Tag Archives: arp

To have a ‘hacker’ phone or not… that is the question

Mr. Robot - Pwnphone

Can I recommend from my experience for any average Joe, security specialist, or even computer enthusiast to have a rooted, custom kernel, Nethunter Android based phone as their primary cell phone to rely on? Honestly no, unless you have the time, resources, and expertise to troubleshoot issues with the device. Don’t get me wrong, it is awesome to have a device that fits in your pocket that when setup right, can do nmap vulnerability scans, arp poisoning, run the Social Engineering Toolkit and a plethora of other tools/actions. But you have to remember, projects like Nethunter, which are great for what they are, are community driven and fixes/issues may have to be resolved by the end user themselves.

If you’re going to venture down this path, feel free to but take some things into consideration. If this is going to be your primary phone, in the event of an emergency, can you count on it to not freeze or reboot when you need it? This is not to say that vanilla/stock phones won’t let you down but usually the vanilla/stock phones have more support and tend to be more stable. So with a security suite like Nethunter, which is not a ROM but is meant to run on top of a stock Android OS with a custom kernel, in my humble opinion you’re only adding complexity to the device and more chances to have an unstable device.

Another question you have to ask yourself would include, do you trust all these tools/pieces of software on your primary phone that you may use for banking and private matters? By rooting your phone and installing the likes of Nethunter, you are potentially turning your phone into a more advanced spying tool that could be used against you. (Also take note that rooting your phone just makes it less secure.) Just think of this, if an adversary can get onto a server through whatever exploitative means and they discovered a Kali chroot environment, how much more potential damage could they do? Now imagine this ‘server’ is your phone that you constantly keep on and charged and with you at nearly all times.

This is to not say that I advocate against ‘hacker’ phones or turning phones into offensive security devices. My point is that there’s a lot to take into consideration.  If you want a stable phone to do your regular smart phone related matters on, I recommend something stock with little to no mods and if you want a ‘hacker’ phone, I recommend getting a second phone that you do not heavily rely on. 

Now if we could run virtual machines on our phones with security hardened hardware passthrough options… that would make things interesting. (Interesting discussion here .)

arp-sentinel

Those of us who understand some of the great weaknesses in IPv4, know that under certain circumstances (especially in local area networks), attackers can carry out some pretty devious tasks. Arp-spoofing (http://en.wikipedia.org/wiki/ARP_spoofing) can be used to intercept traffic and even modify it accordingly to the attacker’s will. Programs like arpspoof, cain&abel, and especially ettercap-ng, when abused, can be used for purloining credentials and potentially identities.

With this being true, I decided to write an implementation of a arp-spoofing detection program that is geared toward Ubuntu/Debian. The beauty of this program, is that instead of just creating logs that non-tech savvy users would most likely not glance at, this program alerts the end user via x-message. Granted, this x-message window can potentially get annoying, however this was intended. The end user needs to be alerted of if arp-spoofing is taking place, their information could be potentially at great risk.

The beauty behind arp-sentinel, is that it uses very low resources and is mainly intended for end users who run Ubuntu on a laptop, who use insecure hotspots for whatever purposes. Here’s a screen shot of ‘top’ being used under Ubuntu 9.10 on a virtual machine:

Nifty eh? Here’s also a screen shot of the warning message that is displayed:

Here’s the program in a tar file:

http://zitstif.no-ip.org/arp-sent/arp-sentinel.tar

MD5sum: 79c54891a7b235bf6a2f5d4c779771c3

Tested to work on Ubuntu 9.10.