Thursday, June 21, 2012

Backtrack 5 on Android

A new addition to the Backtrack 5 Linux penetration testing distribution has been released for the ARM platform. This build was created for the Motorola Xoom Android tablet; however, with some simple modifications I was able to install and run it on my Samsung Galaxy S (Captivate). It should work on most Android devices that have a decent amount of processing power. There are a few prerequisites for using this distribution.
First of all, you have to have rooted your device and installed BusyBox. Secondly, you need a terminal emulator and a VNC client. The last thing you will need is a microSD card big enough to hold the image (8 GB). The microSD card must be formatted as ext2 in order to support the 4+ GB image file (FAT32 cannot hold a single file that large).

Once you have those items and have prepared the microSD card, it is ready to be inserted into your device. It will not be recognized automatically, because the ext2 file system is not natively supported by Android, so we open the terminal and mount the memory card manually using the -t ext2 option. The scripts included with Backtrack need to be slightly modified to match the mount points on your specific device. Once you run the bootbt shell script, the device creates a chrooted environment where Backtrack is loaded into memory. Before launching the VNC connection it is also necessary to change a couple of environment variables: USER has to be set to root and TMPDIR to /tmp. At this point the startvnc command can be run with a modified geometry option so that the desktop displays properly on the small screen; I found 800×480 to work rather well. There are two free VNC clients in the Android marketplace, AndroidVNC and PocketCloud. AndroidVNC did not perform as well for me in my tests.
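The mount, chroot and VNC steps above collected into one bootbt-style launcher, as an added example that is not the script shipped with the Backtrack 5 ARM image. The block device, mount points and image path are assumptions to adjust for your device; the page's startvnc script is replaced here by a direct vncserver call with the -geometry option, and DRY_RUN=1 only prints the commands instead of running them.

```shell
#!/system/bin/sh
# Added example: bootbt-style launcher for the Backtrack 5 ARM chroot on a rooted
# Android device. SD_DEV, SD_MNT, BT_IMG and BT_MNT are assumed paths; change them
# to match your device. DRY_RUN=1 echoes each command instead of executing it.

SD_DEV="${SD_DEV:-/dev/block/mmcblk1p1}"   # assumed external microSD partition
SD_MNT="${SD_MNT:-/sdcard/ext2}"            # assumed mount point for the ext2 card
BT_IMG="${BT_IMG:-$SD_MNT/bt5/bt5.img}"     # assumed location of the 4+ GB image
BT_MNT="${BT_MNT:-/data/local/mnt}"         # assumed chroot directory
GEOMETRY="${GEOMETRY:-800x480}"             # 800x480 worked well on the Galaxy S

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Fail early if the device is not rooted or BusyBox is not installed.
check_prereqs() {
    [ "$(id -u)" -eq 0 ] || { echo "need root" >&2; return 1; }
    command -v busybox >/dev/null 2>&1 || { echo "need busybox" >&2; return 1; }
}

# Android does not auto-mount ext2, so mount the card explicitly with -t ext2.
mount_sdcard() {
    run busybox mkdir -p "$SD_MNT"
    run busybox mount -t ext2 "$SD_DEV" "$SD_MNT"
}

# Loop-mount the image, bind the pseudo filesystems, set the two environment
# variables the chroot needs, then start the VNC server at the small-screen size.
boot_chroot() {
    run busybox mkdir -p "$BT_MNT"
    run busybox mount -o loop "$BT_IMG" "$BT_MNT"
    for fs in dev proc sys; do run busybox mount -o bind "/$fs" "$BT_MNT/$fs"; done
    export USER=root TMPDIR=/tmp
    run busybox chroot "$BT_MNT" /bin/bash -c "vncserver -geometry $GEOMETRY :1"
}

# Undo everything in reverse order so the card can be removed safely.
stop_chroot() {
    run busybox chroot "$BT_MNT" /bin/bash -c "vncserver -kill :1"
    for fs in sys proc dev; do run busybox umount "$BT_MNT/$fs"; done
    run busybox umount "$BT_MNT"
    run busybox umount "$SD_MNT"
}

# Usage: sh bootbt.sh start|stop  (run as root from the terminal emulator)
case "${1:-}" in
    start) check_prereqs && mount_sdcard && boot_chroot ;;
    stop)  stop_chroot ;;
esac
```

After `start`, point the VNC client at localhost:5901 (display :1).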
So now that we have the setup out of the way, you may be wondering what tools you can use once this setup has been configured. Some of the better-known utilities included with the ARM distribution of Backtrack 5 are as follows:
  • Metasploit Framework
  • Social-Engineer Toolkit
  • Nmap scanner
Other high level tool categories include:
  • Information Gathering
  • Vulnerability Assessment
  • Exploitation Tools
  • Privilege Escalation
  • Maintaining Access
  • Stress Testing
  • Forensics
  • Reporting Tools
This is all well and good, but there are a few limitations that regular users of Backtrack may notice right away, specifically the absence of the entire category of wireless exploration and attack utilities. This is due to the obvious hardware limitations of the smartphone or tablet running the operating system. Another limitation is that the only way to access a network is via a wireless network connection from within the Android operating system. If you are unable to connect directly with the Android device initially, you may be limited in the kinds of attacks you can perform. However, all is not lost: since you are required to have root access to your device, you can run software that creates a wireless hotspot. This may create an attack vector that you might not initially suspect within your organization.
One can expect that mobile attack vectors are now much easier to hide and may become more prevalent in the future. Companies need to explore and re-evaluate policies related to connecting external devices to their networks. Smartphones have become much more powerful than they once were and can provide some of the same capabilities as an external laptop. If wireless connections are accessible within your organization, what do you have in place to prevent these kinds of attacks on your internal network? Many organizations have very little to prevent internal attacks and should consider adding intrusion prevention systems to protect their internal networks. One final consideration is which resources need to be accessible from wireless connections; appropriate restrictions should be applied using access control lists, or perhaps even separate subnets that have no or extremely limited access to internal resources on your LAN.
I presented this information at The Tech Garden’s Lightning Talks on June 21st, 2011, in the Technology Track. The slides are available for download here: Lightning Talk slides