One of the challenges a pen tester must learn to overcome is the requirement to be at a customer's physical location to perform a test. Of course you could always utilize the customer's VPN, or build your own custom apps, but you'd need approval to allow the outbound connection and you have the time to get it properly set up.
Imagine a world where you could ship a piece of hardware, or have the client download a virtual device instead. What if all the testing setup was just handled for you? You could perform more testing every week, increase the amount of remote testing thereby reducing travel costs, utilize an easy interface to connect back, sniff traffic while off-site, conduct automated assessments, and even be able to perform a remote incident response. This sounds a bit unrealistic.
The team from Pwnie Express has been hard at work making the unrealistic come to fruition. We were able to connect and discuss their latest offering, Citadel PX, which was purpose built to enable a tester to get more done with less effort and travel.
Citadel PX is a Web-based product designed to remotely manage testing sensors. When we asked about the sensors, we learned there were hardware and virtual versions available, built on Ubuntu Server 12.04 and jam packed with pentesting tools.
The sensors support tools natively such as Nessus 5.03 server, Metasploit Pro, Cobalt Strike, SET, w3af, Kismet, Aircrack, SSLstrip, nmap, Hydra, dsniff, Scapy, Ettercap, Bluetooth/VoIP/IPv6 tools, & many more. Pwnie even enables virtual guest machines with the hardware solution, including Backtrack, Qualys, Acunetix, nCircle, and other solutions. The sensors are also hardened per NSA, NIST, DoD, and DISA guidelines, including encrypted volumes for pentest results.
As a pen tester using Citadel PX, you can use the built-in automation, define your own custom automation, or even utilize an on-demand reverse shell capability to get an interactive shell on the device. The system acts somewhat like a simple bot net, polling to the Citadel PX console every 10 seconds for instruction.
When Jonathan Cran, CTO at Pwnie Express, gave me a walk-through of Citadel PX, I saw a slick Rails-based interface with hearty documentation. Some of the cool features that stood out are the ability to grab WiFi results from the integrated hardware, ability to run commands from the remote user interface as tasks for automation, and you can write your own plug-ins using Ruby.
Now breaking into the software and services market, Jonathan Cran commented directly to pen testers that the Citadel PX "bridged testers to remote networks and enabled them to go further, faster, than ever before."
If you're using a service such as Citadel PX, it may prompt security concerns for your customers. Jonathan addressed this, saying, "Citadel PX maintains a secure lightweight connection via SSL, and if necessary, a persistent Reverse SSH shell." He added that "it can support traditional VPN connections as well." Citadel PX can also tunnel through application-aware firewalls and Intrusion Prevention Systems.
Why is this important to you? First, a reduction in travel is clearly a cost benefit to you and your customers while improving your quality of life. Second, the ability to perform increased remote automated assessments in a work week with established customers means you are more attractive from a cost perspective than your competitors.
Citadel PX provides you with an easy user interface to get connected back into your customer's environment. Having the ability to remotely sniff your customer's network is another benefit which evolves the capabilities of the pen tester, enabling them to better understand traffic patterns on the network, and even to perform incident response.
Jonathan explained that during beta testing in a customer's network, the sensors actually detected malware and reported it back to the Citadel PX console. Analyzing attack patterns from that same console enabled Pwnie Express to assist with understanding the attack and which devices were compromised.
Citadel PX is available for purchase here
No security, no privacy. Know security, know privacy.
David Schwartzberg is a Senior Security Engineer at Sophos, where he specializes in latest trends in malware, web threats, endpoint and data protection, mobile security, cloud and network security. He is a regular speaker at security conferences and serves as a guest blogger for the award winning Naked Security blog. David talks regularly with technology executives and professionals to help protect their organizations against the latest security threats. Follow him on Twitter @DSchwartzberg