<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Phenotyne</title>
	<atom:link href="http://www.phenotyne.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.phenotyne.com</link>
	<description>Silence on the Line</description>
	<lastBuildDate>Thu, 10 Nov 2011 05:18:08 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Funding drive for UAVForge</title>
		<link>http://www.phenotyne.com/2011/08/funding-drive-for-uavforge/</link>
		<comments>http://www.phenotyne.com/2011/08/funding-drive-for-uavforge/#comments</comments>
		<pubDate>Tue, 09 Aug 2011 17:00:19 +0000</pubDate>
		<dc:creator>Ph3n0</dc:creator>
				<category><![CDATA[General Blog]]></category>

		<guid isPermaLink="false">http://www.phenotyne.com/?p=138</guid>
		<description><![CDATA[Hey everyone, looks like we will be competing in the UAVForge competition, please help us get there by checking out our fund raiser.]]></description>
			<content:encoded><![CDATA[<p>Hey everyone, looks like we will be competing in the UAVForge competition, please help us get there by checking out our fund raiser.</p>
<p><iframe src="http://www.indiegogo.com/project/widget/37573?a=217808" frameborder="1" scrolling="no" width="210px" height="400px"></iframe></p>
]]></content:encoded>
			<wfw:commentRss>http://www.phenotyne.com/2011/08/funding-drive-for-uavforge/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Backtrack 5 on the Optimus 2x/G2x</title>
		<link>http://www.phenotyne.com/2011/05/backtrack-5-on-the-optimus-2xg2x/</link>
		<comments>http://www.phenotyne.com/2011/05/backtrack-5-on-the-optimus-2xg2x/#comments</comments>
		<pubDate>Tue, 24 May 2011 01:24:14 +0000</pubDate>
		<dc:creator>Ph3n0</dc:creator>
				<category><![CDATA[Android]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[android]]></category>
		<category><![CDATA[Backtrack]]></category>
		<category><![CDATA[BT5]]></category>
		<category><![CDATA[g2x]]></category>
		<category><![CDATA[LG]]></category>
		<category><![CDATA[Optimus]]></category>
		<category><![CDATA[t-mobile]]></category>

		<guid isPermaLink="false">http://www.phenotyne.com/?p=125</guid>
		<description><![CDATA[After reading about the Optimus 2x back in December I felt like I had to wait forever to actually get my hands on one. We finally got it here in the states from T-mobile as the G2x device. Sadly this phone is lacking a bit on ram, but is one of the first phones we [...]]]></description>
			<content:encoded><![CDATA[<p>After reading about the Optimus 2x back in December I felt like I had to wait forever to actually get my hands on one.  We finally got it here in the states from T-mobile as the G2x device. Sadly this phone is lacking a bit on ram, but is one of the first phones we can get with a dual core processor. I am not going to sit here and spout stats, that is what google is for, I will just say it is a nice phone.</p>
<p>Honestly getting a chroot environment of Backtrack running on the phone is a pretty simple and straightforward task. I am not going to wow you with any magic here. If you are familiar with the Linux operating system this will be a walk in the park. I will say I tend to be lazy, and I am operating on a Mac half the time, so some steps might be a little different. Also you will need to root your phone, and it would probably be smart to install a ROM manager so you can back up the phone before you get started. I used <a href="http://forum.xda-developers.com/showthread.php?t=803682">SuperOneClick</a> to root mine and it worked like a charm. Also you can use SSH if you install an app, the adb shell, or a straight terminal app if you really want. The Superuser app will also install busybox, which you will need for some steps.</p>
<p>First thing I started with is partitioning the SD card for the device. As I talked about in my other blog post (<a href="http://www.phenotyne.com/2011/05/gentoo-on-an-android-part-1/">Gentoo on the Android</a>), the way the phone handles the card is a bit odd, and there are several ways to partition it. This time I did it the lazy man&#8217;s way and pulled the card out of the phone. You can do it on the phone, but I had some data I didn&#8217;t want to lose, and there is not an easy non-destructive partitioning system on the phone.  </p>
<p>So I pulled the MicroSD card, dropped it into an SD adapter, and put that in a USB adapter I had. I used the live iso of gparted, and just booted that up in a VM. Gparted saw the card instantly, and cranked out my partition table with ease. I was using a 16g card. The phone can probably use the ext2/3 file system for app storage, but I didn&#8217;t feel like messing with it, so left the partition the phone was using as a vfat. You will need to make yourself a fairly large ext2 or 3 partition for the BT5 image to sit on. You are going to be mounting the image itself so you are probably wondering why you can&#8217;t just drop it on the vfat and mount from there. Well size matters (as if you didn&#8217;t know), and the vfat will not support the uncompressed BT5 img file. I also put a SWAP partition on there, with this phone being so limited on RAM. The uncompressed image file comes out to right at 5.3 gig, so make sure you make your partition big enough to handle it and modifications you might make.</p>
<p>Once gparted finishes writing your partition table you can shut it down and throw the microsd back into your phone. Start up the phone and it should initialize the card and give you a message at the top once it is done. I will take a second here to make sure you understand the mounting and storage method LG used with this phone. I am pretty sure this isn&#8217;t completely standard among other Android devices because I have seen others complain about it. Your phone has storage built into it that is non removable, and the operating system sees it as an SD card also. You will actually see it mounted as /mnt/sdcard in the operating system when you take a look. The removable card is mounted at /mnt/sdcard/_ExternalSD whenever you look at it from the file system perspective. Odd and confusing I know. To make things even clearer they use device ID numbers too. So to find your removable SD card take a look and see what is mounted to /mnt/sdcard/_ExternalSD.</p>
<p><img src="http://www.phenotyne.com/wp-content/uploads/2011/05/mountsd.png" alt="mountsd.png" border="0" width="1024" height="36" /></p>
<p>So there is the card mounted just like I said, and you can see the device is actually the device ID. So you have to find it in /dev/block.</p>
<p><img src="http://www.phenotyne.com/wp-content/uploads/2011/05/blocks.png" alt="blocks.png" border="0" width="467" height="88" /></p>
<p>You can see the vfat on the external card is mounted at 179:17. So in my case the ext3 hosting my BT5 image is actually partition 4. You will need to format the new partition, please double check your partitions, you can just use an fdisk print. I will have little sympathy for you if you don&#8217;t double check your layout structure before you format the card. </p>
<blockquote><pre>mke2fs -j /dev/block/mmcblk1p4</pre>
</blockquote>
<p>You will have to change the rootfs over to rewritable to make some directories in /mnt. You can actually do it with the &#8216;adb shell sysrw&#8217; command or you can just remount it from the cli:</p>
<blockquote><pre>mount -o rw,remount -t sysfs / /</pre>
</blockquote>
<p>Then I make my directory to mount my new ext3 partition. You can make it whatever you want, I made mine /mnt/extsd4 just so it was a bit more descriptive for me. The system mount command has issues with ext3, so use the busybox version:</p>
<blockquote><pre>busybox mount -t ext3 /dev/block/mmcblk1p4 /mnt/extsd4</pre>
</blockquote>
<p>Now we have to get the files over. I took the first layer of compression (the 7z) off before transferring files over thinking it would be faster. So I was left with the bt5.img.gz. It is about 1.2gig and takes some time to move over. I thought the &#8216;adb push&#8217; would be the fastest, but honestly it is about the same as the sftp over wifi. Once you get the file over you have to gunzip it, holy crap take a nap or get some coffee. I didn&#8217;t actually time it, but it was the better part of an hour. And the file explodes from 1.2gig to 5.2gig in that time. I honestly don&#8217;t know what would be faster, doing that on the phone or transferring that massive image. So once it is inflated we now have our image we can mount. We are going to actually modify the bootbt file that is in there so that we can start it and drop straight to shell.  Instead of showing you everything I changed I am going to post mine. You can just edit as necessary. </p>
<blockquote><pre># Refuse to run unless we are root (5th byte of "uid=0(root)" is the uid digit)
perm=$(id|cut -b 5)

if [ "$perm" != "0" ];then echo "This Script Needs Root! Type : su";exit 1;fi

# Make the rootfs writable so the mount point can be created under /mnt
mount -o remount,rw -t sysfs / /
# kit = directory holding bt5.img on the ext3 partition, mnt = chroot mount point
export kit=/mnt/extsd4/BT5
export bin=/system/bin
export mnt=/mnt/BT5
mkdir -p $mnt
export PATH=$bin:/usr/bin:/usr/local/bin:/usr/sbin:/bin:/usr/local/sbin:/usr/games:$PATH
export TERM=linux
export HOME=/root
# Create the loop device node if it is missing (block major 7, minor 2 = loop2)
if [ -b /dev/loop2 ]; then
        echo "Loop device exists"
else
        busybox mknod /dev/loop2 b 7 2
fi
# Loop-mount the image, then the pseudo file systems the chroot needs
busybox mount -o loop,noatime -t ext2 $kit/bt5.img $mnt
busybox mount -t devpts devpts $mnt/dev/pts
busybox mount -t proc proc $mnt/proc
busybox mount -t sysfs sysfs $mnt/sys
busybox sysctl -w net.ipv4.ip_forward=1
# Give the chroot a resolver and a hosts entry
echo "nameserver 8.8.8.8" > $mnt/etc/resolv.conf
echo "127.0.0.1 localhost bt5" > $mnt/etc/hosts
# Drop into BackTrack; everything below runs after you exit that shell
busybox chroot $mnt /bin/bash

echo "Shutting down BackTrack ARM For G2x"
umount $mnt/dev/pts
umount $mnt/proc
umount $mnt/sys
umount $mnt</pre>
</blockquote>
<p>TADA! You should now be in the chrooted Backtrack 5 environment!</p>
<p>I am sure I have forgotten something along the way, but that should be a quick little starter. If you have any issues then please post them in the comments and I will do my best to answer them.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.phenotyne.com/2011/05/backtrack-5-on-the-optimus-2xg2x/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Gentoo on an Android Part 1</title>
		<link>http://www.phenotyne.com/2011/05/gentoo-on-an-android-part-1/</link>
		<comments>http://www.phenotyne.com/2011/05/gentoo-on-an-android-part-1/#comments</comments>
		<pubDate>Wed, 04 May 2011 17:00:15 +0000</pubDate>
		<dc:creator>Ph3n0</dc:creator>
				<category><![CDATA[Android]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[g2x]]></category>
		<category><![CDATA[gentoo]]></category>
		<category><![CDATA[Metasploit]]></category>
		<category><![CDATA[t-mobile]]></category>

		<guid isPermaLink="false">http://www.phenotyne.com/?p=108</guid>
		<description><![CDATA[So I actually moved from the iPhone to the Android. What lured me away was the Optimus 2x, which in the US is running on T-Mobile as the G2x. You can obviously google all the specs, but the dual core gave me hope of doing a little more with it than I could do with [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.phenotyne.com/wp-content/uploads/2011/05/g2x.jpg"><img class="alignnone size-full wp-image-109" title="g2x" src="http://www.phenotyne.com/wp-content/uploads/2011/05/g2x.jpg" alt="" width="320" height="214" /></a></p>
<p>So I actually moved from the iPhone to the Android. What lured me away was the Optimus 2x, which in the US is running on T-Mobile as the G2x. You can obviously google all the specs, but the dual core gave me hope of doing a little more with it than I could do with the iPhone. One of the first things I really wanted to get running was the Metasploit Framework. As odd as it is, there is not a Ruby environment that runs on the Android that is capable of this (unlike the iPhone that has been running it since version 1). So instead of messing with Framework and Ruby to get it to work I decided to see if I could just set up Gentoo in a chroot.</p>
<p>So here we go. . . First thing we need to do is root the device. Obviously you should know what you are doing here, and warranty issues, blah blah blah. . .<br />
I used <a href="http://forum.xda-developers.com/showthread.php?t=1039985">SuperOneClick</a>, and I will mention I am on the Mac, and it went off without an issue. The link is to the Windows version, with the Linux/Mac version at the bottom.</p>
<p>So that is done, now we are going to install <a href="https://market.android.com/details?id=com.koushikdutta.rommanager&#038;hl=en">ROM Manager</a> for two reasons. It will back up your ROM, and if you are lazy, it will partition your SD card for you. Here is a video I found that actually walks you through the partitioning. You will want to do the second way, in case you can&#8217;t figure that out.</p>
<p><iframe width="560" height="349" src="http://www.youtube.com/embed/M3RMJdpfHIc" frameborder="0" allowfullscreen></iframe></p>
<p>So we have our phone rooted, we have our <strong>removable</strong> card partitioned. I bold removable because the way the G2x works with storage is a bit odd. The phone has internal storage that is mounted as an SD card too. So we will get into that in a second. Now we have to get access to the shell. You can actually do all this via a terminal app if you want, although that would be a pain. I actually started off using the <a href="http://developer.android.com/sdk/index.html">Android SDK</a> and specifically the adb tool that will start a shell. Then I actually just installed an SSH server from the app store, to make life even easier.</p>
<p>So we get into shell, su to root, and take a look at the system. It all works pretty much the way you would think that it would, but this is where I noticed the SD card mount was a bit odd.</p>
<blockquote><p><code>/dev/block/vold/179:17 /mnt/sdcard/_ExternalSD vfat rw,dirsync, nosuid, nodev, noexec, noatime, uid=1000, gid=1015, fmask=0002, dmask=0002, allow_utime=0020, codepage=cp437, iocharset=iso8859-1, shortname=mixed, utf8, errors=remount-ro 0 0 </code></p></blockquote>
<p>So you will notice the mount is actually under the sdcard mount, and also it calls it by device number instead of the traditional structure. You can get a bit clearer picture with this:</p>
<blockquote><p><code>brw------- root     root     179,  19 2011-05-03 01:12 mmcblk1p3<br />
brw------- root     root     179,  18 2011-05-03 01:12 mmcblk1p2<br />
brw------- root     root     179,  17 2011-05-03 01:12 mmcblk1p1<br />
brw------- root     root     179,  16 2011-05-03 01:12 mmcblk1</code></p></blockquote>
<p>So we can see the card is currently mounted as a vfat and it is 179:17 which is mmcblk1p1. So what we can do to make sure everything is there is do an fdisk print of the device:</p>
<blockquote><p><code>Disk /dev/block/mmcblk1: 15.9 GB, 15931539456 bytes<br />
255 heads, 63 sectors/track, 1936 cylinders<br />
Units = cylinders of 16065 * 512 = 8225280 bytes</p>
<p>              Device Boot      Start         End      Blocks  Id System<br />
/dev/block/mmcblk1p1               1        1432    11496093+  c Win95 FAT32 (LBA)<br />
/dev/block/mmcblk1p2            1432        1930     4000000  83 Linux<br />
/dev/block/mmcblk1p3            1930        1937       62050  82 Linux swap </code></p></blockquote>
<p>There is my Linux partition, good ol 83. So I did a quick </p>
<blockquote><p><code><strong>mke2fs -j /dev/block/mmcblk1p2</strong></code></p></blockquote>
<p>Now the root file system is read only, so I changed that so I could mount the partition directly.</p>
<blockquote><p><code><strong>mount -o rw,remount -t sysfs / /</strong></code></p></blockquote>
<p>Then made the mount point that I like</p>
<blockquote><p><code><strong>mkdir /mnt/gentoo</strong></code></p></blockquote>
<p>Mounted the partition I just made</p>
<blockquote><p><code><strong>mount /dev/block/mmcblk1p2 /mnt/gentoo</strong></code></p></blockquote>
<p>So if you are familiar with Gentoo that has your storage setup. You can actually pretty much continue on with the standard documentation from. There are some other things that I will show you in part 2 on the install if for some reason you get stuck somewhere. </p>
<p><strong>OH, DO NOT START SSHD IN CHROOT YET</strong><br />
You have to go in and make a change to the /etc/sshd_config and change the <strong>AddressFamily</strong> value to <strong>inet</strong>. If set to AddressFamily all or not set at all, it will kill the phone and force a reboot when you try to start up the SSHd service.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.phenotyne.com/2011/05/gentoo-on-an-android-part-1/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Return from Shmoocon 2011</title>
		<link>http://www.phenotyne.com/2011/02/return-from-shmoocon-2011/</link>
		<comments>http://www.phenotyne.com/2011/02/return-from-shmoocon-2011/#comments</comments>
		<pubDate>Tue, 01 Feb 2011 23:37:10 +0000</pubDate>
		<dc:creator>Ph3n0</dc:creator>
				<category><![CDATA[Cons]]></category>

		<guid isPermaLink="false">http://www.phenotyne.com/?p=89</guid>
		<description><![CDATA[Yes, I just totally ripped off their header for that pic, haha. I have finally recouped from the weekend in DC for Shmoocon. Shmoocon is always a great time, sure people may bitch about ticket sales, not like a talk or two, but it is hard to complain about the people that make it there [...]]]></description>
			<content:encoded><![CDATA[<p><img alt="" src="http://www.shmoocon.org/img/header.png" title="Shmoocon" class="alignnone" width="850" height="250" /></p>
<p>Yes, I just totally ripped off their header for that pic, haha.</p>
<p>I have finally recouped from the weekend in DC for Shmoocon.  Shmoocon is always a great time, sure people may bitch about ticket sales, not like a talk or two, but it is hard to complain about the people that make it there and the time you get to spend with each other. I was fortunate enough to get a ticket in round one, then receive another one for a paper I submitted to the con. </p>
<p>The most concerning thing about this year is when we landed in DCA it was snowing pretty bad, and the flashbacks of last year started.  Compared to most people I had it easy last year, but the idea of another ceiling caving in, or trying to make the drive back to IAD airport was enough to make me think Defcon and Shmoocon should really think about swapping time tables.</p>
<p>The conference overall was a great time.  There were a few less talks this year that I was excited about, but that was quickly replaced by the sheer amount of people on my twitter feed that were in attendance at the con. There were some great talks using printers as an attack vector, and a few too many talks about the Android.  </p>
<p>Overall such a great weekend! Shmoocon is always fun and makes you excited about trying new things.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.phenotyne.com/2011/02/return-from-shmoocon-2011/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Nessus Bridge for Metasploit by Zate</title>
		<link>http://www.phenotyne.com/2010/09/nessus-bridge-for-metasploit-by-zate/</link>
		<comments>http://www.phenotyne.com/2010/09/nessus-bridge-for-metasploit-by-zate/#comments</comments>
		<pubDate>Tue, 28 Sep 2010 18:19:55 +0000</pubDate>
		<dc:creator>Ph3n0</dc:creator>
				<category><![CDATA[Tools]]></category>
		<category><![CDATA[nessus]]></category>
		<category><![CDATA[netasploit]]></category>
		<category><![CDATA[Ruby]]></category>
		<category><![CDATA[zate]]></category>

		<guid isPermaLink="false">http://www.phenotyne.com/2010/09/nessus-bridge-for-metasploit-by-zate/</guid>
		<description><![CDATA[It is always nice when someone goes out of their way in helping me be lazy.  I never really complained much about it before, because I would look like a total arse, but thankfully Zate has fixed one of my biggest gripes.  He has actually moved the Nessus interface inside of Metasploit.  Now with just [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.phenotyne.com/wp-content/uploads/2010/09/lovemn.jpg"><img title="lovemn" width="244" style="display: inline; border: 0px;" src="http://www.phenotyne.com/wp-content/uploads/2010/09/lovemn_thumb.jpg" border="0" alt="lovemn" height="184" /></a></p>
<p>It is always nice when someone goes out of their way in helping me be lazy.  I never really complained much about it before, because I would look like a total arse, but thankfully <a href="http://blog.zate.org/">Zate</a> has fixed one of my biggest gripes.  He has actually moved the Nessus interface inside of Metasploit.  Now with just a couple of ruby scripts you can have full control of Nessus with auto import all handled from the cli of Metasploit.  Here is <a href="http://blog.zate.org/2010/09/26/nessus-bridge-for-metasploit-intro/">Part 1</a>, <a href="http://blog.zate.org/2010/09/26/nessus-bridge-for-metasploit-generic-commands-2/">Part 2</a>, and <a href="http://blog.zate.org/2010/09/27/nessus-bridge-for-metasploit-report-commands/">Part 3</a> of making it all work together.</p>
<p>Thanks man, I know I joke, but we all really appreciate this!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.phenotyne.com/2010/09/nessus-bridge-for-metasploit-by-zate/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cheat Sheets</title>
		<link>http://www.phenotyne.com/2010/09/cheat-sheets/</link>
		<comments>http://www.phenotyne.com/2010/09/cheat-sheets/#comments</comments>
		<pubDate>Wed, 22 Sep 2010 21:46:07 +0000</pubDate>
		<dc:creator>Ph3n0</dc:creator>
				<category><![CDATA[Tools]]></category>
		<category><![CDATA[cheat]]></category>
		<category><![CDATA[cheets]]></category>
		<category><![CDATA[gem]]></category>
		<category><![CDATA[Ruby]]></category>
		<category><![CDATA[wiki]]></category>

		<guid isPermaLink="false">http://www.phenotyne.com/?p=71</guid>
		<description><![CDATA[Saw this on Twitter and thought it was just too handy to not pass on to some of you. Get started: $ sudo gem install cheat $ cheat strftime A magnificent cheat sheet for Ruby&#8217;s strftime method will be printed to your terminal. To get some help on cheat itself: $ cheat cheat How meta. [...]]]></description>
			<content:encoded><![CDATA[<p>Saw this on Twitter and thought it was just too handy to not pass on to some of you. </p>
<p><cite>
<p>Get started:</p>
<blockquote><p>$ sudo gem install cheat</p></blockquote>
<blockquote><p>$ cheat strftime</p></blockquote>
<p>A magnificent cheat sheet for Ruby&#8217;s strftime method will be printed to your terminal.</p>
<p>To get some help on cheat itself:</p>
<blockquote><p>$ cheat cheat</p></blockquote>
<p>How meta.</p>
<p>Cheat sheets are basically wiki pages accessible from the command line. You can browse, add, or edit cheat sheets. Try to keep them concise. For a style guide, check out the cheat cheat sheet.</p>
<p>To access a cheat sheet, simply pass the program the desired sheet&#8217;s name:</p>
<blockquote><p>$ cheat &#8216;sheet name&#8217;</p></blockquote>
<p></cite></p>
<p>(via <a href="http://cheat.errtheblog.com/">errtheblog</a>)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.phenotyne.com/2010/09/cheat-sheets/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Return from Defcon 18</title>
		<link>http://www.phenotyne.com/2010/08/return-from-defcon-18/</link>
		<comments>http://www.phenotyne.com/2010/08/return-from-defcon-18/#comments</comments>
		<pubDate>Mon, 02 Aug 2010 15:06:06 +0000</pubDate>
		<dc:creator>Ph3n0</dc:creator>
				<category><![CDATA[General Blog]]></category>
		<category><![CDATA[Defcon]]></category>
		<category><![CDATA[The Hangover]]></category>
		<category><![CDATA[Vegas]]></category>

		<guid isPermaLink="false">http://www.phenotyne.com/?p=39</guid>
		<description><![CDATA[Haha, there is the official receipt for Defcon 18 for all of those needing to expense it. Overall I had a great time at Defcon, really no thanks to the actual conference. I will start with saying they need to learn a LOT from Shmoocon! I understand the idea of not wanting to deal with [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.phenotyne.com/wp-content/uploads/2010/08/Defcon18.png" alt="Defcon18.png" border="0" width="363" height="470" /></p>
<p>Haha, there is the official receipt for Defcon 18 for all of those needing to expense it.  Overall I had a great time at Defcon, really no thanks to the actual conference.  </p>
<p>I will start with saying they need to learn a LOT from Shmoocon!  I understand the idea of not wanting to deal with credit card or prepaying for tickets, and you can claim privacy, but it just doesn&#8217;t work anymore.  When a thousand people more show up at a conference than you planned for then things go downhill quickly!</p>
<p>The talks were actually just so-so.  I really wasn&#8217;t impressed with many of them, most of the stuff honestly just seemed like a rehash of things from two years ago mixed with other stuff that has already been presented on.  </p>
<p>Now the saving grace, the parties! Wow, and let me tell you, there are some companies and  groups that know how to throw a party.  I felt like I was living out <a href="http://www.imdb.com/title/tt1119646/">The Hangover</a>!  </p>
<p>Overall I had a lot of fun, but if I had to choose between Shmoocon or Defcon in the future, Shmoo would win hands down.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.phenotyne.com/2010/08/return-from-defcon-18/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Serial via USB in OS X</title>
		<link>http://www.phenotyne.com/2010/03/serial-via-usb-in-os-x/</link>
		<comments>http://www.phenotyne.com/2010/03/serial-via-usb-in-os-x/#comments</comments>
		<pubDate>Wed, 10 Mar 2010 02:44:11 +0000</pubDate>
		<dc:creator>Ph3n0</dc:creator>
				<category><![CDATA[OS X]]></category>
		<category><![CDATA[Mac]]></category>
		<category><![CDATA[MCS7720]]></category>
		<category><![CDATA[RS232]]></category>
		<category><![CDATA[Snow Leopard]]></category>
		<category><![CDATA[USB]]></category>
		<category><![CDATA[USB-2925]]></category>

		<guid isPermaLink="false">http://www.phenotyne.com/?p=31</guid>
		<description><![CDATA[So I went to rebuild a Cisco router the other day, but didn&#8217;t have a freaking serial port anywhere to drop the config! So I ran down to Fry&#8217;s to get a USB-to-Serial adapter. Looking online there are several options, at the actual store I only had two/three to choose from. So I ended up [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.phenotyne.com/wp-content/uploads/2010/03/USB-2925.jpg" alt="USB-2925.jpg" border="0" width="223" height="425" /></p>
<p>So I went to rebuild a Cisco router the other day, but didn&#8217;t have a freaking serial port anywhere to drop the config!  So I ran down to <a href="http://www.frys.com/">Fry&#8217;s</a> to get a USB-to-Serial adapter.  Looking online there are several options, at the actual store I only had two/three to choose from.  So I ended up with that ugly thing up above, mostly because even though I will PROBABLY never need dual rs232 ports, there might be that day that I need two (and it was only $1 more!).  So that ugly thing up above is the <a href="http://www.cablesunlimited.com/products/Prod_Individual3.aspx?groupcode=I3595">USB-2925</a> from Cables Unlimited. The BIG problem is that, according to their website (which contradicts the package), it only works on Mac OS 10.0-10.3! OUCH! But we can find a way around this, cause if not this write up would be worthless <img src='http://www.phenotyne.com/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> </p>
<p>The USB-2925 uses the Moschip <a href="http://www.moschip.com/mcs7720_downloads.php">MCS7720</a>, which has drivers for OS X.  The only problem is the drivers are for 10.4, but they worked for me just fine in 10.6.2 (Snow Leopard).  You do have to do the install followed by the restart, but after that take a look:</p>
<blockquote><pre>$ ls /dev/tty.*
/dev/tty.Bluetooth-Modem        /dev/tty.USB-Serial0.0
/dev/tty.Bluetooth-PDA-Sync     /dev/tty.USB-Serial1.1</pre>
</blockquote>
<p>After that you can use the <em>screen</em> command to work with the connection as found in <a href="http://www.tigoe.net/pcomp/resources/archives/avr/000749.shtml">this guide</a>.</p>
<p>Here is a copy of the drivers if you need them: <a href="http://www.phenotyne.com/wp-content/uploads/2010/03/MCS7720DRV_MAC10.X.zip" title="MCS7720DRV_MAC10.X.zip">MCS7720DRV_MAC10.X.zip</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.phenotyne.com/2010/03/serial-via-usb-in-os-x/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Dradis on OS X</title>
		<link>http://www.phenotyne.com/2010/02/dradis-on-os-x/</link>
		<comments>http://www.phenotyne.com/2010/02/dradis-on-os-x/#comments</comments>
		<pubDate>Wed, 24 Feb 2010 22:50:47 +0000</pubDate>
		<dc:creator>Ph3n0</dc:creator>
				<category><![CDATA[Tools]]></category>
		<category><![CDATA[Dradis]]></category>
		<category><![CDATA[Mac]]></category>
		<category><![CDATA[Metasploit Unleashed]]></category>
		<category><![CDATA[OS X]]></category>
		<category><![CDATA[Ruby]]></category>

		<guid isPermaLink="false">http://www.phenotyne.com/?p=22</guid>
		<description><![CDATA[So another stumbling block that is fairly small I found while trying out Metasploit Unleashed was the install of The Dradis Framework. The problem with OS X is some of the things, like Ruby, are a bit older. Not to mention the version shipped with OS X has some other problems. So I suggest taking [...]]]></description>
			<content:encoded><![CDATA[<p>So another stumbling block that is fairly small I found while trying out <a href="http://www.offensive-security.com/metasploit-unleashed/#">Metasploit Unleashed</a> was the install of <a href="http://dradisframework.org/">The Dradis Framework</a>.</p>
<p>The problem with OS X is some of the things, like Ruby, are a bit older.  Not to mention the version shipped with OS X has some other problems.  So I suggest taking the easy way and installing <a href="http://www.macports.org/">MacPorts</a>.  Once installed a few commands will have Ruby, Gems, and supporting plugins ready for you.</p>
<p>To get Ruby installed it is just: </p>
<blockquote><h5>sudo port install ruby<br />sudo port install rb-rubygems</h5>
</blockquote>
<p>To finish up everything you need for Dradis, install the Gems as follows:</p>
<blockquote><h5>sudo gem install rails rake capistrano capistrano-ext libxml-ruby mongrel hpricot sqlite3-ruby</h5>
</blockquote>
<p>After all that is done you need to just reset and migrate the database.  This can be done by going to the Dradis directory in shell and issuing the following:</p>
<blockquote><h5>rake db:migrate<br />rake dradis:reset</h5>
</blockquote>
<p>This should have everything you need to get Dradis up and going on OS X.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.phenotyne.com/2010/02/dradis-on-os-x/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Metasploit Unleashed on OS X</title>
		<link>http://www.phenotyne.com/2010/02/metasploit-unleashed-running-on-os-x/</link>
		<comments>http://www.phenotyne.com/2010/02/metasploit-unleashed-running-on-os-x/#comments</comments>
		<pubDate>Thu, 18 Feb 2010 19:32:08 +0000</pubDate>
		<dc:creator>Ph3n0</dc:creator>
				<category><![CDATA[VMs]]></category>
		<category><![CDATA[Metasploit]]></category>
		<category><![CDATA[Offensive Security]]></category>
		<category><![CDATA[OS X]]></category>
		<category><![CDATA[unzip]]></category>
		<category><![CDATA[Virtual PC]]></category>
		<category><![CDATA[Virtualbox]]></category>
		<category><![CDATA[VMware]]></category>

		<guid isPermaLink="false">http://www.phenotyne.com/?p=18</guid>
		<description><![CDATA[So I was taking a look at a blog the other day by Andrew Waite and saw him talk about a great little tutorial on Metasploit by the guys at Offensive Security. Being that half of the things I know I learned on my own and not in a formal learning environment, I thought it [...]]]></description>
			<content:encoded><![CDATA[<p>So I was taking a look at a blog the other day by <a href="http://blog.infosanity.co.uk/2009/10/12/virtual-lab-machines/">Andrew Waite</a> and saw him talk about a great little tutorial on <a href="http://www.metasploit.com/">Metasploit</a> by the guys at <a href="http://www.offensive-security.com/metasploit-unleashed/#">Offensive Security</a>.  Being that half of the things I know I learned on my own and not in a formal learning environment, I thought it would be a great review and that I might learn something new along the way.  The only problem is that I use a Mac, and some of this stuff became a stumbling block, so this is how I got through it.</p>
<p>One of the main problems with the Mac and using VMs is that the main two programs (VMware and Parallels) are not free.  In Windows you can get the VMware player and converter for free, but not in OS X.  So I use <a href="http://www.virtualbox.org/">VirtualBox</a> for all of my VM needs.  Sure, it might be missing some bells and whistles, but it works well for what I do, and it seems a bit faster than the other two.</p>
<p>The first thing they have you do in the tutorial is set up Ubuntu.  That step is very easy: you download the zip, expand it to a directory, then mount the HD image in VirtualBox.  Set up a new machine, make sure to use the HD from a SCSI/SATA interface, and you&#8217;re ready to go.  Once it is up, you mount the CD image they have you download for Samba and you&#8217;re set.</p>
<p>The Windows XP image is actually where I had problems.  They have you download an XP VM that is cut up into four different zip files.  It turns out that OS X doesn&#8217;t handle divvied up zip files (such as .zip, .z01, .z02).  One method I found was to actually &#8216;cat&#8217; the files together, then tell zip to fix the headers, then unzip it.  I unfortunately couldn&#8217;t get that one to work, so I sadly resorted to an XP virtual machine that I already had, mounted the directory as a shared folder and used WinRAR to uncompress it.  Once you have the virtual hard drive file (which is in Virtual PC format), VirtualBox can actually just mount it and use it just fine.  I left it as an IDE device on the new VM setup and it seems to work just fine.  Once it is up, you should install the VirtualBox Tools.  The &#8216;local security options&#8217; are going to keep you from installing the drivers.  So to change that, go to Control Panel &gt; Administrative Tools &gt; Local Security Settings &gt; Local Policies &gt; Security Options &gt; Devices: Unsigned driver installation behavior.  Once you drill all of that down you can change it to &#8216;Warn but allow install&#8217;.</p>
<p>You now have your two VMs ready to go; all you need is Metasploit installed on your Mac.  You can find several ways to do that via Google or on the actual Metasploit page.  One of the easiest is probably to use MacPorts, but I like to maintain the most up-to-date plugins and exploits, so I use Subversion.</p>
<p>This should have you pretty much up and running for the whole tutorial.  If any more stumbling blocks are encountered, I will make sure to update this.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.phenotyne.com/2010/02/metasploit-unleashed-running-on-os-x/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

