Pimp My N800
Last updated Apr 6, 2007.
The N800 is a Linux-based tablet PC from Nokia that is a gadget geek's dream come true. Contained within the sharp-looking device is a fully configurable and customizable Debian-based Linux operating system that can host hundreds of applications, custom scripts and more. However, what makes this device truly covetable is that you can install a wide range of security-related tools, from Metasploit to nmap. In this section we will look at the device and provide tips on how to Pimp your N800 into a pen-testing tool. Please note that we did not personally come up with any of these procedures. This document is meant to be a central collection of what we found interesting from all over the internet. Consider this a time-saving document. Ironically, we have already used it ourselves after quickly forgetting the exact steps needed to get a piece installed.
Enabling R&D Mode
Before doing anything at all to the device or installing any applications, you will want to enable R&D mode. If you do not enable this mode, your device will be limited to the "user" account, which will keep you from realizing the true potential of the N800. Doing this does require another Linux device. However, this can be an Ubuntu LiveCD running in VMware or on a PC you have available.
- Get Ubuntu or another newer Linux distro up and running.
- Turn off the N800
- Plug in the USB cord and connect the N800 to the Linux box.
- Turn on the N800 while holding in the "Home" button until you see the USB icon in the top right corner of the screen of the N800.
- Download the flasher-3.0 utility from http://maemo.org/downloads/d3.php to your Linux box.
- Execute the flasher with the following options:
- ./flasher-3.0 --enable-rd-mode
- Reboot the device
At this point, you should be able to see a boot screen that contains a lot more content than before. Congrats, you are now one step away from gaining access to root!
Installing XTerminal
Installing XTerm is very easy. First establish a connection to the Internet. Then click the Applications button, Tools—Application Manager and Browse Installable Applications. Near the bottom of this list you should see an XTerm listed. Simply click on this listing and install the program.
Enabling the Red Pill
While in the Application Manager, you might note there are relatively few applications. If you were paying attention, we mentioned having the option to install hundreds of apps in the intro. So, where are they!?
Well, the N800 has a special Easter Egg that will give you access to these applications. To enable this Red Pill mode, do the following from within the Application manager:
- Click the little down arrow next to the Application manager title in the top left.
- Select tools—Application catalog...
- Hit the [New] button
- Type the word "matrix" in the web address field. Ensure you delete the "http://" out first.
- Do not hit OK. Instead hit cancel.
- Once you do this, a popup will show up asking "Which pill?" Select the [Red] button and then hit close.
You will now note that your list of installable applications is much longer. If not, update the list.
Set up SSH
Remote access is a must for the N800. It will save you hours and hours of time setting up and configuring the system. While typing in XTerminal works, it is very slow and tedious. Fortunately, getting remote access is as easy as selecting ssh from the list of applications and installing it. Ensure you immediately set up and change the root password using the following instructions.
Access Root and Setting up Password
If you have enabled the R&D mode, gaining access to root is rather easy. Just type "sudo gainroot" into your newly installed XTerminal window (accessible via Application button – Extras). This should drop you to the root prompt. Next you can set up the root password by typing "passwd" and entering the new password at the prompts.
Congratulations. You can now access your N800 via an ssh client. If you are new to ssh, then download putty.exe, a freely available ssh client that supports all sorts of features.
Installing the Core Set of Utils
Every security practitioner out there has a basic set of tools that are on each and every PC/laptop they own. Thankfully, most of them are also available for the N800 thanks to the work of many dedicated people. In fact, not only are they available, but they are very easy to install.
We suggest you set up a folder into which you can download, using curl, all the .deb files that you will need. If curl is not installed, simply use the Application manager to install it automatically.
Downloading files with curl is as easy as entering "curl -C - -O" followed by the link to the file. Special thanks to Collin Mulliner for his work in getting these files ready and hosting them on his server!
Once you have the specified file downloaded, enter the folder where the file is stored and install it using the following command:
dpkg -i <file.deb>
You can shorten the file name using the * character after typing in a few letters of the name (i.e. dpkg -i <file*>).
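The package links in this section are plain HTTP, and neither curl nor dpkg -i as used above checks that a downloaded file is the one that was published; the wildcard shortcut will also install any other matching file that happens to be in the folder. The following is an added example, not part of the original article: a shell helper that checks every .deb in the download folder against SHA-256 digests you recorded from a source you trust. The function name check_debs and the manifest layout are assumptions made for illustration, and it assumes sha256sum is available where you run it.

```shell
#!/bin/sh
# Added example (not from the original article): check every .deb in a
# download folder against pinned SHA-256 digests before running dpkg -i.
# check_debs and the manifest layout are assumptions made for illustration.
#
# Manifest format, one package per line:  <lowercase sha256 hex>  <file name>

# check_debs DIR MANIFEST
# Prints one status line per .deb and returns 0 only if every .deb in DIR
# is listed in MANIFEST and its digest matches.
check_debs() {
    dir=$1
    manifest=$2
    rc=0
    if [ ! -d "$dir" ] || [ ! -r "$manifest" ]; then
        echo "usage: check_debs DIR MANIFEST" >&2
        return 2
    fi
    for f in "$dir"/*.deb; do
        [ -f "$f" ] || continue              # glob matched nothing
        name=${f##*/}
        # Look up the pinned digest by exact file name; first hit wins.
        want=
        while read -r digest fname; do
            if [ "$fname" = "$name" ]; then want=$digest; break; fi
        done < "$manifest"
        if [ -z "$want" ]; then
            # A wildcard such as "dpkg -i file*" would still install this one.
            echo "UNLISTED $name"
            rc=1
            continue
        fi
        have=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"
            rc=1
        fi
    done
    return $rc
}

# Typical use (paths are placeholders):
#   check_debs /path/to/debs /path/to/manifest && dpkg -i /path/to/debs/*.deb
```

Unlike a plain checksum check of listed files, this also fails when the folder holds a .deb that is not in the manifest.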
Tcpdump
Tcpdump is one of the most important tools that any security geek could have on their mobile wireless device. With it an attacker can capture user names, passwords, LanMan hashes and much, much more. Note that if using this program over the SSH connection, you will want to prefilter the sniffer using "tcpdump not host <your IP address>." You can figure out your IP address by using the "ifconfig" command.
Link:
http://www.mulliner.org/nokia770/repository/dists/bora/free/binary-armel/tcpdump_3.9.5-1_armel.deb
Nmap
Nmap is a port scanning and device enumeration program that can be used to quickly determine what machines are live on a network and what services are running on those machines. There are many documents online that explain how to use this program.
Link:
http://www.mulliner.org/nokia770/repository/dists/bora/free/binary-armel/nmap_3.95-1_armel.deb
dsniff
One of the most difficult things about using a program like tcpdump is that you end up with a lot of excess data you really don’t want. For example, if you are only looking for sensitive data, such as user/passwords, then it can be overkill. For this reason, we recommend dsniff for all your password snarfing needs. In addition to just passwords, dsniff includes the ability to capture emails, chat sessions, arpspoofing, DNS spoofing, and much more. This is really a fun tool... but dangerous at the same time.
Link:
http://www.mulliner.org/nokia770/repository/dists/bora/free/binary-armel/dsniff_2.4b1s2-1_armel.deb
TCP Essentials
There are several programs we just can’t live without in the networking world. These tools include ping, traceroute, telnet, netcat, wget, and ip. However, these essentials are just not included with the core device. Thankfully, Laurent described exactly how to obtain these files at http://maemo.org/pipermail/maemo-users/2007-January/003108.html. While it does take a tad bit of Linux know-how, the instructions are great. The following lists the instructions, including the command to add wget.
- mkdir -p /tmp/n
- cd /tmp/n
- wget http://mummola.cs.tut.fi/n770/files/busybox_1.01-4.osso10-ipv6.etc1_armel.deb
- ar x busybox_1.01-4.osso10-ipv6.etc1_armel.deb data.tar.gz
- tar xfz data.tar.gz
- mv ./bin/busybox ./bin/busybox2
- scp ./bin/busybox2 root@YOURNOKIA:/bin/
Then on my N800 as root:
- cd /usr/bin
- ln -s /bin/busybox2 ip
- ln -s /bin/busybox2 nc
- ln -s /bin/busybox2 ping
- ln -s /bin/busybox2 ping6
- ln -s /bin/busybox2 telnet
- ln -s /bin/busybox2 traceroute
Windows Share Access
While not a program, per se, the CIFS module from http://maemo.org/maemowiki/HowToAccessWindowsCIFS is one of those essential features that is necessary on any mobile testing platform. In addition, it is nice to connect to your own home file server over a wireless connection and stream music/movies to the device. The listed website includes instructions on how to get this module installed, but we list the short and sweet version below.
- Download the N800 version of CIFS from http://handhelds.org/~fanoush/maemo/cifs.N800.2.2006.51-6.tar.gz.
- Unpack it using tar xvzf <filename>
- Finally, type insmod ./cifs.ko to load the module.
At this point you can mount shares just like you would do in any standard Linux system.
Metasploit
The final program we want to assist you with getting installed is the highly dangerous and useful program known as Metasploit. Thankfully, HD Moore and David Maynor have provided the key components and instructions needed to make this a reality (http://www.erratasec.com/meta-n800.html). In summary, you need to download a custom version of Ruby, which is the framework Metasploit runs on, then download the latest version, strip the .svn components out on a separate Linux box (find . -name .svn -exec rm -fr {} \;), and copy it to your device via SD Card or scp.
Summary
If you have completed all these steps, you now are the proud owner of one Pimped out N800. Now it is time to take the device out on the road and enjoy some Linux-based fun and foolery. Of interest, these devices are picking up some ground, especially in the conference-attending security community. Keep in mind that having the tools is only half the equation. With the built-in wireless and Bluetooth capabilities and programs, it is trivial to turn your device into a handheld recon and attack tool that can play music, surf the internet, and display movies all at the same time.

