Welcome to the 3rd post in my series of leveraging the power of the Nokia N900 utilizing opensource, cutting-edge security tools for espionage/ethical penetration testing.
As mentioned in my last article, I'm continuing to focus on available, easily installed and free tools. This post will cover more scary security-related applications for the Nokia N900, in particular the ability to control the N900 via SMS.
I've been scoping tools for the N900 that will place a call surreptitiously and will cover two here: BabyPhone and SMSCON.
BabyPhone for the N900 is a monitoring application that uses the N900's microphone to listen for a predefined noise threshold, like a baby crying, and then initiates a phone call to the configured number. From a potential espionage/pen-test standpoint, I found this an attractive application in the sense that it's useful to kick off a call when there's ambient noise in the target location, such as an executive conference room.
However, I had some problems with the microphone -- not with the sensing part that listens for noise and then initiates the call, but rather after the call was placed, I could not hear anything. This might be a issue with my phone, and some quick searches for others with this problem proved fruitless. Were the mic working, I might have stuck with this application and not looked further. In retrospect, it's fortunate that it did not work, as I was forced to look for other applications and found a killer one called SMSCON.
SMSCOM is an application that allows you to control your Nokia N900 via SMS messages to the phone. Clearly, from a espionage/pen-test perspective this kind of remote control over a cellular network using SMS is a powerful tool, and is basically allowing you to send SMS commands to a Linux box, which is what the N900 is at the end of the day. SMSCON is also useful as a poor man's Lojack in that the remote control aspects allow you to pull GPS data, take pictures of the perp who stole your phone, SMS the new SIM card information when a replacement SIM is inserted into the N900, etc.
SMSCON has a companion program called SMSCON-EDITOR which which provides some basic pre-configured options and templates to add in various parameters like phone number to call, email address, etc. There are some other options, such as a reverse SSH session from the phone to a SSH server, thereby allowing you to connect to the external SSH server, and then connect back to the N900 through the established SSH tunnel on the external server...very old skool but still slick and an effective means to traverse NAT, firewalls, etc.
Another SMSCON-EDITOR option allows you to kick off a Bash script on the N900 via SMS. Really, with all the bells and whistles and pretty GUI of SMSCON, this single function is the one single thing that a skilled attacker would need to do in using the N900 in a espionage/pen-test scenario. Think of leaving the N900 at a target site, and then sending the SMS to kick off your custom bash script that does any number of things, such as bluetooth scanning, firing up the N900 wireless adapter for sniffing, calling a phone, etc. One of the slickest scripts will send a SMS when the N900's keyboard is opened or closed, providing a useful means to determine if the target has discovered and is handling the N900 you covertly placed on-site for your espionage/pen-test engagement. Pure evil.
Of course, it would be great if all the functions and scripts worked right. With both the SMSCON and SMSCON-EDITOR programs plenty of functions that work, but some do not, and there are plenty of bugs and non-functioning glitches to SMSCON and SMSCON-EDITOR at this time. That said, the good news is that both projects are active and bugs are getting fixed. Both of these are definitely programs to watch, but even so, they have provided the basic framework from which to build your own tools that leverage the N900.
Use The Source
Especially useful about SMSCON is that it's written in a nice Python script. Having a plaintext script as opposed to a compiled binary is excellent as it allows a few things, such as seeing exactly what is going on under the covers. Wondering how the N900 sends a SMS? Read the script. How does the N900 access the front camera, take a photo of the user, and then email it? Read the script. How does the N900 make a cellular call? Read the script.
Overall, the usefulness of this written in Python is huge, and it allows the savvy user and coder to pull functionality from the SMSCON Python script and roll-your-own mini-tools to do specific actions on the N900. I'm not a coder, but even with my meager coding skills I can read through the well-documented and clean SMSCON Python code and figure out quite a bit.
If you're planning to use SMSCON be sure to check out the Maemo forum thread for SMSCON -- it will save you time and answer many of your questions.
Well, that's it for this post, hope you've enjoyed it and that the information helps broaden your view of what kinds of tools and software can be leveraged on COTS gear for espionage/pen-testing engagements. As for what's next, I've been working with some of the wireless tools like Aircrack-NG and Kismet on my N900 and will likely make that the next blog post, or soon thereafter, in this series.