Turning a Sharp Zaurus into a penetration tool
This tutorial shows how to get various popular security tools running on the Sharp Zaurus PDA. I have a strong interest in computer security and love futzing around with technology. Most of the best network security and penetration testing tools are written for *nix environments, so when I heard about the Sharp Zaurus, a PDA that runs Linux out of the box, it piqued my interest. The Zaurus makes a great hacking tool, and the price of the older 5500 keeps dropping (I got mine with a WiFi card and a modem for about $200 off eBay). Below are the security tools I have running on my Zaurus 5500, the hoops I had to jump through to install them, and some notes on how to use them. My testing environment is a Zaurus 5500 running OpenZaurus, but most of this should also apply to other Zaurus models and to iPAQs and Axims running some flavor of ARM Linux. I had a devil of a time installing some of these apps, so I hope these notes help. If you just want a PDA, buy a Pocket PC or a Palm; if you like Linux and networking, definitely go for a Zaurus. If any of the information on this page becomes out of date, please email me at Irongeek@irongeek.com or leave a message in my tech forum so I can update it.
Apps I will be covering:
General OS Info
Change your MAC Address
Scanners and Packet Tools
General OS Info
Irongeek's Test Environment:
Sharp Zaurus 5500
Ambicom WL1100C-CF 802.11b Wi-Fi card
TRENDnet/TRENDware TE-CF100 10/100 Ethernet card
OpenZaurus 3.3.6 Pre-1
Packages: http://www.openzaurus.org/official/e...1-2.4.18-gcc3/ (for 5500)
My Mirror: http://tux.ius.edu/zaurus/oz/3.3.6-pre1-gcc3/ (for 5500)
The OpenZaurus ROM gives you more options than the Sharp ROM, and it is said to have better hardware support. It's fairly easy to install: copy the root file system (initrd.bin) and kernel (zImage) you want to a CF card and hit the hard reset button while holding down C and D on the keyboard (if you have big paws it can be tough). See the install guide here: http://www.openzaurus.org/oz_website...t/installGUIde . I went with OZ 3.3.6 because it was easier to get Wellenreiter II working out of the box than with some of OpenZaurus' better-tested ROMs.

You can add packages by putting them on an SD/CF card and using the Packages app or the ipkg command line tool. The Packages tool can also install IPKs from the website. Many of the following apps need libpcap to function. Before you install any of the packages I have mirrored, check the directories at the OpenZaurus site ( http://www.openzaurus.org/official/ ) to see if there are newer versions available.

One downside to OZ 3.3.6-pre1-gcc3 is that it was built with gcc 3.3.2, so binaries built with the older gcc need the compatibility libraries from http://www.mithis.com/zaurus/ipkgs/ (my mirror is here). You will know you have a compatibility problem when you get an error like "undefined symbol: _7QString.shared_null". The GUI tool that comes with the compatibility libraries does not always seem to work, so what I do is edit the .desktop files and add "runcompat" in front of whatever the exec= line points to (see my example in the Zethereal section).

Update 3/15/2004: Tim Ansell (aka Mithro) of the OZ-compat project sent me the following notes that might help you with GCC compatibility problems:
I was reading your oz-compat pages (as I like to look at how people are using my packages) and found the following information:
"The GUI tool that comes with the compatibility libraries does not always seem to work so what I do is edit the .desktop files and add "runcompat" in front of whatever the exec= line points to (see my example in the Zethereal section)."
There is actually a better way to do this: if you go to the console and do a "makecompat <binary>" it will link up that binary to the compat libs.
I would also like to know more information on where that script fails so I can fix it.
I really need to do a quick C++ application instead of being horribly dependent on the old and unmaintained opie-sh. (I plan to eventually rework and replace opie-sh with a better opie-sh.)
Anyway I thought I would just inform you of this.
Tim aka Mithro

Some general tips:
1. Make sure you have a good text editor like Nano installed so you can edit system files; the text editor from the GUI is flaky as hell.
2. The first thing you should do after installing OZ is give the root account a password using the passwd command, so that a Zaurus you carry onto other people's networks is not sitting there with an open root account.
3. Fn-C acts as Ctrl-C would on the desktop.
4. Make sure you have a good SSH and SFTP program on your box. In Windows I use PuTTY for SSH and FileZilla for SFTPing files. I use EditPad Lite for editing system files on my Windows box; it does not screw up Unix style line feeds.
5. Keep the backlight low to extend battery life, and when you are wardriving set suspend mode to only turn off the LCD so the card keeps capturing.
6. Space is limited; get yourself an SD card to log information to.
7. Install libpcap; almost all of these apps need it.
Change your MAC Address
Here is how to change your MAC address in OpenZaurus. I use these two commands:
ifconfig wlan0 down hw ether 0:0a:0a:a0:a0:a0
ifconfig wlan0 up
This sets your wlan0 interface to use the MAC 0:0a:0a:a0:a0:a0. It is useful for impersonating a client you have sniffed in order to get past MAC address restrictions on an access point (find valid addresses by sniffing for them), and it makes your traffic harder to trace back to your hardware. Afterwards, check the HWaddr line in the output of ifconfig wlan0 to make sure the driver actually accepted the change.
Wellenreiter II
My Mirror: http://tux.ius.edu/zaurus/wellenreiter/
This is an ass-kicking application that is still in active development by Michael Lauer; check his site regularly for updated packages. Wellenreiter II is a great tool for wardriving: it not only shows you the APs but also the other devices attaching to those APs, and you can get a dump of some of the traffic being passed. Before you try to install this app, make sure you install:
When you first run it, give it about 5 seconds so it can pop up the message about killing the DHCP client; once DHCP is killed it works a lot better.
Mark Lachniet wrote me with the following advice; apparently running Wellenreiter II from an SD card can cause problems with the GUI. Here's his advice:
I un-installed from my SD card and re-installed on RAM. It looks like this fixed the problem - it's very responsive and doesn't crash OPIE any more. Apparently the SD card was too slow to handle some kind of program data caching, etc. That might be worth a FYI on your web page.
Thanks again for the help,
Thanks for the help, Mark.
Kismet
My Mirror: http://tux.ius.edu/zaurus/
Kismet, you know it, you love it. Kismet is one of the most popular wardriving tools for Linux. It's great because it can do passive RF monitoring and pick up APs that are not broadcasting their SSID.
If you install version 2.8 it's pretty easy. To run it go into Konsole and type:
Hit the "h" key while it is running to bring up help. A dump of information is kept in /root/ for you to look at later if you want.
Running the newer version is a little more complicated. First install version 3.1. Once Kismet is installed, overwrite the old kismet.conf (/mnt/ram/usr/local/etc/kismet.conf; it could be in a different path depending on where you installed it) with my kismet.conf. Basically all I did was tell it to use hostap and turn off the GPS functionality; you may have to make some changes if you don't use a Prism-based card (look for the "source=" setting).
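As an added illustration (this is not the author's kismet.conf, which is not reproduced on this page), the two changes described above look like this in the Kismet 3.x configuration syntax. The interface name wlan0 and the source label are assumptions, so compare against the sample kismet.conf shipped with your version before using it:

```ini
# Added example fragment for kismet.conf (Kismet 3.x syntax); not the
# author's file.  Format is source=<driver>,<interface>,<label>; the
# interface and label here are assumptions for a Prism card under hostap.
source=hostap,wlan0,prismsource
# No GPS on the Zaurus setup described, so stop Kismet looking for gpsd.
gps=false
```

If Kismet starts but shows no networks, the source= line is the first thing to check: the driver type must match what your card is actually using (hostap here), not just the interface name.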
Next edit the kismet script:
and add the following line right after "#!/bin/sh"
Now all you should have to do is drop out to Konsole and type:
You should now see the Kismet interface we all know and love.
FPCat has made his own package that can be downloaded from http://members.rogers.com/fpcat/kism...v4l-xscale.ipk ; he says you will still need to tweak the kismet.conf file.
I like to use the ncurses interface, but if you want to use Kismet-qt you will have to set it up so that it uses the compatibility libraries (see my entry on Zethereal). It's easy enough to do: install the compatibility libraries and Kismet-qt, then edit the desktop file:
and change the exec line to read:
Once that is done, restart Opie and the Kismet-qt icon should work.
Zethereal
My Mirror: http://tux.ius.edu/zaurus/zethereal/
Zethereal is Ethereal for the Zaurus. It's a good little sniffer/protocol analyzer. All the binaries I've found for it are compiled with the old gcc, so you will have to use the compatibility libraries. Make sure you have installed libpcap, then install the ipk in my mirror (provided by Dan L). You will also need to install libglib (my mirror of libglib, borrowed from Debian) and do some symlinking to get it to work. I installed it from the SD card as follows (run the ln commands from /usr/lib so the links land in the library path):
ipkg -force-depends -d ram install /mnt/card/libglib1.2_1.2.10-9_arm.ipk
ln -s /mnt/ram/usr/lib/libglib-1.2.so.0
ln -s /mnt/ram/usr/lib/libglib-1.2.so.0.0.10
ln -s /mnt/ram/usr/lib/libgmodule-1.2.so.0
ln -s /mnt/ram/usr/lib/libgmodule-1.2.so.0.0.10
ln -s /mnt/ram/usr/lib/libgthread-1.2.so.0
ln -s /mnt/ram/usr/lib/libgthread-1.2.so.0.0.10
Since this was built with the old gcc you will have to edit the .desktop file:
and change the exec line to read:
Restart Opie and it should all work. By the way, if for some reason installing the IPK does not put icons in the GUI, do the following:
ln -s /mnt/ram/usr/bin/zethereal-1.0-arm /usr/bin/
ln -s /mnt/ram/opt/QtPalmtop/pics/zethereal.png /opt/QtPalmtop/pics/
ln -s /mnt/ram/opt/QtPalmtop/apps/Applications/zethereal.desktop /opt/QtPalmtop/apps/Applications/
then restart Opie.
Ettercap
My Mirror: http://tux.ius.edu/zaurus/ettercap/
I found that you can get the Debian ARM packages to work on the Zaurus if you just rename them with .ipk on the end. Make sure you have installed libpcap. To install you will have to force dependencies and symlink as follows (your paths may vary; I installed Ettercap off of an SD card):
ipkg -force-depends -d ram install /mnt/card/ettercap_0.6.b-2_arm.ipk
ipkg -force-depends -d ram install /mnt/card/ettercap-common_0.6.b-2_arm.ipk
ln -s /mnt/ram/etc/ettercap/ /etc/ettercap
ln -s /mnt/ram/usr/sbin/ettercap /usr/sbin/ettercap
(Pics are on the website listed at the bottom of the tutorial.) The first pic shows the flags needed to do a password capture with the IP-based sniffing method in command line mode. To see it in its non-command-line mode (2nd pic), make sure you turn off wrapping under the Options menu of Konsole and that the onscreen keyboard is not up; otherwise you get an error like "Screen must be at least 25x80 !!". If you get an error about not being able to find etter.ssl.crt, make sure you ran the symlink command above. I'm still having problems getting it to do IP forwarding, even if I do a:
echo 1 > /proc/sys/net/ipv4/ip_forward
I'll try to let you know more when I get more time for testing; it may just be that it does not work with Wi-Fi (I have a 10/100 Ethernet card on the way for testing). For the time being, when it ARP spoofs the two hosts it kills all communication between them. If Ettercap tries to sniff the USB connection (which is most likely not what you want), specify the interface to use with the "-i" option:
If Ettercap loads too slowly because of host name resolution, just turn it off using the "-d" option.
Update 2/6/04: OK, after testing it with a 10/100 Ethernet card, Ettercap still does not work for catching passwords. It must be something Zaurus specific, because I got the package from Debian and I'm sure they tested it on other ARM platforms. For right now Ettercap on the Zaurus is only good for fingerprinting computers and for killing their net access (packet forwarding does not seem to work). I'll have to try the Dsniff package to see if I can get it to work better.
Ngrep
My Mirror: http://tux.ius.edu/zaurus/bin/ngrep
Ngrep is basically grep for network packets. It has a lot of filter options, so check out the webpage for all of them. The link above is to a binary: copy it to some place like /mnt/ram/usr/bin/ and symlink it to somewhere in your path ( ln -s /mnt/ram/usr/bin/ngrep /bin/ngrep ). If you want to save the information instead of showing it on the screen, use a command like:
ngrep > /mnt/card/ngrep.log
to redirect it to a file for later viewing.
TCPDump
My Mirror: http://tux.ius.edu/zaurus/tcpdump_3....-strongarm.ipk
John H. Sawyer pointed out that I did not list tcpdump, so here it is. Not a bad little command line sniffer. See all of the options here: http://www.tcpdump.org/tcpdump_man.html
Nmap
My Mirror: http://tux.ius.edu/zaurus/nmap/
Once again an older version of nmap, but still pretty good. I need to see if I can compile a newer version. Nmap is a command line tool, but the qpenmap front end makes it easier to use. Try entering something like 192.168.*.* to scan a whole range of IPs. The only version I have found that has been directly ported is 3.27, but you can get the newer Debian ARM packages to work by downloading them from http://tux.ius.edu/zaurus/nmap/nmap3.50-1/ and following these instructions to install them:
1. Copy libpcre3_4.3-4_arm.ipk and nmap_3.50-1_arm.ipk to a CF or SD card, then change directory into whatever card you put them on.
2. Install libpcre3 and symlink it:
ipkg -force-depends -d ram install libpcre3_4.3-4_arm.ipk
ln -s /mnt/ram/usr/lib/libpcre* /usr/lib/
3. Install nmap 3.50-1 and symlink it and its support files:
ipkg -force-depends -d ram install nmap_3.50-1_arm.ipk
ln -s /mnt/ram/usr/bin/nmap /usr/bin/
ln -s /mnt/ram/usr/share/nmap /usr/share/nmap
You can find the full man page for nmap at http://www.insecure.org/nmap/data/nmap_manpage.html but here are a few useful flags:
-P0 Don't ping first; useful because a lot of hosts drop ICMP echo requests these days.
-O Do OS detection
-e Specify an interface (eth0, wlan0, etc.)
-sV Version scan; find out the version of a service that is running
Nemesis
My Mirror: http://tux.ius.edu/zaurus/nemesis/
Nemesis is a packet injection utility. It lets you spoof other hosts and generally cause confusion on the network. I just took the Debian ARM packages and renamed them with .ipk on the end. The package comes with the following utilities:
To install from the SD card:
ipkg -force-depends -d ram install /mnt/card/nemesis_1.32-5_arm.ipk
then symlink everything somewhere in your path:
ln -s /mnt/ram/usr/sbin/n* /bin/
One cool use is to fake out an IDS. If I used the command
nemesis-tcp -x 1025 -y 22 -S 184.108.40.206 -D 220.127.116.11
it would make it look as if Microsoft.com was attacking the target host. Here is an example of a script I wrote that can be used to make it look like another host is doing a port scan:
frame.sh (just copy the content below)
#!/bin/sh
# One spoofed SYN (-fS) from $1 to each port on $2; any replies go to $1, not to you.
for port in 21 22 23 25 80 138 139 6776 10008 31337
do
    nemesis-tcp -x 1025 -y $port -fS -S $1 -D $2
done
Copy all that into a text file, chmod +x it, and use it by issuing a command like
frame.sh Framed_IP Target_IP
You will most likely want to change your MAC address first, since on the local segment the Ethernet frames still carry your card's real source address.
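To show what frame.sh is actually putting on the wire, here is an added example (not code from the original tutorial or from the nemesis project) that builds the same spoofed TCP SYNs by hand, including the IP and TCP checksums that nemesis-tcp fills in for you, and checks them before anything is sent. All addresses and ports in it are constructed sample values; sending (send=True) needs root and a raw socket, and the default is a dry run that only returns the packets.

```python
"""Hand-built spoofed TCP SYNs, the packet-level equivalent of frame.sh.

Added example, not code from the original tutorial or from the nemesis
project.  All addresses and ports below are constructed sample values.
"""
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int,
              ident: int = 0x1234, seq: int = 0) -> bytes:
    """IPv4 header + 20-byte TCP SYN with whatever source address the caller
    supplies.  Nothing at this layer checks that src_ip is ours; that is the
    whole trick behind -S in nemesis-tcp."""
    src = socket.inet_aton(src_ip)
    dst = socket.inet_aton(dst_ip)
    # TCP: sport, dport, seq, ack, data offset (5 words), flags (SYN=0x02),
    # window, checksum (0 for now), urgent pointer
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02,
                      8192, 0, 0)
    # The TCP checksum also covers a pseudo-header: src, dst, zero, proto, len
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4: ver/ihl, tos, total length, id, flags/frag, ttl, proto,
    # checksum (0 for now), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0, 64,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def verify(packet: bytes) -> bool:
    """Recompute both checksums with the checksum fields included; a correct
    packet sums to zero for each.  Run this before trusting a crafted packet,
    since a bad checksum gets the packet silently dropped by the target."""
    ip, tcp = packet[:20], packet[20:]
    if checksum(ip) != 0:
        return False
    pseudo = ip[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return checksum(pseudo + tcp) == 0


def spoofed_scan(src_ip: str, dst_ip: str, ports, send: bool = False):
    """One spoofed SYN per port, like the frame.sh loop.  Replies (SYN/ACK or
    RST) go to src_ip, not to us, so this is a decoy, not a scan we can read.
    send=True needs root and a raw socket; the default is a dry run."""
    packets = [build_syn(src_ip, dst_ip, 1025, p) for p in ports]
    if send:
        raw = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
        raw.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        for pkt in packets:
            raw.sendto(pkt, (dst_ip, 0))
        raw.close()
    return packets


if __name__ == "__main__":
    # Dry run with constructed addresses: print the packets as hex.
    for pkt in spoofed_scan("192.0.2.10", "192.0.2.20", [21, 22, 80]):
        print(pkt.hex())
```

Two things worth taking from this: the spoofed address goes into the IP header only, so the Ethernet frame your card emits still carries your real MAC (which is why the MAC change above matters), and because the SYN/ACKs go back to the framed host you learn nothing about the target's ports from a decoy scan.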
That's about it. This tutorial was adapted from my notes page at: http://irongeek.com/i.php?submenu=za...rus/zaurusmain