README.winning!

I have split this guide into two sections.  The first section titled “Quick Version” is a simple set of steps to get this working on your phone.  All the work in the full version has already been completed by using the quick version.

The “Full Version” goes into process detail if you would like to perform all the steps or it may help if you get stuck at any time during the process.  This guide will continually be updated to include any feedback or changes.

Quick Version:

1. Download the complete set of files you need from here: http://l-lacker.com/bt5/BT5_ARM_Joined.zip Extract BT5.zip to your phones internal SDcard in a directory called “BT5″ (cAsE sEnSiTiVe)
2. Launch terminal emulator from your phone and type (everything after the $: or #: is user input):
   $: su
   #: cd sdcard
   #: cd BT5
   #: sh bootbt
3. While Backtrack is loaded (when you see a red “root@localhost“) start the VNC server by typing:root@localhost:~#: startvnc (stopvnc kills it)
4. Launch VNC (im using this)from your phone and point it at 127.0.0.1:5901 VNC pass: toortoor
5. Welcome to Backtrack on your Phone!

Full Version

1. Download a copy of Backtrack 5 for ARM from : http://www.backtrack-linux.org/downloads/ (Be nice and register)

Update!!!

Complete package files that you need to install on your phone can be found here: http://l-lacker.com/bt5/BT5_ARM_Joined.zip Instructions are included.

2. Extract and review the “README” file.

I have posted the readme file here for quick reference, and have just added my notes to during the process.     I urge you to read the official read me included with the release prior to reading the below with comments.  My notes are in bold.

I would HIGHLY recommend following busybox instructions for your specific rom.   Most of the time this means updating to the latest version, but that is not always the case.

The Vibrant comes with 16gig NON removable internal storage.  The phone mounts this as the “sdcard” and the external SD card is removable.  I will be using the internal mass storage device to install BT5.

Without wasting more time, onto the readme.

BackTrack 5 ARM Edition Quick Start
This image has been developed and tested on the Motorola Xoom.
Your mileage may vary on other devices. As this image runs in a chroot, you will need to have your device rooted. There are numerous tutorials on the subject online and are not included here.

***Rooting your device will potentially void its warranty and we are not in any way resposible if  you brick your device while rooting it.***

### IMPORTANT POINTS ###
1. Since the image runs in a chroot, there is no root password set.

2. There are 2 scripts under /usr/bin/ ‘startvnc’ and ‘stopvnc’ that are set to start with the Xoom’s default resolution.

Once Backtrack5 is running off your phones internal storage you will need to edit the scripts to match your phone or devices resolution.  In my case, the Vibrant uses 480×800.   Details on this step later in the instructions.

3. The current vnc password is set to ‘toortoor’ and can be changed by running ‘vncpasswd’

4. This image is a work in progress and suggestions/tips from the community are always welcome.

### GETTING STARTED ###

ADB is a  veristile tool when it comes to Android development and interacting with the device and while the below WILL indeed work, and is independent of any OS (assuming you have the Android SDK installed).  I felt it was overkill for this task and simply mounted my SDcard and moved the files through OSX finder.  I also made changes via another machine using Windows explorer.  Again, choose your comfort level, steps 1-5 are simply a means to an end. That end is getting the files onto your SDcard.

1. Once you have downloaded the ARM BT package, save the files in a convenient location. The steps below assume they are in the platform-tools folder of the Android SDK.

2. Go to your platform-tools directory and proceed to make a directory on the device to store BT5: ./adb shell mkdir /sdcard/BT5 exit

3. Copy over the busybox install files: ./adb push busybox /sdcard/ ./adb push installbusybox.sh /sdcard

4. Install busybox on the device: ./adb shell cd /sdcard/ sh installbusybox.sh exit

5. Transfer the required BT5 files to the device: ./adb push fsrw /sdcard/BT5/ ./adb push mountonly /sdcard/BT5/ ./adb push bootbt /sdcard/BT5/ ./adb push bt5.img.gz /sdcard/BT5/ ./adb push unionfs /sdcard/BT5/

6. Uncompress the image and start BT5: ./adb shell su cd /sdcard/BT5 gunzip bt5.img.gz sh bootbt

My internal SDcard is formated as FAT32 and this file system is “required” for the phone to interact with the contents on the sd card.  I have tried formating the internal card with EXT3, EXT4, exFAT and was greeted each time with a “Damaged SD card” message.
Because of this the installation stops when trying to extract the official bt5.img file from the ARM package as it ends up being >5 gigs.  Since there is a 4 gig file limitation on the FAT32  filesystem, we should just give up. Right?

Nope, Lets Try Harder.

I have tried splitting  the bt5.img and resembling on the device which obviously failed.  There is only one thing left to do….

Modify the bt5.img file to fit into 4 gigs.  What can we remove?

1. Looks like someone over at XDA had the same idea. Therefore,  I am going to revisit this section at a later day on how to manually create the image file.  I started the process, but decided in my end goal for this post was to have a working Backtrack 5 install on my Vibrant.
2. Since the heavy lifting is done, It’s time to grab the files (or contact me for a mirror) , join them together and place this file into the BT5 directory of our sdcard.
   To join the 3 files from the XDA post together, simply put them all in the same directory and use the cat command to join them: “cat bt.7z.* > bt.7z ”
3. Extract the joined bt.7z file
4. Rename bt.img to bt5.img and grab on that file and move it to your sd cards’s BT5 directory.

This is what you should end up with in your phones BT5 directory.

Starting BackTrack 5

Once all the files have been transfered, test the installation by trying to start Backtrack from terminal emulator.

Success!

If all goes well, you’ll be in the BT5 chroot:# sh bootbtnet.ipv4.ip_forward = 1root@localhost:/

# ls /pentest/backdoors  database   exploits   passwords  scanners stressing  voipcisco  enumeration  forensics  python     sniffers  tunneling  webroot@localhost:/#

3. ???? (or is this one profit?)

4. VNC

Here is the fun part, sure the shell is pretty to look at however I want a gui to interact with.

Note: Prior to starting the VNC server, you MUST perform this step to alter the screen resolution to match your device by modifying the /usr/bin/startvnc file.

If you do not alter the geometry you may encounter the error below.

I modified /usr/bin/startvnc by starting an SSH daemon on my phone and doing the work from a computer.

1. Start the VNC server running on the BT5 phone install.

2. Check the VNC log! BT5 is listening on 5901. Then click connect.

3. Welcome to Backtrack 5!

At the beginning of April  I tweeted: “Wouldn’t this just bring tears to your eyes if it was true? #metasploitonandroid http://twitpic.com/4hfqgz ” , and now its true. <tear>

Huge thanks to the backtrack team for providing an Android version of  Backtrack.  Great work!

Special thanks to : anantshri at XDA for the advice and doing the hard work of creating the image files so quickly.  Be sure to check out his other work.

I will just detail the steps to get this working and what to do with the data once you have collected it.  I am using BackTrack 4 r2 within a Virtual Machine and an Alfa AWUS036H set at 30db.  You can skip step 2 if you are not using a virtual machine.

1. UPDATE BACKTRACK!!!

• root@bt:~# apt-get update && apt-get dist-upgrade
  • Let this complete, it may take upwards on 2-5 minutes depending on if its a fresh install.

2.  Plug in your Alfa, connect it to the VM and restart networking

• Connect the Alfa USB to the VM by performing the steps below. Additionally you can use the icon row at the bottom of VMware workstation to connect the device.  With Fusion, simply click Virtual Machine // USB // Connect Realtek [Model]

• Once the adapter is attached to the VM, restart networking… just to have a clean attachment.
  • root@bt:~# /etc/init.d/networking stop
  • root@bt:~# /etc/init.d/networking start
• Check that the adapter has been detected and is functioning  by checking iwconfig
  • root@bt:~# iwconfig
    • Determine what interface is associated with your Alfa (Realtek RTL8187) chipset.
    • root@bt:~# airmon-ng
    • In my example we are going to use: wlan0 (zero)

3.  Update Kismet

• Grab the latest version from  http://www.kismetwireless.net/download.shtml and install it. Be sure to review ALL documentation here.
  • root@bt:~# wget https://www.kismetwireless.net/code/kismet-2011-03-R2.tar.gz  (or whatever the latest version is)
  • root@bt:~# tar xvfz kismet-2011-03-R2.tar.gz
  • root@bt:~# cd kismet-2011-03-R2
  • root@bt:~/kismet-2011-03-R2# ./configure
  • root@bt:~/kismet-2011-03-R2# make install (this may take upwards of 5 – 10 minutes)

4. Start Kismet

• Be sure to read the kismet help file for all available switches. I am purposely NOT using -c to specify an interface.
  • root@bt:~# kismet
  • Note: If you are not going to use GPS, edit your kismet.conf file and tell it you are not going to.
    • root@bt:~# vi /usr/local/etc/kismet.conf
    • Edit the line: Do we have a GPS? to say “gps=false”
  • Helpful navigation tips. [TAB] moves selection. [`] Brings up menu items,  arrow and enter keys allow interaction between items.

Select your interface preference . I chose [ Yes]

• After choosing interface options, you will be ‘reminded’ that kismet is running as root.  Be sure to determine the risk before answering.

• Choose if you would like to start the kismet server.  Kismet runs in a client/server configuration. More details here. Note, once you start the server, a number of files will be generated and placed on your desktop. (Assuming you started kismet within that directory)  Do not delete these files, they are the logs of the captures.

• Select [ YES ] to add an interface for raw capture.

• Enter the interface you are going to use (from step 2) and enter any options or name and select [ Add ]



• An error about dhclient looking at the adapter you have chosen will appear if you have not stopped the service.  To stop it specifically for your wireless adapter, just look at the open files and kill the dhclient service attached to wlan0.
  • root@bt:~# lsof | grep wlan0
  • root@bt:~# kill -9 [PSID]

• To view the traffic Kismet is seeing, you will need to close the console. (Don’t worry, you can get it back if you need)

• The Kismet menu system can be engaged by pressing the [`]or [~] and then use the arrow keys to navigate.

• To interact with the visible networks, head over to the sort menu and select your sorting preference.  I chose [ type ] for this example. You can select the network you want more details about by navigating to it and pressing enter.

5. Reviewing Captures

Now Kismet has been capturing data, how can we look at it?

• You should have 5 files (depending on your switches and options you may end up with more or less.

1. 1. Kismet-[ date/time].netxml
   2. Kismet-[date/time].gpsxml
   3. Kismet-[date/time].alert
   4. Kismet-[date/time].nettxt
   5. Kismet-[date/time].pcapdump

• To view the .netxml file in excel, simply rename and drop the [net].

• Then simply import the .xml file into excel.
• In excel 2010, I was only able to open the data in read only mode.



• To view uptime in days,  for the AP’s.  Josh Wright has provided a nice formula we can use.
• Apply: =U[cell]/(1000000 * (60 * 60 * 24)) to the “/bsstimestamp column.
  • Example: =U70/(1000000*(60*60*24))
  • Row 76 becomes 77, where row 77 contains the time in Days in the last column.

Wrap up

There are many ways to view and capture data with Kismet, using xplico plus the .pcap could prove useful.  I have only scratched the surface of what is possible.  The purpose of this post wasn’t to include every possible combination, but to get you up and running quickly using kismet and reviewing the data just as fast.
Twitter

root@bt:/# iwconfig

lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11bg  ESSID:off/any

Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm

Retry  long limit:7   RTS thr:off   Fragment thr:off

Encryption key:off

Power Management:off

20 dBM = 100 MillWatts according to this calculator.

To increase power and get the advertised 1000mW perform the following steps.
Note: This process works in a Virtual Machine OR on a physical machine.

1. Diable the adapter

2. set the power (by changing the region code to alter the TX/RX power levels to work at the appropriate power levels for your country. ) Note: be sure you choose YOUR country. The below is a warning from the aircrack-ng page regarding these changes.

- Be sure to use this guide to set your CORRECT Country Regulatory Domain.

- Setting the wrong Reg Domain could probably break the Law in your Country.

3. Enable the adapter

4. Check it!

Process below:

root@bt:/# ifconfig wlan0 down
root@bt:/# iw reg set US
root@bt:/# airmon-ng start wlan0

Interface       Chipset         Driver
wlan0           RTL8187         rtl8187 – [phy5]
(monitor mode enabled on mon0)

root@bt:/# iwconfig wlan0

wlan0     IEEE 802.11bg  ESSID:off/any
Mode:Managed  Access Point: Not-Associated   Tx-Power=30 dBm
Retry  long limit:7   RTS thr:off   Fragment thr:off
Encryption key:off
Power Management:off

If you head back to the dBm to mW calculator it will tell you that 30dBm  1000 mW.  Success.

I can not take credit for the above, I simply put it here for my own notes to reference in the future.  For more information and further reading check out the aircrack-ng forums.

Update: You will have to perform these steps each time you power on your VM or physical device.  You can toss the below script in your init.d dir so you wont need to remember.  Again, not my work, just placing here for quick reference.

#!/bin/bash
##iw reg set <your-country-code>
iw reg set <insert-your-country-code-here-in-CAPITAL-LETERS>All country codes are in ‘CAPITAL LETTERS’

save & close text editer

then put it in the /etc/init.d/ directory.

So in a terminal enter
sudo cp ~/Desktop/setwirelesscountrycode.sh /etc/init.d/
Then make the file you created executable.e.g.
sudo chmod +x /etc/init.d/setwirelesscountrycode.sh To set it to run on startup
sudo update-rc.d /etc/init.d/setwirelesscountrycode.sh defaults note ‘defaults’ puts a link to start ‘/etc/init.d/setwirelesscountrycode.sh’ in run levels 2, 3, 4 and 5. and puts a link to stop ‘/etc/init.d/setwirelesscountrycode.sh’ into run levels 0, 1 and 6.

Here is what I used for the research.

1. Samsung Galaxy S (Vibrant) on the T-mobile network. This device has been “rooted”, using the method documented here on XDA.

2. A copy of Root Explorer. This allows you to browse the entire Android File system from your device.  Requires root, but also gives you access to everything a traditional “root” account would. It also has a handy little SQLite DB viewer.

3. A copy of ShootMe. Screen shot app.

Both apps above are dependent on step one being complete. A few other notes, I have two additional updates, non stock rom apps  on this device.

1. Altered startup/shutdown animations.

2. The tether app, from the international Galaxy S (9000).

Both apps require root, and are not standard APK’s.  Therefore they must be flashed using clockwork or the bootloader.

I also used the Android SDK and screencast to do some of the searching from the comforts of my laptop. [Update]. I switched to VNC for remote admin of this device.

Part 1

Android Filesystem and the /data folder

I didn’t set out to create a multipart post, but the deeper down the rabbit hole I went, it became apparent that there was a lot of ground to cover.  In Part 1, I am going to lay out the filesystem and the files that live in the largest directory. The /data dir.

Here is what the Android filesystem directory structure looks like. I am using busybox via the Android Terminal emulator app.

# ls -al
drwxr-xr-x   21 0        0                0 Sep 23 06:57 .
drwxr-xr-x   21 0        0                0 Sep 23 06:57 ..
drwxr-xr-x    2 0        0                0 Jun 22 11:03 .info
drwxrwx—    1 1000     2001             0 Sep 23 06:58 cache
dr-x——    2 0        0                0 Sep 23 06:57 config
drwxrwx–x    1 1000     1000             0 Sep 23 06:57 data
drwxrwx–x    1 1000     1000             0 Sep 23 06:57 data_tmo
drwxrwx–x    1 1000     1000             0 Sep 23 06:57 dbdata
-rwxr-xr-x    1 0        0              117 Jun 22 10:44 default.prop
drwxr-xr-x   10 0        0            13540 Sep 23 06:57 dev
drwxrwx–x    1 1001     1001             0 Sep 23 06:57 efs
lrwxrwxrwx    1 0        0               10 Jun 22 11:03 etc -> system/etc
-rwxr-xr-x    1 0        0             2237 Jun 22 10:44 fota.rc
lrwxrwxrwx    1 0        0                9 Jun 22 11:03 init -> sbin/init
-rwxr-xr-x    1 0        0            24482 Jun 22 10:58 init.rc
-rwxr-xr-x    1 0        0              444 Jun 22 10:44 init.smdkc110.rc
-rwxr-xr-x    1 0        0              335 Jun 22 10:44 init.smdkc110.sh
drwxr-xr-x    3 0        0                0 Jun 22 11:03 lib
-rwxr-xr-x    1 0        0              727 Jun 22 10:44 lpm.rc
drwxr-xr-x    3 0        0                0 Jun 22 11:03 mnt
dr-xr-xr-x  112 0        0                0 Jan  1  1970 proc
-rwxr-xr-x    1 0        0             1143 Jun 22 10:44 recovery.rc
drwxr-xr-x    3 0        0                0 Jun 22 11:03 res
drwxr-xr-x    3 0        0                0 Jun 22 11:03 sbin
drwxrwxr-x   55 1000     1015         32768 Sep 23 07:00 sdcard
drwxrwxrwt    2 0        0               40 Sep 23 15:32 sqlite_stmt_journals
drwxr-xr-x   12 0        0                0 Jan  1  1970 sys
drwxr-xr-x    1 0        0                0 Sep 23 06:57 system
-rwxr-xr-x    1 0        0              154 Jun 22 10:44 system.prop
drwxr-xr-x    3 0        0                0 Jun 22 11:03 tmp
drwxrwx–x    2 1000     1000             0 Sep 23 06:57 userdata

A quick search for databases on the root gave me more hits than I could parse through.   I decided to search in each directory for a more simplified view.

There were still so many just in the data directory, that I have removed entries like the XKCD, Onion and similar apps.  Cached .db’s are also not included.  I wanted to keep this to what seemed “juicy”.  Maybe in another post, I can review those to see what applications are giving up.

$ export PATH=/data/local/bin:$PATH
$su
# find /data -name *.db
/data/data/com.android.providers.userdictionary/databases/user_dict.db
/data/data/com.google.android.talk/databases/suggestions.db
/data/data/com.google.android.providers.settings/databases/googlesettings.db
/data/data/com.layar/databases/layar.db
/data/data/com.android.providers.security/databases/policies.db
/data/data/com.android.providers.telephony/nwk_info.db
/data/data/com.android.providers.telephony/optable.db
/data/data/com.google.android.providers.subscribedfeeds/databases/subscribedfeeds.db
/data/data/com.sec.android.providers.downloads/databases/sisodownloads.db
/data/data/com.google.android.youtube/databases/history.db
/data/data/com.android.email/databases/EmailProvider.db
/data/data/com.android.email/databases/EmailProviderBody.db
/data/data/com.android.email/databases/webview.db
/data/data/com.android.htmlviewer/databases/webview.db
/data/data/com.android.globalsearch/databases/shortcuts-log.db
/data/data/com.android.providers.drm/databases/drm.db
/data/data/com.google.android.voicesearch/databases/webview.db
/data/data/com.android.bluetooth/databases/btopp.db
/data/data/com.sec.android.app.callsetting/databases/rejectmessage.db
/data/data/com.sec.android.app.callsetting/databases/autoreject.db
/data/data/com.twitter.android/databases/twitter.db
/data/data/com.facebook.katana/databases/fb.db
/data/data/com.google.android.apps.googlevoice/databases/model.db
/data/data/com.google.android.apps.googlevoice/databases/shadowmappings.db
/data/data/com.google.android.apps.googlevoice/databases/server_settings.db
/data/data/com.dropbox.android/databases/db.db
/data/data/com.tweetdeck.app/databases/webview.db
/data/data/org.connectbot/databases/webview.db
/data/data/com.ebay.mobile/databases/webview.db
/data/system/accounts.db

Awesome.  Time to head over to Root explorer and see what the data says.   I will post all finding in the google docs spreadsheet embedded below.

In part 2, I hope to cover the remaining databases and what lies within.  Hopefully we wont find anything worse that we already have.

The guys over at viaForensics have a pretty nice application to talk to some of the databases. However, it is no longer available to the public. I am going to *attempt* to leverage Googles App Inventor to automate much of this process, or maybe spit out an .apk to see what can be extracted from both rooted and non rooted devices.

First up from:

Thursday, September 16, 2010 at 10:00 AM
- to -
Friday, September 17, 2010 at 4:00 PM (CT)

Is the first anual Cyber-RAID event.

What is Cyber-RAID you ask?

The Kansas City InfraGard program is hosting a two day cyber event which pits systems and security professionals from the community against each other in a live cyber attack on a replicated commercial network.  This event will specifically focus on managing and protecting this existing “commercial” network infrastructure from a live cyber attack. Since the exercise network is hosted on a private managed network that is not on the Internet, production data and systems are not at risk.

Register here: http://cyberraid.eventbrite.com/?ref=ecount
Note: We need RED Team members!!!

Next up we have SecuityBsidesKC which begins at 10:00am on Friday September 17th and runs through until 5:00pm that night.  I’ve never been at a BSides event, or a Security Con for that matter, but I think it would be safe to assume it will run past 5pm.

Look at the current lineup for speakers, this is shaping up to be a pretty amazing/can’t miss line up.

Call for presenters is still open, so please submit any talks.  There will be barcamp style talk acceptance after the scheduled speakers.

Again, I can’t wait for september to get here so I can sponge knowledge off of people like @ax0n, @hevnsnt, @surbo, @jur1st and @davehull, and im sure there are more that I simply don’t know what their twitter accounts are

This morning I awake to find an envelope taped to my front door. It was blank, and I briefly peek around and see that the rest of the neighborhood has the same thing waiting.

I go ahead and open it, expecting to find a local resident selling mowing, painting or any other service but find something slightly different. Close, but different. In part below:

“Neighbors:

Since we don’t have a homeowners association everyone has done their own thing in regards to trash removal. I thought it would be nice to have one garbage truck come through each week instead of three so I contacted [REDACTED] who I was inquiring about a special.  I have attached their letter….

… If everyone thinks this is a good idea we can all have matching barrels put out at one time per week…

…Again, we dont have an association, but we can all act together if we choose. Their number is on the attached paper if you would like to use them.”

Ok, so whats the problem you ask? Well nothing really, I think it was a nice gesture, and think he was just trying to help his fellow neighbor.

HERE is the problem.

On the “Attached paper” was a browser printout of an email that was sent to his gmail account.  He made an effort to hide his gmail address and thats about it.  The nice little feature gmail provides to show the last account activity was in plain view.  The IP address was in tact.

Being the curious minded person I am, I couldn’t help myself and put in the IP into my browser. Bingo. “Welcome to Windows Small Business Server 2003″

I’d better close it right away… nah, Of COURSE I clicked on “Remote Web Workplace” and of COURSE I got:

“The site’s security certificate is not trusted!”

and of COURSE I was in a VM and so on and so for and moved forward. I was presented with a company name, and a logon prompt.  So a quick tally of what we have so far.

I have his full name, IP address of a machine I know he used, probably was logged into the SBS web desktop. I have his address (duh), place of employment and the phone number and address of his work place.  Oh well.

What I DON’T have

I dont have HIS email address, remember he redacted it.  I NEED that email address now, so when I call him I can send him an email as well.

This was an easy one, the “Attached paper” had the persons name, phone number and email that he contacted about a special. I had all the info I needed to just socially engineer my neighbors email address out of them.  I called the number and received the front desk.  I was informed the person I needed was out, but she could help me. She could take my name and number and get back to me. Stop.  That wasn’t really going to work for this little experiment.  I simply gave her some more details, like the my neighbors name and guess what. She has access to the mailbox that contained the email address.  After helping her troubleshoot a bit, she gave it to me without hesitation, and I even asked her to spell it again and asked if I couldn’t reach him by email If I could call her back because she has been “so helpful and really got me out of a pickle”. Another win for me . FAIL for them. They mindlessly handed out information about another customer.

Additionally, all of his gmail labels were in view on the print out. Pretty organized too, I know his church, hobbies and the fact he uses his gmail for work, Well, I’m assuming thats what the “Work” label meant. Wow. This is awesome.

What was the point of even bothering with this?

To help educate my neighbor that something seemingly harmless could have been bad.

I have contacted him, but haven’t heard back.  I will update this post as soon as I do.  Remember, own your information folks.

Update:  I spoke to my neighbor and he was very thankful that I wasn’t malicious. I think he understood why it was a bad idea, and mentioned “you got all of this from a note on your door about trash…different world we live in”  Protecting people, one neighbor at a time.

Beginning Less than a year ago,

I decided it was time to stop being defined by the job I was doing, I noticed I was on the path of complacency and wanted to belong to an area I have always been an outsider looking in on. Information Security.  I am no stranger to technology, and have had a strong passion for anything related to it for as long as I can remember. I just lacked focus…

Jump

When I finally made the decision shift focus to InfoSec it was scary to say the least.  The more I learn, the less I know. Not only that, but I realized this was a close community with a solid history and more talented people that I could ever imagine.  I felt like it was my first day in prison (disclaimer: I’ve never been to prison) and I felt like I needed to make a name for myself.  Each passing day I was trying to draw comparisons between an existing community with years and years of experience to what I was doing.   I hope I caught that mistake in time, that could have been bad.

Slow Down

Frickin’ Newb, Its only been 8 months…ish.  In that time, I obtained a  C|EH, completed Offensive Security PWB 101 training (No OSCP, on attempt 2) [Update: I passed the OSCP exam in May of 2010], visited my local hackerspace a handful of times ( I recommend doing the same) . I joined Infragard, ISSA and OWASP.  No, I’m not trying to be a braggart, and no, I don’t think this is the path to 1337ness. It served me two purposes really.  First it was an attempt to learn and surround myself with people that built the very community I am trying to get into.  Secondly, It was a good way to test the waters.

Welcome to the Thunderdome

Have you guys seen what you have built? The security community is amazing.  I wont get into a naming of names, but the twitter users alone are not only impressive but if you follow the right people you could socially engineer yourself into an InfoSec job just by regurgitating tweets.  Podcasts? Yeah, you got em.  Need Videos?  There are too many security video sites to count. Cons. Nuff said. I am going to make an effort to hit as many of these cons as possible this year.  Finally,  Blogs? 0_O

Going Forward

I always hear, “give back to the infosec community”, and that is something I plan on doing.  I don’t have much to offer at this point. Writing isn’t my strong suit (<<Captain Obvious) and podcasts from a noobs perspective (hmm catchy) would be a waste of everyone’s time.  I decided the best thing I can do, for myself and the community is to STFU and learn.  The last thing “we” (ducks) need is a wreckless wannabe. I have no idea where I fit in, and its better that way.   I have a long way to go, but the journey so far has been worth the jump.  I only wished I made it 10 years ago.

twitter

@mattjay (Web: http://mattjaysecurity.com)Took a peek when it was in it’s earliest form and gave me some great pointers.  I suppose what I am looking for is feedback, or criticism to make the talk better.

The audience will be non “power” users.  I pictured giving this talk in a nursing home to try to make the content as “friendly” as possible.

What types of things do you want users to know? I feel that education is the best medicine for information security, and by working with them and making it accessible will at least (hopefully) get them to stop and consider any actions that may have become habit.

This link is to the shared version of the talk, EVERYONE can edit and make changes.  My hope is, the “open” format will lead to some great feed back.  Unless someone deletes the whole thing, then I’ll get the hint.

Update: With a lot of amazing feedback from @fsamurai (web: http://www.freelancesamurai.com)  I have updated the talk  Here is the latest version (2.0). Also feel free to make changes or edits.

Feel free to use this talk, or modify it for your own purposes.  Getting the info out is what is important.

Thanks Everyone.

I recently re-established my Facebook page to reconnect with friends and stay in contact with family.  I didn’t have the account open for 2 weeks when I constantly saw posts about “Hackers will break into your account” or ” A hacker named Christopher Rosenqueist ate my Monitor”, and other nonsensical items that seemed to be scaring people into commenting or sharing it.

I quickly posted SocialMediaSecurity‘s “Facebook Privacy and Security Guide” to attempt to help my some of my non technical friends and family.  I also tried to stop the spread by commenting with factual information.

These “Hackerz stole my life” posts seem to be a version of  Fear Uncertainty and Doubt. (FUD).  By posting or sharing unverified “hacker” claims, FUD is being caused and propagates itself through the system.   Scaring people into spreading false information.  Crying Wolf, that’s what these posts are.   Stop and think, do you even care or notice when a car alarm goes off? Nope. Why? Its screaming for help. “I’m being broken into!!!!”  Enough false alarms and no one listens.

Update: “crying wolf” may be a bad analogy.  I understand most people are posting with sincere intentions and trying to help others.

Why are you boring me with this?

I wont any further, instead I will offer some of my tips to make your Facebook experience free from “Hackers”

1. Follow this guide.

2. Take ownership of the information, don’t just spread it.  If you see something that seems scary, use google, or ask your friendly Security professional/ IT Guy.  Learning how to spot these will allow you to help yourself and others.

3.  Take ownership of your account.  Follow good password guidelines.  AND DO NOT REUSE PASSWORDS, if your FB password is the same as your banking password, and your etrade account, and your email account, and…  then guess what? If a criminal gets one, you gave him keys to the castle.  Have “fifty Million” passwords, and can’t manage them? So does everyone else, stop fighting it and  let a password management program do it for you.

I tried to keep this short and to the point.  If you have any questions or need help with any of the programs listed. Please contact me.

Update 2.  Here is the FBI’s take on this.

TECHNIQUES USED BY FRAUDSTERS ON SOCIAL NETWORKING SITES

Fraudsters continue to hijack accounts on social networking sites and spread malicious software by using various techniques. One technique involves the use of spam to promote phishing sites, claiming there has been a violation of the terms of agreement or some other type of issue which needs to be resolved. Other spam entices users to download an application or view a video. Some spam appears to be sent from users’ “friends”, giving the perception of being legitimate. Once the user responds to the phishing site, downloads the application, or clicks on the video link, their computer, telephone or other digital device becomes infected.

Another technique used by fraudsters involves applications advertised on social networking sites, which appear legitimate; however, some of these applications install malicious code or rogue anti-virus software. Other malicious software gives the fraudsters access to your profile and personal information. These programs will automatically send messages to your “friends” list, instructing them to download the new application too.

Infected users are often unknowingly spreading additional malware by having infected websites posted on their webpage without their knowledge. Friends are then more apt to click on these sites since they appear to be endorsed by their contacts.

Tips on avoiding these tactics:

Those interested in becoming a user of a social networking site and/or current users are recommended to familiarize themselves with the site’s policies and procedures before encountering such a problem.

Each social networking site may have different procedures on how to handle a hijacked or infected account; therefore, you may want to reference their help or FAQ page for instructions.
Individuals who experienced such incidents are encouraged to file a complaint at www.IC3.gov reporting the incident.

ax0n

This document will reference his article A.LOT. I suggest you stop reading this (for now), and head directly to his article to familiarize yourself with it.

I am simply going to focus on OSX (Snow Leopard – 10.6). I wanted this to be available on my MacBook at the drop of a hat.

“So, uh…other than that, what’s the point of this ‘article’ ?” . Hmmm… great question. I better get started before you leave.

Note: I’m assuming you have met all of the hardware requirements in the h-i-r.net article.

Step 1: Flashing the Fon

Enable redboot! I used this guide. The problem however, is that once I had established the ssh connection to the Fon, I was unable to wget the files. Additionally, I was unable to ping anything external. I’m sure I was doing something wrong, and there is a simple fix (comment if there is). So what should I do now? I mean, stuck at the second step in the instructions? Fail. To correct the issue, Grab the files referenced in the instructions from here and here and while your at it grab this (you’ll need all of these files), launch a tftp server, unpack the files and place them in the tftp server directory. Then start server. (be sure to make note of the IP address ). I placed the files in a root dir called “tftp” this makes it a little easier when typing the path.

Enabling Redboot

Now that we have the files living in the tftp server dir, Launch a terminal, connect to the Fon via ssh and issue the following commands using the following syntax to grab the files (wget http://[ip.add.re.ss]/[dir]/[filename]):

root@OpenWrt:~# cd /tmp
root@OpenWrt:~# wget http://201.37.100.106/tftp/openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma 
root@OpenWrt:~# mtd -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7
root@OpenWrt:~# reboot

After the Fon comes back online, ssh back in and follow the remaining steps in the instructions to enable redboot.

root@OpenWrt:~# cd /tmp
root@OpenWrt:~# wget http://201.37.100.106/tftp/out.hex
root@OpenWrt:~# mtd -e "RedBoot config" write out.hex "RedBoot config"
root@OpenWrt:~# reboot

Once you get to the section “now your ready to flash”, you can stop. Those instructions follow a path we aren’t going to.

Installing the Jasager Firmware

Head over to digininja’s site and follow the instructions here “for firmware users”. I skipped the redboot.pl installation, as we already have redboot enabled and working. Download jasegar, unpack it and place it in your tftp dir. (if you didn’t do it earlier) The ONLY tricky part during the flash process is to be SURE you copy and paste the commands or triple check your typing. I mistakenly forgot to load vmlinux.bin.17.  It didn’t brick the Fon, but I was scared to reboot it.

RedBoot> fis init
About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-vmlinux.lzma
Using default protocol (TFTP)
Raw file loaded 0x80040400-0x801003ff, assumed entry at 0x80040400
RedBoot> fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.l7
 
< Wait for a while > note: This took about 2 minutes
 
... Erase from 0xa8030000-0xa80f0000: ............
... Program from 0x80040400-0x80100400 at 0xa8030000: ............
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-root.squashfs
Using default protocol (TFTP)
Raw file loaded 0x80040400-0x801e03ff, assumed entry at 0x80040400
RedBoot> fis create -l 0x6F0000 rootfs
 
< Wait for a long while > note: This took almost 15 minutes. Don’t panic. It’s working.
 
... Erase from 0xa80f0000-0xa87e0000: ...........
... Program from 0x80040400-0x801e0400 at 0xa80f0000: ..........................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
 
RedBoot> fconfig
Run script at boot: true
Boot script: 
Enter script, terminate with empty line
>> fis load -l vmlinux.bin.l7
>> exec
>> 
Boot script timeout (1000ms resolution): 2 (My default was 10)
Use BOOTP for network configuration: false
Gateway IP address: 
Local IP address: 192.168.1.1
Local IP address mask: 255.255.255.0
Default server IP address: 192.168.1.254
Console baud rate: 9600
GDB connection port: 9000
Force console for special debug messages: false
Network debug at boot time: false
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> reset
 
^]
telnet> Connection closed.
root@desktop ~ # 

Sweet!

The hard part is over. So what happens if you make a mistake in fconfig like
me? Type fconfig -n it will list all of the nicknames of the fields you can
change. The shell doesn’t know what delete is, and there are all sorts of redboot keyboard-fu you can use to control input. I found it easier to type at the reboot> fconfig field_name [input]. So for
example, if you accidentally entered 192.168.1.11 for the IP address. You could fix just that line by typing: fconfig boot_my_ip 192.168.1.1

Let the Fon reboot, make sure you can ping 192.168.1.1 after all the lights
look good, then open your browser and hit http://192.168.1.1:1471 .

The jasager interface *should* open. If it does not after a few minutes… try the following.

1. Make sure you are loading and executing vmlinux.bin.17 in fconfig
2. Reboot the Fon
3. Double and triple check fconfig.

If all else fails, repeat the process. I ended up flashing almost 10 times
due for various reasons, ranging from mistakes I made in the network config, to
the Fon not playing nice with DHCP. If you need to reflash, redboot is only
available for a few seconds while the fon device is booting. I hope your
SMB, 3-1 infinite guy timing is still there. Here is what I had to do to hit
the timing properly.

1. Remove power from Fon
2. Launch a terminal and start pinging 192.168.1.254
3. Launch another terminal and PREP a telnet session to 192.168.1.254 9000
4. The first reply you receive from ping, press enter on your telnet session
5. If it fails. Repeat process until you get it.

Now, head back to

part 1 of the h-i-r instructions and follow along starting with “tinker
time”

Step 2: Install the pWn

This is the easy part. Below are simply notes regarding the process.

Metasploit and Karma

This is the part where I point you back to h-i-r.net’s part 2 for the complete setup of this step. I was able to drop in the framework to my tools directory with no additional steps required. However, you may want to update ruby if you desire. Then Download karma.rc, put it in the root directory with the framework and we are in the home stretch to put this all together.

Head to part 2 of the h-i-r instructions. Follow from “Time to tweak stuff”. You will need to edit karma.rc before you run it.

Hamster and Ferret

Last files we need to grab are hamster and ferret.

I was having some trouble getting hamster and ferret to compile, even after installing xcode. Luckily, the binaries are compiled for us already . Download them and place them in a directory you will remember.

You will need to set your browsers proxy to 127.0.0.1:1234 to view the Hamster interface. Be sure you add an exception for your NIC’s ip address, so you can monitor Jasager as well.

You can now head back to ax0n’s work and button up the rest of the project.

Starting the entire process

Here are the steps I use when booting this rig.

1. Power on the Fon and connect it to your PC with an Ethernet cable.
2. Make sure Jasager is online and Karma is active. I opted to control its state, instead of automatically starting it.
3. Open a terminal and Launch Metasploit and Karma with> sudo ~./msfconsole -r karma.rc
4. Open another terminal and launch hamster with> sudo ~./hamster
5. Enable your proxy. Or use quickproxy for firefox to quickly enable.
6. Open the Jasager (192.168.1.1:1471) and hamster (127.0.0.1:1234) interfaces
7. Gratz ur l33+

Conclusion

While this guide wasn’t meant to be as comprehensive as the article it was based on. I hope you will find a quick reference for installing this on your Mac Box.

All the files referenced, I have zipped up and stashed them here. Comment with questions or hit me up via twitter