Posts Tagged ‘Hack’

BackTrack 5 in chroot on Android

March 22, 2012 14 comments

I just did something that I still can’t quite believe. I got BackTrack 5 running on my Android phone (a Driod Incredible 2) and tablet (Nook Tablet). Not only that, I can’t believe how easy it was!

Although there is an ARM port of BackTrack (most Android devices use ARM processors), it probably won’t just boot up natively on your phone. But a couple of users on XDA-Developers came up with a convenient script to automate starting BackTrack 5 on Android in a chroot environment, and shrunk the BackTrack image file to make it small enough to fit on a FAT32 partition (the standard BackTrack ARM image is larger than the 4GB single-file limit). This allows BackTrack to run alongside the existing Android system, which I think is actually better than running BackTrack natively since you can still use your phone as a phone when you’re done with BackTrack.

I’m running Cyanogenmod 7 on both devices, and as far as I can tell, this should work as advertised for any CM7 installation that mounts the external SD card as /sdcard. If you aren’t running Cyanogenmod, or your SD card doesn’t mount as /sdcard, your milage may vary. First, a couple of caveats. You must:

*Be rooted
*Have a proper busybox install
*Be able to “su” from the command line
Have a terminal program installed
*Have ext2 support (use “cat /proc/filesystems” at a superuser command
prompt – you should see ext2 listed)
Have a VNC viewer installed
Be connected to a WiFi network (BackTrack won’t see a cellular data
connection as a valid network device)

The items with stars above should come along for the ride by running Cyanogenmod 7. I had previously installed a terminal program (the cleverly named “Terminal Emulator”) and was connected to a WiFi network, so my prep time was about two minutes to find a VNC viewer (the equally well-named androidVNC).

The only hard part was getting the BackTrack 5 files. The original thread from XDA-Developers is here with additional background here. I was only able to get one of the mirror sites to work. If you can’t get any of the mirrors to work, try googling for the filename –

Once you have the file, decompress it to get the bt5 folder out. It should be about 3.25 gigs. Copy that to your SD card. Open your terminal and type the following:

cd /sdcard/bt5
sh bt

Backtrack should start up and ask you if you want to start a VNC server. Once past that, you are at BackTrack’s command line. You can run command line tools (like Metasploit’s MSF Console) from here, or SSH to it from another system on the network. Even better than that, if you answered yes to the VNC server, you can use the VNC client on your phone or on another system to connect to the Gnome desktop session (address:, port: 5901, user and password are root – change the address as needed for external connections). It couldn’t be much more simple than that.

Categories: Network Tags: , , ,

All attacks are APT

April 4, 2011 Leave a comment

I really wonder if RSA isn’t shooting themselves in the foot with their PR strategy surrounding the breach of their network. As far as I can tell, their plan is to blind everyone with useless (but possibly interesting) details while hoping that no one notices that they haven’t disclosed any information that anyone can actually use.

Let’s look at the information that went out initially. On March 17th, RSA sent a letter to SecurID customers, informing them that RSA had been hacked. However, the only information included other than the fact that the breach centered on the SecurID product was a list of recommendations that could have been written by a student going through a SANS 401 class:

  • Enforce strong password policy
  • Increase focus on social media security
  • Re-educate employees
  • Pay attention to your SIEM
  • Harden and monitor critical systems
  • Examine helpdesk practices for social engineering weaknesses
  • Apply patches and updates

Oh…thanks. That really helps folks who are afraid their SecurID tokens now provide as much security as double-ROT13 encoding. Based on the lack of information to help evaluate the risk level, I’m sure many organizations have begun making plans to move away from SecureID (including one organization described by Allen Paller as “one of the largest US defense contractors”).

Maybe RSA will fix this with a follow-up announcement, letting everyone know that they have nothing to fear? They did release a second announcement (almost two weeks later), but I’m not sure it was any more helpful or reassuring than the first.

In a post titled “Anatomy of an Attack“, RSA laid out some of the technical details of the intrusion. The first stage is described in great detail. An attacker sent phishing emails containing a trojanized Excel file with an embedded Flash 0-day exploit. A user opened the file, allowing the attacker to install a copy of Poison Ivy in reverse connect mode.

This unfortunate user is described as being part of a group that was not high profile or high value. But later in the post, the attackers are described as needing more access and getting access to user, service and even domain admin accounts. Wait, how did the attacker go from compromising what sounds like a limited user on a workstation to having domain admin access? Apparently, “digital shoulder surfing.”

Again, we have lots of information we already know (attackers are sending phishing emails and users will launch them), and almost nothing about what we don’t know (how an attacker went from limited access on a limited system to owning the network).

It almost seems like RSA is trying to make the worst of a good situation with their misguided PR plan. They announce they’ve been hacked, but they don’t give any details about what their customer’s risk level is. They yell “APT!!!”, then talk about how the attacker used a well-known tool and common techniques, with no details about the true meat of the attack. They caught the attack in the middle of the operation, but they won’t say that they were able to curtail the attacker’s access from the most sensitive data. Maybe they can’t say more due to legal or other constraints, but at least they could let us know if that was the case.

And what’s with the now-popular use of “APT”, anyway? RSA caught the attack in the early stages, so it wasn’t exactly persistent. The attacker also used common tools and techniques, so not terribly advanced. The use of a Flash 0-day does elevate the attacker to somewhere above script-kiddie level, but Flash flaws are discovered about twice a week… so this isn’t exactly Stuxnet. Maybe there was something amazing in the technical details of the “digital shoulder surfing”, but at this point everything we’ve heard from RSA is “we got hacked by the best… but everything’s cool.”

RSA may be reaching out to SecurID customers directly to share more detailed information about this incident, but if I was in the market for two-factor authentication, I would be severely spooked. It’s funny, because I feel like RSA might have deserved a pat on the back. Their blog post states they caught the hack in progress, which deserve some kudos, even if they didn’t prevent the attack in the first place (prevention is ideal, but detection is a must). Maybe RSA is suffering from the tech geek’s Achilles heel: they have done some good technical work, but they’ve failed to put it into words for the customer/boss.

Categories: Opinion Tags: , , , ,