Dependancies

• Android Device running with an active Google Play install (to allow for application installs)
• A computer with the Android SDK running
• A Kindle Fire
• Beer*

Android Phone/Device Steps

1. Install the application you want to ALSO install on your Kindle Fire onto your Android phone or device.
2. Post Install, connect your phone/device to your computer
3. Use adb to pull the .apk file from your device onto your computer for install onto the kindle. Watch the video for steps on how to perform this

Kindle Installation Steps

1. Connect your Kindle Fire to your computer and make sure the SD Card mounts
2. Enable unknown sources:
1. Tap the “gear” by the wifi and battery icons,  tap settings, Device.
2. Slide on “Allow Installation of Applications (from unknown sources)”
3. Copy the newly obtained .apk from the root of your Android SDK directory (/Android/tools/ in my case)
4. Paste the .apk on your Kindle Fire’storage (Documents or Downloads for example)
5. Use a file explorer/manager installed from the Amazon app store to navigate to the directory you placed the .apk
6. Tap the .apk after it has been copied and install like normal (be sure you check permissions )

Thats it!

Enjoy playing Draw Something without rooting your device!

Recently I have been using my Jasager rig more and more that I built a few years back.  As I use it, I began to wonder… “I wonder if I could pair this with my n900 for ultimate pwnage…”  We all know what happens when hackers wonder… it happens.

TL;DR:

Supplies list:

1. Motorola Camera Connection Kit for MOTOROLA XOOM, Xyboard 10.2, Xyboard 8.2 (Motorola Retail Packaging) 89454N or something similar. I already had this cable laying around.

2. D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter Additionally you can try any of these, but I was able to use the E100 without issue.

3. A FON running Jasager (here is my write up on making it work)

4. Nokia n900 running the pwnie express image.  This is NOT a requirement, but all tools (Like metasploit) are confirmed working already.

Steps to getting the USB ethernet adapter working on the n900.

1. Plug your USB Host cable into the D-link DUB-e100, then patch it to the Fon.

2. Plug the mini USB end of the USB Host cable into your n900.

3. On the n900 open up h-e-n and select the following options.

• High Speed hostmode
• VBUS boost on
• Enumerate (as soon as you press this, you should have juice to your D-link)
• DO NOT CHOOSE MOUNT

Getting the Jasager  to work

• karma.rc should ideally live in the same directory that as your base msf install.
• hamster and ferret do not have any directory dependancies, so place them where you will remember.

2. Launch msfconsole and initiate karma.

This turned out to be the tricky part, mainly because I was unable to initiate ./msfconsole from a terminal. Here are the steps I did to create a new shortcut that would allow for us to call up karma.

All desktop shortcuts are created in the following directory: /usr/share/applications/hildon

List all the files within that directory, and looks like msfconsole.desktop shortcut is pointing to a msf_console.sh file. Checking out msf_console.sh, we see can see whats going on here.

To correct the issue, I just made a new msf_console.sh file and called it “msf_consolek.sh

Add in the changes and head over to /usr/share/applications/hildon and create a new desktop shortcut for launching metasploit with karma.

3. Open another root shell and initiate hamster (ferret tags along)

• [path]./hamster

To access the jasegar web interface from your n900, just point your browser to http://192.168.1.1:1471

To view hamster’sweb interface, just point your proxied browser  to http://127.0.0.1:1234

Gratz ur l33+ (again)

Edit: Looks like Infosecisland also picked this up, be sure to check it out here: http://www.infosecisland.com/videos-view/19101-Malware-Analysis-How-to-Decode-JavaScript-Obfuscation.html

Here are the books I am working through at the moment and their corresponding Evernote page:

• Metasploit: The Penetration Tester’s Guide
• Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
• The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws (2nd Edition)
• Gray Hat Python: Python Programming for Hackers and Reverse Engineers
• Social Engineering: The Art of Human Hacking

The above list is the current short term goal, and I will add books as I work through them on this entry.

Contact/Follow me on Twitter

Recently a friend rooted his Android device and asked “What should I install now?”

Here is a short list (Will clean it up, provide groupings and short descriptions later) that links to a public google docs spreadsheet.  Please add your favorite applications!

Click here to edit

README.winning!

I have split this guide into two sections.  The first section titled “Quick Version” is a simple set of steps to get this working on your phone.  All the work in the full version has already been completed by using the quick version.

The “Full Version” goes into process detail if you would like to perform all the steps or it may help if you get stuck at any time during the process.  This guide will continually be updated to include any feedback or changes.

Quick Version:

1. Download the complete set of files you need from here: http://l-lacker.com/bt5/BT5_ARM_Joined.zip Extract BT5.zip to your phones internal SDcard in a directory called “BT5″ (cAsE sEnSiTiVe)
2. Launch terminal emulator from your phone and type (everything after the $: or #: is user input):
   $: su
   #: cd sdcard
   #: cd BT5
   #: sh bootbt
3. While Backtrack is loaded (when you see a red “root@localhost“) start the VNC server by typing:root@localhost:~#: startvnc (stopvnc kills it)
4. Launch VNC (im using this)from your phone and point it at 127.0.0.1:5901 VNC pass: toortoor
5. Welcome to Backtrack on your Phone!

Full Version

1. Download a copy of Backtrack 5 for ARM from : http://www.backtrack-linux.org/downloads/ (Be nice and register)

Update!!!

Complete package files that you need to install on your phone can be found here: http://l-lacker.com/bt5/BT5_ARM_Joined.zip Instructions are included.

2. Extract and review the “README” file.

I have posted the readme file here for quick reference, and have just added my notes to during the process.     I urge you to read the official read me included with the release prior to reading the below with comments.  My notes are in bold.

I would HIGHLY recommend following busybox instructions for your specific rom.   Most of the time this means updating to the latest version, but that is not always the case.

The Vibrant comes with 16gig NON removable internal storage.  The phone mounts this as the “sdcard” and the external SD card is removable.  I will be using the internal mass storage device to install BT5.

Without wasting more time, onto the readme.

BackTrack 5 ARM Edition Quick Start
This image has been developed and tested on the Motorola Xoom.
Your mileage may vary on other devices. As this image runs in a chroot, you will need to have your device rooted. There are numerous tutorials on the subject online and are not included here.

***Rooting your device will potentially void its warranty and we are not in any way resposible if  you brick your device while rooting it.***

### IMPORTANT POINTS ###
1. Since the image runs in a chroot, there is no root password set.

2. There are 2 scripts under /usr/bin/ ‘startvnc’ and ‘stopvnc’ that are set to start with the Xoom’s default resolution.

Once Backtrack5 is running off your phones internal storage you will need to edit the scripts to match your phone or devices resolution.  In my case, the Vibrant uses 480×800.   Details on this step later in the instructions.

3. The current vnc password is set to ‘toortoor’ and can be changed by running ‘vncpasswd’

4. This image is a work in progress and suggestions/tips from the community are always welcome.

### GETTING STARTED ###

ADB is a  veristile tool when it comes to Android development and interacting with the device and while the below WILL indeed work, and is independent of any OS (assuming you have the Android SDK installed).  I felt it was overkill for this task and simply mounted my SDcard and moved the files through OSX finder.  I also made changes via another machine using Windows explorer.  Again, choose your comfort level, steps 1-5 are simply a means to an end. That end is getting the files onto your SDcard.

1. Once you have downloaded the ARM BT package, save the files in a convenient location. The steps below assume they are in the platform-tools folder of the Android SDK.

2. Go to your platform-tools directory and proceed to make a directory on the device to store BT5: ./adb shell mkdir /sdcard/BT5 exit

3. Copy over the busybox install files: ./adb push busybox /sdcard/ ./adb push installbusybox.sh /sdcard

4. Install busybox on the device: ./adb shell cd /sdcard/ sh installbusybox.sh exit

5. Transfer the required BT5 files to the device: ./adb push fsrw /sdcard/BT5/ ./adb push mountonly /sdcard/BT5/ ./adb push bootbt /sdcard/BT5/ ./adb push bt5.img.gz /sdcard/BT5/ ./adb push unionfs /sdcard/BT5/

6. Uncompress the image and start BT5: ./adb shell su cd /sdcard/BT5 gunzip bt5.img.gz sh bootbt

My internal SDcard is formated as FAT32 and this file system is “required” for the phone to interact with the contents on the sd card.  I have tried formating the internal card with EXT3, EXT4, exFAT and was greeted each time with a “Damaged SD card” message.
Because of this the installation stops when trying to extract the official bt5.img file from the ARM package as it ends up being >5 gigs.  Since there is a 4 gig file limitation on the FAT32  filesystem, we should just give up. Right?

Nope, Lets Try Harder.

I have tried splitting  the bt5.img and resembling on the device which obviously failed.  There is only one thing left to do….

Modify the bt5.img file to fit into 4 gigs.  What can we remove?

1. Looks like someone over at XDA had the same idea. Therefore,  I am going to revisit this section at a later day on how to manually create the image file.  I started the process, but decided in my end goal for this post was to have a working Backtrack 5 install on my Vibrant.
2. Since the heavy lifting is done, It’s time to grab the files (or contact me for a mirror) , join them together and place this file into the BT5 directory of our sdcard.
   To join the 3 files from the XDA post together, simply put them all in the same directory and use the cat command to join them: “cat bt.7z.* > bt.7z ”
3. Extract the joined bt.7z file
4. Rename bt.img to bt5.img and grab on that file and move it to your sd cards’s BT5 directory.

This is what you should end up with in your phones BT5 directory.

Starting BackTrack 5

Once all the files have been transfered, test the installation by trying to start Backtrack from terminal emulator.

Success!

If all goes well, you’ll be in the BT5 chroot:# sh bootbtnet.ipv4.ip_forward = 1root@localhost:/

# ls /pentest/backdoors  database   exploits   passwords  scanners stressing  voipcisco  enumeration  forensics  python     sniffers  tunneling  webroot@localhost:/#

3. ???? (or is this one profit?)

4. VNC

Here is the fun part, sure the shell is pretty to look at however I want a gui to interact with.

Note: Prior to starting the VNC server, you MUST perform this step to alter the screen resolution to match your device by modifying the /usr/bin/startvnc file.

If you do not alter the geometry you may encounter the error below.

I modified /usr/bin/startvnc by starting an SSH daemon on my phone and doing the work from a computer.

1. Start the VNC server running on the BT5 phone install.

2. Check the VNC log! BT5 is listening on 5901. Then click connect.

3. Welcome to Backtrack 5!

At the beginning of April  I tweeted: “Wouldn’t this just bring tears to your eyes if it was true? #metasploitonandroid http://twitpic.com/4hfqgz ” , and now its true. <tear>

Huge thanks to the backtrack team for providing an Android version of  Backtrack.  Great work!

Special thanks to : anantshri at XDA for the advice and doing the hard work of creating the image files so quickly.  Be sure to check out his other work.

This particular phishing email was different, as the site was still alive…

The email was fairly obvious that it was a hoax.  It contained all the ingredients for a classic bad phish; incorrectly addressing me, poor grammar (similar to most of my posts I suppose.) and asking me to update my credit card information.

What do?

I click the link “Your Account”, fully expecting to be greeted with a 404.  However,  I was presented with a Netflix logon page.

The URL reports that I am not at netflix but rather: http://badguy-netflix-thisisnottheactualsite.co.cc/log/index.php. – Strike 1

It behaves exactly like Netflix, I can log on (with arbitrary data) and it takes me right to the credit card update page which was a full page of form fields one right after another. – Strike 2

Upon validating that the site was working, I called Netflix and spoke to a supervisor.  His response to me saying “The site is active and collecting data.” was, “Just delete the email, you’ll be fine.”  I was half expecting this. – Strike 3

As I am gearing up to look into this a little further, I decide to simply drop the /log/index.php and see where it takes me. The result of that simple change revealed it was a clone of another domain that was hosted here in the US.

I hop on the cloned sites twin, and sure enough… adding /log/index.php to that domain (which will remain nameless for their privacy) took me directly to the fake NetFlix page.

I call the contact number on the page, ask to speak to the IT department and am told they only have a single computer and only one person knows how to use it.   I spoke with ‘the one’ and provide details regarding my findings. At this point they are growing nervous as to what exactly this means for them.  My suggestion is to contact their hosting provider  (and any security they have)and show them whats going on.

I leave my contact information and that was that.

So what happened?

I checked in on the site about an hour later and it was dead… both the clone and the legitimate sites directory were no longer hosting the malicious site.   WIN!

I get a call back about an hour later to inform me that the hosting company had taken removal steps and was now doing triage basically to figure out what happened.   They then followed up the next day to ask me if I could check to make sure it was no longer a problem.  After confirming I could no longer see anything (on the surface) that was malicious,  I was invited to come to their offices the next time I am in town. WINNING!

I’d like to point out that no tools what so ever were used to scan the site and no info gathering was done at all really.  A quick check is sometimes all you need to set the wheels in motion to solve bigger problems.

If you’re curious, the title of this post is from this which just popped in my head from my childhood when trying to come up with a title.

I will just detail the steps to get this working and what to do with the data once you have collected it.  I am using BackTrack 4 r2 within a Virtual Machine and an Alfa AWUS036H set at 30db.  You can skip step 2 if you are not using a virtual machine.

1. UPDATE BACKTRACK!!!

• root@bt:~# apt-get update && apt-get dist-upgrade
  • Let this complete, it may take upwards on 2-5 minutes depending on if its a fresh install.

2.  Plug in your Alfa, connect it to the VM and restart networking

• Connect the Alfa USB to the VM by performing the steps below. Additionally you can use the icon row at the bottom of VMware workstation to connect the device.  With Fusion, simply click Virtual Machine // USB // Connect Realtek [Model]

• Once the adapter is attached to the VM, restart networking… just to have a clean attachment.
  • root@bt:~# /etc/init.d/networking stop
  • root@bt:~# /etc/init.d/networking start
• Check that the adapter has been detected and is functioning  by checking iwconfig
  • root@bt:~# iwconfig
    • Determine what interface is associated with your Alfa (Realtek RTL8187) chipset.
    • root@bt:~# airmon-ng
    • In my example we are going to use: wlan0 (zero)

3.  Update Kismet

• Grab the latest version from  http://www.kismetwireless.net/download.shtml and install it. Be sure to review ALL documentation here.
  • root@bt:~# wget https://www.kismetwireless.net/code/kismet-2011-03-R2.tar.gz  (or whatever the latest version is)
  • root@bt:~# tar xvfz kismet-2011-03-R2.tar.gz
  • root@bt:~# cd kismet-2011-03-R2
  • root@bt:~/kismet-2011-03-R2# ./configure
  • root@bt:~/kismet-2011-03-R2# make install (this may take upwards of 5 – 10 minutes)

4. Start Kismet

• Be sure to read the kismet help file for all available switches. I am purposely NOT using -c to specify an interface.
  • root@bt:~# kismet
  • Note: If you are not going to use GPS, edit your kismet.conf file and tell it you are not going to.
    • root@bt:~# vi /usr/local/etc/kismet.conf
    • Edit the line: Do we have a GPS? to say “gps=false”
  • Helpful navigation tips. [TAB] moves selection. [`] Brings up menu items,  arrow and enter keys allow interaction between items.

Select your interface preference . I chose [ Yes]

• After choosing interface options, you will be ‘reminded’ that kismet is running as root.  Be sure to determine the risk before answering.

• Choose if you would like to start the kismet server.  Kismet runs in a client/server configuration. More details here. Note, once you start the server, a number of files will be generated and placed on your desktop. (Assuming you started kismet within that directory)  Do not delete these files, they are the logs of the captures.

• Select [ YES ] to add an interface for raw capture.

• Enter the interface you are going to use (from step 2) and enter any options or name and select [ Add ]



• An error about dhclient looking at the adapter you have chosen will appear if you have not stopped the service.  To stop it specifically for your wireless adapter, just look at the open files and kill the dhclient service attached to wlan0.
  • root@bt:~# lsof | grep wlan0
  • root@bt:~# kill -9 [PSID]

• To view the traffic Kismet is seeing, you will need to close the console. (Don’t worry, you can get it back if you need)

• The Kismet menu system can be engaged by pressing the [`]or [~] and then use the arrow keys to navigate.

• To interact with the visible networks, head over to the sort menu and select your sorting preference.  I chose [ type ] for this example. You can select the network you want more details about by navigating to it and pressing enter.

5. Reviewing Captures

Now Kismet has been capturing data, how can we look at it?

• You should have 5 files (depending on your switches and options you may end up with more or less.

1. 1. Kismet-[ date/time].netxml
   2. Kismet-[date/time].gpsxml
   3. Kismet-[date/time].alert
   4. Kismet-[date/time].nettxt
   5. Kismet-[date/time].pcapdump

• To view the .netxml file in excel, simply rename and drop the [net].

• Then simply import the .xml file into excel.
• In excel 2010, I was only able to open the data in read only mode.



• To view uptime in days,  for the AP’s.  Josh Wright has provided a nice formula we can use.
• Apply: =U[cell]/(1000000 * (60 * 60 * 24)) to the “/bsstimestamp column.
  • Example: =U70/(1000000*(60*60*24))
  • Row 76 becomes 77, where row 77 contains the time in Days in the last column.

Wrap up

There are many ways to view and capture data with Kismet, using xplico plus the .pcap could prove useful.  I have only scratched the surface of what is possible.  The purpose of this post wasn’t to include every possible combination, but to get you up and running quickly using kismet and reviewing the data just as fast.
Twitter

What is SecurityFail’s purpose you ask? Since you want everything handed to you, here you go from the site:

The purpose of this site is to document security failures in various technologies. Users are encouraged to submit stories and articles detailing how various technologies have failed you in terms of security. Using embedded systems as an example, we’d like to highlight issues such as:

We want vendors of embedded systems to:

• FORCE the user to select the password
• Allow users to disable protocols
• Only enable secure management protocols by default (HTTPS, SSH)

We want ISPs to:

• Block inbound port 80 on user subnets
• Manage customer devices properly and implement security

This is a great way to raise awareness and shed light on many of the problems embedded systems have.   As time permits, I have plans for a couple more articles for the site.  Keep watching!

root@bt:/# iwconfig

lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11bg  ESSID:off/any

Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm

Retry  long limit:7   RTS thr:off   Fragment thr:off

Encryption key:off

Power Management:off

20 dBM = 100 MillWatts according to this calculator.

To increase power and get the advertised 1000mW perform the following steps.
Note: This process works in a Virtual Machine OR on a physical machine.

1. Diable the adapter

2. set the power (by changing the region code to alter the TX/RX power levels to work at the appropriate power levels for your country. ) Note: be sure you choose YOUR country. The below is a warning from the aircrack-ng page regarding these changes.

- Be sure to use this guide to set your CORRECT Country Regulatory Domain.

- Setting the wrong Reg Domain could probably break the Law in your Country.

3. Enable the adapter

4. Check it!

Process below:

root@bt:/# ifconfig wlan0 down
root@bt:/# iw reg set US
root@bt:/# airmon-ng start wlan0

Interface       Chipset         Driver
wlan0           RTL8187         rtl8187 – [phy5]
(monitor mode enabled on mon0)

root@bt:/# iwconfig wlan0

wlan0     IEEE 802.11bg  ESSID:off/any
Mode:Managed  Access Point: Not-Associated   Tx-Power=30 dBm
Retry  long limit:7   RTS thr:off   Fragment thr:off
Encryption key:off
Power Management:off

If you head back to the dBm to mW calculator it will tell you that 30dBm  1000 mW.  Success.

I can not take credit for the above, I simply put it here for my own notes to reference in the future.  For more information and further reading check out the aircrack-ng forums.

Update: You will have to perform these steps each time you power on your VM or physical device.  You can toss the below script in your init.d dir so you wont need to remember.  Again, not my work, just placing here for quick reference.

#!/bin/bash
##iw reg set <your-country-code>
iw reg set <insert-your-country-code-here-in-CAPITAL-LETERS>All country codes are in ‘CAPITAL LETTERS’

save & close text editer

then put it in the /etc/init.d/ directory.

So in a terminal enter
sudo cp ~/Desktop/setwirelesscountrycode.sh /etc/init.d/
Then make the file you created executable.e.g.
sudo chmod +x /etc/init.d/setwirelesscountrycode.sh To set it to run on startup
sudo update-rc.d /etc/init.d/setwirelesscountrycode.sh defaults note ‘defaults’ puts a link to start ‘/etc/init.d/setwirelesscountrycode.sh’ in run levels 2, 3, 4 and 5. and puts a link to stop ‘/etc/init.d/setwirelesscountrycode.sh’ into run levels 0, 1 and 6.