Pwnie express Smartphone User manual

Pwn Phone User Manual

Note: The online version of this manual is maintained here:

http://www.pwnieexpress.com/support.html

Legal Stuff

●All Pwnie Express / Rapid Focus Security products are for legally authorized uses

only.

●By using this product you agree to the terms of the Rapid Focus Security EULA:

(http://pwnieexpress.com/pdfs/RFSEULA.pdf)

●As with any software application, any downloads/transfers of this software

are subject to export controls under the U.S. Commerce Department's Export

Administration Regulations (EAR). By using this software you certify your complete

understanding of and compliance with these regulations.

●This product contains both open source and proprietary software: Proprietary

software is distributed under the terms of the Rapid Focus Security EULA: (http://

pwnieexpress.com/pdfs/RFSEULA.pdf). Open source software is distributed under the

GNU General Public License: (http://www.gnu.org/licenses/gpl.html).

Features

● Comes with a wide variety of pen-testing tools installed with quick access shortcuts

● Supports wireless monitor mode and injection for WEP cracking

● Supports promiscuous mode for sniffing other traffic passively

● Man in the middle capabilities for intercepting network traffic

Tools Installed:

● Metasploit, Fasttrack, SET, Scapy, Nikto, SSLstrip, iodine

● Kismet, Aircrack-NG, Wifite, Wifizoo, GrimWEPa, Wepbuster

● Nmap, netcat, tcpdump, wireshark, tshark, Ettercap-NG, exploitDB, macchanger

● presencevnc client, x11vnc server, conky, tor, rdesktop, openvpn, netmon, iptables

Getting started

Make sure the keyboard is not slid out, otherwise you will be greeted with the backup menu.

Turn the phone on by holding the small power button on the top (between volume and camera

buttons) and sliding the side button on the right down. Phone will vibrate and white Nokia screen will

appear.

The first thing to get used to is the interface to the N900. The way it works it simple, but knowing a

few key things will greatly help in navigating. The main desktop screen will have most of the key pen-

testing tools available via convenient shortcut icons. There are 4 desktop screens by default.

Navigation

By tapping the upper left hand corner you will have access to multitasking between running

applications as well as different desktop areas. One of these areas is the main applications folder

where all applications with an icon are stored. This is where you will find things like the application

manager, file manager, and other general settings for the phone.

Also in the upper left hand corner to the right of the clock shows a battery and connection information.

If you tap here you will have access to wireless devices and a basic connection manager. Use this to

connect to wifi and Internet.

TIP: Once in an xterm shell, you can increase/decrease the font size with volume buttons.

Main pen-testing desktop screen (shortcuts left to right):

1. Conky – For seeing system usage and stats

2. Promiscuous_on_off – Script to turn promiscuous mode on and off for wlan0

3. xTerm rootshell – Root shell access to the /home/user/MyDocs/pwnphone folder

4. Macchanger - Rolls mac address of wireless card wlan0 and changes hostname to “DellPC”

5. Nmap – Cmd line version of Nmap

6. Zenmap – Gui version of Nmap

7. InjectionON – Loads drivers required for wireless packet injection

8. InjectionOFF – Unloads packet injection drivers and reloads normal wifi drivers

9. Airodump-ng – Quick access to wireless sniffer, running: airodump-ng wlan0

10. Kismet – Wireless sniffer / mapping tool

11. Wifite – Wireless automated attack tool

12. Wifizoo – Wireless tool to sniff active sessions on open wifi

13. Grimwepa – GUI front end tool used with the Aircrack-NG suite – wep/wpa cracking

14. Wepbuster – Automatically crack wireless WEP networks in range (be careful!)

15. Promiscuous mode on off button – Enables promiscuous mode on wlan0

16. Wireshark – Desktop shortcut – packet analyzer / sniffer

17. Tshark – CMD line version of wireshark – running on wlan0

18. Tcpdump – Run tcpdump on wlan0 (tcpdump -s0 -n -i wlan0)

19. SSLstrip – Tool used to strip websites of ssl and sniff credentials

20. Scapy – Scapy interface - interactive packet manipulation

21. Nikto – Web scanning tool

22. SET – Social Engineering Toolkit

23. Metasploit – CMD version of msf3 (msfconsole)

24. Metasploit-GUI – GUI version of msf3

25. Fasttrack – Automated pentesting tool

26. EttercapNG-Curses – Curses version of EttercapNG

27. EttercapNG-GUI – GUI version of EttercapNG

Admin desktop (left of main pen-testing desktop):

1. File manager – Maemo GUI file manager

2. FTPn900 – FTP client

3. GSM Mon – Monitor status of cell phone connection

4. Presence VNC – VNC client

5. Rdesktop – Remote desktop client

6. x11vnc – VNC server quick shortcut WARNING – no password set by default!

7. Reverse SSH shell – Will ask for hostname to connect to but must be setup – see below

8. Browser – Maemo Web browser

9. VIM – Vim editor

SSH access

● Username: root

● Default password: pwnphone

● Tools path: /home/user/MyDocs/pwnphone

● The rootshell shortcut will bring you to the tools path by default

● Some of the tools are in the path and can be run from anywhere, others are not

Wireless Promiscuous mode

● Promiscuous On/Off script is on desktop – icon has face with red hair and goggles, to the left

of the wireshark icon

● You can then run wireshark, tshark, tcpdump, or ettercap to see packets on the wireless

network that normally you wouldn’t see.

● To Manually Enable: ifconfig wlan0 promisc

● To Manually Disable: ifconfig wlan0 -promisc

Wireless Monitor mode

● Monitor mode allows for fully passive sniffing. As such, you can’t be actively connected to a

wireless network at the same time.

● Kismet and Airodump-ng will automatically put your wireless card in monitor mode. Just

remember you’ll need to put the wireless card wlan0 back into managed mode through

a rootshell terminal (or using Green hat icon on desktop) when you want to connect to a

network again.

Enable:

ifconfig wlan0 down

iwconfig wlan0 mode monitor

ifconfig up

Disable:

ifconfig down

iwconfig wlan0 mode managed

ifconfig up

Wireless packet injection

● For the N900 there are special drivers that support packet injection, but unfortunately when

enabled they also drain the power and battery life substantially.

● The default home screen contains quick shortcuts to enable/disable injection as needed:

InjectionON (red syringe):

This script loads the injection driver and puts the card into monitor mode. Once loaded, use

GrimWEPa or Aircrack-NG for WEP cracking, de-auth attacks, or handshake captures.

InjectionOFF (blue syringe):

This script unloads the injection driver and loads the default wireless driver (which still

supports monitor/promiscuous mode).

Kismet

1. Open the kismet icon (purple) on the desktop or from a shell. It will put your card in monitor

mode if it is not already.

2. The first thing it will ask you is 'Start Kismet Server'. Hit enter for 'Yes'.

3. Hit enter for 'Start'

4. Hit Tab, then enter to close console window and show main windows with networks.

5. Use the volume control buttons on the top of the phone to change the font size.

6. Use Esc to access the Kismet main menu which you can then control with the arrow keys.

7. Kismet will prompt you to use the built in GPS to log networks physical locations. If you do not

want to use this feature simply deny Kismet access to the GPS when it asks or disable the GPS

in the connections menu in upper left hand corner of the screen (where connection manager is

located).

8. Kismet will save logs automatically in many different formats where ever it is run from. If you

use the desktop shortcut, it will default to save them to the /home/user/MyDocs/ folder.

9. For more information on this tool please visit kismetwireless.net

Aircrack-NG suite

● The aircrack-ng suite comes with many different powerful tools to attack and sniff 802.11

wireless networks. There are many good tutorials on youtube and aircrack-ng.org.

● On the desktop, the airodump-ng wlan0 shortcut is great for doing site surveys, monitoring

signal strength, and viewing connected clients.

● Aircrack-NG on this phone is mainly used for WEP cracking and capturing WPA handshakes for

cracking on a more powerful system. If you are unfamiliar with cracking WEP, start with these

videos:

http://www.youtube.com/watch?v=qe1VuhGciSI

http://www.youtube.com/watch?v=oHq-cKoYcr8

● On the N900, the procedure is as follows:

1. [optional] Roll MAC address and hostname with thumbprint icon on desktop

2. Enable injection with the Injection_ON shortcut on the desktop (red syringe)

3. Run airodump-ng in rootshell as follows:

airodump-ng --ivs --bssid (mac address of router) -c (channel) -w (filename to write

to) wlan0

Example: airodump-ng --ivs --bssid 11:22:33:44:55:66 -c 6 -w test wlan0

4. In another rootshell terminal run the arp replay attack with:

aireplay-ng -3 -b 11:22:33:44:55:66 wlan0

5. In another rootshell terminal run the fake-auth attack with:

aireplay-ng -1 0 -a 11:22:33:44:55:66 wlan0

6. If this doesn't work, run a deauth attack (also used for obtaining wpa handshakes):

aireplay-ng -0 10 -a 11:22:33:44:55:66 wlan0

7. Or, de-auth a single client connected to the wireless network:

aireplay-ng -0 10 -a 11:22:33:44:55:66 -c 00:22:44:66:88:99 wlan0

8. Now go back to you terminal window running the arp replay attack and see if it is injecting

packets. If so, it will take 10,000 to 35,000 data packets captured (shown in airodump

window) to successfully crack the WEP key.

9. To attempt the WEP key crack:

aircrack-ng test.ivs (or whatever your capture file is named)

Grimwepa

Grimwepa is a great little java GUI front end to the Aircrack-NG suite. Basically run the first 2 steps in

the last process, rolling MAC address and hostname and turning injection on.

1. Open Grimwepa, if monitor mode is not enabled it will ask you to enable it, which means you

probably forgot to turn on injection ;).

2. Click 'refresh targets' which will automatically spawn airodump to start sniffing. Once you

have found a WEP network you wish to crack, switch back to the Grimwepa interface and

click 'stop scanning'.

3. Select from the list the network you wish to crack, then click 'use client in attack' select

under 'attack method' 'arp-replay'.

4. Then simply click 'start attack'. If everything goes well and you are close enough to

the access point, and there are clients connected, it should attack and crack everything

automatically. If not, you can try opening a separate rootshell terminal and running the

aireplay-ng fake auth and deauth attacks mentioned in the Aircrack-ng section above.

5. Grimpwepa automatically starts cracking once it has collected 10,000 data packets, so if it's a

128-bit WEP network you may need to just stop the cracking process and restart it.

Wifite

Wifite is an automated tool to attack wireless networks. It looks pretty and works OK.

1. To run it, first run airodump-ng wlan0 to start channel hopping, (desktop icon or from

terminal).

2. Then click the Wifite icon and watch it search for things to attack. Once it finds some stuff,

hit Ctrl+C to then move to the next stage of attacking. Note that you may have to use a

rootshell and navigate to it's folder and run it there:

cd /home/user/MyDocs/pwnphone/wireless/wifite

python2.5 wifite_r54.py

3. Use Ctrl C when ready and follow the menu prompts to proceed.

Wifizoo

Wifizoo can be used to sniff all sorts of open wireless traffic, especially active sessions and cookies. To

use it, run Airodump-ng or Kismet to channel hop, then open the icon on the desktop for Wifizoo. If

the browser doesn't show anything, just refresh it.

WepBuster

Wepbuster is a one click fully automated WEP cracking tool. To use, enable injection mode (red

syringe on desktop) and launch the icon (kakashi ninja) on the desktop. Currently this tool is set

to crack the capture file once 30000 ivs are reached, but you can change this value by editing the

wepbuster script itself. Or try running aircrack-ng against the generated capture file in the wepbuster

directory. To use:

● cd /home/user/MyDocs/pwnphone/wireless/wepbuster-1.0_beta/

● perl wepbuster [channel(s)]

● perl wepbuster [sort | connect] [hostname/ip address]

● perl wepbuster permute [OPTIONS]

● perl wepbuster --help (this will give you basic run options)

WARNING: WepBuster will automatically attempt to attack ANY wep networks within range!

Use at your own risk!

MITM with Ettercap and SSLstrip

1. Open Ettercap-NG GUI on desktop.

2. Select 'Sniff' and click 'Unified sniffing'

3. Select 'wlan0' and click 'OK'

4. Click 'Start' and then 'Start Sniffing'

5. Go to 'Hosts' and click 'Scan for Hosts'

6. Go to 'Hosts' and click 'Host list'

7. Select IP address of target computer to mitm and then click 'Add to Target 1'

8. Select Router IP (192.168.1.1 typically) and click 'Add to Target 2'

9. Go to 'Mitm' and click 'Arp Poisoning' and select the checkbox for 'Sniff remote connections'

click 'OK' (to stop arp-cache poisoning simply click on 'Mitm' and select 'Stop mitm')

10. Go to main desktop, open ssltrip shortcut.

11. tail -f /home/user/sslstrip.log

12. Credentials may show up in both Ettercap and /home/user/sslstrip.log

13. On a windows target machine, go to a cmd shell and run arp -a to see if mac address of

pwnphone is there (confirms arp-cache poisoning is working)

14. Open a browser and go to an HTTPS-enabled site to test if sslstrip is working.

Table of contents

Popular Cell Phone manuals by other brands

Nokia

Nokia 6700 classic user guide

LG L34C user guide

Ericsson

Ericsson T60d manual

Zte

Zte Score M user manual

Sony

Sony Xperia Z1 Compact Startup guide

AT AT-Q5 user manual

Vingtor

Vingtor ACM-M-A-V2 Installation/configuration

Olitech

Olitech EasyFlip 2 Quick setup guide

Zte

Zte Atrium Z793C user manual

Alcatel

Alcatel IDEAL manual

Zte

Zte BLADE A520 quick start guide

switel

switel M222 user manual

LG LG-P503 user guide

LG F2410 user guide

Argom

Argom E500 manual

Hisense

Hisense U30 user manual

Argom Tech

Argom Tech E401 user manual

Nokia

Nokia 3595 - Cell Phone - GSM Manual Del Usuario

PWNIE Express Smartphone User manual

Popular Cell Phone manuals by other brands