network shenanigans or just smoke and mirrors

Rooting the Nexus One with Froyo

July 16th, 2010 by geezer

I ditched my iPhone 3G for a Nexus One. For me the reason was an extremely easy one: seamless integration with Google. I love the way it handles syncing email, contacts, calendar, and voice mail. To be honest, I don’t really use the phone for much else. I tracked my usage of apps on the iPhone and found them mostly to be novelty apps.

But being a Linux geek at heart and a Capricorn, I do like to have complete control! So I embarked on rooting the Nexus One as soon as it OTA updated to Android 2.2 (Froyo). After reading numerous threads, blogs and posts, here is my way of distilling all that info down into four easy steps.

Remember: this is for the stock ROM FRF91. I cannot explain — as I don’t know — what will happen if you screwed around with your phone in the past. This happens to be a phone fresh from the factory that OTA updated to Android 2.2 as soon as I turned it on! YMMV.

Step 01: Unlock Bootloader

  • Download fastboot for Linux here
  • Turn off the Nexus One
  • Connect your phone to your computer via a USB cable
  • Power it on by holding down the trackball as you hit the power button
  • you should see a text screen with three skateboarding Androids

  • Open a terminal on your Linux box
  • navigate to where fastboot is located

  • Run ./fastboot-linux devices
  • you should see some output
    if you did not see output, you need Step 02: Modify UDEV
    repeat above steps until output is seen

  • Run ./fastboot-linux oem unlock
  • Use the Volume Up to select Yes to Unlock bootloader



Step 02: Modify UDEV
AFAIK, this only applies to Ubuntu systems.

  • sudo vi /etc/udev/rules.d/51-android.rules
  • add the following lines to this file
  • SUBSYSTEM=="usb", SYSFS{idVendor}=="18d1", MODE="0666"
    SUBSYSTEM=="usb", SYSFS{idVendor}=="0bb4", MODE="0666"

  • sudo chmod a+rx /etc/udev/rules.d/51-android.rules
  • sudo service udev restart
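
The rules above make the phone's USB device node world-writable (MODE="0666"), so any local user could talk to the unlocked bootloader. As an added example, not from the original post, here is a script that installs rules for the same two vendor IDs (18d1 is Google, 0bb4 is HTC) but limits access to one group, using the ATTR{} match that replaced the older SYSFS{} spelling; it assumes the plugdev group exists and reuses the rule file path from Step 02.

```bash
#!/bin/bash
# Added example: udev rules for the Nexus One that grant access to one group
# instead of every local user. Assumed: the "plugdev" group exists.
RULES_FILE=/etc/udev/rules.d/51-android.rules
DEVICE_GROUP=plugdev

# Build one rule line. ATTR{} is the current form of the older SYSFS{} match;
# MODE 0660 plus GROUP restricts the node to members of that group.
udev_rule_for_vendor() {
    printf 'SUBSYSTEM=="usb", ATTR{idVendor}=="%s", MODE="0660", GROUP="%s"\n' \
        "$1" "$DEVICE_GROUP"
}

# Read `fastboot devices` output on stdin; succeed only if a line of the form
# "<serial> fastboot" is present (an unreadable node yields empty output).
fastboot_sees_device() {
    grep -Eq '^[[:alnum:]]+[[:space:]]+fastboot'
}

install_rules() {
    {
        udev_rule_for_vendor 18d1
        udev_rule_for_vendor 0bb4
    } | sudo tee "$RULES_FILE" >/dev/null
    sudo chmod 644 "$RULES_FILE"
    sudo udevadm control --reload-rules
    # The rule applies at the next plug-in event, and the user must belong to
    # DEVICE_GROUP (a new login is needed for the group change to take effect).
    sudo usermod -a -G "$DEVICE_GROUP" "$USER"
}

if [ "$1" = "--install" ]; then
    install_rules
    if ./fastboot-linux devices | fastboot_sees_device; then
        echo "device visible"
    else
        echo "no device: replug the phone and log in again"
    fi
fi
```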



Step 03: Flash a Recovery Image

  • Download the latest recovery image here
  • Turn off Nexus One
  • Power into Fastboot mode
  • hold down trackball as you hit the power button
    same as in Step 01: Unlock Bootloader

  • Run ./fastboot-linux devices
  • make sure you see the device

  • Run ./fastboot-linux flash recovery recovery-RA-nexus-v1.7.0.1.img
  • Test recovery mode
  • use the Volume Down-key to toggle Reboot
    hit the power button
    hold down the Volume Down-key as it reboots
    navigate to RECOVERY with the Volume Down-key
    press the power button to select

  • If all goes well, you’ll see a nice recovery menu



Step 04: Install Rooted Image

  • Download the rooted image from here
  • While in Recovery mode, perform a nandroid backup of your system
  • Return to main menu and select USB-MS toggle
  • This will mount the SD card onto your Linux system

  • Copy over froyo-rooter-signed.zip to the SD card
  • Unmount the SD card in Linux
  • Press the trackball to disable USB-MS mode
  • From the Recovery menu select Flash zip from sdcard
  • Within a few seconds you will have a rooted Nexus One w/Froyo Android 2.2

  • Power down or reboot the phone



If all went according to plan, you should have a rooted Nexus One. A quick way to tell is by looking for a new app called “Superuser Permissions.”

Good luck!

Posted in Chatter, Embedded | No Comments »

Saving Video Files

October 29th, 2009 by geezer

I got this idea from Linux Journal. After you have watched a video online, run this script to save a local copy in the same place this script is run.

Some pre-reqs: I assume Firefox is your browser in both Linux and OS X, and I assume you have mplayer installed in Linux and VLC in OS X.

Here’s the Linux version:

#!/bin/bash

clear

echo "Video Saver Script Foo by geezer"
echo

# [f]irefox keeps the awk process itself from matching; stop after the first PID
PID=$(ps xa | awk '/[f]irefox/ { print $1; exit }')

if [ -z "$PID" ]; then
     echo "Firefox is not running!"
     exit 1
fi

# The Flash plugin keeps its temp file open; walk Firefox's descriptors and
# keep the last one whose target mentions Flash. Once the plugin unlinks the
# file, the kernel appends " (deleted)" to the link target.
VIDEO=""
DELETED=""
for FD in /proc/"$PID"/fd/*; do
     TARGET=$(readlink "$FD") || continue
     case $TARGET in
          *Flash*)
               VIDEO=${TARGET% (deleted)}
               DELETED=""
               [ "$TARGET" != "$VIDEO" ] && DELETED="(deleted)";;
     esac
done

if [ -z "$VIDEO" ]; then
     echo "No video found!"
     exit 1
fi

if [ "$DELETED" = "(deleted)" ]; then
     echo "Video is no longer in cache! Please replay."
     exit 1
fi

if [ "$1" = "-d" ]; then
     echo "$PID"
     echo "$VIDEO"
fi

echo -n "Name your video file: "
read -r NAME

cp "$VIDEO" "$NAME.flv"

echo
echo -n "Do you want to play the video now?  "
read -r ANSWER

case $ANSWER in
     Y | y)
          mplayer "$NAME.flv" &> /dev/null &
          echo;;
     N | n)
          exit;;
     *)
          exit;;
esac



And here’s the OS X version:

#!/bin/bash
clear

echo "Video Saver Script Foo by geezer"
echo

# [f]irefox keeps the awk process itself from matching; stop after the first PID
PID=$(ps xa | awk '/[f]irefox/ { print $1; exit }')

if [ -z "$PID" ]; then
     echo "Firefox is not running!"
     exit 1
fi

# lsof lists Firefox's open files; the path is the ninth column
VIDEO=$(lsof -p "$PID" 2>/dev/null | awk '/FlashTmp/ { print $9 }' | tail -1)

if [ -z "$VIDEO" ]; then
     echo "No video found!"
     exit 1
fi

if [ "$1" = "-d" ]; then
     echo "$PID"
     echo "$VIDEO"
fi

echo -n "Name your video file: "
read -r NAME

cp "$VIDEO" "$NAME.flv"

echo
echo -n "Do you want to play the video now?  "
read -r ANSWER

case $ANSWER in
     Y | y)
          if [ -f "/Applications/VLC.app/Contents/MacOS/VLC" ]; then
               open -a VLC "$NAME.flv" &> /dev/null &
          else
               echo "VLC is not found."
               exit 1
          fi
          echo;;
     N | n)
          exit;;
     *)
          exit;;
esac

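Both scripts work because the Flash plugin keeps its temporary file open, so the kernel still serves the contents through the process's descriptor table even after the file has been unlinked. As an added example that is not part of the post, here is that idea generalized into a function that recovers any unlinked-but-still-open file from a given process on Linux, which also covers the "(deleted)" case the Linux script above gives up on; the function name and its arguments are assumptions.

```bash
#!/bin/bash
# Added example: copy files a process still holds open after they were unlinked.
# Assumed interface: recover_open_deleted PID PATTERN DESTDIR
# Prints the number of files recovered; returns 1 if PID does not exist.
recover_open_deleted() {
    local pid="$1" pattern="$2" dest="$3" fd target name n=0
    [ -d "/proc/$pid/fd" ] || { echo "no such process: $pid" >&2; return 1; }
    for fd in /proc/"$pid"/fd/*; do
        target=$(readlink "$fd") || continue
        # The kernel appends " (deleted)" to the link target once the file is
        # unlinked; only descriptors matching the pattern in that state qualify.
        case "$target" in
            *"$pattern"*" (deleted)") ;;
            *) continue ;;
        esac
        name=$(basename "${target% (deleted)}")
        # Opening the magic symlink under /proc reopens the inode itself, which
        # stays alive for as long as the process keeps the descriptor open.
        cp "$fd" "$dest/$name" && n=$((n + 1))
    done
    echo "$n"
}
```
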
Posted in Chatter | 1 Comment »

Python Copy Routine

March 3rd, 2009 by geezer

For anyone new to Python, here’s a simple script to help copy files of a particular extension type to another location.

My scenario was to copy a bunch of ISO images from my Linux box to my MacBook. Sure I could have mounted the Linux box, selected all the files and do the simple drag-and-drop to my DVD library. As I did that, I noticed ALL the files were being copied at the same time. This was causing way too much “back and forth” of the drive head on the server as it attempted to copy various bits and bytes of each file.

I wanted a way to copy each ISO, one at a time, without me having to wait for each copy to complete to begin the next ISO. This sounds like a job for a script! So here’s the Python script I put together to accomplish the task. At least the drive head on the server wasn’t getting thrashed! And now I could continue doing other tasks.

import os
import fnmatch
import subprocess

SRC = '/Volumes/sda1'

for movie in os.listdir(SRC):
    if fnmatch.fnmatch(movie, '*.ISO'):
        print(movie)
        # One cp at a time; passing an argument list keeps a filename with
        # spaces or shell metacharacters from being interpreted by a shell.
        subprocess.call(['cp', os.path.join(SRC, movie), '.'])


Substitute *.ISO with your own file extension. Any other valid UNIX command can take the place of cp; pass it to subprocess as an argument list rather than building a single command string for os.system(), since a filename containing spaces or shell metacharacters would otherwise be split or interpreted by the shell.

More details on these Python modules can be found here:

os module
fnmatch module

Posted in Chatter | No Comments »

Automated Ubuntu Package Installations

January 7th, 2009 by geezer

The other day I found myself working on an installation script for a program that required a number of software packages from Ubuntu’s repositories.

After a couple hours of continually hitting the “y” button during testing, I finally figured out a method to automate the process without user interaction. You use a “-y” flag with apt-get (it pays to read the man pages!).

So if you’re looking for an automated way to download and install packages from within a Bash script, feel free to use this function I whipped up. Of course, if you have ways to improve it, please post some comments!

Be sure to add the packages you need to the script! Those are the ones I needed. I’m sure your needs are different.

Enjoy!

#!/bin/bash

functionInstall ()
{
     clear
     packages=(build-essential libpcap-dev bison flex libgtk2.0-dev)
     echo "Downloading and installing packages."
     echo
     for i in "${packages[@]}"; do
          echo -n "     * $i... "
          # -y answers apt-get's own prompt; DEBIAN_FRONTEND=noninteractive keeps
          # package configuration (debconf) from prompting as well. Check the
          # exit status instead of hiding a failed install behind /dev/null.
          if DEBIAN_FRONTEND=noninteractive /usr/bin/apt-get -y install "$i" &> /dev/null; then
               echo "done."
          else
               echo "FAILED."
               return 1
          fi
     done
     return 0
}

functionInstall

Posted in Chatter | No Comments »

DEFCON Material Posted

August 5th, 2007 by geezer

In my previous post I mentioned the three talks which I found the most informative and useful. I’ve posted the talks’ associated presentations and whitepapers in the Reference Material section for your downloading pleasure. I hope you enjoy these as much as I did.

Posted in Chatter | No Comments »

DEFCON 15: Day 3 Recap

August 5th, 2007 by geezer

The third day of DEFCON is always a slow day, at least for me. Many people party their asses off Saturday night only to either stumble into the early morning sessions half drunk or just not show up at all. As for me, neither scenario held. I was only interested in two talks, both of which turned out to be excellent!

First up for me was Jesse D’Aguanno’s “LAN Protocol Attack – ARP Reloaded.” He began by reviewing the traditional ways to perform ARP cache poisoning and the weaknesses with those techniques in today’s LAN environments. He detailed both client cache limitations as well as CAM (Content-Addressable Memory) tables.

The technique is rather trivial once explained. In the past, most people sent gratuitous ARP replies to the target or broadcast address on a network. The attacker had to keep up this ARP flood in order to pull off the attack. However, Jesse noticed from reading the ARP RFC that if a target receives a request for its IP address from an attacker, the target automatically adds the attacker’s IP/MAC address pair to its ARP cache. The beauty is that the attack now takes place with a single packet! Genius!! Simple and written in black and white, but genius! I always felt that if more people took the time to actually read RFCs (yawn!) then more tricks like this could be found. I like this.

The second talk was “Intranet Invasion with Anti-DNS Pinning” by David Byrne. For some background on DNS Pinning, go here and here. The talk was great because not only did David confirm all I’ve read on the net about this technique, but he also demonstrated actual attacks live. He was able to trick a victim into loading and running some JavaScript that eventually allowed the attacker to run a Nessus scan on the internal network from an outside location. This holds extreme potential for some serious intranet attacks from the outside world.

Every year my goal is to come away from DEFCON with just one new technique that I can play with and improve upon. This year I was fortunate to find at least three: (1) the use of SMB/CIFS and WPAD to gain access to targets without needing an exploit, (2) the ability to perform ARP poisoning in a stealthy manner and (3) the ability to infiltrate an intranet from the outside using anti-DNS pinning techniques.

In addition to the technical gems found, I feel the information gleaned from the two panel discussions, “Meet the VCs” and “Self-Publishing in the Underground,” will help me with my own professional and career development plans. Overall, DEFCON 15 turned out to be better than I had hoped. Now maybe I can go out and enjoy Vegas before my 7:00 am flight tomorrow!

Posted in Chatter | No Comments »

DEFCON 15: Day 2 Recap

August 4th, 2007 by geezer

Day two was… interesting. However, it was not as interesting as this!

I started the day by taking in some Web 2.0 attacks and threats at Steve Orrin’s talk. I’ll admit that I’m not up to speed on this Web 2.0 stuff, XML, SOAP, etc. However, some of the attack vectors revealed piqued my interest enough to at least give the technology a shot. Since the web is moving in this direction, it’s only logical to understand this new threat.

Aaron Peterson’s talk on “Pen-testing Wi-Fi” held promise. I’m a Wi-Fi junkie. I’m always looking for something new, unique and novel. Unfortunately, the talk was anything but. I’ll give the guy props for taking existing tools and bundling them together into one useful suite of apps, but come on! There’s nothing new here folks. Next talk.

If there was one talk I had high hopes for, it had to be King Tuna’s “Hacking EVDO.” Now here’s something relevant and new! New because it’s never been talked about before. Relevant because I use EVDO when I’m on the road. In fact, I’m using it as I post this report. Wi-Fi networks are so easily hacked, I refuse to use them.

This presentation revealed ways to modify the firmware of a certain model EVDO card used on the Verizon Wireless Broadband network. By downloading some proprietary software from a torrent, he demonstrated various ways the firmware of the card could be manipulated to do things it shouldn’t do. He did suffer some technical difficulties during his demos which was painful to watch. However, I would expect to see future talks on this subject in the coming years.

If memory serves me correctly, I first heard of a rogue wireless access point referred to as an “Evil Twin” at a past DEFCON talk presented by the Shmoo Group. K.N. Gopinath’s talk, “Multipot: A More Potent Variant of Evil Twin” didn’t do it for me either. Am I being too critical? Am I asking too much when I want to see new material, something cutting edge? I don’t think so. I left the talk early.

There was one other talk on this day that I was looking forward to, “Geolocation of Wireless Access Points” by Ricky Hill. I was impressed! Here was a hardware system developed from scratch that uses triangulation to physically locate wireless access points. The system uses a yagi antenna mounted to a stepping motor combined with a digital compass and a GPS unit. With some Visual Basic code, the tool was able to geolocate wireless access points with better precision than anything else currently on the market that I’ve seen. It’s not ideal in any sense. It only seems to work well in open areas like water. If you place trees in the way or try this in an urban environment, it won’t work and the creator admits it. However, I think it represents a great first try. I hope others pick up the lead and improve on this work.

I ended the day by attending a panel discussion entitled, “Internet Wars 2007.” These discussions are always interesting because they’re very unstructured and anything goes. Personally for me, it was more for entertainment than actual useful knowledge.

Overall, day two provided a few golden nuggets in which I may find value. But for now, I think I’ll watch the video again!

Posted in Chatter | No Comments »

DEFCON 15: Day 1 Recap

August 4th, 2007 by geezer

The Con offered five tracks this year. The first talk I attended was by Sean Bodmer, entitled “Analyzing Intrusions & Intruders.” According to the official program guide, “… due to advances in network systems automation we now have time to pay more attention to subtle observations left by attackers…” I took this to mean we were to be treated to an enhanced form of packet analysis that could lead to clues and possible apprehension of the intruders. Instead, the talk focused on a more behavioral science and profiling approach. Not the talk I was expecting; therefore, I was disappointed in my first session.

The second session was right up my alley! Called “Meet the VCs,” we were provided a panel of real venture capitalists actively seeking new technology companies. They detailed what they look for in ideas, businesses and expectations when approached by companies seeking capital. The panel ranged from seed money VCs to well established VCs that may hold companies in their portfolios for many years before seeking an exit. This is definitely one talk worth following up with after the Con.

Since a break for lunch is never provided at the Con, some of us took the next hour and a half to grab some lunch and exchange thoughts and ideas.

Bruce Potter’s talk on “Dirty Secrets of the Security Industry” was standing room only. In fact, many people had to leave since their presence in the aisles and along the walls posed a fire hazard. Bruce loves to rant, and I love to listen! His talk can be summed up this way: There would be no need for “defense in depth” if people wrote secure code in the first place. Unfortunately, there is no formal body, organization or training program that teaches people a consistent way to write secure code. I have to agree.

“Self Publishing in the Underground” by Long, O’Hara & Wirth was an eye opener on how easy it is to get a book published in this day and age. They outlined a number of online alternatives from lulu.com to Amazon.com and their associated costs and headaches. This sounds like an easy way to quickly establish yourself as an expert in your field. It’s worth a look.

H.D. Moore and Valsmith’s “Tactical Exploitation” revealed ways to exploit or attack machines without the use of zero-day exploits. They simply used everyday protocols in ways they weren’t meant to be used! Try to research SMB/CIFS and WPAD and see if you can’t find devious ways to wreak some havoc!

BlackHat 2005 will always be known for Ciscogate. The Dark Tangent gave a behind-the-scenes blow-by-blow of the entire event from his perspective. It was an amazing tale of corporate irresponsibility run amuck with the little guy, The Dark Tangent, caught in the middle.

Sam Bowne recounted his tale of launching a hacking class at the City College of San Francisco in “Teaching Hacking at College.” He detailed how he pitched his idea to the administration, how the lab was set up, the program itself and the final outcome. This is a program worth spreading to other centers of higher learning.

And finally, for me, I ended the day with David Hulton’s talk on “Faster PwninG Assured: New Adventures with FPGAs.” Dave does nothing but amaze us with his FPGA programming foo! All I can say is this guy rocks! He’s a master with combining crypto solutions into an FPGA form factor. Is there anything FPGA related this guy can’t do?

Overall, my impression with day one ended on a positive note. I was worried during the first talk, but things soon shaped up for the better. Now it’s off to day two!

Posted in Chatter | 1 Comment »

DEFCON 15 Starts Today

August 3rd, 2007 by geezer

Today kicks off the fifteenth year of DEFCON. Team SSH is in the house. We hope to provide some commentary on this year’s talks. We won’t hold back. We never do.

Posted in Chatter | No Comments »