Archangel Amael's Blog

Thoughts, and updates.

noreply@blogger.com (Anonymous) — Sat, 26 Jan 2013 20:40:00 +0000

Been along time since I have blogged about anything. Not that I am all to serious about it to begin with. I don't have a lot of time to devote to such things anymore. With a wife and two demanding children it's not always on the top of my do-to list.

Having said that, I just noticed that my blog on shell.tor.hu was taken down.
Although (for me at least) tor.hu was a pay service. Others can have their site hosted there for free. While it is a bit upsetting to see my work was taken down, I can't really complain as I didn't actually re-new my membership with them.

I just got caught up (as many do) in life and of course forgot about doing it.

I guess I could have gotten a "real website" or whatever, but the free ones have always filled my needs. Plus why pay of it, when I can let google or some other site host if for me for free, in return for some silly adverts which I block any way?

I have been messing around in the world of Tea and learning all about Gong-Fu Cha. As such I have amassed some photos of my teas, and experiences, that I may share here as well, Or I might even dedicate tea to it's own blog. Not sure yet though.

I have also been thinking about doing some more tutorials on BackTrack. Of course I would need to revive my testing labs and actually update some things.

So if anyone actually reads this then feel free to let me know what you would like to see a tutorial on.

noreply@blogger.com (Anonymous) — Sat, 28 Apr 2012 20:36:00 +0000

Just noticed that is has been over a year since I last posted on this blog. Well not counting the earlier post from this morning. I still look at the thing, once in a while, when I need some info on a tool. Or to make sure it didn't get swallowed by the internet monsters. Not to mention I do have many posts that are set to draft that contain links to useful information or resources for me. Perhaps I need to start adding more info on either this one, or my blog at http://archangelamael.shell.tor.hu/ I know there is at least one other person in the world who looks at this thing, besides me. Suggestions?

What's going on?

noreply@blogger.com (Anonymous) — Sat, 28 Apr 2012 11:18:00 +0000

Looks like my other blog over at tor.hu is down. Matter of fact like the entire site has been down the last few days.

New home.

noreply@blogger.com (Anonymous) — Wed, 09 Feb 2011 16:06:00 +0000

I have started another blog at http://archangelamael.shell.tor.hu/ I really like the freedom that using a wordpress blog gives me.

I have plans to migrate the guides from here over to there, time will be a big factor in that.

I also want to update/redo some of them. Also plans to do posts on different topics related to computer security that interest me.

If you have a project or want to learn to better use a shell or just want some privacy while using the internet, then sign up for the services at http://tor.hu So far I have been really impressed with the services they have to offer.

Getting a blog up and going was a bit rough but @sickness416 http://sickness.tor.hu/ helped me troubleshoot things. So thanks to him.

Extracting MetaData from photos using exiftool in BT4

noreply@blogger.com (Anonymous) — Thu, 12 Aug 2010 14:28:00 +0000

This guide is about using exiftool, this tool is used to strip Meta data from photos. This can be used from both a Forensics standpoint as well as for doing reconnaissance work on a given target. Especially if this target is very generous when it comes to giving away too much information, in it's photos.
As a warning, it's not cool to stalk people so don't be doing it.
I mean really if you have to stalk someone you probably will never have a relationship with them anyway loser!

So the tools is located in the menu structure under Digital Forensics, or through the
/pentest/misc/exiftool/ directory.

This screen shot shows the default output when calling the command.
--------------------CODE-----------------------------------
root@bt:/pentest/misc/exiftool# ./exiftool
--------------------CODE-----------------------------------

From exiftool

You will need to read the README in order to learn more information.

If you want to just test the tool out, you can use the provided .jpg to do so.
The command would be
--------------------CODE-----------------------------------
root@bt:/pentest/misc/exiftool# ./exiftool t/images/ExifTool.jpg
--------------------CODE-----------------------------------

From exiftool

The above photos only shows a portion of the output. To see the rest you will need to run the tools yourself.
There is a lot of information that could be gained from this test, but in reality the tool author has already sanitized anything of value.
The only thing that is really left is camera information. Boring at best. So let's grab a few photos from the web and see what they can give us.

Ok so to help keep the innocent that way, I won't be linking or giving away too much on the actual photos, I downloaded.
But they are easy to find thanks to social media 2.0.
From the next photo we can parse quite a lot of data out of it.

--------------------CODE-----------------------------------
root@bt:/pentest/misc/exiftool# ./exiftool /tmp/1444432405-37422182c96b551a67f534ead5532.4c63f758-scaled.jpg
--------------------CODE-----------------------------------

From exiftool

So photos 3 shows some generic information on from the camera, we can determine roughly the type of phone in this case a Motorola Droid X

From exiftool

But, in photo 4 bingo, we now have the information from the GPS. So we now know exactly where our target is located, at least at the time of the photo being taken. But by looking at the same information from several photos we maybe able to determine patterns in our targets behavior.
So here is the pertinent data given up by our photograph. 28 degrees 26' 26.00" N 81 degrees 28' 26.00" West
There are many websites to include Google maps to help you put this info into something more familiar, like addresses. Depending on the phone or camera being used this information can be turned off. Which is kind of a smart thing to do.

So that's about it. There are several ways to gain this information from photos, and this is one of tools, that is included in BT to do it.

Setting up Fluxbox in BT4 R1

noreply@blogger.com (Anonymous) — Thu, 05 Aug 2010 20:33:00 +0000

So this guide is for those that choose to upgrade from BackTrack 4 final to the R1.
This does not really apply if you are downloading the R1.iso. Please keep in mind that this is this a new release and there may be bugs (please report them)! This post will also assume you have backtrack-dragon installed. You can use this to setup the rest.
---------------------------CODE----------------------------------------------------
root@bt:~# apt-get install backrack-dragon
---------------------------CODE----------------------------------------------------
Once this finishes run dragon, select desktop and finally desktop fluxbox

From Fluxbox setup BT4 R1

Once this finishes then you need to run flux-for-back
---------------------------CODE---------------------------------------------------
root@bt:~# flux-for-back
---------------------------CODE---------------------------------------------------

From Fluxbox setup BT4 R1

You will see several options to choose from. We are concerned with the -s option so
---------------------------CODE---------------------------------------------------
root@bt:~# flux-for-back -s
---------------------------CODE---------------------------------------------------

From Fluxbox setup BT4 R1

This will bring us a bunch of new choices. In order to build the menu choose either 1 or 2 based on if you want the icons.
Depending on your setup this may take a bit of time. Mine took about 6 or 7 minutes.
Once it is finished it will exit the script and return you to the prompt. At this point you can consider yourself done.
So now you should have the pretty new menu setup for BT
Looking like this.

From Fluxbox setup BT4 R1

At this point you can exit the script. If you want to change the background then you can use the new menu right click by the way is how to access it. So right click and select "flux menu" at the bottom. Then "Backgrounds" "Set BackTrack default Background".

From Fluxbox setup BT4 R1

To change the style to a BT one select "flux menu" then "Styles" "Fluxbox BackTrack Styles"

From Fluxbox setup BT4 R1

Then select one of the 3 choices from the following:
"Centurion_BackTrack_blue, Centurion_BackTrack_red, and flux_bactrack_eeepc"

This last image show the red theme.

From Fluxbox setup BT4 R1

So that's pretty much it. Now you have a new light weight window manager.
Remember that there may be bugs in these new tools so please be patient and report them if you do find them.

Have fun.

Remove duplicate entries in a file W/O sorting.

noreply@blogger.com (Anonymous) — Sat, 24 Jul 2010 22:12:00 +0000

This is mainly for my own reference, however you may find it useful as well.

Remove duplicate entries in a file without sorting.

$ awk '!x[$0]++' FILE where FILE is the name of the file to run on.

One can also use sort | uniq or sort -u however this will sort the files into an order.
With awk we are simply removing all the duplicates.

MySQL Security Assesment Script in BT4

noreply@blogger.com (Anonymous) — Sat, 24 Jul 2010 15:02:00 +0000

So this is a short write up on using the MySQL security Assessment Script
by Carlos Perez

Of course you will need a mysql database to target.
If you want a pre-made setup then get the metasploitable package.

Grab some shell and navigate to the /pentest/database/mysqlaudit/ directory.
Then just run the command with no options.

-----------------------------CODE---------------------------------------

root@bt:/pentest/database/mysqlaudit#./mysqlaudit.py

MySQL Security Assesment Script Version 1.0

By: Carlos Perez, carlos_perez[at]darkoperator.com
USAGE:
python ./mysqlaudit.py Targer IP User Password Report

Target : The system you whant to do the assement on, port 3306 should be open.
User : User account with DBA privelages on the server to use for the assesment.
Password : password for the user account.
Report : Name of text file to wich to write the report.

-----------------------------CODE--------------------------------------

Simple enough the only thing you will need of course is the log-on credentials.
This time we will run the scan against our metasploitable setup and see what happens.

-----------------------------CODE--------------------------------------

root@bt:/pentest/database/mysqlaudit# ./mysqlaudit.py 192.168.2.103 root root /tmp/msqlauditreport.txt
root@bt:/pentest/database/mysqlaudit#

-----------------------------CODE--------------------------------------

So in order to see what our report shows we can either open it with a text editor or we can cat the output back to the screen.
Since the report is quite long I will only show a little of it here.
-----------------------------CODE--------------------------------------

root@bt:/pentest/database/mysqlaudit# cat /tmp/msqlauditreport2.txt | less

Severity: High

Description:

MySQL authentication is based on usernames and passwords stored in a table

called mysql.user. To create a user, a row is added to this table. MySQL
also supports wildcards and blank values in the USERNAME and HOST fields of
the table. By indicating a blank username and a blank password, you allow
anonymous access to the MySQL database.
Solution:

To remove the anonymous user, run the following commands:
shell> mysql -u root [password]
mysql> DELETE FROM mysql.user WHERE User = '';

Anonymous user was found

User Connection Location
anonymous ---->localhost
anonymous ---->ubuntu804-base

-----------------------------CODE-------------------------------------

As you can tell there is a high level flaw in our setup.
So this tool will allow the Penetration tester to target mysql databases and will determine some basics when it comes to the security of the system.

Have fun.

Converting Metasploitable for Virtualbox

noreply@blogger.com (Anonymous) — Fri, 23 Jul 2010 12:25:00 +0000

So this is not a typical Back Track post, but one on converting the Metasploitable VMware image to one that will work with Virtualbox. There are other ways of converting .vmdk files to .vdi ones but none of them seemed to work for me. This was all done on an Ubuntu machine. You could do the same on others though. If you don't have or know about metasploitable check the above link. So grab a copy here and then extract the zip archive.

Go to a shell and then grab qemu, this is another virtualization product but we don't care about it, once we are done you can remove it.

-----------------------------------CODE---------------------------------------
amael@ubuntudork:~$ sudo aptitude install qemu
-----------------------------------CODE---------------------------------------

Once this is done run the following commands.
NOTE: This may take some time to complete.

-----------------------------------CODE---------------------------------------
amael@ubuntudork:/tmp/Metasploitable$ qemu-img convert /tmp/Metasploitable/metasploitable.vmdk metasploitable.bin
-----------------------------------CODE-------------------------------------

This will convert the .vmdk to a binary then we will convert the .bin to a Virtualbox .vdi file.

-----------------------------------CODE-------------------------------------
amael@ubuntudork:/tmp/Metasploitable$ VBoxManage convertdd metasploitable.bin metasploitable.vdi

Sun VirtualBox Command Line Management Interface Version 3.0.14
(C) 2005-2010 Sun Microsystems, Inc.
All rights reserved.
Converting from raw image file="Metasploitable.bin" to file="Metasploitable.vdi"...
Creating dynamic image with size 8589934592 bytes (8192MB)...
-----------------------------------CODE-------------------------------------

Once this is finished you are now ready to use Metasploitable in Virtualbox.

So go ahead and set up a new machine. You can find many guides on doing this on the net.
But basically you just need to point Virtualbox to the newly created Metasploitable.vdi file.

From Virtual Box Metasploitable

You may want to edit some of the settings. For my setup I had to ensure that the Extended Features Enable PAE/NX box was checked. This is located under Settings>System>Processor. The first time I booted without this it did not work.

From Virtual Box Metasploitable

It might also be a good idea to ensure that this machine is configured for "Host Only" networking so that it is not facing the internet.

So there you have it.

From Virtual Box Metasploitable

That's pretty much it. Have fun.

Update bt4-customise.sh script

noreply@blogger.com (Anonymous) — Wed, 21 Jul 2010 09:20:00 +0000

So after someone noticed on the forums that the bt4-customise.sh script needs to be edited in order to work with the new .iso, I decided to make this post with what needs to be changed.

First grab the script and open it with your favorite editor.
------------------------------CODE-------------------------------------
# nano bt4-customise.sh
------------------------------CODE------------------------------------
Then at the top around line 3 change
------------------------------CODE------------------------------------
btisoname=bt4-pre-final.iso
------------------------------CODE------------------------------------
To the new .iso name.
So for the BT4 final you will need bt4-final.iso
------------------------------CODE------------------------------------
So btisoname-bt4-final.iso
------------------------------CODE------------------------------------

Save, exit and that's it.

Have fun.

how-to, brutessh.py in BT4

noreply@blogger.com (Anonymous) — Mon, 19 Jul 2010 20:11:00 +0000

Fast and simple guide to using brutessh.py in BT 4

Standard disclaimer applies, Don't be stupid and do things that will get you put in jail etc.

Ok as the name implies brutessh.py is a python based brute force tool for ssh
So what it does is takes target data on the command line and uses a dictionary to try and brute ssh. Pretty simple.

Grab a shell
-------------------------------------CODE------------------------------------------------------------------

root@bt:/pentest/passwords/brutessh#

-------------------------------------CODE----------------------------------------------------------------
Check out the readme for more info.
-------------------------------------CODE----------------------------------------------------------------

root@bt:/pentest/passwords/brutessh# cat README

-------------------------------------CODE----------------------------------------------------------------
An easy and safe way to run the tool is to simply make a small dictionary in the same directory put a few words and your ssh password into the list.

Now run it.
-------------------------------------CODE----------------------------------------------------------------
root@bt:/pentest/passwords/brutessh# python brutessh.py -h localhost -u root -d dict

*************************************
*SSH Bruteforcer Ver. 0.2 *
*Coded by Christian Martorella *
*Edge-Security Research *
*laramies@gmail.com *
*************************************

HOST: localhost Username: root Password file: dict
===========================================================================
Trying password...
Times -- > Init: 0.15 End: 3.35
Auth OK ---> Password Found: 123abc$$
root@bt:/pentest/passwords/brutessh#
-------------------------------------CODE----------------------------------------------------------------
Of course that's not the real password!

It obviously didn't take that long, 3.35 seconds.

So there you have it. Quick, fast, and easy. Actually I don't believe it gets easier than that.

Bug and Fix in isp.py in BT4

noreply@blogger.com (Anonymous) — Mon, 28 Jun 2010 19:51:00 +0000

While trying to learn more about BT and it's many tools, I discoverd a small bug in one of them
This lead to trying to find a fix for it. I suppose that I was successful.

The tool in question is isp.py locate in ~./pentest/misc/
Upon trying to run the default command one will get the following
------------------code------------------------------
root@bt:/pentest/misc/isp# python isp.py
Traceback (most recent call last):
File "isp.py", line 10, in
conf.verb = 0
NameError: name 'conf' is not defined
root@bt:/pentest/misc/isp
------------------code------------------------------

So to fix open up the isp.py in a text editor and locate the following line near the top from scapy import * and change it to from scapy.all import* and exit.

Now try running again.

------------------code------------------------------
root@bt:/pentest/misc/isp# python isp.py
WARNING: No route found for IPv6 destination :: (no default route?)
isp.py: "I Spoof Packets with my ISP", by Sebastien Raveau
Usage: isp.py [alternate DNS server on the Internet]

WARNING: this gives false-positives when run behind some NAT
routers! If anybody has an idea of how to prevent that, please
leave a comment under the blog post explaing how this tool works:
http://blog.sebastien.raveau.name/2009_02_01_archive.html

Failed to reach DNS server at resolver1.opendns.com
Try again or try isp.py
------------------code------------------------------

There you have it.

Adding and using hostmap.rb to BT4

noreply@blogger.com (Anonymous) — Tue, 25 May 2010 20:23:00 +0000

The next is hostmap.rb a ruby script for DNS
This tool is available at http://hostmap.lonerunners.net/

So to get started visit the above link, download and save the tarball.

root@dorkness:/tmp/# tar xvf hostmap-0.2.2.tar

Remove the tarball, move the directory to /pentest/enumeration/hostmap-0.2.2/

root@dorkness:/tmp/# rm -rf hostmap-0.2.2.tar*

root@dorkness:pentest/enumeration/hostmap-0.2.2# ruby hostmap.rb -h

Usage: hostmap.rb [options] -t [target]
Target options:
-t, --target [STRING] set target domain
Discovery options:
--with-zonetransfer
enable DNS zone transfer check
--without-bruteforce
disable DNS bruteforcing
--without-dnsexpansion
disable DNS TLD expansion
--bruteforce-level [STRING]
set bruteforce aggressivity, values are lite, custom or full (default is lite)
--without-be-paranoid
don't check the results consistency
--http-ports [STRING]
set a comma separated list of custom HTTP ports to check
--only-passive
passive discovery, don't make network activity to the target network
--timeout [STRING]
set plugin timeout
--threads [STRING]
set concurrent threads number
Networking options:
-d, --dns [STRING] set a comma separated list of DNS servers IP addresses to use instead of system defaults
Output options:
--print-maltego
set output formatted for Maltego
-v, --verbose set verbose mode
Misc options:
--without-update
skip update check
-h, --help show this help message

root@dorkness:pentest/enumeration/hostmap-0.2.2#

Note: You will need to give an IP address, you can not use domain names.

An example of usage is as follows:

root@dorkness:/pentest/enumeration/hostmap-0.2.2# ruby hostmap.rb --only-passive --without-update -t 80.65.162.250
hostmap 0.2.2 codename truppola
Coded by Alessandro `jekil` Tanasi

[2010-05-25 22:41] Skipping SSL because only passive checks are enabled
[2010-05-25 22:41] Found new hostname queer.ba
[2010-05-25 22:41] Found new domain queer.ba
[2010-05-25 22:41] Found new hostname diocletian.httpool.ba
[2010-05-25 22:41] Found new domain httpool.ba
[2010-05-25 22:41] Found new nameserver ns.queer.ba
[2010-05-25 22:41] Found new hostname www.queer.ba
[2010-05-25 22:41] Found new hostname www.queer.ba
[2010-05-25 22:41] Found new nameserver ns02.europronet.ba
[2010-05-25 22:41] Skipping DNS Zone transfer because it is enabled only passive checks.
[2010-05-25 22:41] Skipping DNS Zone transfer because it is enabled only passive checks.
[2010-05-25 22:41] Skipping DNS bruteforce because it is enabled only passive checks
[2010-05-25 22:41] Found new mail server mx2.europronet.ba
[2010-05-25 22:41] Found new mail server mx3.europronet.ba
[2010-05-25 22:41] Found new mail server mx1.europronet.ba
[2010-05-25 22:41] Found new nameserver ns1.httpool.com
[2010-05-25 22:41] Found new nameserver ns2.httpool.com
[2010-05-25 22:41] Skipping DNS Zone transfer because it is enabled only passive checks.
[2010-05-25 22:41] Skipping DNS bruteforce because it is enabled only passive checks

Results for 80.65.162.250
Served by name server (probably)
ns2.httpool.com
ns1.httpool.com
ns.queer.ba
ns02.europronet.ba
Served by mail exchange (probably)
mx1.europronet.ba
mx3.europronet.ba
mx2.europronet.ba
Hostnames:
www.queer.ba
diocletian.httpool.ba
queer.ba
root@dorkness:/pentest/enumeration/hostmap-0.2.2#

Note: I used the --only-passive flag, the --without-update flags this should be self explanatory. -t is for target

As you can see there are several other options to work with. Those I will leave up to you to work with.

Enjoy

Adding more DNS tools to BT4 part 3

noreply@blogger.com (Anonymous) — Tue, 25 May 2010 20:09:00 +0000

The next tool is subdomainer.py

To get it, download the .tar here

http://www.edge-security.com/subdomainer.php
Again you can save it wherever, I chose /pentest/enumeration/
untar the package cd to the directory chmod +x the subdomainer.pyand then you are set to go.
To untar the package tar xvf subd*
Deleted the tarball rm -rf subdomainer.tar

Generic usage is:

root@dorkness:/pentest/enumeration/subdomainer# python subdomainer.py

*************************************
*Subdomainer Ver. 1.3b *
*Coded by Christian Martorella *
*Edge-Security Research *
*laramies2k@yahoo.com.ar *
*************************************

usage: subdomainer.py options

-d: domain to search
-l: limit of results to work with. (msn and yahoo goes in 10 to 10
google in 100's, and pgp does not need this option)
-m: data source (msn, yahoo, google, pgp-veridis, all)

-o: output to html file. (optional, good for long lists.)

Example:
subdomainer.py -d microsoft.com -l 200 -m google

subdomainer.py -d microsoft.com -l 100 -m all -o microsoft.html

root@dorkness:/pentest/enumeration/subdomainer#

Due to the length of the results I will leave it to you to run them.

Adding more DNS tools to BT4 part 2

noreply@blogger.com (Anonymous) — Tue, 25 May 2010 19:58:00 +0000

DNSbf.py
Ok again this is a simple copy and paste.
Get the source here:
https://docs.google.com/View?docid=dg23j87b_213fh46kgfp

EDIT: Since the above google doc seems to no longer be valid, I will leave it to the user to find it by searching google. Frankly as I stated in the comments below if you can't find this or any other tool I write about then you probably shouldn't be using them since it's obvious you don't know what you are doing.

Copy and paste to wherever you want. I used the same directory as before.
The name is dnsbf.py The purpose of the tools is to use DNS and find hostnames in a subnet.
save and give execute permissions.

Generic usage with no flags set.

root@dorkness:/pentest/enumeration/dnsenum# ./dnsbf.py

*****************************************
* program created by t0ka7a *
* http://infond.blogspot.com *
* under GNU 3.0 licence *
* v0.2 02/13/2010 *
* using dns, find hostnames in a subnet *
*****************************************

begin search...

wrong number of arguments

exemple: ./dnsbf.py 192.168.1.0/24

root@dorkness:/pentest/enumeration/dnsenum#

This time we have some targets to scan.

root@dorkness:/pentest/enumeration/dnsenum# ./dnsbf.py 80.65.162.0/24

*****************************************
* program created by t0ka7a *
* http://infond.blogspot.com *
* under GNU 3.0 licence *
* v0.2 02/13/2010 *
* using dns, find hostnames in a subnet *
*****************************************

begin search...

80.65.162.2 bbr-gtz.europronet.ba
80.65.162.201 fa11_ssw-gadzo01.europronet.ba
80.65.162.202 smtps.bihgap.ba
80.65.162.205 fa05_ssw-sa02.europronet.ba
80.65.162.206 hotcasino03.europronet.ba
80.65.162.209 fa23_ssw-sa01.europronet.ba
80.65.162.210 ulk-srv01.linux.org.ba
80.65.162.213 fa15_ssw-sa01.europronet.ba
80.65.162.214 voip-gw01.europronet.ba
80.65.162.217 fa32_ssw-sa01.europronet.ba
80.65.162.218 yellow.europronet.ba
80.65.162.221 fa42_ssw-sa01.europronet.ba
80.65.162.225 fa06_ssw-sa02.europronet.ba
80.65.162.226 hotcasino2.europronet.ba
80.65.162.250 queer.ba
80.65.162.229 fa13_ssw-sa01.europronet.ba
80.65.162.230 mx2.europronet.ba
80.65.162.233 fa07_ssw-sa02.europronet.ba
80.65.162.234 hotcasinogb.europronet.ba
80.65.162.237 fa31_ssw-sa01.europronet.ba
80.65.162.241 fa34_ssw-sa01.europronet.ba
80.65.162.242 mail.triptih.europronet.ba
80.65.162.245 fa36_ssw-sa01.europronet.ba
80.65.162.1 fe08_asw-sa01.europronet.ba
80.65.163.78 mailsrvsa.octas.com
80.65.163.81 rg-ice.europronet.ba
80.65.163.108 terme-centrala.europronet.ba
80.65.163.162 mail2.procreditbank.ba
80.65.163.194 ip-65-163-194.europronet.ba
80.65.163.254 robot-vgw.europronet.ba
80.65.162.70 ns.queer.ba
80.65.162.34 posao.ba
80.65.162.35 mposao.ba

end of search
511 ip tested, 33 names found, in 11 s

root@dorkness:/pentest/enumeration/dnsenum#

So there you go another cool tool to add to BT for your
reconaissance efforts.

Adding more DNS tools to BT4 part 1

noreply@blogger.com (Anonymous) — Tue, 25 May 2010 19:18:00 +0000

So here is a write up on adding some tools to the BT4 DNS collection.
I will first show how to install and give a brief usage of each tool.
They are not hard to install and are simple to use. The power lies in what they can do.
These tools are ones that I found, and credit goes to their authors. Also note that since the tools are not included in BT by default you are on your own if something goes wrong. However since they are simple python and or ruby scripts with no real dependencies things should work just fine.
NOTE: Most output info has been slightly modified.

So without further delay the first up is
DNSDic.py
Code is here:
https://docs.google.com/View?docid=dg23j87b_214cdwmbjfx

So copy and paste the code from the link to a file named dnsdic.py and make the file executable. I added these tools to the following directory to keep things somewhat organised.
The script will need a dictionary when running. A good one and the one the author recommends is located in the dnsenum directory.

root@dorkness:/pentest/enumeration/#

Again executable is

root@dorkness:/pentest/enumeration/# chmod +x dnsdic.py

Generic run with no options:

root@dorkness:/pentest/enumeration/#python dnsdic.py

***************************************************
* program created by t0ka7a *
* http://infond.blogspot.com *
* under GNU 3.0 licence *
* v0.1 02/14/2010 *
* dns dictionnary search of hostnames in a subnet *
***************************************************

begin search...

wrong number of arguments

exemple: dnsdic.py -f ./dico.txt infond.blogspot.com

Ok now a run with some actual usage and results.

root@dorkness:/pentest/enumeration/# python dnsdic.py -f ./dns.txt exampleweb.ba

***************************************************
* program created by t0ka7a *
* http://infond.blogspot.com *
* under GNU 3.0 licence *
* v0.1 02/14/2010 *
* dns dictionnary search of hostnames in a subnet *
***************************************************

begin search...

exampleweb.ba ['ftp.exampleweb.ba'] ['81.61.112.150']
mail.exampleweb.ba [] ['81.61.112.10']
ns.exampleweb.ba [] ['81.61.112.70']
exampleweb.ba ['www.exampleweb.ba'] ['81.61.112.250']

end of search
95 names tested, 4 hostnames found, in 16.110284 s

root@dorkness:/pentest/enumeration/#

SSLScan in BT

noreply@blogger.com (Anonymous) — Sun, 23 May 2010 20:10:00 +0000

SSLScan in BT4

No need to write a description since the intro below already has one as well as usage details.
In order to use grab some shell or find it in the menu structure under:
BT> NetworkMapping> ALL> sslscan

Running the command without any options returns the following.

root@dorkness~:# sslscan

_
___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | '_ \
\__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|

Version 1.6
http://www.titania.co.uk
Copyright (C) 2007-2008 Ian Ventura-Whiting

SSLScan is a fast SSL port scanner. SSLScan connects to SSL
ports and determines what ciphers are supported, which are
the servers prefered ciphers, which SSL protocols are
supported and returns the SSL certificate. Client
certificates / private key can be configured and output is
to text / XML.

Command:
sslscan [Options] [host:port | host]

Options:
--targets= A file containing a list of hosts to
check. Hosts can be supplied with
ports (i.e. host:port).
--no-failed List only accepted ciphers (default
is to listing all ciphers).
--ssl2 Only check SSLv2 ciphers.
--ssl3 Only check SSLv3 ciphers.
--tls1 Only check TLSv1 ciphers.
--pk= A file containing the private key or
a PKCS#12 file containing a private
key/certificate pair (as produced by
MSIE and Netscape).
--pkpass= The password for the private key or
PKCS#12 file.
--certs= A file containing PEM/ASN1 formatted
client certificates.
--xml= Output results to an XML file.
--version Display the program version.
--help Display the help text you are now
reading.
Example:
sslscan 127.0.0.1

Ok here is a generic run without any flags, against our target website.
Of course the output has been truncated and a little bit munged.

root@bt:~# sslscan www.examplewebsite.net

Testing SSL server www.examplewebsite.net on port 443
Supported Server Cipher(s):
Rejected SSLv2 168 bits DES-CBC3-MD5
Rejected SSLv2 56 bits DES-CBC-MD5
Rejected SSLv2 40 bits EXP-RC2-CBC-MD5
Rejected SSLv2 128 bits RC2-CBC-MD5
Rejected SSLv2 40 bits EXP-RC4-MD5
Rejected SSLv2 128 bits RC4-MD5
Rejected SSLv3 256 bits ADH-AES256-SHA
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Rejected SSLv3 128 bits ADH-AES128-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Rejected SSLv3 128 bits DHE-DSS-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Rejected SSLv3 168 bits ADH-DES-CBC3-SHA
Rejected SSLv3 56 bits ADH-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Rejected SSLv3 128 bits ADH-RC4-MD5
Rejected SSLv3 40 bits EXP-ADH-RC4-MD5
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Rejected SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
Rejected SSLv3 56 bits EDH-DSS-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Rejected SSLv3 56 bits DES-CBC-SHA
Rejected SSLv3 40 bits EXP-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-RC2-CBC-MD5
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Rejected SSLv3 40 bits EXP-RC4-MD5
Rejected SSLv3 0 bits NULL-SHA
Rejected SSLv3 0 bits NULL-MD5
Rejected TLSv1 256 bits ADH-AES256-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Rejected TLSv1 128 bits ADH-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Rejected TLSv1 128 bits DHE-DSS-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Rejected TLSv1 168 bits ADH-DES-CBC3-SHA
Rejected TLSv1 56 bits ADH-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Rejected TLSv1 128 bits ADH-RC4-MD5
Rejected TLSv1 40 bits EXP-ADH-RC4-MD5
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Rejected TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
Rejected TLSv1 56 bits EDH-DSS-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Rejected TLSv1 56 bits DES-CBC-SHA
Rejected TLSv1 40 bits EXP-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-RC2-CBC-MD5
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Rejected TLSv1 40 bits EXP-RC4-MD5
Rejected TLSv1 0 bits NULL-SHA
Rejected TLSv1 0 bits NULL-MD5

Prefered Server Cipher(s):
SSLv3 256 bits DHE-RSA-AES256-SHA
TLSv1 256 bits DHE-RSA-AES256-SHA

SSL Certificate:
Version: 2
Serial Number: -4294967123
Signature Algorithm: sha1WithRSAEncryption
Issuer: /OU=Extended Validation CA/O=GlobalSign/CN=GlobalSign Extended Validation CA
Not valid before: Sep 16 16:14:35 2009 GMT
Not valid after: Sep 17 16:14:32 2010 GMT
Subject: /2.5.4.15=V1.0, Clause 5.(b)/serialNumber=32123374/1.3.6.1.5.7.311.60.2.1.3=DK/C=DK/ST=Oerum Djurs/L=Oerum Djurs/streetAddress= Main 6/OU=FairSSL/O=Not Yours v/Some Name /CN=www.examplewebsite.net
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit): truncated
00:99:2b:cf:e4:f8:e3:40:88:41:58:8a:41:16:1f:
f3:09:01:99:e5:f3:09:02:89:e4
43:93:7c:6a:3c:bb:c5:cf:
43:df
Exponent: 65421 (0x10001)
X509v3 Extensions:
X509v3 Authority Key Identifier:
keyid:34:B1:E0 truncated

Authority Information Access:
CA Issuers - URI:http://secure.globalsign.net/cacert/extendval1.crt
OCSP - URI:http://ocsp.globalsign.com/ExtendedSSL

X509v3 CRL Distribution Points:
URI:http://crl.globalsign.net/ExtendVal1.crl

X509v3 Subject Key Identifier:
87:D2:7C:2B:D1:B0 truncated
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.4146.1.1
CPS: http://www.globalsign.net/repository/

Netscape Cert Type:
SSL Client, SSL Server
X509v3 Subject Alternative Name:
DNS:www.examplewebsite.net, DNS:examplewebsite.net
Verify Certificate:
unable to get local issuer certificate

root@dorkness~:#

So a generic run returns a lot of information. We learn the properties such as validity, CN CDP OSCP even the EV attributes are returned.

Note: This information is all publicly available. This tool just presents said info in a nice format such as .xml files, using the --xml=file flag, where file is the name to save as.

The other flags above can be used to further refine the output. One of the more important ones is the --no-failed flag which only lists accepted ciphers (see output above), the default of course is to list them all. The ssl2, ssl3, and tls1 flags of course will check for and list only those ciphers defined. If you have several servers to check on then you can also pass a list to sslscan using the --targets=file flag. The other flags are pretty self explanatory.

So the question become "Why is any or all of this important?" Well easy. When auditing servers you may find ones that use weak cypher or protocols, think NULL cipher, or SSLv1.

Well that's about all there is to it, have fun and enjoy.

Remove and Renew Gnome Panels

noreply@blogger.com (Anonymous) — Wed, 19 May 2010 15:19:00 +0000

So your messing around with your panels in gnome and maybe you did like me and biffed them.
Well here is a quick way to remove and renew them.
Get a shell opened up and type the following commands in succession and then you will kill the panels, delete them and create the default panels when you first installed gnome.

----------------CODE-------------------------

aa@dork:~# gconftool --recursive-unset /apps/panel

aa@dork:~# -rf ~/.gconf/apps/panel

aa@dork:~# pkill gnome-panel

----------------CODE-------------------------

So that's pretty much it. Again this will kill your panels and then recreate the defaults for you.

Install WhatWeb 0.4.2 in BT4

noreply@blogger.com (Anonymous) — Fri, 30 Apr 2010 20:04:00 +0000

Quick guide to get Whatweb going in BT4
WhatWeb is a "Next generation web scanner. Identify what websites are running."

First and foremost grab some shell in BT, and get the tar.gz:

root@dorkbox:/pentest/enumeration# wget http://www.morningstarsecurity.com/downloads/whatweb-0.4.2.tar.gz

Next unpack the archive:

root@dorkbox:/pentest/enumeration# tar xvf whatweb*

Remove the archive, and change into the new directory:

root@dorkbox:/pentest/enumeration# rm -f whatweb-0.4.2.tar.gz
root@dorkbox:/pentest/enumeration# cd whatweb*
root@dorkbox:/pentest/enumeration/whatweb-0.4.2#

Next read the Install file.

root@dorkbox:/pentest/enumeration/whatweb-0.4.2# cat INSTALL | less

As you can see by the install file it mentions using ruby 1.9
Well BT4 comes with Ruby 1.8.7 I am not sure if this will make a difference since there is no mention in the documentation nor the website of any type of dependencies. So far during my experiments with WhatWeb, I have not seen any problems. YMMV. There is also mention to a couple other packages but these are already included in BT4 so no problems there.

As for using the program see also the readme.
The readme will contain a good bit of info on using whatweb.

root@dorkbox:/pentest/enumeration/whatweb-0.4.2# cat README | less

But as an example of some generic output:

root@bt:/pentest/enumeration/whatweb# ./whatweb examplewebsite.com
http://examplewebsite.com [301] title[301 Moved Permanently], server-header[Apache], redirect-location[http://www.examplewebsite.com/], md5[0670664f17b872398a96c6a58e812c2d], header-hash[0671564f07b972398a96c6a58e812c2d]
http://examplewebsite.com/ [200] Google-Analytics-GA[791888], Joomla[1.4], server-header[Apache], meta-generator[Joomla! 1.4 - Open Source Content Management], title[Example Websites Design], md5[fcb3ec0df12e54dfdef2e991a24f1c1], footer-hash[a19d726fa5771113aceaec0c61b1bf8ea7], div-span-structure[e56dd07d6f482ee11342e4ea99a9e6a8], header-hash[4379923363b07114470bde23484214e3f]
root@bt:/pentest/enumeration/whatweb#

As a side note the above is not a real website.
Thanks to http://www.morningstarsecurity.com and Andrew Horton aka urbanadventurer
Have fun and remember don't mess with networks that you don't have permission for.

TCPDump Flags

noreply@blogger.com (Anonymous) — Fri, 30 Apr 2010 13:11:00 +0000

I was trying to capture some data the other day and was using TCPDump. This is really for my own needs but I like to share when I can.
Here are a few flags to use when trying to capture certain data types in TCP.
There are more and you can read online to find more if needed.

Sniff all SYN flagged packets:

root@bt:~# tcpdump 'tcp[13] & 2 != 0'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
^C
ctrl+c: Indicates that I stopped the capture.
0 packets captured
0 packets received by filter
0 packets dropped by kernel

With the above resulting output.

Sniff all PSH flagged packets:
root@bt:~# tcpdump 'tcp[13] & 8 != 0'

Sniff all URG flagged packets:
root@bt:~# tcpdump 'tcp[13] & 32 != 0'

Sniff all RST flagged packets:
root@bt:~# tcpdump 'tcp[13] & 4 != 0'

Sniff all ACK flagged packets:
root@bt:~# tcpdump 'tcp[13] & 16 != 0'

Sniff all FIN flagged packets:
root@bt:~# tcpdump 'tcp[13] & 1 != 0'

Sniff all SYN-ACK flagged packets:
root@bt:~# tcpdump 'tcp[13] = 18'

VGA Resolutions Codes

noreply@blogger.com (Anonymous) — Wed, 03 Mar 2010 20:57:00 +0000

I was looking for a VGA Resolution Code and needed to look in several places to find a complete list. Or at list the ones that I wanted.
So here is a list of all the ones I collected.
Width-Height-Depth VGA Codes HEX Codes
80x25 (TEXT)----------- 3840------------0xF00
80x50 (TEXT) 3841 0xF01
80x43 (TEXT) 3842 0xF02
80x28 (TEXT) 3843 0xF03
80x30 (TEXT) 3845 0xF05
80x34 (TEXT) 3846 0xF06
80x60 (TEXT) 3847 0xF07

320x200x8 816 0x330
320x200x16 782 0x30E
320x200x24 783 0x30F

320x240x8 820 0x334
320x240x16 821 0x335
320x240x24 822 0x336

320x400x8 817 0x331
320x400x16 818 0x332
320x400x24 819 0x333

640x400x8 768 0x300
640x400x16 829 0x33d
640x400x24 830 0x33e

640x480x8 769 0x301
640x480x16 785 0x311
640x480x24 786 0x312

Width-Height-Depth VGA Codes HEX Codes
768x480x8 866 0x362
768x480x16 ??? ????
768x480x24 ??? ????

800x600x8 771 0x303
800x600x16 788 0x314
800x600x24 789 0x315

1024x768x8 773 0x305
1024x768x16 791 0x317
1024x768x24 792 0x318

1280x800x8 864 0x360
1280x800x16 ??? ????
1280x800x24 865 0x361

1280x1024x8 775 0x307
1280x1024x16 794 0x31a
1280x1024x24 795 0x31b

1440x900x8 868 0x364
1440x900x16 ??? ????
1440x900x24 869 0x365

1600x1200x8 796 0x372
1600x1200x16 798 0x374
1600x1200x24 799 0x375

Note to self : The vga code for the eeepc 701 series = 311

Adding SwiftFox to BT4

noreply@blogger.com (Anonymous) — Sat, 27 Feb 2010 21:11:00 +0000

Ok so a quick guide on adding another browswer to BT4
Swiftfox is based off of Firefox and it is designed to be faster.
There are different builds to take advantage of different processors.
Use at your own discretion.
First add the repo to your sources.list.
--------------------code------------------------------
root@dorktest:~# nano /etc/apt/sources.list
--------------------code------------------------------
add the following :
--------------------code------------------------------
deb http://getswiftfox.com/builds/debian unstable non-free
--------------------code------------------------------
Then install it:
--------------------code------------------------------
root@dorktest:~# apt-get update && apt-get install swiftfox-yourprochere
--------------------code------------------------------
where yourprochere is your processor.
The different versions available are:
swiftfox-i686 (Older AMD & Intel)
swiftfox-athlon64 (AMD64 users on a 64bit OS)
swiftfox-athlon64-32bit (AMD64 users on a 32bit OS)
swiftfox-prescott (Intel Prescott and newer)
If you are not sure use this chart for more info.

Install Airdrop-ng

noreply@blogger.com (Anonymous) — Fri, 26 Feb 2010 23:29:00 +0000

So the TheX1le released (to the general populace) airdrop-ng today.
You can visit the aircrack-ng site for more info. There is a video of the talk here.

So this one is so easy a itard can do it.
Grab a shell in BT4
Then
---------------code--------------------------------------
root@dorktest:~# cd /pentest/wireless/
root@dorktest:/pentest/wireless# svn co http://trac.aircrack-ng.org/svn/trunk/scripts/airdrop-ng
---------------code--------------------------------------
Second line above should be all on one line.
Once it completes then:
---------------code--------------------------------------
root@dorktest:~# cd /pentest/wireless/airdrop-ng/
root@dorktest:/pentest/wireless/airdrop-ng/ cat README
---------------code--------------------------------------
And Read it.
Then:
---------------code--------------------------------------
root@dorktest:/pentest/wireless/airdrop-ng/python install.py
---------------code--------------------------------------
to run the installer.
See how easy that was.

Installing ecryptfs in BT4.

noreply@blogger.com (Anonymous) — Fri, 05 Feb 2010 14:14:00 +0000

Installing ecryptfs in BT4.
This guide is a simple one to get encryption setup. This is not the best way of doing things
However it is probably the quickest and easiest to do.
First things:
-----------------code------------------------------
root@bt:~# apt-get install ecryptfs-utils
Reading package lists... Done
The following NEW packages will be installed:
ecryptfs-utils libecryptfs0 libtspi1
0 upgraded, 3 newly installed, 0 to remove and 19 not upgraded.
Need to get 331kB of archives.
After this operation, 1212kB of additional disk space will be used.
Do you want to continue [Y/n]? y
-----------------code------------------------------
After the install is complete before you go on READ THE MAN PAGE and the faq
-----------------code------------------------------
root@bt:~# man ecryptfs
root@bt:~# /usr/share/doc/ecryptfs-utils/ecryptfs-faq.html
-----------------code------------------------------
See also the web page at http://ecryptfs.sourceforge.net/
This is important for your security.
Next run the setup
-----------------code------------------------------
root@bt:~# ecryptfs-setup-private
Enter your log in passphrase: enter your actual log in info here
Enter your mount passphrase [leave blank to generate one]:
************************************************************************
YOU SHOULD RECORD THIS MOUNT PASSPHRASE AND STORE IN A SAFE LOCATION:
a706b05233346537fa28121a40e2040ce
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************
Done configuring.
Testing mount/write/umount/read...
Testing succeeded.
-----------------code------------------------------
Once this is done there will be a new directory created called Private
Since I did this with the root user account it is stored in /
Inside this directory is a readme read it before proceeding.
So in order to use your new encrypted directory you will need to log out and back in.
Now your log in passphrase along with the aforementioned mount passphrase will be used to mount the directory Private. There are caveats to using this type of system. Only data you store in Private is encrypted. Any data saved or collected while browsing the internet that is stored elsewhere on the system will be not be encrypted. If you have a swap partition it will not be encrypted either. As with most encryption systems if you leave physical access or access to the encrypted container open (suppose you leave the computer and go out for a coffee, without logging out) then again the data would be accessible. Also when you log out the folder will show that there is encrypted data in the directory.

Google Chromium in BT4

noreply@blogger.com (Anonymous) — Mon, 18 Jan 2010 19:05:00 +0000

This is a small guide to adding the Google browser Chromium to Back Track 4.

Note: Following this guide may break your system and no one will take responsibility for it but you.
OK the first thing you need to do is add the PPA's to your apt sources list.
-------------------------CODE-----------------------------
root@dorkbox:~# nano /etc/apt/sources.list
-------------------------CODE-----------------------------
Add the following to the list
-------------------------CODE-----------------------------
# Chromium browser PPA
deb http://ppa.launchpad.net/chromium-daily/ppa/ubuntu intrepid main
deb-src http://ppa.launchpad.net/chromium-daily/ppa/ubuntu intrepid main
-------------------------CODE-----------------------------
Save and exit.
Next get the key
-------------------------CODE-----------------------------
root@dorkbox:~# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys FBEF0D696DE1C72BA5A835FE5A9BF3BB4E5E17B5
-------------------------CODE-----------------------------
Note the above should be one line.
Next update apt
-------------------------CODE-----------------------------
root@dorkbox:~# apt-get update
-------------------------CODE-----------------------------
Last apt-get the browser.
-------------------------CODE-----------------------------
root@dorkbox:~# apt-get install chromium-browser
-------------------------CODE-----------------------------
Three other packages should get pulled as well.
chromium-browser chromium-browser-inspector chromium-codecs-ffmpeg