By Seth Fogie
Date: May 26, 2008
In Part 2 of his look at the OLPC’s XO, Seth Fogie steers beyond the enhancements outlined in Part 1. Here are the steps to take for turning that innocent-looking device into a hacker’s toolkit. You’ll see how to install, set up, and use the device to own remote devices on the network. Who would have thought that the OLPC's goal of educating children in developing countries could empower them to become hackers?
The OLPC project's XO is a cute little green computer that was designed for extreme conditions and novice users. But don't let its appearance deceive you. What appears to be a solution meant to provide an educational stimulus to the children in a third world country might just be so much more.
In Part 1, we illustrated how to tweak the OLPC into a personalized machine that provides a solid foundation for all your hacking dreams. With that accomplished, we will now go one huge step further and turn that passive XO into a true Lean Green Hacking Machine.
Building a Basic Hacker Toolkit
The following series of steps will help you convert your plain old boring OLPC into a device with the potential to own the world. Although we can assure you that the programs we'll mention are used by hackers and crackers worldwide, we won't be providing the required information you'll need to effectively use these programs. So, we highly recommend that you look to external sources (if needed) to expand your knowledge base to fully understand the impact that the highlighted programs can have on the networks and systems they are used against.
The first thing we need to do is install the core suite of tools that traditionally make up a hacker's toolkit, taking away all shreds of remaining innocence from your XO. When you're done with this section, your OLPC will contain enough tools to take on most any network!
Here are the easy-to-install yet essential tools that you can quickly get up and running on the XO, and instructions for installing them.
- Netcat. Netcat is the hacker's Swiss Army knife of tools. In the right hands, it can do scanning, probing, testing, tunneling, and much more. To install, just type yum install nc.
- nmap. The first choice for network mapping. Everyone uses nmap. Even Trinity from The Matrix uses it. You need to use it. To install, just type yum install nmap.
- Zenmap. Though nmap can be a great tool, knowing all those flags and correctly typing them in can be annoying. To simplify things, you need Zenmap, the GUI interface for nmap! To install, type wget http://download.insecure.org/nmap/dist/zenmap-4.53-1.noarch.rpm at a shell prompt as root. Then install the file with the command rpm -iv zenmap*rpm.
- Nikto. Nikto is a web application vulnerability scanner. It admittedly does lead to numerous false positives, but using this tool against a website can save a lot of manual testing and probing. To install, just type yum install nikto.
Adding Nessus and Metasploit
This next set of installation instructions for incorporating Nessus and Metasploit will help you build your not-so-basic hacker toolkit and will require some command-line abilities. However, with these programs installed, the XO will no longer be the simple kid-friendly toy most people see when they look at the little green laptop.
Nessus is the best freely available tool for assessing software vulnerability. If you want to test a network or system for potential vulnerabilities, Nessus is really the only option for the XO. Granted, you could use netcat and manually probe each port, but Nessus will speed things up tremendously.
- Go to http://www.nessus.org/download/index.php.
- Fill out the required information and provide an email address (needed to receive registration code).
- Download the 3.0.6 version of Nessus RPM and NessusClient RPM. You can do this either to an SD media card or directly to the XO's memory.
- Type rpm -iUv Nessus*rpm to install both the backend and client packages.
- Once the packages are installed, type /opt/nessus/sbin/nessus-add-first-user to add a user to the Nessus solution. You can name the user anything you want.
- Type in a password and confirm it.
- Hit Ctrl+D to finalize the addition.
- Start up the nessus daemon by typing /opt/nessus/sbin/nessusd -D or by rebooting. By default, the Nessus backend is set up to start each time the device is booted.
- You can confirm that Nessus is running by typing ps -ef | grep nessus at the command line. If nessusd is running, you will see:
nessusd: waiting for incoming connections
- To launch the client, type /opt/bin/NessusClient & in the XO's terminal window.
- Configure and connect to your localhost using the XO interface, and scan away (Figure 1).
Figure 1 NessusClient on the XO
Where Nessus leaves off, Metasploit picks up. Yes, it can perform scanning, but Metasploit's primary function is exploitation and penetration testing. This is one tool that's familiar to most any seasoned penetration tester. However, installation of Metasploit does require a bit of work to ensure that all its features can be used on the XO.
Stage 1: Preparing the environment. Since Metasploit is essentially a huge collection of Ruby programs, the XO must be upgraded with several packages to ensure that it can execute the core Metasploit functions and files. Following are the steps for these updates—and yes, these can be consolidated, but we want to be as explicit here as possible.
- At command line as root, type yum install ruby and hit Enter.
- At command line as root, type yum install rubygems and hit Enter.
- At command line as root, type yum install ruby-devel and hit Enter.
- At command line as root, type yum install make and hit Enter.
- Download the following files from http://rubyforge.org/ to the local device using wget, or by downloading the files to an SD card on an alternate device:
- Locate the folder with the files, and install gem packages by typing gem install <file>.
- Download the following files from RPMFind.net to your OLPC:
- Once all the rpm files are downloaded, type rpm -iUv post* to install the packages.
Stage 2: Setting up database software. The following steps simply get your database running and prepared for a hook into Metasploit.
- To start the database software, type /etc/rc.d/init.d/postgresql start.
- To log into the database account, type su - postgres.
- Now type createdb metasploit3 to create a database.
Stage 3: Setting up and using Metasploit for Autopwning. Assuming all the previous steps have been completed without problems, you are ready to get Metasploit installed and test your network for vulnerabilities.
- Type yum install subversion to install subversion, an open-source revision control system.
- Change to the directory in which you want to install the Metasploit framework.
- Type svn checkout http://metasploit.com/svn/framework3/trunk/ framework3 and let the Metasploit framework download.
- When the download is complete, change directory into framework3.
- Type ./msfconsole to execute the Metasploit console.
- Type load db_postgres to initialize the postgresql module.
- Type db_create to set up the database.
- Type db_hosts. If there is no response, everything is ready to go.
- Use the db_nmap module to fill the target database (e.g., db_nmap -p 80 192.168.1.1-10).
- Type db_services to list results.
- Use db_autopwn to scan for vulnerabilities or exploit targets and get shell access (e.g., db_autopwn -p -t -e).
- After db_autopwn completes, type sessions -l to view the results! (See Figure 2.)
Figure 2 Metasploit autopwning Windows XP on the XO
Wireless Sniffing on the XO
The OLPC XO is a wireless device and as such would be very handy to use for sniffing wireless networks. However, sniffing on Linux is not a very straightforward process because it heavily depends on the device hardware and the drivers that are installed.
Fortunately, because of the intent of the XO and its targeted location, sniffing capabilities are included. This might not make sense at first, but the OLPC is unique in that it contains mesh WLAN (802.11s) and traditional WLAN (802.11b/g) capabilities. To troubleshoot problems, remote sites will have no tools other than the XO itself, which means the XO has to have sniffing capabilities to do its job.
Scanning might be possible, but this is the XO we're talking about. In other words, the device can do wireless monitoring, but it isn't going to be as simple as typing in an iwconfig command. This is because the XO obfuscates the technical side of Linux behind a bunch of custom scripts and GUI overlays, which, as we have learned, can get in the way of the users who prefer to control their own system.
That said, here is what you need to do to set your wireless card into monitor mode and start sniffing the airwaves. From the command line:
export TRAFFIC_MASK=0x7
killall NetworkManager
echo $TRAFFIC_MASK > /sys/class/net/eth0/device/libertas_rtap
ifconfig rtap0 up
Once monitor mode is enabled on the device, sniffing the networks is as easy as using the following command:
tcpdump -s 1500 -i rtap0 -w $CAPTURE_FILE &> /dev/null &
From here the options are limitless. For example, you can install dsniff to steal passwords, use programs such as aircrack-ng to crack WEP and WPA passwords—not to mention capture anything passing over an unprotected wireless network. For details, check out the following site on how to perform wireless hacking on the OLPC: http://wiki.laptop.org/go/Wireless_network_hacking.
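The capture files that tcpdump writes from rtap0 can also be read the other way round: to find out which networks in range of the XO are unprotected at all, which is the first thing an administrator of a school site would want to know. The following Python script is an added example, not part of the original article or of any OLPC tool. It parses a classic pcap of radiotap-framed 802.11 beacons, walks each beacon's information elements, and classifies every access point as open, WEP, WPA, or WPA2. The pcap it reads is constructed in memory (the SSIDs and BSSIDs are made up, and the assumption that rtap0 captures carry link type 127, radiotap, is ours), so it runs offline; to use it on a real capture, pass the file's bytes to audit_capture.

```python
import struct

# Constructed sample data only: the script builds a small pcap in memory, so it runs offline.
LINKTYPE_IEEE802_11_RADIOTAP = 127   # link type assumed for captures taken on rtap0
CAP_PRIVACY = 0x0010                 # capability-info bit 4: encryption in use
IE_SSID, IE_RSN, IE_VENDOR = 0, 48, 221
WPA1_OUI_TYPE = b"\x00\x50\xf2\x01"  # Microsoft OUI + type 1 = WPA (pre-802.11i) vendor element
# RSN element body: version 1, group CCMP, one pairwise CCMP, one AKM PSK, capabilities 0
RSN_CCMP_PSK = bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000")


def build_beacon(ssid: bytes, bssid: bytes, privacy: bool, rsn: bool) -> bytes:
    """Return a radiotap-wrapped 802.11 beacon frame (constructed test data)."""
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)      # version 0, length 8, no present fields
    fc = 0x0080                                      # type=management, subtype=beacon
    mac = struct.pack("<HH", fc, 0) + b"\xff" * 6 + bssid + bssid + struct.pack("<H", 0)
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)   # ESS bit plus optional privacy bit
    body = struct.pack("<QHH", 0, 100, cap)          # timestamp, beacon interval, capabilities
    body += bytes([IE_SSID, len(ssid)]) + ssid
    if rsn:
        body += bytes([IE_RSN, len(RSN_CCMP_PSK)]) + RSN_CCMP_PSK
    return radiotap + mac + body


def build_pcap(frames) -> bytes:
    # Classic little-endian pcap: magic, version 2.4, tz, sigfigs, snaplen, link type.
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11_RADIOTAP)
    chunks = [header]
    for i, frame in enumerate(frames):
        chunks.append(struct.pack("<IIII", 1_200_000_000 + i, 0, len(frame), len(frame)))
        chunks.append(frame)
    return b"".join(chunks)


def iter_pcap_packets(data: bytes):
    """Yield raw packet bytes from a pcap blob; refuse formats this parser does not handle."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is supported here")
    if struct.unpack_from("<I", data, 20)[0] != LINKTYPE_IEEE802_11_RADIOTAP:
        raise ValueError("capture is not radiotap-framed 802.11 (was tcpdump run on rtap0?)")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def strip_radiotap(pkt: bytes):
    # Radiotap: version byte (must be 0), pad, little-endian total length; None if malformed.
    if len(pkt) < 4 or pkt[0] != 0:
        return None
    rt_len = struct.unpack_from("<H", pkt, 2)[0]
    return pkt[rt_len:] if rt_len <= len(pkt) else None


def parse_beacon(frame: bytes):
    """Return (ssid, bssid, security) for a beacon, or None for any other frame."""
    if len(frame) < 36 or (frame[0] & 0x0C) != 0 or (frame[0] >> 4) != 8:
        return None
    bssid = frame[16:22]                             # addr3 of a management frame
    cap = struct.unpack_from("<H", frame, 34)[0]     # after 8-byte timestamp + 2-byte interval
    ies, ssid, has_rsn, has_wpa1, i = frame[36:], b"", False, False, 0
    while i + 2 <= len(ies):                         # walk tag/length/value elements
        tag, length = ies[i], ies[i + 1]
        value = ies[i + 2:i + 2 + length]
        if len(value) < length:                      # truncated element: stop, don't guess
            break
        if tag == IE_SSID:
            ssid = value
        elif tag == IE_RSN:
            has_rsn = True
        elif tag == IE_VENDOR and value[:4] == WPA1_OUI_TYPE:
            has_wpa1 = True
        i += 2 + length
    if not cap & CAP_PRIVACY:
        security = "open"
    else:  # privacy bit set: classify by which security element the AP advertises
        security = "wpa2" if has_rsn else "wpa" if has_wpa1 else "wep"
    return ssid, bssid, security


def audit_capture(pcap_bytes: bytes) -> dict:
    """Map each BSSID seen to its SSID and security class, deduplicating repeated beacons."""
    seen = {}
    for pkt in iter_pcap_packets(pcap_bytes):
        frame = strip_radiotap(pkt)
        info = parse_beacon(frame) if frame is not None else None
        if info is None:
            continue
        ssid, bssid, security = info
        seen[bssid.hex(":")] = {"ssid": ssid.decode("utf-8", "replace"), "security": security}
    return seen


# Constructed capture: one WPA2 network, one open network, one WEP network beaconing twice.
SAMPLE_CAPTURE = build_pcap([
    build_beacon(b"school-mesh", bytes.fromhex("001c0f000001"), privacy=True, rsn=True),
    build_beacon(b"cafe-free", bytes.fromhex("001c0f000002"), privacy=False, rsn=False),
    build_beacon(b"legacy-ap", bytes.fromhex("001c0f000003"), privacy=True, rsn=False),
    build_beacon(b"legacy-ap", bytes.fromhex("001c0f000003"), privacy=True, rsn=False),
])

if __name__ == "__main__":
    for bssid, info in audit_capture(SAMPLE_CAPTURE).items():
        print(f"{bssid}  {info['ssid']:<14} {info['security']}")
```

The classification rests on the beacon's privacy bit plus the RSN (WPA2) and vendor WPA elements, which is the same information a client uses to decide how to associate. The parser stops at a truncated element rather than guessing, refuses captures that are not radiotap-framed, and keys results by BSSID because an access point beacons roughly ten times a second, so a real capture repeats each network many times.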
Granted, wireless hacking from the XO is not child's play. But if you've made it this far, you're either a very gifted child or someone whose age is greater than your years of education. Either way, having the ability to sniff a wireless network is really only the beginning when it comes to hacking/cracking the data. It will take some time and patience to successfully use the OLPC XO for this purpose, so be sure you are ready to spend several hours behind a miniature keyboard!
Conclusion: Give One, Get Owned
Some would say the OLPC is simply a project that is meant to get computers into the hands of kids around the world. Certainly this is true, but we think the project's real goal is to create a global hacking community that reaches across races, religion, and financial situations. Though the original project might have been titled "Give One, Get One," we think a better title is "Give One, Get Owned"!
So next time you spot a kid with an XO in the nearby coffee shop or at the office, you might want to take a second and see if their desktop looks like Figure 3. If it does, then you had better take action, because you're in the presence of One Leet Pwning Child!
Figure 3 Our OLPC with upgrades