Tag Archives: maemo

Weaponizing the Nokia N900 – Part 4.0 – A Three Year Anniversary!

Remember that the most valuable antiques are dear old friends.H. Jackson Brown, Jr.

I felt that this was an appropriate quote for my aging Nokia N900. What should I do with this phone? Should I throw it in the “Electronic Wasteland” in China and should I become just another Android user? Hell, I can even run Backtrack 5 on Android now! There are even reports that hackers have been able to get monitor mode and packet injection to work on Android devices!

However, what if I want to run a wide array of Linux based programs locally using my phone’s operating system without depending upon a chroot environment? What if I want a phone/device that has been known to be able to do packet injection, monitor mode, hostmode and not have to sign up for any large corporation’s software market like “Google Play” or Apple’s “App Store” to install software? Maybe I just want to use apt-get to install my programs for Christ’s sake! What if I just want to whip a device out of my pocket that I can quickly run mtr from to troubleshoot a client’s wireless network issues?

It is also nice to have a phone/device that has a physical keyboard versus a touch screen since in my humble opinion, I believe that touchscreen devices are meant for consuming than being productive.

I still believe the best phone for hackers is the Nokia N900 and it is a shame that Nokia decided to go the way of Microsoft. I personally believe that Nokia should have gone the route of an Android/Linux hybrid mobile operating system, but that’s just my opinion. We will have to see how well the Firefox OS or the Sailfish OS take off.

Android is a great mobile operating system but to me it is kind of a bastard version of the Linux operating system. Another problem with the Android platform is the sheer vast amount of different hardware manufactures there are. So by the time independent developers are able to get features like monitor mode working on one phone, chances are there are a dozen of other phones that have been released while the phone that the developers were able to get monitor mode working on will be given hardly much credence to.

Part of the beauty of the Nokia N900 is that it has ‘staying power’. This phone was released over 3 years go to this date. I still receive e-mails asking for support or giving me compliments on my work for the N900 which I appreciate dearly. There still is an active, smart and driven community around the world who develop applications and provide support for this phone, which I am very thankful for.

So what am I to do with this beloved device? A device that can be overclocked to 1.0GHZ, can run the OSX , can run Backtrack 5, do myriad of other tasks and is available for about $200.

Sadly, my Nokia N900 will no longer be used as a phone but as an MP3/Multimedia player that I can use for penetration testing! With about 32GB of internal storage and a MicroSD slot that can be use to extend the storage of the N900 from 32GB to 48GB, DLNA client/server support, a FM Transmitter, and Pandora client support, why would I want to shell out the extra cash for a new MP3 player that most likely won’t be able to run Metasploit locally and an OpenSSH Server?

This is why for the three year anniversary of the Nokia N900, I have written a bash shell script that helps automate weaponizing the Nokia N900 to save myself and I’m hoping many other individuals time for weaponizing the Nokia N900.

Before you download and run the this shell script, please read the following:

Firstly, I am not responsible if this program bricks/damages your N900 (but I can assure you as long as you follow my instructions you SHOULD be safe). For best results make sure you have flashed your N900 firmware to version pr1.3 (also for best results my shell script works BEST on freshly flashed N900s). I was not able to get my shell script to work properly with the pr1.2 firmware.

Plug your wall charger into your N900. Make sure you also have strong signal strength to your wireless network.

Once you have your N900 flashed, please root your N900 and install bash4. Then pull up the terminal on your N900 and as root do this:

ln -s /bin/bash4 /bin/bash

Next download this following script to your N900:

http://zitstif.no-ip.org/weaponizen900.tar

(sha1sum: c3699aea31c8ac91684e89bfdda7901bcc7f042e  weaponzenizen900.tar)

(Source code for main script is publicly viewable here: http://pastebin.com/4UXmAEQx )

Extract it via:

tar -xvf weaponizen900.tar

Then cd into the newly created folder called “n900project” and run as root:

bash weapoinzen900.sh

MAKE SURE TO FOLLOW AND PAY CLOSE ATTENTION TO ALL THE PROMPTS FROM THIS PROGRAM! Installation typically for me took about 2 hours. If your Internet connection drops out for whatever reason, for the most part it is safe to run this program again!

For a list of tools that weaponizen900.sh installs for native use, please see this: http://zitstif.no-ip.org/listweapons.txt. You can also list the installed tools by typing on your N900 ‘listweapons’. It also installs this following kernel: http://talk.maemo.org/showthread.php?t=85665. With this kernel you can do monitor mode, packet injection, and hostmode with the N900. With hostmode on the Nokia N900, you can use an OTG cable and do forensics with your N900 with tools like testdisk!

PLEASE DO NOT USE THE GUI TO UPDATE YOUR N900! Do this at your own risk! TO SAFELY UPDATE YOUR N900 PLEASE USE A SCRIPT I CREATED CALLED “update”. To update programs that have been installed by your package manager run as root:

update modded

To update programs that have been installed by your package manager and programs like Metasploit, SET, Nikto, and etc run as root:

update modded scripts

I hope this script is of great use to anyone who decides to use it. If you have any issues with this program or need any help with this program feel free to contact me via e-mail. I want to thank the Maemo forums for support on this project.

Nokia N900 Packet Injection Problems

I am writing this right after I was just about to pull my hair out due to the fact that I rely on my N900 as my primary phone (which is not necessarily the greatest idea if you tinker with it quite a bit).

I have noticed that after updating to this kernel:

Linux N900 2.6.28.10-power50

produces an issue with the bleeding-edge wireless driver that allows the N900 to be able to do packet injection. If you try to enable the driver and use it, the wlan0 interface will disappear. You will then have to reboot your phone to be able to get the wlan0 interface back.

So out of curiosity I decided to try rolling back to the previous kernel I was using that was provided with the  bleeding-edge drivers. Case and point, this was a BAD IDEA. The installation failed and upon rebooting my N900, the N900 went into a reboot loop and to power the phone off I had to pull the battery.

Gladly, I was able to reflash the phone and get it functioning.

Conclusion:

If you want to be able to do packet injection (and use awesome tools like reaver and aircrack) on your N900, you MUST (for now) use the kernel (kernel-power_2.6.28-maemo46-wl1) from  bleeding-edge.

Feel free to contact me if you need any help regarding this and I will do my best to help you.

A Note on Updating Weaponized Nokia N900s

I wanted to make this post to save time and headaches for people who own ‘weaponized’ Nokia N900s.

If you regularly update your Nokia N900 by doing (as root):

apt-get update && apt-get upgrade -y

I have ran into some issues with some of the newer packages.

Firstly, the newest beta version of nmap (5.59BETA1_armel) appears to be buggy enough to the point where it’s almost unusable.

Running this:
nmap -sS -P0 -vv www.google.com -p 80

Yields:
Starting Nmap 5.59BETA1 (http://nmap.org) at 2011-12-17 21:14 EST
Warning Hostname www.google.com resolves to 6 IPs. Using 74.125.45.147
route_dst_netlink: can’t find interface “wlan0”

Secondly, subversion (svn) gets completely broken due to a library compatibility issue:

svn -h
Segmentation fault

There has been discussion on this: http://talk.maemo.org/showthread.php?p=970467

Having svn broken really stinks, because then I am not able to update Metasploit. Who in the hell wants to run an outdated version of Metasploit? (I imagine there are some people..)

To work around this for the time being I have crafted the following shell script:

#!/bin/bash

if [ ${#} -lt 1 ]
 then
   echo "Usage:	"
   echo "./update.sh normal #This just does a normal update";
   echo "./update.sh modded #This will do a normal update and then downgrade libaprutil1, libapr1 and nmap so that they work";
   exit 1;
fi

if echo ${1} | egrep "normal"  > /dev/null;
 then
   apt-get update;
   apt-get upgrade -y;
   exit 0;
elif echo ${1} | egrep "modded"  > /dev/null;
 then
   apt-get update;
   apt-get upgrade -y;
   apt-get install nmap=5.50-2 libaprutil1=1.3.9-2 libapr1=1.4.2-1 --force-yes -y;
   apt-get clean && apt-get autoclean;
   exit 0;
else
   echo "I don't know what you are trying to do.." #Thanks Arc
   exit 2;
fi

http://zitstif.no-ip.org/update.txt
SHA1 (update.txt) = d83306d18a146a54a38ea236e3a236b4955bb81b

For the time being if you’re in a similar case like me, you’ll have to use this shell script (wget http://zitstif.no-ip.org/update.sh &&  chmod +x update.sh && ./update.sh modded).

Weaponizing the Nokia N900 – Part 3.8 – Backtrack 5 on N900

First and foremost I am not taking credit for the act of this. There are other posts on getting Bactrack 5 (ARM) onto the N900. My post mostly pertains to my experience with Backtrack 5 on the N900 and how viable of a offensive information security tool it is.

If you’re curious as to how to get Backtrack 5 running on your N900, you want to thank SuperDumb from the Maemo forums, and take a look at this forum thread. Observe that the default Backtrack 5 (arm) image will not copy over to your vfat microSD external or internal cards. vfat has a file size limit

There are some guides that advocate using ext2/3 on flash devices, but I do not condone you doing this, please see:

http://www.linux.com/archive/feature/114295

To circumvent this issue you can download an image that will work on vfat here, or if you would prefer to re-size the image yourself, follow these steps that SuperDumb graciously gave me via a PM:

Must be done under linux :
Just an example, change the dirs how you want them :

First you need to get the bt5.img out of the downloaded file from backtrack :

gunzip bt5.img.gz

These are the steps to get a img that is small enough :

mv bt5.img bt5.old.img

dd if=/dev/zero of=bt5.img bs=4k count=900000
mke2fs -F -i 8192 bt5.img

mkdir bt5old bt5new
mount -o loop bt5.old.img bt5old
mount -o loop bt5.img bt5new
cd bt5old
cp -rp * ../bt5new

After that just umount bt5old & bt5new and you should have a working img.

Once you have a working img, you will need to have qchroot on your N900 along with gainroot. Then to get Backtrack 5 running on your N900 via the non-GUI way, you simply do as follows:

1.) sudo gainroot

2.) mkdir /mnt/bt5

3.)qchroot /location/to/bt5.img /mnt/bt5

One important note I would like to add with regards to the location of the bt5.img file, is that if you’re like me and you have a bootable linux distro on mmc1, you will not want to have the bt5.img on mmc1. Once your computer mounts the mmc1 card, your mmc1 card will not be accessible via your phone.

You can get VNC up and running, however the N900 keyboard and the Backtrack 5 GUI (at least using gnome) do not get along that well. Additionally, it is resource intensive and if you ask me, to truly utilize Backtrack or almost any Linux distribution, you want to use the command line interface. This is where the power lies. There are a few exceptions to this rule but exceptions don’t necessarily make the rule.

In my humble opinion having Backtrack 5 running on your N900 is not really worth it. My reasoning is due to my experience with it. Here are a couple instances of annoyances that I ran into:

– It is unstable. There were a few times that I would make an attempt to edit sources.list, via:  ‘vi /etc/apt/sources.list’ and my phone would randomly reboot.

– The GUI does not work well at all.

– There are packages that are easily available under the N900, that aren’t easily available under Backtrack 5 (ARM). (kismet for example.)

– Some packages are just broken. For example, miredo does not work at all. (More on miredo later…)

– Nmap’s version under BT5 arm is 5.00 and you can get Nmap for maemo on the N900 at version 5.50.

– easydebian seems like a better alternative and is more stable.

I’m going to go on a bit of a tangent here that I hope is informal and useful.

With miredo not working under BT5 on the N900, that was kind of a big annoyance to myself because miredo for the Maemo even appears to be broken as well.  To get miredo working on your N900 you will want to install and use easydebian.

What is beautiful with miredo, is that you can get an IPv6 address assigned to your N900. You could then use your N900 as a hardware based trojan in a network. The whole concept is very similar to what Mubix did here. You could setup your N900 on a victim network and have ssh listing on your public IPv6 address and then log in to your N900 from an outside network over IPv6. You wouldn’t even have to do any port forwarding on the victim’s firewall/gateway/router.

I will tell you that miredo does not work on all networks and does not appear to work over the gprs0 interface on the N900 (at least with my carrier). Though it works just fine on the wlan0 interface.

Readjusting back from that tangent, summarily I would like to state that the fact that you can get Backtrack 5 working on your N900 is wonderful. Consequently, due to my experience with running BT5 on the N900, I would just advise to use easydebian over BT5 and then customize easydebian to the point that it is essentially a ‘Backtrack’ version. It will be a more stable route to go and you can learn about the tools as you install them, versus having a plethora of tools at your disposal that you may not get around to learning.

Weaponizing the Nokia N900 – Part 3.7 – More goodness and packet injection!

Thanks to Shawn Merdinger, from infosecisland for the inspiration and  thanks to many others in the information security community, I’m continuing with my ‘Weaponizing the Nokia N900’ series with another entry.

Firstly, I would like to mention that I’m contemplating on writing a program to automate the process of turning your N900 into a pentester’s device. This is largely due to the fact that the neopwn project seems to have come to a stand still. I have attempted contacting an individual from the neopwn project, however I haven’t had much luck.

In this post I will cover some of the other attacks you can carry out with your N900 as a rogue ap point using dns spoofing and David Kennedy‘s Social Engineering Toolkit. Along with that, I’ll give you information on how to get packet injection working so the aircrack suite is more useful to you.

Rogue AP Goodness:

1.) Download SET to your n900 and take note of this information:

a.) You’ll need to install some additional python modules  such as, python-crypto. Python-crypto is in the repositories if you have the extra repositorise that I mentioned  in an earlier post: http://zitstif.no-ip.org/?p=451

b.) I wasn’t able to find python-pexpect in the repositories, but luckily SET was able to download it and install it for me.

c.) If you’re planning on using metasploit in tandem with SET, you’ll need to do as follows:

ln -s /usr/bin/rub1.8 /usr/bin/ruby

Oddly enough, SET does not do a check for whether or not if you have ruby installed. I would implement something like this some where in the SET project:

http://zitstif.no-ip.org/setfix.txt

2.) See my earlier post on how to setup your n900 as a rogue ap point: http://zitstif.no-ip.org/?p=459 (Keep in mind though we’re going to inject a new step or two.)

3.) After step 4 (in the earlier rogue ap point instructions) load up SET and select number 2 for the website attack vectors section

4.) Select option 1 for the java applet attack method

5.) Now select the site cloner option

6.) Select a website to clone (Hmm anyone up for Facebook?! 😉 )

7.) For the payload, give SET’s own payload a try, it’s pretty powerful and you can even run a keylogger. In addition to that for the moment, this attack bypasses some AV solutions. (The system I tested this on was a fully patched Windows 7 x64 system that has Microsoft Security Essentials up to date, and I was able to get a session without any AV alarms going off.)

8.) Before you fire up ettercap, go to etter.dns and create an entry like this (especially if you’re using the mobilehotspot application)

www.facebook.com     A      10.105.242.1

9.) Now run this:

ettercap -i wlan0 -q -T -p -u // // -P dns_spoof

What I adore about this attack, is the java applet infection method. It’s a great social engineering method for gaining access to victim’s machines. Plus with SET, you don’t need sun-java6-jdk, which doesn’t appear to be available in the n900’s repositories.

I also wanted to note, that I wasn’t able to get the java applet to work against OSX systems or Linux systems. 🙁

Aircrack-ng goodness:

I was able to get packet injection working and was able to successfully use the chop-chop attack on a WEP network to create enough IVs and then crack the WEP key in about 10 minutes.

Please see this blog entry:

http://david.gnedt.eu/blog/wl1251/

Also pay close attention to:

http://david.gnedt.eu/wl1251/README

Be careful about using this driver because it seems to drain battery life quite quickly.

(Speaking of which..)

Additional notes:

One more tip I would like to share with fellow N900 owners on extending battery life is as follows:

-Uninstall applications that eat up a lot of CPU time and run in the background

-Disable your wifi connection if you’re not using it

-Dim the brightness of your screen

-Disable anything you don’t need or aren’t currently using

-Use an application to that allows you to switch between 3G and 2G networks. If you’re just using SMS and calling people, all you need is the 2G network. (In my humble opinion)

That’s all for now. As usual, more to come!