README.winning!

I have split this guide into two sections.  The first section titled “Quick Version” is a simple set of steps to get this working on your phone.  All the work in the full version has already been completed by using the quick version.

The “Full Version” goes into process detail if you would like to perform all the steps or it may help if you get stuck at any time during the process.  This guide will continually be updated to include any feedback or changes.

Quick Version:

1. Download the complete set of files you need from here: http://l-lacker.com/bt5/BT5_ARM_Joined.zip Extract BT5.zip to your phones internal SDcard in a directory called “BT5″ (cAsE sEnSiTiVe)
2. Launch terminal emulator from your phone and type (everything after the $: or #: is user input):
   $: su
   #: cd sdcard
   #: cd BT5
   #: sh bootbt
3. While Backtrack is loaded (when you see a red “root@localhost“) start the VNC server by typing:root@localhost:~#: startvnc (stopvnc kills it)
4. Launch VNC (im using this)from your phone and point it at 127.0.0.1:5901 VNC pass: toortoor
5. Welcome to Backtrack on your Phone!

Full Version

1. Download a copy of Backtrack 5 for ARM from : http://www.backtrack-linux.org/downloads/ (Be nice and register)

Update!!!

Complete package files that you need to install on your phone can be found here: http://l-lacker.com/bt5/BT5_ARM_Joined.zip Instructions are included.

2. Extract and review the “README” file.

I have posted the readme file here for quick reference, and have just added my notes to during the process.     I urge you to read the official read me included with the release prior to reading the below with comments.  My notes are in bold.

I would HIGHLY recommend following busybox instructions for your specific rom.   Most of the time this means updating to the latest version, but that is not always the case.

The Vibrant comes with 16gig NON removable internal storage.  The phone mounts this as the “sdcard” and the external SD card is removable.  I will be using the internal mass storage device to install BT5.

Without wasting more time, onto the readme.

BackTrack 5 ARM Edition Quick Start
This image has been developed and tested on the Motorola Xoom.
Your mileage may vary on other devices. As this image runs in a chroot, you will need to have your device rooted. There are numerous tutorials on the subject online and are not included here.

***Rooting your device will potentially void its warranty and we are not in any way resposible if  you brick your device while rooting it.***

### IMPORTANT POINTS ###
1. Since the image runs in a chroot, there is no root password set.

2. There are 2 scripts under /usr/bin/ ‘startvnc’ and ‘stopvnc’ that are set to start with the Xoom’s default resolution.

Once Backtrack5 is running off your phones internal storage you will need to edit the scripts to match your phone or devices resolution.  In my case, the Vibrant uses 480×800.   Details on this step later in the instructions.

3. The current vnc password is set to ‘toortoor’ and can be changed by running ‘vncpasswd’

4. This image is a work in progress and suggestions/tips from the community are always welcome.

### GETTING STARTED ###

ADB is a  veristile tool when it comes to Android development and interacting with the device and while the below WILL indeed work, and is independent of any OS (assuming you have the Android SDK installed).  I felt it was overkill for this task and simply mounted my SDcard and moved the files through OSX finder.  I also made changes via another machine using Windows explorer.  Again, choose your comfort level, steps 1-5 are simply a means to an end. That end is getting the files onto your SDcard.

1. Once you have downloaded the ARM BT package, save the files in a convenient location. The steps below assume they are in the platform-tools folder of the Android SDK.

2. Go to your platform-tools directory and proceed to make a directory on the device to store BT5: ./adb shell mkdir /sdcard/BT5 exit

3. Copy over the busybox install files: ./adb push busybox /sdcard/ ./adb push installbusybox.sh /sdcard

4. Install busybox on the device: ./adb shell cd /sdcard/ sh installbusybox.sh exit

5. Transfer the required BT5 files to the device: ./adb push fsrw /sdcard/BT5/ ./adb push mountonly /sdcard/BT5/ ./adb push bootbt /sdcard/BT5/ ./adb push bt5.img.gz /sdcard/BT5/ ./adb push unionfs /sdcard/BT5/

6. Uncompress the image and start BT5: ./adb shell su cd /sdcard/BT5 gunzip bt5.img.gz sh bootbt

My internal SDcard is formated as FAT32 and this file system is “required” for the phone to interact with the contents on the sd card.  I have tried formating the internal card with EXT3, EXT4, exFAT and was greeted each time with a “Damaged SD card” message.
Because of this the installation stops when trying to extract the official bt5.img file from the ARM package as it ends up being >5 gigs.  Since there is a 4 gig file limitation on the FAT32  filesystem, we should just give up. Right?

Nope, Lets Try Harder.

I have tried splitting  the bt5.img and resembling on the device which obviously failed.  There is only one thing left to do….

Modify the bt5.img file to fit into 4 gigs.  What can we remove?

1. Looks like someone over at XDA had the same idea. Therefore,  I am going to revisit this section at a later day on how to manually create the image file.  I started the process, but decided in my end goal for this post was to have a working Backtrack 5 install on my Vibrant.
2. Since the heavy lifting is done, It’s time to grab the files (or contact me for a mirror) , join them together and place this file into the BT5 directory of our sdcard.
   To join the 3 files from the XDA post together, simply put them all in the same directory and use the cat command to join them: “cat bt.7z.* > bt.7z ”
3. Extract the joined bt.7z file
4. Rename bt.img to bt5.img and grab on that file and move it to your sd cards’s BT5 directory.

This is what you should end up with in your phones BT5 directory.

Starting BackTrack 5

Once all the files have been transfered, test the installation by trying to start Backtrack from terminal emulator.

Success!

If all goes well, you’ll be in the BT5 chroot:# sh bootbtnet.ipv4.ip_forward = 1root@localhost:/

# ls /pentest/backdoors  database   exploits   passwords  scanners stressing  voipcisco  enumeration  forensics  python     sniffers  tunneling  webroot@localhost:/#

3. ???? (or is this one profit?)

4. VNC

Here is the fun part, sure the shell is pretty to look at however I want a gui to interact with.

Note: Prior to starting the VNC server, you MUST perform this step to alter the screen resolution to match your device by modifying the /usr/bin/startvnc file.

If you do not alter the geometry you may encounter the error below.

I modified /usr/bin/startvnc by starting an SSH daemon on my phone and doing the work from a computer.

1. Start the VNC server running on the BT5 phone install.

2. Check the VNC log! BT5 is listening on 5901. Then click connect.

3. Welcome to Backtrack 5!

At the beginning of April  I tweeted: “Wouldn’t this just bring tears to your eyes if it was true? #metasploitonandroid http://twitpic.com/4hfqgz ” , and now its true. <tear>

Huge thanks to the backtrack team for providing an Android version of  Backtrack.  Great work!

Special thanks to : anantshri at XDA for the advice and doing the hard work of creating the image files so quickly.  Be sure to check out his other work.

Here is what I used for the research.

1. Samsung Galaxy S (Vibrant) on the T-mobile network. This device has been “rooted”, using the method documented here on XDA.

2. A copy of Root Explorer. This allows you to browse the entire Android File system from your device.  Requires root, but also gives you access to everything a traditional “root” account would. It also has a handy little SQLite DB viewer.

3. A copy of ShootMe. Screen shot app.

Both apps above are dependent on step one being complete. A few other notes, I have two additional updates, non stock rom apps  on this device.

1. Altered startup/shutdown animations.

2. The tether app, from the international Galaxy S (9000).

Both apps require root, and are not standard APK’s.  Therefore they must be flashed using clockwork or the bootloader.

I also used the Android SDK and screencast to do some of the searching from the comforts of my laptop. [Update]. I switched to VNC for remote admin of this device.

Part 1

Android Filesystem and the /data folder

I didn’t set out to create a multipart post, but the deeper down the rabbit hole I went, it became apparent that there was a lot of ground to cover.  In Part 1, I am going to lay out the filesystem and the files that live in the largest directory. The /data dir.

Here is what the Android filesystem directory structure looks like. I am using busybox via the Android Terminal emulator app.

# ls -al
drwxr-xr-x   21 0        0                0 Sep 23 06:57 .
drwxr-xr-x   21 0        0                0 Sep 23 06:57 ..
drwxr-xr-x    2 0        0                0 Jun 22 11:03 .info
drwxrwx—    1 1000     2001             0 Sep 23 06:58 cache
dr-x——    2 0        0                0 Sep 23 06:57 config
drwxrwx–x    1 1000     1000             0 Sep 23 06:57 data
drwxrwx–x    1 1000     1000             0 Sep 23 06:57 data_tmo
drwxrwx–x    1 1000     1000             0 Sep 23 06:57 dbdata
-rwxr-xr-x    1 0        0              117 Jun 22 10:44 default.prop
drwxr-xr-x   10 0        0            13540 Sep 23 06:57 dev
drwxrwx–x    1 1001     1001             0 Sep 23 06:57 efs
lrwxrwxrwx    1 0        0               10 Jun 22 11:03 etc -> system/etc
-rwxr-xr-x    1 0        0             2237 Jun 22 10:44 fota.rc
lrwxrwxrwx    1 0        0                9 Jun 22 11:03 init -> sbin/init
-rwxr-xr-x    1 0        0            24482 Jun 22 10:58 init.rc
-rwxr-xr-x    1 0        0              444 Jun 22 10:44 init.smdkc110.rc
-rwxr-xr-x    1 0        0              335 Jun 22 10:44 init.smdkc110.sh
drwxr-xr-x    3 0        0                0 Jun 22 11:03 lib
-rwxr-xr-x    1 0        0              727 Jun 22 10:44 lpm.rc
drwxr-xr-x    3 0        0                0 Jun 22 11:03 mnt
dr-xr-xr-x  112 0        0                0 Jan  1  1970 proc
-rwxr-xr-x    1 0        0             1143 Jun 22 10:44 recovery.rc
drwxr-xr-x    3 0        0                0 Jun 22 11:03 res
drwxr-xr-x    3 0        0                0 Jun 22 11:03 sbin
drwxrwxr-x   55 1000     1015         32768 Sep 23 07:00 sdcard
drwxrwxrwt    2 0        0               40 Sep 23 15:32 sqlite_stmt_journals
drwxr-xr-x   12 0        0                0 Jan  1  1970 sys
drwxr-xr-x    1 0        0                0 Sep 23 06:57 system
-rwxr-xr-x    1 0        0              154 Jun 22 10:44 system.prop
drwxr-xr-x    3 0        0                0 Jun 22 11:03 tmp
drwxrwx–x    2 1000     1000             0 Sep 23 06:57 userdata

A quick search for databases on the root gave me more hits than I could parse through.   I decided to search in each directory for a more simplified view.

There were still so many just in the data directory, that I have removed entries like the XKCD, Onion and similar apps.  Cached .db’s are also not included.  I wanted to keep this to what seemed “juicy”.  Maybe in another post, I can review those to see what applications are giving up.

$ export PATH=/data/local/bin:$PATH
$su
# find /data -name *.db
/data/data/com.android.providers.userdictionary/databases/user_dict.db
/data/data/com.google.android.talk/databases/suggestions.db
/data/data/com.google.android.providers.settings/databases/googlesettings.db
/data/data/com.layar/databases/layar.db
/data/data/com.android.providers.security/databases/policies.db
/data/data/com.android.providers.telephony/nwk_info.db
/data/data/com.android.providers.telephony/optable.db
/data/data/com.google.android.providers.subscribedfeeds/databases/subscribedfeeds.db
/data/data/com.sec.android.providers.downloads/databases/sisodownloads.db
/data/data/com.google.android.youtube/databases/history.db
/data/data/com.android.email/databases/EmailProvider.db
/data/data/com.android.email/databases/EmailProviderBody.db
/data/data/com.android.email/databases/webview.db
/data/data/com.android.htmlviewer/databases/webview.db
/data/data/com.android.globalsearch/databases/shortcuts-log.db
/data/data/com.android.providers.drm/databases/drm.db
/data/data/com.google.android.voicesearch/databases/webview.db
/data/data/com.android.bluetooth/databases/btopp.db
/data/data/com.sec.android.app.callsetting/databases/rejectmessage.db
/data/data/com.sec.android.app.callsetting/databases/autoreject.db
/data/data/com.twitter.android/databases/twitter.db
/data/data/com.facebook.katana/databases/fb.db
/data/data/com.google.android.apps.googlevoice/databases/model.db
/data/data/com.google.android.apps.googlevoice/databases/shadowmappings.db
/data/data/com.google.android.apps.googlevoice/databases/server_settings.db
/data/data/com.dropbox.android/databases/db.db
/data/data/com.tweetdeck.app/databases/webview.db
/data/data/org.connectbot/databases/webview.db
/data/data/com.ebay.mobile/databases/webview.db
/data/system/accounts.db

Awesome.  Time to head over to Root explorer and see what the data says.   I will post all finding in the google docs spreadsheet embedded below.

In part 2, I hope to cover the remaining databases and what lies within.  Hopefully we wont find anything worse that we already have.

The guys over at viaForensics have a pretty nice application to talk to some of the databases. However, it is no longer available to the public. I am going to *attempt* to leverage Googles App Inventor to automate much of this process, or maybe spit out an .apk to see what can be extracted from both rooted and non rooted devices.

First up from:

Thursday, September 16, 2010 at 10:00 AM
- to -
Friday, September 17, 2010 at 4:00 PM (CT)

Is the first anual Cyber-RAID event.

What is Cyber-RAID you ask?

The Kansas City InfraGard program is hosting a two day cyber event which pits systems and security professionals from the community against each other in a live cyber attack on a replicated commercial network.  This event will specifically focus on managing and protecting this existing “commercial” network infrastructure from a live cyber attack. Since the exercise network is hosted on a private managed network that is not on the Internet, production data and systems are not at risk.

Register here: http://cyberraid.eventbrite.com/?ref=ecount
Note: We need RED Team members!!!

Next up we have SecuityBsidesKC which begins at 10:00am on Friday September 17th and runs through until 5:00pm that night.  I’ve never been at a BSides event, or a Security Con for that matter, but I think it would be safe to assume it will run past 5pm.

Look at the current lineup for speakers, this is shaping up to be a pretty amazing/can’t miss line up.

Call for presenters is still open, so please submit any talks.  There will be barcamp style talk acceptance after the scheduled speakers.

Again, I can’t wait for september to get here so I can sponge knowledge off of people like @ax0n, @hevnsnt, @surbo, @jur1st and @davehull, and im sure there are more that I simply don’t know what their twitter accounts are

This morning I awake to find an envelope taped to my front door. It was blank, and I briefly peek around and see that the rest of the neighborhood has the same thing waiting.

I go ahead and open it, expecting to find a local resident selling mowing, painting or any other service but find something slightly different. Close, but different. In part below:

“Neighbors:

Since we don’t have a homeowners association everyone has done their own thing in regards to trash removal. I thought it would be nice to have one garbage truck come through each week instead of three so I contacted [REDACTED] who I was inquiring about a special.  I have attached their letter….

… If everyone thinks this is a good idea we can all have matching barrels put out at one time per week…

…Again, we dont have an association, but we can all act together if we choose. Their number is on the attached paper if you would like to use them.”

Ok, so whats the problem you ask? Well nothing really, I think it was a nice gesture, and think he was just trying to help his fellow neighbor.

HERE is the problem.

On the “Attached paper” was a browser printout of an email that was sent to his gmail account.  He made an effort to hide his gmail address and thats about it.  The nice little feature gmail provides to show the last account activity was in plain view.  The IP address was in tact.

Being the curious minded person I am, I couldn’t help myself and put in the IP into my browser. Bingo. “Welcome to Windows Small Business Server 2003″

I’d better close it right away… nah, Of COURSE I clicked on “Remote Web Workplace” and of COURSE I got:

“The site’s security certificate is not trusted!”

and of COURSE I was in a VM and so on and so for and moved forward. I was presented with a company name, and a logon prompt.  So a quick tally of what we have so far.

I have his full name, IP address of a machine I know he used, probably was logged into the SBS web desktop. I have his address (duh), place of employment and the phone number and address of his work place.  Oh well.

What I DON’T have

I dont have HIS email address, remember he redacted it.  I NEED that email address now, so when I call him I can send him an email as well.

This was an easy one, the “Attached paper” had the persons name, phone number and email that he contacted about a special. I had all the info I needed to just socially engineer my neighbors email address out of them.  I called the number and received the front desk.  I was informed the person I needed was out, but she could help me. She could take my name and number and get back to me. Stop.  That wasn’t really going to work for this little experiment.  I simply gave her some more details, like the my neighbors name and guess what. She has access to the mailbox that contained the email address.  After helping her troubleshoot a bit, she gave it to me without hesitation, and I even asked her to spell it again and asked if I couldn’t reach him by email If I could call her back because she has been “so helpful and really got me out of a pickle”. Another win for me . FAIL for them. They mindlessly handed out information about another customer.

Additionally, all of his gmail labels were in view on the print out. Pretty organized too, I know his church, hobbies and the fact he uses his gmail for work, Well, I’m assuming thats what the “Work” label meant. Wow. This is awesome.

What was the point of even bothering with this?

To help educate my neighbor that something seemingly harmless could have been bad.

I have contacted him, but haven’t heard back.  I will update this post as soon as I do.  Remember, own your information folks.

Update:  I spoke to my neighbor and he was very thankful that I wasn’t malicious. I think he understood why it was a bad idea, and mentioned “you got all of this from a note on your door about trash…different world we live in”  Protecting people, one neighbor at a time.

Beginning Less than a year ago,

I decided it was time to stop being defined by the job I was doing, I noticed I was on the path of complacency and wanted to belong to an area I have always been an outsider looking in on. Information Security.  I am no stranger to technology, and have had a strong passion for anything related to it for as long as I can remember. I just lacked focus…

Jump

When I finally made the decision shift focus to InfoSec it was scary to say the least.  The more I learn, the less I know. Not only that, but I realized this was a close community with a solid history and more talented people that I could ever imagine.  I felt like it was my first day in prison (disclaimer: I’ve never been to prison) and I felt like I needed to make a name for myself.  Each passing day I was trying to draw comparisons between an existing community with years and years of experience to what I was doing.   I hope I caught that mistake in time, that could have been bad.

Slow Down

Frickin’ Newb, Its only been 8 months…ish.  In that time, I obtained a  C|EH, completed Offensive Security PWB 101 training (No OSCP, on attempt 2) [Update: I passed the OSCP exam in May of 2010], visited my local hackerspace a handful of times ( I recommend doing the same) . I joined Infragard, ISSA and OWASP.  No, I’m not trying to be a braggart, and no, I don’t think this is the path to 1337ness. It served me two purposes really.  First it was an attempt to learn and surround myself with people that built the very community I am trying to get into.  Secondly, It was a good way to test the waters.

Welcome to the Thunderdome

Have you guys seen what you have built? The security community is amazing.  I wont get into a naming of names, but the twitter users alone are not only impressive but if you follow the right people you could socially engineer yourself into an InfoSec job just by regurgitating tweets.  Podcasts? Yeah, you got em.  Need Videos?  There are too many security video sites to count. Cons. Nuff said. I am going to make an effort to hit as many of these cons as possible this year.  Finally,  Blogs? 0_O

Going Forward

I always hear, “give back to the infosec community”, and that is something I plan on doing.  I don’t have much to offer at this point. Writing isn’t my strong suit (<<Captain Obvious) and podcasts from a noobs perspective (hmm catchy) would be a waste of everyone’s time.  I decided the best thing I can do, for myself and the community is to STFU and learn.  The last thing “we” (ducks) need is a wreckless wannabe. I have no idea where I fit in, and its better that way.   I have a long way to go, but the journey so far has been worth the jump.  I only wished I made it 10 years ago.

twitter

I recently re-established my Facebook page to reconnect with friends and stay in contact with family.  I didn’t have the account open for 2 weeks when I constantly saw posts about “Hackers will break into your account” or ” A hacker named Christopher Rosenqueist ate my Monitor”, and other nonsensical items that seemed to be scaring people into commenting or sharing it.

I quickly posted SocialMediaSecurity‘s “Facebook Privacy and Security Guide” to attempt to help my some of my non technical friends and family.  I also tried to stop the spread by commenting with factual information.

These “Hackerz stole my life” posts seem to be a version of  Fear Uncertainty and Doubt. (FUD).  By posting or sharing unverified “hacker” claims, FUD is being caused and propagates itself through the system.   Scaring people into spreading false information.  Crying Wolf, that’s what these posts are.   Stop and think, do you even care or notice when a car alarm goes off? Nope. Why? Its screaming for help. “I’m being broken into!!!!”  Enough false alarms and no one listens.

Update: “crying wolf” may be a bad analogy.  I understand most people are posting with sincere intentions and trying to help others.

Why are you boring me with this?

I wont any further, instead I will offer some of my tips to make your Facebook experience free from “Hackers”

1. Follow this guide.

2. Take ownership of the information, don’t just spread it.  If you see something that seems scary, use google, or ask your friendly Security professional/ IT Guy.  Learning how to spot these will allow you to help yourself and others.

3.  Take ownership of your account.  Follow good password guidelines.  AND DO NOT REUSE PASSWORDS, if your FB password is the same as your banking password, and your etrade account, and your email account, and…  then guess what? If a criminal gets one, you gave him keys to the castle.  Have “fifty Million” passwords, and can’t manage them? So does everyone else, stop fighting it and  let a password management program do it for you.

I tried to keep this short and to the point.  If you have any questions or need help with any of the programs listed. Please contact me.

Update 2.  Here is the FBI’s take on this.

TECHNIQUES USED BY FRAUDSTERS ON SOCIAL NETWORKING SITES

Fraudsters continue to hijack accounts on social networking sites and spread malicious software by using various techniques. One technique involves the use of spam to promote phishing sites, claiming there has been a violation of the terms of agreement or some other type of issue which needs to be resolved. Other spam entices users to download an application or view a video. Some spam appears to be sent from users’ “friends”, giving the perception of being legitimate. Once the user responds to the phishing site, downloads the application, or clicks on the video link, their computer, telephone or other digital device becomes infected.

Another technique used by fraudsters involves applications advertised on social networking sites, which appear legitimate; however, some of these applications install malicious code or rogue anti-virus software. Other malicious software gives the fraudsters access to your profile and personal information. These programs will automatically send messages to your “friends” list, instructing them to download the new application too.

Infected users are often unknowingly spreading additional malware by having infected websites posted on their webpage without their knowledge. Friends are then more apt to click on these sites since they appear to be endorsed by their contacts.

Tips on avoiding these tactics:

Those interested in becoming a user of a social networking site and/or current users are recommended to familiarize themselves with the site’s policies and procedures before encountering such a problem.

Each social networking site may have different procedures on how to handle a hijacked or infected account; therefore, you may want to reference their help or FAQ page for instructions.
Individuals who experienced such incidents are encouraged to file a complaint at www.IC3.gov reporting the incident.