The makers of backtrack Linux have released a version of the distro which is built for ARM processors. This means that backtrack, a full Linux distribution, sort of an Ubuntu pentester’s spin, will run on mobile devices. This does not however mean its a simple manner. Backtrack’s website has a downloadable image built to run on the Motorola Xoom. However its not exactly plug and play.
I used some directions I found online to get backtrack running on my old Droid Incredible, but it was painfully slow, and pretty muck unusable. Now I have two devices at my disposal which could be more up to the task. First is my new Droid 4. Second is my Asus eeePad Transformer.
For me? It’s just cool. I’m not a pentester, but I am a pretty skilled linux guru. I know a few pentesters, and this could come in handy for them. My skills could help them out. Besides, I want to see if I can do it. 😛
What is backtrack
So, Backtrack Linux is essentially ubuntu, with a ton of Penetration Testing and exploit tools added in. This is useful for guys who live and breathe IT Security. Have a look at Backtrack’s web site for more information about backtrack.
How does this work?
Familiar with chroot? It’s essentually a method of locking a user into a container in a linux system. It’s used for many security reasons. Think about it. Locking the user a service runs as into its own little container. This means that if an attacker breaks into that service, he only has access to what that service has access to. It’s also great for building and testing systems because you can create a file system in a directory, and then chroot into that directory, and then move around as if you were booted into that system. You could, for example, copy an ubuntu system into a disk image, or a directory structure inside of your Fedora system. Then chroot into the ubuntu install’s directory, and then, effectively, work in the ubuntu environment. It’s not identical to actually booting the ubuntu system. In fact you’d be running the Fedora kernel, it would just feel like the ubuntu system, if you did it right. Well this is exactly how Backtrack can be run inside of Android. Android runs a LInux kernel, just like Backtrack. So you get things into the right place, and get permissions the right way, and then chroot. Bang, there you are, Backtrack. X is handled via VNC.
Skip the details?
If you’re not interested in HOW I did this, and would just like to get the finished product, skip to the “The Quick And Dirty” heading at the bottom of this post.
Get the Backtrack Image
So, the first step is to go get Backtrack ARM. Go to Backtrack’s Downloads page, and get the Backtrack 5 for ARM image. I used Backtrack 5, the Torrent version. This download went amazingly fast. about 10 minutes for a gig 7z file. I wont go into talking about the days of 10 minutes for one mb, that’s off topic.
File size limitations
The Droid 4 uses vfat to store data on its sdcard. Or, at least thats the format that MY sd card is (and I had the Droid 4 format it..). Now, from what i’ve read, and what i’ve seen in practice, vfat supports a maximum file size of 2gb. However, the Droid 4 seems to happily charge through that boundary, but die at 4gb. The backtrack image is 5.1gb.
There’s a few options to get around this. One could be to build a new, smaller image, another could be to split the current image. I mounted the full image on a linux workstation, and had a look at where the space was going.
First, it’s not using the full 5 gb. So making a new sub 4gb image is possible.
[me@myworkstation mnt]$ df -h Filesystem Size Used Avail Use% Mounted on /dev/loop0 4.9G 2.6G 2.0G 57% /home/me/Projects/btandroid/mnt
Second, /usr is the pig.
[me@myworkstation mnt]$ sudo du -h --max-depth=1 249M ./opt 200K ./srv 4.0K ./sys 16K ./lost+found 4.0K ./media 4.0K ./home 8.6M ./sbin 4.6M ./root 4.0K ./mnt 140M ./var 12K ./dev 1.9M ./boot 4.0K ./proc 14M ./etc 1.7G ./usr 216K ./share 83M ./lib 6.3M ./bin 77M ./pentest 349M ./tmp 4.0K ./selinux 2.6G .
So, you could make a new image, and duplicate the data from the 5gb image to a less than 4gb image. Or, you could do what I did. Split /usr and / into their own images. I ended up with a 3gb /usr, and a 2gb /. If you dont know how that’s done, here’s a quick rundown.
[me@myworkstation tmp]$ dd if=/dev/zero of=./bt_root.img bs=1024 count=2000000 2000000+0 records in 2000000+0 records out 2048000000 bytes (2.0 GB) copied, 27.4198 s, 74.7 MB/s [me@myworkstation tmp]$ dd if=/dev/zero of=./bt_usr.img bs=1024 count=3000000 3000000+0 records in 3000000+0 records out 3072000000 bytes (3.1 GB) copied, 53.8706 s, 57.0 MB/s [me@myworkstation tmp]$ mkfs.ext3 ./bt_root.img mke2fs 1.41.14 (22-Dec-2010) ./bt_root.img is not a block special device. Proceed anyway? (y,n) y ... [me@myworkstation tmp]$ mkfs.ext3 ./bt_usr.img mke2fs 1.41.14 (22-Dec-2010) ./bt_usr.img is not a block special device. Proceed anyway? (y,n) y ... [me@myworkstation tmp]$ mkdir bt [me@myworkstation tmp]$ mkdir bt_s [me@myworkstation tmp]$ sudo mount -o loop ../bt5.img ./bt [me@myworkstation tmp]$ sudo mount -o loop bt_root.img ./bt_s [me@myworkstation tmp]$ mkdir ./bt_s/usr [me@myworkstation tmp]$ sudo mount -o loop bt_usr.img ./bt_s/usr/ [me@myworkstation tmp]$ sudo rsync -r --links bt/ bt_s
You’ll get a lot of “Skipping non-regular file” warnings from rsync. This is mostly special device files and whatnot, that get replaced with actual working dev files after you mount bt on android.
Now just umount everything.
[me@myworkstation tmp]$ sudo umount bt_s/usr bt_s bt
Now, because you’re on an android device, and the manufacturer doesn’t trust you (even though you paid for the device, and you “own” it….) you don’t have permission to actually do much beyond USE the Droid 4. At this point, you need root. Root exploits are pretty common. The Droid 4 was rooted the day it was released. For this to work, you just need root, and busybox. I gained it by using a nice one-click method that rooted the phone, and installed busybox. Root at your own risk, and in your own way. I won’t presume to tell you what the “best” way to do this is. When i wrote this, there weren’t many options out there.
Get all of this on to the phone
There are three essential files you need to boot backtrack. The “bootbt” script, and the two images I just showed you how to create. Get them on to the phone. I placed them on my sdcard, in a folder called “bt”. This translates to /mnt/sdcard-ext/bt on the phone. Put them wherever you please, just note that you’ll need to change bootbt to the new path if you do with a location other than /mnt/sdcard-ext/bt. If you dont have an sd card, use /mnt/sdcard (which is internal memory, regardless of what the mount point says).
The Backtrack image came with a “bootbt” shell script. This is written for the Motorola Xoom. It needs some modification in order to work on the Droid 4.
Here’s what I ended up with:
[me@myworkstation tmp]$ adb shell cat /mnt/sdcard-ext/bt/bootbt #!/bin/bash perm=$(id|cut -b 5) if [ "$perm" != "0" ];then echo "This Script Needs Root! Type : su";exit;fi #mount -o remount,rw /dev/block/system /system export kit=/sdcard-ext/bt export bin=/system/bin export mnt=/data/local/mnt if [ ! -d "$mnt" ];then mkdir -p $mnt fi export PATH=$bin:/usr/bin:/usr/local/bin:/usr/sbin:/bin:/usr/local/sbin:/usr/games:$PATH export TERM=linux export HOME=/root export USER=root if [ -b /dev/block/loop254 ]; then echo "Loop254 device exists" else busybox mknod /dev/block/loop254 b 7 254 fi if [ -b /dev/block/loop253 ]; then echo "Loop254 device exists" else busybox mknod /dev/block/loop253 b 7 253 fi /sbin/losetup /dev/block/loop254 $kit/bt_root.img /sbin/losetup /dev/block/loop253 $kit/bt_usr.img mount -t ext3 /dev/block/loop254 $mnt mount -t ext3 /dev/block/loop253 $mnt/usr mount -o bind /dev/pts $mnt/dev/pts mount -o bind /proc $mnt/proc mount -o bind /sys $mnt/sys sysctl -w net.ipv4.ip_forward=1 echo "Setting /etc/resolv.conf to Google Open DNS 220.127.116.11 and 18.104.22.168" echo "nameserver 22.214.171.124" > $mnt/etc/resolv.conf echo "nameserver 126.96.36.199" >> $mnt/etc/resolv.conf echo "127.0.0.1 localhost" > $mnt/etc/hosts busybox chroot $mnt /bin/bash echo "Shutting down BackTrack ARM For Droid 4" umount $mnt/dev/pts umount $mnt/proc umount $mnt/sys umount $mnt/usr umount $mnt
I could step through the whole thing with you, but i’ll keep this brief. The script sets up some environment. Then it checks for two loop devices, creates them if they’re not there already. Then it mounts my images on /data/local/mnt and /data/local/mnt/usr. And the binds the host’s proc, sys, and dev/pts to the Backtrack locations for such.
Then it chroots you into Backtrack! It looks something like this:
[me@myworkstation tmp]$ adb shell shell@cdma_maserati:/$ su root@cdma_maserati:/# cd /mnt/sdcard-ext/bt root@cdma_maserati:/mnt/sdcard-ext/bt# sh ./bootbt Loop254 device exists Loop254 device exists net.ipv4.ip_forward = 1 Setting /etc/resolv.conf to Google Open DNS 188.8.131.52 and 184.108.40.206 groups: cannot find name for group ID 1003 groups: cannot find name for group ID 1004 groups: cannot find name for group ID 1007 groups: cannot find name for group ID 1009 groups: cannot find name for group ID 1011 groups: cannot find name for group ID 1015 groups: cannot find name for group ID 3001 groups: cannot find name for group ID 3002 groups: cannot find name for group ID 3003 root@localhost:/# exit --- Here's backtrack! exit Shutting down BackTrack ARM For Droid 4 root@cdma_maserati:/mnt/sdcard-ext/bt# exit shell@cdma_maserati:/$ exit [me@myworkstation tmp]$
The script does its best to clean up after you exit (umounting all of the things we mounted), but it’s best to reboot after you exit, just so you’re sure it’s clean.
You thought that getting Backtrack running was it? Nooooo There’s more! You get X too! X is handled by VNC. You basically start up a vnc server inside of BT, and then connect to it using a VNC client on the phone. So, here goes.
You’ll need a terminal emulator on the phone. I use Better Terminal Emulator. Fire up your terminal, and execute the bootbt script. You’ll do this by opening the terminal, using su to get root, then cd to /path/to/bt, and then sh bootbt. Once you have the BT prompt, run “startvnc”. This will start up the vnc server. Now hit your Home button (without exiting backtrack, or your terminal). Now fire up your vnc app. I use Android-vnc. Connect to 127.0.0.1 on port 5901. The default password is toortoor. You can reset this with vncpasswd. Make sure you select a color depth that’s to your liking. I use 24 bit. Why not, right? That’s it, you’re in! Use bt!
Something you may want to tweak, is the screen resolution of the vnc session. This is done in the startvnc script. The Droid 4’s screen is 960 x 560 pixels.
The script is located in /usr/bin/
root@localhost:/# cat /usr/bin/startvnc #!/bin/bash rm -rf /tmp/.X1* vncserver -geometry 960x560
Stopping vnc is as easy as dropping back to your terminal, and running “stopvnc”.
Then just exit bt by typing exit. As stated, it’s a good idea to reboot after exiting, unless you’re planning on starting bt right back up again.
The quick and dirty
So, as promised, here’s the overall procedure. We’ll call it a recap.
Get the images here: add link here
Get Root, and Busybox (you’re on your own).
Get a terminal emulator, and a vnc client for your phone. (Check the market, see above for my preferred apps).
Extract the bt archive, and put the “bt” directory on your phone. Somewhere like /mnt/sdcard, or /mnt/sdcard-ext is preferable.
Now edit the bootbt script so that the “kit” variable points to the location of the bt folder.
Run bootbt, as root.
shell@cdma_maserati:/$ su root@cdma_maserati:/# cd /mnt/sdcard-ext/bt root@cdma_maserati:/mnt/sdcard-ext/bt# sh ./bootbt
From within bt, use “startvnc” to start up X, in a vnc session.
Use your VNC app to connect to: 127.0.0.1:5901 password toortoor (unless you changed it).
When you’re done, exit bt from your terminal, and then reboot the phone for proper cleanup.
And, Here it is: