Over the summer I’ve been working on a final project for the Nokia N900 and I’m still in the progress of coding this program. I will post the project to my website and infosecisland when done. This program should save a lot of people (including myself) time in weaponizing their Nokia N900s.
Tag Archives: infosecisland
Weaponizing the Nokia N900 – Part 3.8 – Backtrack 5 on N900
First and foremost I am not taking credit for the act of this. There are other posts on getting Bactrack 5 (ARM) onto the N900. My post mostly pertains to my experience with Backtrack 5 on the N900 and how viable of a offensive information security tool it is.
If you’re curious as to how to get Backtrack 5 running on your N900, you want to thank SuperDumb from the Maemo forums, and take a look at this forum thread. Observe that the default Backtrack 5 (arm) image will not copy over to your vfat microSD external or internal cards. vfat has a file size limit
There are some guides that advocate using ext2/3 on flash devices, but I do not condone you doing this, please see:
http://www.linux.com/archive/feature/114295
To circumvent this issue you can download an image that will work on vfat here, or if you would prefer to re-size the image yourself, follow these steps that SuperDumb graciously gave me via a PM:
Must be done under linux :
Just an example, change the dirs how you want them :
First you need to get the bt5.img out of the downloaded file from backtrack :
gunzip bt5.img.gz
These are the steps to get a img that is small enough :
mv bt5.img bt5.old.img
dd if=/dev/zero of=bt5.img bs=4k count=900000
mke2fs -F -i 8192 bt5.imgmkdir bt5old bt5new
mount -o loop bt5.old.img bt5old
mount -o loop bt5.img bt5new
cd bt5old
cp -rp * ../bt5new
After that just umount bt5old & bt5new and you should have a working img.
Once you have a working img, you will need to have qchroot on your N900 along with gainroot. Then to get Backtrack 5 running on your N900 via the non-GUI way, you simply do as follows:
1.) sudo gainroot
2.) mkdir /mnt/bt5
3.)qchroot /location/to/bt5.img /mnt/bt5
One important note I would like to add with regards to the location of the bt5.img file, is that if you’re like me and you have a bootable linux distro on mmc1, you will not want to have the bt5.img on mmc1. Once your computer mounts the mmc1 card, your mmc1 card will not be accessible via your phone.
You can get VNC up and running, however the N900 keyboard and the Backtrack 5 GUI (at least using gnome) do not get along that well. Additionally, it is resource intensive and if you ask me, to truly utilize Backtrack or almost any Linux distribution, you want to use the command line interface. This is where the power lies. There are a few exceptions to this rule but exceptions don’t necessarily make the rule.
In my humble opinion having Backtrack 5 running on your N900 is not really worth it. My reasoning is due to my experience with it. Here are a couple instances of annoyances that I ran into:
– It is unstable. There were a few times that I would make an attempt to edit sources.list, via: ‘vi /etc/apt/sources.list’ and my phone would randomly reboot.
– The GUI does not work well at all.
– There are packages that are easily available under the N900, that aren’t easily available under Backtrack 5 (ARM). (kismet for example.)
– Some packages are just broken. For example, miredo does not work at all. (More on miredo later…)
– Nmap’s version under BT5 arm is 5.00 and you can get Nmap for maemo on the N900 at version 5.50.
– easydebian seems like a better alternative and is more stable.
I’m going to go on a bit of a tangent here that I hope is informal and useful.
With miredo not working under BT5 on the N900, that was kind of a big annoyance to myself because miredo for the Maemo even appears to be broken as well. To get miredo working on your N900 you will want to install and use easydebian.
What is beautiful with miredo, is that you can get an IPv6 address assigned to your N900. You could then use your N900 as a hardware based trojan in a network. The whole concept is very similar to what Mubix did here. You could setup your N900 on a victim network and have ssh listing on your public IPv6 address and then log in to your N900 from an outside network over IPv6. You wouldn’t even have to do any port forwarding on the victim’s firewall/gateway/router.
I will tell you that miredo does not work on all networks and does not appear to work over the gprs0 interface on the N900 (at least with my carrier). Though it works just fine on the wlan0 interface.
Readjusting back from that tangent, summarily I would like to state that the fact that you can get Backtrack 5 working on your N900 is wonderful. Consequently, due to my experience with running BT5 on the N900, I would just advise to use easydebian over BT5 and then customize easydebian to the point that it is essentially a ‘Backtrack’ version. It will be a more stable route to go and you can learn about the tools as you install them, versus having a plethora of tools at your disposal that you may not get around to learning.
Weaponizing the Nokia N900 – Part 3.7 – More goodness and packet injection!
Thanks to Shawn Merdinger, from infosecisland for the inspiration and thanks to many others in the information security community, I’m continuing with my ‘Weaponizing the Nokia N900’ series with another entry.
Firstly, I would like to mention that I’m contemplating on writing a program to automate the process of turning your N900 into a pentester’s device. This is largely due to the fact that the neopwn project seems to have come to a stand still. I have attempted contacting an individual from the neopwn project, however I haven’t had much luck.
In this post I will cover some of the other attacks you can carry out with your N900 as a rogue ap point using dns spoofing and David Kennedy‘s Social Engineering Toolkit. Along with that, I’ll give you information on how to get packet injection working so the aircrack suite is more useful to you.
Rogue AP Goodness:
1.) Download SET to your n900 and take note of this information:
a.) You’ll need to install some additional python modules such as, python-crypto. Python-crypto is in the repositories if you have the extra repositorise that I mentioned in an earlier post: http://zitstif.no-ip.org/?p=451
b.) I wasn’t able to find python-pexpect in the repositories, but luckily SET was able to download it and install it for me.
c.) If you’re planning on using metasploit in tandem with SET, you’ll need to do as follows:
ln -s /usr/bin/rub1.8 /usr/bin/ruby
Oddly enough, SET does not do a check for whether or not if you have ruby installed. I would implement something like this some where in the SET project:
http://zitstif.no-ip.org/setfix.txt
2.) See my earlier post on how to setup your n900 as a rogue ap point: http://zitstif.no-ip.org/?p=459 (Keep in mind though we’re going to inject a new step or two.)
3.) After step 4 (in the earlier rogue ap point instructions) load up SET and select number 2 for the website attack vectors section
4.) Select option 1 for the java applet attack method
5.) Now select the site cloner option
6.) Select a website to clone (Hmm anyone up for Facebook?! 😉 )
7.) For the payload, give SET’s own payload a try, it’s pretty powerful and you can even run a keylogger. In addition to that for the moment, this attack bypasses some AV solutions. (The system I tested this on was a fully patched Windows 7 x64 system that has Microsoft Security Essentials up to date, and I was able to get a session without any AV alarms going off.)
8.) Before you fire up ettercap, go to etter.dns and create an entry like this (especially if you’re using the mobilehotspot application)
www.facebook.com A 10.105.242.1
9.) Now run this:
ettercap -i wlan0 -q -T -p -u // // -P dns_spoof
What I adore about this attack, is the java applet infection method. It’s a great social engineering method for gaining access to victim’s machines. Plus with SET, you don’t need sun-java6-jdk, which doesn’t appear to be available in the n900’s repositories.
I also wanted to note, that I wasn’t able to get the java applet to work against OSX systems or Linux systems. 🙁
Aircrack-ng goodness:
I was able to get packet injection working and was able to successfully use the chop-chop attack on a WEP network to create enough IVs and then crack the WEP key in about 10 minutes.
Please see this blog entry:
http://david.gnedt.eu/blog/wl1251/
Also pay close attention to:
http://david.gnedt.eu/wl1251/README
Be careful about using this driver because it seems to drain battery life quite quickly.
(Speaking of which..)
Additional notes:
One more tip I would like to share with fellow N900 owners on extending battery life is as follows:
-Uninstall applications that eat up a lot of CPU time and run in the background
-Disable your wifi connection if you’re not using it
-Dim the brightness of your screen
-Disable anything you don’t need or aren’t currently using
-Use an application to that allows you to switch between 3G and 2G networks. If you’re just using SMS and calling people, all you need is the 2G network. (In my humble opinion)
That’s all for now. As usual, more to come!
Weaponizing the Nokia N900 – Part 3.5
Due to my love of hand held devices that can be used for penetration testing, I have obtained a Nokia N900 for relatively cheap on eBay. A brand new N900 will burn you a hole about the size of $399 USD in your pocket. However, I obtained mine (a refurbished one) for about $285.
Granted this device is now 2 years old but in my opinion it can be setup as a solid security assessment tool. I thought I would write a de facto continuation of the “Weaponizing the Nokia N900″ series that Infosec island has done. (I hope they don’t mind 🙂 )
With the N900 being an old man, in terms of technology, one can spruce it up a bit via overclocking. I would highly suggest to check out:
http://thehandheldblog.com/2010/07/27/how-to-easily-overclock-your-n900-in-under-two-minutes/
I have mine overclocked to 750MHZ and it seems to be running just fine. Metasploit will load in about a minute or so. Which is not nearly as bad as running Metasploit on the N810 (which I was able to do by just following the same instructions for getting Metasploit to run on the N900). The N810, the last time I checked, took 15 minutes to load Metasploit.
Bear in mind that my tips imply that you have already enabled all the extra repositories as needed, if you haven’t done so check out:
As stated and shown before, there have been guides on weaponizing the N900. However some of these guides have failed to explain certain issues that I would like to address:
1.) The ettercap-ng package from the repositories is totally broken. I ended up having to download ettercap from this forum post and follow the instructions on it appropriately:
http://talk.maemo.org/showthread.php?t=42680
2.) sslstrip will work, and you have to follow the comments addressed on this web page to get it setup along with a few other things:
http://www.knownokia.ca/2010/04/using-n900-for-fun-and-profit.html
a.) You have to install iptables (apt-get install iptables)
b.) You have to install another python package, (apt-get install python-openssl)
3.) The Metasploit package comes in in a tar.bz2 format. For some odd reason, the version of tar (the busy-box version) cannot do ‘-xjf’. So either you have to install the gnu version of tar or put metasploit on a computer that can extract it and put it into a format that can be decompressed on the n900.
4.) I wasn’t able to find netcat in the repositories. If you’re in the same boat, you’ll have to port it over or get a chroot environment setup. (easydebian)
Lastly, here is my original way of weaponizing the n900 even more so.
You’ll need a MicroSD card that you’re currently not using and you don’t mind wiping it and making it bootable. Also, you’re going to need BackBox iso (yes.. not BackTrack 4, I will explain later) and unetbootin.
Obtain BackBox from:
http://www.backbox.org/content/download
Obtain unetbootin from:
http://unetbootin.sourceforge.net/
1.) Install your Microsd card into the N900, by removing the back plate.
2.) Connect your n900 via the USB cable that came with it to your N900.
3.) When you get a prompt on your n900 from connecting it to your computer, choose the Mass storage device mode.
4.) Now, 2 drives should show up, (depending on if you’re using Windows or if you have automount setup under Linux). The drive that is the size of your MicroSD card, is your MicroSD card. (I know.. DUH)
5.) Fire up unetbootin, select Diskimage option, locate where you downloaded the BackBox iso and select it.
6.) Make sure you have the correct drive selected and finally click ‘OK’.
7.) Once the process is done, reboot your computer.
8.) Hit F2 (or it could be other keys, like F9) for your BIOS or better yet if there is an option for a boot menu, hit that key.
9.) Select to boot off of the N900 (some BIOS will show two and not differentiate the two, while other BIOS will state that there is a removable n900. If you’re not sure, just change your boot order to have both N900’s as the first and second boot devices. If your BIOS shows the removable N900, this is the one you want to boot off of.)
10.) Your computer should now be booting off your MicroSD card which is in your N900.
The real cool thing here, is that you can still use your N900 while the computer has booted off of your N900. So you can still make phone calls or surf the net with it.
Now you may be asking yourself, “Why would I want to do this?”. I ran through a couple scenarios in my head, the first, is if you only have one USB drive that is currently in use running, say L0phtcrack on one workstation, but you want to multitask and still explore the network further. Well you have your handy and now bootable N900. Lastly, it seems as if most computers (from my experience) don’t have a MicroSD card slot but have USB ports.
Finally, I naturally tried BackTrack 4, but it would not boot and it would shove me to a busybox shell. I didn’t feel like dealing with finding a fix at the time, so I thought I would find a different distro.
If I do more interesting and original things with my N900, I will post more.
As usual more to come…