I’ve been wanting to figure out a way to run Metasploit from my first generation Motorola Droid for quite some time. Messing with my phone is fun but I tend to stray away from doing it very often since it’s my primary tool for communication. If I brick it or otherwise render it useless I wouldn’t be able to make or receive phone calls (who has a land line anymore?). That being said, I did some research and I finally found a way I thought I could safely get Metasploit running on my phone. Here is how I did it.
First of all, your phone has to be rooted. I rooted my phone months ago and I can’t remember exactly how I did it. A quick Google search brought me to this website. The instructions on there look very familiar and I am pretty sure that is how I did it. Regardless of how you accomplish this task, just know that you will need root access eventually in order for this to work.
Next I had to get the Chevyno1 rom image installed on my phone. But I wasn’t able to get it installed properly with my old bootloader. I first had to install the latest version of the RZR boot loader. I just followed the instructions on that site for updating my bootloader. The steps you take may differ depending on what bootloader you currently have installed. The steps I took were:
- Download the zip file.
- Rename it to update.zip.
- Upload the file to the root of your SDCARD on your phone. I did this by plugging in my phone to my laptop’s USB port with the USB cable and enabling USB storage.
- Reboot your phone into the boot loader. For me, I did this by holding down the ‘X’ key on the slide out keyboard while the phone was first booting.
- Once I was in the boot loader menu I had to enable updating from update.zip.
- Then I just triggered the update.
After this I rebooted the phone and the new boot loader was installed. The next step was to get ChevyNo1’s rom image installed on my phone. This process is basically the same as the last process with one important addition.
- Download the rom image. I used the unthemed image.
- Rename it to update.zip and place it in your SDCARD’s root folder just like last time.
- Reboot the phone into the boot loader again.
- This time, I wiped all cache and data. This will erase all of the data on your phone’s internal memory. If you have anything you want to save, make sure you back it up first or it will be gone forever.
- Once the data was wiped, I enabled updating from update.zip and then ran the update.
After another reboot, I was booted into ChevyNo1’s ROM image. I have to say I was impressed with this custom ROM. I haven’t tried many of them but this one seems to run much faster than the stock image I was running previously.
Now comes the cool part. I had heard that some people have been able to get actual distributions of Linux running on the Droid phones. After some searching around, I found someone who managed to get Back Track 5 running on their Android phone. This was awesome news because Back Track not only contains Metasploit, but it has tons of other awesome security tools as well. I figured this was exactly what I needed to get running on my phone. I mostly just followed the instructions on the forum page I linked to, but I will map out my process here too because there were some tricky parts to it.
- Install BusyBox. I just found an app in the marketplace called “BusyBox Installer”. There was a free one and that seems to have worked fine. If you don’t install BusyBox this will definitely not work.
- Download the BT5 zip file from one of the listed mirrors. I used this one.
- Extract the file on your PC. Once it is extracted, you should just have a folder called bt5. Notice that this folder is over 3GB in size once extracted. You will need to make sure you have enough room on your SDCARD for this folder.
- Copy the bt5 folder to your SDCARD root directory using either the phone’s USB cable or by sticking the microsd card in your computer.
- Now open up a terminal application on your phone. You should be greeted with a prompt that looks like “$”.
- Change to the root user. You can do that by just typing in “su” and pressing enter. If it works, you should be greeted with a “#” prompt. If it doesn’t work then you probably didn’t root your phone properly.
- Now change directory to the bt5 directory by typing in “cd /sdcard/bt5”.
- Now the instructions from the forum say to just type in “bt” and it should boot the Back Track OS. This didn’t work for me. I figured out that the reason is that the first generation Motorola Droid doesn’t natively support the EXT2 file system. Luckily, ChevyNo1’s ROM image came with a loadable EXT2 kernel module. To check if your phone supports EXT2, type in this command, “cat /proc/filesystems”. If you see “ext2” in the list then skip the next step. If you don’t see it, then proceed to the next step.
- Load the EXT2 module that came with ChevyNo1’s rom image. Do this by typing in “modprobe ext2”. To see if it worked, type in “cat /proc/filesystems” and see if it lists ext2 now. If it does then proceed but if not then you have a problem somewhere. You will need to find a ROM image for your phone that supports EXT2 in order to continue.
- Now make sure you are in the /sdcard/bt5 directory and type in “sh bt”. If all goes well you should see some text on the screen. If you are like me, you will see some errors involving “mkdir”. If not then you may be lucky and you can skip the next step.
- When I tried to start up Back Track 5 I got some errors about the mkdir command. The Android system doesn’t support that command natively. BusyBox adds the support. For some reason, the BusyBox installation I chose did not fix the symlink for the mkdir command so I had to do it myself. Just use the following command, “ln -s /system/xbin/busybox /system/bin/mkdir”. This will create a symlink so when you or the BT5 scripts try to run the mkdir command, it will use busybox to do so. This fixed the problem for me and I was able to continue.
- At one point it will ask you if you want to start a VNC server. This will allow you to use a VNC viewer from a PC to log into your phone and get a desktop. You can do this if you want, but the Droid phone has so little RAM that I find the desktop interface is practically unusable. I just say “No” to this prompt.
- Now you should be greeted with a new command prompt! Mine says “root@localhost”. If so, then congratulations because you have Back Track 5 running on your cell phone.
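
The two failures described in the steps above (no ext2 support, no mkdir link) can be checked up front with a small check-only script. This is an added example, not the script from the original post; the function names and the sample /proc/filesystems content are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: check-only preflight for the two
# failures described above (no ext2 support, no mkdir applet link).

# fs_supported NAME [FILE]: true if NAME is listed in /proc/filesystems.
# Each line is "[nodev]<TAB>name", so the name is always the last field;
# comparing the whole field avoids substring matches.
fs_supported() {
    awk -v fs="$1" '$NF == fs { found = 1 } END { exit !found }' \
        "${2:-/proc/filesystems}"
}

# applet_linked NAME BINDIR: true if BINDIR/NAME exists and is executable
# (a dangling symlink fails the -x test).
applet_linked() {
    [ -x "$2/$1" ]
}

# preflight [FS_FILE] [BINDIR]: print one line per check with the fix the
# post used; the last line is READY only when every check passes.
preflight() {
    fs_file=${1:-/proc/filesystems}
    bindir=${2:-/system/bin}
    ready=1
    if fs_supported ext2 "$fs_file"; then
        echo "ok: ext2 supported"
    else
        echo "missing: ext2 (try: modprobe ext2)"; ready=0
    fi
    if applet_linked mkdir "$bindir"; then
        echo "ok: mkdir available"
    else
        echo "missing: mkdir (try: ln -s /system/xbin/busybox $bindir/mkdir)"; ready=0
    fi
    if [ "$ready" -eq 1 ]; then echo "READY"; else echo "NOT READY"; fi
    return 0
}

# Constructed sample of /proc/filesystems on a kernel without ext2.
sample_no_ext2() { printf 'nodev\tsysfs\nnodev\tproc\n\tvfat\n\text3\n\tyaffs2\n'; }

# With no arguments this checks the live system paths named in the post.
preflight "$@"
```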
The whole reason I went through this process was to get Metasploit running on my phone. So how did I do that? Easy. Once you are at the root@localhost prompt just type in “msfconsole”. It takes a good 15-20 seconds or so for it to load, but it should eventually. I have used this console to successfully exploit a Windows 7 Virtual machine running on my laptop. I was able to get a remote shell prompt as well as start the remote desktop service and then use an Android RDP client to connect to it using a user I added with the exploit. It’s fantastic. I can also run other programs such as NMAP.
I quickly grew tired of having to load the ext2 module every time I rebooted my phone, as well as typing all of the other commands on my little Droid keyboard. To overcome this, I wrote a few scripts on my phone. First, I wrote a script called “bt” and saved it to /system/bin/bt in the Android filesystem (not the BT5 filesystem). I had to “chmod +x” it in order to make it executable. In this file is just 4 lines of code:
Now whenever I want to start up Back Track 5, I just open a terminal window, type in “su” to change to root, then I type in “bt”. The script automatically loads the ext2 module and starts up Back Track for me.
Some things to keep in mind with this. As far as I can tell, the Back Track installation cannot communicate over the 3G network. It can only communicate via wifi. I always connect to an access point before starting up the BT5 instance and it seems to work fine. Also, my phone has very little RAM. This means that if I am running a Metasploit instance and then try to start up some other program leaving the terminal window in the background, the phone runs out of memory and kills the terminal. This closes everything I have done in Metasploit and I have to start all over. It’s best to just leave the terminal window open at all times when working with Metasploit. Another thing to note is that BT5 will start an ssh server on your phone. You can log into that server from a workstation with the username of root and the password root. This is good to know because it is much easier to type on a real keyboard. It’s also good to know because anyone can ssh into your phone with that simple password.
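
The root/root SSH login mentioned above is worth checking before the phone joins any wifi network. The script below is an added example, not part of the original post: it audits an sshd_config for password logins and root password login, assuming the BT5 environment keeps the file at the standard OpenSSH location /etc/ssh/sshd_config; the sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Checks only the two keywords
# below; run it against /etc/ssh/sshd_config from inside the BT5 environment.

# effective_value KEYWORD FILE: print the global value sshd would use.
# sshd takes the first occurrence of a keyword and ignores case; parsing
# stops at the first Match block. Prints nothing if the keyword is unset.
effective_value() {
    awk -v key="$1" '
        { sub(/#.*/, "") }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# audit_sshd_config FILE: print one FINDING line per risky setting.
audit_sshd_config() {
    root=$(effective_value PermitRootLogin "$1")
    pass=$(effective_value PasswordAuthentication "$1")
    ok=1
    # Unset PasswordAuthentication defaults to "yes".
    if [ "${pass:-yes}" = "yes" ]; then
        echo "FINDING: password logins enabled (PasswordAuthentication=${pass:-unset})"
        ok=0
        # Unset PermitRootLogin means "yes" on OpenSSH releases before 7.0.
        if [ "${root:-yes}" = "yes" ]; then
            echo "FINDING: root may log in with a password (PermitRootLogin=${root:-unset})"
        fi
    fi
    if [ "$ok" -eq 1 ]; then echo "OK: no password logins"; fi
    return 0
}

# Constructed sample configs (not taken from a real BT5 image).
weak_config() {
    printf '%s\n' '# constructed: weak' 'Port 22' 'PermitRootLogin yes' \
        '#PasswordAuthentication no'
}
hardened_config() {
    printf '%s\n' '# constructed: hardened' 'permitrootlogin without-password' \
        'PasswordAuthentication no' 'PasswordAuthentication yes'
}

# Demo on the samples; the second "PasswordAuthentication yes" is ignored.
tmp=$(mktemp)
weak_config > "$tmp";     audit_sshd_config "$tmp"
hardened_config > "$tmp"; audit_sshd_config "$tmp"
rm -f "$tmp"
```

Whatever the audit reports, changing the root password with passwd inside BT5 removes the root/root default.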