Nokia N900 – pentester’s multitool in your pocket

I was very patient and waited for this device for some time. Despite of time flowing without mercy – Nokia N900 still does the job. It’s potential is amazing, believe me. N900 is run by Maemo 5 OS which is based on Debian Linux distro. Wide variety of packages dedicated for N900 or ARM architecture allows us to quickly find all the tools we need.

Phone is quite fat, but still – looks small comparising with modern smartphone.

Nokia N900 and Sony Xperia Z2

Removable BL-5J battery with capacity of 1320 mAh allows me to use phone actively for about 12h. Currently I got no sim inserted into it.

Worth mentioning, that there are projects which are supposed to be kind of N900 successor. Take a peek:
Pyra Handheld
Gemini PDA

First of all – change root password and add a line to /etc/sudoers to make your user become superuser quickly (command: echo “user ALL = NOPASSWD: ALL” >> /etc/sudoers should do the trick). Now you can use (sudo / sudo -i) commands. Get a bash package and ssh server to manage your phone easily.

Let’s presume that we would use Nokia N900 as a mobile tool to analyze and sniff network traffic (tcpdump / wireshark / dsniff), phishing (ghost-phisher / ettercap), creating fake AP (aircrack), MITM attacks (arpspoof / ettercap / sslstrip / driftnet), pentesting wireless networks (aircrack / reaver / wpscrack) and work with Metasploit framework. N900 is quite responsive, it has a decent wireless card, ARM architecture with many repositories available. This phone goes well in pair with mAP Lite from previous article – MikroTik mAP Lite – smallest credential harvester. Selective deauth attack can force users to join to our network, N900 also works flawlessly as a fake AP with data harvester as well. Options are almost unlimited. It’s very important that profiling your attack towards its target makes it extremely efficient.

I won’t guide you through packet installation processes – you need different tools that I do. It’s up to you.
Now for the fun part. All attacks were done within my own network.

Kismet (Kismet – main page is a great wireless reconnaissance tool. Definitely worth noticing.

Kismet on Nokia N900

Wireless module TI WL-1251 is capable of packet injection, but it needs modified drivers to do so. It is necessary to have it enabled while using aircrack package. “Power kernel” package should provide everything you need. Airodump while listening to wireless networks nearby in action…

Airodump (aircrack package) running

I created WEP ciphered (104 bits) wireless network with an SSID: “PEW” for a test using MikroTik 951Ui-2HnD.

Tiny wireless lab

Successful attack on a WEP-enabled network took N900 about 9 minutes. To make it quicker and more efficient I used aireplay and generated bogus arp traffic from one of connected stations.

Collecting packets with IV vector took ~8 minutes. Cracking WEP took 55 seconds while using PTW method

Networks secured with WEP cipher method are currently unusual. You can attack WPA/WPA2 enabled networks of course, however it will take massively more time. Maemo system allows you to install and use reaver to exploit WPS vulnerabilities. There are many ways.

I mentioned deauth attack some sentences ago. Management frames in wireless networks are transmitted unciphered which allows us to inject them into network and diconnect certain / all users.

Just after the attack you can see packet loss and lack of wireless connection icon

Here is a taste of a MITM attack in my network. Take a look at captured credential for a FTP service.

Ettercap on left, wireshark on right

N900 can run GIMP or even OpenOffice applications. It’s obvious that using them is uncomfortable but it shows that there are almost no limitations. You can also run CorsixTH (Theme Hospital port) – works flawlessly 🙂

You also have a infrared port, video out and 32GB of internal memory for your use. Currently you can buy N900 for about 25 – 50$ (depends on a condition). I think it’s worth to get this device in your hands.

I will also mention, that my previous project is doing well and soon I will share with you about it’s result.

Another access points running…

Leave a Reply

Your email address will not be published. Required fields are marked *