nexus 7 cost £200 (~$300). And I've yet to find anything it can't do (within reason).
Am I the only one who was thinking Rockwell? (Score:2)
Not Really Revolutionary (Score:2)
Hak5 covered the USB dongle + sniffing, etc part of it. The rest is just compiling the tools which are free and possibly cranking out an Android gui for a few of them.
Re:Not Really Revolutionary (Score:5, Insightful)
They don't claim it's revolutionary. Also the integration and pre-configuration is very important to many people who would be interested in such a product. Much more so than your dismissive comment would make it seem. Sure, one could buy all the parts separately, recompile the kernel and all the software and put it all together themselves. On the other hand, most people's time is not worthless so the price is worth the fact that one can be up and running immediately.
Re:Not Really Revolutionary (Score:4, Interesting)
But mostly I don't think this is for consumers or enthusiasts.
Let's say $300 for the most expensive nexus 7 and they're selling this for $800.
Maybe $100 for all of the other extra hardware (very generous as the wifi adapter is $15-20, etc)
That means you're paying $400, half of the device, for them to: compile a custom kernel for android (turn on packet injection), install an ubuntu chroot, install most of the packages from apt, and build a couple of them from source.
They're using an ubuntu chroot so no need for android custom gui apps.
$400 is a pretty hefty convenience cost but I guess I could see where for business purposes that would make sense for some people.
Re: (Score:3)
You're pretty much dead on with your numbers:
32GB Nexus 7 w/ AT&T 3G - $300 [google.com]
TP-Link TL-WN722N (atheros usb wifi) - $20 [newegg.com]
Sena UD100 (Bluetooth USB) - $40 [sena.com]
USB Ethernet adapter - ~$30 (really? Damn!)
OTG cable (host mode) - $2 [amazon.com]
I wonder how long it takes them to compile/load all those apps? Would be interesting to break it down and see just how much per hour these guys are charging.
Re: (Score:2)
That leaves 2 months of sunk costs working on the initial setup (what they claim in the video) and handling packaging/billing/shipping/tax.
Re: (Score:2)
Don't see why not; heck, they can probably use scripts to automate the whole process, I know I would.
Re: (Score:2)
So all the person has to do is plug the wireless usb device in, click the icon and then see what the surrounding wireless/wired network is like.
The other point is the battery, quad core cpu and work done on usb hardware to inject into wireless.
It's all open source too.
Advice For Doing Interviews (Score:3)
Word of advice: try letting the interviewee answer the current fucking question before you ask another one.
I, personally, would like to know what the cost will be, but thanks to Timmy's piss-poor interviewing skills, I'll have to seek the information elsewhere.
Re: (Score:2)
And the price point on it is $800 for the whole kit,
Straight from the transcript...
Re: (Score:2)
And the price point on it is $800 for the whole kit,
Straight from the transcript...
Yea, I see that now; 3, 4 questions further down.
Timmy should have given him an opportunity to answer before moving to a new line of questioning; Journalism 101.
Re: (Score:2)
No, it was in the response to the question from right after what you quoted.
Re: (Score:2)
No, it was in the response to the question from right after what you quoted.
Right:
And what goes into that?
There's 1...
For instance, I see you’ve got a different wireless card on here, can you talk in detail about what’s the wireless that you’ve got attached to the back there?
#2...
And how is it attached to the device?
aaaand 3.
Re: (Score:2)
No. The end part of what you quoted was the response:
Oliver: Yeah, so this is a TP-link adapter. This is a unique card in that it supports a packet injection, monitor mode and wireless promiscuous mode, which lets you do sidejacking.
Right below that is the question and answer from where I quoted:
Tim: And how is it attached to the device?
Oliver: So this is just a standard OTG USB cable. One of the really nice things about Android devices is there is a lot of support for USB, so you can practically plug in any USB device and access it through Android. So flash drives, keyboards, mice, and now adapters with the kernel work that we’ve done. So this is like a long range wireless card. It also comes with a small Bluetooth adapter. It also comes with a USB Ethernet adapter, so that you could plug it into the wire. And the price on the product it also comes with this nice case with the Velcro. And the price point on it is $800 for the whole kit, but if you have a Nexus 7 the software will be available on our website to download, and you can get the adapter separately.
So, as I said it's the very next response after what you quoted. Not 3 to 4 questions further down.
Re: (Score:2)
Agree to disagree, not worth my time to argue.
Re: (Score:2)
IME, "Agree to disagree" seems to be code for "drop it so I don't have to cop to being wrong."
Re: (Score:2)
IME, "Agree to disagree" seems to be code for "drop it so I don't have to cop to being wrong."
1) What does "IME" mean?
2) Actually, it's code for "I've got better things to do with my time than waste it waxing philosophic with some annoying internet pedant." At least, it is when I use the phrase; YMMV.
Re: (Score:2)
"In my experience."
Re: (Score:2)
Ah.
Learn something new every day.
36 Chambers of Pwning (Score:2)
RSA has always been one of my favorite hip-hop artists.
Pwn Pad? Sounds fun. (Score:2)
Hey baby, wanna experience my pwn pad together with me tonight?
hacking with kids (Score:1)
SuckerPad (Score:1)