Friday 14 September 2012

#9 Using PwnStar to Setup Soft AP and Sniff HTTPS data


 
 
This tutorial will show you how to set up a Soft AP for victims to connect to. Once a victim has connected, all their traffic will be routed from the Soft AP through your computer and out the internet interface.

This lets us become the man in the middle and see any traffic travelling to and from the victim. We will use this to our advantage by using sslstrip to capture and decode all information that passes through our machine using the HTTPS protocol.

This basically means we get their login information!

To do this you will need to have your main machine connected to the internet, and connect your Backtrack VM to this connection using the ethernet connection in Wicd Network Manager. Check that the internet is working by loading Firefox in the Backtrack VM and going to a website. If it loads, you're ready to move on.

Once connected, connect your external wireless USB adapter to your Backtrack VM. (This has all been done in previous tutorials so it should be simple.)

Now we're ready to start :D


First let's boot up a terminal and fire up the PwnSTAR script. We do this by pointing the terminal to its location. If you have followed my previous tutorials then the location in bold below will work. Enter it, or the location of your script if it's different.

 '/root/Desktop/Hacks/Wireless Attacks/PwnSTAR_0.8'

You will now be asked a bunch of questions for setting this script up. The first is which attack you want to run. We will be running '3) Sniffing: provide internet access, then be MITM', so enter the code in bold below and press enter.

3

You will now be asked if you want to give internet access. We do, so enter the code in bold below and press enter.

y

You will then be asked which interface the internet is connected to. It should be your ethernet interface; mine is 'eth1'. Yours may be different, but the available interfaces are shown above the question. Enter your interface like the code in bold below and press enter.

eth1

It will then ask for your wireless interface (the one the Soft AP will be set up on), and again it will show the available interfaces. In this example mine was 'wlan0'. Enter yours like the code below and press enter.

wlan0

It will then ask whether you would like to change the wireless interface's MAC address automatically or manually. I suggest entering the code in bold below and pressing enter for automatic MAC changing.

y

It will then ask if you would like to scan for a target. This time we will not be doing this, so enter the code below.
 
n
 
You will now be asked questions about IPs etc. Just enter the code in bold below and press enter to change the Soft AP's channel.

3

You will be asked what channel to use. Just enter the code in bold below and press enter.

4

We can now move on, so enter the code in bold below and press enter to continue.

c

You will now be asked what attack to use. Select the second by entering the code in bold below and pressing enter.

2

You will then be asked to name your Soft AP. Try something that will persuade your victims to connect, like free wifi. Enter it like the code in bold below and press enter.
 
Free WiFi
 
It will then start the Soft AP. We are now asked about our DHCP settings. I suggest just continuing by entering the code in bold below.

c

Your DHCP server will then start, allowing your victims to get an IP address when they connect to the Soft AP.

Now you will be asked if you want to start ferret. Say yes so we can see what traffic is passing through. To do this enter the code in bold below.

y

You will now be asked if you want to start sslstrip. Again select yes by entering the code in bold below.

y

You will then be asked if you would like to tail the sslstrip file. Again select yes. The window that opens after you enter the code below will be the place where we will see all our logins (and lots of junk data).

Now just wait until victims connect and get their logons.

We can parse the logs so that we don't get all the junk data in the sslstrip file tail, but I am waiting for the code on how to do this. I will update when I know.

I will also include another tutorial on how to make this attack a little more effective later on.
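
sslstrip only works while the victim's browser is willing to make a request over plain HTTP, so the server-side defence is HTTP Strict Transport Security. The check below is an added example, not part of the original post or of PwnSTAR: it parses a Strict-Transport-Security header as RFC 6797 describes and lists what still leaves a browser open to the downgrade. The sample responses are constructed, and the one-year threshold is an assumption taken from the browser preload list's published requirement.

```python
import re

PRELOAD_MIN_AGE = 31536000  # one year; assumed from the preload list's requirement


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns None when a browser must ignore the header: a directive is
    repeated, or max-age is missing or not a plain number.
    """
    seen = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if not name:
            continue
        if name in seen:
            return None
        seen[name] = arg.strip().strip('"')  # max-age may be a quoted string
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None
    return {
        "max_age": int(seen["max-age"]),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }


def downgrade_exposure(scheme, headers):
    """List the reasons one response leaves a browser open to HTTPS stripping."""
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if scheme != "https":
        # RFC 6797 section 8.1: HSTS received over plain HTTP is ignored,
        # because anyone on the path could have added or removed it.
        return ["plain HTTP response: any HSTS header here is ignored"]
    if value is None:
        return ["no Strict-Transport-Security header"]
    policy = parse_hsts(value)
    if policy is None:
        return ["malformed Strict-Transport-Security header: ignored"]
    if policy["max_age"] == 0:
        return ["max-age=0 tells the browser to forget the policy"]
    gaps = []
    if not policy["include_subdomains"]:
        gaps.append("subdomains are not covered")
    if not (policy["preload"] and policy["include_subdomains"]
            and policy["max_age"] >= PRELOAD_MIN_AGE):
        gaps.append("not preload-eligible: the first visit is unprotected")
    return gaps


# Constructed sample responses: (label, scheme, response headers).
SAMPLES = [
    ("login page, no HSTS", "https", {"Content-Type": "text/html"}),
    ("HSTS sent over HTTP", "http", {"Strict-Transport-Security": "max-age=31536000"}),
    ("short policy", "https", {"strict-transport-security": "max-age=600"}),
    ("full policy", "https",
     {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}),
]


def audit(samples=SAMPLES):
    """Map each sample's label to its list of exposure reasons."""
    return {name: downgrade_exposure(scheme, hdrs) for name, scheme, hdrs in samples}


if __name__ == "__main__":
    for name, gaps in audit().items():
        print(f"{name}: {'OK' if not gaps else '; '.join(gaps)}")
```
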
 
 
 
 




Thursday 6 September 2012

#8 Setting Up PwnSTAR

 
Now I am going to show you how to set up the requirements of a great script that will allow us to do great things. This script will allow us to set up a rogue AP (fake wireless spot) which test victims can connect to, and then we can do many things, such as:

- Direct them to a webpage of our choosing
- Direct them to our captive portal
- SSLStrip their logins to websites they visit
- Use karmetasploit to exploit the machine and gain access

and some other things too.

I will do tutorials on these later, but first let's just get everything set up.

First fire up the Backtrack VM again, download the file from the link below and save it to your desktop.
 
 
Now right click on the zipped file you just downloaded and select 'Open With Archive Mounter'.
 
You should see another file created with the same name near the zipped file. It has what looks like a stack of white paper as its icon.
 
When you see it just right click it and select 'Open'
 
You will then be presented with a new window with a folder inside named Hacks. Now highlight it, then copy and paste it to the desktop.
 
Inside this folder is the script we will use to run the attack later, and we will be leaving that there. Also inside this folder are web pages; these need to be placed in the Apache www folder.

We will be using the CLI to move the files/folders. Open a new terminal and enter the bold text below. Be sure each command you have entered has completed its task before you enter the next line.
 
mv -f '/root/Desktop/Hacks/Wireless Attacks/hotspot_2' /var/www
mv -f '/root/Desktop/Hacks/Wireless Attacks/portal_hotspot' /var/www
mv -f '/root/Desktop/Hacks/Wireless Attacks/portal_pdf' /var/www
mv -f '/root/Desktop/Hacks/Wireless Attacks/portal_simple' /var/www

Now we need to install sslstrip (because backtrack did a shit job). Just open a terminal and enter the code in bold below.

cd /pentest/web/sslstrip
python setup.py install


Now we have sslstrip! :D
 
Now we just need to clean up. Right click on the mounted zip file (the one with the icon that looks like a stack of white paper) and, when the menu appears, select unmount. Now just delete the zip file we downloaded and you're all done: a nice, clean, organised desktop.

Well done, you have just completed the setup. The next tutorial will be on how to use one of the functions of this script.
 

#7 Quick Sound Fix

 
 
After my last tutorial, where I asked you to watch a YouTube video to test that the Flash Player install worked, I noticed that the sound in this version of Backtrack was not working.

This was quickly fixed and only took five minutes of my time!

Simply go to your desktop and select

System -> Preferences -> Startup Applications

Now press the button:

Add

You will be asked for the Name, Command and Comment. Just match them up like below by entering the text in bold:

Name: Pulseaudio daemon
Command: /usr/bin/pulseaudio
Comment: Start the sound daemon
 
Once you have filled in all the information then press
 
Add

Now log out, then log in again. You may also need to activate the sound in VMware, because I had to.

It's simple to do: just look in the lower right-hand corner, where we activated our wireless network adapter in a previous tutorial. This time look for the icon that looks like a speaker, right click it and press Connect.

Now we should get sound on a VM!!!

#6 Installing Flash 10.2

 
 
 
OK, now we're back to getting our system ready! We need to install Flash 10.2 for Mozilla Firefox. This is so that later, when we install Nessus (port scanner), we can use the GUI in Mozilla Firefox.

This is pretty simple and quick, so don't worry, it won't take you the best part of an hour!

First start your Backtrack VM, connect it to the internet, open Mozilla Firefox, go to the address in bold below and download the file. It's just the Flash file we will be using.

https://rapidshare.com/files/2556336087/libflashplayer.so

Save the file to your desktop.

Now open a terminal and enter the code in bold below:

mkdir ~/.mozilla/plugins

This will make a folder in Mozilla Firefox's directory called plugins. This is where we will be moving the file we downloaded.

We just need to change the terminal's current directory so it can find the file we downloaded. Using cd tells the terminal to change directory, and the path entered after cd is the new directory. This can be seen in the code in bold below; enter it into the terminal.

cd /root/Desktop

Now we will move the file using the code in bold below. Just enter this into the terminal and the file will move itself to the correct place.

mv -f libflashplayer.so ~/.mozilla/plugins/

To check this worked, go to YouTube in Mozilla Firefox and try playing one of the videos.

(note: don't forget to disable the Mozilla Firefox addon NoScript because it blocks Flash applications)

If that worked then you're all done!

# 5 Hacking WPA2 (With WPS Bruteforcing)

 
 
 
I thought it was about time to show you something a little more *Fun* than installing and setting up Backtrack.

In this tutorial I will be showing you how to use a tool called 'Reaver' and another called 'wash'. These two tools together provide a powerful set of penetration testing tools. Wash is used to find wireless routers that use WPS and are vulnerable to Reaver WPS bruteforcing.

When Reaver finds the correct WPS pin it will then give the user the WPA2 password to the wireless router, allowing the user access to the network, and possibly the internet if that network is connected to the web.

I will not go into detail about how Reaver actually works; I will just show you how to use it in this tutorial. If you do want information on how it works, visit the link below and have a good read :)


First I will show you how to connect your wireless network card and start it in monitor mode (note: I am using an Alfa AWUS036H network adapter).

This will allow the Wash tool to examine packets being sent wirelessly and discover vulnerable routers.

I will then show you how to use Wash to find the vulnerable routers, and lastly I will show you how to use Reaver to get the WPA2 password.

First load up your Backtrack VM; once it's done, connect your USB wireless network adapter. It may automatically be connected to the VM, but if it is not, then in the bottom right of your VMware Player you will see little icons like the ones in the picture below:


The icon that looks like a USB stick and is faded is usually the one that represents the wireless network adapter. Simply click on it and select Connect (disconnect from host).

Now that we have our wireless card connected, let's give it an interface to operate from. To do this we will put it in monitor mode. We do this by opening a new terminal and entering the text in bold below:

airmon-ng start wlan1

(Note: your wlan may have a different number, but they are usually 1 or 0)

When done correctly it will put your wireless network adapter into monitor mode, which allows us to examine packets being sent wirelessly. This will also start an interface called mon0, which we will be running our attack through.


Using Wash to Find a Vulnerable Router


This is easy to do: just open up a terminal and enter the text in bold below:

wash -i mon0

This will start the wash program, and it will use the mon0 interface to find the vulnerable wireless routers and display them in the terminal in a table like in the picture below:



After about 2 minutes wash will have found all vulnerable wireless routers, so we will have to stop it running. To do this make sure you have the terminal as your active window, then press and hold 'Ctrl' and press 'z'.

DO NOT CLOSE THE TERMINAL

Using Reaver to Get the Password

Reaver will use a bruteforcing method to attack the WPS pin, trying a total of 11k pins. It's very simple to use, but first we need to pick our target from the table in wash.

I suggest picking the one with the lowest RSSI because it will have the best signal. When you pick your target, copy the MAC address. The MAC address is 12 characters long and separated using colons every two characters, for example A3:ED:S2:22:SD:FF.

Now open a new terminal and enter the bold text below but replace the example MAC address with the one you copied.

reaver -i mon0 -b C0:3F:0E:C2:D4:C4 -v
 
This will start the bruteforcing of the WPS pin and will show you which pins it has tried and what percentage it has completed. We can see this in the picture below.



Reaver can get the right pin first time or it could be the last one it tries, but if the router is accepting the pins then Reaver will get it and display the correct WPS pin and password in the terminal!
 
HAVE A HAPPY DAY HACKING SOME WPA2 PASSWORDS!!!!
 
 
 






Wednesday 5 September 2012

#4 Fixing the Update Resource List

 
During the install of DHCP3-Server I found out that someone forgot to put in a line needed for the updating of Backtrack 5r3. This is a quick guide on how to put it back in.

First go to the desktop and select Places > Computer > File System


Then navigate through the following 2 folders: etc > apt

You should then see sources.list

Now right click it and select Open With.. > gedit Text Editor

You should now see the same as the picture below:


At the bottom of this file add the text in bold below

deb http://updates.repository.backtrack-linux.org main microverse non-free testing

Now save and close the file and you'll be all good. While we're here, let's have a quick upgrade.

Open a new terminal and enter in the text in bold below.

apt-get update

and when that's done enter the text in bold below

apt-get upgrade

You have just upgraded Backtrack :)

# 3 Installing DHCP3-Server

 
Welcome back! Our Backtrack VM now needs a DHCP3-Server so that when we are doing wireless attacks, the victims that connect to us will be given an IP address. In this tutorial I will first show you how to install the DHCP3-Server and secondly I will show you how to configure it.
 
 
Installing the DHCP3-Server
 
This should be very easy BUT!!! When you try to install DHCP3-Server it throws an error because one of its dependencies does not match what we have installed. So now we have to downgrade its dependency as shown below....

First let's open a terminal and type in the bold code below:

apt-get install synaptic

Now when that's installed, start synaptic by entering the bold text below into the terminal:

synaptic

Once synaptic starts it will update, and once that's done search for dhcp3-common

You should see dhcp3-common on top of the list. Highlight it, go to the toolbar at the top of the window and select Package > Force Version (like below)



Now in the drop-down menu, select “3.1.3-2ubuntu3.2 (stable)” and click force version and then “Mark”.
 

Press the “Apply” button with the green checkmark. Double-check to make sure you’re doing the right thing in the pop-up window. You will be removing dhcp3-common, dhcp3-gtk, dhcp3-daemon, and also Wicd.

Wait for Synaptic to do its thing and then close it. (Don't reboot or anything like that!)

Since Wicd is important for starting and stopping networking with a GUI, reopen the terminal window and type in the bold text below:

apt-get install wicd

(note: if you get an error installing Wicd like I did then pause your VM and resume it, because that worked for me)

Now we can finally install DHCP3-Server by entering into the terminal the text in bold below:

apt-get install dhcp3-server

That should be installed now!

Configure the DHCP3-Server

Now we can configure the DHCP3-Server. This is easy!

On the desktop select Places > Computer > File System

We should now be able to see the root file system and in here we need to find the dhcp3 server config file so select etc > dhcp3

You should now see the file dhcpd.conf

Now open it and delete all its contents and replace with the text in bold below

default-lease-time 600;
max-lease-time 7200;

option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;
option routers 192.168.0.1;
option domain-name-servers 192.168.0.1, 192.168.0.2;
option domain-name "yourdomainname.com";

subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.10 192.168.0.200;
}


(note: edit the IPs to match your network)

Save this and close everything until you're back at the desktop.

Now let's test if it's working by opening a terminal and entering the text in bold below

/etc/init.d/dhcp3-server start

If you get the text in bold below then everything went ok!

* Starting DHCP server dhcpd3                                           [ OK ]
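
When the IPs in dhcpd.conf are edited to match another network, the subnet, broadcast address, router and range have to stay consistent with each other or clients get unusable leases. The check below is an added example, not part of the original post: it reads the statements used in the file above and reports any that disagree. The function names are made up for this example, and it only understands the handful of statements this configuration uses.

```python
import ipaddress
import re

# The tutorial's dhcpd.conf, embedded so the check runs offline.
DHCPD_CONF = """\
default-lease-time 600;
max-lease-time 7200;

option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;
option routers 192.168.0.1;
option domain-name-servers 192.168.0.1, 192.168.0.2;
option domain-name "yourdomainname.com";

subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.10 192.168.0.200;
}
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"


def _find(pattern, conf):
    """Return the captured groups of the first match, or fail loudly."""
    match = re.search(pattern, conf)
    if match is None:
        raise ValueError(f"statement not found: {pattern}")
    return match.groups()


def check_dhcpd_conf(conf):
    """Return a list of inconsistencies between the statements in conf."""
    conf = re.sub(r"#.*", "", conf)  # ignore comments
    default_lease = int(_find(r"default-lease-time\s+(\d+)\s*;", conf)[0])
    max_lease = int(_find(r"max-lease-time\s+(\d+)\s*;", conf)[0])
    mask_opt = _find(r"option\s+subnet-mask\s+" + IP, conf)[0]
    bcast = ipaddress.ip_address(_find(r"option\s+broadcast-address\s+" + IP, conf)[0])
    router = ipaddress.ip_address(_find(r"option\s+routers\s+" + IP, conf)[0])
    subnet, mask = _find(r"subnet\s+" + IP + r"\s+netmask\s+" + IP, conf)
    low, high = (ipaddress.ip_address(a)
                 for a in _find(r"range\s+" + IP + r"\s+" + IP, conf))
    try:
        net = ipaddress.ip_network(f"{subnet}/{mask}")  # rejects host bits
    except ValueError as exc:
        return [f"subnet declaration is not a network address: {exc}"]

    reserved = (net.network_address, net.broadcast_address)
    problems = []
    if max_lease < default_lease:
        problems.append("max-lease-time is shorter than default-lease-time")
    if mask_opt != mask:
        problems.append(f"option subnet-mask {mask_opt} differs from netmask {mask}")
    if bcast != net.broadcast_address:
        problems.append(f"broadcast-address should be {net.broadcast_address}")
    if router not in net or router in reserved:
        problems.append(f"router {router} is not a usable host in {net}")
    if low > high:
        problems.append("range start is above range end")
    for addr in (low, high):
        if addr not in net or addr in reserved:
            problems.append(f"range address {addr} is not a usable host in {net}")
    if low <= router <= high:
        problems.append(f"range hands out the router address {router}")
    return problems


if __name__ == "__main__":
    found = check_dhcpd_conf(DHCPD_CONF)
    print("\n".join(found) if found else "dhcpd.conf statements are consistent")
```
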






#2 Getting Internet & Wireless Range Extension

 
 
Now you have your Backtrack up and running, you're going to need to be able to connect your VM to your local network.

I am assuming that the machine hosting your VM already has the internet connected. If so, it won't matter whether it's a wireless connection or a wired connection; it will still show up in Backtrack as a wired connection.

Now some people will have DHCP enabled on their router at home while others may not. So I am going to show you how to connect to the internet both ways, using either a static or a dynamic IP. I always preferred to use a static IP address so I would always know Backtrack's IP.
 
GETTING INTERNET ACCESS
 
Step One
 
First boot up and log in to your Backtrack VM (login data below in case you have forgotten ....)

Username: root
Password: toor

and to load the GUI enter:

startx
 
You should now have the GUI screen like below:
 
 
Second Step
 
We will now load up the WICD (Wireless Interface Connection Daemon).
 
To do this go to 'Applications > Internet > Wicd Network Manager ' like in the image below.
 
 
SIDE NOTE! (if you did not get this error move on to Third Step)
 
If like me you got the following error "Could not connect to wicd's D-Bus interface. Check the wicd log for errors messages" like in the image below:
 
 
 Then press 'ok' and close Wicd when it loads up.
 
Now open a terminal and enter the text in bold below
 
root@bt:~# dpkg-reconfigure wicd
root@bt:~# update-rc.d wicd defaults
 
and you should get something similar to below
 
root@bt:~# dpkg-reconfigure wicd
root@bt:~# update-rc.d wicd defaults
Adding system startup for /etc/init.d/wicd ...
   /etc/rc0.d/K20wicd -> ../init.d/wicd
   /etc/rc1.d/K20wicd -> ../init.d/wicd
   /etc/rc6.d/K20wicd -> ../init.d/wicd
   /etc/rc2.d/S20wicd -> ../init.d/wicd
   /etc/rc3.d/S20wicd -> ../init.d/wicd
   /etc/rc4.d/S20wicd -> ../init.d/wicd
   /etc/rc5.d/S20wicd -> ../init.d/wicd
 
And now this error will not show again!!!
 
Third Step
 
You should now see the screen below:
 
 
 
 To use a dynamic IP address just press connect and the Wicd software will do the rest and you will end up connected to the internet like in the image below:
 
 
 
For a static IP address click on 'properties' under where it says 'Wired-Default'. You will end up with the screen below:



Simply check the box next to 'Use static IPs' and then enter your desired IP address, netmask and gateway so it looks like below (obviously use your own/correct IP etc):
 
 
Now press 'OK' and press 'Connect' and you should be connected and see a screen like the image below:
 
 
That's it! You now have internet access!
 
Wireless Range Extension
 
If like me you have an 'Alfa AWUS036H 1000mW' wireless network adapter then you will want to get full use of that 1000mW, but each country restricts which channels you can transmit on and at what strength. This has been built into Backtrack, but because Linux is fully editable we can change it so we can have full signal strength and transmit on all channels.

Below is a guide on how to do this. As you can see there are 2 ways. The first is a quick one done in a terminal, which will need to be done at every startup, and the second is a permanent fix which once done will never need to be done again. It's up to you which one you choose, but I will be choosing the second method.
 
First Method
 
Open a terminal and enter the bold text into the terminal:
 
root@bt:~# sudo ifconfig wlan1 down
root@bt:~# sudo iw reg set BO
root@bt:~# sudo airmon-ng start wlan1
 
This first turns off the wireless interface and then changes your region to a place where you're allowed to transmit at 30dbi (1000mW) and on all channels. It then turns the wireless interface back on.

Second Method

This time we will be making a script that will run at startup and change our region.

First create a blank document on your desktop. To do this:

Right click on the desktop and select Create Document > Empty File and rename it RangeExtension.sh.

Now click on the new file (RangeExtension.sh) so you get a blank page like the one below:
 
 
and now enter the text in bold below into this document:
 
#!/bin/bash
##iw reg set BO
iw reg set BO
Now save this and close the window.
 
Next open a terminal and enter the text in bold below. This will copy the file from the desktop into init.d, which runs on boot.
 
sudo cp ~/Desktop/RangeExtension.sh /etc/init.d/




We will now make the document we made into an executable script with the code below, just enter the bold text into the terminal.

sudo chmod +x /etc/init.d/RangeExtension.sh
 
Now we need to make it run on the next startup, just enter the bold text into the terminal.

sudo update-rc.d RangeExtension.sh defaults
 
Note: 'defaults' puts a link to start '/etc/init.d/RangeExtension.sh' in run levels 2, 3, 4 and 5, and puts a link to stop '/etc/init.d/RangeExtension.sh' into run levels 0, 1 and 6.

Just restart so the changes can take effect!

That's it! Our range should now be at 30dbi (1000mW)! Enjoy!


 
 
 
 

 
 


Tuesday 4 September 2012

#1 Getting Started

 
 
Welcome to my blog! I am Deviney from the official BackTrack forums, and today I saw a thread there posted by someone asking if the forum was dying. I personally think it is, and it is because there are not enough people teaching the basics. They expect people to either have the knowledge already of how to do it or find it themselves. I do agree with this to an extent, as people should be able to find information themselves, but if you found this then you found all your information to get you started.
This couldn't have happened at a better time because my original image was corrupted for some reason :/ and I only have old backups, and because it was the old distribution I decided to start from fresh and document it so others could follow my steps. Just note this is how to use Backtrack on a Windows OS in a virtual machine environment.


Firstly I am going to start by showing you how to install VMware Player and run the BT5r3 VM image (Backtrack) on it.


How To Download & Install VMware Player

VMware is software that allows us to run other operating systems within our own operating environment. This means we do not need to dual-boot OS's or uninstall windows to install backtrack.


To run VMware you will need a laptop with virtualization capabilities. The installer below will tell you if your laptop is not capable (I think, but I have not had this problem; correct me if I am wrong)

First Step

Go to https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/ and download the file VMware-player-5.0.0-812388.exe. If the version has changed then the download link is usually the one at the top and will have (VMware Player for Windows 32-bit and 64-bit) written under it.

Second Step

Run the VMware Player installer EXE we just downloaded and follow the install instructions. It's pretty basic and almost impossible to mess up, so please just keep clicking either Next/Continue/Finish and everything will go OK.

How To Download, Install & Run BT5_R3

I am sure I don't have to explain what Backtrack is, otherwise you would not be here, but as you can see we are downloading the VMware version and not the ISO version. This is because the VMware version runs as soon as we load it and there is no installing needed.

First Step

Go to http://www.backtrack-linux.org/downloads/ and click the download button.

You will be presented with a new page with blank boxes; when you click on the blank boxes you can select options. Match them up so they look like mine below and press the button shown in the picture:

 
 
 



You will then be presented with a download box like the one below, press save and wait for the download to finish.


NOTE: I am using VMWare Workstation, you can get a copy at your good old piratebay ;) (i do not support piracy)

Second Step

Now it’s finished downloading it’s time to run it in VMWare Player.

You will notice that when you installed VMware Player it added a folder in your documents called 'My Virtual Machines'. I suggest you make a folder in there and move the downloaded image of Backtrack to it for ease and organisation purposes.

Now let's start VMware. You will be asked to accept a license agreement on your first run, so please do so.

You will then be presented with a page similar to the one below:


Now click on open a virtual machine and it will ask you to show it the location of the VM image. This is the BT5r3 image we downloaded and placed in 'My Virtual Machine' in 'My Documents'.

Just select the BT5r3 image and press 'Open'. It may ask you where you got the image from; just click 'I copied it'.

The VM will now begin to boot up. We will now log in just to check it's working.

When you see the backtrack login like below:



then enter the following login information (enter the bold text and note the password will not show)

bt login : root
password: password

You will now be presented with the root command prompt (Root@bt:~# )

This is where we can fire up our GUI (graphical user interface).

Enter the bold text again:

Root@bt:~# startx

We should now see the GUI like the one below


We're almost done. We just need to take our VM off a NAT connection to the network and give it a Bridged connection.


First let's shut our VM down: go to System > Shut Down and press Shut Down in the window that opens.
 


Now click on 'Edit Virtual Machine Settings' like below



You will see a screen like below. Click on 'Network Adapter' and then under 'Network Connection' select the top option 'Bridged'.




YOU NOW HAVE BACKTRACK 5 R3 INSTALLED ON A VIRTUAL MACHINE!
 
ENJOY!