Pen-testing Tools for the Pocket PC
(or "Is that a port scanner in your pocket or are you just happy to see me?")
By Irongeek (Adrian Crenshaw)
As some of you may know I run a website with information on using the Sharp Zaurus PDA as a pen-testing tool. Since the Zaurus runs Linux, porting over security apps meant to run on a Linux PC is pretty simple. But what about the other, more popular side of the fence, the Microsoft Pocket PC (usually abbreviated PPC)? Unfortunately the choice of good pen-testing tools for Pocket PC is pretty limited.
Your best bet if you want to use your PPC device as a pen-testing tool is to see if you can find a distribution of Linux that supports your model and install it, forgoing the PPC/Windows Mobile/WinCE.net OS entirely. With those caveats stated, let's dive into what tools are out there that would be useful to the mobile pen-tester. I'll concentrate on free tools since I have no budget and abhor the idea of paying for a tool that does a worse job than an Open Source alternative running on a Linux/PC platform. I'll also be sticking to tools that are useful for pen-testing and network reconnaissance, ignoring tools for securing the PPC itself like firewalls, encryption apps and anti-virus packages (as of this writing there seem to be more AV apps for the PPC than there are actual viruses). For my test system I'll be using a Dell Axim X5 with PPC 2003 and a Linksys WCF12 compact flash Wi-Fi card.
I'll gloss over the installation of PPC software; it's pretty easy. There are basically three different scenarios when installing a Pocket PC application:
1. In most cases there will be an installer that you run on your desktop PC that sets ActiveSync up so that the next time you dock your PPC the application will be installed for you automatically (you may have to tap a confirm button on the PPC itself).
2. The application may come as just the binary (an exe file) and support files which you will have to copy to your PPC using My Computer->Mobile Device->My Pocket PC, then run them using the File Explorer.
3. The third and least common way is if the app comes as a CAB file. In this case just copy the CAB file to your PPC the same way as above, then find it in the file explorer and tap it to install.
War driving (or is that walking?)
First let's look at war driving apps for the Pocket PC. One limitation the PPC has is that there seem to be no free tools that let you put the Wi-Fi card into RFMON (monitor) mode; this means you will never see cloaked SSIDs. To get some of these war driving applications to work you may have to play a little driver bingo. For example the drivers from Linksys for my card won't work with any of these tools, but some other older Prism2 drivers will work just fine. If you have problems getting these applications to work do a Google search on the tool and Wi-Fi card you are trying to use. If you have the cash you may want to look into Airmagnet, since it's the only PPC tool out there that I know of that will find cloaked SSIDs. Make sure you check the supported hardware list before you buy Airmagnet since it's kind of particular about hardware. As a side note, I really wish folks on forums would stop referring to war driving tools as sniffers; it just confuses the hell out of Google searches when looking for a real network sniffer. Here are some of the current free or Open Source PPC war driving apps:
The last version of PocketWarrior seems to have come out early in 2003, but it still works well. PocketWarrior supports a GPS and lets you save the information on the WAPs it found. All in all not bad if you don't mind missing cloaked SSIDs, but then again none of the other Wi-Fi tools I review below can see cloaked SSIDs either. PocketWarrior worked fine on my Prism2 based card as long as I used the older Senao drivers.
WiFiFoFum does not seem to have an installer; you just copy the files to your PPC and run the executable from File Explorer by tapping it. On my Axim X5 it just quit without giving an error message, but I've seen it in action before on an Axim X3 and it worked quite well. WiFiFoFum has a radar-like display that indicates how strong a signal you're getting from a WAP; cute, but it misleads some folks into thinking that the display is indicating the direction of the WAP. WiFiFoFum also supports a GPS if you have Compact Framework SP2 installed.
MiniStumbler is the little brother of the Windows PC tool NetStumbler. It supports quite a few Wi-Fi chip sets and the current version (0.4.0 as of this writing) worked flawlessly with my Prism2 card. It has GPS support and a very intuitive interface. If you're familiar with NetStumbler for Windows then you should feel right at home with MiniStumbler. It supports 802.11a as well as 802.11b/g networks. Since MiniStumbler saves its session files in the same format as NetStumbler you should have no problem using mapping programs meant for NetStumbler or uploading your finds to Wigle.net.
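To make the cloaked-SSID limitation concrete, here is an added example (my own code, not from the article or any of the tools above) that parses 802.11 beacon and probe response frames the way a monitor-mode tool would. A cloaked access point still beacons, it just sends a zero-length (or NUL-padded) SSID element; the real name only shows up in probe responses, which is exactly the traffic you cannot see without RFMON mode. The frames below are constructed by hand for the example; the MAC addresses and the SSID "secret" are made up.

```python
import struct

# Added example (not from the original article). Frames below are constructed
# by hand; a real capture needs a card in monitor (RFMON) mode.
SUBTYPE_PROBE_RESP = 5
SUBTYPE_BEACON = 8
IE_SSID, IE_DS_PARAMS = 0, 3
CAP_PRIVACY = 0x0010


def parse_ies(body):
    """Split the tagged-parameter area into {element_id: first_value}."""
    ies = {}
    pos = 0
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:      # truncated element: stop, keep what we have
            break
        ies.setdefault(eid, value)
        pos += 2 + length
    return ies


def parse_mgmt_frame(frame):
    """Parse a beacon or probe response; return None for anything else."""
    if len(frame) < 36:               # 24-byte header + 12 bytes of fixed fields
        return None
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0:          # type 0 = management
        return None
    subtype = (fc >> 4) & 0xF
    if subtype not in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # Address 3
    _ts, interval, capab = struct.unpack_from("<QHH", frame, 24)
    ies = parse_ies(frame[36:])
    raw = ies.get(IE_SSID)
    # Cloaked APs beacon with a zero-length SSID element, or one padded with NULs.
    hidden = raw is None or len(raw) == 0 or raw.count(0) == len(raw)
    ds = ies.get(IE_DS_PARAMS)
    return {
        "subtype": subtype,
        "bssid": bssid,
        "ssid": None if hidden else raw.decode("utf-8", "replace"),
        "channel": ds[0] if ds and len(ds) == 1 else None,
        "privacy": bool(capab & CAP_PRIVACY),
        "beacon_interval_tu": interval,
    }


def survey(frames):
    """Merge frames per BSSID: beacons reveal cloaking, probe responses reveal the name."""
    aps = {}
    for frame in frames:
        p = parse_mgmt_frame(frame)
        if p is None:
            continue
        ap = aps.setdefault(p["bssid"], {"ssid": None, "cloaked": False,
                                         "channel": p["channel"], "privacy": p["privacy"]})
        if p["subtype"] == SUBTYPE_BEACON and p["ssid"] is None:
            ap["cloaked"] = True
        if p["ssid"] is not None:
            ap["ssid"] = p["ssid"]
    return aps


def _mgmt_header(fc, addr1, ap_mac):
    # frame control, duration, addr1 (DA), addr2 (SA), addr3 (BSSID), sequence control
    return fc + b"\x00\x00" + addr1 + ap_mac + ap_mac + b"\x00\x00"


# Constructed sample frames (made-up MACs and SSID).
_AP = bytes.fromhex("001122334455")
_FIXED = b"\x00" * 8 + b"\x64\x00" + b"\x11\x04"      # timestamp, 100 TU, ESS|privacy
_RATES_CH6 = b"\x01\x04\x82\x84\x8b\x96" + b"\x03\x01\x06"
BEACON_CLOAKED = _mgmt_header(b"\x80\x00", b"\xff" * 6, _AP) + _FIXED + b"\x00\x00" + _RATES_CH6
PROBE_RESP = (_mgmt_header(b"\x50\x00", bytes.fromhex("66778899aabb"), _AP) + _FIXED
              + b"\x00\x06secret" + _RATES_CH6)
DATA_FRAME = b"\x08\x00" + b"\x00" * 40                # type 2 = data: ignored

if __name__ == "__main__":
    print(survey([BEACON_CLOAKED, DATA_FRAME]))       # cloaked, ssid still None
    print(survey([BEACON_CLOAKED, PROBE_RESP]))       # probe response fills in "secret"
```

Feed it beacons only and the AP is reported as cloaked with no name; add the probe response and the name is filled in, which is the difference between a scan-list tool and a monitor-mode capture.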
General Network Information Tools
I'll lump general tools that allow you to find out more about the network you're on into this category. Pocket PC ships with almost nothing built in for exploring the network you're connected to, but luckily there are a few third party tools that may help a little.
As far as free network information tools for the PPC go there's not much that can touch vxUtil. In some ways it's like SamSpade for the PPC. VxUtil Personal is several small applications rolled into one and supports the following functions:
Info (sort of like IP config for Windows)
IP Subnet Calculator
Wake On LAN
While most of these applications are pretty rudimentary they are quite useful and fill a spot left vacant by the tools that come with Pocket PC 2003. The port scanner is slow but it works; just don't expect all of the speed, stealth and packet options of a tool like Nmap.
A pretty rudimentary network sniffer for $60, but there is a 30 day evaluation version. You can save the network captures out as a text file, so make sure you invest in an SD card to write large dumps to.
Airscanner Mobile Sniffer
Airscanner Mobile Sniffer only supports PPC 2002 (try it on PPC 2003 and you will likely get the error "Windows CE failed to load the packet capture driver"). It's kind of hard to find now since Airscanner dropped support for it, but it's still mirrored on various sites. The sniffer's interface itself is not very good, but its one cool feature is that it can dump what it sniffs into a TCPDump format (pcap) file which can then be loaded into more capable sniffers like TCPDump, Ethereal, Ettercap, etc.
This simple tool lets you read and set SNMP values (if you know the right community names, which can be sniffed since they are passed in plain text in versions 1 and 2c of the SNMP protocol).
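To show just how exposed those community names are, here is an added example (my own code, not part of the article or of the SNMP tool above) that decodes a captured SNMPv1/v2c message and pulls out the community string and the OIDs being asked for; it is the kind of thing you would run over a pcap dump from a sniffer. The message bytes below are constructed by hand (a GetRequest for sysDescr.0 with community "public"); the SNMPv3 input is a truncated stand-in, enough to show that v3 carries no community to steal.

```python
# Added example (not from the original article): decode the community string
# and requested OIDs from a captured SNMPv1/v2c message, as a sniffer would.
SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
PDU_TYPES = {
    0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
    0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
    0xA6: "InformRequest", 0xA7: "SNMPv2-Trap",
}


def _tlv(buf, pos):
    """Decode one BER tag/length/value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """BER OBJECT IDENTIFIER contents -> dotted string (first arc 2.x, x >= 40, not handled)."""
    if not raw:
        return ""
    arcs = [raw[0] // 40, raw[0] % 40]
    n = 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def parse_snmp(packet):
    """Return version, community, PDU type and varbind OIDs of one SNMP message.
    For SNMPv3 the community is None: there is none in the message to sniff."""
    tag, msg, _ = _tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (expected SEQUENCE)")
    tag, ver, pos = _tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    vnum = int.from_bytes(ver, "big", signed=True)
    version = SNMP_VERSIONS.get(vnum, f"unknown({vnum})")
    if vnum == 3:
        return {"version": version, "community": None, "pdu": None, "oids": []}
    tag, community, pos = _tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING community")
    pdu_tag, pdu, _ = _tlv(msg, pos)
    oids = []
    if pdu_tag != 0xA4:          # the v1 Trap PDU has a different layout; skip its varbinds
        p = 0
        for _ in range(3):       # request-id, error-status, error-index
            _, _, p = _tlv(pdu, p)
        _, vbl, _ = _tlv(pdu, p)
        p = 0
        while p < len(vbl):
            _, vb, p = _tlv(vbl, p)
            t, o, _ = _tlv(vb, 0)
            if t == 0x06:
                oids.append(_decode_oid(o))
    return {"version": version, "community": community.decode("ascii", "replace"),
            "pdu": PDU_TYPES.get(pdu_tag, f"0x{pdu_tag:02x}"), "oids": oids}


# Constructed samples (not from any real capture): a v1 GetRequest for
# sysDescr.0 with community "public", the same request as v2c, and a v3 stub.
SNMPV1_GET = bytes.fromhex(
    "3026 020100 04067075626c6963 a019 020101 020100 020100"
    "300e 300c 0608 2b06010201010100 0500"
)
SNMPV2C_GET = SNMPV1_GET[:4] + b"\x01" + SNMPV1_GET[5:]
SNMPV3_STUB = bytes.fromhex("3003 020103")

if __name__ == "__main__":
    for pkt in (SNMPV1_GET, SNMPV2C_GET, SNMPV3_STUB):
        print(parse_snmp(pkt))
```

Point it at the UDP payload of each packet to port 161 in a capture and you have the community for every v1/v2c manager on the segment; the v3 case returns no community because the message format has none.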
Tiger tools claims to support all sorts of pen-testing tools, but as it does not have an evaluation version I did not test it. It claims to be able to do multi-threaded port scanning, FIN scans and run simple exploit scripts. From what I can see on their web site it looks to be written in eMbeddedVB which gives me some doubts.
PocketConsole (and related tools)
PocketConsole makes it easier for developers to port applications that use stdout to the Pocket PC and other Windows CE devices. Here are a few of the related projects (hosted on the same site as PocketConsole) that you should be aware of:
After installing PocketConsole this is probably the next app to setup. It works in a similar fashion as the Windows command prompt and is needed to run some of the apps listed below.
NetTools (Ping, Ipconfig, Route, Net, Netstat)
A few basic network tools Microsoft left out of Pocket PC. They may not be as full featured as their Windows XP cousins but they are still useful. The function of Ping and Ipconfig are obvious. Route lets you set up IP routing information (I'm not sure how useful this is since I never plan to use my PPC as a gateway device, but it's still cool that someone spent the time to figure it out). Net allows you view SMB shares and map share points. Netstat gives you various network statistics.
Allows you to retrieve and set SNMP values.
Not as pretty as PocketPuTTY (mentioned below) but since you can specify the port it's more useful for doing banner grabs. For example, if you want to do a banner grab to find out what version of SSH a box is running you could use a command something like the following (the SSH server sends its version string as soon as you connect, so you don't have to type anything):
open some.server.com 22
If you are a developer you may want to look into using PocketConsole when porting over your Windows console apps.
PocketLAN costs $14.99 and seems like a nice tool for mapping share points to SMB file servers and finding out what machines are around you. I like the network scan function that does a quick ping sweep and reverse DNS lookup, then tells you information like the network card vendor (based on MAC address) and Domain/Workgroup the hosts belong to. You can view a report of the hosts it finds in HTML format, then copy the reports off of the PPC for later viewing (Quick tip: dock your PPC and look in My Computer->Mobile Device->My Pocket PC\Program Files\Z2\PocketLAN to find the report).
V-Mobile Network Browser
VM Network Browser costs $17.95 and does the same basic things as PocketLAN, but looks more like the classic Network Neighborhood interface. Unlike PocketLAN, VM Net Browser does not seem to do a ping sweep, but instead pulls its information from NetBIOS traffic or the Windows Browsemaster on the network (it's hard to tell without talking to the developers). VM Net Browser is not as responsive as PocketLAN and it doesn't give as much information about the hosts it scans.
I don't know about paying $15 for a port scanner but of the ones I've tested it seems the fastest. Luckily there's a demo version. Just make sure you set it to only port scan hosts that respond to a ping, otherwise you will be waiting awhile. The bad side: I see no way to save your scans for later viewing.
NbtstatCE does ping sweeps and is supposed to retrieve NetBIOS info. It appears to have no way to save the scan. Nice, not as slick as other tools but hell, it's open source. As of right now I can't seem to get it to actually pull NetBIOS info, but keep an eye on this app since it shows promise.
Yep, there's a version of Netcat, the network Swiss army knife, for Windows CE. Netcat can be a bit clumsy to use but it's very versatile. With it you can shovel shells, port scan, do banner grabs and a host of other things. See the following website for many of the possible uses for Netcat:
If Netcat loses the connection before you can see the output check the files nc-stdin.txt, nc-stdout.txt and nc-stderr.txt located in the same directory as the Netcat executable. One bug with Netcat for Windows CE is that the backspace key does not work, so be careful when you type in a command. To give you one example of usage, here is how you could use Netcat to do a quick banner grab to find out what version of sshd a host is running:
1. Start Netcat by tapping on nc.exe in the File Explorer.
2. Issue the command (replace "targethost" with the name or IP of the host you are connecting to):
3. Hit the enter key and open nc-stdout.txt if Netcat closes before you can read the output.
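Whether you grab the banner with the PocketConsole Telnet above or with Netcat, what comes back is the SSH identification string from RFC 4253 ("SSH-protoversion-softwareversion SP comments"), and the server is allowed to send other lines before it. Here is an added example (my own code, not from the article or either tool) that reads that string off a socket and parses it; the sample responses at the bottom are constructed for the example, not captured from any real host, and the host names in them are made up.

```python
import re
import socket

# Added example (not from the original article): grab and parse the SSH
# identification string (RFC 4253 section 4.2) that the server sends on connect.
SSH_ID_RE = re.compile(
    rb"^SSH-(?P<proto>\d+\.\d+)-(?P<soft>[^ \r\n]+)(?: (?P<comment>[^\r\n]*))?\r?$"
)


def parse_ssh_banner(data):
    """Return the first identification line in data as a dict, or None.
    Only complete (newline-terminated) lines are examined, so a half-received
    banner is not reported as a truncated version. RFC 4253 lets a server send
    other lines (a legal banner, an MOTD) before the SSH- line."""
    for line in data.split(b"\n")[:-1]:
        m = SSH_ID_RE.match(line)
        if m:
            return {
                "protocol": m.group("proto").decode("ascii"),
                "software": m.group("soft").decode("ascii", "replace"),
                "comment": (m.group("comment") or b"").decode("ascii", "replace"),
            }
    return None


def grab_ssh_banner(host, port=22, timeout=5.0, max_bytes=4096):
    """Connect, read until an SSH- line arrives (or a limit is hit), and return
    (parsed banner or None, raw bytes). The server speaks first, so nothing is sent."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        while len(buf) < max_bytes:
            try:
                chunk = s.recv(max_bytes - len(buf))
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
            if parse_ssh_banner(buf) is not None:
                break
    return parse_ssh_banner(buf), buf


# Constructed sample responses (not captured from any real host).
SAMPLE_WITH_PREAMBLE = b"Welcome to the jump host\r\nSSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n"
SAMPLE_OLD_STYLE = b"SSH-1.99-Cisco-1.25\r\n"
SAMPLE_NOT_SSH = b"220 mail.example.test ESMTP ready\r\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # python thisfile.py targethost [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
        print(grab_ssh_banner(sys.argv[1], port))
    else:
        for sample in (SAMPLE_WITH_PREAMBLE, SAMPLE_OLD_STYLE, SAMPLE_NOT_SSH):
            print(parse_ssh_banner(sample))
```

The "1.99" protocol version is what a server advertises when it speaks both SSH-1 and SSH-2, which is worth noting on its own when you are looking for hosts that still accept the old protocol.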
While not technically pen-testing tools, every pen-tester needs various clients to access the services they are targeting. Here's a short list of clients I find quite useful on the PPC platform.
Terminal Services Client
Not much to say here. Terminal Service Client comes with Pocket PC and it works fine if you can tolerate the small screen size and a lot of scrolling. Damn useful for connecting to a Windows Terminal Server or an XP box running Remote Desktop.
While both of these VNC clients work, they seem slower than my grandma at the grocery. I think the slowness has something to do with my VPN or just a limitation of Windows CE networking (the VNC client on my Zaurus runs plenty fast). Neither has an installation wizard so just copy them to your PPC and run them using File Explorer. The cool thing about the .Net VNC client is that you can use the same executable on both your PPC and your Windows PC.
PocketPuTTY is the Pocket PC port of the popular Putty SSH client (now try to say that out loud). PocketPuTTY is pretty much your best option for connecting to your *nix box from the PPC. PocketPuTTY does not come with an installation wizard so just copy the files to your PPC. There are two different versions out on their site as of this writing. Make sure you get v0.1-prealpha-0.53b if you're running PPC2003 and newer or download v0.2-alpha-2k2-0.53b if you're using PPC 2002. One huge downside to this app is that I see no place to set it to connect on a non-standard port, so if you want to try banner grabbing use Netcat or the PocketConsole version of Telnet mentioned above.
Pocket IE (PIE)
Pocket IE comes bundled with PPC. The version that ships with PPC 2003 and later shows many speed improvements over the older one in 2002. Till Minimo is ready for prime time I'd recommend sticking to Pocket IE. Keep in mind that Microsoft does not keep PIE all that up to date, so you may want to make yourself aware of some of its vulnerabilities.
Minimo is a version of Mozilla meant for PDA size devices. They are working on porting it to Pocket PC (see a link to the early development version above). While it does not seem to be fully functional yet keep an eye on it in the future. By the way, just so you know, I did not mess up the screen shot to the right-it really looked like that when I ran it.
A simple little freeware FTP client for those that need one.
That about sums it up for the PPC tools I've found useful. Sadly, Open Source developers have by and large ignored the Pocket PC platform in favor of other more open environments. If you know of any good pen-testing tools for the Pocket PC platform please email me and I'll update my list. By the way, if you don't have a Pocket PC yourself port scan your network for 999/tcp and you may find a co-worker that does.
 See if your PPC device supports Linux:
 Airmagnet Homepage
 Wigle, my favorite hot spot finder and mapper
 Information about Pocket PC security
Ports of various *nix tools:
Various freeware sites for the Pocket PC:
If you are having problems getting PocketWarrior or MiniStumbler working on your Intersil Prism2 based Wi-Fi card check out this thread:
CELIB, WinCE ANSI C/POSIX library which may help you port over *nix apps: