How to Turn an MP3 Player into a Linux Bootable Drive

I have a couple old MP3 players kicking around and have always wanted to try this. A lot of MP3 players are just USB flash drives with the brains to play music from the files stored on them.

You can open the MP3 player up in Windows Explorer and music files are usually stored in the root of the device or in a folder called “Music”. Simply adding songs or removing them manually is usually easier than trying to do it in Media Player or iTunes.

So, what I did is take one of these:

I copied all the information that was on the MP3 player to a backup folder on my PC (in case things went bad), then downloaded Ubuntu 11 and its USB installer and loaded Ubuntu onto it:

I then rebooted my PC, selected “boot from USB drive” from the Boot menu and got this:

Finally I copied the music files back to the MP3 player, ejected it from the PC, plugged my headphones in and it played music like a champ. Now, I have an MP3 player and a bootable USB drive.

I was thinking of installing Backtrack 5 on it and making it into an inconspicuous looking penetration testing platform, but the MP3 player just did not have enough free space.

Pretty cool, just a note of caution though, this may not work on every mp3 player. Only try it on one that you can risk ruining.

Backtrack 5: Linux & Mac Systems Vulnerable to Malicious Scripts Too

Ask almost any Linux or Mac user and they will tell you that they are much better protected against viruses and online threats. But is this really true?

Not necessarily so.

Sure, most malware writers target Windows based systems due to the large volume of potential targets. But, malicious executables and scripts work just as well against Linux and Mac systems.

I have recently been working on a video showing Backtrack 5 in action against a Windows 7 target and wondered, ‘How well would some of the same attacks work against a Mac or Linux system?’

So, I fired up Backtrack 5 in my lab and used it to create a test malicious website. The site serves up a backdoored Java applet to a target machine when it connects to the page.

This is what the simulated target machine saw when it surfed to the website:

The target machine is an Ubuntu 11.04 machine, running Google Chrome, with the built-in firewall enabled and an updated anti-virus program running. As you can see, the webpage is a bogus “message from the CEO” page and it instructs the user to run the Java popup. A real malicious page could look much more believable or could even be an exact clone of an existing site.

When the user clicks “run”, a remote shell session (Session 1) is created on the Backtrack 5 machine as seen below:

And that is it. I now have read/write access to the Ubuntu host in the context of the logged in user. I ran a few Linux commands to verify the connection. Commands entered are highlighted by a white box:

I checked the Ubuntu version, the present user name and the user’s identity.

I then checked the disk space, surfed to the user’s document directory and viewed the contents of the file named “Test”:

And finally, checked the processes running on the remote system:

I do not have root access at this point, just user level access. But from here I could check the system for other vulnerabilities that could be exploited. Or if my goal was just to collect user data or documents, no further penetration is necessary.

Malicious scripts and executables are encoded and obfuscated to purposely bypass anti-virus programs. And once they are run on a target machine, Windows, Mac or Linux, they connect out through the firewall to the attacker machine. It is imperative to educate your users about these types of attacks and tell them to never allow programs to run from unknown websites or e-mails.

Running script blocking programs like “NoScript”, and disabling script capabilities in browsers really help against these types of attacks. But users with privileges can and will allow programs to run if they really think they need the program or gadget that the attacker is offering.

Finally, locking down what sites your users can connect out to and monitoring the traffic leaving your network is always a good idea in preventing or detecting these types of attacks.

How to Log into Windows without the Password

I covered this topic last year (Windows Backdoor: System Level Access via Hot Keys) but just ran into this again recently. How do you gain access to a Windows system that you have legitimately lost the password to?

Well, there seem to be a couple of utilities out there that claim to allow you to do this. We tried a Linux Live-CD based one that was supposed to allow you to change any Windows password. But it didn’t work.

I even tried Kon-Boot, both the CD based and USB flash drive variety. Kon-Boot sounds very cool, and comes highly recommended. You boot Kon-Boot first, then after it is booted, it loads your OS. Then you can put in any password, or hit enter and it bypasses the login and allows you into the user’s account. It is supposed to work on Windows and Linux systems. But unfortunately it also did not work on my systems.

What to do? Well, I figured I would give my article from last year a shot to see if it still worked. (Okay, just a quick disclaimer. Do not do this on a system that you do not own, or have permission to modify. And messing with system files could leave your system in an unstable state. If you choose to continue, you do so at your own risk.)

So I booted into Ubuntu, went to the Windows System32 directory, renamed utilman.exe to utilman.old, copied cmd.com to utilman.exe and rebooted. At the Windows login prompt I hit the “Windows”+“U” keys and up pops a system level command prompt. From here you can type any Windows command, add users, etc.

The funny part is you can type “explorer.exe”, hit enter and you get a System level desktop. From here you can open Internet Explorer, and surf the web. And while you are doing all this, the Windows login screen dutifully stays in the background protecting(?) your system.

I found the Utilman modification solution on Microsoft’s Technet site, but it is not the only one that works. A comment on last year’s post pointed me to another trick on Adam’s Technical Journal. Modifying the “Sethc.exe” command in the same way also allows you to bypass the Windows login screen. The “sethc” file is for the Windows Sticky Keys function. Under normal operation, if you hit the Shift key something like 5 times in a row, the sticky key dialog box will pop up.

Doing so when the sethc file has been replaced with a copy of command.com opens up a system command prompt at the login screen, just like the utilman modification above.

This process still works on a fully patched and updated Windows 7 system. When I checked it last year, it also worked on all of the Windows server products. Windows protects these system files from being modified when Windows is booted, but booting in Linux to alter them just takes a couple minutes at most.

These techniques can be a life saver if you have lost the password to an important system, but they also go to show that strong physical security is needed when securing your systems.
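
A defender-side check for the modification described in this post, added here as an example and not part of the original article: it audits a System32 directory (live, or a Windows volume mounted read-only from another OS) and reports when utilman.exe or sethc.exe is byte-identical to a command shell or has a renamed `.old` copy beside it. The function names and the inclusion of `cmd.exe` in the shell list are assumptions of this example.

```python
import hashlib
from pathlib import Path

# Accessibility binaries reachable from the logon screen (named in the post).
LOGON_BINARIES = ("utilman.exe", "sethc.exe")
# Shells these binaries must never be identical to. cmd.exe is an assumption
# added by this example; the post itself names cmd.com and command.com.
SHELLS = ("cmd.exe", "cmd.com", "command.com")


def sha256(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_file(directory: Path, name: str):
    """Case-insensitive lookup, since the volume may be mounted on Linux."""
    for entry in directory.iterdir():
        if entry.is_file() and entry.name.lower() == name:
            return entry
    return None


def audit_system32(system32: Path) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    shell_hashes = {}
    for name in SHELLS:
        shell = find_file(system32, name)
        if shell:
            shell_hashes[sha256(shell)] = shell.name
    for name in LOGON_BINARIES:
        target = find_file(system32, name)
        if target is None:
            findings.append(f"{name}: missing")
            continue
        digest = sha256(target)
        if digest in shell_hashes:
            findings.append(f"{name}: identical to {shell_hashes[digest]}")
        # A renamed original left beside the binary, as in the post (utilman.old).
        backup = find_file(system32, name.rsplit(".", 1)[0] + ".old")
        if backup:
            findings.append(f"{name}: renamed copy {backup.name} present")
    return findings
```

Run on a schedule against each host, a non-empty result is worth an incident ticket, since the swap requires offline write access to the system volume.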