Nmap Announce mailing list archives

Re: nmap for PalmOS


From: Fyodor <fyodor () insecure org>
Date: Tue, 25 Apr 2000 22:59:43 -0700 (PDT)


Here is an interesting post from Emerson regarding 10Mbps Ethernet cradle
availability (appended).  The URL for the cradle he mentions seems to be
http://www.palm.com/products/enterprise/ethernet.html .

They have a FAQ available on that page which says it is $249 and "is
scheduled for general availability in March 2000".  But I called them and
they said it was not ready yet and they couldn't provide any further
details.  The web page above says "mid - 2000".  It is far from ideal for
covert operations anyway, due to size, power requirement (you have to plug
it in), and lack of Palm V form factor support.

As a side note, I received like 40 responses on this thread.  Since the
link to Nmap is rather tenuous, I can't post all of them.  I've been
trying to post the ones with the most new information.  

I have been thinking about a Palm port of Nmap for a long time, although I
haven't had a chance to do anything constructive yet.  I'm glad to see
others are taking up the challenge.  From all the responses it is clear
that there are many of us who would like to use our Palms as a mobile
network penetration device :).  You could sneak into the corporation you
are auditing, plug into any handy 10BaseT jack and immediately start up
your palm sniffers, scanners, named exploits, etc.  It would be nicer if
you could leave the unit there and have it mail you the scan results (or
new passwords whenever the sniffer catches one).  You could hide a Palm
anywhere -- in a wiring closet, or taped under a desk, or inside
those cubicle-compartments that house the 10baseT ports and AC plugins.  
And of course one could write a relatively simple app that establishes an
outbound connection to an external IP address and offers simple connection
proxying to that computer so that you can bypass the firewall from outside
and continue to hack away at the network from the privacy of your hotel
room.  Of course these last suggestions raise battery life issues, but at
worst you would just have to plug it in to AC as well as ether.

Let's see what we have in our Palm arsenal so far:

Port scanner -- In progress
Wardialer -- TBD by L0pht (closed source :( ) --
             http://www.l0pht.com/~kingpin/pilot.html
ssh client -- Top Gun SSH (open source) --
              http://www.isaac.cs.berkeley.edu/pilot/
telnet client -- Top Gun Telnet (same URL as above)
Net libraries -- Berkeley Sockets are available in SDK
Encryption libraries/programs -- Widely available
Apple II Pornography -- http://www.l0pht.com/~kingpin/hairy15.zip
Mudge's Cisco password decryptor -- http://www.l0pht.com/~kingpin/cisco.zip

Some applications may require use of undocumented PalmOS features.  If
anyone has access to the PalmOS source, please drop me a line.  I have
some simple questions about it.

Oh yeah, and here is the message that I only meant to add a couple quick
comments to :)

---------- Forwarded message ----------
Date: Tue, 25 Apr 2000 17:01:50 -0600
From: Emerson <nutter () technologist com>
To: bart () ixori demon nl, mike () getbent net
Cc: nmap-hackers () insecure org
Subject: Re: nmap for PalmOS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 03:23 PM 4/25/00 +0200, Bart van Leeuwen wrote:
Which might be of concern when scanning internet connected machines
and having to pay for it yourself.. If you have to scan a supposedly
closed network then you don't dial in on the internet and this
argument doesn't play much of a role anymore.

btw, the only way I know of to connect a palm III etc. to an
ethernet is by using a machine that will act as a router between a
ppp connection with the palm and your ethernet... no direct
connection, and often not even practical to set up for the purpose of
a portscan.. but in my case I happen to have such a setup for other
purposes already, and in that case a palm becomes quite practical
for such things.

There is a Palm Ethernet cradle available and some devices that use
Palm OS like the ruggedised handheld from Symbol do have PCMCIA slots
that can take wireless ethernet cards (which probably kill the
batteries really fast). So you can hook up your Palm to the local
ethernet.

The Palm WWW page on the ethernet cradle suggests putting them in
public places and in cafeterias and meeting rooms. The cradle itself
might be DHCP aware, as it says it requires a DHCP server (or is the DHCP
client internal to Palm OS - anyone know?). Also it looks like it was
designed with the goal of being able to hot-sync with a hot-sync
server. 

If N-map for palm were created, I can easily imagine being able to go
into a place, hook my palm up to the cradle in the lobby and then
promptly scan the entire place, probably from within the corporate
security perimeter, have my meeting and then leave, with a full
picture of what their network looks like from the inside. Great for
marketing security services "look what I found just by plugging this
in; why don't you hire us" ;-) .

Come to think of it, that raises an interesting point, things like
that palm cradle probably want to be placed on the dirty side of a
firewall, esp if things like netcat for palm come into existence
(that might be an interesting project, I wonder if anyone has done
that yet?)

All that being said, I still think that N-map for palm is an
interesting engineering exercise, and it is likely that some
pervertedly creative soul will find legitimate use for it..... ;-)

Just random thoughts with no inherent value.....

Emerson

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOQYj3bAwpha8VR2jEQKfdwCfR84R72Hqx5W8BkJBJecOY84tEZ4AoN7R
+sPr6qg34gwRq3j5duI9aFA1
=6eaT
-----END PGP SIGNATURE-----

---
"Who kills a man kills a reasonable creature, God's image; but he who
destroys a book, kills reason itself, kills the Image of God" - John Milton

Emerson
nutter () technologist com:PGP pubkey on request:
ICQ 13396569 



