TAP/TUN drivers and OpenVPN - Windows Phone 7 Development and Hacking

So... this is less the announcement of a hack than the announcement of a plan to attempt a hack, but this one is big enough I thought I should get it started now.
Short version: I want to get an OpenVPN client working on my phone (ideally on a stock ROM, with Root Tools).
Somewhat longer explanation: OpenVPN itself is actually a very simple program; it takes a network traffic stream from the "TAP" virtual network device, and sends it over an SSL connection to an OpenVPN server. This is also reversible (listen on the SSL connection, then route the traffic from it to the TAP "device"). It's an incredibly simple way to implement VPN, but is high-performance and secure nonetheless. The entirety of OpenVPN itself is actually implemented in user-space; I don't expect porting it to WP7 to be too difficult (in fact, there's already a WinMo port in progress that would probably be pretty easy to adapt).
The catch is the TAP driver. In short, this is a virtual network adapter that, instead of connecting the computer to a LAN or WAN, connects the computer to a program running on the computer. This program can be any number of things, but in the specific case I'm interested in, it's the OpenVPN client. The idea is that you make TAP the default network device, so every other program sends and receives its traffic over TAP... which in reality means sending and receiving over whatever the program connected to TAP is using where normally a LAN or WAN would be.
The TAP driver, so far as I know, needs to be kernel-mode; it might be possible to implement it as user-mode driver but I'm not sure if this is practical. The trick is to install a third-party driver on WP7 at all. On WinMo / PocketPC devices it was possible (see http://ovpnppc.ziggurat29.com/ovpnppc-main.htm) but those operating systems both lacked the WP7 policy system and had rather better-documented security features and APIs.
Anyhow, I wanted to announce this project, to see who else might have anything - information, code, experience, or simple suggestions - that they could contribute. The repercussions of this project go far beyond OpenVPN, but since I find myself currently in need of that particular software, that is the goal I'm pursuing. I welcome you to join me.
I'll post updates and such about the project here, along with any code for testing.
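An added example to illustrate the user-space side described in the post above (this is not code from the post, from OpenVPN or from the PocketPC port). A TAP device hands the program raw Ethernet frames (a TUN device would hand it raw IP packets instead); the program parses them and, because a TCP transport is a byte stream, has to delimit each packet before sending it to the peer. OpenVPN's TCP mode does that with a 2-byte big-endian length prefix, which is reproduced here. Nothing opens a real TAP device and no crypto is performed; the ARP frame is constructed by hand, and the "only tunnel ARP and IPv4" policy is an arbitrary choice for the example. One practical point the post glosses over: what makes every other program's traffic go through the tunnel is the routing table (OpenVPN's `redirect-gateway` pushes a default route via the tunnel interface), not the TAP driver itself.

```python
import socket
import struct

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
MAX_TCP_PKT = 0xFFFF                         # limit of a 16-bit length prefix


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Split a frame as read() from TAP into header fields and payload.
    Frames shorter than the 14-byte header are rejected instead of sliced."""
    if len(frame) < ETH_HDR.size:
        raise ValueError(f"runt frame: {len(frame)} bytes")
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    return {"dst": mac_str(dst), "src": mac_str(src),
            "ethertype": ethertype, "payload": frame[ETH_HDR.size:]}


def tcp_frame(pkt: bytes) -> bytes:
    """OpenVPN over TCP: every packet is preceded by its length in network order."""
    if len(pkt) > MAX_TCP_PKT:
        raise ValueError("packet does not fit a 16-bit length prefix")
    return struct.pack("!H", len(pkt)) + pkt


def tcp_unframe(buf: bytes) -> tuple[list[bytes], bytes]:
    """Pull complete packets off a TCP receive buffer.
    Returns (packets, leftover); leftover is the start of a packet not yet fully received."""
    pkts = []
    while len(buf) >= 2:
        (n,) = struct.unpack_from("!H", buf)
        if len(buf) < 2 + n:
            break
        pkts.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return pkts, buf


def build_arp_request(src_mac: bytes, src_ip: str, target_ip: str) -> bytes:
    """Constructed sample frame: the broadcast ARP 'who-has' a host emits when it
    needs the MAC of the tunnel's gateway."""
    body = ARP_BODY.pack(1, ETHERTYPE_IPV4, 6, 4, 1,
                         src_mac, socket.inet_aton(src_ip),
                         b"\x00" * 6, socket.inet_aton(target_ip))
    return ETH_HDR.pack(b"\xff" * 6, src_mac, ETHERTYPE_ARP) + body


SAMPLE_FRAME = build_arp_request(bytes.fromhex("020000000001"), "10.8.0.2", "10.8.0.1")


def forward_to_peer(frames: list[bytes]) -> bytes:
    """One iteration of the client loop per TAP read: parse (so the client can filter
    or log), frame for TCP, and return the bytes that would go down the TLS socket."""
    out = b""
    for f in frames:
        info = parse_ethernet(f)
        if info["ethertype"] not in (ETHERTYPE_ARP, ETHERTYPE_IPV4):
            continue  # example policy: only ARP and IPv4 enter the tunnel
        out += tcp_frame(f)
    return out


if __name__ == "__main__":
    info = parse_ethernet(SAMPLE_FRAME)
    print(info["dst"], info["src"], hex(info["ethertype"]), len(info["payload"]))
    pkts, rest = tcp_unframe(forward_to_peer([SAMPLE_FRAME]) + b"\x00\x05ab")
    print(len(pkts), "complete packet(s),", len(rest), "leftover bytes")
```

The reverse direction is the mirror image: bytes read from the TLS socket go through `tcp_unframe`, and each complete packet is written to the TAP device as one frame; the leftover bytes are kept for the next read.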

Now this is something DEFINITELY that I will follow. I could use this... A guy that I work with has recently parted from his WinMo 6.1 (he hated 6.5) device and one of the things he said he would like to do on his WP is to VPN. I'll be glad to test or help any way I can for this

me too volunteering as beta tester for VPN!!!

I support the
Thank you my friend

Volunteering as beta tester. I have custom full rom

IPSec or PPTP?
I have worked on an IPsec client for Linux before, but it only handled the IKE packets; AH or ESP is handled by the kernel protocol stack if there are correct SPs and SAs. So I think you should make a driver; WP7 cut the built-in IPsec driver. Really a very big project; maybe the IPsec driver in CE7 can work on WP7.

IPSec and PPTP are both tunneling approaches which are implemented at the driver level. There's nothing wrong with that, but it's not my current and immediate goal. OpenVPN's tunneling is achieved over a simple SSL connection, entirely in user-space. This makes it trivial to implement the encryption, but offers the full power of the OpenSSL library for authentication.
While I appreciate the offers of testing, that's going to be some time off. The most useful thing would be developers. For example, has anybody worked with NDIS (Network Driver Interface Specification) before, on CE or even NT? I have not, and while I'm certainly interested in learning it, I was hoping to get this off the ground faster than will be possible if I have to learn it all myself.
I'll be working with the OpenVPN for PocketPC codebase as a starting point. It's still going to take a lot of work, though. I'll probably set up a public version control system to aid in sharing the code and (hopefully) contributing changes.
I'm also going to take a look at CE7 user-mode drivers. If it's possible to write a network driver that way, it may be easier to test and install than a kernel-mode one would be.

On my Mozart:
[two attachments]

Thanks, spavlin! Unfortunately, it looks like the app queries a bunch of provisioning providers that WP7 doesn't have. There might be newer variants of those characteristics that I can try to query, though.
It's good that we're able to dump the routing info; that means there's a decent chance we'll also be able to change it. Thanks for checking that for me! Running those on my phone would take some work (not full-unlocked).


HTC Touch Pro2 as a HACKING tool?

Good evening folks,
I am considering buying the HTC Touch Pro2 when it is released in the USA on Tmobile. I would like to understand what hacking (security testing) tools are available on the Windows Mobile Platform. I am a security professional and have the desire to perform penetration testing from the HTC Touch Pro2.
It seems the Metasploit framework is not available. I like to work with the command prompt; is the command prompt accessible on the HTC Touch Pro2? I've read some info about being able to mount ISOs or run emulators. Is there WiFi hacking software such as Kismet available?
Does anyone know what hacking tools are available for this platform?
Thank you!
Anyone have any ideas?
It doesn't run real windows, you can't get a command prompt. You'd be better off with a real machine.
There are a couple of companies out there that sell WM devices for pentesting, but they are all provided with the hardware since they are focused on WiFi, and I don't believe the standard WM stuff lets you put it into promiscuous mode.
You'd probably be better off with an android device so you can just compile whatever you want.
MSFT products have never been suitable for comp-sec professionals.
You're better off connecting to a *nix box using either PocketPuTTY or using a web browser to connect to a remote server running Metasploit.
Check out VxUtil, it gives you DNS, reverse DNS, port scan, ping, finger & so on. Pocket Putty is a good free SSH client, also does port forwarding.
OpenVPN works as well if that takes your fancy. Lots of security tools are available, they are just a bit obscure. I don't think nmap is around though.
thanks for the reply
Our company actually just released a new product (called Security Tools) that lets you ping, traceroute, do a WHOIS lookup, and even do port testing on your Windows Mobile phones. The port testing can even send clear text commands to a port such as 'GET / HTTP/1.0' to verify that it is a HTTP service listening on that port. The traceroute is also able to visually show the trace (if it's public IP address) on a map so you can kind of get a visual representation of where your traffic is going. Please feel free to try our one week free trial which lets you use the application for a week without limitations, so you can make sure everything works as you want before you buy.
You can visit the original post here at xda over at this thread:
http://forum.xda-developers.com/showthread.php?t=550473
or you can visit the website for the product at:
http://www.securenetworksystems.com/SecurityTools/
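An added example of the "send 'GET / HTTP/1.0' to a port to verify it is an HTTP service" check described in the post above; this is not the Security Tools product's code. Done properly, the probe has to end with a blank line (CRLF CRLF) or an HTTP server sits waiting for more headers, the read needs both a timeout and a size cap, and a port that accepts the connection is only classified by what comes back: some services (SSH, SMTP) speak first and ignore the probe, others say nothing at all. Two throwaway listeners on 127.0.0.1 stand in for remote hosts so the example runs offline; their banners are made up.

```python
import socket
import threading

HTTP_PROBE = b"GET / HTTP/1.0\r\nHost: probe\r\n\r\n"   # trailing blank line ends the request


def classify_banner(data: bytes) -> str:
    """Name the service from the first bytes the peer returned after our probe."""
    if not data:
        return "open-silent"            # listening, but said nothing within the timeout
    if data.startswith(b"HTTP/"):
        return "http"
    if data.startswith(b"SSH-"):
        return "ssh"
    return "open-unknown"


def probe_port(host: str, port: int, probe: bytes = HTTP_PROBE,
               timeout: float = 1.0, max_bytes: int = 512) -> tuple[str, bytes]:
    """Connect, send the probe, read until the peer closes, max_bytes arrive,
    or it stays quiet for `timeout`. Returns (state, bytes_received)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(probe)
            buf = b""
            try:
                while len(buf) < max_bytes:
                    chunk = s.recv(max_bytes - len(buf))
                    if not chunk:
                        break
                    buf += chunk
            except (socket.timeout, ConnectionResetError):
                pass                    # classify whatever arrived before the peer went quiet
    except ConnectionRefusedError:
        return "closed", b""
    except OSError:                     # connect timeout, unreachable, etc.
        return "filtered", b""
    return classify_banner(buf), buf


def start_fake_server(handler) -> int:
    """Constructed stand-in for a remote host: serves one connection on 127.0.0.1."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def http_like(conn: socket.socket) -> None:
    """Reads the request, then answers; without the blank line it would keep waiting."""
    conn.settimeout(2.0)
    try:
        conn.recv(1024)
    except socket.timeout:
        pass
    conn.sendall(b"HTTP/1.0 200 OK\r\nServer: fake\r\nContent-Length: 0\r\n\r\n")


def ssh_like(conn: socket.socket) -> None:
    """Speaks first like a real SSH daemon, ignores our HTTP probe."""
    conn.sendall(b"SSH-2.0-fake\r\n")
    conn.settimeout(2.0)
    try:
        conn.recv(1024)                 # drain the probe so close() is a clean FIN, not a RST
    except socket.timeout:
        pass


def free_closed_port() -> int:
    """Find a port nothing is listening on, to show the refused case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo() -> dict:
    """Probe three constructed targets and return their classifications."""
    return {
        "http": probe_port("127.0.0.1", start_fake_server(http_like))[0],
        "ssh": probe_port("127.0.0.1", start_fake_server(ssh_like))[0],
        "closed": probe_port("127.0.0.1", free_closed_port())[0],
    }


if __name__ == "__main__":
    print(demo())
```

The distinction between "closed" (connection refused) and "filtered" (no answer at all) is the one a port tester should preserve: the first tells you the host is there and nothing listens, the second tells you a firewall dropped the SYN.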
Punkster812:
I downloaded "Security Tools", installed it, got a license - and it was already expired...
Also, your company name is "Secure Network Systems" and your web pages are hosted on Microsoft IIS and based on ASPX... seriously, if you wish to appear as a security company, you cannot use that crap.
The program won't work because you serve an old license, but one thing is clear: the icon is of very low resolution and looks bad on WM6.5 or the TouchFlo menu.
And: the long Device ID is there only to annoy your customers; no pir8 would ever be bothered by it, so you may as well stick to a 6-character alphanumeric code +-+++...
AlCapone said:
Punkster812:
I downloaded "Security Tools", installed it, got a license - and it was already expired...
Also, your company name is "Secure Network Systems" and your web pages are hosted on Microsoft IIS and based on ASPX... seriously, if you wish to appear as a security company, you cannot use that crap.
The program won't work because you serve an old license, but one thing is clear: the icon is of very low resolution and looks bad on WM6.5 or the TouchFlo menu.
And: the long Device ID is there only to annoy your customers; no pir8 would ever be bothered by it, so you may as well stick to a 6-character alphanumeric code +-+++...
I am sorry that you had troubles with the trial download; if you PM me with your Device ID I can get you one. We are aware of the low resolution, but rather than focusing on a pretty icon, we worked hard on a functional program. The long Device ID is not to annoy customers; it is actually a very secure method that we use, and if you are able to break it, I would be very impressed. I know it's long, but it's to protect our intellectual property, and no other licensing method existed that prevents piracy like this does. We know every method is breakable, but this accomplished our goal of restricting it to the pirates that are going to steal software no matter what.
As far as the server... you are using a Microsoft product as well for your phone. We very rarely use ASP.NET through our site; in fact it's only for license generation and to set up an order, but it doesn't actually handle purchases. So the site is secure and I am confused on why you think our site is so insecure. I love Linux and Apache as much as the next network administrator. 4 out of 5 of my personal PCs run Linux, with one set up with Apache for my personal site, but for our business needs, we went with IIS.
Again I am sorry that it didn't work for you, I will double check to see if it's still properly generating license, and remember, the trial starts from when you download the license, not run the application with the license.
regarding IIS: http://www.internetnews.com/securit...Microsoft+Rushes+to+Patch+FTP+Hole+in+IIS.htm
This finally got some attention; it was in fact being exploited for years, over several versions.
Hosting software on vulnerable servers gives hackers an opportunity to easily repack your CAB with spyware/dialer, and you can guess the rest. Such CABs must be inspected for each download.
Regarding the long serial number, it only makes a brute force attack harder, at best, which is usually not the method used. You can as well truncate it to a 6-7 char alphanumeric number, and it will work the same but annoy people less.
Remember you are at a forum where people often reflash, and entering long serials each time (if they cannot be exported from the registry) is boring, and a motivation to work around it.
I can't remember what it's called, but there is a CAIN port for Windows Mobile.
Fmstrat said:
I can't remember what it's called, but there is a CAIN port for Windows Mobile.
you are right; it's simply "Cain for PPC":
http://www.oxid.it/downloads/Cain_setup_PPC.ARM.exe
and yes, it's far away from the "real" Cain.
AlCapone said:
regarding IIS: http://www.internetnews.com/securit...Microsoft+Rushes+to+Patch+FTP+Hole+in+IIS.htm
This finally got some attention; it was in fact being exploited for years, over several versions.
Hosting software on vulnerable servers gives hackers an opportunity to easily repack your CAB with spyware/dialer, and you can guess the rest. Such CABs must be inspected for each download.
Regarding the long serial number, it only makes a brute force attack harder, at best, which is usually not the method used. You can as well truncate it to a 6-7 char alphanumeric number, and it will work the same but annoy people less.
Remember you are at a forum where people often reflash, and entering long serials each time (if they cannot be exported from the registry) is boring, and a motivation to work around it.
Thanks for the link. I looked into it and we are not vulnerable to the attack and never have been, due to the attack's requirements (http://blogs.technet.com/srd/archive/2009/09/01/new-vulnerability-in-iis5-and-iis6.aspx). As far as brute forcing, without going into too much detail, it would be extremely difficult to do as it uses standard, proven encryption algorithms. The extremely long serial that you are talking about is a unique ID for your phone. We know it's long and are always looking for ways to improve the licensing we use. The license is a file and not something that you key in; you copy it to the installation directory, so you can keep a copy in your email, on your computer, flash drive, wherever, for backup purposes in case you need to reload the app.
As far as reflashing, that is a very valid point. I am not 100% sure, but I believe reflashing should not hurt the license, which would hopefully mean you wouldn't have to enter your device ID again. But if anyone could confirm this, that would be appreciated. We know a lot of the people here are very advanced and know more about their phones than most of the people at service providers or even the phone manufacturers themselves sometimes, which is why we enjoy releasing our products here for testing before we release them to the public. In the little time that Security Tools has been up we have received some constructive feedback on what could be improved.
Punkster812 said:
As far as brute forcing, without going into too much detail, it would be extremely difficult to do as it uses standard, proven encryption algorithms.
Right, that's why I said long numbers would be good for only that; once the calculation/verification routine is extracted for a keygen, it's no more work whether the result is 6 or 50 digits long.
- Therefore, you might save your customers all the boring entry, because no keygen (or crack) will be more difficult by having more digits.
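An added example to make the two sides of the licensing exchange above concrete; it is not the vendor's scheme, and the secret, alphabet and device IDs are made up. With a symmetric scheme (the app holds the same secret used to mint keys), key length only raises the cost of guessing a key without the secret; once the secret is lifted out of the binary, the verifier is the keygen, and a 6-character key and a 40-character key fall in exactly the same way.

```python
import hashlib
import hmac
import math
import string

# Assumption for the example: a symmetric scheme, so the secret ships inside the
# app binary, and anything inside the binary can be extracted.
EMBEDDED_SECRET = b"shipped-inside-the-binary"
ALPHABET = string.ascii_uppercase + string.digits      # 36 symbols, case-insensitive entry
MAX_KEY_LEN = 49                                        # 256 bits / log2(36) before digits run out


def derive_key(device_id: str, length: int, secret: bytes = EMBEDDED_SECRET) -> str:
    """License key = HMAC-SHA256(device_id) rendered in the 36-symbol alphabet
    and truncated to `length` characters."""
    if not 1 <= length <= MAX_KEY_LEN:
        raise ValueError("key length out of range")
    digest = hmac.new(secret, device_id.encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    out = []
    while len(out) < length:
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)


def verify_key(device_id: str, key: str, secret: bytes = EMBEDDED_SECRET) -> bool:
    """The check the app performs. Constant-time compare so the key cannot be
    recovered character by character from timing."""
    expected = derive_key(device_id, len(key), secret)
    return hmac.compare_digest(expected, key)


def keygen(device_id: str, extracted_secret: bytes, length: int) -> str:
    """What a cracker ships after pulling EMBEDDED_SECRET out of the app:
    the app's own derivation routine, nothing more. Key length is irrelevant here."""
    return derive_key(device_id, length, extracted_secret)


def guessing_cost_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Work to hit a valid key by trial *without* the secret: log2(|alphabet|^length).
    This, and only this, grows with key length; an online check also rate-limits it."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    dev = "IMEI-012345678901234"
    short, long_ = derive_key(dev, 6), derive_key(dev, 40)
    print(short, verify_key(dev, short), f"{guessing_cost_bits(6):.1f} bits to guess")
    print(long_, verify_key(dev, long_), f"{guessing_cost_bits(40):.1f} bits to guess")
    print("keygen reproduces long key:", keygen(dev, EMBEDDED_SECRET, 40) == long_)
```

The one design where key length would matter against a keygen is an asymmetric one: the app holds only a public key and the license file carries a signature over the device ID, so there is no secret to extract. Even then the attacker's remaining move is to patch the comparison in the app, and no key length changes that either.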

Predictions for Enterprise/Business side of Windows Phone 7 Series?

Obviously, I think the use of the word "Series" tells me that Microsoft isn't done with the many "options" they will offer with WP7S. I think a nice enterprise/business UI is on the way as well, if not coming a bit after the holiday 2010 release.
Any predictions? I'm looking forward to this update in the Series just because my life really doesn't revolve around what my friends ate for breakfast and what movie they just went to see.
Personally, I need to make sure that I have a professional messaging/mail layout, Office, file management, VNC capabilities, and the ability to customize the UI based on limitations necessary per business needs.
1. Office Communicator Mobile with PUSH capabilities
2. Remote Device Management
3. Remote Desktop
Well, I guess Microsoft already put a lot for Business users in there: multiple Mail-Push-Systems, Sharepoint Integration and so on.
One could perhaps integrate status messages on corporate progress from time management systems to the People screen (and I'm pretty sure this already integrates with MS Exchange).
It comes down to what information you need, and you are able to have that on the Start Screen via Live Tiles. What will be interesting is how companies will be able to deploy their custom software to the devices, as Marketplace is not the way to deploy these.
All the social networking systems are just a means of adding additional information: you don't need it, you don't use it. Guess there'll be an RDP client in there (although I hope it's more usable now than the version in WinMo 6.5).
Remote Management - well, do you really think MS would release a phone that supports all the features of MS Exchange Active Sync but omit the manageability (disable storage card, disable camera, wipe device are not that hard to implement).

[Work in Progress] dIRCa - WP7 IRC Client

Welcome! I wanted to let the community know about the IRC client I was building but there are some major caveats that may turn you off.
First, you absolutely need a dev unlocked phone. This can't be sold on the Marketplace yet because I'm using Homebrew sockets from this very forum (well the hacking one but you get what I mean). Mango will change this but that's a good 6 months off if we're lucky.
Second, in its current state it is pretty bare and you may hate me for it. There is currently no tombstone support, so you have to connect again any time you move out of the app. This is my highest priority to fix.
The project is hosted on codeplex at http://dirca.codeplex.com/ and will be OSS. If any developers are interested you can either submit patches or I may give commit access depending on your previous work. I'll be honest, I need help in the form of feedback because I do have a direction finally but the IRC client code completely zapped me of all interest. There is more than enough work in just getting a functional UI but to have to work out IRC quirks is completely draining. After working on this, I would *never* recommend anyone work on an IRC client from scratch. You absolutely have to use a library like ircdotnet or smartirc4net to keep your sanity.
There's a SketchFlow project recently committed that outlines where I plan to take this, which is IRC with the look and feel of a Twitter client. The current incarnation feels way too much like mIRC, which isn't a problem on its own, but that type of client doesn't translate to the phone well and this proves it.
Thankx my friends, very good project in WP7 !!
any way of connecting to a specific irc server or am I being a bit stupid??
Works, and you are on the right path GUI-wise, so don't worry about that.
GUI is good; I like the way one moves through channels. Some thoughts after some testing:
- Possible bug: didn't connect to a server on port 39998 without changing the default port option to 39998, even when the server's own port option was right.
- In auto-feeding of discussion in channels the last line (the most recent line) is cut off, i.e. the auto-feed is "one line too slow"
You're well on your way with this. I'll be checking in on this as I'm an IRC user and have been without IRC on WP7 so far; thanks for the work!
Wishlist (always got to have a wishlist!)
- Option to change text-color & size
- tombstone will be great when it comes

Syncing the Kin--Linux

Long time follower of all of the work done here. It's a shame that the device is so locked down and no progress has been made. However, I thought I would share with anyone who is interested that it's now possible to sync your Kin on Linux without the need for VirtualBox and Windows loaded up.
You can find the fork of lib-mtp at: github [dot] com/kbhomes/libmtp-zune
I've tested it and am now able to sync via terminal or with gMTP. The project was started with the hopes of syncing Zunes; Zune has the same handshake process as the KIN (MTPz).
The background on how it came to be can be found on his project blog: kbhomes.github [dot] com/blog [dot] html.
Hope this helps anyone else who just would like to sync pictures, video, images, songs.
Back to lurking I will go.
Well, it was possible already. No one here uses virtual machines (I hope) in Linux, but the Mono runtime.
At least till the Kino version comes, so a more native (C++ over libusb) approach would be taken.
If you are able to use the standard MTPz way (not our shortcut MTP proprietary command), a better approach would be to help here in decrypting the app syncing/uploading procedure, so we could understand what the XNA framework does in the background and do homebrew launch (which could then help the phone development).
On the other hand, being able to do "transparent" syncing would be kind of a good thing if you could use the Kin in software like Rhythmbox.
Sounds good. I hadn't thought about going at the KIN through Linux before, although it would make sense if the KIN was open source. I don't know how much this will help us though.
What he's providing is a fork of the mighty libmtp libraries & tools, which is an open implementation of MTP (the right one) used by almost any access on the Linux environment to MTP devices.
In that fork, he redid the real stuff (aka MTPz), which could be just said as "bypassing" the Kin handshake between Zune and the device. At least if the Kin operates exactly like a Zune device (which we think).
It could help by using the Kin as a normal (not protected) device on Linux, providing what Kino does IF programs are redirected to it instead of normal libmtp, so you can access files and also use it in Zune-like software.
On my test field, I wasn't able to compile the software "out of the box" to try on my Debian box, so providing no compilation instructions nor a .deb file (Debian & Ubuntu flavours) or a .rpm file (Fedora & Red Hat's) makes it just another utility which is not usable by the common Joe.
What I meant above is that the blog (which I followed back in the day) explains what he did for reversing the MTPz protocol, but is not a walkthrough, so we can't just take it and learn, for example, how the Kin receives "half successfully" an XNA application, as I did back in the day in the thread "XNA madness".
better now?
What if we program an application, split it in half, add a part we don't care about for the other half that does nothing, then send it to the device with a strip that tells it to complete itself by recombining itself on the device?

Windows RT 8.1 new APIs preview

Full Article
http://justinangel.net/Win81APIs
Bluetooth 4.0 RfComm and GATT support
Point of sale: Barcode scanners and Magnetic card readers
Smart Cards
Lock screen Image Apps
VPN support for Metro apps
Scanner APIs and apps
Support for any External / USB device
Native PDF rendering in apps
Multiple screens projection support in apps
XAML/WinJS: New resolution scaling support / Super-high resolution tablets
Camera: Low-lag cameras / HDR
New Metro App Types: Appointments, LockScreen, Contacts and GeoLoc
New App Type: GeoFenced activation
New App Type: Lock screen call
New App Type: Appointments Provider
Text-to-speech
Read-write access to Camera roll, Saved pictures and playlists
XAML/WinJS: new SearchBox control
XAML/WinJS: Hubs for SemanticZoom
XAML: DatePicker and TimePicker
XAML: Flyout, MenuFlyout and SettingsMenuFlyout
XAML: AppBar simplification
XAML: DataBinding Improvements
Globalization: Currencies, Numeral systems and Numerical formatters
Other minor but important Win8.1 features
Be aware: these are new WinRT APIs, not Windows RT features. WinRT != Windows RT (I usually abbreviate the latter as "WRT" to avoid confusion and for similarity with things like WP8).
With that said, since WinRT is the only official API for developing WRT apps, and since Win8.0 and WRT_RTM support the same WinRT APIs, it's reasonable to assume that the same APIs are coming to WRT and therefore apps using these API features will be available on WRT devices.
Another interesting point is that WP8 uses WinRT as well (though only a subset of it). Hopefully at least some of these new APIs also become available on WP8.1; the obvious candidates are things like alarms and Bluetooth and such, though it'd be great to get *any* kind of VPN support in there...
"Support for any External / USB device"
Does that sound like unsigned (or testsigned, whatever) kernel mode code to anyone else?
Edit: Should probably read the thread closer, this is WinRT stuff.
It's not kernel mode. More accurate would be the ability to write (sandboxed, low-privilege) user-mode drivers using WinRT. That's still cool - it's the first official driver API of any kind, and from a security standpoint I'm way more comfortable about installing WinRT apps than actual NT drivers - but it probably won't help with unlocks. It does mean you can talk directly* to USB devices, though, which is cool in many ways.
Given the ability to handle unrecognized devices, I'm guessing that apps will be able to register for specific USB IDs (in the same way that they can register for URI schemes and file extensions now) so that the app will auto-start when you connect a device, or so you can search the store for apps which can handle a specific device. This is big. The lack of third-party NT drivers for obscure hardware on RT has been an impediment (one of many) to progress on the platform. Asking people to write their own drivers is probably not going to fly for really complex hardware unless it's also quite popular, but I can see people doing things like writing an ADB app; there's no reason I know of why that needs to be a kernel driver.
* I'm assuming that the new WinRT APIs basically call into a generic NT driver that does the actual device IO. So, it's not literally directly talking to the device in the sense of sending bits down the USB port from your software, but it's still a lot closer to the metal than we could officially get before.
GoodDayToDie said:
* I'm assuming that the new WinRT APIs basically call into a generic NT driver that does the actual device IO. So, it's not literally directly talking to the device in the sense of sending bits down the USB port from your software, but it's still a lot closer to the metal than we could officially get before.
Yes, it is probably just a Metro wrapper around the old well-known WinUSB API: http://msdn.microsoft.com/en-us/library/windows/hardware/ff540174(v=vs.85).aspx
And there is a strange question in the article:
Despite the plethora of new VPN APIs, an open question remains as to whether WinRT Win8.1 apps will work by default on VPNs.
VPN works fine on RT. At least I can connect to our company VPN with the built-in client and access all our internal resources, for example Sharepoint from the Internet Explorer.
Confusion of "Windows RT" and "WinRT" again*. VPN works "fine" on Windows RT, or on Windows 8, for desktop apps. However, WinRT apps, on either Win8 or WRT, are known to have problems tunneling through VPNs. These new APIs will hopefully help with that, but the question remains whether WinRT (Metro) apps will work *by default* over a VPN, or not.
* I swear, the entire Microsoft branding department, or at least any of them who can't provide proof they didn't argue against this idiocy, need to be stood up against a wall, slapped in the face, by everybody who ever got those two mixed up, and then fired. Much like Windows Phone... at least the complete retard who came up with "Windows Phone 7 Series devices" got the boot, but the result was merely slightly less awful and it hasn't gotten better since.
Being able to write drivers in WinRT level sounds very interesting indeed. I wonder how much integration into the OS will those drivers have, especially, if they are to remain active even when the parent app is not running.
I just hope they bring the entire IO interface of .NET on WinRT. That way we would be able to write drivers from scratch if we really wanted to...
I just want access to COM ports. Seriously, that was a dumb decision on Microsoft's behalf to block it. The only security threat it poses, TCP also poses, so that can't be the reason.
I guess with raw usb access you can try a custom driver to a usb adaptor.
