Recently a friend rooted his Android device and asked “What should I install now?”

Here is a short list (Will clean it up, provide groupings and short descriptions later) that links to a public google docs spreadsheet.  Please add your favorite applications!

Click here to edit

README.winning!

I have split this guide into two sections.  The first section titled “Quick Version” is a simple set of steps to get this working on your phone.  All the work in the full version has already been completed by using the quick version.

The “Full Version” goes into process detail if you would like to perform all the steps or it may help if you get stuck at any time during the process.  This guide will continually be updated to include any feedback or changes.

Quick Version:

1. Download the complete set of files you need from here: http://l-lacker.com/bt5/BT5_ARM_Joined.zip Extract BT5.zip to your phones internal SDcard in a directory called “BT5″ (cAsE sEnSiTiVe)
2. Launch terminal emulator from your phone and type (everything after the $: or #: is user input):
   $: su
   #: cd sdcard
   #: cd BT5
   #: sh bootbt
3. While Backtrack is loaded (when you see a red “root@localhost“) start the VNC server by typing:root@localhost:~#: startvnc (stopvnc kills it)
4. Launch VNC (im using this)from your phone and point it at 127.0.0.1:5901 VNC pass: toortoor
5. Welcome to Backtrack on your Phone!

Full Version

1. Download a copy of Backtrack 5 for ARM from : http://www.backtrack-linux.org/downloads/ (Be nice and register)

Update!!!

Complete package files that you need to install on your phone can be found here: http://l-lacker.com/bt5/BT5_ARM_Joined.zip Instructions are included.

2. Extract and review the “README” file.

I have posted the readme file here for quick reference, and have just added my notes to during the process.     I urge you to read the official read me included with the release prior to reading the below with comments.  My notes are in bold.

I would HIGHLY recommend following busybox instructions for your specific rom.   Most of the time this means updating to the latest version, but that is not always the case.

The Vibrant comes with 16gig NON removable internal storage.  The phone mounts this as the “sdcard” and the external SD card is removable.  I will be using the internal mass storage device to install BT5.

Without wasting more time, onto the readme.

BackTrack 5 ARM Edition Quick Start
This image has been developed and tested on the Motorola Xoom.
Your mileage may vary on other devices. As this image runs in a chroot, you will need to have your device rooted. There are numerous tutorials on the subject online and are not included here.

***Rooting your device will potentially void its warranty and we are not in any way resposible if  you brick your device while rooting it.***

### IMPORTANT POINTS ###
1. Since the image runs in a chroot, there is no root password set.

2. There are 2 scripts under /usr/bin/ ‘startvnc’ and ‘stopvnc’ that are set to start with the Xoom’s default resolution.

Once Backtrack5 is running off your phones internal storage you will need to edit the scripts to match your phone or devices resolution.  In my case, the Vibrant uses 480×800.   Details on this step later in the instructions.

3. The current vnc password is set to ‘toortoor’ and can be changed by running ‘vncpasswd’

4. This image is a work in progress and suggestions/tips from the community are always welcome.

### GETTING STARTED ###

ADB is a  veristile tool when it comes to Android development and interacting with the device and while the below WILL indeed work, and is independent of any OS (assuming you have the Android SDK installed).  I felt it was overkill for this task and simply mounted my SDcard and moved the files through OSX finder.  I also made changes via another machine using Windows explorer.  Again, choose your comfort level, steps 1-5 are simply a means to an end. That end is getting the files onto your SDcard.

1. Once you have downloaded the ARM BT package, save the files in a convenient location. The steps below assume they are in the platform-tools folder of the Android SDK.

2. Go to your platform-tools directory and proceed to make a directory on the device to store BT5: ./adb shell mkdir /sdcard/BT5 exit

3. Copy over the busybox install files: ./adb push busybox /sdcard/ ./adb push installbusybox.sh /sdcard

4. Install busybox on the device: ./adb shell cd /sdcard/ sh installbusybox.sh exit

5. Transfer the required BT5 files to the device: ./adb push fsrw /sdcard/BT5/ ./adb push mountonly /sdcard/BT5/ ./adb push bootbt /sdcard/BT5/ ./adb push bt5.img.gz /sdcard/BT5/ ./adb push unionfs /sdcard/BT5/

6. Uncompress the image and start BT5: ./adb shell su cd /sdcard/BT5 gunzip bt5.img.gz sh bootbt

My internal SDcard is formated as FAT32 and this file system is “required” for the phone to interact with the contents on the sd card.  I have tried formating the internal card with EXT3, EXT4, exFAT and was greeted each time with a “Damaged SD card” message.
Because of this the installation stops when trying to extract the official bt5.img file from the ARM package as it ends up being >5 gigs.  Since there is a 4 gig file limitation on the FAT32  filesystem, we should just give up. Right?

Nope, Lets Try Harder.

I have tried splitting  the bt5.img and resembling on the device which obviously failed.  There is only one thing left to do….

Modify the bt5.img file to fit into 4 gigs.  What can we remove?

1. Looks like someone over at XDA had the same idea. Therefore,  I am going to revisit this section at a later day on how to manually create the image file.  I started the process, but decided in my end goal for this post was to have a working Backtrack 5 install on my Vibrant.
2. Since the heavy lifting is done, It’s time to grab the files (or contact me for a mirror) , join them together and place this file into the BT5 directory of our sdcard.
   To join the 3 files from the XDA post together, simply put them all in the same directory and use the cat command to join them: “cat bt.7z.* > bt.7z ”
3. Extract the joined bt.7z file
4. Rename bt.img to bt5.img and grab on that file and move it to your sd cards’s BT5 directory.

This is what you should end up with in your phones BT5 directory.

Starting BackTrack 5

Once all the files have been transfered, test the installation by trying to start Backtrack from terminal emulator.

Success!

If all goes well, you’ll be in the BT5 chroot:# sh bootbtnet.ipv4.ip_forward = 1root@localhost:/

# ls /pentest/backdoors  database   exploits   passwords  scanners stressing  voipcisco  enumeration  forensics  python     sniffers  tunneling  webroot@localhost:/#

3. ???? (or is this one profit?)

4. VNC

Here is the fun part, sure the shell is pretty to look at however I want a gui to interact with.

Note: Prior to starting the VNC server, you MUST perform this step to alter the screen resolution to match your device by modifying the /usr/bin/startvnc file.

If you do not alter the geometry you may encounter the error below.

I modified /usr/bin/startvnc by starting an SSH daemon on my phone and doing the work from a computer.

1. Start the VNC server running on the BT5 phone install.

2. Check the VNC log! BT5 is listening on 5901. Then click connect.

3. Welcome to Backtrack 5!

At the beginning of April  I tweeted: “Wouldn’t this just bring tears to your eyes if it was true? #metasploitonandroid http://twitpic.com/4hfqgz ” , and now its true. <tear>

Huge thanks to the backtrack team for providing an Android version of  Backtrack.  Great work!

Special thanks to : anantshri at XDA for the advice and doing the hard work of creating the image files so quickly.  Be sure to check out his other work.

I will just detail the steps to get this working and what to do with the data once you have collected it.  I am using BackTrack 4 r2 within a Virtual Machine and an Alfa AWUS036H set at 30db.  You can skip step 2 if you are not using a virtual machine.

1. UPDATE BACKTRACK!!!

• root@bt:~# apt-get update && apt-get dist-upgrade
  • Let this complete, it may take upwards on 2-5 minutes depending on if its a fresh install.

2.  Plug in your Alfa, connect it to the VM and restart networking

• Connect the Alfa USB to the VM by performing the steps below. Additionally you can use the icon row at the bottom of VMware workstation to connect the device.  With Fusion, simply click Virtual Machine // USB // Connect Realtek [Model]

• Once the adapter is attached to the VM, restart networking… just to have a clean attachment.
  • root@bt:~# /etc/init.d/networking stop
  • root@bt:~# /etc/init.d/networking start
• Check that the adapter has been detected and is functioning  by checking iwconfig
  • root@bt:~# iwconfig
    • Determine what interface is associated with your Alfa (Realtek RTL8187) chipset.
    • root@bt:~# airmon-ng
    • In my example we are going to use: wlan0 (zero)

3.  Update Kismet

• Grab the latest version from  http://www.kismetwireless.net/download.shtml and install it. Be sure to review ALL documentation here.
  • root@bt:~# wget https://www.kismetwireless.net/code/kismet-2011-03-R2.tar.gz  (or whatever the latest version is)
  • root@bt:~# tar xvfz kismet-2011-03-R2.tar.gz
  • root@bt:~# cd kismet-2011-03-R2
  • root@bt:~/kismet-2011-03-R2# ./configure
  • root@bt:~/kismet-2011-03-R2# make install (this may take upwards of 5 – 10 minutes)

4. Start Kismet

• Be sure to read the kismet help file for all available switches. I am purposely NOT using -c to specify an interface.
  • root@bt:~# kismet
  • Note: If you are not going to use GPS, edit your kismet.conf file and tell it you are not going to.
    • root@bt:~# vi /usr/local/etc/kismet.conf
    • Edit the line: Do we have a GPS? to say “gps=false”
  • Helpful navigation tips. [TAB] moves selection. [`] Brings up menu items,  arrow and enter keys allow interaction between items.

Select your interface preference . I chose [ Yes]

• After choosing interface options, you will be ‘reminded’ that kismet is running as root.  Be sure to determine the risk before answering.

• Choose if you would like to start the kismet server.  Kismet runs in a client/server configuration. More details here. Note, once you start the server, a number of files will be generated and placed on your desktop. (Assuming you started kismet within that directory)  Do not delete these files, they are the logs of the captures.

• Select [ YES ] to add an interface for raw capture.

• Enter the interface you are going to use (from step 2) and enter any options or name and select [ Add ]



• An error about dhclient looking at the adapter you have chosen will appear if you have not stopped the service.  To stop it specifically for your wireless adapter, just look at the open files and kill the dhclient service attached to wlan0.
  • root@bt:~# lsof | grep wlan0
  • root@bt:~# kill -9 [PSID]

• To view the traffic Kismet is seeing, you will need to close the console. (Don’t worry, you can get it back if you need)

• The Kismet menu system can be engaged by pressing the [`]or [~] and then use the arrow keys to navigate.

• To interact with the visible networks, head over to the sort menu and select your sorting preference.  I chose [ type ] for this example. You can select the network you want more details about by navigating to it and pressing enter.

5. Reviewing Captures

Now Kismet has been capturing data, how can we look at it?

• You should have 5 files (depending on your switches and options you may end up with more or less.

1. 1. Kismet-[ date/time].netxml
   2. Kismet-[date/time].gpsxml
   3. Kismet-[date/time].alert
   4. Kismet-[date/time].nettxt
   5. Kismet-[date/time].pcapdump

• To view the .netxml file in excel, simply rename and drop the [net].

• Then simply import the .xml file into excel.
• In excel 2010, I was only able to open the data in read only mode.



• To view uptime in days,  for the AP’s.  Josh Wright has provided a nice formula we can use.
• Apply: =U[cell]/(1000000 * (60 * 60 * 24)) to the “/bsstimestamp column.
  • Example: =U70/(1000000*(60*60*24))
  • Row 76 becomes 77, where row 77 contains the time in Days in the last column.

Wrap up

There are many ways to view and capture data with Kismet, using xplico plus the .pcap could prove useful.  I have only scratched the surface of what is possible.  The purpose of this post wasn’t to include every possible combination, but to get you up and running quickly using kismet and reviewing the data just as fast.
Twitter

What is SecurityFail’s purpose you ask? Since you want everything handed to you, here you go from the site:

The purpose of this site is to document security failures in various technologies. Users are encouraged to submit stories and articles detailing how various technologies have failed you in terms of security. Using embedded systems as an example, we’d like to highlight issues such as:

We want vendors of embedded systems to:

• FORCE the user to select the password
• Allow users to disable protocols
• Only enable secure management protocols by default (HTTPS, SSH)

We want ISPs to:

• Block inbound port 80 on user subnets
• Manage customer devices properly and implement security

This is a great way to raise awareness and shed light on many of the problems embedded systems have.   As time permits, I have plans for a couple more articles for the site.  Keep watching!

root@bt:/# iwconfig

lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11bg  ESSID:off/any

Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm

Retry  long limit:7   RTS thr:off   Fragment thr:off

Encryption key:off

Power Management:off

20 dBM = 100 MillWatts according to this calculator.

To increase power and get the advertised 1000mW perform the following steps.
Note: This process works in a Virtual Machine OR on a physical machine.

1. Diable the adapter

2. set the power (by changing the region code to alter the TX/RX power levels to work at the appropriate power levels for your country. ) Note: be sure you choose YOUR country. The below is a warning from the aircrack-ng page regarding these changes.

- Be sure to use this guide to set your CORRECT Country Regulatory Domain.

- Setting the wrong Reg Domain could probably break the Law in your Country.

3. Enable the adapter

4. Check it!

Process below:

root@bt:/# ifconfig wlan0 down
root@bt:/# iw reg set US
root@bt:/# airmon-ng start wlan0

Interface       Chipset         Driver
wlan0           RTL8187         rtl8187 – [phy5]
(monitor mode enabled on mon0)

root@bt:/# iwconfig wlan0

wlan0     IEEE 802.11bg  ESSID:off/any
Mode:Managed  Access Point: Not-Associated   Tx-Power=30 dBm
Retry  long limit:7   RTS thr:off   Fragment thr:off
Encryption key:off
Power Management:off

If you head back to the dBm to mW calculator it will tell you that 30dBm  1000 mW.  Success.

I can not take credit for the above, I simply put it here for my own notes to reference in the future.  For more information and further reading check out the aircrack-ng forums.

Update: You will have to perform these steps each time you power on your VM or physical device.  You can toss the below script in your init.d dir so you wont need to remember.  Again, not my work, just placing here for quick reference.

#!/bin/bash
##iw reg set <your-country-code>
iw reg set <insert-your-country-code-here-in-CAPITAL-LETERS>All country codes are in ‘CAPITAL LETTERS’

save & close text editer

then put it in the /etc/init.d/ directory.

So in a terminal enter
sudo cp ~/Desktop/setwirelesscountrycode.sh /etc/init.d/
Then make the file you created executable.e.g.
sudo chmod +x /etc/init.d/setwirelesscountrycode.sh To set it to run on startup
sudo update-rc.d /etc/init.d/setwirelesscountrycode.sh defaults note ‘defaults’ puts a link to start ‘/etc/init.d/setwirelesscountrycode.sh’ in run levels 2, 3, 4 and 5. and puts a link to stop ‘/etc/init.d/setwirelesscountrycode.sh’ into run levels 0, 1 and 6.

Here is what I used for the research.

1. Samsung Galaxy S (Vibrant) on the T-mobile network. This device has been “rooted”, using the method documented here on XDA.

2. A copy of Root Explorer. This allows you to browse the entire Android File system from your device.  Requires root, but also gives you access to everything a traditional “root” account would. It also has a handy little SQLite DB viewer.

3. A copy of ShootMe. Screen shot app.

Both apps above are dependent on step one being complete. A few other notes, I have two additional updates, non stock rom apps  on this device.

1. Altered startup/shutdown animations.

2. The tether app, from the international Galaxy S (9000).

Both apps require root, and are not standard APK’s.  Therefore they must be flashed using clockwork or the bootloader.

I also used the Android SDK and screencast to do some of the searching from the comforts of my laptop. [Update]. I switched to VNC for remote admin of this device.

Part 1

Android Filesystem and the /data folder

I didn’t set out to create a multipart post, but the deeper down the rabbit hole I went, it became apparent that there was a lot of ground to cover.  In Part 1, I am going to lay out the filesystem and the files that live in the largest directory. The /data dir.

Here is what the Android filesystem directory structure looks like. I am using busybox via the Android Terminal emulator app.

# ls -al
drwxr-xr-x   21 0        0                0 Sep 23 06:57 .
drwxr-xr-x   21 0        0                0 Sep 23 06:57 ..
drwxr-xr-x    2 0        0                0 Jun 22 11:03 .info
drwxrwx—    1 1000     2001             0 Sep 23 06:58 cache
dr-x——    2 0        0                0 Sep 23 06:57 config
drwxrwx–x    1 1000     1000             0 Sep 23 06:57 data
drwxrwx–x    1 1000     1000             0 Sep 23 06:57 data_tmo
drwxrwx–x    1 1000     1000             0 Sep 23 06:57 dbdata
-rwxr-xr-x    1 0        0              117 Jun 22 10:44 default.prop
drwxr-xr-x   10 0        0            13540 Sep 23 06:57 dev
drwxrwx–x    1 1001     1001             0 Sep 23 06:57 efs
lrwxrwxrwx    1 0        0               10 Jun 22 11:03 etc -> system/etc
-rwxr-xr-x    1 0        0             2237 Jun 22 10:44 fota.rc
lrwxrwxrwx    1 0        0                9 Jun 22 11:03 init -> sbin/init
-rwxr-xr-x    1 0        0            24482 Jun 22 10:58 init.rc
-rwxr-xr-x    1 0        0              444 Jun 22 10:44 init.smdkc110.rc
-rwxr-xr-x    1 0        0              335 Jun 22 10:44 init.smdkc110.sh
drwxr-xr-x    3 0        0                0 Jun 22 11:03 lib
-rwxr-xr-x    1 0        0              727 Jun 22 10:44 lpm.rc
drwxr-xr-x    3 0        0                0 Jun 22 11:03 mnt
dr-xr-xr-x  112 0        0                0 Jan  1  1970 proc
-rwxr-xr-x    1 0        0             1143 Jun 22 10:44 recovery.rc
drwxr-xr-x    3 0        0                0 Jun 22 11:03 res
drwxr-xr-x    3 0        0                0 Jun 22 11:03 sbin
drwxrwxr-x   55 1000     1015         32768 Sep 23 07:00 sdcard
drwxrwxrwt    2 0        0               40 Sep 23 15:32 sqlite_stmt_journals
drwxr-xr-x   12 0        0                0 Jan  1  1970 sys
drwxr-xr-x    1 0        0                0 Sep 23 06:57 system
-rwxr-xr-x    1 0        0              154 Jun 22 10:44 system.prop
drwxr-xr-x    3 0        0                0 Jun 22 11:03 tmp
drwxrwx–x    2 1000     1000             0 Sep 23 06:57 userdata

A quick search for databases on the root gave me more hits than I could parse through.   I decided to search in each directory for a more simplified view.

There were still so many just in the data directory, that I have removed entries like the XKCD, Onion and similar apps.  Cached .db’s are also not included.  I wanted to keep this to what seemed “juicy”.  Maybe in another post, I can review those to see what applications are giving up.

$ export PATH=/data/local/bin:$PATH
$su
# find /data -name *.db
/data/data/com.android.providers.userdictionary/databases/user_dict.db
/data/data/com.google.android.talk/databases/suggestions.db
/data/data/com.google.android.providers.settings/databases/googlesettings.db
/data/data/com.layar/databases/layar.db
/data/data/com.android.providers.security/databases/policies.db
/data/data/com.android.providers.telephony/nwk_info.db
/data/data/com.android.providers.telephony/optable.db
/data/data/com.google.android.providers.subscribedfeeds/databases/subscribedfeeds.db
/data/data/com.sec.android.providers.downloads/databases/sisodownloads.db
/data/data/com.google.android.youtube/databases/history.db
/data/data/com.android.email/databases/EmailProvider.db
/data/data/com.android.email/databases/EmailProviderBody.db
/data/data/com.android.email/databases/webview.db
/data/data/com.android.htmlviewer/databases/webview.db
/data/data/com.android.globalsearch/databases/shortcuts-log.db
/data/data/com.android.providers.drm/databases/drm.db
/data/data/com.google.android.voicesearch/databases/webview.db
/data/data/com.android.bluetooth/databases/btopp.db
/data/data/com.sec.android.app.callsetting/databases/rejectmessage.db
/data/data/com.sec.android.app.callsetting/databases/autoreject.db
/data/data/com.twitter.android/databases/twitter.db
/data/data/com.facebook.katana/databases/fb.db
/data/data/com.google.android.apps.googlevoice/databases/model.db
/data/data/com.google.android.apps.googlevoice/databases/shadowmappings.db
/data/data/com.google.android.apps.googlevoice/databases/server_settings.db
/data/data/com.dropbox.android/databases/db.db
/data/data/com.tweetdeck.app/databases/webview.db
/data/data/org.connectbot/databases/webview.db
/data/data/com.ebay.mobile/databases/webview.db
/data/system/accounts.db

Awesome.  Time to head over to Root explorer and see what the data says.   I will post all finding in the google docs spreadsheet embedded below.

In part 2, I hope to cover the remaining databases and what lies within.  Hopefully we wont find anything worse that we already have.

The guys over at viaForensics have a pretty nice application to talk to some of the databases. However, it is no longer available to the public. I am going to *attempt* to leverage Googles App Inventor to automate much of this process, or maybe spit out an .apk to see what can be extracted from both rooted and non rooted devices.

First up from:

Thursday, September 16, 2010 at 10:00 AM
- to -
Friday, September 17, 2010 at 4:00 PM (CT)

Is the first anual Cyber-RAID event.

What is Cyber-RAID you ask?

The Kansas City InfraGard program is hosting a two day cyber event which pits systems and security professionals from the community against each other in a live cyber attack on a replicated commercial network.  This event will specifically focus on managing and protecting this existing “commercial” network infrastructure from a live cyber attack. Since the exercise network is hosted on a private managed network that is not on the Internet, production data and systems are not at risk.

Register here: http://cyberraid.eventbrite.com/?ref=ecount
Note: We need RED Team members!!!

Next up we have SecuityBsidesKC which begins at 10:00am on Friday September 17th and runs through until 5:00pm that night.  I’ve never been at a BSides event, or a Security Con for that matter, but I think it would be safe to assume it will run past 5pm.

Look at the current lineup for speakers, this is shaping up to be a pretty amazing/can’t miss line up.

Call for presenters is still open, so please submit any talks.  There will be barcamp style talk acceptance after the scheduled speakers.

Again, I can’t wait for september to get here so I can sponge knowledge off of people like @ax0n, @hevnsnt, @surbo, @jur1st and @davehull, and im sure there are more that I simply don’t know what their twitter accounts are

I will try to keep this to the point and simply split it up into two sections.  Section 1 will cover what types of things you can include in such a lab. Section 2 will cover converting it all into one portable file and using that within VirtualBox.

Section 1

Adding the h4x()r

“What the hell am I going to include in my lab” was my first thought when I started putting this together.   I have created a matrix below of what my lab includes.  It is by no means an end all be all list.  I don’t want to re-invent the wheel, as Irongeek for example has the *how* to build a mapped out very well already.

My next thought was “How the hell am I going to pay for all of that?”  I ponied up for a Microsoft Technet subscription.  Its $349 well spent.  I decided I didn’t want to pay over 300 bones for that, and was able to use the power of Google and some SE trickery to get 2 free years.

Section 2

Putting it in your pocket

What you will need

• A computer running Microsoft Windows (XP – Server 2008)
• DSK2VHD

Really at this point, only one assumption needs to be made.

• You have setup your Windows machine to “production” standards for your lab.

This is a good time to patch the host to the level you want, install services, load it up with apps, activate it, install your AV and update it, etc.   You may also want to make sure you have  the virtual machine solution of your choice and the VM’s can live anywhere on that local machine.  I am using VMWare with well over 15VM’s locally.  If you have an external disk or additional storage attached locally DSK2VHD will capture them and create a VHD for each HDD it can see.  Be aware that the cap here is 127Gigs.

DSK2VHD

Now would be a good time to learn about this app.  In part, from the applications’ site: I suggest you read the description in it’s entirety. Its short and sweet.

Disk2vhd is a utility that creates VHD (Virtual Hard Disk – Microsoft’s Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs). The difference between Disk2vhd and other physical-to-virtual tools is that you can run Disk2vhd on a system that’s online. Disk2vhd uses Windows’ Volume Snapshot capability, introduced in Windows XP, to create consistent point-in-time snapshots of the volumes you want to include in a conversion. You can even have Disk2vhd create the VHDs on local volumes, even ones being converted (though performance is better when the VHD is on a disk different than ones being converted).

Usage: disk2vhd <[drive: [drive:]…]|[*]> <vhdfile>
Example: disk2vhd * c:\vhd\snapshot.vhd

Dont be alarmed, even though this tool creates files for use in “Microsoft Virtual PC” we aren’t going to use that.  More in section 2.

Creating the snapshot

1. Download, unzip and install DSK2VHD on the host system.

2. Launch DSK2VHD

3. Select the disk(s) you want to create and set your save location.

4. Click create.

Sit back and watch it cook. My 119 gig file took.  Once its done we have a nice neat single file containing our Window server and everything that went along with it.

Now it’s time make it usable.

What you will need

• A computer with >/= system specs to the machine from which the .VHD was created. (Note this is not a necessity, but it will determine performance)
• Copy of Sun’s VirtualBox

One of the awesome things about VirtualBox is that is supports .VHD files, and not only that, We can run it on OSX, Linux and Windows.

Setup VirtualBox on the new host

I am going to use OSX (10.6.3) for the example here, but the Linux and Windows versions should follow pretty closely.

Now would be the time to copy the .VHD file from it’s current location to where you want to use it.  We will configure VirtualBox to use that file as an existing harddrive and boot to it.

1. Launch VirtualBox and select “New”

2.  Click Next

3. Name it and match the OS to the OS from which the .VHD file was created.

4.  Set the RAM and click Next

5.  Leave “Boot Hard Disk” checked or enabled.

5a. Select “Use Existing Hard Disk” and click browse. (Folder with the carrot)

Now we need to add the .VHD file to the available virtual disks that VirtualBox can use.

6.  Click Add and navigate to where the .VHD lives.

7. Click open, then select the newly added lab disk and click select.

8. Click next and Finish.

You will now see your lab available to start. Select it and power that bad boy up.

Wrap up

As you can see, it is pretty simple to take your physical Windows server with you.  Now you can hack it,  break it and do whatever you want and you could just revert it to a clean snapshot like any other VM.

If you decide the you want to ever use the .VHD in production, Windows 7 and 2008 Server support mounting AND booting to a VHD. Pretty sweet.

After calling around to a few places, it became clear that purchasing the hardware, let alone the door was going to be WAY to expensive.  A very basic “barn-door” track system, runs upwards of $500 for one similar pictured above. That doesn’t include the door and all the other items I need.

Only one thing to do, buy the metal and do it myself.  However, I lack the shop and supplies to fabricate what I needed.

I called Metal By The Foot Inc. based in Kansas, and purchased the materials (full material list and cost will be provided below).

I then ran over to Fred’s Automotive to have them bend the metal according to the dimensions I provided.  These guys were awesome, and true hardware hackers.  The shop was full of race cars, motors, fenders, and parts from about everything EVER. It  smelled like cigarettes and car wrecks.  Reminded me of high school shop class.  Including the smoke

Fred simply tack welded the piece of flat metal to a pipe, heated and bent.  Perfectly executed.

Now that I have successfully saved myself $500, its time to add wheels and mount this bad boy up.

My wife didn’t like the 2 inch pulleys that the design called for, we wanted to be able to see the pulley move with the door.   I went to the Tractor Supply Company and grabbed a couple of part 3240235.  Here is the current door hardware.

More updates coming soon, the door has been built, stained and ready to distress.  We are just a few weeks away from hanging the door.  We recently had twin girls and have a (soon to be 5) 4 year old son.  Finishing projects in a timely matter has proved to be a challenge.  :)

Stay tuned!

This morning I awake to find an envelope taped to my front door. It was blank, and I briefly peek around and see that the rest of the neighborhood has the same thing waiting.

I go ahead and open it, expecting to find a local resident selling mowing, painting or any other service but find something slightly different. Close, but different. In part below:

“Neighbors:

Since we don’t have a homeowners association everyone has done their own thing in regards to trash removal. I thought it would be nice to have one garbage truck come through each week instead of three so I contacted [REDACTED] who I was inquiring about a special.  I have attached their letter….

… If everyone thinks this is a good idea we can all have matching barrels put out at one time per week…

…Again, we dont have an association, but we can all act together if we choose. Their number is on the attached paper if you would like to use them.”

Ok, so whats the problem you ask? Well nothing really, I think it was a nice gesture, and think he was just trying to help his fellow neighbor.

HERE is the problem.

On the “Attached paper” was a browser printout of an email that was sent to his gmail account.  He made an effort to hide his gmail address and thats about it.  The nice little feature gmail provides to show the last account activity was in plain view.  The IP address was in tact.

Being the curious minded person I am, I couldn’t help myself and put in the IP into my browser. Bingo. “Welcome to Windows Small Business Server 2003″

I’d better close it right away… nah, Of COURSE I clicked on “Remote Web Workplace” and of COURSE I got:

“The site’s security certificate is not trusted!”

and of COURSE I was in a VM and so on and so for and moved forward. I was presented with a company name, and a logon prompt.  So a quick tally of what we have so far.

I have his full name, IP address of a machine I know he used, probably was logged into the SBS web desktop. I have his address (duh), place of employment and the phone number and address of his work place.  Oh well.

What I DON’T have

I dont have HIS email address, remember he redacted it.  I NEED that email address now, so when I call him I can send him an email as well.

This was an easy one, the “Attached paper” had the persons name, phone number and email that he contacted about a special. I had all the info I needed to just socially engineer my neighbors email address out of them.  I called the number and received the front desk.  I was informed the person I needed was out, but she could help me. She could take my name and number and get back to me. Stop.  That wasn’t really going to work for this little experiment.  I simply gave her some more details, like the my neighbors name and guess what. She has access to the mailbox that contained the email address.  After helping her troubleshoot a bit, she gave it to me without hesitation, and I even asked her to spell it again and asked if I couldn’t reach him by email If I could call her back because she has been “so helpful and really got me out of a pickle”. Another win for me . FAIL for them. They mindlessly handed out information about another customer.

Additionally, all of his gmail labels were in view on the print out. Pretty organized too, I know his church, hobbies and the fact he uses his gmail for work, Well, I’m assuming thats what the “Work” label meant. Wow. This is awesome.

What was the point of even bothering with this?

To help educate my neighbor that something seemingly harmless could have been bad.

I have contacted him, but haven’t heard back.  I will update this post as soon as I do.  Remember, own your information folks.

Update:  I spoke to my neighbor and he was very thankful that I wasn’t malicious. I think he understood why it was a bad idea, and mentioned “you got all of this from a note on your door about trash…different world we live in”  Protecting people, one neighbor at a time.