Crouton – Chromebooks as a Pentesting Platform

I had the opportunity to pick up a Chromebook (Acer C720) on the cheap(er) this past weekend. A local high school was getting rid of those machines that had previously belonged to graduating seniors who had chosen not to buy them outright at the end of the year. I had never had much of a chance to play around in ChromeOS until now, so I was excited to get my hands dirty. I have to say, I’m pretty impressed so far. Even with Developer Mode activated (more on that to come), it boots up in a matter of seconds. It has a pair of USB ports (one 2.0, one 3.0) and an SD card slot for expansion. All in all, not a bad little machine.

So, like any good offensive security professional with a new toy, the first question I had to ask is whether or not I could turn it into a decent pentesting rig. There are certainly some privacy issues to consider if you plan to use a Chromebook for all of your pentesting needs. That being said, it’s a great proof-of-concept and runs surprisingly well.

What you’ll find here are the steps to install and maintain the following:

  1. Ubuntu in a chroot
  2. Metasploit
  3. Various pentest/web app security friendly Chrome extensions

Most of the information here can be found in a variety of sources (to which I will link). My purpose is really to get as much useful information as possible into one, easy-to-find location.

 

Developer Mode

The first step in building your new Chromebook pentesting box is to enable Developer Mode. Note: This will factory reset your machine.

  1. While your Chromebook is on, hold Escape and Refresh and then press the power button to enter Recovery Mode.
  2. Tap Control-D when you see the Recovery Mode screen. It will probably say something scary like your Chromebook is damaged (don’t worry, it isn’t…probably).
  3. You will be presented with a new screen. Press enter to confirm, and wait for the Chromebook to reboot.
  4. You’ll get a warning about OS Verification during the boot process. Press Control-D, or simply wait 30 seconds.

Figure 1: Recovery Mode screen

Figure 2: Turn OS Verification Off

Figure 3: OS Verification at Boot


Installing Crouton

Crouton is a standalone tool that uses the chroot command to run Linux (Ubuntu, specifically) on top of Chrome OS (which is, in truth, just another flavor of Linux). As this is not dual-booting, switching between Chrome OS and Ubuntu is simple and speedy. No reboots are required, and there are keyboard shortcuts for switching between the two, which makes the whole thing incredibly convenient.

Follow these steps to get Crouton (and then Ubuntu) up and running:

1) Download it from the page linked above (or just click this link).  The crouton binary should end up in your Downloads folder.

2) Bring up a crosh terminal window by pressing Control+Alt+T.

crosh and shell

3) Drop into a shell from within the terminal.

shell

4) There are a lot of installation options with crouton, so it’s best to find those that work best for you.

You can choose to add a -n flag to name your chroot which is useful should you choose to install more than one. The -t flag is used to specify the options that you would like to include in your build. For a complete list of available targets, enter the following command prior to installation.

sudo sh -e ~/Downloads/crouton -t list (or help)

The output will be similar to the screenshot below.

crouton Targets

Running this next command (change the -t to a -r) will output a short, concise list of the available releases. Not everything is officially supported, so keep that in mind when making your choices (and expect some bugs here or there with those options that are starred in the list).

sudo sh -e ~/Downloads/crouton -r list

crouton Releases

Note: If you are using a Chromebook Pixel, be sure to include touch in your -t flag options (separated by commas).

After you’ve made your decisions, type in the following command to install crouton and create your new chroot environment. Use -r to select a release and -t for any options. Below, you’ll see I went with Trusty and gnome.

sudo sh -e ~/Downloads/crouton -r trusty -t gnome-desktop

5)  The installation will take a considerable amount of time, so feel free to step away from the computer for a bit. You shouldn’t be prompted for any input until the process completes when you will be asked for a username and password for your new install. And then you’ll be ready to go!

6) After the install process has completed, use the command it spits out to start up your new environment. If you stuck with the defaults, substitute accordingly (i.e., startxfce4 instead of what you see below).

sudo startgnome

You will see the start-up process in your shell window, and then a new window will open for your desktop environment.

Starting up

To switch between your Ubuntu and ChromeOS environments, tap Alt+Ctrl+Left/Right arrows. These are not the arrow keys but rather the arrows taking the place of the traditional F1 and F2 keys. Note: For the Acer C720 (and possibly other hardware) you will have to use Alt+Ctrl+Shift+Left/Right arrows.

If you would prefer to run your chroot in a window, use the xiwi target. I have experienced some “out of memory” problems with this option after Ubuntu has been running for a long while (~24 hours). You may have better luck.

Alternatively, you can drop directly into a command prompt within your chroot from a crosh -> shell by using this command. If you have more than one, add a -n flag with your chosen chroot’s name.

sudo enter-chroot

 

The Right Tools for the Job

There are all kinds of useful pentesting tools that can be installed at this point. I’ll begin with Metasploit and then just touch on a few Chrome Extensions that you might find useful.

Installing Metasploit

I’m going to steal some of Darkoperator’s thunder here and give you a quick run down on installing Metasploit in your new Ubuntu chroot. Again, this has all been said before, but my goal is to get it all into a single location.

The following steps assume you have installed Ubuntu (I have done this on 12.04 and 14.04 thus far).

1) Update your system.

sudo apt-get update

sudo apt-get upgrade

2) Install all of the Metasploit dependencies.

sudo apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev openjdk-7-jre git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev

3) Install the correct version of Ruby. Sadly, the version of Ruby that comes packaged with Ubuntu isn’t going to work for Metasploit. The installation is a multi-step process and is the step that is most likely to cause hiccups down the line.

Note: There is an alternative installation option covered in Darkoperator’s blog post, but I will only cover the first (using rvm).

Run these commands to download the latest version of rvm, change your bashrc file to account for it, and then install Ruby 2.1.6.

curl -L https://get.rvm.io | bash -s stable
source ~/.rvm/scripts/rvm
echo "source ~/.rvm/scripts/rvm" >> ~/.bashrc
source ~/.bashrc
rvm install 2.1.6
rvm use 2.1.6 --default
ruby -v

There is a good chance you will be presented with the following error message after the first command.

gpg: Can't check signature: public key not found.

Simply run the "gpg --keyserver" command supplied by the error message to grab the public key and correct the problem. Then try the curl command again and proceed as normal.

4) Install Nmap. This tool was not included in the dependencies we installed initially because it must be manually compiled. Just follow along with the commands below, and you shouldn’t run into any problems.

mkdir ~/Development
cd ~/Development
svn co https://svn.nmap.org/nmap
cd nmap
./configure
make
sudo make install
make clean

5) Configure the PostgreSQL server. First, switch to the postgres user, which will be used to create the user and database for Metasploit.

sudo su postgres

Next, create the user and database necessary for Metasploit. Make sure to remember the name of the database (below, I use “msf”) as it will be included in the yml file that Metasploit uses to establish a connection to the database.

createuser msf -P -S -R -D
createdb -O msf msf
exit

For the sake of convenience, be sure to start postgresql on boot.

sudo update-rc.d postgresql enable

6) Install the Metasploit Framework. Download the latest version of Metasploit via Git.

cd /opt
sudo git clone https://github.com/rapid7/metasploit-framework.git
sudo chown -R `whoami` /opt/metasploit-framework
cd metasploit-framework

Once the download finishes, use bundler to install the required gem versions. Once again, I’m assuming that you installed Ruby via rvm.

rvm --default use ruby-2.1.6@metasploit-framework

gem install bundler
bundle install

7) Create database.yml file.

sudo nano /opt/metasploit-framework/config/database.yml

Copy the text below into your new file. Make sure to use the username, password, and database you created in Step 5! Here, they are all “msf.”

production:
  adapter: postgresql
  database: msf
  username: msf
  password: msf
  host: 127.0.0.1
  port: 5432
  pool: 75
  timeout: 5

Finally, create an environment variable so that the file is automatically loaded when Metasploit is run. Then, load the variable into your shell.

sudo sh -c "echo export MSF_DATABASE_CONFIG=/opt/metasploit-framework/config/database.yml >> /etc/profile"

source /etc/profile
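
Steps 5 and 7 leave the database password in a plain-text file, so as an added example (not part of the original post) the script below writes the same database.yml with a randomly generated password and owner-only permissions. The function names gen_password, write_msf_dbconfig and file_mode are hypothetical, and the demo at the end uses a scratch file with constructed values.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Generate a 32-character hex password from the kernel CSPRNG.
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Usage: write_msf_dbconfig <path> <database> <username> <password>
write_msf_dbconfig() {
    path=$1 db=$2 user=$3 pass=$4
    old_umask=$(umask)
    umask 077                 # a newly created file gets mode 0600
    cat > "$path" <<EOF
production:
  adapter: postgresql
  database: $db
  username: $user
  password: "$pass"
  host: 127.0.0.1
  port: 5432
  pool: 75
  timeout: 5
EOF
    status=$?
    umask "$old_umask"
    chmod 600 "$path"         # also tighten a file that already existed
    return $status
}

# Print the octal permission bits of a file (GNU stat, with a BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demo on a scratch file; on a real install the path would be
# /opt/metasploit-framework/config/database.yml.
demo=$(mktemp)
write_msf_dbconfig "$demo" msf msf "$(gen_password)"
echo "wrote $demo with mode $(file_mode "$demo")"
rm -f "$demo"
```

Enter the same generated password at the createuser -P prompt in Step 5 so the file and the database role agree.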

8) Run Metasploit for the first time. Be sure to run it as a regular user the first time so that all of the folders are created in the appropriate spots with the correct permissions.

Starting up Metasploit

Note: Since Metasploit needs root for a lot of its functionality, once you’ve run it as a regular user, you can use rvmsudo in place of sudo (or running it as root) to avoid some Ruby issues that may occur.

Useful Chrome Extensions

This isn’t crouton related, but I wanted to touch on it anyway. There are all kinds of Extensions available for Chrome that make pentesting tasks a little simpler. Here are some of my favorites:

Other Tools

I haven’t done a lot of playing around to see what works/what doesn’t beyond what I’ve presented here. I will definitely be looking at some wireless options eventually and seeing if it’s Alfa card/aircrack-ng friendly. Possibly more on that to come.

 

Upkeep

Here are some noteworthy housekeeping functions for Crouton.

Update crouton and a chroot: To update Crouton and your chroot, hit Control+Alt+T to bring up crosh and then enter the following.

shell

sudo sh -e ~/Downloads/crouton -u -n chrootname

If you would like to add new targets to the chroot during the update, you’ll run the same command but with a few additions.

sudo sh -e ~/Downloads/crouton -u -n chrootname -t new_target_1,new_target_2

Delete a chroot: Enter the following command to delete one of your chroots.

sudo delete-chroot chrootname

Rename a chroot: To rename an existing chroot installation, use this command string.

sudo edit-chroot source -m destination

For additional help, check out the cheat sheet from crouton’s author dnschneid.

 

Conclusion

New toys are always fun, and my Chromebook has been no different. I’m impressed with the C720, and it runs Metasploit and other pentesting tools really well so far. Again, because Chrome is largely dependent on the cloud, be mindful of the consequences of letting client or test data (potentially) sit out on the Internet should you choose to use such a rig on an actual engagement.

Happy hunting!

patchwork

Former military intelligence. Physical security and network penetration testing.