The OG150 is a small, automated, plug-and-play security device commonly referred to as a penetration testing drop box. The OG150 hardware supports integrated wired and wireless interfaces that permit a wide range of security tests to be performed against the target network infrastructure and associated IT resources. You can view a video of the OG150 Deluxe Package contents at OG150 Contents Video.
This was originally a code name given to the product during its initial development. The name ‘stuck’ and is now used for the publicly released version. The 'OG' stands for Original Gangster, a term used amongst colleagues (special mention to Heath Russell and Grant Isaacs). The 150 refers to the weight of the prototype version in grams. I was surprised at how something so small and light could be so potent, so decided to include a reference to the weight in the product name. Interestingly, the weight of the publicly released version is now 122 grams based on changes made to hardware components. Please note: The weight of the OG150 is indicative only and may vary depending on availability of hardware components.
The OG150 is built upon the TP-Link TL-WR703N router. TP-Link was founded in 1996 in Shenzhen and is a manufacturer of computer networking products based in China. During the hardware selection process, I also evaluated the TP-Link TL-MR3020 and SheevaPlug. I concluded that the TP-Link TL-WR703N router was the best fit, given its lightweight design with integrated feature set. The TP-Link TL-WR703N supports the following features:
- Atheros AR7240 CPU (400 MHz)
- Atheros AR9331 Chipset (integrated wireless)
- 802.11 b/g/n 150Mbps (130Mbps real)
- Wireless power output 20 dBm (100 mW)
- 4 MB flash memory *
- 32 MB RAM *
- USB 2.0 port (High-Speed only, use an external High-Speed hub for Full/Low-Speed devices)
- Powered via micro-USB socket
- Tiny form factor: 5.7cm x 5.7cm x 1.8cm
* The main limitation of this platform is the amount of flash and RAM. I have overcome this limitation by connecting a 4GB USB stick to the OG150. The USB stick has been configured to provide the OG150 with an additional 1GB swap space and 3GB of storage space.
The key point to remember is that the OG150 needs to be physically connected to the target network (wired Ethernet connection). There are many ways in which this can be achieved, for example:
- Piggyback an authorised user into the target environment (follow a user with a valid swipe card as they enter a building). This is a form of Social Engineering.
- Post the OG150 to a user for remote deployment.
- Source a network port that is available in a publicly accessible area. Typical scenarios are airports, hospitals and hotels. *
* The OG150 has been programmed to turn on a blue LED when a network link is physically detected. Once the OG150 is plugged in, a quick visual check of the LED verifies whether the network port is ‘up’.
The OG150 is flashed with a custom build of the OpenWRT (Linux-based) operating system, "Attitude Adjustment 12.09 RC1". Over 2500 OpenWRT packages have been compiled to run with my custom build of OpenWRT; these are hosted on the OG150 website. Finally, the following packages are pre-installed on the OG150:
- Aircrack - Wireless exploitation and enumeration suite
- Airpwn - Airpwn is a framework for 802.11 (wireless) packet injection
- ATFTP - TFTP client
- AutoSSH - A program to automatically start an SSH session and monitor it, restarting it as necessary should it die or stop passing traffic
- CDP-Tools - A set of tools for working with the Cisco Discovery Protocol
- Coova-chilli - CoovaChilli is a feature rich software access controller that provides a captive portal / walled-garden environment and uses RADIUS or a HTTP protocol for access provisioning and accounting. Typically used for wireless hotspots.
- Dsniff - Dsniff is a collection of tools for network auditing and penetration testing
- Elinks - ELinks is a well-established feature-rich text mode web (HTTP) browser
- Ettercap - Ettercap is a multipurpose sniffer/interceptor/logger for the switched LAN
- Iperf - Used for measuring maximum TCP and UDP bandwidth performance. Iperf reports bandwidth, delay jitter, datagram loss.
- NBTscan - NBTscan is a program for scanning IP networks for NetBIOS name information
- NMAP - Powerful port and vulnerability scanner
- OpenVPN - A virtual private network daemon to allow the creation of VPN tunnels
- Ping - Uses the ICMP protocol to verify IP reachability
- SSLStrip - Transparently hijacks HTTPS traffic on a network
- SSMTP - SSMTP is a send-only emulator that allows the OG150 to send you emails
- TCPDUMP - A powerful command-line packet analyser/sniffer
- Tor - Tor provides anonymity by bouncing your communications around a distributed network of relays run by volunteers all around the world
- Traceroute - Traceroute is a network diagnostic tool for displaying the route (path) and measuring transit delays of packets across an Internet Protocol (IP) network.
- TTCP - TTCP (test TCP) is a utility program for measuring network throughput
- UDPCast - UDPcast is a file transfer tool that uses Multicast
- VRRPD - VRRP daemon (vrrpd) is an RFC 2338 compliant implementation of the Virtual Router Redundancy Protocol (VRRP)
- YAFC - FTP Client
- ...Much more!!
There are two similar penetration testing drop boxes available for purchase: MiniPwner and Pwnie Express. I am a big fan of the individuals and organisations that have developed these products and have nothing but praise for their work. The MiniPwner is similar to the OG150, providing a base platform for the user. Although the MiniPwner lacks the automation of the OG150, the forums hosted on the product website are helpful. The Pwnie Express is a more powerful device, capable of running applications such as Metasploit using a custom GUI. The Pwnie Express is based on the SheevaPlug hardware, which surprisingly does not feature an integrated wireless interface (to support wireless, you need to attach an external wireless card). I believe that there is a market for each type of device, depending on the user requirements and budget available. Please check out the websites to see the great work that has been done:
You may have noticed from the photos of the OG150 that everything is black: the router, battery, Ethernet cable and the USB cable are all black. The reason is trivial: it is my personal opinion that everything related to network security simply looks better when it is black.
No. If you buy an OG150, you will receive a 50+ page User Guide that will simply explain how you can customise and operate the OG150. The User Guide assumes no prior knowledge of Linux. Updates to the User Guide will be provided free of charge when they are available.
No. At present the OG150 is managed purely through a CLI (command line interface) using the SSH protocol. Adding a web interface to the OG150 is on the radar, but this is not likely to be implemented for at least 12 months.
It takes approximately 1 hour to fully charge the battery. Testing shows that a fully charged battery powers the OG150 for over 5 hours (with wireless enabled). If this is not sufficient, you are advised to connect the OG150 to a wall mount power outlet.
The only feature that will totally nullify the OG150 is IEEE 802.1X port authentication. This protocol effectively disables the network port until a user and/or device has successfully authenticated. Cisco ISE is my preferred choice when implementing IEEE 802.1X port authentication. In addition, a properly configured firewall that filters outbound traffic will severely restrict the OG150 and its use. Please note: There are tools publicly available that can bypass IEEE 802.1X port authentication; however, this is not currently supported by the OG150.
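The outbound-filtering point above, as an added example that is not part of the original page: a small Python detector run over constructed iptables-style egress-drop log lines that flags a LAN host repeatedly retrying blocked SSH, OpenVPN or Tor connections, the call-home pattern an unattended box relying on AutoSSH or OpenVPN for remote access would produce. The log format, the addresses and MACs, and the port-to-service table are assumptions.

```python
"""Added example (not the OG150 project's code): spot a LAN host that keeps
retrying blocked outbound call-back connections behind an egress filter.
The 'EGRESS-DROP' log prefix and the sample lines are constructed."""
import re
from collections import defaultdict

# Constructed sample log; hosts, MACs and addresses are made up.
SAMPLE_LOG = """\
Jan 14 09:01:02 fw kernel: EGRESS-DROP IN=lan OUT=wan MAC=00:11:22:33:44:55 SRC=10.1.5.77 DST=203.0.113.10 PROTO=TCP SPT=41022 DPT=22
Jan 14 09:01:12 fw kernel: EGRESS-DROP IN=lan OUT=wan MAC=00:11:22:33:44:55 SRC=10.1.5.77 DST=203.0.113.10 PROTO=TCP SPT=41023 DPT=22
Jan 14 09:01:22 fw kernel: EGRESS-DROP IN=lan OUT=wan MAC=00:11:22:33:44:55 SRC=10.1.5.77 DST=203.0.113.10 PROTO=TCP SPT=41024 DPT=22
Jan 14 09:01:30 fw kernel: EGRESS-DROP IN=lan OUT=wan MAC=00:11:22:33:44:55 SRC=10.1.5.77 DST=203.0.113.10 PROTO=UDP SPT=50000 DPT=1194
Jan 14 09:02:00 fw kernel: EGRESS-DROP IN=lan OUT=wan MAC=aa:bb:cc:dd:ee:ff SRC=10.1.5.20 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=443
"""

LINE_RE = re.compile(
    r"EGRESS-DROP .*?MAC=(\S+) SRC=(\S+) DST=(\S+) PROTO=(\S+).*?DPT=(\d+)")

# Assumed call-back ports for the tools the OG150 ships: SSH (AutoSSH),
# OpenVPN and a Tor relay's default ORPort.
CALLBACK_PORTS = {22: "ssh", 1194: "openvpn", 9001: "tor"}


def parse_drops(text):
    """Return (mac, src, dst, proto, dport) for every parsable drop line."""
    drops = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            mac, src, dst, proto, dpt = m.groups()
            drops.append((mac, src, dst, proto, int(dpt)))
    return drops


def find_callback_retries(text, threshold=3):
    """Group drops by (MAC, SRC) and flag a host that hit call-back ports at
    least `threshold` times: a tool that restarts its tunnel whenever it
    fails (AutoSSH's job) leaves exactly this repeating trail."""
    counts = defaultdict(int)
    services = defaultdict(set)
    for mac, src, _dst, _proto, dport in parse_drops(text):
        if dport in CALLBACK_PORTS:
            counts[(mac, src)] += 1
            services[(mac, src)].add(CALLBACK_PORTS[dport])
    return {k: (n, sorted(services[k])) for k, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (mac, src), (n, svcs) in find_callback_retries(SAMPLE_LOG).items():
        print(f"{src} ({mac}): {n} blocked call-back attempts via {', '.join(svcs)}")
```

The HTTPS retry from 10.1.5.20 is deliberately not flagged: egress filtering only helps against a drop box when the allowed services are the ones it cannot use, so the alert threshold and the port table should match the site's own egress policy.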
I do not promote or endorse malicious hacking. The OG150 has been developed for use by legitimate Penetration Testers and for educational purposes only.
Testing shows that video and audio streamed using Java at VGA image resolution (640x480) uses:
Lots! I will continue to develop and expand the User Guide to demonstrate scenarios where the OG150 can be used (updates to the User Guide will be provided free of charge when they are available). A new hardware platform is on the radar that will provide additional services such as an LCD display and 3G/Bluetooth support. I have not put any timescales on when this will be available.