Pwnie Express’ Pwn Plug R2 + Solar + Quadcopter = Flying Security Nightmare

Pwnie Express has a knack for stuffing powerful security testing tools into innocuous housings, and this time they're flexing that unique talent with the Pwnie Plug R2.

via Pocket http://www.engadget.com/2013/07/31/pwnie-express-pwn-plug-r2/

Pwnie Plug R2 with 4G cell connection + software defined radio + solar battery charger + quadcopter = Flying security nightmare

I want one now!! Makes my Fonera (Jasager) and TPLink pineapple look like toys.. Software Defined Radio….shudder

Core features:

  • Onboard high-gain 802.11b/g/n wireless supporting packet injection & monitor mode
  • Onboard dual Gigabit Ethernet for NAC bypass and network monitoring
  • External high-gain Bluetooth adapter (up to 1000′) supporting packet injection
  • External unlocked 4G/GSM cellular (SIM not included)
  • Automated wired NAC/802.1x/RADIUS bypass
  • Simple web-based administration and in-product updates with “Pwnix UI”
  • One-click Evil AP & Passive Recon services
  • Persistent reverse-SSH access to your target network
  • 6 different covert channels to tunnel through application-aware firewalls & IPS
  • Supports HTTP proxies, SSH-VPN, & OpenVPN
  • Out-of-band SSH access over 4G/GSM cell networks
  • Runs Pwnix, a custom Debian distro based on Kali Linux
  • OSS-based pentesting toolkit includes Metasploit, SET, Kismet, Aircrack-NG, SSLstrip, nmap, Hydra, w3af, Scapy, Ettercap, Bluetooth/VoIP/IPv6 tools, & many more
  • Unpingable and no listening ports in stealth mode

Hardware specs:

  • Processor / RAM: 1.2GHz Armada-370 CPU / 1GB DDR3
  • Disk storage: 32GB microSDHC (Class 10)
  • Onboard wireless: High-gain 802.11b/g/n, packet injection & monitor mode, 8” external antenna
  • Onboard I/O: 2x Gigabit Ethernet, 2x USB 3.0, serial console, microSD slot
  • External high-gain Bluetooth adapter (up to 1000′ range) supporting packet injection & monitor mode
  • Optional support for Zigbee/Zwave, RFID, and Software-Defined Radios (SDR)
  • Voltage: 110-240v (Adapters available)
  • Power draw: 5 watts idle, 15 watts max
  • Dimensions: 5.2″ x 3.7″ x 0.8″

The included unlocked 4G/GSM adapter is:
  • Compatible with SIM cards from AT&T, T-mobile, Vodafone, Orange, and GSM carriers in over 160 countries (SIM card not included)
  • HSDPA/UMTS (850/1700/1900/2100MHz)
  • GSM/GPRS/EDGE (850/900/1800/1900MHz)

Chromecast Hacking Has Begun

Initial Chromecast testing has revealed that it is a DIAL device, and sniffing shows several interesting commands that can be sent to it.

The Chromecast dongle is apparently listening on HTTP port 8008 (and also on port 9080 while the Netflix app is running).

Some control can be established by sending simple HTTP GETs, POSTs and DELETEs.

** For these examples the YouTube app is running; Netflix, ChromeCast, and GoogleMusic are also available.

get device information xml:
curl http://10.0.1.2:8008/ssdp/device-desc.xml

get detailed device information json:
curl 'http://10.0.1.2:8008/setup/eureka_info?options=detail'

scan for available wifi:
curl http://10.0.1.2:8008/setup/scan_results

get supported time zones:
curl http://10.0.1.2:8008/setup/supported_timezones

get info about current app:
curl -H "Content-Type: application/json" http://10.0.1.2:8008/apps/YouTube -X GET

send youtube video to chromecast:
curl -H "Content-Type: application/json" http://10.0.1.2:8008/apps/YouTube -X POST -d 'v=oHg5SJYRHA0'

kill current running app:
curl -H "Content-Type: application/json" http://10.0.1.2:8008/apps/YouTube -X DELETE

reboot the chromecast dongle:
curl -H "Content-Type: application/json" http://10.0.1.2:8008/setup/reboot -d '{"params":"now"}' -X POST

factory default reset the chromecast dongle:
curl -H "Content-Type: application/json" http://10.0.1.2:8008/setup/reboot -d '{"params":"fdr"}' -X POST

Hopefully more to come… Focusing on the websocket connections now

I would like to be able to send commands (power, volume, source) to the TV through the HDMI-CEC connection of the Chromecast.
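
On a network that has one of these dongles on it, the requests listed above can be recognised in HTTP logs. The following is an added example, not part of the original post: a Python classifier run over constructed records in an assumed `src dst dport method uri [body]` format. The severity labels and the `allowed_sources` allowlist are this example's own choices.

```python
import json
from urllib.parse import urlsplit

# Ports the post reports the dongle listening on (9080 only while Netflix runs).
CAST_PORTS = {8008, 9080}
# Read-only endpoints listed in the post; they disclose device and Wi-Fi details.
INFO_PATHS = {"/ssdp/device-desc.xml", "/setup/eureka_info",
              "/setup/scan_results", "/setup/supported_timezones"}
QUIET = {"low", "medium"}  # severities an allowlisted client is expected to cause

def classify(method, uri, body=""):
    """Map one HTTP request to (severity, label), or None if not of interest."""
    path = urlsplit(uri).path          # drops ?options=detail and similar
    method = method.upper()
    if method == "POST" and path == "/setup/reboot":
        try:
            params = json.loads(body).get("params")
        except (ValueError, AttributeError):
            params = None              # missing or non-object body
        return ("critical", "factory-reset") if params == "fdr" else ("high", "reboot")
    if path.startswith("/apps/") and method in ("POST", "DELETE"):
        return ("medium", "app-launch" if method == "POST" else "app-kill")
    if method == "GET" and path in INFO_PATHS:
        return ("low", "info-read")
    return None

def scan(log_lines, allowed_sources=()):
    """Return (src, dst, severity, label) tuples; reboots are never suppressed."""
    findings = []
    for line in log_lines:
        parts = line.split(" ", 5)
        if len(parts) < 5 or not parts[2].isdigit() or int(parts[2]) not in CAST_PORTS:
            continue
        src, dst, _, method, uri = parts[:5]
        hit = classify(method, uri, parts[5] if len(parts) > 5 else "")
        if hit and not (src in allowed_sources and hit[0] in QUIET):
            findings.append((src, dst) + hit)
    return findings

# Constructed sample records (not captured traffic).
SAMPLE = [
    '10.0.1.50 10.0.1.2 8008 GET /setup/eureka_info?options=detail',
    '10.0.1.50 10.0.1.2 8008 POST /apps/YouTube v=oHg5SJYRHA0',
    '10.0.1.77 10.0.1.2 8008 DELETE /apps/YouTube',
    '10.0.1.77 10.0.1.2 8008 POST /setup/reboot {"params":"fdr"}',
    '10.0.1.77 10.0.1.9 443 GET /index.html',
]
if __name__ == "__main__":
    print(*scan(SAMPLE, allowed_sources={"10.0.1.50"}), sep="\n")
```

Reboot and factory-reset requests are reported even from an allowlisted client, since the post shows they need nothing more than network reachability to port 8008.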