Root Your G2

1. Install Terminal Emulator and a file manager (such as Astro File Manager) from the Market.
2. Extract the contents of the zip file (Download from XDA site / here) to the SD card (this will create a directory called root_files on the card). When done, make sure you unmount your SD card from your computer if you had mounted it as a storage device to transfer the files.
3. Enable Unknown Sources (under Settings->Applications) and USB Debugging (under Settings->Applications->Development).
4. Using your file manager, navigate to the root_files directory on your SD card and select “com.modaco.visionaryplus.r14.apk” to install the Visionary app.
5. Start the Visionary app and click on “Temproot now.” Leave all other settings unchecked.
6. Start the Terminal app and type the following commands (the $ and # symbols represent the command prompt and should not be typed):

Select Temproot now in Visionary

Temp Root in progress via Visionary Plus

Perm Root commands

Perm Root execution in progress

You will see multiple messages scroll by as the programs run. Once you are returned to the prompt in terminal, you will have permanent root (S-OFF), as well as subsidy unlock and SuperCID.

Steps to Backup Installed Apps + Data to SD card (using Titanium Backup)

1. Install Titanium Backup from Market (free version would do the job, though it will take only one version of backup).
2. Make sure the latest / good version of BusyBox is installed (hit the “Problems” button lower right in Titanium home screen)
3. Un-check “Auto-sync TB settings” under Preferences
4. Only Run “Backup all user apps” under ‘Batch’.
5. Titanium takes a backup of app and user data to SDCard.

Batch backup

Steps to Backup Stock ROM to SD card (Using Clockworkmod Recovery)

1. Install ROM Manager from Market (free version)
2. Open ROM Manager and select ‘Flash ClockworkMod Recovery’. Confirm the phone model and wait until flash operation is complete.
3. Now ‘Select Reboot to Recovery Option’.
4. In Recovery console, scroll to ‘backup/restore’ (Trackpad button to scroll and select, Power button to go back) and then select ‘backup’ to initiate stock ROM backup process. (It will take 5-10 mins).
5. Once the backup is complete you will be redirected back to recovery console.
6. (Optional: copy Titanium backup folder & Clockworkmod backup folder form the SDCard root folder to your PC, just in case)

Flashing Clockworkmod Recovery

Rom Manager Requesting for SuperUser access

Recovery Console

Backup in Progress

Backup Complete

Install Custom ROM – Cyanogenmod 7 based on Gingerbread

1. Download the latest Cyanogenmod ROM zip file for G2 from here.
2. Download Google Apps bundle from here. Its recommended to keep the zip on the root of SDCard.
3. Copy the zip file to Sdcard root directory. Unmount Sdcard from computer.
4. On your phone recovery console select wipe data/factory reset, wipe cache partition and Advanced > ‘Wipe Dalvik cache’. (Ensure that this step is complete before proceeding ahead).
5. Now select the option ‘install zip from sdcard’ and choose cyanogenmod 7 zip that was copied earlier.

Wipe Cache, data ans Select Cyanogen zip from sdcard

Cyanogen Boot Screen

G2 with Honeycomb Theme

Install Google Apps

1. In recovery console select ‘install zip from sdcard’ and choose the google apps zip file. Reboot the device.

Note: Now Cyanogenmod bootloader will be displayed. It might take one or two minutes to boot to the new OS. My phone started looping through the boot screen and the home screen. If that happens reboot your device once or twice.

Restore Backed-up Apps + Data via Titanium Backup

1. Install Titanium Backup from Market.
2. After opening Titanium, selectively restore apps from the “Restore all apps with data” (these will only be user apps per 3. above) by selecting this batch operation and un-checking the apps I do not want to restore via Titanium prior to running the batch operation (by default all apps will be selected). You can also select here to restore just the app, app + data, or just data.

Restore Apps and Data

Content extracted from

• xda-developers (link), g2hacks (link1, link2), addictivetips (link1, link2)

CyanogenMod 7 Info
App Name	CyanogenMod 7
License	free
Type	code
App URL
More Info	link

Installation on Ubuntu/BackTrack (via Redspin)

Use the following commands in the terminal windows to install and run Skipfish. Replace OUTPUT_FOLDER and TARGETSITE with the domain name and the target’s URL respectively. Also change the wget URL to the URL of the latest version of Skipfish download available.

wget http://skipfish.googlecode.com/files/skipfish-1.29b.tgz
tar zxvf skipfish-1.01b.tgz
sudo apt-get install libidn11-dev
cd skipfish
make
cp dictionaries/default.wl skipfish.wl
./skipfish -o OUTPUT_FOLDER http://www.TARGETSITE.com

Trial Run

Installed SkipFish and ran on the target site, specs below.

Guest OS : BackTrack4 VM

Host OS : Windows Vista

RAM : 512MB

Application Size : Medium ( < 1000 Unique Pages )

Internet Speed : 1 MBPS

Skipfish Verbose

Skipfish displays the scan run statistics continuously during the run. Once the scan run is complete, we get to see the scan summary (shown in the below screenshot).

Skipfish Console (Click to Enlarge)

Scan Output

Once the scan is complete, results are saved in HTML format. Its a simple tree interface that displays the details of the vulnerability along with the HTTP Header trace for each request.

NOTE: The target application which was used to test the application is a custom and private application and has been removed from the server. Please do not run scanner on any of the domains you dont own.

Skipfish Scan Report (Click to Enlarge)

Observations

• Installation and setup is super easy.
• Definitely not a heavy weight, memory hogging scanner.
• Did not find some of the basic vulnerabilities other scanners had found.
• Scan ran for ~14hours for that medium sized app.

Features

• High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.

• Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.

• Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.

The tool is believed to support Linux, FreeBSD 7.0+, MacOS X, and Windows (Cygwin) environments.

List of High and Medium Vulnerabilities Skipfish Attempts to Identify

A rough list of the security checks, for High and Medium vulnerabilties, offered by the tool is outlined below.

• High risk flaws (potentially leading to system compromise):
  • Server-side SQL injection (including blind vectors, numerical parameters).
  • Explicit SQL-like syntax in GET or POST parameters.
  • Server-side shell command injection (including blind vectors).
  • Server-side XML / XPath injection (including blind vectors).
  • Format string vulnerabilities.
  • Integer overflow vulnerabilities.
  • Locations accepting HTTP PUT.

• Medium risk flaws (potentially leading to data compromise):
  • Stored and reflected XSS vectors in document body (minimal JS XSS support present).
  • Stored and reflected XSS vectors via HTTP redirects.
  • Stored and reflected XSS vectors via HTTP header splitting.
  • Directory traversal (including constrained vectors).
  • Assorted file POIs (server-side sources, configs, etc).
  • Attacker-supplied script and CSS inclusion vectors (stored and reflected).
  • External untrusted script and CSS inclusion vectors.
  • Mixed content problems on script and CSS resources (optional).
  • Incorrect or missing MIME types on renderables.
  • Generic MIME types on renderables.
  • Incorrect or missing charsets on renderables.
  • Conflicting MIME / charset info on renderables.
  • Bad caching directives on cookie setting responses.

Google Skipfish Info
App Name	Google Skipfish
License	free
Type	code
App URL
More Info	link

This is a free portable tool and can run on almost any Windows operating systems (Pro commercial version with enhanced is also available)

Here I’ve documented few of the main features of the free version of this tool; download and experiment with 3D traceroute to get the complete picture of it.

Note: This article is targeted for the readers who have basic understanding or experience with using various networking tools.

Main Window:

To trace the route to the sever, we just have to enter the target’s URL and click on the Trace Button. The 3D Trace View is continuosly refreshed and is displayed on the main window. We have options to zoom, rotate and move around the display as per our requirement.

3D TraceRoute Main Window

Whois Details Window :

We can view the query options in the ‘Query’ navigation present in the left handside bar. Just click on the query to obtain the whois details of the server.

Whois Details Window

HTTP Spy :

One cool feature in this app is HTTP Spy which allows us to quickly obtain the details like name and version of the Server in which this target application is hosted. This is obtained by analysing the Response headers of the Request message sent by the server.

HTTP Spy Window

Email Header Analysis :

To trace down the source or details of the email message we have received we should see the raw email message and manually go through it. For example in Gmail we have an Option ‘show original’ to view the raw message. 3D TraceRoute has a email header analyzer which process the raw data and displays the IP address of the sender and whether it has been listed as Spam before.

Email Headers Analysis

Video Demo :

Features

• 3d traceroute display: multiple graphics modification options
• Statistics window: min, max, average, standard deviation and history window with destination ping time
• AS list: the usual data view with lots of features
• Long period Ping and HTTP monitor
• Whois query: everything with only one click
• Record and playback: record any trace and playback step by step
• Built-in Browser: and the browser is already built in.
• ASN inspector
• NSLookup: with UDP and TCP. And zone transfer capability.
• Day and Night trace: Admins beloved toy
• Command-line execution mode: full replacement for good old buddy tracert.
• Passive OS fingerprinting
• Portscanner (knows 3,612 well known ports)
• eMail headers Analyzer: against RBLs
• Connection viewer: TCP, IP, UDP etc. statistics
• HTTP Spy: query HTTP-headers and webpages
• Atomic Clock Sync
• Built-in TELNET client
• And lot more….

Download 3D TraceRoute :

This post has two sections, the first explains how to obtain details of any website (Information Gathering) and the second deals with analysis and understanding of HTTP raw header information.

Addon 1: Domain Details

DomainDetails addon, can be helpful in finding out Server Type, Headers, IP Address, Location Flag, and Whois information of any website you browse with Firefox. Once you install the addon, Server name, Ip address of the current website is displayed in the status bar, and a tiny button is displayed, clicking on that will display a menu which gives access to explore more details of that website.

SecFox Addon, How?

How can this addon be useful while performing the security assessments?

1. Display’s Server Name and Version - This info can be used to search for the open vulnerabilities found in the target server. Several advisories publishes vulnerabilities associated with a particular version of various servers; the sites like milw0rm, cert, Secunia, etc holds a repository of latest advisories.

2. Displays IP Address – Input of several vulnerability scanners(like nmap) will be the IP address of the target website. Ideally, to obtain the IP address of the target, we would have to do ns lookup (open cmd prompt, then nslookup www.targetsite.com), but with with DomainDetails we can directly lookup IP address of the website immediately while the page loads.

3. Webpage fingerprint – Whois is used for querying authoritative registries/ databases to discover the owner of a domain name, an IP address, or an autonomous system number of the target website. Online sites like Whois.net, DNSStuff, Central Ops gives server info any many other details about any site you search for. Domain Details just adds option to directly search for these details from the statusbar menu, saving us few of our preciuos keystrokes.

Demo

Download DomainDetails :

Addon 2 : LiveHTTP Headers

The addon LiveHTTP Headers is one of the must have addon if you are a security analyst. This addon displays the RAW HTTP Headers (Request and Response) for the webpage you are browsing.

SecFox Addon, How?

1. Display’s server Name and Version – As explained in the previous section, this can be used to find out and exploit the known vulnerabilities found in the target server.

2. Displays the Response Code - This is very helpful in knowing how the server responds for any client request. So if there is any misconfiguration in the server so that a particular request of the client forces the client to behave indifferently and exposing the vulnerability.

3. Cookie Config – This also displays the cookie config set at the server. For example if we observe that in the server response, for any request sent for any sensitive pages, that Cache-Control: no-cache is not present, then it means that those sensitive pages are cached and be visible for those who are not intended to.

4. Replay any forged request – We can modify the POST data and replay it from this addon. This means that we are bypassing any client side validations present in that site.

5. Monitor Cookie Info – We can also monitor the cookie value and try to reverse engineer and decode its value.

6. This list continues – Analysis of HTTP Headers would will be the first step when doing the security assessments and LiveHTTP Headers will be the key to get it. We can break the headers into parts and research on that to get the best out of it.

More info on HTTP Headers

Demo

Download LiveHTTP Headers :

Stay Tuned coming posts features more security addons and its usage…

–

You can even do more than starting programs with the built-in file management functions like Copy, Rename, Makedir, Delete, End Process, Kill Process and Text to Clipboard. Batchrun batch files can be launched from Explorer or placed in StartUp folder or on the Desktop.

Check how to enable and disable USB devices with batch programming

Features

• Launch files of any filetype and dialup connections
• Internal commands: Run, Copy, Rename, Makedir, Delete, DelTree, End Process, Kill Process, Text to Clipboard
• Wildcard support for Copy, Delete and DelTree
• Makedir nested folder creation
• Drag and Drop between Explorer and Batchrun
• Support for date and time tags
• Command line parameters can be passed to Batchrun script files
• Save batch files directly to Startup and Desktop

Note: If you are using the portable version of BatchRun make sure that you associate ‘*.brs‘ files with this application.

Download BatchRun :

More Info at BatchRun HomePage

Note : This is NOT a freeware and is a 30 Day trial product.

We can easily stop the USB device by left-clicking the drive to be stopped from the tray menu.

We can set various options from the main window, like hiding certain ‘always connected’ drives as shown below.

Features

• Displaying what prevent a device from being stopped
• Restarting stopped device back!
• Safe removal via individually customizable hotkeys
• Safely Remove Menu with identifiable device icons
• Real device names and ability to rename them
• Feature to hide unnecessary to stop devices
• Program autorun on device connection\disconnection
• Command line for safe removal
• Hiding of “empty” card reader drives
• Card reader memory cards ejection one-by-one

Check the full list of features here

Download USB Safe Remove :

More Info at USBSafeRemove Homepage

And what you do is clear the temp files or search for some less important applications which you can uninstall. But you would ultimately fail by not finding the required space. The solution is to change the working folder used by 7zip. By default the working folder will be the root drive where OS is installed.

Change the temp folder is easy, Open Options from Tools Menu and select Plugins tab, now click Options and then Folders tab. Now change the temp folder as shown below.

And commandline options for geeks, the command is

7z x _FiletoExtract_ w_WorkingDir_ o_OutputFolder_

x : Denotes extract
w : Working Folder/Temp Folder (e.g. wD:\tmp\)
o : Output Folder (e.g oD:\Files\)

For more options check here

Note: Changing tempdir is not the feature available only in 7Zip, but its mentioned here because 7Zip is the most popular archivial tools available in the market.

But it will be a tedious and boring task to repeatedly follow a sequence of steps to get your volume mounted. But we can find out a simple solution for this…

So every time we have to mount a drive, we have to

• Open Truecrypt
• Select the drive where the file needs to be mounted.
• Browse the encrypted file
• Enter the long and strong password, mount the volume

Similar steps are needed while dismounting the drive as well.

Thanks to command line support of Truecrypt which is utilized here to mount the drive with few strokes.

Mount from commandline

We use the following command to mount from commandline

_TruecryptExePath_ /q background /v _EncFile_ /lx /p _Pswd_ + /b

Options

/q – Automatically perform requested actions and exit, launches the TrueCrypt Background Task (tray icon).
/v – File and path name of a TrueCrypt volume to mount (Enclosed in quotes)
/l – Driver letter to mount the volume as.
/p – The volume password (Enclosed in quotes)

_TruecryptExePath_ = Path of truecrypt exe e.g “D:\Truecrypt\Truecrypt.exe” (Enclosed in quotes)
_EncFile_ = Path of Encrypted file e.g “D:\MyStore.enc”(Enclosed in quotes)
_Pswd_ = Volume password e.g “demo123″ (Enclosed in quotes)

Dismount from commandline

_TruecryptExePath_ /q /dy

Mount from Launchy

Any application launchers like Launchy can be used to run a particular program by using shortcuts.

1. Go to Plugins tab from Launchy Options
2. Select Runner Plugin
3. Give suitable shortcut name in Name, _TruecryptExePath_ in Program and the command mentioned above in Arguments.

Launchy Runner Config

So next time to mount a volume just do Alt+Space (default Launchy hotkey) and type shortcut name.

I’ve put shortcut as ‘cryptX’ which will mount my enc file to X: drive. So all I’ve to do is type ‘crx’ and press Enter (Launchy matches ‘crx’ and finds ‘cryptX’ automatically)

Repeat this and use the command for dismount and assign it to Launchy. I’ve used ‘dcryptX’ to dismount from X: (So I type ‘dcrx’ in Launchy)

Note: If you want to mount secure truecrypt volume in command line, encrypt password using MD5 tool onto a textfile and use the same to decrypt and compare with the password you input in CLI. This method is considered to be insecure so its recommended not to use.

Update: Use the following command to enter the password onto launchy or display the actual ‘Enter Password’ screen of Truecrypt. This means you are still secure with using Launchy for Truecrypt.

_TruecryptExePath_ /q background /v _EncFile_ /lx /p $$ + /b

1. To display the truecrypt ‘Enter Password’, type ‘cryptx’ and press enter
2. To mount the volume silently without prompting the password, type ‘cryptX’ + Tab Key + _Pswd_

How to use

1. Locate the Firefox profile directory (If your firefox is a portable one, then find it in \Data\profile)

2. Copy the files bkey3.db, cert8.db and singons*.txt from the profile directory to a .

3. Open Commandprompt and type as shown below (replace the tmp_dir with the one mentioned in above step)

FirePassword [-m "master password" ] >> pass.txt

Options: -m specify the master password

4. Finds the passwords in plain text in pass.txt

Note: The steps mentioned above is for firefox 3, I’ve tested and got the expected results. Please check firepassword homepage for other versions of firefox.

Download Firepassword :

The script will enable the security permissions which will help us to modify certain registry keys, then modifies the required keys and reverts back the permissions.

First create four files as mentioned below.

0.reg

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesUSBSTOR]
"Start"=dword:00000004

1.reg

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesUSBSTOR]
"Start"=dword:00000003

SubInACL

Before proceeding further you need to download SubInACL (Incase if the link doesn’t work, google for ‘SubInACL’ to get the MS download link). This tool helps you to set ACL permissions for the registry keys through command line parameters.

@echo off
cls
regedit /s 0.reg
subinacl.exe /keyreg systemcurrentcontrolsetservicesusbstor /deny=system
subinacl.exe /keyreg systemcurrentcontrolsetservicesusbstor /deny=users
subinacl.exe /keyreg systemcurrentcontrolsetservicesusbstor /deny=administrators
echo.
echo **Disabled**
echo.
//pause

@echo off
cls
subinacl.exe /keyreg systemcurrentcontrolsetservicesusbstor /grant=system
subinacl.exe /keyreg systemcurrentcontrolsetservicesusbstor /grant=users
subinacl.exe /keyreg systemcurrentcontrolsetservicesusbstor /grant=administrators
regedit /s 1.reg
echo.
echo **Enabled**
echo.
//pause

After creating all the above mentioned files, put those in a directory. Make sure you have all the five files in the same directory (i.e 0.reg, 1.reg, enable.bat*, disable.bat* and subinacl.exe).

Now double click the batch file* to see it in action.

Note*:

Uncomment pause command to see the execution status in the command prompt.