
April 2007 Archives


April 2, 2007

Top 10 (free) Security Tools for Windows Mobile

Based on my wholly unscientific testing, and opinion, here is my pick for the top 10 free Windows Mobile tools for the security professional:

  1. Cain - a subset of the handy functionality available in Cain & Abel, including cracking support for LM, NTLM, MD2, MD4, MD5, SHA1, RIPEMD160, CiscoPIX and MySQL hashes, decoders for Base64, Cisco Type 7 passwords, Cisco VPN Client passwords, and VNC passwords, and support for dumping ActiveSync, Pocket IE, Pocket Outlook and Pocket MSN passwords from the device. Very handy set of tools, although the practicality of cracking hashes on a Pocket PC is dubious.
    Cain
  2. btCrawler - a simple and easy to use Bluetooth scanner, bluejacking and bluesnarfing tool for devices with Microsoft Bluetooth stacks. Note that most of the exploit functionality is disabled by default until you add some custom registry entries.
    btCrawler
  3. vxUtil Personal - a suite of network utilities, including DNS lookups, finger, IP subnet calculator, ping and ping sweep, a port scanner, and more.
    vxUtil
  4. WiFiFoFum - a wardriving and wireless scanning tool. Supports all wireless cards, wired and Bluetooth GPS units, and multiple export formats including text, Wi-scan, Tom Tom POI, MemoryMap and Netstumbler (ns1) formats.
    WiFiFoFum
  5. Spybot - Search & Destroy - the Pocket PC version of the popular Windows spyware scanner.
    Spybot
  6. Netcat for CE - the "network swiss army knife", for Pocket PC. Not everything works quite as it does on Windows or Linux, but the main functionality is there.
    Netcat
  7. NBTStat CE - find those NetBIOS shares quickly using the Pocket PC version of NBTStat.
    NBTStat
  8. VNC Viewer - complete the trio of GUI clients by downloading this handy little VNC viewer. Supports both VNC 3.x and 4.x servers, full screen mode, and screen rotation.
    VNC Viewer
  9. OpenVPN - VPN into your home network (or other networks running OpenVPN) from your Pocket PC.
    OpenVPN
  10. Citrix ICA client - Supporting most of the same functionality as the Windows client, this allows you to log in to those Citrix machines you need to access.

Honourable mentions also need to go to:

  • PocketConsole which allows you to unlock the power of the console, since Microsoft doesn't ship a console application with Windows Mobile. This also allows you to run text applications ported to PocketPC such as Pocket GnuPG and SNMPUtils. Unfortunately for me, it doesn't seem to work on my phone.
  • Pocket PuTTY - Pocket PC port of the PuTTY ssh and telnet client.
  • Skype - not a security tool per se, but since a lot of security professionals use Skype, it's a must-have on the Pocket PC.
  • ppcPodcast - not strictly security, but allows you to download those security podcasts directly to your phone.


April 18, 2007

Fun reading passports with RFIDIOt

I recently had the opportunity to try Major Malfunction's RFIDIOt toolkit out on an RFID-enabled New Zealand passport (as we just got one for our daughter). The RFID reader I was using is an ACG Multi-ISO Compact Flash reader, which presented itself as a serial device when I plugged it into the Linux box (running Ubuntu 7.04 - Feisty Fawn) I was using.

First things first, you need to install a few libraries that aren't installed by default with Ubuntu:

sudo apt-get install python-imaging-tk python-serial python-crypto

This works nicely in Ubuntu 7.04 - for some reason the python-imaging-tk package seemed to be broken in Ubuntu 6.10 when I tried it (which is needed for the mrpkey.py tool which reads the passport).

Next step - edit the RFIDIOtconfig.py file to reflect the details of your RFID reader - in my case, this merely involved editing the first line to reflect the serial port (ttyS2 in my case):

# Out-of-Box Multi-ISO Serial
card= RFIDIOt.rfidiot(RFIDIOt.rfidiot.READER_ACG,'/dev/ttyS2',9600, 1)

So, first of all, let's try performing a select on the passport - in this case, multiselect to perform multiple selects. This should tell us whether a New Zealand passport behaves like a UK passport in that there is ID generation going on.

[foo:~/Desktop/RFIDIOt-0.1k]$./multiselect.py 
multiselect v0.1f (using RFIDIOt v0.1j)
reader:  ACG MultiISO 1.0  (serial no: 34060218)
Card ID: 10B925A8
Card ID: 10B925A8
Card ID: 10B925A8
Card ID: 10B925A8

Apparently not - we get the same ID each time. Let's move on to trying to read the detail on the passport. This involves deriving some information from the Machine Readable Zone (MRZ) on the passport (if you've ever wondered what those two lines on the bottom of the passport photo pages translate to). For example (some information obscured), the second line of the MRZ on my daughter's passport (EAnnnnnn<3NZL07nnnn3F12nnnn6<<<<<<<<<<<<<<06), equates to:

  • Passport number: EAnnnnnn
  • Check Digit: 3
  • Nationality: NZL
  • Date Of Birth: 07nnnn
  • Check Digit: 3
  • Sex: F
  • Expiry: 12nnnn
  • Check Digit: 6
  • Optional: <<<<<<<<<<<<<<
  • Check Digit: 0
  • Composite Check Digit: 6

So now we can run the mrpkey tool to read the passport (note I had to edit TAG_TYPES, and change 6C to 6c and 6D to 6d for this to work):

[foo:~/Desktop/RFIDIOt-0.1k]$./mrpkey.py "EAnnnnnn<3NZL07nnnn3F12nnnn6<<<<<<<<<<<<<<06"
mrpkey v0.1g (using RFIDIOt v0.1j)
reader:  ACG MultiISO 1.0  (serial no: 34060218)

Passport number: EAnnnnnn<
Nationality: NZL
Date Of Birth: 07nnnn
Sex: F
Expiry: 12nnnn
Optional: <<<<<<<<<<<<<<

Generate local keys:

Key MRZ Info (kmrz): EAnnnnnn<307nnnn312nnnn6

Select Passport Application (AID):  OK
Select Master File:  Basic Access Control enforced!
Authenticating:  OK

Generate session keys: 

Kifd XOR Kicc (kseed):  1edfc8a6963509b658a131c582715ab4
Session Key ENC:  544929197fc7cdb96dae46e03876d6ce
Session Key MAC:  0b209e16f42c543743b97586016138d0

Calculate Send Sequence Counter: 

SSC:  e73e5c97ee24ba0e
60165f01
File Length:  24
Reading: 00000
EF.COM:  Length:  22
Tag: 5f01 (LDS Version)
  Length:  4
    Data:  30313037
Tag: 5f36 (Unicode Version)
  Length:  6
    Data:  303430303030
Tag: 5c (Tag List)
  Length:  4
    Data Group:  61 (EF.DG1 Data Recorded in MRZ)
    Data Group:  75 (EF.DG2 Encoded Identification Features - FACE)
    Data Group:  6c (EF.DG12 Additional Document Detail(s))
    Data Group:  6d (EF.DG13 Optional Detail(s))
EF.COM stored in /tmp/EF_COM.BIN

Select EF.SOD:  File Length:  2055
Reading: 00000
EF.SOD stored in /tmp/EF_SOD.BIN

Select DG1: 
615b5f1f
File Length:  93
Reading: 00000
EF.DG1 stored in /tmp/EF_DG1.BIN
EF.DG1:  Data Length:  88
  Decoded Data: P<NZLCLARKE<<xxxxx<xxxxxxx<<<<<<<<<<<<<<<<<<EAnnnnn<3NZL07nnnn3F12nnnn6<<<<<<<<<<<<<<06
    Document code:  P<
    Issuing State or organisation:  NZL
    Name:  CLARKE<<xxxxx<xxxxxxx<<<<<<<<<<<<<<<<<<
    Passport Number:  EAnnnnnn<
    Check Digit:  3
    Nationality:  NZL
    Date of Birth:  07nnnn
    Check Digit:  3
    Sex:  F
    Date of Expiry:  12nnnn
    Check Digit:  6
    Personal Number or other optional elements:  <<<<<<<<<<<<<<
    Check Digit:  0
    Composite Check Digit:  6

Select DG2: 
File Length:  14517
Reading: 00000
EF.DG2:  JPEG image stored in /tmp/EF_DG2.JPG
EF.DG2 stored in /tmp/EF_DG2.BIN

And voila! Passport read...

Photo from RFID chip
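
The MRZ field breakdown and the "Key MRZ Info (kmrz)" / "Generate local keys" steps in the output above can be reproduced offline. The following is an added example, not code from RFIDIOt or from the original post; it goes one step beyond the text by deriving the Basic Access Control keys from kmrz as ICAO Doc 9303 specifies, and it uses the specimen MRZ from the ICAO worked example rather than the obscured passport data shown here. The function names are assumptions made for illustration.

```python
import hashlib

# Specimen MRZ line 2 from the ICAO Doc 9303 worked example (not the post's passport)
SPECIMEN = "L898902C<3UTO6908061F9406236ZE184226B<<<<<14"

def char_value(c):
    """MRZ character value: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if c.isdigit():
        return int(c)
    if c == "<":
        return 0
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError("invalid MRZ character: %r" % c)

def check_digit(field):
    """Weighted sum with repeating weights 7, 3, 1, modulo 10."""
    return sum(char_value(c) * (7, 3, 1)[i % 3] for i, c in enumerate(field)) % 10

def parse_line2(line):
    """Split line 2 of a passport MRZ and verify all five check digits."""
    if len(line) != 44:
        raise ValueError("passport MRZ line 2 must be 44 characters")
    f = {"number": line[0:9], "nationality": line[10:13], "dob": line[13:19],
         "sex": line[20], "expiry": line[21:27], "optional": line[28:42]}
    composite = line[0:10] + line[13:20] + line[21:43]
    for data, digit in ((f["number"], line[9]), (f["dob"], line[19]),
                        (f["expiry"], line[27]), (f["optional"], line[42]),
                        (composite, line[43])):
        if check_digit(data) != char_value(digit):
            raise ValueError("check digit mismatch for %r" % data)
    # kmrz: number, date of birth and expiry, each followed by its check digit
    f["kmrz"] = line[0:10] + line[13:20] + line[21:28]
    return f

def adjust_parity(key):
    """Force odd parity on every byte, as DES keys require."""
    return bytes((b & 0xFE) | (bin(b >> 1).count("1") % 2 == 0) for b in key)

def derive_bac_keys(kmrz):
    """Return (Kseed, Kenc, Kmac); the only secret input is the printed MRZ data."""
    kseed = hashlib.sha1(kmrz.encode("ascii")).digest()[:16]
    def kdf(c):
        return adjust_parity(hashlib.sha1(kseed + c.to_bytes(4, "big")).digest()[:16])
    return kseed, kdf(1), kdf(2)

if __name__ == "__main__":
    fields = parse_line2(SPECIMEN)
    for name, key in zip(("Kseed", "Kenc", "Kmac"), derive_bac_keys(fields["kmrz"])):
        print(name, key.hex())
```

Everything that feeds these keys is printed on the data page, which is why the chip only answers after the MRZ has been supplied.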



About April 2007

This page contains all entries posted to justinclarke.com in April 2007. They are listed from oldest to newest.


Creative Commons License
This weblog is licensed under a Creative Commons License.