Over the summer I’ve been working on a final project for the Nokia N900 and I’m still in the progress of coding this program. I will post the project to my website and infosecisland when done. This program should save a lot of people (including myself) time in weaponizing their Nokia N900s.
Tag Archives: n900
Nokia N900 Packet Injection Problems
I am writing this right after I was just about to pull my hair out due to the fact that I rely on my N900 as my primary phone (which is not necessarily the greatest idea if you tinker with it quite a bit).
I have noticed that after updating to this kernel:
Linux N900 2.6.28.10-power50
produces an issue with the bleeding-edge wireless driver that allows the N900 to be able to do packet injection. If you try to enable the driver and use it, the wlan0 interface will disappear. You will then have to reboot your phone to be able to get the wlan0 interface back.
So out of curiosity I decided to try rolling back to the previous kernel I was using that was provided with the bleeding-edge drivers. Case and point, this was a BAD IDEA. The installation failed and upon rebooting my N900, the N900 went into a reboot loop and to power the phone off I had to pull the battery.
Gladly, I was able to reflash the phone and get it functioning.
Conclusion:
If you want to be able to do packet injection (and use awesome tools like reaver and aircrack) on your N900, you MUST (for now) use the kernel (kernel-power_2.6.28-maemo46-wl1) from bleeding-edge.
Feel free to contact me if you need any help regarding this and I will do my best to help you.
Smart Phone Privacy and Steps Towards Anonymizing the Nokia N900
Within current times a lot of people are now using and relying on smart phones. Part of what makes these devices so ‘smart’, is their ability to gather information on the user and use this information to better serve the user. Per contra, the problem with this is that a lot of private information is being gathered which can include longitude and latitude coordinates.
Even when you take pictures with some smart phones, longitude and latitude information can be tagged on as metadata. (See: http://icanstalku.com/ )
What is ironic, is that from my personal experience and information gathering locally, a lot of people seem to not care about this or privacy. I think this is where the government needs to step in and do something. (Which the US government appears to be making steps towards this: http://www.nationaljournal.com/tech/online-privacy-concerns-fuel-drive-for-do-not-track-legislation-20110506 )
My concern with this, is that if people will really care to opt out of tracking and if they do opt out of tracking, then are the services that they use going to be a lot less useful?
Pertaining to the iPhone, I think this video gives you really good technical insight into the tracking issue: http://www.securitytube.net/video/1774
Now onto my beloved Nokia N900. I have taken steps towards anonymizing the N900 and I will show you what I did.
1.) Go to settings and then look for ‘Location’
2.) Disable GPS and disable network positioning.
3.) Under internet connections set ‘Connect automatically’ to ‘Always ask’.
4.) If you’re planning on using the N900 as a tablet and do not want to be tracked via triangulation, to mitigate this you can do as follows:
a.) Pull up the terminal and make sure you are root. (sudo gainroot)
b.) You also want to make sure you have enabled the extra repositories
c.) Install this following application via: apt-get install cell-modem-ui -y
d.) Now to enable the tablet mode and mitigate the possibility of being tracked via triangulation, click the power button on the top of the N900 and a new button should be there that says, ‘Tablet’
e.) Simply tap on this, and your N900 is now just acting as an internet tablet.
5.) tor is available for the N900, you can install this simply via: apt-get install tor -y
6.) You can use proxychains but only under a chroot environment. To use it do as follows:
a.) ssh -D 9050 user@somehost
b.)debbie bash (This is to get into the chroot environment without having to start a GUI session. 🙂 )
c.) proxychains ssh user@someotherhost
7.) You can spoof the MAC address of the wlan0 interface via: (as root) ifconfig wlan0 hw ether 00:12:34:56:78:90
8.) To change MicroB’s user agent string have a look at: http://gerrymoth.co.uk/?p=108
9.) When you first open the lens cover to the camera, you can opt out of adding metadata to your pictures.
10.) Truecrypt is available, however full disk encryption is not available for the N900 or any phone I can think of. I have heard that DARPA is working on a project related to this for iPhones and Androids. ( http://www.infosecurity-us.com/view/17340/darpa-working-on-full-disk-encryption-for-iphone-and-android/ )
This concerns me a bit because I’m a resident of Michigan… ( http://www.thenewspaper.com/news/34/3458.asp )
I hope this information is helpful to you and if you have anymore ideas on anonymizing the Nokia N900 please feel free to send me an e-mail or leave a comment.
Weaponizing the Nokia N900 – Part 3.7 – More goodness and packet injection!
Thanks to Shawn Merdinger, from infosecisland for the inspiration and thanks to many others in the information security community, I’m continuing with my ‘Weaponizing the Nokia N900’ series with another entry.
Firstly, I would like to mention that I’m contemplating on writing a program to automate the process of turning your N900 into a pentester’s device. This is largely due to the fact that the neopwn project seems to have come to a stand still. I have attempted contacting an individual from the neopwn project, however I haven’t had much luck.
In this post I will cover some of the other attacks you can carry out with your N900 as a rogue ap point using dns spoofing and David Kennedy‘s Social Engineering Toolkit. Along with that, I’ll give you information on how to get packet injection working so the aircrack suite is more useful to you.
Rogue AP Goodness:
1.) Download SET to your n900 and take note of this information:
a.) You’ll need to install some additional python modules such as, python-crypto. Python-crypto is in the repositories if you have the extra repositorise that I mentioned in an earlier post: http://zitstif.no-ip.org/?p=451
b.) I wasn’t able to find python-pexpect in the repositories, but luckily SET was able to download it and install it for me.
c.) If you’re planning on using metasploit in tandem with SET, you’ll need to do as follows:
ln -s /usr/bin/rub1.8 /usr/bin/ruby
Oddly enough, SET does not do a check for whether or not if you have ruby installed. I would implement something like this some where in the SET project:
http://zitstif.no-ip.org/setfix.txt
2.) See my earlier post on how to setup your n900 as a rogue ap point: http://zitstif.no-ip.org/?p=459 (Keep in mind though we’re going to inject a new step or two.)
3.) After step 4 (in the earlier rogue ap point instructions) load up SET and select number 2 for the website attack vectors section
4.) Select option 1 for the java applet attack method
5.) Now select the site cloner option
6.) Select a website to clone (Hmm anyone up for Facebook?! 😉 )
7.) For the payload, give SET’s own payload a try, it’s pretty powerful and you can even run a keylogger. In addition to that for the moment, this attack bypasses some AV solutions. (The system I tested this on was a fully patched Windows 7 x64 system that has Microsoft Security Essentials up to date, and I was able to get a session without any AV alarms going off.)
8.) Before you fire up ettercap, go to etter.dns and create an entry like this (especially if you’re using the mobilehotspot application)
www.facebook.com A 10.105.242.1
9.) Now run this:
ettercap -i wlan0 -q -T -p -u // // -P dns_spoof
What I adore about this attack, is the java applet infection method. It’s a great social engineering method for gaining access to victim’s machines. Plus with SET, you don’t need sun-java6-jdk, which doesn’t appear to be available in the n900’s repositories.
I also wanted to note, that I wasn’t able to get the java applet to work against OSX systems or Linux systems. 🙁
Aircrack-ng goodness:
I was able to get packet injection working and was able to successfully use the chop-chop attack on a WEP network to create enough IVs and then crack the WEP key in about 10 minutes.
Please see this blog entry:
http://david.gnedt.eu/blog/wl1251/
Also pay close attention to:
http://david.gnedt.eu/wl1251/README
Be careful about using this driver because it seems to drain battery life quite quickly.
(Speaking of which..)
Additional notes:
One more tip I would like to share with fellow N900 owners on extending battery life is as follows:
-Uninstall applications that eat up a lot of CPU time and run in the background
-Disable your wifi connection if you’re not using it
-Dim the brightness of your screen
-Disable anything you don’t need or aren’t currently using
-Use an application to that allows you to switch between 3G and 2G networks. If you’re just using SMS and calling people, all you need is the 2G network. (In my humble opinion)
That’s all for now. As usual, more to come!
Weaponizing the Nokia N900 – Part 3.6 – Portable Rogue AP Point
With continuing the series of weaponizing the N900 and hoping that Infosec Island will continue with their series as well, I have successfully setup my N900 as a rogue AP point.
Firstly, to effectively deploy it you want to make sure your cell phone service (3G for the N900) is quite strong. You may even want to try pinging google or the like and see what the delay is. With a good connection, it will very for me between 70 and 90 milliseconds.
Second, you want to survey the site you’re going to deploy your portable rogue ap point. Luckily, you can run kismet on the N900. Once you have surveyed the site for other AP points, take note of the MAC addresses of each AP point that is specific to the area and also take note of the names of the AP points. With this mac address you can spoof your wlan0 interface to something that is very similar:
ifconfig wlan0 hw ether 00:XX:XX:XX:XX:XX
You will need to have the extra repos enabled to install an application called mobilehotspot. You will also need prior to this, to install the custom kernel for the N900. You will also need ettercap and sslstrip to carry out this attack. See my earlier post for notes on the two: http://zitstif.no-ip.org/?p=451
1.) Get sslstrip up and running, and make sure you have iptables. For steps on using sslstrip check out:
http://www.thoughtcrime.org/software/sslstrip
2.) Spoof your wlan0 hardware address to what is appropriate for the site.
3.) Run the mobilehotspot application.
4.) Wait for a few seconds
5.) Run ettercap by doing so (modify as needed):
ettercap -i wlan0 -q -T -p -u // //
The reason why we don’t have ettercap forward packets, is because the kernel is already doing so due to the mobilehotspot application.
That is pretty much it. You could also do dnsspoofing to send your victims to a server under your control to do drive by attacks.