Penetration testing

Automated Penetration Testing Redefined with CITADEL PX from Pwnie Express

July 15, 2013 by Aditya Balapure

After the huge success of Pwn Plug, Power Pwn and Pwn Pad we have another great product from Pwnie Express named Citadel PX. Pwnie Express is a company known for awesome products for security testers, to make security assessments and penetration testing effective and simple.

Citadel PX is a distributed penetration testing system which is comprised of two components:

  • Command Post – The Command Post provides a centralized management and automation interface for the Outposts.
  • Outpost – Also known as sensors. Outposts are the systems deployed to the test environment. Once deployed and connected to the Command Post, the Outpost is used to run automation, and provide manual access.


As described above we have two components in the Citadel PX. The Command Post is available as a centralized management system for managing all the penetration tests across different networks. While we deploy various sensors in the locations of our network which connects to the command post.

Presently we have our command post setup by the Pwnie Express team:

The Command Post dashboard provides a high level overview of connected Outposts, network visibility and system health. This also shows us information on the recently completed assessments and running/queued tasks.

The Outposts which are the appliances that are distributed throughout our enterprise environment are managed through the command post and can be included with Groups. Groups allow the management of our penetration tests, execution of various tasks for assessment, updates and user defined tasks.


To set up Citadel, we’ll deploy hardware or virtual Outposts on our network which would connect back to the Command Post. The Outpost is a pre configured hardware or virtual machine (VMware or AMI) which can be booted up using Virtual Box or VMware technologies. It is a Linux based Ubuntu 12.04 machine which can be put in bridged mode to establish a connection with the Command Post. Once we have set the virtual machine up, we will now move on to registering the Outpost sensor to the Command Post.

Simply type in https://[outpost_ip_address]:1443
to navigate to the Outpost’s registration page.

In this case, we deployed the Outpost machine with a bridged IP address of I open this up in the browser as shown above in the screenshot.

We now simply put in our Command Post DNS/IP, the connection password and register our Outpost.

Browsing to the Command Post interface at https://command-post-ip:443 we have our outpost registered and available. Let’s move on to configuring it, Click Sensors à EPA- 2920003d93f8 (which is the generated name for our sensor), then click Edit.

The outpost (EPA-2920003d93f8) has been put up for our office network as pictured in the above screenshot. The network range we provided is on which the office network is hosted. Now we are done with the configuration and simply submit these settings to make our sensor active.

We are done with the setup now and can move on to the automation, Citadel calls the penetration test automation assessments.


The Citadel PX offers two types of assessments:

  • Automated Assessments – These are preconfigured automated tasks that are hooked into Citadel PX’s reporting system.
  • Custom Assessments – These are highly configurable, allowing for the input of custom scripts to leverage the powerful penetration testing tool sets found on each sensor.

So now let’s demo a Custom Assessment first, which is the tricky part and then we will move on to automated assessments.

Custom Assessment Demo

We create a new custom assessment in our Command Post.

We select the tasks which have to be performed. In our case we have selected Network Discovery and Default Password Audit. Next we select the sensor as per the network which has to be selected for assessment. Now we run our assessment named Monthly Scan 2.

We can see in the custom assessment sections, two tasks have been deployed which we selected (pictured above) and are running. Let’s wait for some time to have elapsed for results of the assessment.

We can see in the above screenshots that there were no successful logins with the Default Password Audit. Indicating we didn’t have default accounts running on our systems in the office network. The Network Discovery assessment shows the live systems with the services and ports which they are currently running. Hence we can see doing two audits is as easy as a walk in the garden. Awesome!

Managing Tasks

The best part about Citadel PX’s custom scans, is that we can manually create and edit our own assessments. Here is a list of our custom tasks:

Here is our Discover Hosts (Nmap Full –Connect Scan)

Let’s try editing this:

And now let’s save this task. Below are newly edited nmap commands and the network range parameter is our target network of the sensor’s network range.

Now let’s try to create a custom task especially for our enterprise office network.

So we can see here that we have created a custom scan for nmap with a special query suited for our office network. Let’s now save this with a click. Ahh this makes my life so easy! J

Let’s now run this task as a custom assessment.

It was clean and easy, here are the results:

So we saw above how to work with custom scans, creating our own tasks and deploying those over our networks. Wait! We’re still left with a lot!

Automated Assessments

Here we will demo a quick how to complete an automated assessment. We simply select Automated under the Assessment tab and set our assessments. We’ll have similar results as our custom assessment since the assessment functions are the same and hence I am skipping the results.


Assets – are a collection of all devices detected across the various networks, visible to any of the connected sensors. This information is parsed from previously run Automated assessments and is exportable for easy record keeping over time. Have a look at various assets detected across the network:

We even have the option to download all our assets as a CSV file for manual reviewing. Isn’t that just awesome!


We have a really cool reporting section @ Citadel PX and will show us the results of our automated assessments.

Hacking Through SSH

Let’s configure our sensor and Command Post to receive reverse SSH connections.

Let’s connect to our sensor via Putty since were using Windows right now. So I try will to have SSH here for my sensor.

And damn! I’m in! Now let us get our hands dirty with Metasploit on our office network.

Home sweet home it is, our lovely Metasploit shell. J From our custom scan we detected a Windows XP machine. Let’s check whether it is vulnerable to the Netapi exploit.

We set up rhost as the Windows system IP and fire up the exploit command. Owned!

Seriously life has become so easy using penetration testing systems with Citadel PX!

We even have an option to custom scan web servers using Nikto.

So this was all about Citadel PX. I would like to thank Jonathan Cran from Pwnie Express for providing me with an opportunity to test this awesome product.


Posted: July 15, 2013
Aditya Balapure
View Profile

Aditya Balapure is an information security researcher, consultant, author with expertise in the field of web application penetration testing and enterprise server security. Aditya has 3 years of practical experience in the field of information security. He has quite a few credentials to his name such as CEH, ECSA, MCP and a few international publications. His deep interest in vulnerability assessment and offensive penetration testing groups him among the white hats of the information security arena. Aditya Balapure is involved into many corporate trainings besides his constant hobby of open vulnerability disclosure.