Pen-testing Tools for the Pocket PC - Part 1
2009-06-15 00:18

http://www.irongeek.com/i.php?page=security/ppchack

Pen-testing Tools for the Pocket PC
(or "Is that a port scanner in your pocket or are you just happy to see me?")
By Irongeek (Adrian Crenshaw)

        As some of you may know I run a website with information on using the Sharp Zaurus PDA as a Pen-testing tool. Since the Zaurus runs Linux, porting over security apps meant to run on a Linux PC is pretty simple. But what about the other, more popular side of the fence, the Microsoft Pocket PC (usually abbreviated PPC)? Unfortunately the choice of good pen-testing tools for Pocket PC is pretty limited. Your best bet if you want to use your PPC device as a Pen-testing tool is to see if you can find a distribution of Linux that supports your model and install it, forgoing the PPC/Windows Mobile/WinCE.net OS entirely[0]. With those caveats stated, let's dive into what tools are out there that would be useful to the mobile pen-tester. I'll concentrate on free tools since I have no budget and abhor the idea of paying for a tool that does a worse job than an Open Source alternative running on a Linux/PC platform. I'll also be sticking to tools that are useful for pen-testing and network reconnaissance, ignoring tools for securing the PPC itself like firewalls, encryption apps and anti-virus packages (as of this writing there seem to be more AV apps for the PPC than there are actual viruses). For my test system I'll be using a Dell Axim X5 with PPC 2003 and a Linksys WCF12 compact flash Wi-Fi card.

Installing Software

        I'll gloss over the installation of PPC software; it's pretty easy. There are basically three different scenarios when installing a Pocket PC application:


1. In most cases there will be an installer that you run on your desktop PC that sets ActiveSync up so that the next time you dock your PPC the application will be installed for you automatically (you may have to tap a confirm button on the PPC itself).

2. The application may come as just the binary (an exe file) and support files which you will have to copy to your PPC using My Computer->Mobile Device->My Pocket PC, then run them using the File Explorer.

3. The third and least common way is if the app comes as a CAB file. In this case just copy the CAB file to your PPC the same way as above, then find it in the file explorer and tap it to install.

War driving (or is that walking?)

        First let's look at war driving apps for the Pocket PC. One limitation the PPC has is that there seem to be no free tools that let you put the Wi-Fi card into RF Mon mode; this means you will never see cloaked SSIDs. To get some of these war driving applications to work you may have to play a little driver bingo. For example the drivers from Linksys for my card won't work with any of these tools, but some other older Prism2 drivers will work just fine. If you have problems getting these applications to work do a Google search on the tool and Wi-Fi card you are trying to use. If you have the cash you may want to look into Airmagnet [1] since it's the only PPC tool out there that I know of that will find cloaked SSIDs. Make sure you check the supported hardware list before you buy Airmagnet since it's kind of particular about hardware. As a side note, I really wish folks on forums would stop referring to war driving tools as sniffers; it just confuses the hell out of Google searches when looking for a real network sniffer. Here are some of the current free or Open Source PPC war driving apps:

Pocket Warrior
http://www.pocketwarrior.org/

        The last version of PocketWarrior seems to have come out early in 2003, but it still works well. PocketWarrior supports a GPS and lets you save the information on the WAPs it found. All in all not bad if you don't mind missing cloaked SSIDs, but then again none of the other Wi-Fi tools I review below can see cloaked SSIDs either. PocketWarrior worked fine on my Prism2 based card as long as I used the older Senao drivers.



WiFiFoFum
www.wififofum.org

        WiFiFoFum does not seem to have an installer; you just copy the files to your PPC and run the executable from File Explorer by tapping it. On my Axim X5 it just quit without giving an error message, but I've seen it in action before on an Axim X3 and it worked quite well. WiFiFoFum has a radar-like display that indicates how strong a signal you're getting from a WAP; cute, but it misleads some folks into thinking that the display is indicating the direction of the WAP. WiFiFoFum also supports a GPS if you have Compact Framework SP2 installed.

MiniStumbler
http://www.netstumbler.com

        MiniStumbler is the little brother of the Windows PC tool NetStumbler. It supports quite a few Wi-Fi chip sets and the current version (0.4.0 as of this writing) worked flawlessly with my Prism2 card. It has GPS support and a very intuitive interface. If you're familiar with NetStumbler for Windows then you should feel right at home with MiniStumbler. It supports 802.11a as well as 802.11b/g networks. Since MiniStumbler saves its session files in the same format as NetStumbler you should have no problem using mapping programs meant for NetStumbler or uploading your finds to Wigle.net[2].


General Network Information Tools

        I'll lump general tools that allow you to find out more about the network you're on into this category. Pocket PC ships with almost nothing built in for exploring the network you're connected to, but luckily there are a few third party tools that may help a little.


vxUtil
http://www.cam.com/vxutil.html

        As far as free network information tools for the PPC go there's not much that can touch vxUtil. In some ways it's like SamSpade for the PPC. VxUtil Personal is several small applications rolled into one and supports the following functions:

DNS Audit
DNS Lookup
Finger
Get HTML
Info (sort of like IP config for Windows)
IP Subnet Calculator
Password Generator
Ping
Ping Sweep
Port Scanner
Quote
Time Service
Trace Route
Wake On LAN
Whois

        While most of these applications are pretty rudimentary they are quite useful and fill a spot left vacant by the tools that come with Pocket PC 2003. The port scanner is slow but it works; just don't expect all of the speed, stealth and packet options of a tool like Nmap.

vxSniffer
http://www.cam.com/vxsniffer.html

        A pretty rudimentary network sniffer for the cost of $60, but there is a 30 day evaluation version. You can save out the network captures as a text file so make sure you invest in an SD card to write large dumps to.

Airscanner Mobile Sniffer
http://www.pdagold.com/software/detail.asp?s=223
http://www.airscanner.com/

        Airscanner Mobile Sniffer only supported PPC 2002 (try it on PPC 2003 and you will likely get the error "Windows CE failed to load the packet capture driver"). It's kind of hard to find now since Airscanner dropped support for it but it's still mirrored on various sites. The sniffer's interface itself is not very good, but its one cool feature is that it can dump what it sniffs into a TCPDump format file which can then be loaded into more capable sniffers like TCPDump, Ethereal, Ettercap, etc.

vxSNMP
http://www.cam.com/vxsnmp.html

        This simple tool lets you read and set SNMP values (if you know the right community names, which can be sniffed since they are passed as plain text in versions 1 and 2 of the SNMP protocol).

Tiger Tools
http://www.tigertools.net

        Tiger Tools claims to support all sorts of pen-testing tools, but as it does not have an evaluation version I did not test it. It claims to be able to do multi-threaded port scanning, FIN scans and run simple exploit scripts. From what I can see on their web site it looks to be written in eMbeddedVB which gives me some doubts.

