HOWTO: Ultra-mobile pentesting on a Linux PDA: the Zaurus SL-5500

[10goto10]

The following is an unedited copy/paste from an article I was writing for a blog. Unfortunately, due to little free time, I never got round to actually start my blog. I decided to post the unfinished article plus notes here, so it might help someone. The Zaurus is a cool little machine, and I loved working on it. Definately check this out if you're into ultra-mobile pentesting.

It's my gift to the Hak5 community :) Enjoy the article!

Ultra-mobile pentesting on a Linux PDA: the Zaurus SL-5500

I wanted a cheap, portable hacking plaything for when a PC or laptop was unavailable or unpractical. Think long breaks in the school canteen, waiting on your train at the station, or killing half an hour by peeking into the airwaves to see what the other hotel guest are doing. Times like those. I didn't want to "just" buy a new, expensive PDA, but rather see what alternatives are out there when you're on a budget, and what you can do to hack them. To "hack them" basically means running Linux on them, which opens a wide range of possibilities of apps you can install and use.

After googling to see what's out there, I came across several interesting devices. One I was seriously considering was the Zipit, which is basically a portable clamshell "toy" PDA for the sole purpose of chatting through MSN and Yahoo. It takes some soldering before you can put your own Linux on it, offering a limited but useful set of tools that can aid you in pen testing. I liked the robustness of the little PDA-like thing, the keyboard was acceptable, and I got mine for only $50 offa Ebay, but I haven't gotten round to the soldering. For now it remains a cool toy for personal messaging over open networks (or WEP encrypted ones -- if you know the key).

In my search for a cheap PDA I quickly came across the Zaurus SL-5500, a PDA that got mentioned on several security sites as the best pick for anybody who's serious about security but has a budget to stick to. The Zaurus SL-5500 has a small QWERTY keyboard that's hidden under the bottom part of the PDA, has a 240 x 320 screen and a StrongARM 206MHz processor. The 64MB internal memory can easily be expanded with a CF or SD card.

I found my Zaurus SL-5500 on Ebay for exactly $100. It came with everything except the original box, and if I wanted to do something as dull as managing appointments and addresses with the Zaurus, I would be good to go. The Zaurus comes with 64MB of Flash memory that's used for everything: storing the OS, memory, data and applications. That's not a lot, especially when you wanna install lots of apps that produce big log files, but the good news is you can get yourself extra space by plugging in both a CF and a SD memory card. I had both (a 64MB CF and a 500MB SD card) lying around, so I dedicated these to the Zaurus. The only thing left I really needed was something to pick up the wifi air waves.

You can plug a wireless card in the CF slot of the Zaurus. After googling a while for compatible wireless cards, I came across several brands and types that seemed to be easy to get to work. I found this important, as a weekend with a borrowed B-brand wireless CF card resulted in nothing but a headache and not a single byte my Zaurus picked out of the air. I settled for a Linksys WCF12, which worked a whole lot better. Now all the hardware ingredients were complete, I could move on to install the software.

After plugging in your wifi card, take a look at the network settings and see how your card is regonised. It should be wlan0, but some cards are recognised as eth0. To fix this, check this wiki entry: http://wiki.openzaurus.org/FAQ#WiFi_related_questions . [ Remake hostap_cs.conf file to get your card recognised as wlan0 ] [ More on configuring your wifi card: http://wiki.openzaurus.org/HowTos/WPA ]

The OpenZaurus community has already achieved a lot, but there is still much to be done. If you're looking for a project to sink your teeth in, check out the wiki for a list of things that need testing or developing. At the moment, there's even a cash bounty price for the person who writes a driver for SD cards over 1GB! Cold, hard cash!

Don't expect the Zaurus to be too perfect. The hardware ofcourse is slightly oudated, and can't compete with a brand new clamshell PDA with built-in Bluetooth and 802.11g wireless adaptors. On the other hand, this makes the Zaurus suitable for taking just anywhere: no need to worry about scratching your precious little expensive gadget. Memory and wireless cards are cheap, and for the budget conscious hacker, this is one of the best machines out there at the moment. The software side has it's problems too. Openzaurus is a great platform, and Opie is a great interface, but they're just not as stable as you'd hope. More than once did applications just crash, or did I have to "fix" my wireless card by just pulling it out and reinserting it - which sometimes helped, sometimes not. Going in- and out of suspend mode is a tricky thing too, and only half of my reboots went okay.

As far as possibilities go, I have only scratched the surface. For me this was a learning process, so I had to start at the very beginning. What you could do with this little Linux machine, you ask? What about turning it into a mini portable access point, go to the airport and check out who wants to connect to you? Or walking around in a place full of open networks, attacking websites in total anonymity?

During all this testing and stuff, I noticed another thing: I actually got used to having my Zaurus in the cradle, hooked up to my Windows XP machine through the USB network connection. Whenever I wanted to work in Linux, I'd just SSH to my Zaurus and happily work from there. This sure beats having my old clunky PC humming in the corner of the room! The more I used my Zaurus, the less I actually used it as a portable device.

These are my rough, unedited notes on what I installed on my Zaurus:

Install OpenZaurus following these instructions: http://wiki.openzaurus.org/Collie/Install

I started out with Opie for my graphical interface. It looks similar to Sharp's original GUI for the SL-5500, and gives you more of a PDA-feel instead of a "small computer running Linux"-feel. But if the latter sounds more like your thing, try out GPE. It's supposed to be less mature and refined than Opie, but at least my Linksys WCF12 wireless card gets recognised properly and reliably.

Installing packages from the commandline is pretty easy with the ipkg package manager, which works much like apt-get. Installking packages from the GUI with the package manager never really went smooth for me.

For Opie, install Konqueror to have a browser in the GUI environement. Although it has it's flaws, it's adequate for simple browsing. Apparently it's also possible to get Opera to run, but I haven't tried that myself since Konqueror does the job for me.

Install Wellenreiter for a great tool for wardriving. It works in Opie, you get a neat GUI for it and it has plenty of options, so this tool alone basically just turned your Zaurus into a lean mean pocket size wardriving tool. ( ipkg install opie-wellenreiter )

Install Kismet. Change the kismet.conf to tell it which source to use (in my case: source=hostap,wlan0,hostap) ( ipkg install kismet )

Dsniff sniffs out passwords on the network, and includes more tools to to sniff our certain things like URLs. Irongeek has instructions on his site for installing Dsniff 2.4, and the packages list has version 2.3 which can easily be installed with ipkg install dsniff. I did just that, but some files were missing after the install. I fixed this by downloading the tar.gz from the Dsniff creator's site and moving the neccesary files to the Zaurus.

Ettercap is one of the many other tools you can just install with the ipkg package manager. Basically, check out Irongeek's website for a great list of useful tools. Don't be scared off by the installation instructions on his website, as you seem to be able to install most of those apps simply through the ipkg package manager.

Another simple way to get a whole bunch of security related tools on your Zaurus is downloading the Securus package. This is one big ZIP archive with statically linked binaries specifically for the Zaurus series, all tested on the SL-5500. Chances are that you won't need anything else than this. It takes up about 64 MB so be sure to copy it to your SD card. Not everything works right away (or at all). If you encounter too many problems, try to find the application in the package manager and install it that way. http://kost.com.hr/securus.php

To finish off, some links I found usefull:

Update the Zaurus and install Kismet:

http://www.minstrel.org.uk/papers/zaurus/

Customisation of OpenZaurus 3.5.2

http://www.purple.dropbear.id.au/node/97

Gentgeen's installation notes:

http://gentgeen.homelinux.org/cgi-bin/wiki...l?Install-Notes

And finally the awesome IronGeek and his very useful notes on this subject:

http://www.irongeek.com/i.php?submenu=zaur...urus/zaurusmain

Hopefully this helps some lonley Zaurus hacker out there and my time didn't go to waste ;)

[DingleBerries]

Great little article. I have a Palm TX and still play around with OPIE on it. OPIE runs great but the wireless still doesnt work. I might try and put one of these together for palm. Again great work.