Having survived my week of orientation to work and gearing up for my first day as an actual penetration tester, I’m already slacking and having other people do my work for me. I haven’t actually done this myself, but I’ll certainly be getting one of those G1s to fool around with as soon as the paychecks from this real-life penetration tester gig start coming. On with the tutorial:

Here are instructions for turning a G1 phone into a rogue wireless AP and sniffing the packets of your victims. Note that the only packets sniffed during the sessions described here belonged to the author.
This is presented purely for educational purposes and so on and so forth amen.

This simple exploit isn’t based on any new ideas, and it uses only out-of-the-box materials. But it is entertaining, and as far as I know I thought of it first. It might be that other people who thought of it didn’t think it was even worth mentioning, or it might be that they’re up to something nefarious and don’t want to spill the beans.

Materials needed:

1. A rooted G1 phone with a data connection. See http://www.androidfanatic.com for explanations of how to get root access to your G1 phone and links to the necessary files. Also see http://forum.xda-developers.com/forumdisplay.php?f=448 for useful instructions and downloads relating to root access. This subject is worthy of any number of tutorials in its own right. There are dozens of community-developed ROMs for the phone at this point.

2. A Debian installation on your G1. See http://www.androidfanatic.com for instructions and downloads relating to this. Our Debian disk image is 3.5 GB. Significant space is required for saving captures, so you ought to resize the out-of-the-box image following the instructions found on http://www.androidfanatic.com. See also Saurik’s page for information from the originator of the Debian-on-G1 hack. The size is limited by the fact that the VFAT filesystem on the SD card has a 4 GB limit on file sizes. This may have been addressed in some of the more current ROMs, which may patch the Android kernel to allow it to use ext2 and ext3 filesystems. I haven’t had time to look into this yet.

3. A wifi tethering application for your G1. I know of two free ones. The one used in this demo is aNetShare, available from http://android.a0soft.com/aNetShare-v2-30-20090326.apk. The other one is called “wireless tether for root users”. This project has been successfully tested with this app as well. It is available for download at http://code.google.com/p/android-wifi-tether/. The various paid tethering apps are untested.

4. tshark installed in Debian on the phone. Use aptitude or whatever you like to do this. Note that tshark is the no-GUI version of the justly famed Wireshark.

5. A public place where people might expect to find free wifi.

What to do:

1. Set the SSID of the tethering app to something appropriate.

1.5 Boot up Debian on the phone.

2. Invoke tshark in the Debian terminal emulator. For the full contents of packets dumped to a file, use

tshark -V -i rmnet0 > filename-to-dump-to

For summaries of packets, use

tshark -i rmnet0 > filename-to-dump-to

I figured out the name of the interface to listen on using ifconfig.
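Both commands above redirect tshark's text rendering into a file; that text is not a capture file, so if the dump is to be opened in Wireshark later (as step 3 suggests), tshark -i rmnet0 -w filename.pcap writes one instead. The educational point of the exercise is what an access point operator sees of the traffic passing through it. The following script is an added example, not part of the original post: it parses the one-line-per-packet summary that the second command produces and reports which of the captured conversations ran over cleartext protocols (readable by whoever runs the AP) versus encrypted ones. The sample lines embedded in it are constructed for the example, use documentation address ranges, and are not a real capture; the protocol sets are an assumption chosen for illustration, not an exhaustive list.

```python
"""Audit a tshark summary dump for traffic an untrusted access point could read.

Parses the one-line-per-packet output of `tshark -i <iface> > file` (tshark's
default summary format) and groups frames by whether their protocol carries
content in the clear.  Sample input below is constructed, not a real capture.
"""
import re
from collections import Counter

# Assumed classification for the example: content visible to the AP operator.
CLEARTEXT = {"HTTP", "FTP", "TELNET", "POP", "IMAP", "SMTP", "DNS"}
# Payload hidden from the AP operator (endpoints and timing still leak).
ENCRYPTED = {"SSL", "SSLv3", "TLSv1", "TLSv1.2", "TLSv1.3", "SSH", "SSHv2"}

# Summary line layout: frame number, timestamp, src, "->", dst, protocol, info.
LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<proto>\S+)\s*(?P<info>.*)$"
)
# HTTP request line inside the info column, e.g. "GET /path?x=1 HTTP/1.1".
HTTP_REQ_RE = re.compile(r"^(?:GET|POST|HEAD|PUT)\s+(?P<path>\S+)")

# Constructed sample dump (documentation IP ranges, no real hosts).
SAMPLE = """\
  1   0.000000 10.0.0.12 -> 10.0.0.1      DNS Standard query A www.example.com
  2   0.012345 10.0.0.1 -> 10.0.0.12      DNS Standard query response A 93.184.216.34
  3   0.020000 10.0.0.12 -> 93.184.216.34 TCP 51234 > http [SYN] Seq=0 Win=5840 Len=0
  4   0.050000 10.0.0.12 -> 93.184.216.34 HTTP GET /login?user=alice&session=abc123 HTTP/1.1
  5   0.090000 93.184.216.34 -> 10.0.0.12 HTTP HTTP/1.1 200 OK  (text/html)
  6   0.120000 10.0.0.12 -> 198.51.100.7  TLSv1 Client Hello
  7   0.150000 198.51.100.7 -> 10.0.0.12  TLSv1 Server Hello, Certificate, Server Hello Done
  8   0.200000 10.0.0.12 -> 203.0.113.5   FTP Request: USER anonymous
"""


def parse_summary(text):
    """Yield one dict per parsable summary line; unparsable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def exposure_report(text):
    """Summarise what an on-path AP operator could read from the dump.

    Returns a dict with per-protocol frame counts for cleartext, encrypted
    and other traffic, the frame numbers of cleartext frames, and any HTTP
    request paths that carried parameters in the URL (they travel unencrypted).
    """
    clear, enc, other = Counter(), Counter(), Counter()
    clear_frames, urls_with_params = [], []
    for rec in parse_summary(text):
        proto = rec["proto"]
        if proto in CLEARTEXT:
            clear[proto] += 1
            clear_frames.append(int(rec["frame"]))
            if proto == "HTTP":
                req = HTTP_REQ_RE.match(rec["info"])
                if req and "?" in req.group("path"):
                    urls_with_params.append(req.group("path"))
        elif proto in ENCRYPTED:
            enc[proto] += 1
        else:
            other[proto] += 1
    return {
        "cleartext": dict(clear),
        "encrypted": dict(enc),
        "other": dict(other),
        "cleartext_frames": clear_frames,
        "urls_with_params": urls_with_params,
    }


if __name__ == "__main__":
    # Run against the constructed sample; point it at a real dump with
    # exposure_report(open(path).read()) to audit your own traffic.
    report = exposure_report(SAMPLE)
    print("cleartext protocols :", report["cleartext"])
    print("encrypted protocols :", report["encrypted"])
    print("cleartext frames    :", report["cleartext_frames"])
    print("URLs with params    :", report["urls_with_params"])
```

Running it over a dump of your own browsing session through the phone shows quickly how much of an ordinary session (DNS lookups, plain HTTP, FTP logins) is readable to whoever owns the access point, and how little of a TLS session is beyond the endpoints and handshake.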

3. There is some art involved in getting files out of the Debian filesystem and making them accessible to Android and the phone apps. It can be done, but this isn’t a Debian-on-Android tutorial. The dumps can be read with less, more, cat, vi, tshark itself, and so on. If you follow the instructions on http://www.androidfanatic.com to install an X Window implementation over your Debian, it is even possible to use Wireshark to analyze the packet dumps, although it taxes the limited resources of the phone.

4. Exercise: install driftnet in your Debian-on-Android and use it to capture and reassemble images and music files from the TCP stream through your phone. This turns out to be quite simple, and often hilarious.

Directions for further research:

1. Dsniff and associated applications.

Finally: use this only for good and not for evil, and have fun! If you find these two goals to be mutually exclusive, then God help save your mortal soul…

papelarroz@foutu.org

Five days of content has quickly turned into five posts before the end of the weekend. Look out for the second half of setting up BackTrack on the Asus Eee 901 directly, with some foolery with a MadWifi access point to follow as soon as I quit breaking networking on the remote machine.

Georgia