Penetration Testing, also known as pentesting, is the practice of attacking a known computer system, with permission, in order to evaluate how strong its security really is. Often these systems are your own; companies also hire external pentesters to simulate an attack and see how well their infrastructure holds up.
A common misconception is that a lot of equipment is needed to perform a pentest. That isn't the case: today I'm going to show you how to set up a suite of pentesting software on an iPod Touch/iPhone, turning it into a mobile hacking platform. Please note that these instructions are for a jailbroken iPod.
This is the list of packages that will be loaded onto the iPod:
- MobileTerminal
- Ruby (plus subversion, rubygems, wget, python and APT)
- Metasploit
- Social Engineer Toolkit
- Aircrack-ng
- dsniff
- Ettercap-ng
- Nmap
- Stealth MAC
- Tcpdump
The first and most basic package is MobileTerminal. You can get it in the Cydia repositories.
On iOS version 4.1, there were some issues getting MobileTerminal to open correctly. To get around this, install MobileTerminal version 426, which is available on their website: download the .deb and install it by hand as root with dpkg -i. Here are some instructions on how to do this.
Ruby is necessary for packages such as Metasploit. To install it, either select it in Cydia or, if you have APT installed, run apt-get install ruby as root in MobileTerminal.
You're also going to need subversion, rubygems, wget, python, and APT.
Metasploit is a framework that allows for easy vulnerability exploitation, and even includes post exploitation tools. This install is done again using Cydia. Make sure you have the Telesphoreo repository enabled, and you can just select Metasploit to install. It takes care of all the updating and file placement for you.
Once it's installed, you can access it from MobileTerminal. First, log in as root:
su root
Next, start up the console:
msfconsole
From here, you have full access to Metasploit's features. You can use autopwn to try matching exploits against hosts you have already scanned, or craft standalone binaries to set up backdoors. You even have access to msfencode for Metasploit payload encoding. The entire Metasploit Framework is accessible on your iPod.
The Social Engineer Toolkit (SET) is a package that combines social engineering tactics with computer pentesting. It needs Ruby as well, but here you must install it manually (ruby_1.8.6 and rubygems_1.2.0) via dpkg rather than through Cydia. To install SET itself, we're going to use subversion. Open up MobileTerminal, go into your pentesting folder, and use subversion to check out a copy into a directory named SET:
svn co http://svn.thepentest.com/social_engineering_toolkit/ SET/
This checks out a working copy; it does not update itself, so to pull in later changes run svn update inside the SET directory. To use SET, enter the directory and run set as root:
su root
cd <SET Directory>
./set
Most features work, however I’ve encountered some troubles with the Java Applet. Hopefully, this should be fixed in future releases.
Aircrack-Ng is a software suite specializing in wireless attacks. It can be used to crack WEP passwords, capture packets, inject packets, and more. We’re going to use Cydia to get this, although we need to add our own repository. Go to Manage > Sources > Edit > Add and add http://theworm.altervista.org/cydia/ as a source. Allow Cydia to update the package information, and install aircrack-ng.
To use aircrack, open MobileTerminal. From there you can use all the software included in the suite, including airbase-ng, aircrack-ng, and airodump-ng. These tools are very valuable, as they allow for mobile wireless password cracking, spoofing, etc. One caveat: packet capture and injection only work if the wireless driver supports monitor mode and raw frame transmission, so check on your own device that airodump-ng actually sees traffic before relying on it in the field.
dsniff is a software suite best known for arpspoof, which lets an attacker send forged ARP replies that redirect other hosts' traffic through the attacker's machine. To install it, use TheWorm repository as shown in the aircrack-ng install section, then just select dsniff.
One interesting use of dsniff and arpspoof is to perform a DoS (denial of service) attack on a small network you own or are authorized to test. Run without a target (no -t), arpspoof tells every host on the LAN that the router's IP address lives at the iPod's MAC address; since the iPod isn't forwarding IP traffic, everything those hosts send toward the router is simply dropped. To find the router we will be spoofing, go to Settings > WiFi and tap the network you're connected to. The router IP is next to the field labeled "Router". To run the ARP spoof, type this as root into MobileTerminal:
arpspoof -i en0 <router IP>
Using arpspoof to run a DoS attack
You can confirm it is working from any other host on the network: arp -a there will now show the router's IP paired with the iPod's MAC address. To stop the DoS, hit Ctrl+C to kill arpspoof; on exit it re-announces the router's real MAC so the hosts' ARP caches recover.
Ettercap-ng is a software suite specializing in MITM (Man In The Middle) attacks. Ettercap-ng is included in TheWorm repository as shown above.
To use ettercap-ng, input commands into MobileTerminal. Documentation for ettercap-ng can be found here.
Nmap is a network tool that can be used to scan for hosts. It is included in the Telesphoreo repository, so just look for nmap in Cydia.
To use Nmap, you again need to input everything in MobileTerminal. A great tutorial for Nmap use can be found in our Nmap tutorial. It shows how to scan for hosts on a local network.
Stealth MAC is a utility for setting a custom MAC address for the wireless adapter at boot. This is useful for hiding or changing the identity of your iPod, since the MAC address is what access points and network logs record. Stealth MAC is included in the Telesphoreo repository, so just look for 'stealth mac' in Cydia.
To use Stealth MAC, edit the file /etc/stealthmac and change the line containing the example MAC address to whatever you like. Then run smac.sh and you will have the new MAC address from the next reboot on. Pick a locally administered unicast address (first octet with bit 1 set and bit 0 clear, i.e. a second hex digit of 2, 6, A or E) so you neither impersonate a real vendor OUI nor accidentally set the multicast bit.
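As an added example (not part of the original post or the Stealth MAC package), here is a small Python helper that generates an address with the locally-administered and unicast bits set correctly, refuses to write anything else, and swaps it into a config line. The exact layout of /etc/stealthmac is an assumption here: the code only expects one MAC-shaped token on a non-comment line, and the sample config text is constructed.

```python
"""Generate a valid locally administered unicast MAC and drop it into a
Stealth MAC-style config line. Added example; the config layout is assumed."""
import os
import re

# Six colon-separated hex pairs, e.g. 02:23:45:67:89:ab
MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}\b")


def random_local_mac(rand=os.urandom):
    """Six random bytes with bit 1 of the first octet set (locally administered)
    and bit 0 cleared (unicast). `rand` takes a byte count so a fixed byte
    source can be passed in for tests."""
    octets = bytearray(rand(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join("%02x" % o for o in octets)


def is_valid_local_unicast(mac):
    """True if `mac` parses and has the locally-administered bit set and the
    multicast bit clear in its first octet."""
    if not MAC_RE.fullmatch(mac):
        return False
    first = int(mac[:2], 16)
    return bool(first & 0x02) and not (first & 0x01)


def rewrite_mac(config_text, new_mac):
    """Replace the first MAC address found on a non-comment line.
    Assumption (not from the page): /etc/stealthmac keeps the address as the
    only MAC-shaped token on an active line, so a regex substitution is safe."""
    if not is_valid_local_unicast(new_mac):
        raise ValueError("refusing to write a multicast or globally administered address: " + new_mac)
    lines = config_text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.lstrip().startswith("#"):
            continue
        if MAC_RE.search(line):
            lines[i] = MAC_RE.sub(new_mac, line, count=1)
            return "".join(lines)
    raise ValueError("no MAC address line found in config")


# Constructed sample config; not the real contents of /etc/stealthmac.
SAMPLE_CONFIG = "# Stealth MAC example config\nMAC=00:11:22:33:44:55\n"

if __name__ == "__main__":
    # Print the rewritten config rather than touching the real file.
    print(rewrite_mac(SAMPLE_CONFIG, random_local_mac()), end="")
```

Redirect the printed output over /etc/stealthmac only once you have checked that the rest of the file survived the substitution, then run smac.sh as the page describes.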
Tcpdump is a program used as a packet analyzer, and can store and dump network traffic. On an iPod it is useful because it can sniff network traffic and dump it in a log file, which can be analyzed further on an actual computer. To install this, just look for ‘tcpdump’ in Cydia. Tcpdump is in the Telesphoreo repository.
To view the different options for running tcpdump, check out the online man page. Everything runs inside MobileTerminal. An example that captures packets on the WiFi interface and writes them to a dump file:
su root
tcpdump -i en0 -nnvvS -w dump.pcap
Here -nn turns off host and port name lookups (so the iPod doesn't generate DNS traffic of its own while sniffing), -vv adds verbose decoding, -S prints absolute TCP sequence numbers, and -w writes the raw packets to dump.pcap instead of printing them. Stop the capture with Ctrl+C.
The dump.pcap can then be analyzed using another program, like Wireshark.
Using Wireshark to analyze tcpdump data
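Wireshark is the comfortable way to read the dump, but the ARP-spoofing DoS from the dsniff section leaves a signature simple enough to find with a few lines of code: two different MAC addresses claiming the same IP in ARP replies. The following Python script is an added example (not from the original post, nor part of tcpdump or dsniff) that parses a classic pcap file as tcpdump -w writes it, checks every Ethernet/IPv4 ARP reply, and reports IPs claimed by more than one MAC. All addresses and the sample capture are constructed in the script; pass a real dump.pcap path as the first argument to run it on your own capture. It handles only the classic pcap format and Ethernet link type, not pcapng.

```python
"""Minimal classic-pcap reader that flags ARP spoofing: more than one MAC
claiming the same IP address in ARP replies. Added example."""
import struct
import sys
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap magic number
LINKTYPE_ETHERNET = 1
ETHERTYPE_ARP = 0x0806
ARP_OP_REPLY = 2


def mac_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))


def ip_bytes(text):
    return bytes(int(part) for part in text.split("."))


def mac_text(raw):
    return ":".join("%02x" % b for b in raw)


def ip_text(raw):
    return ".".join(str(b) for b in raw)


def arp_reply_frame(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply saying 'sender_ip is-at sender_mac'."""
    ethernet = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_OP_REPLY)   # htype, ptype, hlen, plen, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return ethernet + arp


def build_pcap(frames):
    """Wrap raw frames in a little-endian classic pcap file image, one second apart."""
    data = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        data += struct.pack("<IIII", 1000000 + i, 0, len(frame), len(frame)) + frame
    return data


def iter_frames(data):
    """Yield (timestamp_seconds, frame_bytes) for every record in a classic pcap image."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:         # same magic written big-endian
        order = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(order + "I", data, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are supported")
    offset = 24                       # end of the 24-byte global header
    while offset + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(order + "IIII", data, offset)
        offset += 16
        yield ts_sec, data[offset:offset + incl_len]
        offset += incl_len


def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac) for an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < 42:               # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_ARP:
        return None
    if struct.unpack_from("!HHBBH", frame, 14) != (1, 0x0800, 6, 4, ARP_OP_REPLY):
        return None
    return ip_text(frame[28:32]), mac_text(frame[22:28])   # spa, sha


def find_arp_conflicts(pcap_data):
    """Map each IP claimed by more than one MAC to the sorted list of those MACs."""
    claims = defaultdict(set)
    for _ts, frame in iter_frames(pcap_data):
        reply = parse_arp_reply(frame)
        if reply is not None:
            ip, mac = reply
            claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


# Constructed sample: the real router answers, then a second host (the spoofer)
# claims the router's IP with its own MAC, the pattern arpspoof produces.
ROUTER_IP, ROUTER_MAC = "192.168.1.1", "00:1a:2b:3c:4d:5e"
SPOOFER_MAC = "02:11:22:33:44:55"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "00:aa:bb:cc:dd:ee"

SAMPLE_PCAP = build_pcap([
    arp_reply_frame(ROUTER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP),   # genuine
    arp_reply_frame(VICTIM_MAC, VICTIM_IP, ROUTER_MAC, ROUTER_IP),   # genuine, other direction
    arp_reply_frame(SPOOFER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP),  # spoofed
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for ip, macs in sorted(find_arp_conflicts(data).items()):
        print("%s claimed by %s" % (ip, ", ".join(macs)))
```

A single hit can be a legitimate MAC change (a router swap, a client re-associating with a different adapter), so treat the output as something to look at in Wireshark with the filter arp.opcode == 2, not as proof on its own; a sustained stream of replies for the gateway IP from a second MAC is what arpspoof looks like.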