I have been trying for the last few weeks to get the Android Kernel source and then build a kernel of my own and then load it into the emulator to try to test out the modules. I spent numerous hours in trying to understand about how to go about it. So here’s a post so I can log all that I did in an effort from going from nothing to having my kernel loaded in the Android Emulator.

There are posts such as the one on eeknay32’s blog and the Stackoverflow post that really helped me in getting started. Also there is a HOWTO in the qemu documentation located at external/qemu/docs/KERNEL.TXT

I first started to follow the directions from here but this is only to get the source code of the Android SDK and other tools and to compile those. That was not initially my goal because getting the source of the tools and SDK was not my goal. Don’t bother downloading this (you could get the tools pre-compiled) unless you really want to compile the tools on your own.

The following steps will help you compile the code for the Android emulator and other tools:
sudo apt-get install git-core gnupg flex bison gperf build-essential \
zip curl zlib1g-dev libc6-dev lib32ncurses5-dev ia32-libs \
x11proto-core-dev libx11-dev lib32readline5-dev lib32z-dev \
libgl1-mesa-dev g++-multilib mingw32 tofrodos python-markdown \
libxml2-utils xsltproc
mkdir ~/bin
export PATH=~/bin:$PATH
curl https://dl-ssl.google.com/dl/googlesource/git-repo/repo > ~/bin/repo
chmod a+x ~/bin/repo
cd src
repo init -u https://android.googlesource.com/platform/manifest -b android-2.3_r1
repo sync
. build/envsetup.sh
lunch full-eng


Now going to our main goal.

Get the Android source
git clone https://android.googlesource.com/kernel/goldfish.git goldfish
cd goldfish
Put the cross compilation toolchain into your path and also put the tools (emulator, android tools etc) in your path:
export PATH=$PATH:~/bin:~/bin/src/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin:/root/bin/src/out/host/linux-x86/bin
make ARCH=arm goldfish_defconfig
make ARCH=arm SUBARCH=arm CROSS_COMPILE=arm-eabi- -j4
This is a good resource on different errors you could encounter. If you get a message “zImage is ready” you are good to load this image into the emulator to have a running emulator.
Before you run the android tool you need to first set an environment variable otherwise the tool will complain that ANDROID_SWT is not set.
export ANDROID_SWT=/root/bin/src/prebuilt/linux-x86_64/swt

Now you have to download some of the SDK Framework from the Google website so that you can create your own Android Virtual Device (AVD). Without downloading the SDK platform you will get no output when you issue the following command:
android list targets
After you get the right ANDROID platform you can issue the following commands:
android create avd -n my_android1.5 -t 1
emulator -kernel ~/bin/kern/kernel-common/goldfish/arch/arm/boot/zImage -show-kernel -verbose @my_android1.5
Now you should have a running emulator with your shiny new kernel.
Now if you want to compile your own kernel module and load it into the emulator at runtime then you need to use Android Debug Bridge (ADB) tool. See this post, where the author creates a kernel module. For me I had to modify the Makefile a little as shown below:
VERSION = 2
PATCHLEVEL = 6
SUBLEVEL = 29
EXTRAVERSION = -00054-g5f01537
obj-m += hello.o
KDIR=/root/bin/kern/kernel-common/goldfish
PWD := $(shell pwd)
all:
make -C $(KDIR) ARCH=arm CROSS_COMPILE=/root/bin/src1/prebuilt/linux-x86/toolchain/arm-eabi-4.4.0/bin/arm-eabi- SUBDIRS=$(PWD) modules

clean:
make -C $(KDIR) ARCH=arm CROSS_COMPILE=/root/bin/src1/prebuilt/linux-x86/toolchain/arm-eabi-4.4.0/bin/arm-eabi- SUBDIRS=$(PWD) clean

Issue the make command from the directory where you have your makefile and the sources to get hello.ko.
See the partition not mounted as read only by searching for “rw” mount mode by issuing the following command:
/root/bin/src/out/host/linux-x86/bin/adb shell mount
/root/bin/src/out/host/linux-x86/bin/adb push hello.ko /data
/root/bin/src/out/host/linux-x86/bin/adb insmod /data/hello.ko

I had to wipe my existing OS and had to reinstall Nessus on the new BT5R3 image. However, I still wanted all my previous scan data and users to be unaffected in the new OS. So how did I do that? Here’s how:

Take a backup and restore the following folders on the new install:

1. Users Folder (/opt/nessus/var/nessus/users)
2. Master.key (/opt/nessus/var/nessus/master.key)
3. Policies.db (/opt/nessus/var/nessus/policies.db)

If you do get an error after this follow these steps to get rid of errors and just reactivate the nessus feed as follows:

1. service nessusd stop
2. /opt/nessus/sbin/nessus-fix –reset
3. /opt/nessus/bin/nessus-fetch –register [activation code]
4. /opt/nessus/sbin/nessusd -R
5. service nessusd start

I’ll be attending the Shmoocon in Washington, DC from Feb 6th-8th. Hope to see all you h4X0rs out there!

Ever since I installed Tortoise SVN I saw that the right-clicks on my Windows XP SP2 had been terribly slow. It seems like Tortoise performs a whole lot of caching. Every time you right click all the cache entries are browsed and updates are sought. Although, the interface provides ways to disable this overlay caching, it seemed to me that the caching was being performed regardless. I had to uninstall the client to restore the sanity of my right-clicks. I guess software designers should make design decisions such that the UI responsiveness is not compromised for Windows Shell extensions.

I encountered various errors when compiling wepattack. This download does not come with a makefile that is compatible with the ubuntu distro that backtrack uses. First of all make sure that the wlan directory that you get when untarring the .tar.gz archive has execute permissions set to it.

$ cd WepAttack-0.1.3/src
$ chmod +x wlan

Once this is done “permission denied” errors should go.

/Desktop/WepAttack-0.1.3/src$ make
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o wepattack.o wepattack.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
wepattack.c: In function ‘loop_packets’:
wepattack.c:141: warning: incompatible implicit declaration of built-in function ‘strlen’
wepattack.c:146: warning: incompatible implicit declaration of built-in function ‘strlen’
wepattack.c:151: warning: incompatible implicit declaration of built-in function ‘strlen’
wepattack.c:156: warning: incompatible implicit declaration of built-in function ‘strlen’
wepattack.c: In function ‘clean_up’:
wepattack.c:184: warning: format ‘%d’ expects type ‘int’, but argument 3 has type ‘long int’
wepattack.c: In function ‘main’:
wepattack.c:309: warning: format ‘%d’ expects type ‘int’, but argument 2 has type ‘long int’
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o rc4.o rc4.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o wepfilter.o wepfilter.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o log.o log.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o modes.o modes.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
modes.c:25:30: error: wlan/wlan_compat.h: Permission denied
modes.c:26:28: error: wlan/p80211hdr.h: Permission denied
modes.c: In function ‘generate_rc4_key’:
modes.c:51: warning: incompatible implicit declaration of built-in function ‘memcpy’
modes.c: In function ‘process_rc4_key’:
modes.c:68: warning: incompatible implicit declaration of built-in function ‘memcpy’
modes.c: In function ‘mode_keygen’:
modes.c:125: warning: incompatible implicit declaration of built-in function ‘memcpy’
modes.c:127: warning: incompatible implicit declaration of built-in function ‘strcpy’
modes.c: In function ‘mode_wep’:
modes.c:145: warning: incompatible implicit declaration of built-in function ‘memcpy’
make: *** [modes.o] Error 1

The following patch file will take care of most errors and you should be able to get Wepattack compiled properly:

diff -aur WepAttack-0.1.3/src/Makefile WepAttack-patched/src/Makefile
--- WepAttack-0.1.3/src/Makefile 2002-10-23 09:11:36.000000000 -0400
+++ WepAttack-patched/src/Makefile 2010-09-26 04:54:20.000000000 -0400
@@ -6,23 +6,23 @@
LD=gcc
#
# CFLAGS
-CFLAGS=-fno-for-scope -c -D__LINUX_WLAN__ -D__I386__
+CFLAGS= -c -D__LINUX_WLAN__ -D__I386__
#
#
# LDFLAGS
-#LDFLAGS=
+LDFLAGS=-L../run
#
#
# Libraries to link against
-LIBS= -lpcap -lz -lcrypto
+LIBS= -lpcap -lz -lcrypto
#
#
# Install path for wepattack
INSTDIR=/usr/bin

// main loop to process key in modes on every packet

Copy the above patch in to a file called wepattack.patch. Copy wepattack.patch into the WepAttack-0.1.3 directory and patch it as follows:

$ patch -p1 <wepattack.patch
$ cd src
make
sudo make install

You should be able to get wepattack installed!

I wanted to have a list of all the security conferences around the world for a quick reference so I compiled together a list.

I kept getting the following errors on my AD domain in the event viewer and accounts kept locking out:
Pre-authentication failed:
User Name:      user1
User ID:                DOMAIN\user1
Service Name:   krbtgt/DOMAIN.COM
Pre-Authentication Type:        0x0
Failure Code:   0x12
Client Address: 192.168.246.134

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

In the Directory Service logs I see the following entry:
[snip]
Active Directory could not update the following object with changes
received from the domain controller at the following network address
because Active Directory was busy processing information.

Turns out this happens if you have samba/winbind/AD type infrastructure. If someone has some processes running (Even if they us sudo) and happen to change their password while the process is running on unix (and using kerberos authentication), the accounts lockout because the kerberos ticket granting ticket (krbtgt) is not current and any object access is considered to be a failed login attempt. This locks out the accounts if you have account lockout implemented in your AD domain security policy.