Tag: ssh

Weaponizing the Nokia N900 – Part 3.8 – Backtrack 5 on N900

by on May.28, 2011, under Posts

First and foremost I am not taking credit for the act of this. There are other posts on getting Bactrack 5 (ARM) onto the N900. My post mostly pertains to my experience with Backtrack 5 on the N900 and how viable of a offensive information security tool it is.

If you’re curious as to how to get Backtrack 5 running on your N900, you want to thank SuperDumb from the Maemo forums, and take a look at this forum thread. Observe that the default Backtrack 5 (arm) image will not copy over to your vfat microSD external or internal cards. vfat has a file size limit

There are some guides that advocate using ext2/3 on flash devices, but I do not condone you doing this, please see:

http://www.linux.com/archive/feature/114295

To circumvent this issue you can download an image that will work on vfat here, or if you would prefer to re-size the image yourself, follow these steps that SuperDumb graciously gave me via a PM:

Must be done under linux :
Just an example, change the dirs how you want them :

First you need to get the bt5.img out of the downloaded file from backtrack :

gunzip bt5.img.gz

These are the steps to get a img that is small enough :

mv bt5.img bt5.old.img

dd if=/dev/zero of=bt5.img bs=4k count=900000
mke2fs -F -i 8192 bt5.img

mkdir bt5old bt5new
mount -o loop bt5.old.img bt5old
mount -o loop bt5.img bt5new
cd bt5old
cp -rp * ../bt5new

After that just umount bt5old & bt5new and you should have a working img.

Once you have a working img, you will need to have qchroot on your N900 along with gainroot. Then to get Backtrack 5 running on your N900 via the non-GUI way, you simply do as follows:

1.) sudo gainroot

2.) mkdir /mnt/bt5

3.)qchroot /location/to/bt5.img /mnt/bt5

One important note I would like to add with regards to the location of the bt5.img file, is that if you’re like me and you have a bootable linux distro on mmc1, you will not want to have the bt5.img on mmc1. Once your computer mounts the mmc1 card, your mmc1 card will not be accessible via your phone.

You can get VNC up and running, however the N900 keyboard and the Backtrack 5 GUI (at least using gnome) do not get along that well. Additionally, it is resource intensive and if you ask me, to truly utilize Backtrack or almost any Linux distribution, you want to use the command line interface. This is where the power lies. There are a few exceptions to this rule but exceptions don’t necessarily make the rule.

In my humble opinion having Backtrack 5 running on your N900 is not really worth it. My reasoning is due to my experience with it. Here are a couple instances of annoyances that I ran into:

– It is unstable. There were a few times that I would make an attempt to edit sources.list, via:  ‘vi /etc/apt/sources.list’ and my phone would randomly reboot.

– The GUI does not work well at all.

– There are packages that are easily available under the N900, that aren’t easily available under Backtrack 5 (ARM). (kismet for example.)

– Some packages are just broken. For example, miredo does not work at all. (More on miredo later…)

– Nmap’s version under BT5 arm is 5.00 and you can get Nmap for maemo on the N900 at version 5.50.

– easydebian seems like a better alternative and is more stable.

I’m going to go on a bit of a tangent here that I hope is informal and useful.

With miredo not working under BT5 on the N900, that was kind of a big annoyance to myself because miredo for the Maemo even appears to be broken as well.  To get miredo working on your N900 you will want to install and use easydebian.

What is beautiful with miredo, is that you can get an IPv6 address assigned to your N900. You could then use your N900 as a hardware based trojan in a network. The whole concept is very similar to what Mubix did here. You could setup your N900 on a victim network and have ssh listing on your public IPv6 address and then log in to your N900 from an outside network over IPv6. You wouldn’t even have to do any port forwarding on the victim’s firewall/gateway/router.

I will tell you that miredo does not work on all networks and does not appear to work over the gprs0 interface on the N900 (at least with my carrier). Though it works just fine on the wlan0 interface.

Readjusting back from that tangent, summarily I would like to state that the fact that you can get Backtrack 5 working on your N900 is wonderful. Consequently, due to my experience with running BT5 on the N900, I would just advise to use easydebian over BT5 and then customize easydebian to the point that it is essentially a ‘Backtrack’ version. It will be a more stable route to go and you can learn about the tools as you install them, versus having a plethora of tools at your disposal that you may not get around to learning.

14 Comments :, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , more...

An update: Just a bunch of random thoughts

by on Oct.15, 2010, under Uncategorized

Things I’ve taken note of over the past months:

1.) Finding ‘too much information’ (even when it’s public information) on a company can scare HR people, go figure.

2.) Linksys routers that are compatible with DD-WRT or the like, are great for being used as pivot points in networks. For example, if you’re able to to gain access to a router that is DD-WRT compatible and you can get SSH up and running on it, you’ve opened up a lot of opportunities.

One opportunity would include scanning the internet network using proxychains and nmap over an SSH tunnel. You could also use proxychains and nikto to scan web servers that are in the associated network with the DD-WRT compatible router.

You can also setup a private second WLAN network on the DD-WRT compatible router to have a sense of secure access to the network you’re penetrating. Using DD-WRT as a penetration tester, really opens up your possibilities.

3.) http://ipq.co rocks, ‘nough said. 🙂

4.) Being able to boot up a live Linux distro on a victim machine, use bhive, samdump2 (like this tutorial http://www.irongeek.com/i.php?page=security/localsamcrack2), to extract password hashes and then do ‘Pass the hash attacks’ via metasploit (like shown here: http://securitytube.net/Metasploit-Megaprimer-Part-16-(Pass-the-Hash-Attack)-video.aspx) is incredibly cool.

5.) The Nmap scripting engine rocks: http://securitytube.net/Mastering-the-Nmap-Scripting-Engine-(Blackhat-2010)-video.aspx

6.) Did you know you could install Nmap silently on a Windows machine? (Yes, it will also install winpcap.)
nmap-5.35DC1-setup.exe /S

7.) Other cool apps to install ‘silently’ using msiexec on Windows machines:  (msiexec /i appname.msi /q)
http://www.python.org/download/releases/2.5/
http://www.activestate.com/activeperl/downloads

8.) The concepts of SSH reverse connections and port forwarding make me elated: http://www.securitytube.net/Hacking-through-the-Windows-Firewall-using-Metasploit-video.aspx

More to come as usual…

1 Comment :, , , , , , , , , more...


Resilient SSH Tunneled Meterpreter Session –pauldotcom

by on Apr.07, 2010, under Posts, Videos

Persistent SSH Tunneled Meterpreter from PaulDotCom on Vimeo.

http://pauldotcom.com/2010/03/resilient-ssh-tunneled-meterpr.html

Nifty method, however I would argue that storing the password in clear text for your ssh server probably isn’t the best idea, and if you’re forced to do this, then the account that has to have the exposed password, should be severely limited in privileges.

Keep up the good work PaulDotCom.. 🙂

More to come..

Leave a Comment :, , , more...

Openssh on Windows + free domain name setup + ssh tunneling

by on Feb.14, 2010, under Posts

I’m actually posting this for a friend per request:

==OpenSSH + Cygwin Installation==

Over the past year or so, when using Windows on a certain computer in my network, I decided that I wanted secure command line oriented access to my Windows computer. With this being said, telnet would have not been a viable solution to the problem, along with remote desktop. Knowing about cygwin, I was soon to perform some searches on google pertaining to the installation of OpenSSH via cygwin.

The web site presented below, is a wonderful resource for this situation:

http://pigtail.net/LRP/printsrv/cygwin-sshd.html

Follow this tutorial closely and you should have little to no problems getting openssh set up on a Windows computer.

Also if you’re planning on doing ssh tunneling from a remote location or logging into your computer remotely via ssh, make sure to forward port 22 (or whatever port you set ssh to listen on) to the Windows computer that is hosting SSH. You may also want to set the Windows computer as a static client on your network, so you don’t have to worry about the LAN IP address changing which could cause problems, but depending on your router, this isn’t always necessary. It seems that a lot of routers do ‘static DHCP leasing’. To make sure that the service is remotely accessible, go to www.nmap-online.com .

Click on ‘Custom scan’.

Then under the ‘Nmap options..’, clear the options they have set there for you by default, leave your IP address alone and put:

-P0 -sV -vv -n -T3 -p 22 (YOURIP)

Lastly, click on ‘I agree with the Terms of Service’ and click ‘Scan Now!’. If nmap-online’s results yield the port is open, then you’re in business! Otherwise, you most likely
have your software firewall blocking openssh or you didn’t set up port forwarding on your router correctly. Other causes could include your ISP blocking that port as well.

=========================

==Dynamic DNS the free way==

One solution for a free DNS name is to use www.no-ip.com. Sign up using your e-mail address and here’s a video with a kid who has an annoying voice that may help you:

If you have set this up correctly, you should be able to resolve your new DNS name from the command line using a tool like ‘nslookup’. The IP address that shows up for your new DNS name, should be your WAN IP.

=========================

==SSH tunneling via Putty==

Now, say if you want to have a sense of security in a remote location that may be a malicious network. One (not perfect) good solution for if you’re a Windows user is to do SSH tunnelling.

http://oldsite.precedence.co.uk/nc/putty.html

Once you have logged into your server and set up a dynamic port on your loop back interface (127.0.0.1), it is now time to configure your browser to use a SOCKS 5 proxy connection on your loop back interface. Under Firefox this looks like this:

To verify that you’re actually tunneling home, go to www.ipchicken.com and here you should see your Dynamic DNS’s IP address. Now, you don’t have to worry nearly as much about MITM attacks and sniffing. Web  pages won’t appear nearly as quickly, but as the old saying goes, ‘Better safe than sorry’.  I hope this helps you dear friend of mine! 🙂

Last but not least, if you want to see a video on SSH dynamic port forwarding / tunneling, Irongeek has a wonderful video (bare in mind you don’t necessarily need ‘keys’, that he speaks of, you can use password authentication instead):

http://www.irongeek.com/videos/sshdynamicportforwarding.swf

2 Comments :, , , , , , , , , more...

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!